SSL Intercept F5
SSL Intercept F5
SSL Intercept F5
Why F5?
SSL Visibility
The proliferation of websites now leveraging SSL (including TLS in this document) encryption to protect users poses a challenge to
security sensor pools in their mission to eliminate malware and attacks for outbound application requests. With the BIG-IP system,
SSL Intercept can be leveraged to provide full visibility into user traffic.
SSL termination is resource-intensive. F5 BIG-IP devices include dedicated hardware processors specializing in SSL/TLS
processing. In both inbound and outbound deployment scenarios, using F5 SSL Intercept solution provides uncompromising
visibility into SSL traffic.
For those with policy and privacy concerns, you can configure the iApp so it does not decrypt requests to sites with sensitive data.
For more information on SSL visibility, see the F5 Lightboard Lesson: SSL Outbound Visibility on DevCentral:
https://devcentral.f5.com/articles/lightboard-lessons-ssl-outbound-visibility-20888
Product Version
iApp Template Version f5.ssl_intercept_svc_chain.v1.5.8 (all users should be on this or a later version)
Deployment guide version 1.2 (see Document Revision History on page 58)
Important: Make sure you are using the most recent version of this deployment guide, available at
http://f5.com/pdf/deployment-guides/f5-ssl-intercept-v1.5-dg.pdf.
All documentation and additional information for this solution can be found at
https://support.f5.com/kb/en-us/products/ssl-orchestrator.html.
To provide feedback on this deployment guide or other F5 solution documents, contact us at solutionsfeedback@f5.com
Contents
Prerequisites and configuration notes 3
How to configure in-line services using the SSL Intercept iApp template 9
Configuring the iApp for receive-only services 11
Preparation worksheet 12
Next Steps 48
Known Issues 55
hh iApp version f5.ssl_intercept_svc_chain.v1.5.8 contains important security improvements over previous versions.
All users should upgrade to this version as soon as possible. See Upgrading an Application Service from previous
version of the iApp template on page 16 for instructions. See https://support.f5.com/csp/article/K53244431 and
https://support.f5.com/csp/article/K23001529 for details.
hh You must have an SSL Intercept license in order to use this functionality. Contact your F5 sales representative for details.
hh W
e strongly recommend you back up the BIG-IP configuration before running the iApp template, as well as before
making any major changes to an existing iApp configuration. See Backing up the BIG-IP configuration before starting the
configuration (or before major changes to the iApp) on page 51 for instructions.
hh B
ecause of the new features and advanced functionality in this version of the iApp template, you cannot upgrade an
existing Application Service based on any f5.ssl_intercept.v1.0.0 or f5.ssl_airgap_egress template to this version. You
must start a new deployment using this template.
hh For this implementation, your Sync-Failover Device Group can only contain two BIG-IP devices for high availability.
hh W
hen configuring high availability for multiple BIG-IP systems in a Sync-Failover Device Group, DO NOT use the Automatic
Sync option. You must manually synchronize the configuration for this implementation. See Synchronizing the BIG-IP
configuration on page 50.
hh Y
ou can only have one instance of this iApp running on a BIG-IP system. You cannot have multiple instances of this iApp
on any BIG-IP device.
hh T
o intercept TLS (SSL) traffic, you must provide a Certificate Authority (CA) PKI certificate and matching private key for
SSL Forward Proxy. Your TLS clients must trust this CA certificate to sign server certificates. You should have installed this
certificate on the system when you ran the Setup Wizard.
If you did not import the CA certificate in the Setup Wizard, you must install your CA certificate before configuring this
iApp. This CA certificate must have the Digital Signature and Certificate Signing key-usage properties. To import
certificates and keys onto the BIG-IP system, see System > File Management > SSL Certificate List. For specific
instructions on importing certificates and keys, see the Help tab or the BIG-IP system documentation on support.f5.com.
hh Y
ou must download and import the SSL Intercept iApp template before you can begin the configuration. Downloading and
importing the SSL Intercept iApp template on page 16.
hh B
e sure to see Understanding Service Chain Classification on page 52 for a flow diagram and detailed explanation
of how the system chooses service chains, including how the match score is calculated, and Dynamic Domain Bypass
information.
