Forum Discussion
shopkeeper56_23
Cirrostratus
CirrostratusSSL Inspection Bypass
Hi,
Im in the process of setting up SSL inspection on browsing traffic for a client. I have been using F5's deployment guide (https://www.f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf) to set t...
Yann_Desmarest
Cirrus
CirrusHello,
Why not just set up an SSL forward proxy configuration and apply a specific SSL profile for that :
You can also define a bypass list within the SSL profile directly
shopkeeper56_23That method would require that I manually input every site/hostname that I would like to bypass. The intention here is to use URL DB Categories from the SWG to determine which sites should be bypassed (see the F5 documentation I linked). And as mentioned in my post, the bypassing isnt the issue here. The fact is that the above iRule which is supplied by F5 verbatim as part of their deployment guide is for some reason bombing out non-bypassed HTTPS connections.- Yann_DesmarestAre you sure that a "non-bypassed" connection hit the following command within the irule : SSL::forward_proxy policy intercept Did you add some logs in the irule to check the path used for those failing connections ?
- shopkeeper56_23I did not add anything to the iRule. It's taken verbatim from F5's documentation baring changes to pool information. How would I log that to be sure?
- Yann_Desmarestyou can add the following command where you need it : log local0. "my custom log information" I suggest to put a log after each if or else condition
- shopkeeper56_23Sorry didnt see this response. Will try the logging today and see if its hitting the SSL forward proxy policy
