For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

StephanManthey's avatar
StephanManthey
Icon for Nacreous rankNacreous
Nov 22, 2017

On BIG-IP VE TMOS v12.1.2 I tested a different approach:

A "frontend" virtual server terminates SSL by using a client-ssl profile but does not re-encrypt (no server-ssl profile assigned).

Instead the "frontend" virtual server has an iRule (please see below) to forward traffic to a 2nd "internal" virtual server on the same BIG-IP device (no pool assigned): 
when CLIENTSSL_HANDSHAKE {
    virtual vs_internal
}

The "internal" virtual server will re-encrypt by using a server-ssl profile to the pool of real servers. The tcpdump will target the interface "

0.0:nnn
" (capturing "F5 internal noise" to be decoded by the F5 wireshark plugin) and filters on the "internal" virtual servers IP address.

Please make sure to capture the whole packet "
-s 0
" into the raw dump file specified by "
-w
" and limit the number of packets i.e "
-c 10000
": 
tcpdump -i 0.0:nnn -s 0 -c 10000 -w /var/tmp/internal.001.pcap host