Integrating SSL Orchestrator with Symantec ProxySG: Explicit Proxy
Introduction The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic? An integrated F5 and Symantec/Broadcom ProxySG solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Symantec ProxySGs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS. Prerequisites This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 F5 SSL Orchestrator version 11.0 Symantec/Broadcom ProxySG version 7.3.1.1 Symantec/Broadcom ProxySG will be configured as an Explicit Proxy Additional Help If setting up SSL Orchestrator for the first time refer to the Deployment Guide availableHERE For information on SSL Certificate considerations and trust, click HERE Demo Video F5 BIG-IP SSL Orchestrator Network Configuration Create VLANS from Network > VLANs In this example: The 10.0.0.0 vlan is used for egress/ingress connectivity between BIG-IP and ProxySG The north_vlan is used for connectivity to the North of BIG-IP The south_vlan is used for connectivity to the South of BIG-IP Create Self IPs from Network > Self IPs In this example: IP address 10.0.0.1 is on the 10.0.0.0 vlan and is used for egress/ingress connectivity between BIG-IP and ProxySG IP address 192.168.0.1 is on the north_vlan and is used for connectivity to the North of BIG-IP IP address 172.16.0.1 is on the south_vlan and is used for connectivity to the South of BIG-IP NOTE: On the north_vlan there is a test client at IP address 192.168.0.5 On the south_vlan there is a test server at IP address 172.16.0.5 In this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the two north/south Self IPs are for. Your configuration will look different if using an L2 Topology. Symantec/Broadcom ProxySG Configuration Go to the Configuration tab of the ProxySG management console Expand Network and Select Adapters In this example we are configuring Interface 3:0 of the Bridge Group “passthru-3” IP address 10.0.0.5 is assigned to this interface Click Edit to set the IP Address Specify the IP Address to be used for this interface, 10.0.0.5 in this example Click OK when done then click Apply on the next screen Select Routing and add the correct Gateway, 10.0.0.1 (the BIG-IP Self IP) in this example Click Apply when done Expand Services and select Proxy Services Set the Explicit HTTP Service to Intercept and click Apply Create a Policy to Allow the client request As an example, expand Policy then select Policy Options Set the Default Proxy Policy to Allow Click Apply NOTE: Use the Visual Policy Manager to create a more specific, granular Allow policy Troubleshooting You may need to disable “Reflect Client IP” Do this from Proxy Settings > General BIG-IP SSL Orchestrator Configuration This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration. Create the Symantec ProxySG Service Under Services, click Add. In the Service Catalog select the Inline HTTP tab then double click on Symantec ProxySG HTTP Proxy Give it a name, SYMC in this example Uncheck the option to Auto Manage Addresses Set the Proxy Type to Explicit Under To Service Configuration select Use Existing then choose 10.0.0.1/24 Click Add to configure the HTTP Proxy Device Enter the IP Address, 10.0.0.5 in this example Enter the Port, 8080 in this example Click Done Under From Service Configuration select Use Existing then choose 10.0.0.1/24 Set Manage SNAT Settings to Auto Map Click Save & Next at the bottom. Click the name of the Service Chain. Select the SYMC Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: From the Services screen if you expand the Pool Member Status you should see the Symantec ProxySG Testing the Configuration In this example there is a Linux client that connects through the SSL Orchestrator to a Linux server running DVWA: https://172.16.0.5/ Test this connection now and it should look like the following: An Access Log (Statistics > Access Logging) running on the ProxySG should show the connection in plain-text HTTP: Active Sessions (Statistics > Active Sessions) running on the ProxySG should show the connection in plain-text HTTP: Conclusion This completes configuration of BIG-IP SSL Orchestrator with Symantec ProxySG Explicit Proxy. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Symantec ProxySG Service and inspected for malicious payloads or policy violations. Related Articles Integrating SSL Orchestrator with Symantec ProxySG: Transparent Proxy
Automating SSL Orchestrator in AWS with the help of Ansible and Terraform
Overview Learn how to automate the deployment of SSL Orchestrator in Amazon Web Services. This article is based on the automation templates available here: https://github.com/f5devcentral/sslo-cloud-templates This will deploy SSL Orchestrator with an L3 Inbound Topology and two L3 Services in a Service Chain. Follow the instructions here: lab-instructions-aws.md A demo video of this article is available below Steps Performed: Install the Container Environment Clone the Repository Subscribe to EC2 Instances Export your AWS Credentials Copy the Terraform variables file and update the values Deploy the Terraform configuration Build the SSL Orchestrator Topology using Ansible Deploy the Ansible Configuration Check the results Launch the development container environment Restart the container and attach to the console: Clone the Repository Subscribe to EC2 Instances From a web browser client - subscribe to the following EC2 instances: https://aws.amazon.com/marketplace/pp?sku=5e92658b-3fa7-42c1-9a9b-569f009582df https://aws.amazon.com/marketplace/pp?sku=78b1d030-4c7d-4ade-b8e6-f8dc86941303 https://aws.amazon.com/marketplace/pp?sku=a133064f-76e1-4d8a-aa3d-26ef12e6b95a Export your AWS Credentials From inside your development environment - export the AWS credentials export AWS_ACCESS_KEY_ID="your-aws-access-key-id" export AWS_SECRET_ACCESS_KEY="your-aws-secret-access-key" export AWS_SESSION_TOKEN="your-aws-session-token" Copy the Terraform variables file and update the values From the terraform-aws-sslo folder - Copy the includedterraform.tfvars.examplefile toterraform.tfvarsand update the values It should look like this: Deploy the Terraform Configuration From inside your development environment - deploy the Terraform configuration terraform init terraform validate terraform plan terraform apply -auto-approve Build the SSL Orchestrator Topology using Ansible Edit the ansible.cfg file and add the two lines at the bottom: [defaults] host_key_checking = False retry_files_enabled = False inventory = ./inventory/hosts library = ./library roles_path = ./roles collections_paths = ./collection [galaxy] server = https://old-galaxy.ansible.com cd ansible ansible-galaxy collection install f5networks.f5_modules f5networks.f5_bigip -f Deploy the Ansible Configuration Deploy an Ansible config using the variables file that was created by the accompanying Terraform. This will create an inbound layer 3 SSL Orchestrator topology. From the 'ansible' folder: cp ../terraform-aws-sslo/ansible_vars.yaml . ansible-playbook -e @ansible_vars.yaml playbooks/config-sslo-inbound-l3-complete.yaml Check the Results Login to the BIG-IP GUI and verify SSL Orchestrator has been configured and deployed Conclusion You're done! These templates and configuration files can be cusomized by you and re-used for future SSL Orchestrator deployments in AWS.
Integrating SSL Orchestrator with Symantec ProxySG: Transparent Proxy
Introduction The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic? An integrated F5 and Symantec/Broadcom ProxySG solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Symantec ProxySGs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS. Prerequisites This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 F5 SSL Orchestrator version 11.0 Symantec/Broadcom ProxySG version 7.3.1.1 Symantec/Broadcom ProxySG will be configured as a Transparent Proxy Additional Help If setting up SSL Orchestrator for the first time refer to the Deployment Guide availableHERE For information on SSL Certificate considerations and trust, click HERE Demo Video F5 BIG-IP SSL Orchestrator Network Configuration Create VLANS from Network > VLANs In this example: The 10.0.0.0 vlan is used for egress/ingress connectivity between BIG-IP and ProxySG The north_vlan is used for connectivity to the North of BIG-IP The south_vlan is used for connectivity to the South of BIG-IP Create Self IPs from Network > Self IPs In this example: IP address 10.0.0.1 is on the 10.0.0.0 vlan and is used for egress/ingress connectivity between BIG-IP and ProxySG IP address 192.168.0.1 is on the north_vlan and is used for connectivity to the North of BIG-IP IP address 172.16.0.1 is on the south_vlan and is used for connectivity to the South of BIG-IP NOTE: On the north_vlan there is a test client at IP address 192.168.0.5 On the south_vlan there is a test server at IP address 172.16.0.5 In this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the two north/south Self IPs are for. Your configuration will look different if using an L2 Topology. Symantec/Broadcom ProxySG Configuration Go to the Configuration tab of the ProxySG management console Expand Network and Select Adapters In this example we are configuring Interface 3:0 of the Bridge Group “passthru-3” IP address 10.0.0.5 is assigned to this interface Click Edit to set the IP Address Specify the IP Address to be used for this interface, 10.0.0.5 in this example Click OK when done then click Apply on the next screen Select Routing and add the correct Gateway, 10.0.0.1 (the BIG-IP Self IP) in this example Click Apply when done Expand Services and select Proxy Services Set an HTTP Service to Intercept and click Apply In this example we’re using the Internal HTTP Service Create a Policy to Allow the client request As an example, expand Policy then select Policy Options Set the Default Proxy Policy to Allow Click Apply NOTE: Use the Visual Policy Manager to create a more specific, granular Allow policy Troubleshooting You may need to disable “Reflect Client IP” Do this from Proxy Settings > General BIG-IP SSL Orchestrator Configuration This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration. Create the Symantec ProxySG Service Under Services, click Add. In the Service Catalog select the Inline HTTP tab then double click on Symantec ProxySG HTTP Proxy Give it a name, SYMC in this example Uncheck the option to Auto Manage Addresses Set the Proxy Type to Transparent Under To Service Configuration select Use Existing then choose 10.0.0.1/24 Click Add to configure the HTTP Proxy Device Enter the IP Address, 10.0.0.5 in this example Click Done Under From Service Configuration select Use Existing then choose 10.0.0.1/24 Enable the Port Remap option to remap the port to 80. Click Save & Next at the bottom. Click the name of the Service Chain. Select the SYMC Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: From the Services screen if you expand the Pool Member Status you should see the Symantec ProxySG Testing the Configuration In this example there is a Linux client that connects through the SSL Orchestrator to a Linux server running DVWA: https://172.16.0.5/ Test this connection now and it should look like the following: An Access Log (Statistics > Access Logging) running on the ProxySG should show the connection in plain-text HTTP: Active Sessions (Statistics > Active Sessions) running on the ProxySG should show the connection in plain-text HTTP: Conclusion This completes configuration of BIG-IP SSL Orchestrator with Symantec ProxySG Transparent Proxy. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Symantec ProxySG Service and inspected for malicious payloads or policy violations. Related Articles Integrating SSL Orchestrator with Symantec ProxySG: Explicit ProxyIntegrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire
Introduction The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic? An integrated F5 and Fortinet FortiGate solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Fortinet FortiGate VMs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS. Prerequisites This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 F5 SSL Orchestrator version 11.0 Fortinet FortiGate Virtual Appliance Fortinet FortiGate version 7.2.4 Deployed on VMWare ESXi version 6.7 Fortinet FortiGate will be configured as a Virtual Wire in Transparent Mode Additional Help If setting up SSL Orchestrator for the first time refer to the Deployment Guide availableHERE For information on SSL Certificate considerations and trust, click HERE Demo video: Fortinet FortiGate Virtual Edition Configuration ESX Virtual Hardware Configuration The Network Adapters should be configured like the following: Network Adapter 1 is used for Management and corresponds to the “mgmt” interface on the FortiGate. Network Adapter 2 is used for egress connections from BIG-IP to port1 on the FortiGate. Network Adapter 3 is used for ingress connections from port2 on the FortiGate to BIG-IP. Create a Port Group for BIG-IP to connect to the FortiGate port1 interface. The ESX vSwitch topology should be configured as follows: Create a Port Group for BIG-IP to connect to the FortiGate port1 interface. The ESX vSwitch topology should be configured as follows: Fortinet FortiGate Configuration Enable Transparent Mode from the CLI. Configure the Virtual Wire as follows: Give it a name, vwire in this example. Add port1 and port2. Click OK. Create a Firewall Virtual Wire Pair Policy Select Policy & Objects > Firewall Virtual Wire Pair Policy > Create New Give it a name, “policy” in this example. Set the Source, Destination and Service. In this example they are set to all. The Action should be set to Allow. Optionally enable the Security Profiles. Click OK. F5 BIG-IP SSL Orchestrator VMWare ESXi Configuration Configure the Virtual Machine Network Adapters as follows: Network Adapter 1 is used for Management and corresponds to the management interface on the BIG-IP. Network Adapter 2 is used for network connectivity from the BIG-IP to the North. Network Adapter 3 is used for network connectivity from the BIG-IP to the South. Network Adapter 4 is used for egress connections from BIG-IP to port1 on the FortiGate. Network Adapter 5 is used for ingress connections from port2 on the FortiGate to BIG-IP. BIG-IP SSL Orchestrator Network Configuration The BIG-IP VLAN settings should look like the following: Egress is used for egress connections from BIG-IP to port1 on the FortiGate. Ingress is used for ingress connections from port2 on the FortiGate to BIG-IP. Network_North is used for network connectivity from the BIG-IP to the North. Network_South is used for network connectivity from the BIG-IP to the South. The BIG-IP Self IPs setting should look like the following: These Self IPs will be used for connectivity from the BIG-IP to the North and South. Self IPs are not needed for the connection from/to BIG-IP and FortiGate. Note: in this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the two Self IPs are for. Your configuration will look different if using an L2 Topology. BIG-IP SSL Orchestrator Configuration This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration. Create the Fortinet FortiGate Service Under Services, click Add. In the Service Catalog select the Inline L2 tab then double click on Generic Inline Layer 2 Give it a name, FortiGate in this example. Under Network Configuration click Add Under Network Configuration set From BIGIP VLAN to Egress. Set To BIGIP VLAN to Ingress. Click Done. Enable the Port Remap option to remap the port to 80. Click Save & Next at the bottom. Click the name of the Service Chain. Select the FortiGate Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: From the Services screen if you expand the Pool Member Status you should see the FortiGate VM. Testing the Configuration In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site: https://192.168.0.5 Test this connection now and it should look like the following: A tcpdump taken from the BIG-IP Egress and Ingress VLANS should show the connection in plain-text HTTP: Conclusion This completes configuration of BIG-IP SSL Orchestrator with Fortinet FortiGate Virtual Edition. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Fortinet FortiGate Service and inspected for malicious payloads or policy violations. Related Articles Integrating SSL Orchestrator with Fortinet FortiGate Virtual EditionIntegrating SSL Orchestrator with Fortinet FortiGate Virtual Edition-Explicit Proxy
