
F5 SSL Orchestrator Training Lab

Welcome

Welcome to F5’s SSL Orchestration Training series. The intended audience for these labs is security engineers who want to leverage the SSL Orchestration tools offered by the F5 platform and gain regulatory visibility into the encrypted traffic on their networks. If you require a pre-built lab environment, please contact your F5 account team; they can provide access to environments on an as-needed basis.

The content contained here adheres to a DevOps methodology and automation pipeline. All of it is sourced from the following GitHub repository:

https://github.com/f5devcentral/f5-agility-labs-sslviz

Bugs and Requests for enhancements are handled in two ways:

Class 1: SSL Orchestration

F5 SSL Orchestrator provides high-performance decryption of inbound and outbound SSL/TLS traffic, enabling security inspection to expose threats and stop attacks. Dynamic service chaining and policy-based traffic steering allow organizations to intelligently manage encrypted traffic flows across the entire security chain with optimal availability.

SSL Orchestrator ensures encrypted traffic can be decrypted, inspected by security controls, then re-encrypted, delivering enhanced visibility to mitigate threats traversing the network. As a result, organizations maximize their security services investment for malware, data loss prevention (DLP), ransomware, and next-generation firewalls (NGFW), thereby preventing inbound and outbound threats, including exploitation, callback, and data exfiltration.

This class covers the following topics:

  • SSLO Deployment Settings
  • Security Services Creation
  • Classification and Interception Rules
  • Outbound and Inbound Use cases

Expected time to complete: 4 hours

To continue please review the information about the Lab Environment.

Lab Topology

The credentials used to access the resources are:

Environment     Username   Password
Windows (RDP)   student    agility
Ubuntu          student    agility
BIG-IP SSH      root       F5agility!2
BIG-IP GUI      admin      F5agility!2

And the networking information is as follows:

VLAN           Interface (tag)   Self-IP
client-net     1.1               10.20.0.100
HTTP_in        1.3 (110)         SSLO managed
HTTP_out       1.3 (120)         SSLO managed
ICAP           admin             10.70.0.10
L2_in          1.6               SSLO managed
L2_out         1.7               SSLO managed
L3_in          1.3 (50)          SSLO managed
L3_out         1.3 (60)          SSLO managed
Tap            1.4               SSLO managed
outbound-net   1.2               10.30.0.100

Module 1: Outbound SSLO

In this module we will learn the basic concepts required to deploy Outbound SSLO and walk through creating services and interception rules. Note that this module focuses on demonstrating an Outbound SSLO deployment.

The labs below follow the SSLO configuration workflow shown in the lab’s diagram: deployment settings first, then the services, then the interception rules.

Lab 1.1: Deployment Settings

Task 1 - Create Outbound SSLO Deployment

In this lab, we will explore the settings required to deploy Outbound SSLO. First, we will cover the General Properties of the deployment. We will then configure the Egress, DNS, and Logging settings.

Note

This guide may require you to Copy/Paste information from the guide to your jumphost. To make this easier you can open a copy of the guide by using the Lab Guide bookmark in Firefox.

  1. Open Firefox and navigate to the following bookmark: f5 BIG-IP. Bypass any SSL errors that appear and ensure you see the login screen.

Warning

We are using a self-signed certificate in this lab. In your environment you must make sure that you use certificates issued by your certificate authority for both production and lab equipment. Not doing so would make it possible for an attacker to perform a man-in-the-middle attack and steal passwords and tokens.

  2. Authenticate to the interface using the default credentials as defined in the lab topology.

  3. Navigate to SSL Orchestrator ‣ Deployment ‣ Deployment Settings and click the button indicated in the lab screenshot.

  4. In General Properties change the Deployment Name to sslo_agility_lab.

  5. In the Egress Configuration section set the following:

    1. Manage SNAT Settings –> Auto Map
    2. Gateways –> Specific gateways
    3. Add IPv4 gateway address 10.30.0.1

  6. Leave the DNS settings at their defaults.

  7. Change Logging level –> Debug.

    Note

    The Debug log level should not be used in production unless recommended by F5 Support.

This completes the Deployment Settings setup. Review your settings and click Finished.

Note

The Strict Updates option protects against accidental changes to an application service’s configuration. The Strict Updates setting is checked by default.

Unless you have a specific reason to turn off strict updates, F5 recommends that you leave the setting enabled.

Lab 1.2: HTTP Service

Task 1 - Create SSLO HTTP Service

A service is a collection of security devices that will receive decrypted traffic from the SSLO solution. In this section, the HTTP Service will be created. An HTTP Service would typically be a Secure Web Proxy. The proxy can be explicit or transparent.

  1. Log in to the BIG-IP with Firefox.

  2. Navigate to SSL Orchestrator ‣ Deployment ‣ Deployment Settings and click the button indicated in the lab screenshot.

  3. On the menu across the top of the main window pane, navigate to Services ‣ HTTP Services and click the button indicated in the lab screenshot.

  4. Click Create on the far right.

  5. Enter the following information:

    Property             Value
    Name                 ssloS_HTTP_service
    Proxy Type           Explicit
    To Service VLAN      ssloN_HTTP_in.app/ssloN_HTTP_in
    Node –> IP Address   198.19.96.66 (click Add)
    From Service VLAN    ssloN_HTTP_out.app/ssloN_HTTP_out

    Note

    For To Service VLAN and From Service VLAN, use the drop-down menu to select the correct value.

  6. Once your settings match the table above, click Finish.

Lab 1.3: ICAP Service

Task 1 - Create SSLO ICAP Service

A Service is a collection of security devices that will receive decrypted traffic from the SSLO solution. In this section, an ICAP Service will be created. An ICAP Service would typically be an Anti-Virus or DLP solution. It is important to have the correct Request and Response URIs for the solution and the appropriate Preview Max Length.

  1. Log in to the BIG-IP with Firefox.

  2. Navigate to SSL Orchestrator ‣ Deployment ‣ Deployment Settings and click the button indicated in the lab screenshot.

  3. On the menu across the top of the main window pane, navigate to Services ‣ ICAP Services and click the button indicated in the lab screenshot.

  4. Click Create on the far right.

  5. Enter the following values:

    Property                     Value
    Name                         ssloS_ICAP_service
    ICAP Devices –> IP Address   10.70.0.10 (click Add)
    Request                      Replace /req with /squidclamav
    Response                     Replace /res with /squidclamav
    Preview Max Length           1048576

  6. Once your settings match the table above, click Finish.
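Before committing the Request/Response URI and Preview Max Length above, it is worth confirming from the Ubuntu jumphost that the ICAP server actually answers on /squidclamav and seeing which methods and preview size it advertises. The following is an added example, not part of the F5 lab: it sends an RFC 3507 OPTIONS request to the lab’s ICAP device; the 1344 port and the sample response used in its checks are assumptions.

```python
import socket

# Values from the ICAP Service table above. Port 1344 (the ICAP default)
# and the sample response in the accompanying checks are assumptions.
ICAP_HOST = "10.70.0.10"
ICAP_PORT = 1344
SERVICE_PATH = "/squidclamav"
PREVIEW_MAX_LENGTH = 1048576

def build_options_request(host, port, path):
    """Build an RFC 3507 OPTIONS request for one ICAP service path."""
    return (
        f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: sslo-lab-icap-probe\r\n"
        "Encapsulated: null-body=0\r\n\r\n"
    ).encode("ascii")

def parse_icap_response(raw):
    """Return (status_code, headers) from the ICAP status line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status_line, *header_lines = head.split("\r\n")
    version, code, *_ = status_line.split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def check_service(status, headers, preview_max=PREVIEW_MAX_LENGTH):
    """Findings that map onto the SSLO ICAP Service fields."""
    findings = []
    if status != 200:
        findings.append(f"ICAP status {status}: check the Request/Response URI")
    methods = {m.strip() for m in headers.get("methods", "").split(",")}
    for needed in ("REQMOD", "RESPMOD"):
        if status == 200 and needed not in methods:
            findings.append(f"server does not advertise {needed}")
    preview = headers.get("preview")
    if preview is not None and int(preview) > preview_max:
        findings.append(f"server preview {preview} exceeds Preview Max Length {preview_max}")
    return findings

def probe(host=ICAP_HOST, port=ICAP_PORT, path=SERVICE_PATH):
    """Send OPTIONS over TCP and return (status, headers, findings)."""
    raw = b""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_options_request(host, port, path))
        while b"\r\n\r\n" not in raw and (chunk := sock.recv(4096)):
            raw += chunk
    status, headers = parse_icap_response(raw)
    return status, headers, check_service(status, headers)
```

Run probe() from the jumphost; an empty findings list means the path answered 200, advertises both REQMOD and RESPMOD, and asks for a preview no larger than the configured maximum.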

Lab 1.4: L2 Service

Task 1 - Create SSLO L2 Service

A Service is a collection of security devices that will receive decrypted traffic from the SSLO solution. In this section an L2 Service will be created. An L2 Service could be an IDS/IPS or DLP solution. Some refer to this as a “Bump in the Wire.”

  1. Log in to the BIG-IP with Firefox.

  2. Navigate to SSL Orchestrator ‣ Deployment ‣ Deployment Settings and click the button indicated in the lab screenshot.

  3. On the menu across the top of the main window pane, navigate to Services ‣ L2 Services and click the button indicated in the lab screenshot.

  4. Click Create on the far right.

  5. Enter the following values:

    Property                   Value
    Name                       ssloS_L2_service
    Paths –> From BIGIP VLAN   ssloN_L2_in.app/ssloN_L2_in
    Paths –> To BIGIP VLAN     ssloN_L2_out.app/ssloN_L2_out (click Add)

  6. Once your settings match the table above, click Finished.

Lab 1.5: L3 Service

Task 1 - Create SSLO L3 Service

A Service is a collection of security devices that will receive decrypted traffic from the SSLO solution. In this section, an L3 Service will be created. An L3 Service would typically be an IDS/IPS, DLP, or Next-Gen Firewall (NGFW).

  1. Log in to the BIG-IP with Firefox.

  2. Navigate to SSL Orchestrator ‣ Deployment ‣ Deployment Settings and click the button indicated in the lab screenshot.

  3. On the menu across the top of the main window pane, navigate to Services ‣ L3 Services and click the button indicated in the lab screenshot.

  4. Click Create on the far right.

  5. Enter the following values:

    Property             Value
    Name                 ssloS_L3_service
    To Service VLAN      ssloN_L3_in.app/ssloN_L3_in
    Node –> IP Address   198.19.64.64 (click Add)
    From Service VLAN    ssloN_L3_out.app/ssloN_L3_out

    Note

    For To Service VLAN and From Service VLAN, use the drop-down menu to select the correct value.

  6. Once your settings match the table above, click Finished.

Lab 1.6: TAP Service

Task 1 - Create SSLO TAP Service

A Service is a collection of security devices that will receive decrypted traffic from the SSLO solution. In this section, a TAP Service will be created. A TAP Service would typically be an IDS/IPS.

  1. Log in to the BIG-IP with Firefox.

  2. Navigate to SSL Orchestrator ‣ Deployment ‣ Deployment Settings and click the button indicated in the lab screenshot.

  3. On the menu across the top of the main window pane, navigate to Services ‣ TAP Services and click the button indicated in the lab screenshot.

  4. Click Create on the far right.

  5. Enter the following values:

    Property      Value
    Name          ssloS_TAP_service
    MAC Address   2c:c2:60:22:e4:23
    VLAN          ssloN_TAP_in.app/ssloN_TAP_in
    Interface     1.4

    Note

    For VLAN, use the drop-down menu to select the correct value.

  6. Once your settings match the table above, click Finished.

Lab 1.7: Outbound Interception Rules

Task 1 - Interception Rules
  1. Log in to the BIG-IP with Firefox.

  2. Navigate to SSL Orchestrator ‣ Deployment ‣ Interception Rules and click the button indicated in the lab screenshot.

  3. Click Install Default Rules…

  4. Under Proxy Settings, configure these options:

    Property              Value
    Proxy Scheme          Transparent and Explicit
    Proxy Server : Port   10.20.0.150 : 3128

  5. Under Security ‣ SSL, select Create New. This will redirect to a separate page for configuring SSL settings.

  6. Name the configuration ssloT_ob_ssl.

  7. In the Client section, for Certificate Key Chains, select default.crt and default.key, and then click Add.

  8. Under CA Certificate Key Chains, select subca.f5demolabs.com.cer and subca.f5demolabs.com.key, and then click Add.

  9. In the Server section, select ca-bundle.crt for Trusted Certificate Authority. Leave all other settings at the defaults. Click Finished.

  10. The screen should have returned to the original Install Default Rules page. Under the Security section, from the Per Request Policy drop-down select Create New.

  11. Name the policy ssloP_ob_pol.

  12. Under TCP Service Chain, add and order the available services in both the Intercept Chain and the Non Intercept Chain.

  13. Repeat step 12 for the UDP Service Chain.

  14. Click Finish.

  15. Under Ingress Network ‣ VLANs, choose /Common/client-net from the Available VLANs and add it to the Selected section.

  16. Click Finish.

Lab 1.8: Testing

In order to test the configuration, we will open an HTTPS website and observe plain text traffic within the inspection zone.

Task 1 - Issuing Requests
  1. Open a remote desktop (RDP) session to the Windows 7 Outbound Client and log in with the credentials referenced in the lab topology.

  2. Open a web browser and navigate to some HTTPS URLs.

  3. Observe the re-signed certificate (pay attention to the Issued By line).

  4. SSH into the Layer 3 Security device with the credentials in the topology. Run a tcpdump with the following parameters:

    sudo tcpdump -i eth5.60 -X

    Observe the plain text HTTP traffic.

Module 2: Inbound SSLO

In this lab, we will explore the settings required to deploy Inbound SSLO. We will be deploying SSLO in Transparent Proxy mode. This single rule will provide visibility for all SSL sites behind the SSLO solution.

Lab 2.1: Inbound Interception Rules

Task 1 - Create a new Interception Rule
  1. Navigate to SSL Orchestrator ‣ Deployment ‣ Interception Rules.

  2. In the top right-hand corner, click Create Inbound Rule…

Task 2 - Create Wildcard Listener

In this step we will create a listener to intercept all inbound HTTPS traffic. After the configuration steps, this will be saved as a wildcard virtual server listening on port 443.

  1. Under the General Properties section, configure the following values:

    Property                   Value
    Name                       ssl_inbound_listener
    Destination Address/Mask   0.0.0.0/0
    Service Port               443

  2. Under the Security Policy section, select Create New.

    The configuration GUI will redirect to the SSL settings configuration page.

  3. In the General Settings section of the Security Policy, set the name to ssloT_inbound_ssl.

    Note

    For Inbound configurations the Forward Proxy option should be disabled.

  4. Under the Client-side SSL section, choose wildcard.f5demolabs.com.crt and wildcard.f5demolabs.com.key from the respective drop-down menus and click Add.

  5. Under the Server-side SSL section, configure the following values:

    Property                                 Value
    Expired Certificate Response Control     ignore
    Untrusted Certificate Response Control   ignore

    Note

    With both controls set to ignore, the BIG-IP accepts back-end server certificates that are expired or chain to an untrusted CA, so the server-side handshake performs no trust check in this lab.

  6. Review the settings and click Finished. This will redirect back to the original Inbound Listener configuration screen.

Task 3 - Configure VLAN Settings

In this step, we will define the VLAN on which our listener will accept connections.

Note

Since we are configuring only for inbound traffic, it is important that the wildcard listener only accept connections on the incoming interface. In this case, the VLAN labeled outbound.

  1. In the VLANs section, choose the /Common/outbound VLAN from the Available list and click the left arrow to move it into Selected.

  2. Under the Security Policy section, configure these values:

    Property             Value
    L7 Profile Type      HTTP
    L7 Profile           /Common/http
    Access Profile       /Common/ssloP_outbound_ssl.app/ssloP_outbound_ssl_accessProfile
    Per Request Policy   Create New

  3. Once redirected to the New Inbound Rule configuration:

    1. Create a name for the rule.
    2. Add the ICAP, TAP, and L2 services to the Intercept Chain section.
    3. Repeat step 2 for the Non Intercept Chain.
    4. Click Finished.

  4. Verify the settings under Security Policy.

  5. Click Finish.

Lab 2.2: Testing

  1. Open an RDP session to the Inbound Win7 Client and log in using the documented credentials.

  2. Launch Firefox and expand the Inbound Testing bookmarks.

  3. Use SSH or the console to connect to the Layer 2 Security device and log in using the documented credentials.

  4. Choose one of the Test websites and open the page.

  5. Run a tcpdump with the following parameters:

    sudo tcpdump -i eth5.60 -X

    Refresh the web page in the browser and observe the plain text HTTP traffic in the Layer 2 Security device console.

Module 3: Service Policies

In this lab, we will review and modify the Service Policies that are created by the Inbound and Outbound SSLO templates. Service Policies provide the classification that drives dynamic service chaining.

Lab 3.1: Reviewing the Policies

Task 1 - View the Per-Request Policies
  1. Log in to the BIG-IP with Firefox.

  2. Navigate to SSL Orchestrator ‣ Policies ‣ Access Per-Request Policies.

  3. Click the plus sign next to Show all for the ssloP_outbound_ssl row.

  4. Select the ssloP_outbound_ssl_prpTcp Per-Request policy.

  5. Review the general flow from categorization through the Intercept policy to the Service Chain.

  6. Expand the Macro: Categorization macro by clicking on Categorization in the boxed area or the plus symbol in the macro section.

  7. Explore the SSL Check advanced Action Properties.

  8. Expand the SSL Intercept Policy macro. Notice that the Not Intercepted and Intercepted terminal endings differ based on the category and the interception setting.

  9. Explore the Category Branching Action Property.

  10. Expand the macros Service Chain Intercepted and Service Chain Not Intercepted.

  11. Explore the Action Properties in the Service Chains and notice the Connector Profiles.

Task 2 - Modify the Intercept Policy
  1. Expand the macro SSL Intercept Policy and click the Intercepted terminal ending.

  2. Select the Not Intercepted radio button, then Save.

    Note

    Now all traffic is bypassed and therefore not decrypted.

  3. Repeat the test from Lab 1.8 and notice that traffic is no longer decrypted: this change causes all traffic to bypass the inspection zone.

  4. Undo the change by setting the terminal ending back to Intercepted and repeat the test.
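Both the Issued By check from Lab 1.8 and the bypass test in Task 2 above can be run from the client instead of by eye. The following is an added example, not part of the F5 lab: it trusts only the SSLO signing CA (subca.f5demolabs.com from Lab 1.7), so a successful handshake proves the leaf certificate was re-signed by SSLO, while a verification failure shows the flow was bypassed; the CA file path is an assumption (export the CA certificate from the BIG-IP).

```python
# Added example: trust only the SSLO signing CA, so a clean TLS handshake
# proves the leaf certificate was re-signed by SSLO. The CA file path is
# an assumption (export subca.f5demolabs.com.cer from the BIG-IP).
import socket
import ssl

SSLO_CA_FILE = "/path/to/subca.f5demolabs.com.cer"
SSLO_CA_CN = "subca.f5demolabs.com"

def issuer_cn(peercert):
    """Pull the issuer commonName out of ssl.getpeercert()'s nested tuples."""
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None

def classify(issuer, expected_cn=SSLO_CA_CN):
    """'intercepted' when the leaf was issued by the SSLO CA, else 'bypassed'."""
    return "intercepted" if issuer == expected_cn else "bypassed"

def check_site(host, ca_file=SSLO_CA_FILE, port=443):
    """Connect through SSLO and report whether this site was intercepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    ctx.check_hostname = False  # only the issuer matters for this check
    ctx.load_verify_locations(cafile=ca_file)
    # the subordinate CA is the trust anchor; accept the chain without its root
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN  # Python 3.10+
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(issuer_cn(tls.getpeercert()))
    except ssl.SSLCertVerificationError:
        # the leaf chains to some other CA: this flow bypassed decryption
        return "bypassed"
    except OSError as exc:
        return f"unreachable ({exc})"

if __name__ == "__main__":
    import sys
    # any HTTPS site reachable from the lab client; example.com is a placeholder
    for site in sys.argv[1:] or ["www.example.com"]:
        print(site, check_site(site))
```

With the Intercepted terminal ending in place every site should report intercepted; after the Task 2 change they should all report bypassed, and tcpdump on the Layer 3 device should show no plain text.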

Task 3 - Modify Service Chain
  1. Expand the macro named Service Chain Not Intercepted and remove the HTTP Service node by selecting the X in the corner. The X turns red when you hover over it.

  2. Click the Delete button in the Item delete confirmation dialog box.

  3. View your results.

  4. Add the HTTP Service node back by selecting the plus sign between the TAP and L3 services.

  5. Select the Traffic Management tab, then the Service Connect item, and click Add Item.

  6. Change the Name to HTTP Service, choose the HTTP Service item named /Common/ssloS_HTTP_server.app/ssloS_HTTP_service-t-connector from the Connector Profile drop-down menu, and then click Save at the bottom.