Air Gap Egress Inspection with SSL Intercept iApp Template Release Candidate

Problem this snippet solves:

Note F5 has released a new F5 supported iApp template (f5.ssl_intercept) that replaces all versions of Air Gap template. Find the template and details on AskF5:

We strongly recommend using the fully supported SSL Intercept iApp instead of any of the Air Gap release candidates.

Initial Release

v1.0.0rc1 iApp template for configuring LTM to decrypt outbound SSL traffic for inspection by a security device, such as an Intrusion Prevention System (IPS). BIG-IP intercepts and decrypts HTTPS client traffic, and forwards it to:

  • Layer 2 mode: The internal self IP address of the egress BIG-IP. The security device sits between the ingress (client-side) and egress (internet-side) BIG-IPs. Two BIG-IP systems are required for this scenario.

  • Layer 3 mode: The layer 3 IP address of the security device. The security device must be configured to route outbound traffic to the internal self IP address of the egress BIG-IP. This scenario supports deployment on a single BIG-IP system configured with separate ingress and egress networks, or two BIG-IP systems.

After inspection, the egress BIG-IP re-encrypts the SSL traffic and forwards it to a pool of routers or other devices.

Optional: If the ingress BIG-IP system is running BIG-IP version 11.5.0 or later and has Secure Web Gateway (SWG) provisioned and URL Filtering licensed, users may choose to bypass SSL decryption for selected SWG URL categories.

v1.0.0rc2 This includes all of the functionality from the RC1 template. It adds support for using the network firewall (AFM must be licensed and provisioned) to restrict outbound access to specific networks/addresses. Support for explicit forward proxy is also included.

v1.0.0rc3 Fixed an issue with the associated cli script that could prevent users from importing iApp templates

v1.0.0rc4 Multiple changes, including:

  • iApp now supports decrypting HTTPS traffic over any TCP port, previous versions only supported port 443.

  • A UDP forwarding ingress virtual server is created.

  • iApp now supports the use of a default route for forwarding of egress traffic.

  • iApp now supports selecting LTM data groups for bypassing SSL intercept by hostname, source IP address, or destination IP address.

  • A performance issue was corrected.


  • Fixed missing variable error when deploying egress scenario in advanced mode

  • Added SNI (Server Name Indication) support

Minimum required BIG-IP version: 11.4.

You can find the associated deployment guide at Air Gap Egress Inspection with SSL Intercept.

Contributed by: F5

Code :

Published Mar 10, 2015
Version 1.0

Was this article helpful?