Forum Discussion

Rosieodonell_16
Dec 04, 2017

Some SSL Orchestrator Questions

Just upgraded to 13 code on our F5 and noticed it now has a nice GUI and setup for the SSL Orchestrator. I know this was available via an iApp but I never had the time to play with it. Now that it is built in, I was wondering a few things before I start playing with it.


  1. If traffic is sent to a "Receive Only Services" and the receive only device sees malware, is it already too late to prevent the traffic from going on since it's a copy of the decrypted traffic?


  2. "Inline Services" needs two interfaces to work on the F5? Is it possible to set up a single-arm setup on a new interface to send the traffic to?


  3. To allow the decryption to occur, do you have to have a cert on the F5 that both the client and the server trust? Is it possible to just have the cert trusted by the server so that the users are not prompted on their end and don't notice any difference from their end?


Thanks in advance!


1 Reply

ecce

    Hi!


    1. Depends. If the receive-only device is the ONLY device in the ONLY chain then YES, traffic is forwarded. Traffic is not forwarded if ANY device in the chain says no. The receive-only device is normally a logging device, sitting on a read-only connection. You could do another chain with an IDS, firewall or whatever. If that detects the malware it is not forwarded. Check out this lightboard lesson: https://www.youtube.com/watch?v=mvse6zCt_jo (and the link in it)


    2. I'm not sure if I understand the question fully. You can use two VLANs on a single physical connection. If you look in the Service chain tab you'll see you can add a VLAN tag next to the interface when you add a device.


    3. Are we talking about decrypting clients' traffic in/out from your own network to the internet? Then you need a certificate installed on the F5 that the clients trust. You need to install the signing certificate on every client, otherwise you will get a warning. The server does not need to trust it. Note that the signing certificate is installed in different ways depending on client and browser. Firefox for example has its own certificate storage. Other browsers use different solutions.


    Hope this helps!
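Added illustration of point 3 (my own openssl demo, not code from ecce's reply or from F5): a hypothetical "Demo Intercept CA" stands in for the SSL Orchestrator signing certificate, and a leaf cert for the made-up host www.example.test stands in for what the proxy re-signs on the fly. Verification only succeeds when that CA is in the client's trust store; the origin server is never involved.

```shell
#!/bin/sh
# Added demo, not F5 code: why the signing CA must be in the client's trust store.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The signing CA the proxy uses to re-sign server certificates (hypothetical name).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Intercept CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. The certificate the proxy would mint for an origin host (hypothetical hostname).
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null

# 3. An unrelated root standing in for a client trust store that lacks the signing CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Some Other Root" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# Client with the signing CA installed: the chain builds, so no warning. Returns 0.
client_with_ca_installed() {
  openssl verify -no-CApath -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Client without it: "unable to get local issuer certificate", the warning ecce mentions.
# Returns non-zero.
client_without_ca() {
  openssl verify -no-CApath -CAfile "$WORK/other.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

if client_with_ca_installed; then echo "signing CA installed: leaf verifies"; fi
if client_without_ca; then echo "unexpected: verified"; else echo "signing CA missing: verify fails"; fi
```

Swap the constructed CA for the one exported from the F5 and the same `openssl verify` tells you whether a given client trust bundle would accept re-signed traffic before you roll it out.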