Orchestrated Infrastructure Security - Protocol Inspection with AFM

The F5 Beacon capabilities referenced in this article hosted on F5 Cloud Services are planning a migration to a new SaaS Platform - Check out the latest here.

Introduction

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability, Central Management with BIG-IQ, Application Visibility with Beacon and the protection of critical assets using F5 Advanced WAF and Protocol Inspection (IPS) with AFM. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the Dev/Central article series Implementing SSL Orchestrator here.

This article focuses on configuring Protocol Inspection (IPS) with AFM deployed as a Layer 2 solution. It covers the configuration of Protocol Inspection on an F5 BIG-IP running version 16.0.0.

Configuration of BIG-IP deployed as AFM can be downloaded from here from GitLab. 

Please forgive me for using SSL and TLS interchangeably in this article.

This article is divided into the following high level sections:

  • Protocol Inspection (IPS) with AFM Network Configuration
  • Create an AFM Protocol Inspection Policy
  • Attach Virtual Servers to an AFM Protocol Inspection Policy

Protocol Inspection (IPS) with AFM: Network Configuration

The BIG-IP will be deployed with VLAN Groups. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface. 

From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.

Give it a name, ingress1 in this example. Set the Interface to 5.0. Set Tagging to Untagged then click Add. Interface 5.0 (untagged) should be visible like in the image below. Click Repeat at the bottom to create another VLAN.

Note: In this example interface 5.0 will receive decrypted traffic from sslo1.

Give it a name, egress1 in this example. Set the Interface to 6.0. Set Tagging to Untagged then click Add. Interface 6.0 (untagged) should be visible like in the image below. Click Finished when done.

Note: In this example interface 6.0 will receive decrypted traffic from sslo1.

Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure VLANs for the two interfaces connected to sslo2. These VLANs should be named in a way that you can differentiate them from the others. Example: ingress2 and egress2

It should look something like this when done:

Note: In this example Interface 3.0 and 4.0 are physically connected to sslo2.

Click VLAN Groups then Create on the right.

Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.

Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators.  Therefore, you should repeat these steps to configure a VLAN Group for the two interfaces connected to sslo2. This VLAN Group should be named in a way that you can differentiate it from the other, example: vlg1 and vlg2. It should look like the image below:

For full Layer 2 transparency the following CLI option needs to be enabled:

(tmos)# modify sys db connection.vgl2transparent value enable

Create an AFM Protocol Inspection Policy

You can skip this step if you already have an AFM Protocol Inspection policy created and attached to one or more virtual servers. If not, we’ll cover it briefly. In this example we configured Protocol Inspection with Signatures and Compliance enabled.

From Security select Protocol Security > Inspection Profiles > Add > New.

Give it a name, IPS in this example. For Services, select the Protocol(s) you want to inspect, HTTP in this example.

Optionally check the box to enable automatic updates and click Commit Changes to System.

Attach Virtual Servers to an AFM Protocol Inspection Policy

Attach the Protocol Inspection Profile to the Virtual Server(s) you wish to protect. From Local Traffic select Virtual Servers. Click the name of the Virtual Server you want to apply the profile to, 10.4.11.52 in this example.

Click Security > Policies.

Set the Protocol Inspection Profile to Enabled, then select the Profile created previously, IPS in this example. Click Update when done.

Repeat this process to attach the IPS Profile to the remaining Virtual Servers.

Summary

In this article you learned how to configure BIG-IP in layer 2 transparency mode using VLAN groups. We also covered how to create an AFM Protocol Inspection policy and attach it to your Virtual Servers.

Next Steps

Click Next to proceed to the next article in the series.

Updated Aug 11, 2022
Version 2.0
No CommentsBe the first to comment