Thank you for your answer; I will answer your questions.
1. What does your HSL::open look like?
- Create the <syslog_server_pool> pool of the remote log server and save the generated debug log in syslog format
<customer iRules summary> : **Don't worry about grammar, it's a summary for better understanding**
...
#1.
set hsl [HSL::open -proto UDP -pool syslog_server_pool]
set DEBUG 1
...
#2.
if { [class match $tls_servername contains Bypass-Host] }{
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host"}}
...
#3.
elseif{
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass_Category"}}
...
#4.
when CLIENTSSL_HANDSHAKE {
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Decryption"}
}
2. HSL and BIG-IP do not care if the destination IP is locally significant or n-number of hops away. If BIG-IP has a route for it, it'll work.
- But, as mentioned earlier in the first task, I set <syslog_server_pool> to a syslog server IP in a network more than one hop away (not mgmt) to send debug logs, but only the <default send string>, which is the health-check log, is saved; the actual debug log is not.
(At this time, since the syslog server is reached through a network of multiple hops, no self-IP is set on the F5.)
(No actual debug log packets occurred even on tcpdump of all interfaces.)
- As a secondary task, I set the syslog server IP to an IP directly connected to the F5 interface, set <syslog_server_pool>, set a self-IP, and confirmed that the debug log is saved normally. Judging from this, I concluded that a debug log using HSL can be saved only on the local network where a self-IP can be used.
So I think that when HSL is used with the syslog_server_pool method, the log cannot be loaded on a network more than one hop away.
(Please exclude the method of proceeding with the global syslog setting in the GUI.)
3. On your #2 concern, I have no context with which to assess the issue. If you can state the overall goals, I can help propose a solution that will work.
<goal>
1. During SSL encryption/decryption, if the conditions are met, the following debug log is loaded: Solved
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host"}
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass_Category"}
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Decryption"}
<Actual log during decryption>
May 14 02:33:12 SSL_01.com info tmm17[25022]: Rule /Common/SSL_Forward_Bypass_Rule_real <CLIENTSSL_HANDSHAKE>: 10.237.12.87:55575 -> 203.133.167.14:443 shop-redapi.daum.net --Decryption
<Actual log at Host Bypass>
May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 www.google.com --Bypass-Host
<Actual log when Host Category match>
May 13 16:00:00 SSL_01.com info tmm12[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:64787 -> 39.115.2.214:443 game.daum.net --Bypass_Category
2. If the Bypass-Host condition is met, check which Bypass-Host policy entry the debug log was generated by
<iRules for Before Host-Bypass>: It is unknown which policy entry matched for Bypass-Host
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] $tls_servername --Bypass-Host" }
<Actual log during Before Host-Bypass>
May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 www.google.com --Bypass-Host
<Requires iRules guide for After Host-Bypass>: I want to know which policy entry matched for Bypass-Host
if { $DEBUG } { HSL::send $hsl "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] [?????] $tls_servername --Bypass-Host" }
<Desired log after Host-Bypass>
May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 *.google.com www.google.com --Bypass-Host
<Example of Customer Bypass-Host Policy>
*.google.com
*.office365.com
*.microsoft.com
naver.com
...
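As an added example (not part of the post above or of any F5 code), the following Python script does offline what the desired log in goal #2 asks for: it parses HSL debug lines in the exact format shown in the post, and for each `--Bypass-Host` line it works out which entry of the example Bypass-Host policy list matched the SNI. The sample log lines and policy list are copied from the post; glob matching of the `*.` entries is an assumption about how the customer's policy is meant to be read.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample input: the three HSL debug lines quoted in the post.
SAMPLE_LOGS = """\
May 14 02:33:12 SSL_01.com info tmm17[25022]: Rule /Common/SSL_Forward_Bypass_Rule_real <CLIENTSSL_HANDSHAKE>: 10.237.12.87:55575 -> 203.133.167.14:443 shop-redapi.daum.net --Decryption
May 14 02:13:08 SSL_01.com info tmm4[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:56129 -> 172.217.175.228:443 www.google.com --Bypass-Host
May 13 16:00:00 SSL_01.com info tmm12[25022]: Rule /Common/SSL_Forward_Bypass_Rule <CLIENT_DATA>: 10.237.12.87:64787 -> 39.115.2.214:443 game.daum.net --Bypass_Category
"""

# The customer's example Bypass-Host policy from the post (assumed glob semantics).
BYPASS_HOST_POLICY = ["*.google.com", "*.office365.com", "*.microsoft.com", "naver.com"]

# Fields of the HSL message body: rule name, iRule event, client/server tuples,
# TLS SNI and the decision tag that follows "--".
LINE_RE = re.compile(
    r"Rule (?P<rule>\S+) <(?P<event>[A-Z_]+)>: "
    r"(?P<src>\S+) -> (?P<dst>\S+) (?P<sni>\S+) --(?P<decision>\S+)$"
)


def parse_line(line):
    """Return the fields of one HSL debug line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def matched_policy(sni, policy):
    """Return the first policy entry matching the SNI (case-sensitive glob), else None.

    A bare entry such as 'naver.com' matches only that exact host; '*.google.com'
    matches any label(s) followed by '.google.com' but not 'google.com' itself.
    """
    for entry in policy:
        if fnmatchcase(sni, entry):
            return entry
    return None


def enrich(logs, policy):
    """Parse every line and attach the matched Bypass-Host entry under 'policy'."""
    out = []
    for line in logs.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an iRule debug line; skip rather than fail
        rec["policy"] = matched_policy(rec["sni"], policy) if rec["decision"] == "Bypass-Host" else None
        out.append(rec)
    return out
```

Running `enrich(SAMPLE_LOGS, BYPASS_HOST_POLICY)` attributes the www.google.com line to `*.google.com` and leaves the Decryption and Bypass_Category lines unattributed, which is the enrichment the desired log line in goal #2 shows.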