Dear F5 Expert,
I just implemented SSL-O offload in explicit proxy topologies and off-loaded SWG in explicit proxy mode.
I found the issue details as below.
Category lookup ALL (Pinner) Bypass sent to SWG (explicit)
All intercept sent to SWG(explicit)
When I decrypt traffic, traffic can be sent to SWG correctly.
When I bypass the SSL action, traffic is not sent to SWG.
I'm not sure why F5 does not send traffic when bypassing SSL intercept.
You provided too little information, as even an expert can't say what exactly is the case. For example, there is no picture of your per-request policy or guided config rules that would show whether a service is attached for the proxy bypass rule. The service that is assigned can't be of type "HTTP services", as when doing bypass you need to assign a layer 2/3 service type that works without decryption.
Still, you can check the link below, as I suspect that when you bypass the traffic there is no attached service to which the per-request policy can send data:
The easiest way to get started with SSL Orchestrator security policies is to first understand your goals. For example:
Do you need to block any type of traffic, and if so, under what condition? For example, you may want to block traffic for known TOR Proxy exit nodes which you can detect with the IP Intelligence subscription.
Do you need to bypass decryption for any type of traffic, and if so, under what condition? For example, you may need to bypass decryption for sites that typically contain personally identifiable information (PII) like Financial and Healthcare related sites. You can achieve this with the URL Category subscription.
Do you need to send different types of traffic to different service chains, and if so, under what condition? For example, it may be optimal to bypass some traffic types but still send to a subset of security products for additional encrypted analysis.
Also, for the SSLO issue there are now great articles and even a guide:
Also, I forgot to mention that if you have the URL database, the SSLO can also do a URL lookup based on CN or SNI without SSL decryption, and you can then forward those sites to the proxy with a service, as mentioned, that is not HTTP or ICAP. You can also create custom categories without a license. Also, you should be able to use the category lookup as a condition rule without directly changing that Per-Request Policy, as the Guided config will change it.
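To make the bypass path described above concrete, here is an added illustration (not F5's code, and not how SSLO is implemented internally): it reads the SNI out of a TLS ClientHello without decrypting anything, looks it up in a constructed category table standing in for the URL Category database, and returns whether the flow is bypassed to a layer 2/3 service or intercepted and sent to an HTTP service. The hostnames, category names and service labels are assumptions.

```python
import struct

# Constructed stand-in for the URL Category database (hypothetical entries).
CATEGORIES = {
    "bank.example": "Financial Data and Services",
    "clinic.example": "Health and Medicine",
    "news.example": "News and Media",
}
# PII-heavy categories: bypass decryption and route to a layer 2/3 service.
BYPASS_CATEGORIES = {"Financial Data and Services", "Health and Medicine"}

def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None."""
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if record[:1] != b"\x16" or body[:1] != b"\x01":   # handshake + ClientHello
        return None
    pos = 4 + 2 + 32                                    # hs header, version, random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0:                               # server_name extension
            # list length (2) + name_type (1) + host_name length (2) + name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def decide(record):
    sni = extract_sni(record)
    category = CATEGORIES.get(sni, "Uncategorized")
    if category in BYPASS_CATEGORIES:
        return sni, category, "bypass", "layer 2/3 proxy service"
    return sni, category, "intercept", "HTTP proxy service"

def build_client_hello(host):
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HHH", len(sni) + 4, 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, sid
             + b"\x00\x02\x13\x01" + b"\x01\x00" + ext)      # suites, compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A flow with no SNI falls into "Uncategorized" and is intercepted, which matches the point made in the thread: a bypassed flow that is still encrypted can only be handed to a service type that works without decryption.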
Well, specifically because an SWG per-request policy would have no effect on encrypted traffic. SSLO intentionally bypasses security services (i.e. ICAP, HTTP, SWG) that cannot process encrypted traffic.
Just create a layer 2/3 service for the bypassed traffic, depending on whether the F5 SSLO and the Web Proxy see each other on the local network or are in different networks.
Please see the link below:
Trying to send encrypted traffic to the proxy devices configured as an L3 service; however, the proxies change the source port, and it seems the signalling doesn't match on SSLO. I can see a RST packet coming from SSLO after the proxy forwards the request using a different source port.
Any advice / workaround?