F5 Secure Web Gateway iApp Template
Problem this snippet solves:
This iApp assists in the configuration of the F5 Secure Web Gateway subscription add-on to Access Policy Manager (APM). It allows you to configure either transparent or explicit proxy mode, SSL interception, and additional services that support the proxied connections (such as Proxy Auto-Configuration).
How to use this snippet:
This template requires BIG-IP v11.5 or later. It can only be used with APM and SWG provisioned and with a valid subscription to SWG services applied to the BIG-IP.
Prior to running this template, if you intend to use the SSL interception features of SWG, you must have imported a CA certificate and key. In addition, you must create an APM Access Profile of the appropriate type for your deployment; the iApp will use this profile for its authentication and assignment of an SWG malware/filtering scheme.
Note: This template has not been tested, and is not supported, when deployed multiple times on a single BIG-IP (via route domains or within partitions).
- Supports two deployment modes: explicit and transparent proxy
- Configures interception of SSL traffic by category; can decrypt certain SSL traffic for inspection
- Creates all necessary virtual servers and profiles to quickly build your SWG environment
- For explicit proxy, creates and manages a Proxy Auto-Configuration (PAC) function
This updated template includes all features from the previous version and adds support for APM per-request policy in BIG-IP v11.6.0 and later. You must create a per-request APM access policy prior to deploying the iApp. When using per-request policy, the iRule for controlling SSL bypass via URL categories has been deprecated; however, the iApp template remains compatible with BIG-IP v11.5.0.
Fixed a missing variable error when deploying transparent proxy on 11.6 or later. iApp now uses the f5.iapp cli script for portability and maintainability.
Fixed an issue with the associated cli script that could prevent users from importing iApp templates.
Added support for deploying ICAP to forward requests to DLP server(s). Fixed an error that occurred when deploying an AAM-enabled LTM policy.