The connection table is a great way to find any6 entries to see the who/what is connecting to a f5. It will also show or demonstrate connections that are not decided on and show you what TMM has that connection.
e.g ( a typical f5 conn output )
show sys connection | grep any6
10.75.2.69:56138 22.214.171.124:443 any6.any any6.any tcp 48 (tmm: 1) none
126.96.36.199:61190 188.8.131.52:443 any6.any any6.any tcp 1 (tmm: 1) none
184.108.40.206:53284 220.127.116.11:443 any6.any any6.any tcp 0 (tmm: 1) none
18.104.22.168:9744 22.214.171.124:443 any6.any any6.any tcp 59 (tmm: 1) none
126.96.36.199:62514 188.8.131.52:443 any6.any any6.any tcp 5 (tmm: 1) none
184.108.40.206:61928 220.127.116.11:443 any6.any any6.any tcp 0 (tmm: 1) none
show the above output shows numerous connection lated as "any6.any" and they are all TCP.
You could get creative and do a geoip lookup by using maxmind or unix geoip-bin and look for location and client types for trending.
ISP name, Continnet, Country,etc...
So armed with geoip database details you could now investigate as security analyst if these address are repetitional bad or known bot or C&Cs,etc...
Keep in mind, connections that are no authenticated or have a final disposition could trigger a any6.any connection state and it's not always a sign of something "bad"
NOTE: These connections are also show as no handler in the show sys tmp-traffic details if they are actually drop.
With in the APM sessions, until a user has started the authentication process, you will not known the "username" for obvious reasons.
examples ( unknown username and geo & no geo-info )
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=