hh T
he name you give the iApp template, as well as the names you give to services and service chains are limited to 15
alphanumeric characters, including underscores, and must start with a letter. This message is repeated in the applicable
sections of the iApp walkthrough.
hh W
e strongly recommend using the Preparation Worksheet form (http://f5.com/pdf/deployment-guides/ssl-intercept-
preparation-worksheet.pdf) or the Preparation worksheet on page 12 before starting the iApp to gather a list of IP
addresses, interfaces, tags and so on, you need to complete the iApp.
hh See Terminology used in this solution on page 5 for important definitions of terms used in this guide and the iApp.
hh If you choose the option in this iApp template to use DNSSEC to validate DNS information, the iApp configures the initial
DNSSEC keys (root Trust Anchor and div.isc.org DLV Anchor keys). When the issuer updates (replaces) those keys, you
must use the Reconfigure option on the iApp template, and then click Finished. The iApp automatically retrieves the new
keys. See 6. Do you want to use DNSSEC to validate DNS information? on page 41 for more information.
hh Be sure to see Known Issues on page 57 to review any known issues that exist for this solution.
hh D
eleting the entire iApp configuration is a multi-step process. See Removing or modifying the iApp configuration on page
51 for specific instructions.
hh If you are using the iApp template for logging, before configuring the iApp we strongly recommend you configure the system
to send log messages to one or more external log servers. You can choose to store logs on the BIG-IP device, but this is less
desirable because BIG-IP devices have limited log storage capacity. To control where log messages are sent or stored, you must
configure BIG-IP High Speed Logging features outside of the iApp template. You can then select the Log Publisher object you
create in the iApp template. Configuring external logging is outside the scope of this document; for instructions see: https://
support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html.
hh If you are using the BIG-IP system in a highly available configuration using a Sync-Failover device group (recommended),
you must have configured the cluster before configuring the iApp template. See the BIG-IP documentation for details:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-admin-12-0-0.html.
For this configuration, the Sync-Failover group can only include two BIG-IP devices.
hh If you want to use IP Intelligence and/or URL filtering in this implementation, you just have the appropriate license(s) on the
BIG-IP system. Contact your F5 Sales representative for specific information. Both of these options are selectable in the TCP
Service Chain Classifier rule section TCP Service Chain Classifier Rules on page 34 and IP Intelligence is also available
in the optional UDP Service Chain Classifier Rules on page 37 section. If you are deploying optional URL filtering, we
strongly recommend updating the URL database before running the iApp template, see Optional URL filtering on page 56.
hh The Service Chain Classification Previewer is an Early Access feature and may change or not be present in future versions.
hh If you are using more than a single, standalone BIG-IP system, anytime you click Finish on the iApp template, you should
manually synchronize the configuration. See Synchronizing the BIG-IP configuration on page 50.
hh L
ayer 3 in-line services require the user to give service (inspection) devices IP addresses from the choices in the iApp. If
you are using Layer 3 in-line services, this iApp is designed to send and receive information from them using a pre-defined
set of addresses. If your configuration requires different addressing, see 2. Do you want to replace in-line service subnet
block(s)? on page 23. Note that changing the subnet blocks is not recommended or supported by F5 Networks, and
should only be done if you understand the consequences.
hh If you plan to use in-line services in this deployment and are using two devices in a Sync-Failover Group, it is critical that
you configure and then SAVE the VLAN information in the In-Line Services section on both BIG-IP systems that are a part
of this configuration. You must then synchronize the configuration to the other device before configuring the rest of the
template. See the sections How to configure in-line services using the SSL Intercept iApp template on page 9 and
Synchronizing the BIG-IP configuration on page 50 for more information.
hh A
fter deploying the iApp template, if you want to modify or remove an active in-line service, see the instructions in
Modifying or deleting an in-line service you already created on page 10.
hh If you choose to configure Receive-Only services and are using more than a single, standalone BIG-IP system (multiple
devices in a Sync-Failover group): After you click Finished on the device you are currently configuring, on each device in
the Sync-Failover group you must use the Reconfigure option (click iApps > Application Services > name you gave the
iApp > Reconfigure (on the menu bar)), and then click Finished (even if you do not make any other changes) in order for
the iApp to install the non-floating configuration for Receive-Only services on each device. See Receive-Only Services on
page 29 for more information.
hh The Metrics Collector service is an Early Access feature and may change or not be present in future versions of this solution.
