
SSLO malfunctions when SNI Block and IP intercept conditions are configured.

neeeewbie
MVP

Hi

I need your help!

SSLO malfunctions when I configure the conditions Block pinner site and intercept IP Address.

Environment: configured in the security policy

1st match: Block pinner site and intercept IP Address

2nd match: bypass some IP addresses

3rd match: bypass all traffic

Malfunction: the configured IP can't access the blocked pinner site and can access other sites, but other clients can't access the internet.

But it works well when I change the order of 1 and 2.

Please let me know if you know about this!

Thanks


2 REPLIES

LiefZimmerman
Community Manager

@neeeewbie - I'll reach out to some SSLO folks and see if they can help.

------
Lief Zimmerman | @LiefZF5 | DevCentral Community Manager

Kevin_Stewart
F5 Employee

SSLO security policy rules are nested and evaluated top-down. So basically, like any firewall rule, once a match is made, no further rule processing is done.

It's also important to understand that some rule conditions require server-side validation. In this case, the URL category conditions require SSLO to reach out to the server to evaluate the server certificate. The Pinners rule includes a category lookup. If you have some traffic that would break because of this server side "look", for example when the server requires mutual TLS (mTLS) authentication, you need to move your layer 3 and layer 4 rules above any rules that do category lookup.
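To make the ordering point from the reply above concrete, here is a small Python model of a top-down, first-match policy. It is an added illustration, not SSLO code or anything from F5: the rule names, the IP addresses and the three test flows are all constructed, and the model assumes, as the reply describes, that a rule with a category (pinners) condition performs its server-side look as soon as evaluation reaches it, and that this look fails when the server requires mTLS. Swapping the layer 3 bypass rule above the category rule is the only difference between the two policies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed model of a top-down, first-match security policy.
# Not SSLO's implementation; it only reproduces the behaviour the reply
# describes: category-lookup rules need a server-side "look" before they
# can decide, and that look breaks flows whose server demands mTLS.


@dataclass
class Flow:
    client_ip: str
    server: str
    category: str                 # what a server-side category lookup would return
    server_requires_mtls: bool = False
    server_lookups: int = 0       # how many server-side looks the policy performed


@dataclass
class Rule:
    name: str
    action: str                        # "block", "intercept" or "bypass"
    match: Callable[[Flow], bool]
    needs_server_lookup: bool = False  # URL-category / pinners style condition


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (rule_name, outcome). Rules are tried top-down and the first
    match ends processing. A rule that needs a server-side lookup performs
    it before it can decide; if the server requires mTLS that lookup fails
    and the flow is reported as broken regardless of the rule's match."""
    for rule in policy:
        if rule.needs_server_lookup:
            flow.server_lookups += 1
            if flow.server_requires_mtls:
                return rule.name, "broken"  # the server-side look itself failed
        if rule.match(flow):
            return rule.name, rule.action
    return "none", "bypass"


# Constructed address sets (assumed for the example).
INTERCEPT_IPS = {"10.0.0.10"}
BYPASS_IPS = {"10.0.0.20"}


def pinner_rule() -> Rule:
    # Layer 7 condition: needs the server certificate to classify the site.
    return Rule("block-pinners-for-intercepted-ip", "block",
                lambda f: f.client_ip in INTERCEPT_IPS and f.category == "pinners",
                needs_server_lookup=True)


def bypass_ip_rule() -> Rule:
    # Pure layer 3 condition: decided from the client IP alone.
    return Rule("bypass-ips", "bypass", lambda f: f.client_ip in BYPASS_IPS)


def catch_all_rule() -> Rule:
    return Rule("bypass-all", "bypass", lambda f: True)


def original_order() -> List[Rule]:
    return [pinner_rule(), bypass_ip_rule(), catch_all_rule()]


def fixed_order() -> List[Rule]:
    return [bypass_ip_rule(), pinner_rule(), catch_all_rule()]


def run(policy_factory: Callable[[], List[Rule]]) -> Dict[str, Tuple[str, str, int]]:
    """Evaluate three constructed flows and return (rule, outcome, lookups)."""
    flows = {
        "bypass_ip_to_mtls_server": Flow("10.0.0.20", "mtls.example", "business", True),
        "intercept_ip_to_pinner": Flow("10.0.0.10", "pinned.example", "pinners"),
        "other_client_to_web": Flow("10.0.0.99", "www.example", "news"),
    }
    results = {}
    for label, flow in flows.items():
        rule, outcome = evaluate(policy_factory(), flow)
        results[label] = (rule, outcome, flow.server_lookups)
    return results


if __name__ == "__main__":
    for name, factory in (("original order", original_order), ("fixed order", fixed_order)):
        print(name)
        for label, result in run(factory).items():
            print(f"  {label}: {result}")
```

With the category rule on top, the flow from the bypass IP to the mTLS server is looked at server-side before the bypass rule is ever reached and comes back "broken"; with the layer 3 bypass rule first, that flow is bypassed with zero server lookups, while the intercepted client going to a pinner site is still blocked.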