Forum Discussion
iRule for IPS and SSL decryption (Air Gap) - "SSL::disable serverside" not working
Hello,
I am working on getting an iRule implemented that will decrypt inbound traffic, send it to a load balanced IPS pool on VLAN A, receive the post IPS inspected traffic on VLAN B, re-encrypt and send on to its destination.
Flow overview: Firewall > F5 > IPS Pool > F5
It's essentially this deployment guide, using a single F5 device.
We are seeing that the command
SSL::disable serverside
is not working.
Any ideas on what is happening?
when CLIENT_ACCEPTED {
    # perform operation on percentage of traffic
    set percent [class lookup percent vip_presets]
    if { rand() < $percent } {
        # disable server side ssl. Leave disabled unless inline security devices are down
        SSL::disable serverside
        # get the name of the default pool and store in a variable
        set app_pool [LB::server pool]
        # check for active members of the security device pool
        if { [active_members IPS_Pool] > 0 } {
            # get load balanced L3 service
            pool IPS_Pool
            set L3 [lindex [split [LB::select]] 3]
            log local0. "router is $L3"
            # use snat none if snat is enabled in VS config but
            # needs to be disabled for routing through security devices
            snat none
        } else {
            # inline service failed - go direct to app pool
            log local0. "l3 service down"
            SSL::enable serverside
            # snat as required
            snat automap
        }
        # re-select the app pool
        pool $app_pool
    } else {
        log local0. "not redirected HTTPS"
    }
}
when LB_SELECTED {
    if { [info exists L3] } {
        # nexthop through L3 service
        LB::reselect nexthop ${L3}
    }
}
Thank you in advance for any and all help (I'm not a coder - someone else created the iRule).
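Added example (editor's note, not code from the thread or from F5): a trimmed ingress iRule for the same air-gap flow that makes the usual silent failure visible. SSL::disable serverside only has something to act on when the virtual server actually carries a serverssl profile, so the rule checks for one with PROFILE::exists before relying on it and logs loudly if it is missing. Assumptions: the virtual server has both a clientssl and a serverssl profile attached, IPS_Pool is the inline inspection pool reached over VLAN A, the default pool of the virtual server is the application pool, and the traffic-percentage gate from the original rule has been dropped for brevity.

```tcl
# Added example, not from the original post. Assumes a clientssl AND a
# serverssl profile are attached to this virtual server, IPS_Pool is the
# inline IPS pool on VLAN A, and the VS default pool is the application pool.
when CLIENT_ACCEPTED {
    set app_pool [LB::server pool]

    # Without a serverssl profile there is no server-side TLS to disable:
    # fail loudly instead of silently sending whatever the VS does by default.
    if { ![PROFILE::exists serverssl] } {
        log local0. "[virtual name]: no serverssl profile; cannot hand cleartext to IPS_Pool"
        pool $app_pool
        return
    }

    if { [active_members IPS_Pool] > 0 } {
        # Decrypt only: client-side TLS terminates here, the server side
        # leaves in the clear towards the IPS on VLAN A.
        SSL::disable serverside
        # SNAT would hide the real client address from the IPS and break
        # the return path on VLAN B; route with the original source.
        snat none
        pool IPS_Pool
        # Fourth field of LB::select output is the selected member address.
        set ips_nexthop [lindex [split [LB::select]] 3]
        log local0. "[IP::client_addr] -> IPS nexthop $ips_nexthop"
        pool $app_pool
    } else {
        # Inline devices down: bypass inspection, re-encrypt straight to the app.
        log local0. "IPS_Pool has no active members; bypassing inspection"
        SSL::enable serverside
        snat automap
        pool $app_pool
    }
}

when LB_SELECTED {
    # Keep the application pool member as the destination but send the
    # packets through the selected IPS as the next hop.
    if { [info exists ips_nexthop] } {
        LB::reselect nexthop $ips_nexthop
    }
}
```

In the reverse-proxy variant of this design the traffic that comes back from the IPS on VLAN B must hit a second, egress virtual server that carries only a serverssl profile; that is where re-encryption happens, so a packet capture on VLAN A or B showing TLS records means one of the two virtual servers is not terminating the side it is supposed to.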
Why do you think the 'SSL::disable serverside' isn't working? Are there any specific error messages?
- no-idea-what-im
Nimbostratus
Our PCAPs show TLS/SSL traffic going across the VLANs. We should never see that as the F5 should handle all of that.
The two VLANS, A and B, are private non-routable between the F5 and IPSs. There are no other devices on those VLANs.
Plus, the site breaks when we enable the IPS Pool.
It seems that you are using an old deployment guide? Why?
I've been using the guidelines from this deployment guide successfully: http://f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf
- Ilian_Ivanov
Nimbostratus
Hi,
I can suggest that you add a serverssl profile to your VIP and then just remove "SSL::enable serverside".
https://devcentral.f5.com/wiki/iRules.SSL__enable.ashx
- no-idea-what-im
Nimbostratus
Hi,
That deployment guide was just meant to illustrate the single F5 deployment we are using.
But this iRule you are using appears to be from an older deployment guide. Unfortunately I can't find this deployment guide. Do you still have it? The iRules I have been using are completely different.
- no-idea-what-im
Nimbostratus
No, I don't have it. The iRule was written by someone else and given to me.
I will start working on the "newer" iRule from the deployment guide you provided.
Does your iRule (that is working) look similar to the one in the deployment guide? Or did you use the iApp?
- no-idea-what-im
Nimbostratus
Thanks for that!
My first attempt at it did not work, but I will keep trying.
Do these iRules get applied on the corresponding "wildcard VIPs"?
The ingress iRule is for the ingress tcp virtual server and the egress iRule is for the egress http virtual server.
- no-idea-what-im
Nimbostratus
One thing I failed to mention is that this is a reverse proxy setup.
All of the implementation guides show forward proxy implementations.
I would think it would be the same or similar, but unfortunately it is still not working for me.
Thanks again!