• Ingress device
The ingress BIG-IP system is the device (or Sync-Failover device group) to which each client sends traffic. In the scenario
where both ingress and egress traffic are handled by the same BIG-IP system, ingress refers to the ingress VLAN(s) where
the clients send traffic. The ingress BIG-IP system (or ingress VLAN(s)) decrypts the traffic and then based on protocol, source,
destination, and so on, classifies it and passes each connection for inspection based on service chains you will configure (or
allows certain connections to bypass service-chain processing based on your selections).
• E
gress device
The egress BIG-IP system is the device (or Sync-Failover device group) that receives the traffic after a connection traverses
the chosen service chain and then directs it to its final destination. In the scenario where both ingress and egress traffic are
handled by the same BIG-IP system, egress refers to the egress VLAN(s) where the BIG-IP system receives traffic.
• In-line services
In-line services pass traffic through one or more service (inspection) devices at Layer 2 (MAC/bump in the wire) or Layer 3
(IP). Each service device communicates with the ingress BIG-IP device over two VLANs called Inward and Outward which
carry traffic toward the intranet and the Internet respectively. You can configure up to ten in-line services using the iApp
template. For detailed information on configuring in-line services, see How to configure in-line services using the SSL
Intercept iApp template on page 9.
• Receive-only services
Receive-only services refer to services that only receive traffic for inspection, and do not send it back to the BIG-IP system.
Each receive-only service provides a packet-by-packet copy of the traffic (e.g. plaintext) passing through it to an inspection
device. You can configure up to ten receive-only services using the iApp template. For more information on receive-only
services, see Receive-Only Services on page 29.
• ICAP services
Each ICAP service uses the ICAP protocol (https://tools.ietf.org/html/rfc3507) to refer HTTP traffic to one or more Content
Adaptation device(s) for inspection and possible modification. You can add an ICAP service to any TCP service chain, but
only HTTP traffic is sent to it, as ICAP does not support other protocols. You can configure up to ten ICAP services using
the iApp template. For more information on ICAP services, see ICAP Services on page 30.
• M
etric Collector services
The purpose of the metric collector services is to gather statistical information (like bytes transferred) whenever they are
placed in a service chain. These services are internal to the SSL intercept iApp and do not examine or modify data in
connections. You can see the statistics in the BIG-IP Configuration utility. For more information on metric collector services,
see Metrics Collector Services on page 32. Note this is an Early Access feature and may change or not be present in
future versions of this solution.
• S
ervice chains
SSL Intercept service chains process specific connections based on classifier rules which look at protocol, source and
destination addresses, and so on. These service chains can include four types of services (Layer 2 in-line services, Layer 3
in-line services, receive-only services, and ICAP services) you define, as well as any decrypt zone between separate ingress
and egress devices). For more information on service chains, see Service Chains on page 33.
• S
ervice chain classifier rules
Each service chain classifier rule chooses ingress connections to be processed by a service chain you configure (different
classifier rules may send connections to the same chain). Each classifier rule has three filters. The filters match source (client)
IP address, destination (which can be IP address, IP Intelligence category, IP geolocation, domain name, domain URL
Filtering category, or server port), and application protocol (based on port or protocol detection). Filters can overlap so the
solution chooses the classifier rule which best matches each connection.
• S
ervice Chain Classification Previewer
The service chain classification previewer is a useful tool that allows you to use a web browser or HTTP client to ascertain
which service chain would be chosen for a connection with certain parameters of protocol, source, destination, and so on. It
is a small web page/service hosted on the ingress BIG-IP device (or device group). For more information on the previewer,
see Service Chain Classification Previewer on page 42. Note this is an Early Access feature and may change or not be
present in future versions of this solution.
