SSL Orchestrator and ASM application policy om BigIP
Hello. I met a problem while trying combine SSL Orcestrator and ASM application policy together. Is anyone met the same? Or have any ideas about such deployment. I need to inspect unencrypted HTTP trafiic on inline antivirus and same time I need provide web application security on F5 Big IP. Thank you in advance.424Views0likes1CommentSSLO Security policies; do we still need the Pinners category?
Playing with SSLO again, and came across the Pinners category in the Security Policy (category of website that is immediately bypassing SSLO due to the use of Pinned certificates). (More detail on Certificate Pinning: https://community.f5.com/t5/technical-articles/implementing-ssl-orchestrator-guided-configuration/ta-p/285880 https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning It seems that HTTP pinning and Certificate pinning has now mostly been deprecated (https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning &https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning , but the Pinners category still exist. I've removed quite a few of the domains from the category, tested again with Forged certificates, and all sites still work! (which I believe they shouldn't if Pinning was still in place at those sites. And Google classically being one of the biggest users of Pinning initially isn't even in the Pinners category anymore. So, should SSLO still configure the Pinners category by default, or should it now be removed by default and Pinning only be kept in the back of our minds in the case we do come across a website that uses it? (Or 3rd and just as likely option - have I completely misunderstood something?Solved1.2KViews0likes4CommentsSSLO HTTPS conversion to HTTP for NGFW inspection
Hi all, I am new to the bigip SSLO and I was playing around it in order to see if I can enhance my NGFW visibility instead of moving to a bigger box. The BIGIP has been moved as the default gateway for all users and acts as a transparent proxy. All users have been provisioned the CA certificate and exceptions for pinned and sensitive sites have been provisioned and working as intended. The main idea is that I want to decrypt HTTPS traffic and send it over a Layer2/3 path via the NGFW in order to examine traffic and then re-encrypt it before been sent over to the internet. I have everything working as intended except the HTTPS-to-HTTP-to-HTTPS. Is this something which can be done by the SSLO? Thank you KonstantinosSolved1.7KViews0likes10CommentsWhere are the F5 SSL Orchestrator (SSLO) SplitSession Client/SplitSession Server profiles used?
I have seen this profiles but there is not a lot of info about their use cases. From the article below I think that they are only important when two F5 sslo devices are used ingress and egress traffic: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-13-1-0/39.html From what I gather if a single SSLO is used the settings will be "Local Peer" enabled and "Lookup Type" set to "Flow" but when is "Session Flow" or "HTTP Header" used ? Is session flow for layer2/3 services and when there are 2 SSLO for ingress and egress traffic and "HTTP Header" for transparent/explicit proxy services again with two SSLO for ingress and egress traffic?Solved967Views0likes2CommentsCan the F5 SSL Orchestrator(SSLO) send traffic to a not directly attached Layer 3 device?
I was playing with the SSLO wizards/guided configurations and when I tried to configure layer3 or http service with an IP address that is not directly attached to the a Vlan/Self IP on the F5 I got the error message " This is not a valid IP address for selected selfip for 'To Service' subnet.". For ICAP services there is no problem to send the traffic to a not directly attached device but I have to ask if I can do the same for HTTP/Layer 3 inline service in some way?Solved995Views0likes1CommentCustom script to shut down interface
Hi Guys, I'm new to F5 and a scripting novice. I have an F5 running SSLO sitting on the internet path and running BGP. I'm trying to design an automatic rerouting of internet to an alternate data center if any of my primary DC devices fail, but there is no inherent way to influence BGP routing through monitoring of service chain devices. F5 only has fail-open or fail-close for service chain devices. I thought of IP SLA Imish does not support this. Is there a way to write a script or custom monitor to ping the service chain devices and shut down an interface on failure?Solved959Views0likes1CommentCommon Name for Public/Signed SSL Certificate
Hi Community, Just want to ask regarding purchasing a Signed Public SSL Certificate. Does common name should be a registered dns domain? Because what we are planning is to use a dns domain currently defined in their AD Server, but the dns domain is not a registered DNS domain in the Internet. Ex. proxy.internal-xyz.com intended only for internal use for clientssl profile using F5 SSLO Forward Proxy. Thanks.352Views1like1Comment