Forum Discussion
Any approach to encrypting HSL traffic such that no plain text is ever sniffable?
Hi,
I took a look at this in my personal lab today, and I don't think this is possible. With HSL you only have the options of UDP or TCP (but not TLS) in either the iRule HSL::open command or when creating an HSL destination (sys log-config destination remote-high-speed-log).
I tried recreating your configuration. I thought that perhaps adding a clientssl profile to the HTTP VIP would result in the traffic on the client-side from the management port to this VIP being TLS encrypted, but in my packet capture I could still see the logs in plain text. It was only encrypted on the server-side, between the VIP and the back-end syslog server.
So unfortunately, it looks like the F5 BIG-IP can only send HSL traffic in plain text on the client-side. I am not aware of any other configurations that could be leveraged to achieve end-to-end TLS encryption for logs.
HSL isn't using HTTP format, so you must remove the HTTP profile from the vserver.
Also remove the client-side SSL profile from the vserver. If you put a client-side SSL profile on it, the vserver will only accept TLS connections.
- Feb 27, 2025
Good points.
It still means, though, that we do not have a way of encrypting the HSL on the client side, which is what @daboochmeister2 wants.
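The relay pattern the thread describes (HSL destination pointing at a local virtual server, which re-encrypts to the syslog server) with the two corrections from the second reply applied, as an added tmsh example that is not from the original thread or from F5. Names and addresses (hsl_relay_vs, hsl_relay_pool, syslog_tls_pool, 10.0.0.10, 192.0.2.20, port 6514) are assumptions.

```tmsh
# Assumed values (not from the thread): 10.0.0.10 is the relay VIP address,
# 192.0.2.20:6514 is the TLS syslog receiver, object names are made up.

# 1. Back-end pool: the syslog server that speaks TLS.
create ltm pool syslog_tls_pool members add { 192.0.2.20:6514 } monitor tcp

# 2. Relay virtual server: plain TCP on the client side, TLS on the server side.
#    Deliberately no http profile (HSL is not HTTP) and no clientssl profile
#    (the HSL source cannot speak TLS, so clientssl would only reject it).
create ltm virtual hsl_relay_vs destination 10.0.0.10:514 ip-protocol tcp profiles add { tcp serverssl { context serverside } } pool syslog_tls_pool source-address-translation { type automap }

# 3. HSL side: a pool whose only member is the relay VIP, a TCP (not UDP)
#    high-speed-log destination, a syslog formatter, and a publisher.
create ltm pool hsl_relay_pool members add { 10.0.0.10:514 }
create sys log-config destination remote-high-speed-log hsl_tcp_dest pool-name hsl_relay_pool protocol tcp
create sys log-config destination remote-syslog hsl_syslog_fmt remote-high-speed-log hsl_tcp_dest
create sys log-config publisher hsl_publisher destinations add { hsl_syslog_fmt }
```

This only changes which leg is encrypted, not the conclusion of the thread: a packet capture on the BIG-IP of the 10.0.0.10:514 hop still shows the log lines in clear, and only the VIP-to-192.0.2.20 leg carries TLS. The practical check after applying it is a capture on the server-side leg to confirm the re-encryption is actually in effect.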