
Cipher Rules And Groups in BIG-IP v13

My mother used to always tell me two things before I left for school in the morning. Be wary of what ciphers your application supports. Never use the Default cipher list unless you have compatibi...
Updated Jun 06, 2023
Version 2.0
application delivery
BIG-IP
ciphersuites
dcsecurity17
LTM
security
Chase_Abbott
Benoit_Durand_1
Jun 07, 2018

@Piotr,

That's exactly my point. After you've changed your cipher group configurations, you have to go to each client profile, select another cipher group, save, re-select your original one, save, in order for your cipher group changes to be applied. This is counter-intuitive, time-consuming and prone to omissions if you have a large number of client profiles using that cipher group.

It can also be misleading since BIG-IP's cipher audit lists what should be expected, not what the VS actually supports after the change. It could also be a security concern where administrators may think they patched a security issue with weak protocols / ciphers when in fact they will not have.

I'm a bit disappointed. Unless it is fixed, I now feel that it's better to have the cipher string directly in the client profile instead of a Cipher Group. With a Cipher Group, if you made changes to the group, you don't know if your profile needs "updating" or not. With a cipher string, what you have there is what you get, so there is no misunderstanding. Cipher Groups would be a great way to standardize and simplify cipher string configurations if changes could automatically permeate to all the Client SSL profiles on which they are applied.

- Ben
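
One way to check what a virtual server actually negotiates after a cipher group change, instead of relying on the audit list the comment above describes. This is an added example, not part of the comment and not F5 tooling; the cipher names, host and port are constructed placeholders, and the probe covers TLS 1.2 and below only.

```python
import socket
import ssl
import sys

def probe_cipher(host, port, cipher, timeout=5.0):
    """True/False: listener accepted/rejected `cipher`. None: cannot test locally."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we test cipher negotiation only,
    ctx.verify_mode = ssl.CERT_NONE  # not certificate trust
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3
    try:
        ctx.set_ciphers(cipher)      # offer exactly this one suite
    except ssl.SSLError:
        return None                  # local OpenSSL build lacks it (common for weak suites)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except OSError:                  # ssl.SSLError is a subclass: alert, reset, timeout
        return False

def audit(expected, candidates, probe):
    """Compare what the cipher group should allow with what the listener accepts.

    expected:   cipher names the cipher group audit lists
    candidates: extra ciphers to test, e.g. ones removed from the group
    probe:      callable(cipher) -> True / False / None
    """
    expected = set(expected)
    report = {"stale": [], "missing": [], "untested": []}
    for cipher in sorted(expected | set(candidates)):
        result = probe(cipher)
        if result is None:
            report["untested"].append(cipher)  # no evidence either way
        elif result and cipher not in expected:
            report["stale"].append(cipher)     # still live: profile not refreshed
        elif not result and cipher in expected:
            report["missing"].append(cipher)   # group lists it, listener refuses it
    return report

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. vs.example.test 443
    # Constructed sample lists: replace with your group's audit output
    # and the ciphers you removed from the group.
    expected = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
    removed = ["AES256-SHA", "DES-CBC3-SHA"]
    print(audit(expected, removed, lambda c: probe_cipher(host, port, c)))
```

A non-empty `stale` list means the listener still accepts a cipher the group no longer contains. Anything under `untested` has to be probed from a client whose TLS library still ships that suite.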