Introduction The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic? An integrated F5 and Fortinet FortiGate solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Fortinet FortiGate VMs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS. Prerequisites This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 F5 SSL Orchestrator version 11.0 Fortinet FortiGate Virtual Appliance Fortinet FortiGate version 7.2.4 Deployed on VMWare ESXi version 6.7 Fortinet FortiGate will be configured as an Explicit Proxy Additional Help If setting up SSL Orchestrator for the first time refer to the Deployment Guide availableHERE For information on SSL Certificate considerations and trust, click HERE Demo video: Fortinet FortiGate Virtual Edition Configuration ESX Virtual Hardware Configuration The Network Adapters should be configured like the following: Network Adapter 1 is used for Management and corresponds to the “mgmt” interface on the FortiGate. Network Adapter 3 is used for Explicit Proxy connections and corresponds to the “port2” interface on the FortiGate. The other Network Adapters are not used. Create a Port Group for BIG-IP to connect to the port2 interface (Network Adapter 3) of the FortiGate. The ESX vSwitch topology should be configured as follows: Fortinet FortiGate Configuration Enable the Explicit Proxy feature. Configure the Explicit Web Proxy as follows Configure a Network Interface as follows Double click on Port2 to configure it Specify the IP address and mask to be used, 10.0.0.49 255.255.255.0 in this example. Enable the Explicit web proxy and click OK. A Static Route is needed for the Explicit Proxy connection. Configure it as follows: F5 BIG-IP SSL Orchestrator VMWare ESXi Configuration Configure the Virtual Machine Network Adapters as follows: Network Adapter 1 is used for Management and corresponds to the management interface on the BIG-IP. Network Adapter 2 is used for Explicit Proxy connections to/from the FortiGate. Network Adapter 3 is used for network connectivity from the BIG-IP to the North. Network Adapter 4 is used for network connectivity from the BIG-IP to the South. BIG-IP SSL Orchestrator Network Configuration The BIG-IP VLAN settings should look like the following: Network_North is used for network connectivity from the BIG-IP to the North. Network_South is used for network connectivity from the BIG-IP to the South. The BIG-IP Self IPs setting should look like the following: 10.0.0.1 will be used for Explicit Proxy connections to the FortiGate. Note: in this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the other two Self IPs are for. Your configuration will look different if using an L2 Topology. BIG-IP SSL Orchestrator Configuration This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration. Create the Fortinet FortiGate Service Under Services, click Add. In the Service Catalog select the Inline HTTP tab then double click on Fortinet Secure Web Gateway HTTP Proxy. Give it a name, FortiGate in this example. Under Service Definition unselect the option to Auto Manage Addresses. For the To Service VLAN select 10.0.0.1 (VLAN FortiGate_Egress). Click Add for HTTP Proxy Devices. Enter the FortiGate IP address, 10.0.0.49 in this example. Set the port to 8080. Click Done. For the From Service VLAN select 10.0.0.1 (VLAN FortiGate_Egress). Click Save & Next at the bottom. Click the name of the Service Chain. Select the FortiGate Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: From the Services screen if you expand the Pool Member Status you should see the FortiGate VM. Testing the Configuration In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site: https://192.168.0.5 Test this connection now and it should look like the following: In this example the FortiGate VM is configured with a Custom Category to block connections to http://192.168.0.99. When attempting to connect to this site with a web browser you should see a block page like the following: Note: in the block page you can see FortiGate VM has identified this site as HTTP and not HTTPS. This is because SSL Orchestrator has decrypted the HTTPS and sent the content to FortiGate as HTTP. Check the Security Dashboard on the FortiGate VM and you should see something like the following: Here you can see the attempt to access 192.168.0.99 is logged as a High Threat Level. Conclusion This completes configuration of BIG-IP SSL Orchestrator with Fortinet FortiGate Virtual Edition. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Fortinet FortiGate Service and inspected for malicious payloads or policy violations. Related Articles Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual WireIntegrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy
Introduction SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable. An integrated F5 and CheckPoint Firewall solution eliminates the blind spots introduced by SSL/TLS encrypted content. Versions Tested This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 SSL Orchestrator version 11.0 CheckPoint Gaia R81.20 CheckPoint SmartConsole version 81.20.9700.641 CheckPoint Firewall will be configured as an Explicit Proxy Additional Help If setting up SSL Orchestrator for the first time refer to the Deployment Guide availableHERE For information on SSL Certificate considerations and trust, click HERE Video demo VMware ESX Configuration Create the following 3 Port Groups: Network-North Network-South New-CheckPoint-Egress Attach them to a vSwitch, CheckPoint-Switch in this example: Configure the BIG-IP virtual network settings as follows: NOTE: VM Network is used for Management Network-North is used for connectivity to the North side of the network Network-South is used for connectivity to the South side of the network New-CheckPoint-Egress is used for connections from/to the BIG-IP and the CheckPoint Firewall Configure the CheckPoint Firewall virtual network settings as follows: NOTE: VM Network is used for Management New-CheckPoint-Egress is used for connections from/to the BIG-IP and the CheckPoint Firewall CheckPoint Firewall Configuration Using a web browser connect to the GAIA Portal. Under Network Management select Network Interfaces. In this example eth1 is being used for incoming and outgoing connections from/to the BIG-IP and the CheckPoint Firewall. It has an IP address of 10.0.0.5. NOTE: eth2 is not used in this example 10.0.0.5 will need a route or default gateway that is the BIG-IP