
[F5 SSLO] LAB 1 – Application Access Via Transparent Forward Proxy

The SSLO configuration as a transparent forward proxy has been completed. At this point an internal client should be able to browse out to external (Internet) resources, and decrypted traffic will flow across the security services.

3. Test The Solution

3.1 Server Certificate Review

  • View SSLO access logs
  • Client’s default gateway is 10.1.10.100 (F5 SSLO Self-IP)

Client Access To Google
  • https://www.google.com/
  • URL Category: Search_Engines_and_Portals
  • Matched Policy Rule: All Traffic | Action: Intercepted

Server SSL Certificate Review
Figure 4-1: Google Certificate Review

Traffic Summary

  • APM Access Profile: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile
  • LTM Virtual Server: /Common/sslo_demoL3.app/sslo_demoL3-in-t-4
  • L4 Connection: tcp 10.1.10.50:40204 -> 74.125.130.106:443
  • ClientSSL: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
  • ServerSSL: TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
  • Application: L7 https (www.google.com)
  • decryption-status: decrypted
  • duration: 139350 msec
  • service-path: ssloSC_all_services
  • client-bytes-in: 3921
  • client-bytes-out: 5015
  • server-bytes-in: 8416
  • server-bytes-out: 3916
  • client-tls-handshake: completed
  • server-tls-handshake: completed
  • reset-cause: 'NA'
  • policy-rule: 'All Traffic'
  • url-category: /Common/Search_Engines_and_Portals
  • ingress: /Common/client-vlan
  • egress: /Common/outbound-vlan


SSLO Logs - Traffic Summary
info tmm[27190]: 01c40000:6: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile:Common:555d6c57: /Common/sslo_demoL3.app/sslo_demoL3-in-t-4 Traffic summary - tcp 10.1.10.50:40204 -> 74.125.130.106:443 clientSSL: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 serverSSL: TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 L7 https (www.google.com) decryption-status: decrypted duration: 139350 msec service-path: ssloSC_all_services client-bytes-in: 3921 client-bytes-out: 5015 server-bytes-in: 8416 server-bytes-out: 3916 client-tls-handshake: completed server-tls-handshake: completed reset-cause: 'NA' policy-rule: 'All Traffic' url-category: /Common/Search_Engines_and_Portals ingress: /Common/client-vlan egress: /Common/outbound-vlan

Full logs



Client Access To WHO
  • https://www.who.int/
  • URL Category: Health_and_Medicine
  • Matched Policy Rule: urlf_bypass | Action: Intercepted

Server SSL Certificate Review
Figure 4-2: WHO Certificate Review

Traffic Summary

  • APM Access Profile: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile
  • LTM Virtual Server: /Common/sslo_demoL3.app/sslo_demoL3-in-t-4
  • L4 Connection: tcp 10.1.10.50:33648 -> 104.18.156.21:443
  • ClientSSL: NA NA
  • ServerSSL: NA NA
  • Application: L7 https (www.who.int)
  • decryption-status: not-decrypted
  • duration: 302464 msec
  • service-path: ssloSC_L2_services
  • client-bytes-in: 3514
  • client-bytes-out: 19919
  • server-bytes-in: 2814
  • server-bytes-out: 601
  • client-tls-handshake: bypassed
  • server-tls-handshake: completed
  • reset-cause: 'connector abort by cs service'
  • policy-rule: 'urlf_bypass'
  • url-category: /Common/Health_and_Medicine
  • ingress: /Common/client-vlan
  • egress: /Common/NA


SSLO Logs - Traffic Summary
info tmm1[27190]: 01c40000:6: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile:Common:3325642a: /Common/sslo_demoL3.app/sslo_demoL3-in-t-4 Traffic summary - tcp 10.1.10.50:33648 -> 104.18.156.21:443 clientSSL: NA NA serverSSL: NA NA L7 https www.who.int) decryption-status: not-decrypted duration: 302464 msec service-path: ssloSC_L2_services client-bytes-in: 3514 client-bytes-out: 19919 server-bytes-in: 2814 server-bytes-out: 601 client-tls-handshake: bypassed server-tls-handshake: completed reset-cause: 'connector abort by cs service' policy-rule: 'urlf_bypass' url-category: /Common/Health_and_Medicine ingress: /Common/client-vlan egress: NA

Full logs
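
The two Traffic summary lines above carry everything needed to verify a flow without opening the GUI. The parser below is an added example, not part of the lab or of F5's tooling: it infers the field layout from the two lines on this page (including the missing "(" before www.who.int), turns each line into a dict, and applies review rules that are my own assumptions (decrypted flows must have both handshakes completed on TLS 1.2 or 1.3; non-decrypted flows and any reset-cause other than NA are surfaced so they can be reconciled against the intended policy action).

```python
"""Parse F5 SSL Orchestrator 'Traffic summary' lines from /var/log/apm and
flag flows a reviewer would want to look at (added example, assumptions noted)."""
import re

# The head of the line has fixed positions; the tail is free-form "key: value" pairs.
# search() is used so a real syslog prefix (date, host) before "info tmm" is tolerated.
HEAD_RE = re.compile(
    r"tmm(?P<tmm>\d*)\[\d+\]: (?P<msgid>[0-9a-f]+:\d+): "
    r"(?P<profile>\S+?):Common:(?P<session>[0-9a-f]+): (?P<vs>\S+) Traffic summary - "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"clientSSL: (?P<c_ver>\S+) (?P<c_cipher>\S+) serverSSL: (?P<s_ver>\S+) (?P<s_cipher>\S+) "
    r"L7 (?P<app>\w+) \(?(?P<host>[^)\s]+)\)? (?P<rest>.*)$"   # "(" is optional: see the WHO line
)
KV_RE = re.compile(r"([\w-]+): ('[^']*'|\S+)")   # quoted values may contain spaces
INT_FIELDS = ("duration", "client-bytes-in", "client-bytes-out",
              "server-bytes-in", "server-bytes-out")
OK_TLS = {"TLSv1.2", "TLSv1.3"}   # assumption: anything older is worth a finding

# The two Traffic summary lines from this lab (copied from the page).
GOOGLE_LINE = ("info tmm[27190]: 01c40000:6: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile:Common:555d6c57: "
               "/Common/sslo_demoL3.app/sslo_demoL3-in-t-4 Traffic summary - tcp 10.1.10.50:40204 -> 74.125.130.106:443 "
               "clientSSL: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 serverSSL: TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 "
               "L7 https (www.google.com) decryption-status: decrypted duration: 139350 msec service-path: ssloSC_all_services "
               "client-bytes-in: 3921 client-bytes-out: 5015 server-bytes-in: 8416 server-bytes-out: 3916 "
               "client-tls-handshake: completed server-tls-handshake: completed reset-cause: 'NA' policy-rule: 'All Traffic' "
               "url-category: /Common/Search_Engines_and_Portals ingress: /Common/client-vlan egress: /Common/outbound-vlan")
WHO_LINE = ("info tmm1[27190]: 01c40000:6: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile:Common:3325642a: "
            "/Common/sslo_demoL3.app/sslo_demoL3-in-t-4 Traffic summary - tcp 10.1.10.50:33648 -> 104.18.156.21:443 "
            "clientSSL: NA NA serverSSL: NA NA L7 https www.who.int) decryption-status: not-decrypted duration: 302464 msec "
            "service-path: ssloSC_L2_services client-bytes-in: 3514 client-bytes-out: 19919 server-bytes-in: 2814 "
            "server-bytes-out: 601 client-tls-handshake: bypassed server-tls-handshake: completed "
            "reset-cause: 'connector abort by cs service' policy-rule: 'urlf_bypass' url-category: /Common/Health_and_Medicine "
            "ingress: /Common/client-vlan egress: NA")

def parse_traffic_summary(line):
    """Return a dict of fields, or None if the line is not a Traffic summary."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, val in KV_RE.findall(rec.pop("rest")):
        rec[key] = val.strip("'")          # 'NA' -> NA, 'All Traffic' -> All Traffic
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])       # "duration: 139350 msec" keeps the number only
    return rec

def review_flow(rec):
    """Findings a reviewer would reconcile against the policy rule that matched."""
    findings = []
    if rec.get("decryption-status") == "decrypted":
        if {rec["client-tls-handshake"], rec["server-tls-handshake"]} != {"completed"}:
            findings.append("decrypted flow but a TLS handshake did not complete")
        if rec["c_ver"] not in OK_TLS or rec["s_ver"] not in OK_TLS:
            findings.append(f"legacy TLS version: client {rec['c_ver']}, server {rec['s_ver']}")
    else:
        findings.append(f"TLS not inspected: rule {rec['policy-rule']!r} sent it down {rec['service-path']}")
    if rec.get("reset-cause", "NA") != "NA":
        findings.append("reset-cause: " + rec["reset-cause"])
    return findings

if __name__ == "__main__":
    for line in (GOOGLE_LINE, WHO_LINE):
        rec = parse_traffic_summary(line)
        print(rec["session"], rec["host"], rec["decryption-status"], review_flow(rec))
```

Run it over a saved copy of /var/log/apm with the same two functions and the WHO flow shows up immediately: the log says not-decrypted and bypassed, which is what the reviewer has to reconcile with the rule's intended action.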





3.2 Traffic TCPdump Review

  • The routing from Client to Internet is via F5 SSLO
    • Client’s default gateway is 10.1.10.100 (F5 SSLO Self-IP)
  • View SSLO access logs
    • Log Settings > SSL Orchestrator Generic: Information
    • tail -f /var/log/apm

Client Access To Google
  • https://www.google.com/
  • URL Category: Search_Engines_and_Portals
  • Matched Policy Rule: All Traffic | Action: Intercepted

1. Client sends HTTP_Request through the F5 SSLO VS (via client-vlan)
Figure 4-1: Packet Capture Review

2. F5 SSLO sends HTTP_Request to ssloS_Proxy (via Proxy_in)
Figure 4-1: Packet Capture Review

3. ssloS_Proxy sends HTTP_Request to F5 SSLO (via Proxy_out)
Figure 4-1: Packet Capture Review

4. F5 SSLO sends ICAP REQMOD for HTTP_Request to ssloS_DLP (via dlp-vlan)
Figure 4-1: Packet Capture Review

5. F5 SSLO sends HTTP_Request to ssloS_TAP (via TAP_in)
Figure 4-1: Packet Capture Review

6. F5 SSLO sends HTTP_Request to ssloS_FEYE (via FEYE_in)
Figure 4-1: Packet Capture Review

7. ssloS_FEYE sends HTTP_Request to F5 SSLO (via FEYE_out)
Figure 4-1: Packet Capture Review

8. F5 SSLO sends HTTP_Request to ssloS_IPS (via IPS_in)
Figure 4-1: Packet Capture Review

9. ssloS_IPS sends HTTP_Request to F5 SSLO (via IPS_out)
Figure 4-1: Packet Capture Review

10. F5 SSLO sends HTTP_Request to the Internet (via outbound-vlan)
Figure 4-1: Packet Capture Review

11. F5 SSLO receives HTTP_Response from the Internet (via outbound-vlan)
Figure 4-1: Packet Capture Review

12. ssloS_IPS sends HTTP_Response to F5 SSLO (via IPS_out)
Figure 4-1: Packet Capture Review

13. F5 SSLO sends HTTP_Response to ssloS_IPS (via IPS_in)
Figure 4-1: Packet Capture Review

14. ssloS_FEYE sends HTTP_Response to F5 SSLO (via FEYE_out)
Figure 4-1: Packet Capture Review

15. F5 SSLO sends HTTP_Response to ssloS_FEYE (via FEYE_in)
Figure 4-1: Packet Capture Review

16. F5 SSLO sends HTTP_Response to ssloS_TAP (via TAP_in)
Figure 4-1: Packet Capture Review

17. F5 SSLO sends ICAP RESPMOD for HTTP_Response to ssloS_DLP (via dlp_vlan)
Figure 4-1: Packet Capture Review

18. F5 SSLO sends HTTP_Response to ssloS_Proxy (via Proxy_out)
Figure 4-1: Packet Capture Review

19. ssloS_Proxy sends HTTP_Response to F5 SSLO (via Proxy_in)
Figure 4-1: Packet Capture Review

20. F5 SSLO sends HTTP_Response to Client (via client-vlan)
Figure 4-1: Packet Capture Review

SSLO Logs - Traffic Summary
info tmm[27190]: 01c40000:6: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile:Common:555d6c57: /Common/sslo_demoL3.app/sslo_demoL3-in-t-4 Traffic summary - tcp 10.1.10.50:40204 -> 74.125.130.106:443 clientSSL: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 serverSSL: TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 L7 https (www.google.com) decryption-status: decrypted duration: 139350 msec service-path: ssloSC_all_services client-bytes-in: 3921 client-bytes-out: 5015 server-bytes-in: 8416 server-bytes-out: 3916 client-tls-handshake: completed server-tls-handshake: completed reset-cause: 'NA' policy-rule: 'All Traffic' url-category: /Common/Search_Engines_and_Portals ingress: /Common/client-vlan egress: /Common/outbound-vlan

Full logs








Supplemental Links

  • None
