Orchestrated Infrastructure Security - Guided Configuration
Introduction
This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability, Central Management with BIG-IQ, Application Visibility with Beacon and the protection of critical assets using F5 Advanced WAF and Protocol Inspection (IPS) with AFM. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.
If you need help setting up SSL Orchestrator for the first time, refer to the DevCentral article series Implementing SSL Orchestrator here.
This article focuses on configuring SSL Orchestrator to decrypt inbound SSL and pass the decrypted content to F5 Advanced WAF and Protocol Inspection (IPS) with AFM for enhanced protection from threats. It covers the configuration of the SSL Orchestrator Topology, Services and more on an F5 BIG-IP running version 15.1.0.4 and SSL Orchestrator version 7.4.9.
The configuration of the BIG-IP deployed as SSL Orchestrator can be downloaded from GitLab here.
Please forgive me for using SSL and TLS interchangeably in this article.
In this article we will walk you through the SSL Orchestrator Guided Configuration, which covers the following:
- Inbound L2 Topology creation
- Certificate and Key used for SSL Decryption
- Adding the Advanced WAF and AFM devices
- Creating a Security Policy
- Creating an Interception Policy
SSL Orchestrator Guided Configuration
From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration from the menu on the left.
Note: There are Required Configuration options on the right you may need to configure. A Route is not needed when SSL Orchestrator is deployed in Layer 2 mode.
The Configuration screen presents all of the configuration options that are available. Scroll to the bottom of the page and click Next.
Give the Topology a name, InboundAppProtection in this example. You can optionally configure the Protocol and IP Family you want the Topology to support. We’re using the default of TCP and IPv4. Select L2 Inbound and click Save & Next.
Configure the Certificate Key Chain by clicking the Pencil icon on the right.
Choose the correct Certificate and Key from the drop-down menu. In this example we use subrsa.f5labs.com for the Certificate and Key. Click Done.
There are Server-side SSL settings that you can optionally configure. Click Save & Next.
On the next screen click Add Service.
Scroll to the bottom, select Generic Inline Layer 2 and then Add.
Give it a name, Advanced_WAF in this example. Under Network Configuration click Add.
Here we create the VLANs & select the Interfaces the Advanced WAF devices are connected to. For the From and To VLAN options select Create New. Give them a unique name, egress_WAF1 and ingress_WAF1 in this example. Select the interfaces connected to the first WAF device, 4.1 and 4.2 in this example. Then click Done.
Repeat this process for the 2nd Advanced WAF device using interfaces 4.3 and 4.4. It should look like this when done.
Note: In this case the SSL Orchestrator interfaces 4.1 and 4.2 are connected to Advanced WAF1 interfaces 2.1 and 2.2. SSL Orchestrator interfaces 4.3 and 4.4 are connected to Advanced WAF2 interfaces 2.3 and 2.4.
You can optionally configure the Device Monitor and Service Down Action. Enable the Port Remap option and click Save.
Click Add Service to add the AFM devices.
Scroll to the bottom, select Generic Inline Layer 2 and then Add.
Give it a name, AFM in this example. Under Network Configuration click Add.
Here we create the VLANs & select the Interfaces the AFM devices are connected to. For the From and To VLAN options select Create New. Give them a unique name, egress_AFM1 and ingress_AFM1 in this example. Select the interfaces connected to the first AFM device, 5.1 and 5.2 in this example. Then click Done.
Repeat this process for the 2nd AFM device using interfaces 5.3 and 5.4. It should look like this when done.
Note: In this case the SSL Orchestrator interfaces 5.1 and 5.2 are connected to AFM1 interfaces 5.0 and 6.0. SSL Orchestrator interfaces 5.3 and 5.4 are connected to AFM2 interfaces 5.0 and 6.0.
You can optionally configure the Device Monitor and Service Down Action. Enable the Port Remap option and click Save.
Click Save & Next at the bottom.
Click Add to create the Service Chain.
Give it a name, Inbound_Protect1 in this example. Select ssloS_AFM and ssloS_Advanced_WAF Services then click the arrow to move them to the right. Click Save.
Note: It is recommended that AFM be placed first in the Service Chain Order. That way intrusion attempts are detected and blocked before they ever get to the Advanced WAF. This saves resources on the Advanced WAFs because they don’t have to process any of the attempted intrusion connections.
Click Save & Next.
For the Security Policy click the Pencil icon on the lower right to edit the rule.
Set the Service Chain to the one created previously. Click OK.
Click Save & Next at the bottom.
For the Interception Rule, define the Destination Address or subnet of the application servers you wish to protect. In this example the application servers are all in the 10.4.1.0/24 subnet. Specify the correct port, typically 443.
For the Ingress Network select the VLAN(s) that will be receiving traffic from external users, Direct_all in this example. Set the L7 Profile to http. Click Save & Next.
Make any changes to the Log Settings if needed. Click Save & Next.
On the Summary screen you can review and change any of the settings. Click Deploy when ready.
You should get a Success message.
If you receive an error, you will need to go back into the configuration to resolve it. If successful, you should see a screen like this:
Notice the Service Health status is indicated by the small green circle.
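As an added example (not from the article or from F5), here is a short Python pre-deployment check for the inline Layer 2 design built above. It reuses the walkthrough's interface, VLAN, service chain and interception values; the VLAN names for the second WAF and AFM devices (egress_WAF2/ingress_WAF2, egress_AFM2/ingress_AFM2) and the application server address are assumptions. It flags an SSL Orchestrator interface or VLAN wired to two devices, a chain that puts the WAF ahead of AFM, and an interception subnet that does not cover the servers.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class InlineL2Service:
    """A Generic Inline Layer 2 service; devices are (from_vlan, to_vlan, iface_a, iface_b)."""
    name: str
    devices: list = field(default_factory=list)

def validate_design(services, chain_order, dest_cidr, port, app_servers):
    """Return a list of problems; an empty list means the design is consistent."""
    problems, seen_ifaces, seen_vlans = [], {}, {}
    for svc in services:
        for from_vlan, to_vlan, ifa, ifb in svc.devices:
            for vlan in (from_vlan, to_vlan):  # every inline device needs its own VLAN pair
                if vlan in seen_vlans:
                    problems.append(f"VLAN {vlan} reused by {svc.name} and {seen_vlans[vlan]}")
                seen_vlans[vlan] = svc.name
            for iface in (ifa, ifb):  # an SSLO interface can be wired to only one device
                if iface in seen_ifaces:
                    problems.append(f"interface {iface} reused by {svc.name} and {seen_ifaces[iface]}")
                seen_ifaces[iface] = svc.name
    # SSL Orchestrator lists services in a chain with the ssloS_ prefix (e.g. ssloS_AFM)
    known = {"ssloS_" + s.name for s in services}
    problems += [f"unknown service {n} in chain" for n in chain_order if n not in known]
    # the article recommends AFM (IPS) ahead of the WAF so intrusions are dropped before the WAF sees them
    if {"ssloS_AFM", "ssloS_Advanced_WAF"} <= set(chain_order) and \
            chain_order.index("ssloS_AFM") > chain_order.index("ssloS_Advanced_WAF"):
        problems.append("ssloS_AFM should precede ssloS_Advanced_WAF in the service chain")
    # interception rule: destination must be a proper subnet that covers the app servers
    try:
        net = ipaddress.ip_network(dest_cidr, strict=True)
    except ValueError as e:
        return problems + [f"bad destination {dest_cidr}: {e}"]
    if not 1 <= port <= 65535:
        problems.append(f"port {port} out of range")
    problems += [f"app server {h} outside {dest_cidr}" for h in app_servers
                 if ipaddress.ip_address(h) not in net]
    return problems

# Values from the walkthrough; WAF2/AFM2 VLAN names and the app server address are constructed
ARTICLE_SERVICES = [
    InlineL2Service("Advanced_WAF", [("egress_WAF1", "ingress_WAF1", "4.1", "4.2"),
                                     ("egress_WAF2", "ingress_WAF2", "4.3", "4.4")]),
    InlineL2Service("AFM", [("egress_AFM1", "ingress_AFM1", "5.1", "5.2"),
                            ("egress_AFM2", "ingress_AFM2", "5.3", "5.4")]),
]
ARTICLE_CHAIN = ["ssloS_AFM", "ssloS_Advanced_WAF"]
def article_design_problems():
    return validate_design(ARTICLE_SERVICES, ARTICLE_CHAIN, "10.4.1.0/24", 443, ["10.4.1.10"])
```

Run `article_design_problems()` after changing any value; an empty list means the design matches the article's recommendations.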
Summary
In this article you learned how to use the SSL Orchestrator Guided Configuration to create a Topology, select the certificate and key used for SSL Decryption, add the Advanced WAF and AFM devices, create a Security Policy and an Interception Policy.
Next Steps
Click Next to proceed to the next article in the series.