KevinGallaugher
F5 Employee

Introduction

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability, Central Management with BIG-IQ, Application Visibility with Beacon and the protection of critical assets using F5 Advanced WAF and Protocol Inspection (IPS) with AFM. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the DevCentral article series Implementing SSL Orchestrator here.

This article focuses on configuring SSL Orchestrator to decrypt inbound SSL and pass the decrypted content to F5 Advanced WAF and Protocol Inspection (IPS) with AFM for enhanced protection from threats. It covers the configuration of the SSL Orchestrator Topology, Services and more on an F5 BIG-IP running version 15.1.0.4 and SSL Orchestrator version 7.4.9.

The configuration of the BIG-IP deployed as SSL Orchestrator can be downloaded from GitLab here.

Please forgive me for using SSL and TLS interchangeably in this article.

In this article we will walk you through the SSL Orchestrator Guided Configuration, which covers the following:

  • Inbound L2 Topology creation
  • Certificate and Key used for SSL Decryption
  • Adding the Advanced WAF and AFM devices
  • Creating a Security Policy
  • Creating an Interception Policy

SSL Orchestrator Guided Configuration

From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration from the menu on the left. 

Note: There are Required Configuration options on the right you may need to configure. A Route is not needed when SSL Orchestrator is deployed in Layer 2 mode.

The Configuration screen presents all of the configuration options that are available. Scroll to the bottom of the page and click Next.

Give the Topology a name, InboundAppProtection in this example. You can optionally configure the Protocol and IP Family you want the Topology to support. We’re using the default of TCP and IPv4. Select L2 Inbound and click Save & Next.

Configure the Certificate Key Chain by clicking the Pencil icon on the right.

Choose the correct Certificate and Key from the drop-down menu. In this example we use subrsa.f5labs.com for the Certificate and Key. Click Done.

There are Server-side SSL settings that you can optionally configure. Click Save & Next.

On the next screen click Add Service.

Scroll to the bottom, select Generic Inline Layer 2 and then Add.

Give it a name, Advanced_WAF in this example. Under Network Configuration click Add.

Here we create the VLANs and select the Interfaces the Advanced WAF devices are connected to. For the From and To VLAN options select Create New. Give them a unique name, egress_WAF1 and ingress_WAF1 in this example. Select the interfaces connected to the first WAF device, 4.1 and 4.2 in this example. Then click Done.

Repeat this process for the second Advanced WAF device using interfaces 4.3 and 4.4, so that both WAF devices are listed under Network Configuration when done.

Note: In this case the SSL Orchestrator interfaces 4.1 and 4.2 are connected to Advanced WAF1 interfaces 2.1 and 2.2. SSL Orchestrator interfaces 4.3 and 4.4 are connected to Advanced WAF2 interfaces 2.3 and 2.4. 

You can optionally configure the Device Monitor and Service Down Action. Enable the Port Remap option and click Save.

Click Add Service to add the AFM devices.

Scroll to the bottom, select Generic Inline Layer 2 and then Add.

Give it a name, AFM in this example. Under Network Configuration click Add.

Here we create the VLANs and select the Interfaces the AFM devices are connected to. For the From and To VLAN options select Create New. Give them a unique name, egress_AFM1 and ingress_AFM1 in this example. Select the interfaces connected to the first AFM device, 5.1 and 5.2 in this example. Then click Done.

Repeat this process for the second AFM device using interfaces 5.3 and 5.4, so that both AFM devices are listed under Network Configuration when done.

Note: In this case the SSL Orchestrator interfaces 5.1 and 5.2 are connected to AFM1 interfaces 5.0 and 6.0. SSL Orchestrator interfaces 5.3 and 5.4 are connected to AFM2 interfaces 5.0 and 6.0. 

You can optionally configure the Device Monitor and Service Down Action. Enable the Port Remap option and click Save.

Click Save & Next at the bottom.

Click Add to create the Service Chain.

Give it a name, Inbound_Protect1 in this example. Select ssloS_AFM and ssloS_Advanced_WAF Services then click the arrow to move them to the right. Click Save.

Note: It is recommended that AFM be placed first in the Service Chain Order. That way intrusion attempts are detected and blocked before they ever get to the Advanced WAF. This saves resources on the Advanced WAFs because they don’t have to process any of the attempted intrusion connections.

Click Save & Next.

For the Security Policy click the Pencil icon on the lower right to edit the rule.

Set the Service Chain to the one created previously. Click OK.

Click Save & Next at the bottom.

For the Interception Rule, define the Destination Address or subnet of the application servers you wish to protect. In this example the application servers are all in the 10.4.1.0/24 subnet. Specify the correct port, typically 443.

For the Ingress Network select the VLAN(s) that will be receiving traffic from external users, Direct_all in this example. Set the L7 Profile to http. Click Save & Next.

Make any changes to the Log Settings if needed. Click Save & Next.

On the Summary screen you can review and change any of the settings. Click Deploy when ready.

You should get a Success message.

If you receive an error you will need to go back into the configuration to resolve it. If successful, the deployed Topology and its Services are displayed.

Notice the Service Health status is indicated by the small green circle.
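Before clicking Deploy it is worth sanity-checking the plan you have just typed into the wizard. The following is an added example, not code from this article or from F5: it holds the walkthrough's own values (service interfaces, VLAN names, the Inbound_Protect1 chain order and the 10.4.1.0/24:443 interception rule) in a plain Python dict and checks them for the mistakes that are easiest to make in the Guided Configuration, namely an SSL Orchestrator interface wired to two services, a reused VLAN name, a chain entry that names no configured service, AFM not placed first, and an invalid destination subnet or port. `check_plan` is a hypothetical helper, not an SSL Orchestrator API, and the *_WAF2 and *_AFM2 VLAN names are assumed since the article only names the first pair.

```python
import ipaddress

# The walkthrough's plan, typed into a dict (constructed from the article;
# the *_WAF2/*_AFM2 VLAN names are assumed, the article only names the first pair).
PLAN = {
    "services": {
        "Advanced_WAF": [
            {"from": "egress_WAF1", "to": "ingress_WAF1", "ifaces": ("4.1", "4.2")},
            {"from": "egress_WAF2", "to": "ingress_WAF2", "ifaces": ("4.3", "4.4")},
        ],
        "AFM": [
            {"from": "egress_AFM1", "to": "ingress_AFM1", "ifaces": ("5.1", "5.2")},
            {"from": "egress_AFM2", "to": "ingress_AFM2", "ifaces": ("5.3", "5.4")},
        ],
    },
    "chain": {"Inbound_Protect1": ["ssloS_AFM", "ssloS_Advanced_WAF"]},
    "interception": {"destination": "10.4.1.0/24", "port": 443},
}

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen_ifaces, seen_vlans = {}, {}
    for svc, devices in plan["services"].items():
        for dev in devices:
            for vlan in (dev["from"], dev["to"]):
                if vlan in seen_vlans:
                    problems.append(f"VLAN {vlan} reused by {svc} and {seen_vlans[vlan]}")
                seen_vlans[vlan] = svc
            for iface in dev["ifaces"]:  # each SSLO interface wires to one device
                if iface in seen_ifaces:
                    problems.append(f"interface {iface} wired to both {svc} and {seen_ifaces[iface]}")
                seen_ifaces[iface] = svc
    # Chain entries must be configured services (SSL Orchestrator prefixes them
    # with ssloS_) and, as the note above recommends, AFM sits first.
    known = {"ssloS_" + name for name in plan["services"]}
    for chain, order in plan["chain"].items():
        unknown = [s for s in order if s not in known]
        if unknown:
            problems.append(f"chain {chain} references unknown service(s) {unknown}")
        if order and order[0] != "ssloS_AFM":
            problems.append(f"chain {chain}: AFM should be first so IPS stops intrusions before the WAF")
    try:  # interception rule: destination must be a valid subnet, port in range
        ipaddress.ip_network(plan["interception"]["destination"])
    except ValueError:
        problems.append("interception: destination is not a valid subnet")
    if not 0 < plan["interception"]["port"] < 65536:
        problems.append("interception: port out of range")
    return problems
```

Run it with the dict edited to match your own wiring before deploying; any non-empty result points at a step to revisit in the wizard.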

Summary

In this article you learned how to use the SSL Orchestrator Guided Configuration to create a Topology, select the certificate and key used for SSL Decryption, add the Advanced WAF and AFM devices, create a Security Policy and an Interception Policy.

Next Steps

Click Next to proceed to the next article in the series.

Last update: 09-Oct-2020 14:10