SSL forward proxy integration with FireEye to inspect HTTPS

Question

We are trying to integrate F5 with FireEye to be able to inspect HTTPS traffic with the FireEye NX solution.&nbsp;
We started off by creating a simple SSL forward proxy setup to verify the SSL proxy functionality as follows. We used the IAPP f5.airgap_egress.v1.0.0rc4 and modified some details, like we created a separate virtual server for 443 for testing purposes.&nbsp;
&nbsp;
Considerations
Some applications do not work when SSL interception is enabled like Skype. It is needed to have a full list of host names, IP destination of traffic that cannot be decrypted and has to be excluded. SSL forward proxy only works if clients default gateway is self IP of F5. If external gateway is used all traffic is not being intercepted or matched by the virtual servers. 
SNAT has to be enabled otherwise connections are not being established. Downside is that FireEye is unable to see the original source IP address. Perhaps HTTP header X-forwarded-for will solve this.&nbsp;
SSL forward proxy with route domains
Lab setup
After setting up the basic SSL forward proxy we continued creating to route domains. Created to routes one from route domain 0 to route domain 1 and one from route domain 1 to the external router. For your information we used only 1 Big IP device.&nbsp;
&nbsp;
&nbsp;
Considerations
All traffic works fine UDP, HTTP, but HTTPS always results in an SSL error message, because there are two SSL client sessions.&nbsp;
&nbsp;
To be able to decrypt the traffic and forwarding it unencrypted from route domain 0 to route domain 1 we have to disable SSL on the server side on virtual server wildcard 443 in route domain 0 and we have to disable client side ssl on the SSL wildcard virtual server located in route domain 1 so it will accept connections unencrypted.
The following Irule is being used to simply disable SSL traffic on the server side communicating towards route domain 1.&nbsp;
&nbsp;
On the SSL wildcard virtual server in route domain 1 we disable Client ssl profile and enable server SSL to re-encrypt the connection.&nbsp;
&nbsp;
Now when we try to open a SSL website like gmail.com we receive the following error. It happens with every SSL website w
&nbsp;
In Wireshark we observer that the handshake is failing to the Gmail website, but the client proxy SSL connection is successfully setup with TLS 1.2. The TLS session towards google is TLSv1, so perhaps that’s the problem here.&nbsp;
&nbsp;
Does anyone has some recomendations why this is happening?&nbsp;

marvin · Answer

Update on the original test;&nbsp;
Considerations Some applications do not work when SSL interception is enabled like Skype. It is needed to have a full list of host names, IP destination of traffic that cannot be decrypted and has to be excluded. SSL forward proxy only works if clients default gateway is self IP of F5. If external gateway is used all traffic is not being intercepted or matched by the virtual servers. SNAT has to be enabled otherwise connections are not being established. Downside is that FireEye is unable to see the original source IP address. Perhaps HTTP header X-forwarded-for will solve this.&nbsp;
It is not needed to configure the F5 as the gateway when we have a Vlan group configured as a tranparent layer 2 setup. Also it is not needed to translate the original IP.&nbsp;

marvin · Answer

Some images got mixed up from another article I don¬¥t know why, please take that into account, the first Picture shouldn¬¥t appear here, Also 4th, 5th and 6th.¬†
https://devcentral.f5.com/s/feed/0D51T00006i7hokSAA¬†

Forum Discussion

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Query on source IP preservation for syslog traffic through F5 virtual server

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS