Manual Chapter: Features and Terminology in F5 Guided Configuration for SSL Orchestrator
Applies To: F5 SSL Orchestrator 17.0.0
Features and Terminology
This section defines and describes some of the features and terminology used in SSL Orchestrator. Additionally, it details the topologies (steps) available in SSL Orchestrator's Guided Configuration.
Features in SSL Orchestrator 10.1
- Enhanced Logging capabilities: The SSL Orchestrator connection summary logs now have enhanced capabilities to log new data such as Ingress/Egress VLAN, policy rule names, URL categories, TLS handshake status, reset causes, and connection failures. Previously, there was no way to identify which policy rule was taking effect and directing the traffic to its final disposition (allow or reject). Now, with rule name logging in the summary logs, you can determine which rules reject, allow, abort, or bypass traffic in the SSL Orchestrator Security Policy page.
- iFILE Snapshot support: SSL Orchestrator now supports a Snapshots utility that lets you create a backup copy of your deployed configurations. You can preserve your existing configurations as an iFILE and provide yourself with a restore point. The Snapshot feature lets you freely experiment with configuration settings and restore your backed-up configurations quickly when required.
- Office 365 Tenant Restrictions as a service: SSL Orchestrator 10.1 now offers Office 365 Tenant Restrictions within the SSL Orchestrator interface, specifically in the F5 tab as part of the Solutions Catalog. This update enables organizations to restrict their users' access to the company's Office 365 resources while blocking access to personal/non-company Office 365 resources. In addition, SSL Orchestrator injects Microsoft "Tenant-Restriction" HTTP headers into outbound HTTP flows and provides a mechanism to allow or deny access to O365 resources based on organizational requirements.
- Office 365 URL categorization: SSL Orchestrator now allows you to create a schedule to fetch O365 URLs and add the fetched data to custom URL categories/data groups according to their specifications. You can attach the URL category to an SSLO security policy to dictate which traffic will be inspected or bypassed and then deploy the policy to managed BIG-IP devices.
- Security Policy enhancements: The SSL Orchestrator Security Policy step now has the following enhancements when creating a new rule:
- A new drop-down list contains the "is" and "is not" operators to compare or negate your specified condition. Previously, you could configure rules having search/filter conditions with the "is/are" or "contains" operator. With this release, you can use the "is not" operator that can negate your selected conditions into "is not"/"are not" and "not contains."
- A new condition, "IP Protocol," lets you match the SSL traffic based on Internet Protocols such as TCP and UDP.
- With the new "Bypass (Client Hello)" setting in SSL Proxy Action, you can bypass traffic on certain conditions without triggering the TLS handshake. However, the SSL conditions such as "Server Certificate (Issuer DN, SANs, Subject DN)" and "Category Lookup (All)" do not have this setting enabled.
Other SSL Orchestrator Features
- Certificate Authority (CA) certificate: This implementation requires a Certificate Authority PKI (public key infrastructure) certificate and matching private key for SSL Forward Proxy. Your TLS clients must trust this CA certificate, since it is used to sign the server certificates presented to them.
- Inspection zone: An inspection zone refers to the network region between separate ingress and egress BIG-IP® devices where cleartext data is available for inspection. Basically, an extra inline service can be placed at the end of every service chain for additional inspection. You cannot configure a decrypt zone in the scenario where a single BIG-IP system handles both ingress and egress traffic because the inspection zone does not exist.
- F5 Guided Configuration for SSL Orchestrator: F5 Guided Configuration for SSL Orchestrator is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version displays on the landing page. To upgrade SSL Orchestrator, you can download the SSL Orchestrator RPM (.rpm) file from F5 Downloads (Security) to your local workstation and then choose the downloaded RPM file for uploading and installing. Refer to the Update or Upgrade the F5 SSL Orchestrator chapter in the BIG-IP update and upgrade guide for detailed steps on installing and upgrading to the newest version.
- HTTP services: You can configure inline HTTP explicit proxy (EP) or transparent proxy (TP) settings with SSL Orchestrator configured as either an explicit or transparent proxy for extended SSL visibility and existing or new deployments. Using SSL Orchestrator, the inline proxy device can be in either transparent or explicit mode, irrespective of SSL Orchestrator's mode.
- ICAP services: Each ICAP service uses the ICAP protocol (https://tools.ietf.org/html/rfc3507) to refer HTTP traffic to one or more Content Adaptation device(s) for inspection and possible modification. You can add an ICAP service to any TCP service chain, but only HTTP traffic is sent to it, as ICAP is not supported for other protocols. You can configure up to ten ICAP services using F5® SSL Orchestrator™.
- Layer 2 (L2) and Layer 3 (L3) inline services: Inline services pass traffic through one or more service (inspection) devices at Layer 2 (MAC)/bump-in-the-wire or Layer 3 (IP). Each service device communicates with the SSL Orchestrator device over two VLANs called Inward and Outward, which carry traffic toward the intranet and the Internet respectively. You can configure up to ten inline services, each with multiple defined devices, using SSL Orchestrator.
- Receive-only/TAP services: Receive-only services refer to services that only receive traffic for inspection, and do not send it back to the BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic (e.g. plaintext) passing through it to an inspection device. You can configure up to ten receive-only services using SSL Orchestrator.
- F5 services: You can configure the F5 SWG service after selecting it from the Service Settings Catalog for L3 Explicit, L3 Outbound, and L2 Outbound topologies with SSL Orchestrator configured as either an explicit or transparent proxy for extended SSL visibility and existing or new deployments. After configuring the F5 SWG service you can add it to a Service Chain. The F5 Office 365 Tenant Restrictions service provides a mechanism to allow or deny access to O365 resources based on organizational requirements. You will require your organization's Restrict-Access-To-Tenants and Restrict-Access-Context values to be inserted into HTTP headers. You can obtain the Tenant Domain and Tenant ID values from the Microsoft Azure portal by signing in as the Administrator. Click Office 365 Tenant Restrictions for detailed information on Tenant Restrictions.
- Security policies: SSL Orchestrator uses a visual per-request policy engine, or Visual Policy Editor (VPE), to define traffic flows through the security services. Security policies are available within the VPE with each element, or box, representing a corresponding macro whose information (and output) influences the next element and its macro, until the traffic is either allowed or blocked.
- Service chains: SSL Orchestrator service chains process specific connections based on rules which look at protocol, source and destination addresses, and so on. These service chains can include five types of services (HTTP services, Layer 2 inline services, Layer 3 inline services, receive-only/TAP services, and ICAP services) you define, as well as any decrypt zone between separate ingress and egress devices.
- SNAT: A SNAT (Secure Network Address Translation) is a feature that defines routable alias IP addresses that the BIG-IP system substitutes for client IP source addresses when making connections to hosts on the external network. A SNAT pool is a pool of translation addresses that you can map to one or more original IP addresses. Translation addresses in a SNAT pool should not be self IP addresses.
- Strict Update option (Protected/Unprotected Configurations): By selecting the strict update option (on the Guided Configuration Welcome screen in a column labelled Protected/Unprotected Configurations) for deployed configurations, you cannot manually modify any settings produced by the application. Once you disable this option (click on the lock symbol), you can manually change your configuration. F5 recommends you keep this setting enabled (locked) to avoid misconfigurations that can result in an unusable application and limit F5's ability to support your product. The strict update check box is enabled/selected by default.
- Sync-Failover device group: A Sync-Failover device group (part of the Device Service Clustering (DSC®) functionality) contains BIG-IP devices that synchronize their configuration data and fail over to one another when a device becomes unavailable. In this configuration, a Sync-Failover device group supports a maximum of two devices.
- Transparent/Explicit proxy: You can operate in transparent and/or explicit proxy mode. A transparent proxy intercepts normal communication without requiring any special client configuration; clients are unaware of the proxy in the network. In this implementation, the transparent proxy scheme can intercept all types of TLS and TCP traffic. It can also process UDP and forward other types of IP traffic. The explicit proxy scheme supports only HTTP(S) per RFC2616. In addition, transparent proxy supports direct routing for policy-based routing (PBR) and Web Cache Communication Protocol (WCCP), which depend on networking services to support both protocols, while explicit proxy supports manual browser settings for proxy auto-config (PAC) and Web Proxy Autodiscovery Protocol (WPAD), which require additional iRule configurations (not included) to provide the PAC/WPAD script content.
Topologies in Guided Configuration
F5 Guided Configuration for SSL Orchestrator helps guide you through setting up a particular use case configuration on the SSL Orchestrator system. Each topology, or step (template), requires minimal input and provides contextual help to assist users during setup.
F5 Guided Configuration for SSL Orchestrator topologies (steps):
- Topology
- SSL Configuration
- Authentication
- Service
- Service Chain
- Security Policy
- Interception Rule
- Egress Setting
- Log Settings
- Summary
- Preview Merge
In addition, SSL Orchestrator also includes:
- System Settings: for general information the system requires.
- High Availability Status (HA-Status): for detailed information on the status of your HA devices, with detailed warning and error messages indicating issues with your system status, HA network status, and device groups, along with options on how to fix them.
- SSL Orchestrator Dashboard: for various methods to review and analyze the status and trends of your SSL Orchestrator environment and systems. Each tile has customizable features based on reporting time ranges.
The current version displays on the SSL Orchestrator Configuration landing page. When a later upgrade becomes available, you can use the available link next to the version number to download it from devcentral.f5.com, then upload and install Guided Configuration for SSL Orchestrator.
See the Setting up F5 Guided Configuration for SSL Orchestrator section, or the Setting up F5 Guided Configuration for SSL Orchestrator in High Availability section, for detailed steps on installing and upgrading to the newest version.
- Topology: When using the Topology screen, you can set up SSL Orchestrator in an array of topologies that define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without un-deploying a configuration, are complemented by SSL settings that assist you in defining inbound and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2 (L2)/Layer 3 (L3) inline, and receive-only/TAP services), and creating your service chains and security policies, which can be managed through a visual policy editor. Available topologies are based on your initial network setup. Topologies that are not supported by your network setup or licensing will not show as an enabled option.
- L2 Inbound and L2 Outbound topologies are only available for supported L2 wire enabled networks.
- L3 Inbound and L3 Outbound topologies are available for all supported networks.
- L3 Explicit Proxy topology is only available when Protocol is set to either TCP or Any.
- Existing Application topology is available for SSL Orchestrator add-on licensed devices. This option is not available for standalone SSL Orchestrator devices.
SSL Orchestrator provides the installation of default or custom outbound interception rules for greater support in defining your listeners and the flexibility to create your own outbound and inbound interception rules. You can specify the L3 Inbound mode as either Gateway or Application. L2 Inbound mode is Gateway only. Inbound Gateway mode ensures non-SSL and non-HTTP traffic is forwarded and L7 protocols are identified as an outbound deployment. Inbound Application mode enables address translation.
L2/L3 Inbound Gateway and Application mode options:
- L2 Inbound: Only Gateway mode is available, with address translation disabled. In Interception Rule, Port defaults to 0 and Destination Address/Mask defaults to 0.0.0.0%0/0.
- L3 Inbound: Select Gateway mode so that address translation is disabled. In Interception Rule, Port defaults to 0 and Destination Address/Mask defaults to 0.0.0.0%0/0. Or, select Application mode so that address translation is enabled. In Interception Rule, specify Port and Destination Address/Mask values.
In L2 or L3 Inbound Gateway mode, the Verified Accept check box appears on the Interception Rule screen in Advanced Settings.
When upgrading from previous releases, if the SSL Orchestrator inbound topology had:
- L2 inbound topologies, it will map to Gateway mode.
- Port set to a number that is not 0, it will map to Application mode.
- Port set to 0 and no LB pool attached, it will map to Gateway mode.
- Port set to 0 with an LB pool attached, a specific mode will not be mapped. The admin can determine whether Gateway or Application mode should be selected for that topology using the Mode option in the UI.
After upgrading an L2 Inbound deployment, Gateway mode is automatically set. However, you cannot use the Inbound Gateway mode feature unless you manually edit the topology by selecting the Enable Inbound Gateway Feature check box, or manually associate the corresponding -gw_in_t and -lib iRules in SSL Orchestrator (in the Interception Rule step) or using TMUI/TMSH (virtual server). Enabling the inbound gateway feature ensures that non-SSL and non-HTTP traffic can be forwarded. In addition, L7 protocol identified as outbound deployment and HTTP traffic can be forwarded, with the L7 protocol identified as HTTP, while also handling server-speak-first traffic (for example, IMAP). Enabling this feature may break current custom iRules.
After upgrading, you can update an existing L3 Inbound deployment in either Gateway or Application mode if you did not select the inbound mode value set by the upgrade. For example, if your inbound topology has not yet been manually modified, an "i" icon appears in front of the name of your deployment. Mouse over the icon for more information and make edits by clicking on the name. In addition, an Enable Inbound Gateway Feature check box may appear. By selecting it, the corresponding iRules, -gw_in_t and -lib, will be attached to this topology. This is a one-time action.
- SSL Configuration: When configuring the SSL Configuration screen, you can set up or manage your forward proxy (for outbound traffic) or reverse proxy (for inbound traffic) scenarios by creating a new SSL profile or selecting an existing SSL profile you have previously created. In addition, you can attach multiple SSL profiles to the same virtual server for both inbound and outbound topologies. You can also switch SSL profiles based on ClientHello SNI matches. For this, specify the server name used for SNI communications and select the Default SNI check box in the SSL profile that the system should consider as the default profile. You can only use one such SSL Configuration in a Topology. You can set up and manage client and server cipher types (group or string) and select the certificate, key, and chain configuration details required to process SSL traffic. For outbound scenarios, click Show Advanced Setting to enable or disable SSL forward proxy bypass when receiving a handshake failure, protocol version, or unsupported extension alert message during the server-side SSL handshake, so the SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. You can enable or disable SSL forward proxy bypass when failing to get a client certificate (that the server asks for), so the SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. You can also control whether SSL Orchestrator should ignore/drop untrusted/expired server certificates for outbound and inbound scenarios. Additionally, you can specify an OCSP responder or a CRL file to validate server certificates.
- Authentication: You can configure a Local Online Certificate Status Protocol (OCSP) Responder and associate a Local OCSP Responder with a virtual server (which is part of the UI). OCSP is an Internet protocol used to obtain the revocation status of a digital certificate. When the validity of a certificate is requested, an OCSP request is sent to an OCSP Responder, which checks the specific certificate with a trusted certificate authority. This results in an OCSP response of good, revoked, or unknown being sent back. To configure Authentication, you must select TCP or Any as your Protocol and either L2 Outbound, L3 Outbound, or L3 Explicit Proxy as your SSL Orchestrator topology from the Topology Properties screen. If you do not select one of the required protocols or topologies, Authentication will not be supported or appear as a Guided Configuration step. To create a new authentication, click Add. The Authentication Properties screen appears where you can select OCSP Responder (for the Client). Click OCSP Responder and click Add. The Authentication Properties screen appears where you can configure a new OCSP Responder. You may also edit or delete a newly created authentication that is a part of your current workflow and that has not yet been deployed. These configurations will show NOT DEPLOYED next to the authentication name. Previously deployed authentications that are listed cannot be deleted or edited and belong to deployed global authentications. Click Show Advanced Setting to select the following Protocol Settings: Client TCP Profile, Server TCP Profile, HTTP Profile. Optional: Later, when configuring the Interception Rule, you may select from the Authentication section OCSP Responder list to associate a Local OCSP Responder with the Interception Rule. This action adds a new iRule to the virtual server. In addition, you may configure authentication using the mini-flow Authentication tab without creating a topology and may utilize the existing iRule item-selector to select the OCSP iRule.
- Service: When configuring the Service screen, you can create services such as HTTP, ICAP, Layer 2 and Layer 3 inline, receive-only/TAP, and other services.
- Inline HTTP: You can configure inline HTTP explicit or transparent proxy settings with SSL Orchestrator configured as either an explicit or transparent proxy for extended SSL visibility and existing or new deployments. Using SSL Orchestrator, you can support multiple explicit and transparent proxy configurations such as: SSLO Explicit proxy with in-line explicit proxy as a service (EP-EP); SSLO Transparent proxy with in-line explicit proxy as a service (TP-EP); SSLO Explicit proxy with in-line transparent proxy as a service (EP-TP); SSLO Transparent proxy with in-line transparent proxy as a service (TP-TP).
- ICAP: Each ICAP service uses the Internet Content Adaptation Protocol (ICAP) RFC3507 protocol to refer HTTP traffic to one or more Content Adaptation devices for inspection and possible modification. You can configure the ICAP services that are a part of this configuration.
- Layer 2 and Layer 3 inline: Inline services pass traffic through one or more service devices at Layer 2 (LAN) or Layer 3 (IP). Each service device communicates with the BIG-IP device on the ingress side over two VLANs called Inward and Outward that carry traffic toward the intranet and the Internet, respectively.
- TAP: TAP services only receive traffic for inspection, and do not send it back to the BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic (for example, plaintext), passing through it to an inspection device.
- F5: The F5 tab lists F5's internal products as services. Deploy these services to suit your categorization, classification, and content inspection needs for encrypted traffic. The available services are F5 Secure Web Gateway, F5 Office 365 Tenant Restrictions, and F5 Advanced Web Application Firewall. The F5 Secure Web Gateway (SWG) service allows you to take an existing F5 SWG solution and migrate or move it to the same BIG-IP as SSL Orchestrator. Selecting this service helps provide visibility, orchestration, categorization, and classification for all encrypted traffic traversing your network, both inbound and outbound. You can manage web access across your organization with URL categorization. This allows you to enforce organizational policies against access to specific content, prevent access to potentially malware-laden websites and apps, or stop bandwidth chokers, among other uses. On configuring the F5 SWG service you can add the newly created SWGaaS to an existing Service Chain or create a new one. The F5 Office 365 Tenant Restrictions service provides a mechanism to allow or deny access to O365 resources based on organizational requirements. You will require your organization's Restrict-Access-To-Tenants and Restrict-Access-Context values to be inserted into HTTP headers. You can obtain the Tenant Domain and Tenant ID values from the Microsoft Azure portal by signing in as the Administrator. Click Office 365 Tenant Restrictions for detailed information on Tenant Restrictions.
To use a previously created service, select the check box next to the name of the desired service type and click Save & Next. You can edit any previously created service by clicking directly on the name. To create a new service, click Add Service. Only the services created as part of this workflow can be deleted.
- Service Chain: A service chain is a logical grouping of services in a defined order through which SSL Orchestrator processes traffic. Security policies match traffic flow conditions, which then assign flows to service chains. The service chain then orchestrates the traffic through the defined set of services in the defined order. When configuring the Service Chain screen, you can process specific connections based on security policy rules which look at protocol, source, and destination addresses to define an ordered list of services. These service chains can include an ordered list of services you define, as well as any decrypt zone between separate ingress and egress devices. Select services that have already been created from the available list, filter as necessary, and add them to the Selected Service Chain Order list. This service chain list can also be reordered by using the direction arrow buttons. To use a previously created service chain, select the check box next to the name of the desired service chain type and click Save & Next. You can edit any previously created service chain by clicking directly on the name. To create a new service chain, click Add. Only the service chains created as part of this workflow can be deleted.
- Security Policy: The Security Policy defines the set of traffic matching rules and the corresponding actions to take on matches. When configuring the Security Policy screen, you can provide security policy configuration details, including policy conditions, rules, and custom policy details, for your SSL Orchestrator deployment. By default, SSL Orchestrator provides the Pinners_Rule and All Traffic rules. Pinners_Rule consists of domain names of some TLS- (SSL-) based services from well-known businesses that support software which may not work well when their connections are intercepted and decrypted by the SSL Orchestrator solution. You can also use the All Traffic default rule that allows the interception of all traffic. Click Add to create a new security policy rule. Select a condition from the first drop-down list for which you want to configure the rule. You can specify conditions, match type (match any/match all), operators (is) or (is not) that compare or negate the selected value, and choose the action (reject/allow/abort) for that traffic. You can also select a service chain and specify whether SSL proxy traffic will be intercepted or bypassed. Use the + sign to add additional conditions and the x sign to remove any unwanted rule condition. You can select Server Certificates Status Check if you want to add a new per-request policy agent for server certificate status and to allow administrators to select ignore/mask options and generate a blocking page for untrusted and expired server certificates. In addition, you can select Proxy Connect if you want to add an upstream explicit proxy to your security rule chaining. You can add multiple proxy devices, or pool members, as necessary. When selecting a new rule Condition, we recommend you follow these tips:
- When you select the Category Lookup (HTTP Connect) condition, also add the L7 Protocol Lookup (TCP) condition.
- When you select the L7 Protocol Lookup (UDP) condition, do not add the Category Lookup (SNI), Category Lookup (HTTP Connect), SSL Check, or URL Match conditions.
- To allow SSL traffic to bypass without triggering the TLS handshake, you can now select "SSL Proxy Action: Bypass (Client Hello)" for all conditions except Category Lookup (All) and Server Certificate (*). Configuring a rule with Allow for Bypass (Client Hello) enables the Bypass on SSL Client Hello setting in the SSL Bypass Set action in the deployed policy. If a rule contains an SSL condition with "SSL Proxy Action: Bypass", no subsequent rule can have Bypass on SSL Client Hello enabled.
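As an added illustration (a constructed example, not F5 code), the following linter checks an ordered rule list against the authoring constraints described in this step (the Bypass (Client Hello) restrictions and the condition-pairing tips) and evaluates a flow against the rules using the is/is not operators and match any/match all. The rule and condition structure, the flow dictionary, the set of names treated as SSL conditions, and first-match ordering are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Condition families for which Bypass (Client Hello) is not offered (from this step).
NO_CLIENT_HELLO_BYPASS = ("Category Lookup (All)", "Server Certificate (")
# Names treated as SSL conditions in this example. Assumption: the text names only the
# Server Certificate (...) and Category Lookup (All) families as examples.
SSL_CONDITIONS = ("Server Certificate (", "Category Lookup (All)", "Category Lookup (SNI)", "SSL Check")
# Conditions that must not share a rule with L7 Protocol Lookup (UDP).
UDP_INCOMPATIBLE = {"Category Lookup (SNI)", "Category Lookup (HTTP Connect)", "SSL Check", "URL Match"}


@dataclass
class Condition:
    name: str                       # e.g. "Category Lookup (SNI)"
    operator: str = "is"            # "is" compares, "is not" negates
    values: frozenset = frozenset()

    def matches(self, flow: dict) -> bool:
        # Assumption: the flow dictionary carries one attribute per condition name.
        hit = flow.get(self.name) in self.values
        return hit if self.operator == "is" else not hit


@dataclass
class Rule:
    name: str
    conditions: list
    match: str = "all"              # "all" or "any"
    action: str = "allow"           # allow / reject / abort
    ssl_proxy: str = "intercept"    # intercept / bypass / bypass_client_hello
    service_chain: Optional[str] = None


def lint_policy(rules):
    """Return human-readable findings for rules that violate the authoring constraints."""
    findings = []
    ssl_bypass_seen = False         # an earlier rule with an SSL condition used Bypass
    for rule in rules:
        names = {c.name for c in rule.conditions}
        if rule.ssl_proxy == "bypass_client_hello":
            blocked = sorted(n for n in names if n.startswith(NO_CLIENT_HELLO_BYPASS))
            if blocked:
                findings.append(f"{rule.name}: Bypass (Client Hello) is not available for {', '.join(blocked)}")
            if ssl_bypass_seen:
                findings.append(f"{rule.name}: Bypass on SSL Client Hello cannot follow an SSL-condition rule "
                                "using SSL Proxy Action: Bypass")
        if rule.ssl_proxy == "bypass" and any(n.startswith(SSL_CONDITIONS) for n in names):
            ssl_bypass_seen = True
        if "Category Lookup (HTTP Connect)" in names and "L7 Protocol Lookup (TCP)" not in names:
            findings.append(f"{rule.name}: add L7 Protocol Lookup (TCP) alongside Category Lookup (HTTP Connect)")
        clash = sorted(names & UDP_INCOMPATIBLE) if "L7 Protocol Lookup (UDP)" in names else []
        if clash:
            findings.append(f"{rule.name}: L7 Protocol Lookup (UDP) cannot be combined with {', '.join(clash)}")
    return findings


def evaluate(rules, flow):
    """Return (rule name, action, ssl_proxy) for the first rule whose conditions match.

    Assumption: rules are evaluated in order and the first match decides; a rule with no
    conditions (like the default All Traffic rule) matches every flow.
    """
    for rule in rules:
        combine = all if rule.match == "all" else any
        if not rule.conditions or combine(c.matches(flow) for c in rule.conditions):
            return rule.name, rule.action, rule.ssl_proxy
    return None


# Constructed sample policy with deliberate authoring mistakes for the linter to catch.
SAMPLE_POLICY = [
    Rule("Pinners_Rule", [Condition("Category Lookup (SNI)", "is", frozenset({"Pinners"}))],
         ssl_proxy="bypass"),                 # SSL condition + Bypass: no later Client Hello bypass
    Rule("UDP_Apps", [Condition("L7 Protocol Lookup (UDP)", "is", frozenset({"quic"})),
                      Condition("SSL Check", "is", frozenset({True}))]),   # incompatible pairing
    Rule("Finance_Bypass", [Condition("Category Lookup (All)", "is", frozenset({"Financial"}))],
         ssl_proxy="bypass_client_hello"),    # two findings: condition family and rule ordering
    Rule("All Traffic", [], action="allow", service_chain="full_chain"),
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
    print(evaluate(SAMPLE_POLICY, {"Category Lookup (SNI)": "Pinners"}))
```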
A URLF license is not required to use Custom Categories when creating a new URL category. When you use SSL Orchestrator to provision and deploy an L3 Outbound or L3 Explicit Proxy configuration, and then use BIG-IP Access to configure a custom category, the custom category is supported for the hostname only (with no URLDB or SWG). Therefore, the URL should be configured with the hostname only (for example, http://www.f5.com/). In the case of a full URL configuration (http://www.f5.com/services/), the category lookup will result in an uncategorized category (id# 153).
- Interception Rule: The Interception Rule defines the more specific ingress properties of the topology. When configuring the Interception Rule screen, you can set up both outbound and inbound scenarios.
- Outbound Topology Scenarios: Using the SSL Orchestrator default outbound interception rules settings is recommended by F5 and allows you to:
- Define your outbound proxy scheme settings to support either Transparent or Explicit proxy modes.
- Simplify your security settings by creating both SSL and Per-Request Policy settings with pre-defined configurations for your outbound rule.
- Simplify your ingress network VLAN settings with pre-defined configuration for your outbound rule.
- Inbound Topology Scenarios: You can use the inbound interception rules to create inbound (reverse proxy) listeners. For example, you can set up a gateway where SSL Orchestrator sits in front of your applications (or a separate ADC to do inspections) where a wildcard or SAN certificate is used to decrypt traffic.
Your inbound interception rules can also be optionally (through advanced properties) configured to service individual applications. Using Protocol Settings, you can specify multiple client-side and server-side SSL profiles for managing SSL traffic. Before version 9.1, SSL Orchestrator generated SSL profiles for Verified Handshake True (vht) and Verified Handshake False (vhf) with the suffixes -vht and -vhf in the file names. Starting with version 9.1, for upgraded and newly created configurations, SSL Orchestrator generates a single pair of SSL profiles that do not have a vhf/vht suffix. For an upgraded configuration to retain the configurations generated before the upgrade, copies of all the Client and Server SSL profiles that are in use are generated with the suffix. These profile copies are attached to the virtual server but are not managed through SSLO. Hence, if you delete all configurations in SSLO, these profiles will not be deleted. You can select them as desired in the Protocol Settings and attach them to the Interception Rule. By default, Verified Handshake is enabled for Outbound traffic and disabled for Inbound traffic.
- Egress Setting: The Egress settings define how traffic exits the topology. The BIG-IP receives traffic after a connection travels through the specified service chain and directs the traffic to the final destination. When configuring the Egress Setting screen, you can select whether you want the system to let all SSL traffic use the default route, or whether you want to specify Internet gateways (routers). If you want to override the default routing and choose to use specific gateways, you can define the ratios within the pool of routers to load balance the traffic. The Egress Setting step is only for L3 topology configurations. To create egress settings, you must set both SNAT (Secure Network Address Translation) settings and your selected gateway routes for SSL intercept traffic.
When managing SNAT settings, you define routable alias IP addresses that the BIG-IP system substitutes for client IP source addresses when making connections to hosts on the external network. You can use an existing SNAT (and thus define a SNAT pool), the SNAT Auto Map functionality, create new SNAT settings, or use none at all. Create a BIG-IP SNAT pool to define a pool of distinct host addresses for SNAT to use. A SNAT pool is a pool of translation addresses that you can map to one or more original IP addresses. Translation addresses in a SNAT pool should not be self IP addresses. For gateway addresses, enter multiple gateways if you have multiple systems and wish to load balance across them. If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, you can set the ratio to 1 on the smaller device and 2 on the larger one. Create a BIG-IP gateway pool if you add more than one gateway (router) that specifies the routes of all SSL intercept traffic.
- Log Settings: Log Settings are defined per topology and provide options to enable different logging levels for the multiple SSL Orchestrator objects. When using the Log Settings screen, you can enable logging for selected facilities at various levels of severity to describe the system messages. Facilities describe the specific element of the system generating the message: Per-Request Policy, FTP, IMAP, POP3, SMTPS, SSL Orchestrator Generic. No logging is expressly required, so the default "Error" setting appropriately generates logs only on error conditions. However, keep in mind that SSL Orchestrator will produce extensive logs per flow when raised above Error, so it is recommended to set a higher level only when troubleshooting issues. The following levels describe the severity of the message and are listed in order of the severity of the messages they handle:
- Emergency: Specifies the emergency system panic messages.
- Alert: Serious errors that require administrator intervention.
- Critical: Critical errors, including hardware and file system failures.
- Error: Non-critical, but possibly very important, error messages.
- Warning: Warning messages that should at least be logged for review.
- Notice: Normal but significant conditions that are not errors.
- Information: Informational messages that contain useful information but may be ignored.
- Debug: Messages that are only necessary for troubleshooting.
Each level also includes the messages of every more severe level. For example, the Alert level also reports all Emergency messages, and the Debug level reports messages from all levels.
- Summary: The Summary page displays all of the previously defined settings and provides re-entry to each setting to make modifications before deploying. After completing your configuration, or when updating it, use the Summary screen to review and change configuration settings as necessary for each topology. Select the arrow to review the topology details, or select the pencil to edit most field content and re-save.
- Preview Merge: The Preview Merge option becomes available for previously deployed SSL Orchestrator configurations after a configuration is moved into the Unprotected Configuration mode. Once a configuration is unlocked, changes made in any of the following configuration topologies (steps) are available for review and merge:
- Topology
- SSL Configuration
- Service
- Interception Rule
- System Settings
See the Using F5 SSL Orchestrator Preview Merge section in this guide for more detailed information.
Configuring System Settings
In addition to the SSL Orchestrator topologies, you can configure your deployment settings using System Settings. When configuring a topology, after clicking Add from the Configuration screen, select System Settings at the top right of the screen. The System Settings screen allows you to provide general information the system needs, such as IP Family settings to specify whether this configuration supports IPv4 addresses, IPv6 addresses, or both.
You can specify the DNS Query Resolution. This solution uses DNS extensively. You can either permit the system to send DNS queries directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS queries from SSL Intercept. Direct resolution can be more reliable than using forwarders but requires outbound UDP and TCP port 53 access from the BIG-IP to the Internet. You can select DNSSec Validation to specify whether DNSSEC is used to validate the DNS information; validating responses with DNSSEC protects the system from spoofed or tampered DNS answers.
You can also specify in Gateways Configuration whether you want the system to let all SSL intercept traffic use the default route, or specify Internet gateways (routers), depending on the IP family selection:
- IPv4 and/or IPv6 Outbound Gateways: You may specify one or more Internet gateways (routers) to handle outbound SSL intercept traffic, and control the share of traffic each is given.
- Non-public IPv6 Networks: You may specify route connections to non-public IPv6 networks via the IPv6 gateways by entering the prefix/mask-length (CIDR). Non-public IPv6 networks are those outside the 2000::/3 global unicast block, such as ULA networks in the fc00::/7 block. Your organization and your VPN-linked business partners likely have some non-public IPv6 networks.
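Deciding which destinations belong in the Non-public IPv6 Networks field comes down to one test: a prefix inside 2000::/3 is reached via the default route, while anything outside it that is still routable needs an explicit prefix/mask-length entry. The following Python is an added example written for this page (not F5 code) that classifies candidate prefixes with that rule, rejects malformed entries (host bits set, IPv4, or a prefix that straddles public and non-public space such as ::/0), flags link-local, multicast and loopback space that cannot be routed through a gateway, and collapses entries already covered by a broader non-public prefix. The sample prefixes are constructed.

```python
"""Classify destination prefixes for the Gateways Configuration step.

Added illustration only (not F5 code). Global unicast space is 2000::/3; any
IPv6 destination outside it (for example ULA in fc00::/7) is 'non-public'
and needs an explicit entry so it is routed via the configured IPv6 gateway.
"""
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # public IPv6 space
ULA = ipaddress.ip_network("fc00::/7")              # unique local addresses


def classify_prefix(text):
    """Classify one prefix typed into the Non-public IPv6 Networks field.

    Returns (category, detail) where category is one of:
      'public'      inside 2000::/3, reached via the default route, no entry needed
      'non-public'  outside 2000::/3 and routable, needs an explicit gateway entry
      'unroutable'  link-local, multicast or loopback, cannot go via a gateway
      'invalid'     not a well-formed IPv6 prefix/mask-length
    """
    try:
        net = ipaddress.ip_network(text, strict=True)  # strict: reject host bits
    except ValueError as exc:
        return "invalid", str(exc)
    if net.version != 6:
        return "invalid", "not an IPv6 prefix"
    if net.subnet_of(GLOBAL_UNICAST):
        return "public", "within 2000::/3"
    if net.overlaps(GLOBAL_UNICAST):
        return "invalid", "prefix spans public and non-public space"
    if net.is_link_local or net.is_multicast or net.is_loopback:
        return "unroutable", "link-local, multicast or loopback"
    if net.subnet_of(ULA):
        return "non-public", "ULA (fc00::/7)"
    return "non-public", "outside 2000::/3"


def plan_routes(entries):
    """Group candidate prefixes by category. Non-public entries are
    deduplicated and any entry already covered by a broader non-public
    entry is dropped, so the result is the minimal list to enter."""
    buckets = {"public": [], "non-public": [], "unroutable": [], "invalid": []}
    for text in entries:
        cat, detail = classify_prefix(text)
        buckets[cat].append((text, detail))
    nets = sorted({ipaddress.ip_network(t) for t, _ in buckets["non-public"]},
                  key=lambda n: (n.prefixlen, int(n.network_address)))
    kept = []
    for net in nets:  # shortest prefixes first, so covering entries come before covered ones
        if not any(net.subnet_of(k) for k in kept):
            kept.append(net)
    buckets["non-public"] = [str(n) for n in kept]
    return buckets


if __name__ == "__main__":
    # Constructed sample input: a partner's public block, two ULA blocks with
    # an overlapping subnet, a link-local prefix and an IPv4 mistake.
    sample = ["2001:db8::/32", "fdab:cdef::/32", "fd12:3456:789a::/48",
              "fd12:3456:789a:1::/64", "fe80::/10", "10.0.0.0/8"]
    for cat, items in plan_routes(sample).items():
        print(cat, items)
```

Only the non-public list needs to be typed into the screen; the public entries already follow the default route or the outbound gateways, and the invalid and unroutable entries would not take effect as routes.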
By default, during the F5 SSL Orchestrator deployment process, the system database value for Traffic Management Microkernel (TMM) fast forward is automatically disabled (set to false) so that client connections are not disconnected prematurely. To ensure your F5 SSL Orchestrator deployment works properly, make sure the system database value for TMM fast forward remains disabled throughout the deployment. If you are not using F5 SSL Orchestrator and need TMM fast forward enabled, you must change the system database value manually.
Using HA Status utility
SSL Orchestrator provides a built-in high availability (HA) status utility to help diagnose HA communication issues. The HA-Status screen provides detailed information on the status of your HA devices, with warning and error messages indicating issues with your system status, HA network status, and device groups, and options on how to fix them. From the SSL Orchestrator home screen, select the HA-Status icon at the top right to open the High Availability screen. This presents a screen (on both devices) that displays the status of the various communication states.
- System Status: Review the status for each System Status item. If there are no errors, the status displays a Good result. If there is a System Status error, the status displays a Bad result. Review the error message and select Fix Issue Manually to address the configuration errors.
- HA Network Status: Review the HA Status. If there are no errors, the status displays a Good result. If there is an error, the status displays a Bad result. Review the configuration error message to address the issue.
- Device Groups: Review the status for all Device Groups listed based on Management IP, Config Sync IP, Failover State, Self Device, and Version information.
The HA-Status screen and its details can be used during your HA installation and upgrade to check the health of your HA devices.
Refer to the Troubleshooting SSL Orchestrator High Availability Issues link for more information.
Using SSL Orchestrator Dashboard
The SSL Orchestrator Dashboard provides various methods to review and analyze the status and trends of your SSL Orchestrator environment and systems. Each tile has customizable features based on reporting time ranges.
- Overall Status: When you first click the Dashboard tab, each dashboard tile renders data for one day by default if Application Visibility and Reporting (AVR) is provisioned. Using the Overall Status tile, you can view the overall configuration status of your SSL Orchestrator Services and Topologies. You can refresh the displayed dashboard tiles and change the reporting time range from the top right of the menu panel (Change Time Range). The available reporting time ranges are Last hour, Last 4 hours, Last day, Last week, Last month, Last year, Year to date, or All. The default is Last day. You can also click the Refresh icon (double arrows) to refresh the available tiles. If you have not provisioned the AVR module, you can view only the CPU Usage and Memory Usage overall statistics tiles; when provisioned AVR is not detected, a message appears with a link to provision it.
- CPU Usage: From the tile header icon you can select to view either the Control Plane, Data Plane, or Analysis Plane details in a dial graph showing high (red), medium (yellow), or low (green) CPU usage and the respective percentage. Click the tile header icon to select your specific view.
- Memory Usage: From the tile header icon you can select to view the percentage of memory used by TMM, Other, or Total. Click the tile header icon to select your specific view.
- SSL Decryption Status: You can view the SSL decryption status of your SSL Orchestrator configuration as the amount of SSL traffic that is Decrypted, Not Decrypted, or Plain Text in a single graph. Hover over the graph for specific status information. Click the interactive legend to customize the chart details.
- Top 10 URL Categories: From the tile header icon you can select to view either the Allowed, Blocked, or Combined top 10 URL and miscellaneous categories in a bar graph (Combined shows both allowed and blocked details). Click the tile header icon to select your specific view. By default, the URL Category tile displays a combined stacked chart. The Allowed option includes bypassed traffic. Hover over the bars to display the specific URL category, whether it is allowed (green) or blocked (red), and its value. Click the interactive legend to customize the chart details.
- Cipher Version/Name: You can view your Client Cipher Version, Name, Value, and Percent and your Server Cipher Version, Name, Value, and Percent in two clickable pie charts that provide hit-count analytics per cipher version segment (each segment is color coded, with a legend that associates the colors with the cipher details). Click the interactive legend to customize the chart details.
- Throughput Averages: You can select either the Client In-Client Out/Server In-Server Out or the Client In-Server Out/Server In-Client Out line chart from Display Options to view the average throughput statistics for your SSL Orchestrator configuration. Click the tile header icon to select your specific view. Hover over the line charts to display client-bytes-in and client-bytes-out, or server-bytes-in and server-bytes-out, with their dates. Click the interactive legend to customize the chart details.