F5 SSL-O service chaining issue

Kirimaya
Nimbostratus

Dear F5 Expert,

I just implemented SSL-O offload in an explicit proxy topology and offloaded SWG in explicit proxy mode.

I found the issue details as below.

Security policy

Category lookup ALL (Pinner) Bypass sent to SWG (explicit)

All intercept sent to SWG (explicit)

When I decrypt traffic, the traffic can be sent to SWG correctly.

When the SSL action is bypass, traffic is not sent to SWG.

I'm not sure why F5 does not send the traffic when SSL intercept is bypassed.

Regards,

Hello,

You provided too little information, as even an expert can't say what exactly the case is. For example, there is no picture of your per-request policy or guided config rules that shows whether there is a service attached for the proxy bypass rule, and the service that is assigned can't be of type "HTTP services", as when doing bypass you need to assign a layer 2/3 service type that works without decryption.

Still, you can check the link below, as I suspect that when you bypass the traffic there is no attached service to which the per-request policy can send data:

--------

The easiest way to get started with SSL Orchestrator security policies is to first understand your goals. For example:

Dear Nikoolayy1

I will test your recommendation and update you.

My policy and setup are like this (screenshots attached).

Kevin_Stewart
F5 Employee

This is by design. Encrypted traffic does not flow to ICAP and HTTP services, which includes SWG.

Dear Kevin

But I don't understand: why, when I use classification by source IP and bypass SSL, can it be sent to SWG? (screenshots attached)

Also, I forgot to mention that if you have the URL database, the SSLO can also do a URL lookup based on CN or SNI without SSL decryption, and you can then forward those sites to the proxy with a service that, as mentioned, is not HTTP or ICAP. You can also create custom categories without a license. Also, you should be able to use the category lookup as a condition rule without directly changing that Per-Request Policy, as the Guided config will change it.

 

 

Category lookup

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/per-req...

 

An example:

https://techdocs.f5.com/en-us/bigip-16-0-0/ssl-orchestrator-setup/terminology-for-herculon-ssl-orche...

 

Managing the URL Category Database

https://clouddocs.f5.com/sslo-deployment-guide/chapter4/page4.8.html

 

Kevin_Stewart
F5 Employee

Well, specifically because an SWG per-request policy would have no effect on encrypted traffic. SSLO intentionally bypasses security services (i.e. ICAP, HTTP, SWG) that cannot process encrypted traffic.

Just create a layer 2/3 service for the bypassed traffic, depending on whether the F5 SSLO and the Web Proxy see each other on the local network or are in different networks.

Please see the link below:

 

https://clouddocs.f5.com/sslo-deployment-guide/chapter3/page3.1.html

Kevin_Stewart
F5 Employee

To be clear though, you CAN send TLS-bypassed (encrypted) traffic to inline layer 2, inline layer 3, and TAP services.

Hi Kevin,

Trying to send encrypted traffic to the proxy devices configured as an L3 service; however, the proxies change the source port, and it seems the signalling doesn't match on SSLO. I can see an RST packet coming from SSLO after the proxy forwards the request using a different source port.

Any advice or workaround?

Thanks,

Ian

Yes, configure the proxy device as an HTTP service instead of inline L3. The signaling used for HTTP services is different, so it can handle the port change.

If you managed to get the needed answers, please flag the question as answered.