Summary
F5 SSL Orchestrator provides an all-in-one solution designed to optimize SSL infrastructure, provide visibility into SSL/TLS encrypted traffic, and maximize the efficient use of existing security investments. It supports policy-based management and steering of traffic flows to existing security devices, is designed to integrate easily into any architecture, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.
F5 SSL Orchestrator provides a TAP topology to integrate with out-of-band solutions such as Traceable. The TAP topology sends a duplicate copy of all transactions passing through SSL Orchestrator.
High Level SSLO-TAP Mirroring Architecture
Prerequisites
Layer-2 adjacency between F5-SSLO and Traceable-TPA
F5-SSLO’s TAP interface and the Traceable Platform Agent (TPA) must be layer-2 adjacent (in the same VLAN), because SSLO forwards the mirrored packets to the TPA by MAC address. Create the TPA instance in the same VLAN as SSLO’s TAP interface.
Refresh Token
Generate a Refresh Token from the Platform Admin UI; it will be requested in one of the installation steps. The following screenshots show how to generate the Refresh Token.
Copy the generated value somewhere safe for use in the later installation steps.
Installation
Install the Traffic Mirroring Package
- Download and copy the mirroring package from the download site to the TPA VM(s) that will be dedicated to F5 traffic mirroring, in the same network as the F5. The latest version can be downloaded from the following link: https://downloads.traceable.ai/install/traffic-mirroring/linux/latest/traffic-mirroring-amd64.tar.gz
- Untar it:
tar -xf traffic-mirroring-amd64.tar.gz
- Change into the directory of the extracted installation package:
cd traffic-mirroring-amd64
- Run the following command to install the package:
sudo ./bin/install.sh mirror -i <INTERFACE> -e <ENVIRONMENT> -s <SERVICE_NAME> -t --enable-tls-capture --server-port <SERVER_PORT> --no-download
Example:
sudo ./bin/install.sh mirror -i ens192 -e f5-mirroring -s mirroring -t --enable-tls-capture --server-port 8001 --no-download
- Provide the name of the interface (-i) on which the mirrored traffic will arrive.
- The server port (--server-port) must be opened through any firewall in between: the installer runs a TLS server on this port, to which F5 sends the TLS master keys.
- The script will prompt for the refresh token generated earlier.
Note: If the package needs to be removed, the uninstall.sh script can be used:
./bin/uninstall.sh
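The two prerequisites that most often break this integration are the interface name passed to the installer and the MAC address that later has to be typed into the SSLO TAP service form. The following shell helper is an added example, not part of the Traceable package or the F5 documentation: it validates the interface name and server port, composes the documented install command without executing it, reads the TPA interface's MAC address from Linux sysfs for the SSLO form, and, after installation, checks that the TLS server for master keys is listening. It assumes a Linux TPA VM with sysfs and the iproute2 ss tool; the interface, environment and service names are the ones from the example command above.

```shell
#!/bin/sh
# Pre-flight helper for the Traceable traffic-mirroring install on the TPA VM.
# Added example: it only wraps the documented install.sh invocation and reads
# standard Linux sysfs / ss output. Nothing here is part of the vendor package.
set -u

# validate_port PORT: succeed only for an integer in 1..65535.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_iface NAME: reject empty names or names containing '/' or spaces,
# which would otherwise be passed straight through to install.sh.
validate_iface() {
    case "$1" in
        ''|*/*|*' '*) return 1 ;;
    esac
    return 0
}

# build_install_cmd IFACE ENV SERVICE PORT: print the install.sh invocation with
# the same flags as the documented command. The command is printed, not run.
build_install_cmd() {
    validate_iface "$1" || return 1
    validate_port "$4" || return 1
    printf 'sudo ./bin/install.sh mirror -i %s -e %s -s %s -t --enable-tls-capture --server-port %s --no-download\n' \
        "$1" "$2" "$3" "$4"
}

# iface_mac NAME: print the MAC address of a local interface from sysfs.
# This is the value to enter as the TAP service MAC address in the SSLO GUI.
iface_mac() {
    f="/sys/class/net/$1/address"
    [ -r "$f" ] || { echo "interface $1 not found" >&2; return 1; }
    cat "$f"
}

# port_listening PORT: after install, confirm the TLS server that receives the
# master keys from F5 is bound on the chosen port. Exit status 2 means the
# iproute2 'ss' tool is not available on this host.
port_listening() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
}

# Usage when run directly: ./preflight.sh ens192 f5-mirroring mirroring 8001
if [ "$#" -eq 4 ]; then
    cmd=$(build_install_cmd "$@") || { echo "invalid interface or port" >&2; exit 1; }
    echo "MAC for SSLO TAP service: $(iface_mac "$1" || echo unknown)"
    echo "Run: $cmd"
    if port_listening "$4"; then
        echo "port $4 is already listening (installer may have run before)"
    fi
fi
```

Run it once before the installer to get the command and the MAC address, and again afterwards: a successful install leaves port_listening returning 0 for the chosen server port, which is also the port to verify in the firewall between the F5 and the TPA.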
F5-SSLO Configuration for TAP Service
- Log in to the F5 administration GUI. Navigate to SSL Orchestrator > Configuration > Services. Click “Add” to add a new service.
- Scroll to the bottom. Select “Generic TAP”, click “Add” and click “Save & Next”.
- Name the TAP service “TraceableTPA”. Provide the MAC address of the TPA installed in the previous step. Provide the VLAN and select the interface. Hit “Save & Next”.
- Select the service chain to which the TAP service should be added.
- Select the TAP service and move it to the right. Once moved, hit “Save”.
- Confirm the change, hit “Save & Next”, then hit “Deploy”.
- You will see confirmation of the TAP service as shown below.
Congratulations, you have successfully integrated SSLO with Traceable TPA!
References:
F5 SSLO Configuration guide: https://clouddocs.f5.com/sslo-deployment-guide/sslo-08/chapter3/page3.5.html