on 21-Jan-2020 12:16
This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ.
Implementing SSL/TLS Decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on management with BIG-IQ.
This article is divided into the following high level sections:
Please forgive me for using SSL and TLS interchangeably in this article.
Software versions used in this article:
BIG-IP Version: 14.1.2
SSL Orchestrator Version: 5.5
BIG-IQ Version: 7.0.1
Notes on installing BIG-IQ
If an existing pair (CM and DCD) are already installed:
-Upgrade the BIG-IQ to 126.96.36.199 (latest as of in 10/16/2019):
--scp BIG-IQ-188.8.131.52-0.0.6.iso firstname.lastname@example.org:/shared/images
--install sys software image BIG-IQ-184.108.40.206-0.0.6.iso volume HD1.2 create-partition reboot
--Same on other BIG-IQ
Adding BIG-IP devices
From the BIG-IQ UI go to Devices > BIG-IP Devices. Click Add Device(s).
Enter the IP Address, User Name and Password. Click the down arrow next to Cluster Display Name and select Create New.
Name it, in this example “My_Cluster” then click Add.
On the next screen select the Services you wish to discover. LTM should be selected by default. Select the box next to SSL Orchestrator and click Continue.
The Discovery process may take a few minutes. When complete click Add Device(s) again.
Enter the IP Address, User Name and Password of the next BIG-IP device. Click the down arrow to the right of Cluster Display Name and select Use Existing. Under Select a cluster choose My_Cluster.
LTM should be selected by default. Select the box next to SSL Orchestrator and click Continue.
When complete click the link to Complete import tasks.
For LTM click the box to Create a snapshot. Click the Import button.
Click the arrow to go back.
Click the link to Complete import tasks.
For LTM click the box to Create a snapshot. Click the Import button.
Then scroll to the bottom and click Import.
For the Location choose to Create New or Use Existing. In this example we Use Existing Location, “pmelab”. Click Deploy then Yes.
You should see a success message like below. Click OK.
Repeat the steps above to Import and Deploy the SSL Orchestrator settings on the 2nd BIG-IP.
Note: If you receive an out of sync error message you may need to connect to the BIG-IP Configuration Utility and manually synchronize the devices.
Under Services you should see Management, LTM, SSO. If there is an error under Stats Collection click the blue text.
Click Save & Close
Do this for both BIG-IP devices if needed.
The next screen should look like this.
Note: The Status icon will indicate overall device health. Notice in this example it’s a yellow triangle. Hover the mouse cursor over the Status icon to get more details.
The pop-up message indicates that disc space is running low. You can click the Device Name to drill in and get more detail.
Visibility and Reporting
For Visibility and Reporting go to Monitoring > SSL Orchestrator > SSL Overview. This screen gives you an overview of your Topologies, Devices and more.
Click the highlighted icon on the top right to toggle on/off the different statistical widgets.
Click the highlighted icon on the top right to change the refresh rate of this page.
Clicking on any of the widgets drills down into more detail. Click the SSL Decryption widget to view more detail.
Click SSLO Analytics for more analytical reports.
Notice the following on the right. Click the Export button to export this report in a printer friendly format or save as a PDF. There are also extensive filtering criteria, like Destination Countries, that you can use to refine your report data.
Edit/create new policy
From the BIG-IQ UI go to Configuration > SSL Orchestrator > Security Policies. Click the Security Policy name.
Click the pencil icon to edit the Security Policy.
Scroll down to view the Rules. Click the pencil icon to edit the Pinners_Rule.
We will add another Category to this rule to bypass decryption. Click in the field to the right of the last Category. Start typing Education and it should come up. Select the Education Category and click Save.
Note: This rule is still set to Allow, the connection will not be decrypted and it will not be sent to a Service Chain.
On the next screen click Deploy then Yes.
When complete it should look like the image below.
Use Config Templates to make devices changes, like adding a new NTP server.
From the BIG-IQ UI go to Devices > Config Templates > Templates. Click Create.
Give it a name. In this example NTP_template. Click the Down arrow and select NTP.
Click Add. Enter the IP address or hostname of the NTP server you wish to use. If needed, click the Plus sign to add more. Select your time zone, in this example America/Los Angeles. Click Save & Close.
Click Deployments > Create.
For the Config Template select the NTP_template created previously. Select both Devices and click the arrow to move them from Available to Included.
Give the deployment a name, in this example my_deployment. Click Next.
Click Deploy then OK.
You should see a successful deployment.
In this article you learned how to install and configure BIG-IQ. Then you learned how to add BIG-IP devices to BIG-IQ and import their configuration. We also covered some common tasks with Visibility and Reporting. You learned how to manage and update the security policy. And finally, you learned how to use Config Templates to configure common items in your BIG-IP deployment.
Click Next to proceed to the next article in the series.
I am a bit lost at the step starting with "When complete click the link to Complete import tasks."
Last but not least, BIG-IQ support for SSLO is a bit lagging in versions. As far as I understand from Interoperability Matrix for F5 SSL Orchestrator with BIG-IP and BIG-IQ highest supported version is 5.5, 5.6 (220.127.116.11). When support for 15.1.x is expected?
Hi, I see what you mean in #1 but I can't seem to remember now. I'll have to go thru these steps again to make sure I didn't miss something.
For #2, good eye! At this point all the settings from the BIG-IPs have been retrieved by BIG-IQ. In looking at it now it is confusing. The "Location" concept is there specifically for shared objects but this certainly does look like a push.
I'll respond back with further clarification.
Thanks a lot!
About (2) above and the import process, the BIG-IQ ensures that the base SSLO feature configuration is done on the BIG-IP. This includes the NTP, Default Route, and DNS configurations that the administrator does when first enabling SSLO on the BIG-IP. In the case of this lab iirc, these values are already set on the BIG-IP. On blank devices freshly added to the network, these values can be set during the discovery process with this mechanism.
So, the result is that changes can be made to the BIG-IP configuration in the process. No topology is "deployed" to the BIG-IP. HTH.
Thanks a lot for explanation it's clear now 😎