KevinGallaugher
F5 Employee

Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. The series covers high availability and central management with BIG-IQ.

Implementing SSL/TLS Decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on management with BIG-IQ.

This article is divided into the following high level sections:

  • BIG-IQ installation
  • Adding BIG-IP devices
  • Visibility and reporting
  • Managing policy
  • Using templates

Please forgive me for using SSL and TLS interchangeably in this article.

Software versions used in this article:

  • BIG-IP Version: 14.1.2
  • SSL Orchestrator Version: 5.5
  • BIG-IQ Version: 7.0.1

Notes on installing BIG-IQ

If an existing pair (CM and DCD) is already installed:

  • Upgrade each BIG-IQ to 7.0.0.1 (the latest as of 10/16/2019). Copy the image to the device's /shared/images directory, log in as admin, and run the tmsh install command, which installs the image to a new volume and reboots into it:

      scp BIG-IQ-7.0.0.1-0.0.6.iso root@192.168.41.129:/shared/images
      ssh admin@192.168.41.129
      install sys software image BIG-IQ-7.0.0.1-0.0.6.iso volume HD1.2 create-partition reboot

  • Repeat the same steps on the other BIG-IQ.
  • Onboard BIG-IQ using the f5-big-iq-onboarding scripts: https://github.com/f5devcentral/f5-big-iq-onboarding
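The upgrade steps above, scripted for both members of the pair so the same image and volume are used on each. This is an added example, not code from the article or from F5; the host names are constructed placeholders, and the tmsh command syntax is taken as written in the article.

```shell
#!/bin/sh
# Added example, not code from the article or from F5: drives the upgrade
# steps above (stage the ISO, then install it to a new volume and reboot)
# on both members of an existing BIG-IQ pair (CM and DCD).
# The host names below are constructed placeholders, not the article's lab IPs.
set -eu

IMAGE="${IMAGE:-BIG-IQ-7.0.0.1-0.0.6.iso}"   # ISO named in the article
VOLUME="${VOLUME:-HD1.2}"                    # boot volume to create
BIGIQ_HOSTS="${BIGIQ_HOSTS:-bigiq-cm.example.invalid bigiq-dcd.example.invalid}"

# The tmsh command the article runs after logging in as admin.
build_install_cmd() {
    printf 'install sys software image %s volume %s create-partition reboot' "$1" "$2"
}

# Guard against pushing the wrong file: the name must look like a BIG-IQ ISO
# and the file must exist locally before anything is copied to a device.
check_image() {
    case "$(basename "$1")" in
        BIG-IQ-*.iso) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Stage and install the image on every host, one after the other.
upgrade_all() {
    check_image "$IMAGE" || { echo "missing or unexpected image: $IMAGE" >&2; return 1; }
    for host in $BIGIQ_HOSTS; do
        echo "== $host: copying $IMAGE to /shared/images"
        scp "$IMAGE" "root@$host:/shared/images"
        echo "== $host: installing to $VOLUME and rebooting"
        ssh "admin@$host" "$(build_install_cmd "$(basename "$IMAGE")" "$VOLUME")"
    done
}

# Run only when invoked with RUN=1, so the file can be sourced without side effects.
if [ "${RUN:-0}" = 1 ]; then
    upgrade_all
fi
```

Invoke it as `RUN=1 IMAGE=/path/to/BIG-IQ-7.0.0.1-0.0.6.iso BIGIQ_HOSTS="cm-host dcd-host" sh upgrade.sh`; the onboarding step linked above is still done separately afterwards.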

Adding BIG-IP devices

From the BIG-IQ UI go to Devices > BIG-IP Devices. Click Add Device(s).


Enter the IP Address, User Name and Password. Click the down arrow next to Cluster Display Name and select Create New.


Name it (in this example, My_Cluster), then click Add.

On the next screen select the Services you wish to discover. LTM should be selected by default. Select the box next to SSL Orchestrator and click Continue.


The Discovery process may take a few minutes. When it completes, click Add Device(s) again.

Enter the IP Address, User Name and Password of the next BIG-IP device. Click the down arrow to the right of Cluster Display Name and select Use Existing. Under Select a cluster choose My_Cluster.


Click Add. 

LTM should be selected by default. Select the box next to SSL Orchestrator and click Continue.


When complete click the link to Complete import tasks.


For LTM click the box to Create a snapshot. Click the Import button.


Click the arrow to go back.  


Click the link to Complete import tasks.


For LTM click the box to Create a snapshot. Click the Import button.


Then scroll to the bottom and click Import.  


For the Location choose to Create New or Use Existing. In this example we Use Existing Location, “pmelab”. Click Deploy then Yes.


You should see a success message like below. Click OK.


Repeat the steps above to Import and Deploy the SSL Orchestrator settings on the 2nd BIG-IP.

Note: If you receive an out of sync error message you may need to connect to the BIG-IP Configuration Utility and manually synchronize the devices.

Under Services you should see Management, LTM, SSO. If there is an error under Stats Collection click the blue text.


Click Save & Close


Do this for both BIG-IP devices if needed.

The next screen should look like this.


Note: The Status icon will indicate overall device health. Notice in this example it’s a yellow triangle. Hover the mouse cursor over the Status icon to get more details.


The pop-up message indicates that disk space is running low. You can click the Device Name to drill in and get more detail.

Visibility and Reporting

For Visibility and Reporting go to Monitoring > SSL Orchestrator > SSL Overview. This screen gives you an overview of your Topologies, Devices and more.


Click the highlighted icon on the top right to toggle on/off the different statistical widgets.


Click the highlighted icon on the top right to change the refresh rate of this page.


Clicking on any of the widgets drills down into more detail. Click the SSL Decryption widget to view more detail.


Click SSLO Analytics for more analytical reports.


Notice the following on the right. Click the Export button to export this report in a printer friendly format or save as a PDF. There are also extensive filtering criteria, like Destination Countries, that you can use to refine your report data.


Managing Policies

Edit/create new policy

From the BIG-IQ UI go to Configuration > SSL Orchestrator > Security Policies. Click the Security Policy name.


Click the pencil icon to edit the Security Policy.


Scroll down to view the Rules. Click the pencil icon to edit the Pinners_Rule.


We will add another Category to this rule to bypass decryption. Click in the field to the right of the last Category. Start typing Education and it should come up. Select the Education Category and click Save.

Note: This rule is still set to Allow, so traffic matching any of its Categories (now including Education) is passed through without being decrypted and without being sent to a Service Chain.

On the next screen click Deploy then Yes.


When complete it should look like the image below.

Using Config Templates

Use Config Templates to make device changes, like adding a new NTP server.

From the BIG-IQ UI go to Devices > Config Templates > Templates. Click Create.

Give it a name, in this example NTP_template. Click the down arrow and select NTP.


Click Add. Enter the IP address or hostname of the NTP server you wish to use. If needed, click the Plus sign to add more. Select your time zone, in this example America/Los Angeles. Click Save & Close.


Click Deployments > Create.


For the Config Template select the NTP_template created previously. Select both Devices and click the arrow to move them from Available to Included.


Give the deployment a name, in this example my_deployment. Click Next.


Click Deploy then OK.


You should see a successful deployment.


Summary

In this article you learned how to install and configure BIG-IQ. Then you learned how to add BIG-IP devices to BIG-IQ and import their configuration. We also covered some common tasks with Visibility and Reporting. You learned how to manage and update the security policy. And finally, you learned how to use Config Templates to configure common items in your BIG-IP deployment.

Next Steps

Click Next to proceed to the next article in the series.

Comments

Hi,

I am a bit lost at the step starting with "When complete click the link to Complete import tasks."

  1. SSL Orchestrator is not selected for import for first node i5800-11.pmelab.internal, but is selected for Import on second node - is that on purpose - so SSLO should be imported only on one node?
  2. What is step "For the Location choose to Create New or Use Existing. In this example we Use Existing Location, “pmelab”. Click Deploy then Yes." required for? It's described next to Importing SSLO service. So I would assume (like with LTM) that in this step configuration already existing on BIG-IP node is imported into BIG-IQ, but it looks like SSLO config is pushed from BIG-IQ to BIG-IP node...quite confused 😞

Last but not least, BIG-IQ support for SSLO is a bit lagging in versions. As far as I understand from the Interoperability Matrix for F5 SSL Orchestrator with BIG-IP and BIG-IQ, the highest supported version is 5.5, 5.6 (14.1.2.1). When is support for 15.1.x expected?

KevinGallaugher
F5 Employee

Hi, I see what you mean in #1 but I can't seem to remember now. I'll have to go through these steps again to make sure I didn't miss something.

For #2, good eye! At this point all the settings from the BIG-IPs have been retrieved by BIG-IQ. In looking at it now it is confusing. The "Location" concept is there specifically for shared objects but this certainly does look like a push.

I'll respond back with further clarification.

Hi,

Thanks a lot!

Romain
F5 Employee

Piotr,


About (2) above and the import process, the BIG-IQ ensures that the base SSLO feature configuration is done on the BIG-IP. This includes the NTP, Default Route, and DNS configurations that the administrator does when first enabling SSLO on the BIG-IP. In the case of this lab iirc, these values are already set on the BIG-IP. On blank devices freshly added to the network, these values can be set during the discovery process with this mechanism.

So, the result is that changes can be made to the BIG-IP configuration in the process. No topology is "deployed" to the BIG-IP. HTH.


Romain

Hi,

Thanks a lot for the explanation, it's clear now 😎

Piotr

Version history
Last update:
‎21-Jan-2020 12:16