F5 Secure Web Gateway iApp Template

Problem this snippet solves:

This iApp assists in the configuration of the F5 Secure Web Gateway subscription add-on to Access Policy Manager (APM). It allows you to configure for both transparent or explicit proxy modes, SSL interception, and additional services in support of the proxied connections (like Proxy Auto-Configuration).

How to use this snippet:

Prerequisites

This template requires BIG-IP v11.5 or later, and can only be used with APM and SWG provisioned, and a valid subscription to SWG services applied to the BIG-IP.

Prior to running this template, if you intend to use the SSL interception features of SWG, you must have imported a CA certificate and key. In addition, you must create an APM Access Profile of the appropriate type for your deployment; the iApp will use this profile for its authentication and assignment of an SWG malware/filtering scheme.

Note: This template has not been tested nor is it supported if deploying multiple times on a single BIG-IP (via route domains or within partitions)

Features

  • Supports two deployment modes: explicit and transparent proxy
  • Configures interception of SSL traffic by category; can decrypt certain SSL traffic for inspection
  • Creates all necessary virtual servers and profiles to quickly build your SWG environment
  • For explicit proxy, creates and manages a Proxy Auto-Configuration (PAC) function

v1.1.0rc1

This updated template includes all features from the previous version, and adds support for the use of APM per-request policy in BIG-IP v11.6.0 and later. You must create a per-request APM access policy prior to deploying the iApp. When using per-request policy, the iRule for controlling SSL bypass via URL categories has been deprecated; however, the iApp template is compatible with BIG-IP v11.5.0.

v1.1.0rc2

Fixed a missing variable error when deploying transparent proxy on 11.6 or later. iApp now uses the f5.iapp cli script for portability and maintainability.

v1.1.0rc3

Fixed an issue with the associated cli script that could prevent users from importing iApp templates.

v1.1.0rc4

Added support for deploying ICAP to forward requests to DLP server(s). Fixed an error that occurred when deploying an AAM-enabled LTM policy.

Code :

67239
Published Mar 10, 2015
Version 1.0
  • I am using the 'f5.secure_web_gateway.v1.1.0' template. when I try to create an iApp using this template, I'm getting this error: "01070734:3: Configuration error: Can't associate (/Common/Drafts/SWG_v1.1.0_iApp_acceleration_policy) with folder (/Common/Drafts) folder does not exist" I saw that RC3 is out so I tried with that. Using this template (f5.secure_web_gateway.v1.1.0rc3), I managed to create the iApp successfully. However I noticed that the "Web Acceleration and Optimization" menu is missing when using the RC3 template (whereas it was present on the 'f5.secure_web_gateway.v1.1.0' template). Is this an expected behavior with the RC3 template?
  • Has there been any updates to RC4? Doesn't look like its made its way into the Iapps download yet.

     

  • With the release of the new TCP profiles in V13, it would be good to have an updated iAPP that either uses the new TCP Profiles, or provides an advanced option to allow selection of TCP Profiles.