Forum Discussion
AltostratusSSLO HTTPS conversion to HTTP for NGFW inspection
Hi,
this is the use case for which the SSLO is build for, so yes it is (easy) possible to do this. In this case, the NGFW is just a service (inspection) device and SSLO will forward traffic based on your policy. There is one thing to consider in how to positioning the SSLO and NGFW. Is this NGFW the internet facing device with NAT, VPN, etc? If yes, it is a bit more complex as you can't move the device into the inspection zone completely.
From a SSLO perspective (best prectise) all inspection devices are hidden and isolated within a dedicated inspection zone and only the SSLO can forward traffic to them. It would be best to use a separate or a virtual instance of your NGFW as inspection device. Otherwise you can use PBR to steer the the traffic.
client --> (https) SSLO --> (http) NGFW --> (http) SSLO --> (https) NGFW --> (https) internet
The SSLO itself can be integrated as a L2 or a L3 device and it can work as a transparent or an explicit proxy. This really depends on your architecture or use case. You can find more details here: https://clouddocs.f5.com/sslo-deployment-guide/
Cheers
Stephan
AltostratusDear all,
After further troubleshooting it has been found that the decryption is working.
The flow is decrypted and sent over the original port, hence the port 443.
Thank you for the support and quick feedback.
Best Regards
Konstantinos
EmployeeHi,
ah yes, this can happen. It is a (recommended) option for the service device to use "port remap" to change the port to 80 (at least to something different than 443).
glad to hear it is working now.
Cheers
Stephan