• D
ecrypt zone
A decrypt zone refers to the network region between separate ingress and egress BIG-IP devices where cleartex data
is available for inspection. Basically an extra in-line service can be placed at the end of every service chain for additional
inspection. You cannot configure a decrypt zone in the scenario where a single BIG-IP system handles both ingress and
egress traffic.
• T
ransparent/Explicit Proxy
This solution can operate in transparent and/or explicit proxy mode. A transparent proxy intercepts normal communication
without requiring any special client configuration; clients are unaware of the proxy in the network. An explicit proxy requires
manual configuration on the client. In this solution, the transparent proxy scheme can intercept all types of TLS and TCP
traffic. It can also process UDP and forward other types of IP traffic. The explicit proxy scheme supports only HTTP(S) per
RFC2616.
• C
ertificate Authority (CA) certificate
This solution requires a Certificate Authority PKI (public key infrastructure) certificate and matching private key for SSL
Forward Proxy. Your TLS clients must trust this CA certificate to sign server certificates. You must import the certificate
and key before you start the iApp template, as importing certificates and keys is not a part of the template. See System >
File Management > SSL Certificate list > Import to install your CA certificate. This CA certificate must have the Digital
Signature and Certificate Signing key-usage properties.
• S
NAT
A SNAT (Secure Network Address Translation) is a feature that defines routable alias IP addresses that the BIG-IP substitutes
for client IP source addresses when making connections to hosts on the external network. A SNAT pool is a pool of
translation addresses that you can map to one or more original IP addresses. Translation addresses in a SNAT pool are not self
IP addresses.
• S
tatic and Floating configuration objects
In the iApp and this guide, we refer to static and floating BIG-IP configuration objects. Static configuration objects mean
those objects which must be configured separately on each device, such as VLAN and self IP objects. These objects are
not synchronized across the BIG-IP devices in a Sync-Failover group, as those object must remain unique.
Floating configuration objects are those that are shared across the Sync-Failover group, such as virtual servers and pools.
These objects are synchronized to all devices in the cluster.
• D
ata groups (including @pinners)
A BIG-IP data group is a group of related elements, such as a set of IP addresses for specific clients. These data groups are
used in the iRules that are a part of the iApp template and eliminate the need to list multiple values as arguments in an iRule
expression. Data groups are not created by the iApp (with the exception of @pinners described in the next paragraph), but
you can use them in your service chain classifier rules. This allows you to create and maintain these groups without having
to modify the iApp. For more information on data groups, see Using BIG-IP Data Groups to match IP address, domain
names, geolocations, or IPI/URL filtering categories (optional) on page 34.
The iApp does include one preconfigured domain-name matching data group called @pinners which contains a list of domain
names. These are domain names of some TLS- (SSL-) based services from well-known businesses like Microsoft that support
software (such as Microsoft Update) which may not work well when their connections are intercepted and decrypted by the
SSL Intercept solution. For complete details, see Using the @pinners data group on page 34.
Outward
Inward Decrypt Zone
Corporate
Data Center
Receive-only Services
Figure 1: Logical configuration diagram of the SSL intercept configuration using an ingress and egress BIG-IP system
Traffic flow
Traffic originates on the VLANs you specify. In our configuration example, we have two locations from which encrypted traffic
originates: corporate users, and the corporate data center.
Each client sends traffic to the ingress BIG-IP device (or the ingress side of a single BIG-IP system). The ingress BIG-IP system
decrypts the traffic, and then based on protocol, source, destination, and so on, classifies the traffic and then passes each connection
for inspection based on service chains you will configure (or allows certain connections to bypass service-chain processing based on
your selections).
This iApp template supports in-line services on Layer 2 and Layer 3, receive-only services, ICAP services, and metrics collector
services. If you are using separate BIG-IP systems for ingress and egress traffic as shown in the diagram, you can also have a decrypt
zone network between them that carries plaintext and you may place service devices in that network for further inspection. Note that
even when ingress and egress devices are separate, the ingress device must have a route to remote servers so the decryption
function can fetch servers' PKI certificates. See Terminology used in this solution on page 5 for definitions of the services.
