Forum Discussion

Nandhi's avatar
Icon for Cirrus rankCirrus
Sep 13, 2022

How to filter VIP with SSL method


Just want to understand is there any way we can filter vip with ssl method associated like offload, full-proxy and passthrough using tmsh. The requirement is to fetch all virtual servers and pool members which are encrypted and unencrypted. 


1 Reply

  • There's no details in the profile objects themselves that indicate that it is an ssl profile unless your nomenclature is set up that way and you're confident it's accurate. But you can do this with a tmsh script. You'll need to first build two lists, one each for client-ssl and server-ssl profiles, and then loop through each virtual's profiles to determine one or more matches. Logic would be something like this:

    • if match client AND server profile, then traffic client->BIG-IP->server is encrypted on the wire but offloaded
    • if match only client profile, then traffic to BIG-IP is encrypted, but to server is decrypted
    • if match only server profile, then traffic to BIG-IP is decrypted, but to server is encrypted
    • if match no profiles but the defined port (or port list if not standard 443/https),then traffic client->BIG-IP->server is encrypted on the wire and passthru

    I think this gets you most of the way to where you want to go. You will likely want to communicate the state differently than I did, but the code is here now in the codeshare for you to adjust as you see fit.