no-idea-what-im
Jun 14, 2017 - Nimbostratus
iRule for IPS and SSL decryption (Air Gap) - "SSL::disable serverside" not working
Hello,
I am working on getting an iRule implemented that will decrypt inbound traffic, send it to a load balanced IPS pool on VLAN A, receive the post IPS inspected traffic on VLAN B, re-encrypt and send on to its destination.
Flow overview: Firewall > F5 > IPS Pool > F5
It's essentially this deployment guide, using a single F5 device.
We are seeing that the command "SSL::disable serverside" is not working.
Any ideas on what is happening?
when CLIENT_ACCEPTED {
    # perform operation on percentage of traffic
    set percent [class lookup percent vip_presets]
    if { rand() < $percent } {
        # disable server side ssl. Leave disabled unless inline security devices are down
        SSL::disable serverside
        # get the name of the default pool and store in a variable
        set app_pool [LB::server pool]
        # check for active members of the security device pool
        if { [active_members IPS_Pool] > 0 } {
            # get load balanced L3 service
            pool IPS_Pool
            set L3 [lindex [split [LB::select]] 3]
            log local0. "router is $L3"
            # use snat none if snat is enabled in VS config but
            # needs to be disabled for routing through security devices
            snat none
        } else {
            # inline service failed - go direct to app pool
            log local0. "l3 service down"
            SSL::enable serverside
            # snat as required
            snat automap
        }
        # re-select the app pool
        pool $app_pool
    } else {
        log local0. "not redirected HTTPS"
    }
}
when LB_SELECTED {
    if { [info exists L3] } {
        # nexthop through L3 service
        LB::reselect nexthop ${L3}
    }
}
Thank you in advance for any and all help (I'm not a coder - someone else created the iRule).