Overview
In general, mirroring F5 data for monitoring and analysis by Traceable consists of two parts:
- Mirroring the traffic – this can be set up using cloned pools, port mirroring or network TAPs
- Decryption handling in case of encrypted traffic
Encrypted traffic can be decrypted if the master key used by the SSL handshake is known. F5 provides a way to capture master keys using iRules. Other tools such as Wireshark and ssldump also perform decryption when the master keys for the sessions are provided. Traceable uses the same mechanism to decrypt the traffic: an iRule is configured on the F5 to send the master keys to the Traceable agent (more specifically, the Packet Processing Service) in addition to the mirrored traffic.
In this document, we outline the vTAP approach of mirroring encrypted traffic to Traceable for processing.
High Level vTAP Mirroring Architecture
vTAP Packet Processing and Reporting
Prerequisites
Refresh Token
Generate a Refresh Token from the Platform Admin UI; it is used in one of the installation steps. To do this, log in to the UI and go to Administration -> Agent Tokens -> Generate Agent token.
Copy the generated value somewhere to be used in the later steps of the installation.
TPA Load Balancer Setup
If multiple TPAs are load balanced for redundancy and load distribution, the following load balancer settings are required. For F5 mirroring with TLS key exchange, both the TPA and the TLS key capture service components are installed on the same machine.
Note / Assumption: For this use case, the customer requires all traffic to the TPA server to be TLS encrypted. Therefore, the setup requires TLS passthrough on the F5 load balancer. The TLS certificates are installed and managed at the F5 load balancer; the TPA server(s) themselves use a self-signed certificate by default for internal communication between the packet exchange service and the TPA service. To simplify the setup, both the mirrored traffic and the master secret key are sent to the same port, 8001.
IMPORTANT: For TPAs used for F5 mirroring plus key exchange for encrypted traffic, only one TPA can be active at any given time, because the master key exchange must have affinity with the mirrored traffic. Hence the two TPAs should be set up in an Active/Passive HA configuration, where one TPA actively serves traffic while the other waits passively in standby mode.
The following diagram outlines the setup of TPAs provisioned within the same subnet as the F5 load balancers that will be monitored via mirroring and key exchange:
For the TPAs designated for F5 mirror traffic data collection with key exchange, TLS is passed through to the TPA, so the TPA must be set up with the correct TLS certificates for listening on TLS port 8001. Use the following port mapping and health check.
Port Mappings
LB Port | LB Incoming | TPA Port | TPA Incoming | Port Description
------- | ----------- | -------- | ------------ | ---------------------------
8001    | HTTPS       | 8001     | HTTPS        | F5 Mirror with Key Exchange
Health Check
Use a TCP health check against the configured port to determine the health of the TPA.
Installation
Install the Traffic Mirroring Package
Note: This package and its installation options install both the TPA and the TLS key capture service at the same time on the same machine.
- Download and copy the mirroring package from the download site to the TPA VM(s) dedicated to F5 traffic mirroring, in the same network as the F5. The latest version can be downloaded from the following link: https://downloads.traceable.ai/install/traffic-mirroring/linux/latest/traffic-mirroring-amd64.tar.gz. Untar it:
tar -xf traffic-mirroring-amd64.tar.gz
- Change into the directory of the downloaded installation package:
cd traffic-mirroring-amd64
- Run the following command to install the package:
sudo ./bin/install.sh mirror -i <INTERFACE> -e <ENVIRONMENT> -s <SERVICE_NAME> -t --enable-tls-capture --server-port <SERVER_PORT> --no-download
Example:
sudo ./bin/install.sh mirror -i ens192 -e f5-mirroring -s mirroring -t --enable-tls-capture --server-port 8001 --no-download
- Provide the name of the interface on which the mirrored traffic will arrive.
- The server port must be opened through the firewall, if any. On this port we run a TLS server to which the F5 will send the master keys.
- The script will prompt for the refresh token.
To uninstall the package, run:
./bin/uninstall.sh
F5 Configuration of the Key Exchange
- Configure a node named traceable-agent with the IP address of the TPA VM (where the mirroring package was installed above).
- Configure a server pool named traceable-agent-ssl-pool with the node traceable-agent and the port used in the install script (e.g. 8001).
The port number used here must match the one passed to the install script in the Install the Traffic Mirroring Package section; the port used by the cloned pool and the port the iRule sends the session key to must be the same.
- Create a virtual server (TCP only, no HTTP) named traceable-agent-vip with no client-side SSL profile and a server-side SSL (serverssl) profile. Add traceable-agent-ssl-pool as the default pool. You might need to set Source Address Translation to Auto Map.
- Create an iRule named remote-log-keys:
when RULE_INIT {
    # Target for the sideband connection: the virtual server (traceable-agent-vip)
    # that fronts the TPA pool. The connect command accepts a virtual server name.
    set static::tpa_vip_pool "traceable-agent-vip"
}
when CLIENTSSL_HANDSHAKE {
    set conn_status ""
    set send_status ""
    # Open a sideband TCP connection to the TPA (3 s connect timeout, 30 s idle timeout)
    if { [catch { set conn [connect -timeout 3000 -idle 30 -status conn_status $static::tpa_vip_pool] }] } then {
        log local0.debug "error creating connection to $static::tpa_vip_pool $conn_status"
        return
    }
    # One key-log line per handshake, in the CLIENT_RANDOM format Wireshark and ssldump read
    set data "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]\n"
    if { [catch {
        set send_info [send -timeout 3000 -status send_status $conn $data]
        close $conn
    }] } then {
        log local0.debug "error sending data to $static::tpa_vip_pool $send_status"
        close $conn
    }
}
- Add this iRule to the virtual server where TLS termination happens and the mirrored traffic is to be captured (the virtual server configured in the section F5 Configuration of Cloned Pool).
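As an added example (not part of this document or of Traceable's own agent code), the receiving side of the exchange above: a small Python parser for the CLIENT_RANDOM lines the iRule sends to port 8001. It assumes SSL::clientrandom and SSL::sessionsecret arrive hex-encoded (32-byte client random, 48-byte master secret), tolerates a line split across TCP reads, rejects malformed entries, and renders the accepted keys in the SSLKEYLOGFILE format that Wireshark and ssldump read.

```python
"""Receiver-side handling of the CLIENT_RANDOM key lines sent by the remote-log-keys iRule."""
import re
from typing import Dict, List, Tuple

# One entry: "CLIENT_RANDOM <32-byte client random, hex> <48-byte master secret, hex>"
_LINE_RE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")


class KeyLineParser:
    """Accumulates stream fragments and keeps only well-formed key-log entries."""

    def __init__(self) -> None:
        self._buf = ""
        self.keys: Dict[str, str] = {}   # client_random -> master_secret (lowercase hex)
        self.rejected: List[str] = []    # malformed lines, kept for alerting/debugging

    def feed(self, chunk: str) -> List[Tuple[str, str]]:
        """Consume a chunk read from the socket; return entries completed by this chunk.

        A partial trailing line stays buffered until the next chunk supplies its newline.
        """
        self._buf += chunk
        accepted: List[Tuple[str, str]] = []
        while "\n" in self._buf:
            line, self._buf = self._buf.split("\n", 1)
            line = line.strip()
            if not line:
                continue
            match = _LINE_RE.match(line)
            if match is None:
                self.rejected.append(line)      # wrong label, bad hex or wrong length
                continue
            client_random, master_secret = match.group(1).lower(), match.group(2).lower()
            self.keys[client_random] = master_secret
            accepted.append((client_random, master_secret))
        return accepted

    def keylog(self) -> str:
        """Render the accepted keys as an SSLKEYLOGFILE for Wireshark / ssldump."""
        return "".join(f"CLIENT_RANDOM {cr} {ms}\n" for cr, ms in self.keys.items())


def demo() -> KeyLineParser:
    # Constructed sample data (hypothetical values): two valid entries, the second
    # split across two reads, followed by a truncated line that must be rejected.
    cr1, ms1 = "11" * 32, "aa" * 48
    cr2, ms2 = "22" * 32, "bb" * 48
    parser = KeyLineParser()
    parser.feed(f"CLIENT_RANDOM {cr1} {ms1}\nCLIENT_RANDOM {cr2} ")
    parser.feed(f"{ms2}\nCLIENT_RANDOM deadbeef\n")
    return parser
```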
F5 Configuration of Cloned Pool
Follow the directions in the online docs at F5 mirroring > F5 Configuration to configure the cloned pool setting for the virtual server whose traffic should be mirrored. Use the same pool as above (i.e. traceable-agent-ssl-pool) as the Client Side Clone Pool.