Incident Remediation with Cisco Firepower and F5 SSL Orchestrator
Hi,
Great article! As I am not a routing expert, I am not sure about this statement related to the FTD-Protect VS: "The 10.5.11.0 network is the Destination the 10.4.11.0 network must take to pass through SSL Orchestrator and get to the internet."
I assumed the following:
- SSLO configured in L2 mode (vWire)
- L2 Outbound Topology is configured
As far as I understand, in such a config SSLO is transparent to other devices (but of course still processes traffic at L3-L7).
How can traffic destined for the Internet be destined to the 10.5.11.0 network? If the dst IP in traffic passing via SSLO is in the 10.5.11.0 network (so the FTD-Protect VS can capture and process it), then it can only reach something that is in this network, not an Internet destination. Am I missing something here?
It could work if the 10.5.11.0 network were a kind of overlay network carrying client traffic inside, but if a client initiates traffic to the 10.5.11.0 network, then it can't be directed to the Internet, only to something in this network.
I would really appreciate a few words of explanation about the traffic flow.
Piotr