Forum Discussion

Konstantinos_Be's avatar
Konstantinos_Be
Icon for Altostratus rankAltostratus
Mar 28, 2023

SSLO HTTPS conversion to HTTP for NGFW inspection

Hi all, I am new to the bigip SSLO and I was playing around it in order to see if I can enhance my NGFW visibility instead of moving to a bigger box. The BIGIP has been moved as the default gateway...
BIG-IP
https
security
sslo
  • Stephan_Schulz's avatar
    Stephan_Schulz
    Mar 29, 2023

    Hi,

    this is the use case for which the SSLO is build for, so yes it is (easy) possible to do this. In this case, the NGFW is just a service (inspection) device and SSLO will forward traffic based on your policy. There is one thing to consider in how to positioning the SSLO and NGFW. Is this NGFW the internet facing device with NAT, VPN, etc? If yes, it is a bit more complex as you can't move the device into the inspection zone completely.

    From a SSLO perspective (best prectise) all inspection devices are hidden and isolated within a dedicated inspection zone and only the SSLO can forward traffic to them. It would be best to use a separate or a virtual instance of your NGFW as inspection device. Otherwise you can use PBR to steer the the traffic.

    client --> (https) SSLO --> (http) NGFW --> (http) SSLO --> (https) NGFW --> (https) internet

    The SSLO itself can be integrated as a L2 or a L3 device and it can work as a transparent or an explicit proxy. This really depends on your architecture or use case. You can find more details here: https://clouddocs.f5.com/sslo-deployment-guide/

    Cheers
    Stephan

Konstantinos_Be's avatar
Konstantinos_Be
Icon for Altostratus rankAltostratus

Hi Leslie_Hubertus ,

I can understand the "accept" criteria, however, I am seeing traffic as encrypted passing through the NGFW.

Do I need an iRule in order to decrypt it before been sent?

Thank you

Best Regards

Konstantinos

Stephan_Schulz's avatar
Stephan_Schulz
Icon for Employee rankEmployee
Mar 30, 2023

Hi,

no, there is no additional iRule needed to decrypt the traffic, but maybe we should go back one step and verify how you have integrated the solution. I understand that the SSLO is integrated in L3-mode and it is behaving as a transparent proxy. How is the service for NGFW configured? Is it a L2 or a L3 device?

In general, the SSLO will decrypt and forward traffic based on your security policy in combination with any dynamic service chain (see pictures below).

With the security policy you define your criterias for a specific traffic type (i.e. URLs) and the action (allow, drop etc.). You can also configure if this traffic type should be decrypted or not and to which service chain it should be forwarded.

  • Bypass means no TLS/SSL decryption
  • if a service chain is selected, SSLO will forward the traffic to all devices in this chain

 

 

 

You can configure different chains to involve different inspection devices in different order etc. 

 

 

 

To understand, why you are seeing encrypted traffic on your NGFW it is important to understand at which stage it has seen the traffic. Remember my previous answer, I don't know yet, but I assume your NGFW will see the traffic twice.

If you see the traffic outgoing from the SSLO to the NGFW (you can verify this with tcpdump on the SSLO) within the inspection zone, then you should verify your security policy and the matching criteria for the traffic. You can also see the classification result in /var/log/apm (you should enable debug-logging for trouble shooting).

Cheers
Stephan

  • Konstantinos_Be's avatar
    Konstantinos_Be
    Icon for Altostratus rankAltostratus
    Mar 30, 2023

    Hi Stephan,

     

    I fully understand what you just described and thanks for the nice illustrations.

    I have configured the NGFW as a L3 service using the provided IP addresses (even through I cannot understand why I cannot use other private IP addresses).

    The L3 service can be viewed below:

    The configured security policy is the below:

    The SSL configuration is the below:

    The NGFW is deployed in the LAB as a service only. Traffic after the service chain is forwarded from the BIGIP SSLO to the internet router and NATted for internet access.

    The NGFW configuration is pretty straighforward as it can be seen below:

     

    Am I missing something?

     

    Thank you

    Best Regards

    Konstantinos

    • Stephan_Schulz's avatar
      Stephan_Schulz
      Icon for Employee rankEmployee
      Mar 31, 2023

      Hi Konstantinos,

      actually it looks good, so there must be something different... And btw. you can use your own IP addresses if you want. Just disable the "auto manage addresses" option. This behaviour is by design, as we recommend to use isolated and dedicated vlans and IP addresses for any inspection device. 

      Which TMOS version do you use? (I don't remember the exact version, but we've have changed the default IP range in newer versions).

      You can find some troubleshooting tips here (choose your version): https://clouddocs.f5.com/sslo-deployment-guide/sslo-10/chapter5/page5.01.html

      Cheers
      Stephan

      • Konstantinos_Be's avatar
        Konstantinos_Be
        Icon for Altostratus rankAltostratus
        Mar 31, 2023

        Hi Stephan,

         

        I am currently running 16.1.3.3 and SSLO 9.3.41.

        I don't know how I can "force" HTTPS traffic to be decrypted before been sent to the NGFW.

        I do see the HTTPS traffic as terminated on the BIGIP since I have the wildcard certificate on the site as expected.

         

        Thank you

        Best Regards

        Konstantinos