How to trigger an alert when a specific number of connections are attempted to VIP on a port that isn't provisioned.
I have read the following KB, support.f5.com/csp/article/K14813, and didn't know if there was a way to trigger an alert when something is generating traffic on a non-configured port to a VIP. We currently have a VIP that answers on all ports but are working to restrict it to specific ports, and would like to have evidence or alerts if a port scan or DDoS event is occurring. Is there a way to monitor the tm.maxrejectrate value for a specific VIP and trigger some type of alert when it drops to a specific value?
When the number of packets that match a virtual IP address or a self IP address exceeds the tm.maxrejectrate threshold, but the packets specify an invalid port, the system stops sending RST packets in response to the unmatched packets and logs an error message to the /var/log/ltm file that appears similar to the following example:

011e0001:4: Limiting closed port RST response from 299 to 250 packets/sec
Does this log entry reflect the "client" address as well as the VIP/port that the connection was attempting?
Thanks,
Joe
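As an added illustration (not part of the original post or of any F5 tooling), the following parser shows what can be extracted from the quoted /var/log/ltm message alone: the observed and capped RST rates. It raises an alert on a single large burst or on repeated limit messages. The syslog prefix fields, hostnames and timestamps in the sample lines are constructed; only the "011e0001:4: Limiting closed port RST response ..." text comes from the KB excerpt, and note that this message carries neither a client address nor the VIP/port involved.

```python
import re

# Pattern for the ltm log message quoted in the question (message id 011e0001).
RST_LIMIT_RE = re.compile(
    r"011e0001:4: Limiting closed port RST response from (?P<observed>\d+) "
    r"to (?P<limit>\d+) packets/sec"
)

# Constructed sample /var/log/ltm content. The timestamp, host, level and
# process fields are made up; the 011e0001 message text is from the KB quote.
SAMPLE_LTM_LOG = """\
Jan 10 12:00:01 bigip1 warning tmm[1234]: 011e0001:4: Limiting closed port RST response from 299 to 250 packets/sec
Jan 10 12:00:02 bigip1 notice tmm[1234]: 01010028:5: No members available for pool /Common/web_pool
Jan 10 12:00:03 bigip1 warning tmm[1234]: 011e0001:4: Limiting closed port RST response from 1200 to 250 packets/sec
Jan 10 12:00:04 bigip1 warning tmm[1234]: 011e0001:4: Limiting closed port RST response from 260 to 250 packets/sec
"""


def parse_rst_limit_events(log_text):
    """Return (line_no, observed_rate, cap_rate) for each RST rate-limit message."""
    events = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = RST_LIMIT_RE.search(line)
        if m:
            events.append((line_no, int(m.group("observed")), int(m.group("limit"))))
    return events


def rst_limit_alerts(log_text, burst_ratio=2.0, min_events=3):
    """Build alert strings from the log text using two conditions:
    - 'burst': one message whose observed rate is >= burst_ratio times the cap
      (a sudden flood of closed-port hits, e.g. a fast scan or flood)
    - 'sustained': at least min_events limit messages in the examined window
      (the cap keeps being hit over time)
    Thresholds are hypothetical defaults; tune them to the environment."""
    events = parse_rst_limit_events(log_text)
    alerts = []
    for line_no, observed, cap in events:
        if cap and observed / cap >= burst_ratio:
            alerts.append(f"burst: line {line_no} observed {observed} pkt/s vs cap {cap}")
    if len(events) >= min_events:
        alerts.append(f"sustained: {len(events)} RST rate-limit messages (cap {events[-1][2]})")
    return alerts


if __name__ == "__main__":
    for alert in rst_limit_alerts(SAMPLE_LTM_LOG):
        print(alert)
```

Because the message identifies no client or VIP, attributing the activity to a source still requires a separate data set (for example, a packet capture or firewall logs) alongside this alert.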