Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Portscan detected from f5 snatpool?

Zero27351
Altostratus
Altostratus

‎20-Apr-2022 05:10

Hi Guys,

So we have a security incident in wich a portscan is detected coming from our f5 snatpool towards another specifiek machine. Is there any logging i can check to see from which machine the portscan was initiated? I am not f5 expert so bear with me please 🙂

Thank you.

Labels:
0 Kudos
3 REPLIES 3

Dario_Garrido
MVP
MVP

‎20-Apr-2022 09:59

Hello Zero27351.

If the connection is currently active, you could check the connections table to figure out the origin.

show sys connection ss-client-addr <SNAT_IP>

 

Regards,
Dario.

Zero27351
Altostratus
Altostratus
In response to Dario_Garrido

‎20-Apr-2022 15:53

Hi Dario,

Thanks! Ill give it a try once we see it happening again. There is otherwise no logging which i can check to figure out the origin adres?

Kr,

Zero.

0 Kudos

Dario_Garrido
MVP
MVP
In response to Zero27351

‎21-Apr-2022 00:57

Hello Zero27351.

There are no records for old flows, but you can create an iRule for logging those sessions and apply it to the VS. Or even better, create a Request-Logging profile.

Logging connections using High Speed Logging

https://github.com/DariuSGB/F5_iRules/blob/master/HSL_Logging.tcl

Request logging profile

https://support.f5.com/csp/article/K00847516

In both cases, I recommend you send those logs to an external device, to not affect the local system performance.

 

Regards,
Dario.
0 Kudos
Copyright © 2023 Khoros, LLC