sslo
SSL Orchestrator and ASM application policy on BIG-IP
Hello. I met a problem while trying to combine SSL Orchestrator and an ASM application policy together. Has anyone met the same? Or have any ideas about such a deployment? I need to inspect unencrypted HTTP traffic on an inline antivirus and at the same time I need to provide web application security on F5 BIG-IP. Thank you in advance.

SSLO Security policies; do we still need the Pinners category?
Playing with SSLO again, and came across the Pinners category in the Security Policy (a category of websites that immediately bypass SSLO due to the use of pinned certificates). More detail on certificate pinning: https://community.f5.com/t5/technical-articles/implementing-ssl-orchestrator-guided-configuration/ta-p/285880 and https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning. It seems that HTTP pinning and certificate pinning have now mostly been deprecated (https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning), but the Pinners category still exists. I've removed quite a few of the domains from the category, tested again with forged certificates, and all sites still work! (Which I believe they shouldn't if pinning was still in place at those sites.) And Google, classically being one of the biggest users of pinning initially, isn't even in the Pinners category anymore. So, should SSLO still configure the Pinners category by default, or should it now be removed by default and pinning only be kept in the back of our minds in case we do come across a website that uses it? (Or the 3rd and just as likely option: have I completely misunderstood something?)

SSLO HTTPS conversion to HTTP for NGFW inspection
Hi all, I am new to the BIG-IP SSLO and I was playing around with it in order to see if I can enhance my NGFW visibility instead of moving to a bigger box. The BIG-IP has been moved to be the default gateway for all users and acts as a transparent proxy. All users have been provisioned the CA certificate, and exceptions for pinned and sensitive sites have been provisioned and are working as intended. The main idea is that I want to decrypt HTTPS traffic and send it over a Layer 2/3 path via the NGFW in order to examine the traffic and then re-encrypt it before it is sent on to the internet. I have everything working as intended except the HTTPS-to-HTTP-to-HTTPS. Is this something which can be done by the SSLO? Thank you, Konstantinos

Where are the F5 SSL Orchestrator (SSLO) SplitSession Client/SplitSession Server profiles used?
I have seen these profiles but there is not a lot of info about their use cases. From the article below I think that they are only important when two F5 SSLO devices are used for ingress and egress traffic: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-13-1-0/39.html From what I gather, if a single SSLO is used the settings will be "Local Peer" enabled and "Lookup Type" set to "Flow", but when is "Session Flow" or "HTTP Header" used? Is Session Flow for Layer 2/3 services when there are two SSLOs for ingress and egress traffic, and "HTTP Header" for transparent/explicit proxy services, again with two SSLOs for ingress and egress traffic?

Can the F5 SSL Orchestrator (SSLO) send traffic to a not directly attached Layer 3 device?
I was playing with the SSLO wizards/guided configurations and when I tried to configure a Layer 3 or HTTP service with an IP address that is not directly attached to a VLAN/Self IP on the F5 I got the error message "This is not a valid IP address for selected selfip for 'To Service' subnet." For ICAP services there is no problem sending the traffic to a not directly attached device, but I have to ask if I can do the same for HTTP/Layer 3 inline services in some way?

Custom script to shut down interface
Hi Guys, I'm new to F5 and a scripting novice. I have an F5 running SSLO sitting on the internet path and running BGP. I'm trying to design automatic rerouting of internet traffic to an alternate data center if any of my primary DC devices fail, but there is no inherent way to influence BGP routing through monitoring of service chain devices. F5 only has fail-open or fail-close for service chain devices. I thought of IP SLA; imish does not support this. Is there a way to write a script or custom monitor to ping the service chain devices and shut down an interface on failure?

Common Name for Public/Signed SSL Certificate
Hi Community, Just want to ask regarding purchasing a signed public SSL certificate. Does the common name need to be a registered DNS domain? Because what we are planning is to use a DNS domain currently defined in their AD server, but the DNS domain is not a registered DNS domain on the Internet. Ex. proxy.internal-xyz.com, intended only for internal use for a clientssl profile using F5 SSLO Forward Proxy. Thanks.
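For the "Custom script to shut down interface" thread above, the following is an added example of the kind of watchdog that question describes. It is not F5 code and not from any of the posters. It pings each SSLO service-chain device and, on the first failure, disables the interface that carries the BGP peering with `tmsh modify net interface <name> disabled`, so the upstream router withdraws the path through this data center; when every device answers again it re-enables the interface. The device addresses, the interface name, the state-file path, the run-from-cron convention and the SSLO_WATCHDOG_RUN variable are assumptions for illustration, and PING_CMD/TMSH_CMD are variables only so the logic can be exercised off-box.

```shell
#!/bin/sh
# Added example for the "Custom script to shut down interface" thread;
# not F5 code. Pings the SSLO service-chain devices and disables the
# BGP-facing interface on failure, re-enabling it when the chain recovers.
#
# Assumptions (hypothetical, adjust to the real deployment):
#   - runs on the BIG-IP as root from cron or an iCall periodic handler
#   - the inline devices answer ICMP echo on their "to service" address
#   - BGP_INTERFACE is the interface whose shutdown drops the BGP session

SERVICES="${SERVICES:-10.10.10.11 10.10.10.12}"   # constructed device IPs
BGP_INTERFACE="${BGP_INTERFACE:-1.3}"             # constructed interface name
PING_CMD="${PING_CMD:-ping -c 3 -W 2}"            # overridable for testing
TMSH_CMD="${TMSH_CMD:-/usr/bin/tmsh}"             # overridable for testing
STATE_FILE="${STATE_FILE:-/var/tmp/sslo_chain_watchdog.state}"

# Return 0 when the device answers at least one echo request.
device_up() {
    $PING_CMD "$1" >/dev/null 2>&1
}

# Print the space-separated list of unreachable devices; return 0 if none.
check_chain() {
    bad=""
    for dev in $SERVICES; do
        device_up "$dev" || bad="$bad $dev"
    done
    [ -z "$bad" ] && return 0
    echo "$bad"
    return 1
}

# Compare chain health with the last recorded state and touch the interface
# only on a transition, so a steady failure does not spam tmsh and a brief
# recovery does not flap BGP. Prints the action taken: disabled/enabled/noop.
reconcile() {
    prev=$(cat "$STATE_FILE" 2>/dev/null || echo up)
    if failed=$(check_chain); then
        if [ "$prev" = "down" ]; then
            $TMSH_CMD modify net interface "$BGP_INTERFACE" enabled >/dev/null
            echo up > "$STATE_FILE"
            echo "enabled"
        else
            echo "noop"
        fi
        return 0
    fi
    if [ "$prev" != "down" ]; then
        echo "service chain failure:$failed; disabling $BGP_INTERFACE" >&2
        $TMSH_CMD modify net interface "$BGP_INTERFACE" disabled >/dev/null
        echo down > "$STATE_FILE"
        echo "disabled"
    else
        echo "noop"
    fi
    return 0
}

# Run one check when invoked from cron with SSLO_WATCHDOG_RUN=1; otherwise
# the file only defines functions so it can be sourced and tested.
if [ "${SSLO_WATCHDOG_RUN:-0}" = "1" ]; then
    reconcile
fi
```

Schedule it once a minute (cron or an iCall periodic handler) with SSLO_WATCHDOG_RUN=1. Two caveats a practitioner would want: disabling an interface is a blunt instrument that also drops any other traffic on that interface, so the peering should sit on an interface of its own; and `tmsh modify` changes only the running configuration, which is what you want here (the state should not survive a reboot as a saved "disabled"). A ping check also only detects a dead device, not one that is up but no longer inspecting, so it complements rather than replaces the per-service fail-open/fail-close setting.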