Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Rosieodonell_16's avatar
Rosieodonell_16
Icon for Cirrus rankCirrus
Dec 04, 2017

Some SSL Orchestrator Questions

Just upgraded to 13 code on our F5 and noticed I now has a nice GUI and setup for the SSL Orchestrator. I know this was available via an iApp but I never had the time to play with it. Now that it is ...
BIG-IP Access Policy Manager (APM)
iApps
security
ecce's avatar
ecce
Icon for Cirrostratus rankCirrostratus
Jan 28, 2018

Hi!

 

  1. Depends. If the receive-only device is the ONLY device in the ONLY chain then YES, traffic is forwarded. Traffic is not forwarded if ANY device in the chain says no. The receive only device is normally a logging device, sitting on a read-only connection. You could do another chain with a IDS, firewall or whatever. If that detects the malware it is not forwarded. Check out this lightboard lesson: https://www.youtube.com/watch?v=mvse6zCt_jo (and the link in it)

     

  2. I'm not sure if I understand the question fully. You can use two VLANs on a single physical connection. If you look in the Service chain tab you'll see you can add a VLAN tag next to the interface when you add a device.

     

  3. Are we talking about decrypting clients traffic in/out from your own network to the internet? Then you need a certificate installed on F5 that the clients trust. You need to install the signing certificate on every client, otherwise you will get a warning. The server does not need to trust it. Note that the signing certificate are installed in different ways depending on client and browser. Firefox for example has it's own certificate storage. Other browsers use different solutions.

     

Hope this helps!