ssl intercept
5 Topics

SSL Intercept and clearing certificates
Hi, in case of SSL Intercept, LTM is creating on-the-fly certificates on the client side to decrypt traffic. I can see in VS stats in SSL Forward Proxy for client profile position: "Cached certificates: X". Is there a way to see a list of these cached certs or clear these cached certs? Is there any setting responsible for how long those certs are cached? I assume that it is not the ones for Cache Size and Cache Timeout (in the clientssl profile as well)?
Piotr
Solved, 552 Views, 0 likes, 2 Comments

Service chains packet processing for L3 devices
Hello, I'm trying to understand SSL intercept and Service Chains, and have a few questions about it:
According to a DevCentral video, https://www.youtube.com/watch?v=mvse6zCt_jo , devices in a service chain are accessed in parallel, minimizing the delay in a long chain with many inspection devices. However, reading the SSL intercept deployment guide, it says "Each service chain is an ordered list of services of various types", which sounds like the devices are processed one at a time?
Question 2: When you hook up an L3 device in your service chain, does the complete packet get sent to the device and back again to the BIG-IP (if allowed through the L3 device)?
Question 3: What about the return traffic, is it automatically sent back to the sending interface of the L3 device? In my case the L3 device is an NGFW. I'm asking because I want to know if the traffic flow will be weird in any way from the NGFW point of view (statistics, logging and so on).
249 Views, 0 likes, 0 Comments

SSL Intercept
Hi All, fairly new to using an iApp, so here is my question. We need to be using the SSL_intercept_SVC_chain iApp to mitigate the scenario where TLS 1.0 is no longer supported in the big wide world. Basically we have a number of old apps that will only use TLS 1.0, and since this is now being deprecated we plan to use the F5 to handle the client to F5 as TLS 1.0, but then forward on to external sites as TLS 1.2 or 1.3. I have downloaded the iApp, and have worked out all the settings I need to use to make the Application Service. However, what I don't get is how to join together the AS and a virtual server. We plan to use an internal DNS entry for selected external sites so that the traffic is forced to the F5 and passed to the internet, and away from our proxies, thereby using the F5 to do the TLS re-negotiation/upgrade. We have two LTMs running in HA, so it's not a case of passing it from one F5 to another F5 via a decrypt zone. Once I have run the iApp, what do I need to do to use it?
215 Views, 0 likes, 1 Comment

SSL Intercept with F5 in L2 mode
I am looking for a deployment where I configure the same VLAN on the ports my client and server are connected to. I would like to intercept this traffic. Is this possible on F5? The current scenario explained in the F5 doc is to have self-IPs for server and client VLANs and route the traffic to the F5 using these IPs. Is anyone aware of a deployment without these self-IPs and having client and server in the same VLAN?
211 Views, 0 likes, 1 Comment