Forum Discussion
Konstantinos_Be
Altostratus
AltostratusSSLO HTTPS conversion to HTTP for NGFW inspection
Hi all, I am new to the bigip SSLO and I was playing around it in order to see if I can enhance my NGFW visibility instead of moving to a bigger box. The BIGIP has been moved as the default gateway...
Hi,
this is the use case for which the SSLO is build for, so yes it is (easy) possible to do this. In this case, the NGFW is just a service (inspection) device and SSLO will forward traffic based on your policy. There is one thing to consider in how to positioning the SSLO and NGFW. Is this NGFW the internet facing device with NAT, VPN, etc? If yes, it is a bit more complex as you can't move the device into the inspection zone completely.
From a SSLO perspective (best prectise) all inspection devices are hidden and isolated within a dedicated inspection zone and only the SSLO can forward traffic to them. It would be best to use a separate or a virtual instance of your NGFW as inspection device. Otherwise you can use PBR to steer the the traffic.
client --> (https) SSLO --> (http) NGFW --> (http) SSLO --> (https) NGFW --> (https) internet
The SSLO itself can be integrated as a L2 or a L3 device and it can work as a transparent or an explicit proxy. This really depends on your architecture or use case. You can find more details here: https://clouddocs.f5.com/sslo-deployment-guide/
Cheers
Stephan
Konstantinos_BeAltostratus
AltostratusHi Leslie_Hubertus ,
I can understand the "accept" criteria, however, I am seeing traffic as encrypted passing through the NGFW.
Do I need an iRule in order to decrypt it before been sent?
Thank you
Best Regards
Konstantinos
That's a follow up for Stephan_Schulz - who I think is already offline for the day, but will hopefully come back tomorrow to reply.