
nmap port scanner shows open ports when destination is to a VS on the front end

Jacqueline_Tadr
Altocumulus

Our security team runs vulnerability scans, and does them from the public internet.

It was noticed that, depending on the image, the BIG-IP does respond differently, but for all images the nmap scan returns all scanned ports as open.

I've seen responses about similar scans, but from the inside. I noticed that on our most recent image, the packets from the scans don't reach the front-end interface of the BIG-IP for this specific VS. Instead it receives only an ACK, then on the next packet it receives a RST.

Trying to figure out why the responses changed from the earlier image, and why the latest image upgrade recommended by F5 shows the same issue when open ports are scanned from the public Internet.

Kindly advise.


1. Check the destination ports of your virtual servers, as they can be listening on all ports:

https://support.f5.com/csp/article/K6018

2. Also, if the F5 VIP is configured with "Loose Initiation and Loose Close", this means that any client packets are accepted without a 3-way handshake:

https://support.f5.com/csp/article/K13558

3. You mention RST. To see if the F5 is returning the RST, enable special logging https://support.f5.com/csp/article/K13223 and you may do a tcpdump with nnnp https://support.f5.com/csp/article/K13637. Also check that nmap is not triggering SYN cookie protection https://support.f5.com/csp/article/K74451051#syn-cookie-status
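The first two points of the reply (a virtual server listening on all ports, and a fastL4 profile with loose initialization / loose close) are both things that make an external scan report every port as open. As an added example, not from this thread or from F5, the script below parses the output of `tmsh list ltm virtual` and `tmsh list ltm profile fastl4` and flags virtuals with either condition, following `defaults-from` so a profile that inherits the loose settings from a parent is caught too. The sample configuration is constructed for the example; the attribute names `loose-initialization` / `loose-close` and the `:any` destination format are assumed to match what tmsh prints on the reader's version.

```python
"""Flag BIG-IP virtual servers that make an external nmap scan report every port open.

Added example (not from the thread or from F5). Assumptions: tmsh prints a
port-0 destination as ':any' (older releases print ':0', also handled) and the
fastL4 profile keys are 'loose-initialization' and 'loose-close'.
"""
from typing import Dict, List, Tuple

# Constructed sample of `tmsh list ltm virtual` and `tmsh list ltm profile fastl4` output.
SAMPLE_CONFIG = """
ltm virtual /Common/vs_web {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
ltm virtual /Common/vs_forward_all {
    destination /Common/203.0.113.20:any
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/fastL4_loose {
            context all
        }
    }
    source 0.0.0.0/0
}
ltm profile fastl4 /Common/fastL4_loose {
    app-service none
    defaults-from /Common/fastL4
    loose-close enabled
    loose-initialization enabled
}
ltm profile fastl4 /Common/fastL4 {
    loose-close disabled
    loose-initialization disabled
}
"""


def parse_tmsh(text: str) -> dict:
    """Parse tmsh brace syntax (one key/value or block header per line) into nested dicts."""
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):            # empty block on one line, e.g. "/Common/http { }"
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):              # block header, e.g. "ltm virtual /Common/vs_web {"
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:                                 # leaf "key value"
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def fastl4_setting(profiles: Dict[str, dict], name: str, key: str) -> str:
    """Resolve a fastL4 setting, walking defaults-from; BIG-IP ships both loose settings disabled."""
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        body = profiles[name]
        if key in body:
            return body[key]
        name = body.get("defaults-from", "")
    return "disabled"


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Return (virtual server, reason) pairs for scan-visible configurations."""
    cfg = parse_tmsh(config_text)
    fastl4 = {k.split()[-1]: v for k, v in cfg.items() if k.startswith("ltm profile fastl4 ")}
    findings: List[Tuple[str, str]] = []
    for key, body in cfg.items():
        if not key.startswith("ltm virtual "):
            continue
        vs = key.split()[-1]
        port = body.get("destination", "").rsplit(":", 1)[-1]
        if port in ("any", "0"):
            findings.append((vs, "destination port any: every scanned port is answered (K6018)"))
        for prof in body.get("profiles", {}):
            if prof not in fastl4:
                continue
            for setting in ("loose-initialization", "loose-close"):
                if fastl4_setting(fastl4, prof, setting) == "enabled":
                    findings.append((vs, f"fastL4 profile {prof} has {setting} enabled: "
                                         "packets accepted without a 3-way handshake (K13558)"))
    return findings


if __name__ == "__main__":
    for vs, reason in audit(SAMPLE_CONFIG):
        print(f"{vs}: {reason}")
```

Feed it real output with `tmsh list ltm virtual` and `tmsh list ltm profile fastl4` concatenated into one file; a virtual that appears with the "destination port any" reason is the one nmap will report as open on every port regardless of the image in use.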