Portscan detected from f5 snatpool?

Zero27351
Nimbostratus

Hi Guys,

So we have a security incident in which a portscan is detected coming from our f5 snatpool towards another specific machine. Is there any logging I can check to see from which machine the portscan was initiated? I am not an f5 expert so bear with me please 🙂

Thank you.

3 REPLIES

Hello Zero27351.

If the connection is currently active, you could check the connections table to figure out the origin.

show sys connection ss-client-addr <SNAT_IP>

 

Regards,
Dario.

Hi Dario,

Thanks! I'll give it a try once we see it happening again. There is otherwise no logging which I can check to figure out the origin address?

Kr,

Zero.

Hello Zero27351.

There are no records for old flows, but you can create an iRule for logging those sessions and apply it to the VS. Or even better, create a Request-Logging profile.

Logging connections using High Speed Logging

https://github.com/DariuSGB/F5_iRules/blob/master/HSL_Logging.tcl

Request logging profile

https://support.f5.com/csp/article/K00847516

In both cases, I recommend you send those logs to an external device, to not affect the local system performance.

 

Regards,
Dario.
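
Added example, not part of the thread and not the linked iRule or F5's own code: once per-connection logs are being shipped to an external collector, this Python script attributes a scan seen from the SNAT address back to the original client by counting distinct target ports per client. The `client=`/`snat=`/`server=` key=value layout, the IPv4-only pattern, and the names `find_scanners` and `SAMPLE_LOG` are assumptions made for this example; adjust the pattern to whatever your logging iRule or request-logging template actually emits.

```python
import re
from collections import defaultdict

# Constructed sample lines. The key=value layout is an assumption for this
# example, not the output format of the linked iRule or of an F5 profile.
SAMPLE_LOG = """\
Mar 01 10:00:01 bigip1 conn client=10.1.1.23:51001 snat=192.0.2.10:40001 server=198.51.100.7:21
Mar 01 10:00:01 bigip1 conn client=10.1.1.23:51002 snat=192.0.2.10:40002 server=198.51.100.7:22
Mar 01 10:00:01 bigip1 conn client=10.1.1.23:51003 snat=192.0.2.10:40003 server=198.51.100.7:23
Mar 01 10:00:02 bigip1 conn client=10.1.1.23:51004 snat=192.0.2.10:40004 server=198.51.100.7:25
Mar 01 10:00:02 bigip1 conn client=10.1.1.23:51005 snat=192.0.2.10:40005 server=198.51.100.7:80
Mar 01 10:00:02 bigip1 conn client=10.1.1.23:51006 snat=192.0.2.10:40006 server=198.51.100.7:443
Mar 01 10:00:05 bigip1 conn client=10.1.1.40:52000 snat=192.0.2.10:41000 server=198.51.100.7:443
Mar 01 10:00:06 bigip1 conn client=10.1.1.40:52001 snat=192.0.2.10:41001 server=198.51.100.7:443
Mar 01 10:00:07 bigip1 conn client=10.1.1.50:53000 snat=192.0.2.10:42000 server=198.51.100.9:8080
Mar 01 10:00:09 bigip1 conn reset
"""

# IPv4 only; client and SNAT source ports are matched but not needed here.
LINE_RE = re.compile(
    r"client=(?P<client>[\d.]+):\d+\s+"
    r"snat=(?P<snat>[\d.]+):\d+\s+"
    r"server=(?P<server>[\d.]+):(?P<port>\d+)"
)


def find_scanners(log_text, snat_ip, target_ip, min_ports=5):
    """Return {client_ip: sorted distinct ports} for clients that reached
    target_ip through snat_ip on at least min_ports different ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        if m["snat"] == snat_ip and m["server"] == target_ip:
            ports[m["client"]].add(int(m["port"]))
    return {c: sorted(p) for c, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG, "192.0.2.10", "198.51.100.7")
    for client, seen in hits.items():
        print(f"{client} reached {len(seen)} ports via SNAT: {seen}")
```

Repeated connections to a single port (the 10.1.1.40 lines) stay below the threshold, so ordinary clients sharing the SNAT address are not flagged.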