In our example, the traffic from the corporate office users is sent to ICAP services (which deliver HTTP requests/replies to ICAP
servers) and then in-line services at Layer 3 (which send traffic through an L3 gateway or proxy device) for inspection. Traffic from
the corporate data center is sent to receive-only services (the BIG-IP provides a copy of the decrypted data stream to the receive-
only devices) and then in-line services at Layer 2 (which send traffic through an L2 'bump-in-the-wire' device) for inspection. You
may configure multiple services in the chain depending on the level of inspection you want. See Understanding Service Chain
Classification on page 52 for a detailed description of how the SSL Intercept chooses service chains.
After a connection traverses the chosen service chain, the egress BIG-IP device (or the egress side of a single BIG-IP system) directs
it to its final destination. Each service chain is an ordered list of services of various types. For TLS connections the decryption function
always precedes the service chain and the re-encryption function comes after. In between those, the connection's plaintext is available
to services (inspectors) in the chain.
1. C
omplete the Preparation Worksheet.
You can use the Preparation Worksheet form (http://f5.com/pdf/deployment-guides/ssl-intercept-preparation-worksheet.pdf) or
the Preparation worksheet on page 12.
2. D
ownload and import the iApp template
If the SSL Intercept iApp template is not present on your BIG-IP system, follow the instructions in Downloading and importing
the SSL Intercept iApp template on page 16.
3. O
pen the template and complete the Template Selection, Welcome, and General Configuration sections.
Template Selection contains the Name field and template selection. Welcome contains inline help options and an option to
delete the iApp configuration. General Configuration contains questions about your BIG-IP setup, as well as CA certificate, proxy
mode, and IP addressing family questions. These sections of the walkthrough start with Template Selection on page 17.
4. C
onfigure In-Line services (if applicable)
If you have any Layer 2 or Layer 3 in-line services to add to this configuration, configure the in-line services section of the
iApp as applicable. See How to configure in-line services using the SSL Intercept iApp template on page 9 for information
on how to configure in-line services. The in-line services section of the iApp walkthrough starts on page 23.
a. If you are using a pair of BIG-IP systems as a Sync-Failover group for HA, it is important to save and then synchronize the
configuration after configuring Stage 1 of the in-line service(s).
b. After synchronizing the configuration, re-enter the template to complete Stage 2 of the in-line services configuration.
5. Configure Receive-Only (if applicable)
If you have any receive-only services you want to be a part of this configuration, configure the receive-only section. The
receive-only section of the iApp walkthrough starts on page 29.
a. If you are using two BIG-IPs as a Sync-Failover group, you must save and synchronize the configuration after configuring
the receive-only service(s). You must open and save the configuration on the other system (no changes necessary).
b. After synchronizing the configuration, re-enter the template on one system to complete the rest of the template.
6. C
onfigure ICAP services (if applicable)
If you have any ICAP services you want to be a part of this configuration, configure the ICAP section of the template.
The ICAP section of the iApp walkthrough starts on page 30.
7. C
onfigure Metrics Collector (optional)
If you plan to use metrics collector services to gather statistical information, configure the metrics collector section of the
template. The metrics collector section of the iApp walkthrough starts on page 32.
8. C
onfigure Service Chains
After creating the applicable services, you configure the service chains. Service chains consist of a list of one or more of the
services you configured. The service chain section of the iApp walkthrough starts on page 33.
9. C
onfigure Service Chain Classifier rules
After creating service chains, you configure the service chain classifier rules which process specific connections using the
service chains you configured. The service chain classifier rules section of the iApp walkthrough starts on page 34.
10. C
onfigure Explicit Proxy options (optional)
If you are using explicit proxy, you configure these options. The ingress section of the iApp walkthrough starts on page 39.
11. I ngress Device configuration
Next, you configure ingress device settings, such as VLAN, certificate, and DNS information. The ingress section of the iApp
walkthrough starts on page 40.
12. S
ervice Chain Classification previewer (optional)
The previewer allows you to preview the path of a connection through the service chains. The previewer section of the iApp
walkthrough starts on page 42.
