Saturday, April 15, 2017

f5 any6 and APM connections and other tips.

In this post we will look at  connections tables on a f5 that acts like a vpn gateway using a APM policy.

The connection table is a great way to  find  any6 entries to see the who/what  is connecting to a f5. It will also show or demonstrate connections that are not decided on and  show you what TMM has that connection.

e.g ( a typical  f5 conn  output )

show sys connection | grep any6      any6.any             any6.any              tcp   48    (tmm: 1)  none      any6.any             any6.any              tcp   1     (tmm: 1)  none      any6.any             any6.any              tcp   0     (tmm: 1)  none      any6.any             any6.any              tcp   59    (tmm: 1)  none      any6.any             any6.any              tcp   5     (tmm: 1)  none      any6.any             any6.any              tcp   0     (tmm: 1)  none

show the above output shows numerous connection lated as  "any6.any"  and they are all TCP.

You could get creative and  do a geoip  lookup by using maxmind or unix geoip-bin and look for location and  client types for trending.


ISP name, Continnet, Country,etc...

So armed with geoip database details you could now  investigate as security  analyst if these address are repetitional bad or known bot or C&Cs,etc...

Keep in mind,  connections that are no authenticated or have a final disposition could trigger a any6.any connection state and it's not always a sign of something "bad"

NOTE: These connections are also show as no handler  in the show sys tmp-traffic  details if they are actually drop.


With in the APM sessions, until a user  has started the authentication process, you will not known the "username" for obvious reasons.

examples ( unknown username and  geo &  no geo-info )

 Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \

No comments:

Post a Comment