Self IP of 10.0.0.1 (to be configured later). This example uses a closed network, a Static Route is added so the CheckPoint knows where to send connections destined for 192.168.0.5 (this is the IP address of the web server we will be using to test this). Launch the Smart Console and log in. Double click on the firewall you want to configure, check-fw1 in this example. Enable the HTTP/HTTPS Proxy with the following settings. Click OK when done. Double click on check-fw1 again. Select Network Management Select Get Interfaces then choose With Topology in this example. The Topology Results should look like the following. Click Accept then OK. NOTE: Typically eth1 (10.0.0.5) should be defined as Internal. Double click on the interface name to configure this. For eth1 click Modify. Set “Leads To” to Internal. Click OK Click Publish at the top. Click Publish again Click Security Policies on the left Change the Action from Drop to Accept NOTE: This is just an example for this article. Normally you would not set a firewall policy to Any/Any/Accept Select NAT and create a new NAT rule like the following: Set the Original Source to 10.0.0.1. Set the Original Destination to 10.0.0.5. Set the Translated Source to 10.0.0.5. Set Install On to the correct CheckPoint Firewall. Click Publish then Publish again When that completes click Install Policy Click Install NOTE: in this example the policy is installed on a single firewall. Your setup may differ. At this point the CheckPoint Firewall should be configured properly with an Access Control Policy and NAT BIG-IP SSL Orchestrator Configuration The BIG-IP VLAN settings should look like the following: Egress is the VLAN used for connections from/to the BIG-IP and the CheckPoint Firewall North_vlan is used for network connectivity from the BIG-IP to the North South_vlan is used for network connectivity from the BIG-IP to the South Create the following Self IP 10.0.0.1 is used for connections from/to the BIG-IP and the CheckPoint Firewall. The VLAN is set to Egress. This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration. Create the CheckPoint Firewall Service Under Services, click Add. In the Service Catalog select the Inline HTTP tab then double click on Generic HTTP Service Give it a name, CheckPoint in this example. Uncheck the box to Auto Manage Addresses. Set the Proxy Type to Explicit. For the To Service VLAN select 10.0.0.1/24 For HTTP Proxy Devices click Add Enter 10.0.0.5 for the IP Address. Enter 8080 for the Port. Click Done For the From Service select 10.0.0.1/24 Set Manage SNAT Settings to Auto Map. Click Save and Next. Click the name of the Service Chain. Select the CheckPoint Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: From the Services screen if you expand the Pool Member Status you should see the CheckPoint Firewall Testing the Configuration In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site: https://192.168.0.5 Test this connection now and it should look like the following: We’ll use tcpdump on the BIG-IP to verify connectivity. The capture from the Network_South vlan shows the encrypted HTTPS request The capture from the Egress vlan shows plain text HTTP content being sent to the CheckPoint Firewall for Inspection NOTE: Some of the requests are identified as “webcache” due to using HTTP port 8080. Check the log file on the CheckPoint Firewall. Launch the SmartConsole and click LOGS & MONITOR. Double click on the entry highlighted below for more detail. Here we can see the connection was Accepted. We can also see the Service is http on TCP port 8080. Conclusion This completes configuration of BIG-IP SSL Orchestrator with CheckPoint Firewall. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the CheckPoint Service and inspected for malicious payloads or policy violations. Related Articles Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2) Integrating SSL Orchestrator with CheckPoint Firewall VM-Transparent Proxy - DevCentralIntegrating SSL Orchestrator with CheckPoint Firewall VM-Transparent Proxy
Introduction SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable. An integrated F5 and CheckPoint Firewall solution eliminates the blind spots introduced by SSL/TLS encrypted content. Versions Tested This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 SSL Orchestrator version 11.0 CheckPoint Gaia R81.20 CheckPoint SmartConsole version 81.20.9700.641 CheckPoint Firewall will be configured as a Transparent Proxy Additional Help If setting up SSL Orchestrator for the first time refer to the Deployment Guide availableHERE For information on SSL Certificate considerations and trust, click HERE Video Demo VMware ESX Configuration Create the following 4 Port Groups: Network-North Network-South New-Checkpoint-Egress New-Checkpoint-Ingress Attach them to a vSwitch, CheckPoint-Switch in this example: Configure the BIG-IP virtual settings as follows: NOTE: VM Network is used for Management Network-North is used for connectivity to the North side of the network Network-South is used for connectivity to the South side of the network New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP Configure the CheckPoint Firewall virtual settings as follows: NOTE: VM Network is used for Management New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP CheckPoint Firewall Configuration Using a web browser connect to the GAIA Portal. Under Network Management select Network Interfaces. In this example eth1 is being used for incoming connections from the BIG-IP and has an IP address of 10.0.0.5. Eth2 is being used for outgoing connections to the BIG-IP and has an IP address of 10.1.1.5. The outgoing IP address, 10.1.1.5 will need a route or default gateway that is the BIG-IP