Manual Chapter : Interception Rules

Applies To:

F5 SSL Orchestrator

  • 17.1.0

  • The Interception Rule defines the more specific ingress properties of the topology. On the Interception Rule screen, you can set up both outbound and inbound scenarios.
    • Outbound Topology Scenarios: F5 recommends using the SSL Orchestrator default outbound interception rule settings, which allow you to:
      • Define your outbound proxy scheme settings to support either Transparent or Explicit proxy modes.
      • Simplify your security settings by creating both SSL and Per-Request Policy settings with pre-defined configurations for your outbound rule.
      • Simplify your ingress network VLAN settings with pre-defined configuration for your outbound rule.
    • Inbound Topology Scenarios: You can use the inbound interception rules to create inbound (reverse proxy) listeners. For example, you can set up a gateway where SSL Orchestrator sits in front of your applications (or a separate ADC to do inspections) where a wildcard or SAN certificate is used to decrypt traffic.
      Your inbound interception rules can also optionally be configured (through advanced properties) to service individual applications.
    Using Protocol Settings, you can specify multiple client-side and server-side SSL profiles for managing SSL traffic. Before version 9.1, SSL Orchestrator generated SSL profiles for Verified Handshake True (vht) and Verified Handshake False (vhf) with the suffixes -vht and -vhf in the file names.
    Starting with version 9.1, for upgraded and newly created configurations, SSL Orchestrator generates a single pair of SSL profiles that do not have a vhf/vht suffix. For an upgraded configuration to retain the configurations generated before the upgrade, copies of all the Client and Server SSL profiles that are in use are generated with the suffix. These profile copies are attached to the virtual server but are not managed through SSLO. Hence, if you delete all configurations in SSLO, these profiles will not be deleted. You can select them as desired in the Protocol Settings and attach them to the Interception Rule. By default, Verified Handshake is enabled for Outbound traffic and disabled for Inbound traffic.