Dear F5 Expert,I just implement SSL-O offload in Explicit proxy topologies and off-load SWG in explicit proxy mode.I found the issue detail as below.Security policyCatagorie lookup ALL (Pinner) Bypass sent to SWG(explicit)All intercept sent to SWG(explicit)When i decrypt traffic traffic can sent to SWG collectly.When I bypass SSL action traffic not sent to SWG .i'm not sure why F5 not sent traffic when bypass SSL intercept.Regrads,

To be clear though, you CAN send TLS bypassed (encrypted) traffic to inline layer 2, inline layer3, and TAP services.

Just create layer 2/3 service for the bypassed traffic depending if the F5 SSLO and the Web Proxy see each other on the Local Network or they are in different networks. Please the link below: https://clouddocs.f5.com/sslo-deployment-guide/chapter3/page3.1.html

If you managed to get the needed answers, please flag the question as answered.

Yes, configure the proxy device as an HTTP service, instead of inline L3. The signaling used for HTTP services is different so can handle the port change.

Hello, You provided to little information as even an expert can't say what exactly is the case as for example there is no picture of your per-request policy or guided config rules that show if there is service attached for the proxy bypass rule and the service that is asigned can't be of type "HTTP services" as when doing bypass you need to aqssign layer2/3 service type that works without decryption. Still you can check the link below as I suspect that when you bypass the traffic there is no attached service to which the the per-request policy to send data: -------- The easiest way to get started with SSL Orchestrator security policies is to first understand your goals. For example: Do you need to block any type of traffic, and if so, under what condition? For example, you may want to block traffic for known TOR Proxy exit nodes which you can detect with the IP Intelligence subscription. Do you need to bypass decryption for any type of traffic, and if so, under what condition? For example, you may need to bypass decryption for sites that typically contain personally identifiable information (PII) like Financial and Healthcare related sites. You can achieve this with the URL Category subscription. Do you need to send different types of traffic to different service chains, and if so, under what condition? For example, it may be optimal to bypass some traffic types but still send to a subset of security products for additional encrypted analysis. ------ https://clouddocs.f5.com/sslo-deployment-guide/chapter4/page4.3.html Also for the SSLO issue now there are great articles and even a guide: https://community.f5.com/t5/technical-articles/implementing-ssl-orchestrator-high-level-considerations/ta-p/285866 https://support.f5.com/csp/article/K26520133 https://clouddocs.f5.com/sslo-troubleshooting-guide/main/ https://clouddocs.f5.com/sslo-deployment-guide/chapter5/page5.2.html

F5 SSL-O service chaining issue

11 Replies

Nikoolayy1
MVP
Aug 19, 2022
Hello,

You provided to little information as even an expert can't say what exactly is the case as for example there is no picture of your per-request policy or guided config rules that show if there is service attached for the proxy bypass rule and the service that is asigned can't be of type "HTTP services" as when doing bypass you need to aqssign layer2/3 service type that works without decryption.

Still you can check the link below as I suspect that when you bypass the traffic there is no attached service to which the the per-request policy to send data:

--------

The easiest way to get started with SSL Orchestrator security policies is to first understand your goals. For example:

Do you need to block any type of traffic, and if so, under what condition? For example, you may want to block traffic for known TOR Proxy exit nodes which you can detect with the IP Intelligence subscription.

Do you need to bypass decryption for any type of traffic, and if so, under what condition? For example, you may need to bypass decryption for sites that typically contain personally identifiable information (PII) like Financial and Healthcare related sites. You can achieve this with the URL Category subscription.

Do you need to send different types of traffic to different service chains, and if so, under what condition? For example, it may be optimal to bypass some traffic types but still send to a subset of security products for additional encrypted analysis.

------

https://clouddocs.f5.com/sslo-deployment-guide/chapter4/page4.3.html

Also for the SSLO issue now there are great articles and even a guide:

https://community.f5.com/t5/technical-articles/implementing-ssl-orchestrator-high-level-considerations/ta-p/285866

https://support.f5.com/csp/article/K26520133

https://clouddocs.f5.com/sslo-troubleshooting-guide/main/

https://clouddocs.f5.com/sslo-deployment-guide/chapter5/page5.2.html
- Kirimaya
  Nimbostratus
  Aug 21, 2022
  Dear Nikoolayy1
  
  i will test by your recomendation and update to you
  
  for my policy and setup like this
Kevin_Stewart
Employee
Aug 22, 2022
This is by design. Encrypted traffic does not flow to ICAP and HTTP services, which includes SWG.
- Kirimaya
  Nimbostratus
  Aug 22, 2022
  Dear Kevin
  
  But i don't understand, why i juse classification by source IP and bypass ssl. It can be sent to SWG
  - Nikoolayy1
    MVP
    Aug 26, 2022
    Also I forgot to mention that if you have URL database the SSLO can also do a URL lookup based on CN or SNI without SSL decryption and you can then forward those sites to the the proxy with a service as mentioned that is not HTTP or ICAP. You can also create a custom categories without license. Also you should be able to use the category lookup as a condition rule without directly changing that Per-Request Policy as the Guided config will change it.
    
    Category lookup
    
    https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/per-request-policy-item-reference/about-per-request-classification-items/about-category-lookup.html
    
    An example:
    
    https://techdocs.f5.com/en-us/bigip-16-0-0/ssl-orchestrator-setup/terminology-for-herculon-ssl-orchestrator-ct.html
    
    Managing the URL Category Database
    
    https://clouddocs.f5.com/sslo-deployment-guide/chapter4/page4.8.html
Kevin_Stewart
Employee
Aug 22, 2022
Well, specifically because an SWG per-request policy would have no effect on encrypted traffic. SSLO intentionally bypasses security services (ie. ICAP, HTTP, SWG) that cannot process encrypted traffic).
Nikoolayy1
MVP
Aug 22, 2022
Just create layer 2/3 service for the bypassed traffic depending if the F5 SSLO and the Web Proxy see each other on the Local Network or they are in different networks.

Please the link below:

https://clouddocs.f5.com/sslo-deployment-guide/chapter3/page3.1.html
Kevin_Stewart
Employee
Aug 22, 2022
To be clear though, you CAN send TLS bypassed (encrypted) traffic to inline layer 2, inline layer3, and TAP services.
- IanWijaya
  Nimbostratus
  Dec 03, 2022
  Hi Kevin,
  Trying to send an encrypted traffic to the Proxy devices configured as L3 service, however the proxies change the source port, and seems the signalling doesn't match on SSLO. I can see a RST packet coming from SSLO after the proxy forward the request using different source port.
  Any advice / workaround ?
  Thanks,
  Ian
  - Kevin_Stewart
    Employee
    Dec 03, 2022
    Yes, configure the proxy device as an HTTP service, instead of inline L3. The signaling used for HTTP services is different so can handle the port change.
Nikoolayy1
MVP
Oct 13, 2022
If you managed to get the needed answers, please flag the question as answered.