Self IP of 10.1.1.1 (to be configured later). This example uses a closed network, a Static Route is added so the CheckPoint knows where to send connections destined for 192.168.0.5 (this is the IP address of the web server we will be using to test this). Launch the Smart Console and log in. Double click on the firewall you want to configure, check-fw1 in this example. To create a simple NAT policy, click NAT. Check the box to Hide internal networks behind the Gateway’s external IP. Click OK. Double click on check-fw1 again. Select Network Management Select Get Interfaces then choose With Topology in this example. The Topology Results should look like the following. Click Accept then OK. NOTE: Typically eth1 (10.0.0.5) should be defined as Internal and eth2 should be defined as External. However, in this example both interfaces are defined as Internal since this is a closed network. Double click on the interface name to configure this. For eth1 click Modify. Set “Leads To” to Internal. Click OK Double click on eth2. Click Modify. You can change “Leads To” to Internet (External). Click OK Click Publish at the top. Click Publish again Click Security Policies on the left Change the Action from Drop to Accept NOTE: This is just an example for this article. Normally you would not set a firewall policy to Any/Any/Accept NOTE: A more granular NAT policy can be configured here instead of using the simple check box. Click Publish then Publish again When that completes click Install Policy Click Install NOTE: in this example the policy is installed on a single firewall. Your setup may differ. At this point the CheckPoint Firewall should be configured properly with an Access Control Policy BIG-IP SSL Orchestrator Configuration The BIG-IP VLAN settings should look like the following: Egress is the VLAN used for connections from BIG-IP to the CheckPoint Firewall Ingress is the VLAN used for connections from the CheckPoint Firewall to the BIG-IP North_vlan is used for network connectivity from the BIG-IP to the North South_vlan is used for network connectivity from the BIG-IP to the South Create the following Self IPs 10.0.0.1 is used for connections from BIG-IP to the CheckPoint Firewall. The VLAN is set to Egress. 10.1.1.1 is used for connections from the CheckPoint Firewall to BIG-IP. The VLAN is set to Ingress. This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration. Create the CheckPoint Firewall Service Under Services, click Add. In the Service Catalog select the Inline HTTP tab then double click on Generic HTTP Service Give it a name, CheckPoint in this example. Uncheck the box to Auto Manage Addresses. Set the Proxy Type to Transparent. For the To Service VLAN select 10.0.0.1/24 For HTTP Proxy Devices click Add Enter 10.0.0.5 for the IP Address. Click Done For the From Service select 10.1.1.1/24 Enable Port Remap. Set the Remap Port to 80. Set Manage SNAT Settings to Auto Map. Click Save and Next. Click the name of the Service Chain. Select the CheckPoint Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: From the Services screen if you expand the Pool Member Status you should see the CheckPoint Firewall Testing the Configuration In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site: https://192.168.0.5 Test this connection now and it should look like the following: We’ll use tcpdump on the BIG-IP to verify connectivity. The capture from the Network_South vlan shows the encrypted HTTPS request The capture from the Egress vlan shows plain text HTTP content being sent to the CheckPoint Firewall for Inspection Check the log file on the CheckPoint Firewall. Launch the SmartConsole and click LOGS & MONITOR. Double click on the entry highlighted below for more detail. Here we can see the connection was Accepted. We can also see the Service is http on TCP port 80. Conclusion This completes configuration of BIG-IP SSL Orchestrator with CheckPoint Firewall. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the CheckPoint Service and inspected for malicious payloads or policy violations. Related Articles Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2) Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy
Integrating SSL Orchestrator with Netscout vStream VM
Introduction SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable. An integrated F5 and Netscout solution eliminates the blind spots introduced by SSL/TLS encrypted content. Versions Tested This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 SSL Orchestrator version 11.0 Netscout vStream version 6.3.4 Netscout nGeniusONE version 6.3.4 Additional Help If setting up SSL Orchestrator for the first time refer to the Deployment Guide availableHERE For information on SSL Certificate considerations and trust, click HERE Demo Video VMware ESX Configuration Create the following 3 Port Groups: Internal-north Internal-south Netscout-tap Attach them to a vSwitch, Netscout-demo in this example: Configure the BIG-IP virtual settings as follows: NOTE: VM Network is used for Management Internal-north is used for connectivity to the North side of the network Internal-south is used for connectivity to the South side of the network Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream Configure the Netscout vStream virtual settings as follows: NOTE: VM Network is used for Management Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream Netscout Configuration Use a web browser connect to the nGeniousONE management console. Click Device Configuration. You should have at least one vStream device configured here. At this point Netscout nGeniusONE should be configured properly and ready to accept decrypted content from SSL Orchestrator. BIG-IP SSL Orchestrator Configuration The