Forum Discussion
Simon_Blakely
Oct 21, 2018 (Employee)
Jeff,
What sort of virtual is the Wildcard virtual (standard or Performance Layer 4/IP Forwarding)?
Does the tcp profile enable SynCookie protection?
When SynCookies protection kicks in, even a fastl4 will respond to the [SYN] with a [SYN,ACK].
K14779: Overview of BIG-IP SYN cookie protection (11.3.x - 12.x)
If you are running a network range port scan, the virtual will see (and cache) a large number of [SYN] packets, with no corresponding [SYN,ACK]. Once the SYN cookie cache value is exceeded, the LTM will start responding to [SYN] packets with a [SYN,ACK] containing a syncookie.
This behavioural change may trigger false positive results in the network scanner.
The observed change probably relates to functional differences in the hardware platforms and default trigger values.
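The behaviour described in the reply above, as a toy model added here (not part of the original post and not BIG-IP code): once the half-open count passes a threshold, every probe is answered, and a triage helper finds where the run of "open" ports begins. The class, the function names and the threshold value of 100 are assumptions made for this example.

```python
# Toy model of a wildcard virtual with SYN cookie protection.
# Names and the threshold value are assumptions, not BIG-IP defaults.

class WildcardVirtual:
    def __init__(self, listening, syn_cache_limit):
        self.listening = set(listening)        # ports with a real service behind them
        self.syn_cache_limit = syn_cache_limit
        self.half_open = 0                     # SYNs cached that never completed
        self.syncookie_mode = False

    def on_syn(self, port):
        """Return True when the probe is answered with [SYN,ACK]."""
        if not self.syncookie_mode:
            self.half_open += 1                # a SYN scan never sends the final ACK
            self.syncookie_mode = self.half_open > self.syn_cache_limit
        # In cookie mode every SYN is answered, whatever the destination port.
        return self.syncookie_mode or port in self.listening


def syn_scan(virtual, ports):
    """Ports a SYN scanner would report as open (it only sees the [SYN,ACK])."""
    return [p for p in ports if virtual.on_syn(p)]


def cookie_onset(scanned, reported_open, min_run=50):
    """Triage: first port of a run of >= min_run consecutively scanned ports
    that were all reported open, or None if no such run exists."""
    open_set, run_start, run_len = set(reported_open), None, 0
    for p in scanned:
        if p in open_set:
            if run_len == 0:
                run_start = p
            run_len += 1
            if run_len >= min_run:
                return run_start
        else:
            run_len = 0
    return None


if __name__ == "__main__":
    ports = list(range(1, 1001))               # constructed scan range
    found = syn_scan(WildcardVirtual({22, 443}, syn_cache_limit=100), ports)
    print(len(found), "ports reported open; suspicious run starts at",
          cookie_onset(ports, found))
```

Ports reported open after the onset point reflect the SYN cookie responder rather than a listening service, so they need re-testing at a rate that stays below the trigger value.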