Implementing SSL Orchestrator - L2 Service Configuration (Palo Alto)
Introduction This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS Decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on configuring a 3rd party, inline Layer 2 security device and everything you need to know about it. This article covers the configuration of a Palo Alto NGFW running PAN-OS version 9.0.3. Please forgive me for using SSL and TLS interchangeably in this article. The simplest Palo Alto deployment is in Layer 2, or Virtual Wire mode.This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface. From the Palo Alto UI go to the Network tab > Interfaces. Click the name (ethernet1/X) of the interface you wish to configure. Set the Interface Type to Virtual Wire and the Security Zone to trust.Click OK. Do the same for the next interface. Click the name of one of the interfaces configured previously.Click Virtual Wire > New Virtual Wire. Give it a name.Select the 2 interfaces configured previously.Click OK and OK. You will need to Commit the changes for them to take effect. Note: setting the Security Zone to trust is needed for the F5 Health Monitors to work. Summary In this article you learned how to configure a Palo Alto NGFW in Layer 2 mode. Configuration of Palo Alto NGFW can be downloaded fromherefrom GitLab. Next Steps Contact Palo Alto Networks if you need additional assistance with their products. Click Next to proceed to the next article in the series.Implementing SSL Orchestrator - Explicit Proxy Service Configuration (Cisco WSA)
Introduction This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS Decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on configuring a 3rd party, Explicit Proxy security device and everything you need to know about it. This article covers the configuration of Cisco Web Security Appliance (WSA) running version 11.8. Please forgive me for using SSL and TLS interchangeably in this article. A common Cisco WSA deployment mode is as an Explicit Proxy.The WSA proxy is completely transparent to the user but the BIG-IP will connect to it as an Explicit Proxy. The default settings for Cisco WSA will work with SSL Orchestrator.Keep in mind that: 1)By default WSA accepts connections on ports 80 & 3128.If you changed this you will have to specify the correct port when configuring SSLO. 2)It is assumed you are using WSA security features like URL categorization, Anti-Malware, Reputation filtering, etc. 3)It is recommended to use separate ethernet ports for Management and Data, similar to the image below. Summary In this article you learned how to configure a Cisco WSA in Explicit Proxy mode. Configuration of Cisco WSA can be downloaded fromherein GitLab. Next Steps Click Next to proceed to the next article in the series. Contact Cisco if you need additional assistance with their products.