BIG-IP VLAN settings should look like the following: Internal-north is used for network connectivity from the BIG-IP to the North Internal-south is used for network connectivity from the BIG-IP to the South Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration. Create the Netscout Service Under Services, click Add. In the Service Catalog select the TAP tab then double click on NETSCOUT TAP Give it a name, NETSCOUT in this example. Enter the MAC Address of the vStream network adapter connected to the netscout-tap port group. NOTE: You can find the MAC Address in the vStream VM network settings. For the VLAN select Use Existing then netscout-tap Enable Port Remap. Set the Remap Port to 80 Click Save and Next. Click the name of the Service Chain. Select the Netscout Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: Testing the Configuration In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site: https://192.168.0.5 Test this connection now and it should look like the following: We’ll use tcpdump on the BIG-IP to verify connectivity. The capture from the internal-south vlan shows the encrypted HTTPS request The capture from the netscout-tap vlan shows plain text HTTP content being sent to Netscout for Inspection Netscout nGeniusONE Monitors Check the Traffic Monitor to view statistics Zoom into the HTTP request that has been decrypted by SSL Orchestrator You can also see the server response in clear text Conclusion This completes configuration of BIG-IP SSL Orchestrator with Netscout. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Netscout Service and inspected.
Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)
Introduction SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable. An integrated F5 and CheckPoint Firewall solution eliminates the blind spots introduced by SSL/TLS encrypted content. Versions Tested This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 SSL Orchestrator version 11.0 CheckPoint Gaia R81.20 CheckPoint SmartConsole version 81.20.9700.641 CheckPoint Firewall will be configured in Bridging mode (L2) Additional Help If setting up SSL Orchestrator for the first time refer to the Deployment Guide availableHERE For information on SSL Certificate considerations and trust, click HERE Demo video: VMware ESX Configuration Create the following 4 Port Groups: Network-North Network-South New-Checkpoint-Egress New-Checkpoint-Ingress Attach them to a vSwitch, CheckPoint-Switch in this example: Configure the BIG-IP virtual settings as follows: NOTE: VM Network is used for Management Network-North is used for connectivity to the North side of the network Network-South is used for connectivity to the South side of the network New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP Configure the CheckPoint Firewall virtual settings as follows: NOTE: VM Network is used for Management New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP CheckPoint Firewall Configuration Using a web browser connect to the GAIA Portal. Under Network Management select Network Interfaces. Network interfaces cannot have an IP address when being added to a Bridge. In this example we’ll use eth1 and eth2. Click Add then select Bridge Set a Bridge Group number, 10 in this case. Add eth1 and eth2 to Chosen Interfaces. Click OK Launch the Smart Console and log in. Double click on the firewall you want to configure, check-fw1 in this example. Select Network Management Select Get Interfaces then choose one of the options, Without Topology in this example. The Topology Results should look like the following. Click Accept then OK. Click Publish at the top. Click Publish again Click Security Policies on the left Change the Action from Drop to Accept. Click Publish then Publish again When that completes click Install Policy Click Install NOTE: in this example the policy is installed on a single firewall. Your setup may differ. At this point the CheckPoint Firewall should be configured properly with a network Bridge and associated policy. BIG-IP SSL Orchestrator Configuration The BIG-IP VLAN settings should look like the following: Egress is the VLAN used for connections from BIG-IP to the CheckPoint Firewall Ingress is the VLAN used for connections from the CheckPoint Firewall to the BIG-IP Network_North is used for network connectivity from the BIG-IP to the North Network_South is used for network connectivity from the BIG-IP to the South Create the CheckPoint Firewall Service This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration. Under Services, click Add. In the Service Catalog select the Inline L2 tab then double click on Check Point Security Gateway Inline Layer 2 Give it a name, CheckPoint in this example, then click Add. For the To Service VLAN select Egress For the From Service VLAN select Ingress Click Done Enable Port Remap. Set the Remap Port to 80. Click Save and Next. Click the name of the Service Chain. Select the CheckPoint Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: From the Services screen if you expand the Pool Member Status you should see the CheckPoint Firewall Testing the Configuration In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site: https://192.168.0.5 Test this connection now and it should look like the following: We’ll use tcpdump on the BIG-IP to verify connectivity. The capture from the Network_South vlan shows the encrypted HTTPS request The capture from the Egress vlan shows plain text HTTP content being sent to the CheckPoint Firewall for Inspection Conclusion This completes configuration of BIG-IP SSL Orchestrator with CheckPoint Firewall. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the CheckPoint Service and inspected for malicious payloads or policy violations.
Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy
Introduction SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable. An integrated F5 and McAfee Web Gateway solution eliminates the blind spots introduced by SSL/TLS encrypted content. Versions Tested This article assumes you have SSL Orchestrator configured with a Topology and Service Chain F5 BIG-IP version 17.1 SSL Orchestrator version 11.0 McAfee Web Gateway version 11.2 McAfee Web Gateway will be configured as a Transparent Proxy Additional Help If setting up SSL Orchestrator for the first time refer to theF5 SSL Orchestrator Deployment Guides For information on SSL Certificate considerations and trust, refer to Implementing SSL Orchestrator - Certificate Consid... - DevCentral McAfee Web Gateway (MWG) Configuration Configure the Transparent Web Proxy as follows and click the plus sign under Port Redirects Set the Destination proxy port to 80 and click OK Click Save Changes Configure the Network Interfaces as follows Specify the IP address and mask to be used for eth2, 10.0.0.55 255.255.255.0 in this example. Specify the IP address and mask to be used for eth3, 10.1.1.5 255.255.255.0 in this example. The Default Gateway will be a Self IP address on SSL Orchestrator, 10.1.1.1 in this example. BIG-IP SSL Orchestrator Configuration The BIG-IP VLAN settings should look like the following 10.0.0.0 is the interface used for Transparent Proxy connections to the MWG 10.1.1.0 is the interface used for Transparent Proxy connections to SSL Orchestrator North_vlan is used for network connectivity from the BIG-IP to the North South_vlan is used for network connectivity from the BIG-IP to the South The BIG-IP Self IPs setting should look like the following 10.0.0.1 will be used for Transparent Proxy connections to the McAfee Web Gateway 10.1.1.1 will be used for Transparent Proxy connections from the McAfee Web Gateway Note: in this example SSL Orchestrator is deployed with an L3 Outbound Topology. That’s what the other two Self IPs are for. Your configuration will look different if using an L2 Topology. This article assumes you have SSL Orchestrator configured with a Topology and Service Chain. Navigate to SSL Orchestrator > Configuration Create the McAfee Web Gateway Service Under Services, click Add. In the Service Catalog select the Inline HTTP tab then double click on McAfee Web Gateway HTTP Proxy. Give it a name, MWG in this example. Under Service Definition unselect the option to Auto Manage Addresses. Set the Proxy Type to Transparent For the To Service VLAN select 10.0.0.1 (VLAN 10.0.0.0). Click Add for HTTP Proxy Devices. Enter the MWG IP address, 10.0.0.55 in this example. Click Done. For the From Service VLAN select 10.1.1.1 (VLAN 10.1.1.0) Enable Port Remap. Set the Remap Port to 80. Set Manage SNAT Settings to Auto Map Click Save & Next at the bottom. Click the name of the Service Chain. Select the MWG Service from the left and click the arrow to move it to the right. Click Save. Click OK Click Save & Next at the bottom. Click Deploy Click OK to the Success message. When done it should look like the following: From the Services screen if you expand the Pool Member Status you should see the McAfee Web Gateway Testing the Configuration In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site: https://10.4.11.52 Test this connection now and it should look like the following: In this example the MWG is configured with a Custom Category to block connections to http://10.4.11.99. When attempting to connect to this site with a web browser you should see a block page like the following: Conclusion This completes configuration of BIG-IP SSL Orchestrator with McAfee Web Gateway. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the MWG Service and inspected for malicious payloads or policy violations. Related Articles Integrating SSL Orchestrator with McAfee Web Gateway-Explicit Proxy Verified Design SSL Orchestrator with McAfee Web Gateway (Part 1) Verified Design SSL Orchestrator with McAfee Web Gateway (Part 2)