13. E
gress Device configuration
Next, you configure ingress device settings. The egress section of the iApp walkthrough starts on page 44.
No
i Important If you are only using a standalone BIG-IP system and not a Sync-Failover Group for high availability, you do not
need to perform the ConfigSync operation. You do still need to save the configuration after configuring the stage
1 options and then re-enter the template to configure stage 2.
• S
tage 1: Configure VLANs for Layer 2 (bump in the wire)
When you are initially configuring the iApp for Layer 2 in-line services, you select this option. When you select stage
1, the questions about the service name, number of devices, and VLAN details appear. You MUST configure these
options, submit the iApp, and then synchronize the configuration (see page 50) before completing the remainder of
the template.
hh P
reparing in-line services for use in a service chain
After you have completed the initial VLAN configuration, the next step is to activate the in-line services you created.
• S
tage 2: Finalize Layer 2 (bump in the wire) configuration
Once you have completed Stage 1 of the Layer 2 services and synchronized the configuration, you use the
Reconfigure option on the application service to re-enter the template and then select this option enable the service to
be used in a service chain. When you select this option, the questions about the service name, service failure options,
and port for HTTP traffic appear. Configure these options as applicable, and then configure the rest of the template.
hh U
nconfigured (or delete existing service when I click Finished)
Use this option if you want to completely and permanently remove an existing in-line service from the configuration. Once
you select this option and then click Finished on the iApp, the in-line service is permanently gone.
1. U
se the Reconfigure option on the template (iApps >Application Services > name you gave the iApp > Reconfigure (on
the menu bar) to re-enter the iApp.
2. In the In-Line Services section, find the service you want to modify or delete.
3. From the What is the status of this service? question, select the applicable Stage 1 option (either Layer 2 or Layer 3).
5. The next steps depend on if you want to modify or delete the service.
If you want to delete the entire iApp configuration, see Removing or modifying the iApp configuration on page 51.
2. Open the iApp template on the other BIG-IP system in the Sync-Failover group.
3. Simply click Finished without making any other changes. This installs the non-floating objects for the receive-only configuration.
1)
1)
2) (etc)
2)
Decrypt zone: IPv6 gateway (Self IP) addresses (if using IPv6)
IP Address for Ingress device control-channel virtual server
BIG-IP IP Addresses and 1)
iApp template name 1)
2) (etc)
You should have the following
IP Address for Egress device control-channel virtual server
BIG-IP addresses available or
If you are configuring separate Ingress and Egress devices,
reserved. 1)
the template needs to know the name you will give the iApp
You may have more than two application service (the Name field at the top of the template) Address of each IPv4 exit gateway (if using IPv4)
Gateway addresses. Only two on the other device. You can use the same name for the iApp
spaces are shown for space. 1)
application on both devices.
Use the back of these sheet
2) (etc)
or the margins. This name must be 1-15 alphanumeric or underscore characters
and must start with a letter (not case sensitive). Address of each IPv6 exit gateway (if using IPv6)
2) (etc)
Service name Inward VLAN Interface Tag Outward VLAN interface Tag
In-Line Services
For each in-line service you
plan to use (if any), you first
need to assign an Interface
to the Inward and Outward
VLANs and possibly a tag.
You can include a maximum of
10 services.
Each service can have up to
8 devices. We only provide
space for 4 services with 4
devices for each service here,
see the printable version for
more.
It is helpful to also record the
name you will give the service,
as you have to type this name
when configuring service
chains.
Each Service can be either Layer 2 (bump in the wire), or Layer 3 (IP Gateway).
For each in-line service, no matter which type, you must choose whether you want to inspect all apparent HTTP traffic on port 80,
8080, or 8443, or if connections should use their original ports (such as 443, though unencrypted).
If you are deploying a Layer 3 in-line service, see In-line Services on page 23 for specific information about the device IP
addresses.
ICAP Services
If you are deploying the
template for ICAP services,
you can define up to 10 ICAP
services. Each service can
include multiple ICAP servers.
We only include space for 4
services, and 4 servers per
Service ICAP Request and Response Processing URIs
service in the table; you may
have more. See the printable Name
Request Response
worksheet for the full table.
