Forum Discussion

Oct 07, 2022

Where are the F5 SSL Orchestrator (SSLO) SplitSession Client/SplitSession Server profiles used?

I have seen these profiles, but there is not a lot of info about their use cases.

 

From the article below, I think that they are only important when two F5 SSLO devices are used for ingress and egress traffic:

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-13-1-0/39.html

From what I gather, if a single SSLO is used, the settings will be "Local Peer" enabled and "Lookup Type" set to "Flow", but when is "Session Flow" or "HTTP Header" used? Is "Session Flow" for layer 2/3 services and when there are two SSLOs for ingress and egress traffic, and "HTTP Header" for transparent/explicit proxy services, again with two SSLOs for ingress and egress traffic?

 

 


2 Replies

  • SplitSession profiles are used to convey flow information (signaling) for the traffic that leaves the BIG-IP to pass through the security services. For inline L2/L3 services, flow is used (5-tuple src:dst addr:port proto). Flow signaling can't work across an HTTP (proxy) device because a proxy will always minimally change the source port, and usually some of the other values. So for HTTP services it uses an HTTP header to track the flow across the service. To my knowledge, session flow isn't used.
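
A conceptual model of the two lookup types described in the reply above, added here as an example; it is not part of the original thread and not F5's implementation. It shows a 5-tuple lookup surviving an inline L2/L3 service but missing after a proxy re-originates the connection, while a header-carried token still matches. The class, function and header names are hypothetical, and the addresses are constructed sample values.

```python
import secrets
from typing import NamedTuple

class FiveTuple(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

HDR = "X-Example-Flow-Id"  # hypothetical header name, not an F5 identifier

class SplitSessionModel:
    """Toy model: re-associate traffic returning from a security service."""
    def __init__(self):
        self.by_flow = {}   # 5-tuple -> session id      ("Flow" lookup)
        self.by_token = {}  # header token -> session id ("HTTP Header" lookup)

    def send_to_service(self, sid, flow, headers=None):
        self.by_flow[flow] = sid
        if headers is not None:  # HTTP service: also tag the request
            token = secrets.token_hex(8)
            self.by_token[token] = sid
            headers = {**headers, HDR: token}
        return flow, headers

    def lookup_flow(self, flow):
        return self.by_flow.get(flow)

    def lookup_header(self, headers):
        return self.by_token.get((headers or {}).get(HDR))

def l2_l3_service(flow, headers):
    """Inline L2/L3 device: forwards with the 5-tuple intact."""
    return flow, headers

def http_proxy_service(flow, headers):
    """Proxy: opens a new connection, so source address and port change."""
    return flow._replace(src="198.51.100.20", sport=flow.sport + 1000), headers

def demo():
    m = SplitSessionModel()
    f1 = FiveTuple("192.0.2.10", 40000, "203.0.113.5", 443, "tcp")  # constructed
    f2 = FiveTuple("192.0.2.10", 40001, "203.0.113.5", 80, "tcp")   # constructed
    back1, _ = l2_l3_service(*m.send_to_service("s1", f1))
    back2, hdrs = http_proxy_service(*m.send_to_service("s2", f2, {"Host": "example.test"}))
    return {"l2l3_flow": m.lookup_flow(back1),
            "proxy_flow": m.lookup_flow(back2),
            "proxy_header": m.lookup_header(hdrs)}

if __name__ == "__main__":
    print(demo())
```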