Our security team runs scans for vulnerability and he doesn't them from the public internet.
It was noticed that based on the image the Big-IP does respond differently but for all images the nmap scan returns all ports scanned as open.
I've seen responses about similar scans but from the inside, but I noticed that on our most recent image, the packets from scans don't reach the front end interface of the Big-IP for this specific VS. Instead it receives only an ACK, then on the next packet it receives a RST.
Trying to figure out why the responses changed from the earlier image and why the latest image upgrade recommended by F5 shows the same issue when open ports are scanned from the public Internet.
1. Check the destination ports of your virtual servers as they can be listening to all ports:
2. Also, if the F5 VIP is with "Loose Initiation" and "Loose Close", this means that any client packet is accepted without a 3-way handshake.
3. You mention RST. To see if the F5 is returning the RST, enable special logging https://support.f5.com/csp/article/K13223 and you may do nnnp tcpdump https://support.f5.com/csp/article/K13637. Also check if nmap is not triggering SYN cookie protection https://support.f5.com/csp/article/K74451051#syn-cookie-status