Sending a traffic feed of decrypted TLS traffic to an external intrusion detection system

Question

I'm trying to set up an intrusion detection system (Suricata) which inspects TLS decrypted traffic from our f5 (of VIPs on which we do TLS offloading). &nbsp;
My initial thoughts were that I could simply set up 'clone pools' or 'interface mirroring' [1], but based on what I've read in some other posts [2], both of these options will only result in encrypted traffic being made available. And that's not what I'm after -- we want a decrypted feed. &nbsp;
What's the recommended approach for achieving this? &nbsp;
[1] https://support.f5.com/csp/article/K13392
[2] https://devcentral.f5.com/questions/ssl-decryption-to-ids , https://devcentral.f5.com/questions/clone-pool-and-port-mirroring&nbsp;

morten_marstran · Answer

Hi,&nbsp;
You can do this by assigning the clone pool to the server side context:&nbsp;
tmsh modify /ltm virtual 'virtual_name' clone-pools add { 'pool_name' {context serverside } }&nbsp;

Forum Discussion

Sending a traffic feed of decrypted TLS traffic to an external intrusion detection system

Recent Discussions

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

F5 Distributed Cloud JA4 detection for enhanced performance and detection

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

F5 Distributed Cloud - Regional Decryption with Virtual Sites

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS