TAP service on BIG IP LTM

Question

Hi Guys, its been&nbsp; a while since I've been working wiht big ip so looking forward to start it now again. Lately I was asked if there is an option of TAPing decrypted traffic on the big ip and mirroring it to the separate interface of the BIGIP from which it will further reach the external IDS for inspection.From what I see there is a separate 'TAP service' for that in the SSL Orchestrator.&nbsp;However what I wonder is if it's doable on the deployment w/o SSL Orchestrator.&nbsp;So currently there are 2 implemented options for SSL: passthrough or offloading. The question is if that traffic could be mirrored to a separate interface that will be used as a TAP.&nbsp;&nbsp;Thanks in advance for taking your time on that and sharing your experience. thx

amine_kadimi · Answer

Hi
Maybe the clone pools feature is the way to go, did you try it? https://support.f5.com/csp/article/K13392

sebastiansierra · Answer

Hi,You have the better solution in this post:&nbsp;https://community.f5.com/t5/technical-articles/divert-unencrypted-traffic-through-an-ips-with-local-traffic/ta-p/288005

cieciak · Answer

Thank you&nbsp;Sebastiansierra&nbsp;and&nbsp;Amine_Kadimi&nbsp;- I am meeting cuistomer tomorrow to discuss all options. To sum up there are these to chose from: port mirroring, clone pool, passthrough IPS/IDS, TAP service (requires SSL Orchestration license). I will update ticket after implementation 🙂

mohitjoshi · Answer

Any idea on pros and cons of each of these mechnisms for traffic mirroring a) port mirroring b) clone pool, c) passthrough IPS/IDS, Tap Service (SSL orchestration).

Also for tap the consumer of the mirrored traffic needs to be on the same L2 network, what is the preferred way to carry this over to an L3 network (some encapsulation)

Forum Discussion

TAP service on BIG IP LTM

4 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

Service discovery and registration with BIG-IP

Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service

Leverage BIG-IP 17.1 Distributed Cloud Services to Integrate F5 Distributed Cloud Bot Defense

What is BIG-IP Next?

Consul Templating BIG-IP Services