Sending a traffic feed of decrypted TLS traffic to an external intrusion detection system

Question

I'm trying to set up an intrusion detection system (Suricata) which inspects TLS decrypted traffic from our f5 (of VIPs on which we do TLS offloading). &nbsp;
My initial thoughts were that I could simply set up 'clone pools' or 'interface mirroring' [1], but based on what I've read in some other posts [2], both of these options will only result in encrypted traffic being made available. And that's not what I'm after -- we want a decrypted feed. &nbsp;
What's the recommended approach for achieving this? &nbsp;
[1] https://support.f5.com/csp/article/K13392
[2] https://devcentral.f5.com/questions/ssl-decryption-to-ids , https://devcentral.f5.com/questions/clone-pool-and-port-mirroring&nbsp;

morten_marstran · Answer

Hi,&nbsp;
You can do this by assigning the clone pool to the server side context:&nbsp;
tmsh modify /ltm virtual 'virtual_name' clone-pools add { 'pool_name' {context serverside } }&nbsp;

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Sending a traffic feed of decrypted TLS traffic to an external intrusion detection system

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Request for Bug Tracker/Known Issues – BIG-IP Version 17.5.1.2

AST Configuration Assistance

Adding logging to APM per-request policy without SWG license

Single LTM with multiple GTM domains

License activation

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

F5 Distributed Cloud JA4 detection for enhanced performance and detection

decrypted tcpdump capture without using an iRule and without using tshark

Decrypting BIG-IP Packet Captures Automatically

Decrypting TLS traffic on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS