Technical Articles
F5 SMEs share good practice.
cancel
Showing results for 
Search instead for 
Did you mean: 
KevinGallaugher
F5 Employee
F5 Employee

Introduction

BIG-IP 16.0 with SSL Orchestrator 9.0 has support for running Secure Web Gateway (SWG) “as a Service” inside the Service Chain. This allows you to take an existing F5 SWG solution and migrate or move it to the same BIG-IP as SSL Orchestrator.

Typical SWG features include:

User authentication (not covered here)
Enforcement of an Acceptable Use Policy (AUP)
Website category database (google.com = Search Engines)
Logging and Reporting (not covered here) 
A typical SWG deployment will have a Per-Session Policy that handles authentication. Then a Per-Request Policy that enforces the AUP.
User authentication (not covered here) 
Refer to this Dev/Central Article for more information on this topic.
Enforcement of an Acceptable Use Policy (AUP) 
A Per-Request Policy is used to enforce the AUP. You can find this from the Configuration Utility under Access > Profiles / Policies > Per-Request Policies. Click Edit for the Per-Session Policy and a new window like this should open:

0151T0000040fyIQAQ.png

This policy does a Protocol Lookup to determine if the content is HTTP, then performs a Category Lookup based on the host header in the URI. Response Analytics will check for malicious content and pass that information on to the URL Lookup Agent.  The Category is compared to the URL Filter which maps URL categories to Allow/Deny Actions. As a final result the request is either Allowed or Denied (Reject).

Note: In a per-request SWG policy you would typically have a Protocol Lookup for HTTP and HTTPS. But in this case the SSL Orchestrator will perform SSL decryption so the SWG Service will receive plain-text, HTTP content. Therefore, this SWG policy is ready to be used with SSL Orchestrator.

Website category database (google.com = Search Engines)
The URL Filter is configured from Access > Secure Web Gateway > URL Filters.

Select CorporateURLFilter in this example. 

0151T0000040fyNQAQ.png

This opens the Category editor. Different Categories and sub-categories are available to make Allow or Deny decisions. In this example the Games and Shopping categories have been set to Deny. 

0151T0000040fySQAQ.png

0151T0000040fyXQAQ.png

Logging and Reporting (not covered here) Refer to the AskF5 Knowledge Center for more information.

Configuration

Export / Import the SWG Per-Request Policy

The SWG Per-Request Policy is easy to export from one BIG-IP to another. From the Configuration Utility select Access > Profiles / Policy > Per-Request Policies. 

0151T0000040fyJQAQ.png

Click Export then OK to save the policy.

0151T0000040fymQAA.png

The policy file can be directly imported into another BIG-IP device. On the Per-Request Policies screen click Import.

0151T0000040fyrQAA.png

Give the Policy a name, click Browse to select the policy file then Import.

0151T0000040fyTQAQ.png

This policy is ready for SSL Orchestrator to use with SWGaaS. You can click Edit to verify the policy is correct.

Configure the F5 SWGaaS

From the SSL Orchestrator Configuration page select Services then click Add. 

0151T0000040fynQAA.png

F5 Secure Web Gateway is available on the F5 tab. Double-click the icon to configure. 

0151T0000040fyoQAA.png

Give it a name. Set the Access Profile Scope to Profile. Set the Per Request Policy to the policy imported previously. Click Save and Next.

0151T0000040fz6QAA.png

Add the newly created SWGaaS to an existing Service Chain or create a new one.

0151T0000040fz7QAA.png

Select the F5_SWG Service on the left and click the right arrow to move it to the Selected column. Click Save.

0151T0000040fzBQAQ.png

Save & Next. 

0151T0000040fzLQAQ.png

Then Deploy.

0151T0000040fypQAA.png

Test SWG Functionality

Note: be sure that a Security Policy has the Service Chain applied. Go to a client computer and test access to various web sites. News sites are allowed but Shopping is set to Block so sites like amazon.com and walmart.com should be blocked.

Details from espn.com. The padlock indicates the connection is encrypted. The Issued By field indicates that this was intercepted & signed by SSL Orchestrator.

0151T0000040fzCQAQ.png

Any attempts to visit a site categorized as Shopping or Games will be blocked.

0151T0000040fyKQAQ.png

0151T0000040fyLQAQ.png

The configuration is now complete.

 
Comments

Thanks 🙂

Version history
Last update:
‎12-Jul-2021 13:36
Updated by:
Contributors