KevinGallaugher
F5 Employee

Summary

This article is part of a series on implementing Orchestrated Infrastructure Security. It covers High Availability and the protection of critical assets using McAfee Web Gateway. It is assumed that SSL Orchestrator is already deployed and that basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the Dev/Central article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here.

This article focuses on using SSL Orchestrator as a tool to simplify Change Management processes and procedures and to shorten the duration of the entire process.

Configuration files for McAfee Web Gateway can be downloaded here from GitLab.

Please forgive me for using SSL and TLS interchangeably in this article.

A video demo of this Dev/Central article is available HERE.

This article is divided into the following high level sections:

Part 1 (Available here)

  • Configure McAfee Web Gateway (MWG) interfaces
  • Create a new Topology to perform testing
  • Monitor McAfee Web Gateway statistics – change the weight ratio – check McAfee Web Gateway stats again
  • Remove a single McAfee Web Gateway device from the Service

Part 2 (Available here) 

  • Perform maintenance on the McAfee Web Gateway device
  • Add the McAfee Web Gateway device to the new Topology
  • Test functionality with a single client
  • Add the McAfee Web Gateway device back to the original Topology
  • Test functionality again
  • Repeat to perform maintenance on the other McAfee Web Gateway device

Configure McAfee Web Gateway (MWG) interfaces

From the MWG UI navigate to Configuration > Appliances > Proxies. Under Network Setup select Transparent bridge.

Click Save Changes at the top right.

Navigate to Network interfaces. In this example eth2 and eth3 will be used to create the Transparent bridge. Both interfaces need to be enabled, and the IP settings must be disabled for both IPv4 and IPv6.

On the Advanced tab enable the bridge and give it a name, ibr0 in this example. Do this for both interfaces.

Click Save Changes.

Check ibr0 and set it to enabled. Disable IPv4 and IPv6.

Click Save Changes.

Note: complete these steps on the 2nd McAfee Web Gateway.

Note: when configuring for High Availability you will need to create a 2nd Transparent bridge.

Please contact McAfee for assistance if needed.

Create a new Topology to perform testing

A new Topology will be used to safely test the Service after maintenance is performed. The Topology should be similar to the one used for production traffic. This Topology can be re-used in the future.

From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration. Click Add under Topologies.

Scroll to the bottom of the next screen and click Next.

Give it a name, Topology_Staging in this example.

Select L2 Outbound as the Topology type, then click Save & Next.

For the SSL Configurations you can leave the default settings. Click Save & Next at the bottom.

Click Save & Next at the bottom of the Services List.

Click the Add button under Services Chain List. A new Service Chain is needed so that the McAfee Web Gateway device can be removed from the Production Service and added here.

Give the Service Chain a name, Staging_Chain in this example. Click Save at the bottom.

Note: The Service will be added to this Service Chain later.

Click Save & Next.

Click the Add button on the right to add a new rule.

For Conditions select Client IP Subnet Match.

Enter the Client IP and mask, 10.5.9.51/32 in this example. Click New to add the IP/Subnet.

Set the SSL Proxy Action to Intercept.

Set the Service Chain to the one created previously.

Click OK.

Note: This rule is written so that only a single client computer (10.5.9.51) will match, so it can be used for testing. In the All Traffic default rule, set the SSL Proxy Action to Bypass.

Select Save & Next at the bottom.

For the Interception Rule set the Source Address to 10.5.9.51/32. Set the Destination Address/Mask to 10.4.11.0/24. Set the port to 443.

Select the VLAN for your Ingress Network and move it to Selected.

Set the L7 Profile to Common/http.

Click Save & Next.

For Log Settings, scroll to the bottom and select Save & Next.

Click Deploy.
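The staging Topology above matches traffic in two layers: the Interception Rule decides which flows the listener captures at all, and the Security Policy decides whether a captured flow is intercepted (decrypted and sent through Staging_Chain) or bypassed. The following is an added example, not code from the article or from F5, that models those two layers with the article's values (test client 10.5.9.51/32, destination 10.4.11.0/24, port 443, chain Staging_Chain). The names Flow, PolicyRule and evaluate_topology are this example's own and are not SSL Orchestrator API; the ability to pass a wider interception source is added here only to show why the default All Traffic rule is set to Bypass.

```python
"""Added example (not the article's or F5's code): a model of the staging
Topology's two matching layers, the Interception Rule and the Security Policy."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # client IP
    dst: str    # destination IP
    dport: int  # destination TCP port


@dataclass(frozen=True)
class PolicyRule:
    name: str
    client_subnets: tuple   # IPv4Network objects; empty tuple means "All Traffic"
    action: str             # "Intercept" or "Bypass"
    service_chain: Optional[str]


# Interception Rule of Topology_Staging (values from the article)
INTERCEPT_SRC = ip_network("10.5.9.51/32")
INTERCEPT_DST = ip_network("10.4.11.0/24")
INTERCEPT_PORT = 443

# Security Policy of Topology_Staging: first match wins, the trailing
# "All Traffic" rule is the default and is set to Bypass as in the article.
STAGING_POLICY = (
    PolicyRule("Staging_Client", (ip_network("10.5.9.51/32"),), "Intercept", "Staging_Chain"),
    PolicyRule("All Traffic", (), "Bypass", None),
)


def listener_captures(flow: Flow, intercept_src=INTERCEPT_SRC) -> bool:
    """Interception Rule: only flows matching source, destination and port are
    handled by this Topology; anything else never reaches its Security Policy."""
    return (ip_address(flow.src) in ip_network(intercept_src)
            and ip_address(flow.dst) in INTERCEPT_DST
            and flow.dport == INTERCEPT_PORT)


def evaluate_policy(flow: Flow, policy=STAGING_POLICY) -> PolicyRule:
    """Security Policy: return the first rule whose Client IP Subnet Match hits."""
    src = ip_address(flow.src)
    for rule in policy:
        if not rule.client_subnets or any(src in net for net in rule.client_subnets):
            return rule
    raise ValueError("policy has no default rule")


def evaluate_topology(flow: Flow, intercept_src=INTERCEPT_SRC) -> Tuple[str, Optional[str]]:
    """Returns (disposition, service_chain):
    'not-captured' - flow does not match the Interception Rule
    'intercept'    - decrypted and sent through the named Service Chain
    'bypass'       - captured by the listener but passed through undecrypted"""
    if not listener_captures(flow, intercept_src):
        return ("not-captured", None)
    rule = evaluate_policy(flow)
    return (rule.action.lower(), rule.service_chain)


if __name__ == "__main__":
    for f in (Flow("10.5.9.51", "10.4.11.20", 443),   # the test client: intercepted
              Flow("10.5.9.52", "10.4.11.20", 443),   # another client: not captured
              Flow("10.5.9.51", "10.4.12.20", 443),   # wrong destination subnet
              Flow("10.5.9.51", "10.4.11.20", 80)):   # wrong port
        print(f, "->", evaluate_topology(f))
    # If the Interception Rule were later widened to the whole client subnet,
    # the default Bypass rule still keeps every host but 10.5.9.51 undecrypted.
    print(evaluate_topology(Flow("10.5.9.52", "10.4.11.20", 443), intercept_src="10.5.9.0/24"))
```

With the Interception Rule pinned to 10.5.9.51/32, the All Traffic rule can never fire in the staging Topology; it matters the moment the Interception Rule is widened, which is why setting it to Bypass is the safe default for a test Topology.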

Monitor McAfee Web Gateway statistics – change the weight ratio – check McAfee Web Gateway statistics again

Check the statistics on the McAfee Web Gateway device we will be performing maintenance on. It’s “MWG1” in this example. One way to do this is with a packet trace. From the McAfee Web Gateway UI go to Troubleshooting > Packet tracing. I set the Command line parameters to “-I ibr0”, which will capture all packets on the bridge interface.

Note: This McAfee Web Gateway device is actively processing connections. Note that the connections are in clear text, HTTP on port 80: SSL Orchestrator decrypted the SSL/TLS and sent it to the McAfee device for inspection.

Change the Weight Ratio

Back in the SSL Orchestrator Configuration Utility, click SSL Orchestrator > Configuration > Services, then the Service name, ssloS_McAfeeWebGateway in this example.

Click the pencil icon to edit the Service.

Click the pencil icon to edit the Network Configuration for MWG2.

Set the ratio to 65535 and click Done.

Click Save & Next at the bottom.

Click OK if a warning is presented.

Click Deploy.

Click OK when presented with the Success message.

Check McAfee Web Gateway Statistics Again

Check the statistics on the McAfee Web Gateway device again. It’s “MWG1” in this example. From the McAfee Web Gateway UI go to Troubleshooting > Packet tracing. I set the Command line parameters to “-I ibr0”, which will capture all packets on the bridge interface.

Note: The connections now visible in the trace represent only the health checks from SSL Orchestrator to the inline Service. Therefore, this McAfee Web Gateway is no longer actively processing client connections.
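The before-and-after packet traces above are the evidence that MWG1 has drained: before the ratio change the bridge carries decrypted client HTTP, afterwards only the SSL Orchestrator health checks remain. The following is an added example, not code from the article or from F5, that automates that judgement over a tcpdump-style text trace of the bridge. The trace lines are constructed for this example; the health-check endpoints (monitor source 10.4.0.1 to 10.4.0.2 on port 80) are assumed placeholder values, not values from the article, and would be replaced with the monitor addresses of the real deployment.

```python
"""Added example (not the article's or F5's code): decide from a packet trace
on the bridge interface whether a McAfee Web Gateway is drained, i.e. only
SSL Orchestrator health checks remain, before deleting it from the Service."""

import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# tcpdump default text line, e.g.
# "12:01:03.112345 IP 10.5.9.51.51234 > 10.4.11.20.80: Flags [S], seq 1, ..."
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Assumed health-check endpoints (placeholder values for this example):
# (monitor source, monitor destination, destination port)
HEALTH_CHECK_ENDPOINTS = {("10.4.0.1", "10.4.0.2", 80)}

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def parse_syns(lines: Iterable[str]) -> List[Flow]:
    """Return one flow per pure TCP SYN, i.e. per new connection on the bridge.
    SYN-ACKs ("[S.]") and non-IP lines such as ARP are ignored."""
    flows: List[Flow] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        if "S" in flags and "." not in flags:
            flows.append((m.group("src"), int(m.group("sport")),
                          m.group("dst"), int(m.group("dport"))))
    return flows


def is_health_check(flow: Flow) -> bool:
    src, _, dst, dport = flow
    return (src, dst, dport) in HEALTH_CHECK_ENDPOINTS


def classify(lines: Iterable[str]) -> Dict[str, int]:
    """Count new connections by kind: health checks versus client traffic."""
    counts = Counter({"health_check": 0, "client": 0})
    for flow in parse_syns(lines):
        counts["health_check" if is_health_check(flow) else "client"] += 1
    return dict(counts)


def is_drained(lines: Iterable[str]) -> bool:
    """True when the trace shows no new client connections, only monitor
    traffic: the point at which the device can be removed from the Service."""
    return classify(lines)["client"] == 0


# Constructed sample traces (not captures from the article's lab).
TRACE_BEFORE = """\
12:01:03.112345 IP 10.5.9.51.51234 > 10.4.11.20.80: Flags [S], seq 1, win 64240, length 0
12:01:03.112900 IP 10.4.11.20.80 > 10.5.9.51.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:01:03.113100 IP 10.5.9.51.51234 > 10.4.11.20.80: Flags [.], ack 1, win 502, length 0
12:01:03.113400 IP 10.5.9.51.51234 > 10.4.11.20.80: Flags [P.], seq 1:78, ack 1, win 502, length 77: HTTP: GET / HTTP/1.1
12:01:05.000100 IP 10.4.0.1.40001 > 10.4.0.2.80: Flags [S], seq 9, win 29200, length 0
12:01:05.000300 ARP, Request who-has 10.4.11.1 tell 10.4.11.20, length 28
""".splitlines()

TRACE_AFTER = """\
12:02:05.000100 IP 10.4.0.1.40010 > 10.4.0.2.80: Flags [S], seq 9, win 29200, length 0
12:02:05.000400 IP 10.4.0.2.80 > 10.4.0.1.40010: Flags [S.], seq 3, ack 10, win 65160, length 0
12:02:10.000100 IP 10.4.0.1.40011 > 10.4.0.2.80: Flags [S], seq 9, win 29200, length 0
""".splitlines()

if __name__ == "__main__":
    print("before ratio change:", classify(TRACE_BEFORE), "drained:", is_drained(TRACE_BEFORE))
    print("after ratio change: ", classify(TRACE_AFTER), "drained:", is_drained(TRACE_AFTER))
```

Only SYNs are counted because existing connections can legitimately linger for a while after the ratio change; what the change must stop is new client connections arriving at MWG1, and a trace with only health-check SYNs is the signal that the device can be deleted from the Service's Network Configuration in the next step.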

Remove a single McAfee Web Gateway device from the Service

Back in the SSL Orchestrator Configuration Utility, click SSL Orchestrator > Configuration > Services, then the Service name, ssloS_McAfeeWebGateway in this example.

Click the pencil icon to edit the Service.

Under Network Configuration, delete MWG1.

Click Save & Next at the bottom.

Click OK if a warning is presented.

Click Deploy.

Click OK when presented with the Success message.

Click HERE for Part 2 of the article.

Related Articles

Integrating SSL Orchestrator with McAfee Web Gateway-Explicit Proxy 

Last update: 17-May-2023 13:25