Send to forwarding nameservers on local network Send to nameservers across the Internet
You should have at least two nameservers on the local network. The ingress device will locate Internet nameservers
Specify the IP addresses (you may have more/less than 4) automatically, but you must choose if you want to configure
local/private DNS zones. If you do, you must specify the local/
DNS 1) private forwarding zones. You may have more/less than 4.
You must decide whether you 2) This also requires DLV keys (long hexadecimal strings). You
want to send DNS queries to
should prepare to copy them from your local source and then
forwarding nameservers on 3)
paste them into the iApp.
the local network or directly
4)
to nameservers across the
Forward Zone Nameserver
Internet
If you want to use the IPv4 address for previewer (if using v4)
previewer to use a web IPv6 address for previewer (if using v6)
browser or HTTP client to see
which service chain would be TCP port for previewer (port 80 is usually fine)
chosen for a connection, you Existing SSL profile (optional)
need to gather this information.
IPv4 subnets clients must connect from
Only enter the IPv4/IPv6
information for the version you IPv6 subnets clients must connect from
are using.
Once you have gathered the information using the worksheet, continue with the iApp walkthrough starting on the next page.
• Sub choice #2
• Sub-sub choice
Explanatory text
• Sub-sub #2
2. Click Find a Download, and then in the Security F5 Product Family section, click SSL Orchestrator.
3. Select BIG-IP version 12.1 from the list, and then click SSL Orchestrator.
4. Accept the End User License agreement, and then download the iapps zip file to a location accessible from your BIG-IP system.
5. Extract (unzip) the f5.ssl_intercept_svc_chain.v1.5.8.tmpl file. All users should be on this or a later version.
10. Click the Browse button, and then browse to the location you saved the iApp file.
11. Click the Upload button. The iApp is now available for use.
7. Synchronize the configuration across the devices in the Sync-Failover device group.
After you synchronize the configuration, you can re-enter the template and modify any of the settings as usual.
2. On the Main tab, expand iApp, and then click Application Services.
Template Selection
This section contains general template information, including the name you give the iApp Application Service
1. Name
In the Name box, type a name for this application service. In our example, we use intercept.
! Warning N
ames must contain 1-15 alphanumeric or underscore characters and must start with a letter (not case sensitive).
Welcome
At the bottom of the Welcome section of the iApp template, you will find the following questions.
1. Do
you want to see inline help?
Select whether you want to see informational and help messages inline throughout the template. Important and critical notes are
always shown, no matter which selection you make. Because of the number of different advanced options in the template, we
recommend you select Yes, show inline help at least the first time you use the iApp template.
• Y
es, show inline help
Select this option to show inline help for most questions in the template.
• N
o, do not show inline help
Select this option if you do not want to see inline help. If you are familiar with this iApp template, or with the BIG-IP system in
general, you can select this option to hide the inline help text.
When you have finished the final step on all BIG-IP devices, click iApps > Application Services. Click the box next to
your SSL Intercept service, and then click Delete. The configuration is now completely deleted.
If you experience an error, be sure to see You may experience a "cannot delete" error in certain situations after
configuring the Egress device to send traffic to the Internet via specific gateways on page 57.
1. Do you want to configure separate ingress and egress BIG-IP devices with a decrypt zone network between them?
Choose whether or not you are using separate devices for ingress and egress traffic (with a decrypt network zone between the
two devices). If you are deploying separate devices (or separate Sync-Failover Groups), you must run this iApp on both devices,
selecting the appropriate answers in the following questions.
a. What is the name you have the iApp on the EGRESS device?
Type the name you gave (or will give) the iApp template application service on the Egress BIG-IP device. Again,
this name must contain 1-15 alphanumeric or underscore characters and must start with a letter (not case
sensitive). The iApp uses this as part of the service channel communication between devices.
c. What IP address should THIS (ingress) device's control-channel virtual server use?
You must assign an IP address to the virtual server for the service chain control channel on a VLAN (and subnet)
which will carry control data to and from the egress device (often VLAN external). The control channel uses TCP
port 245.
a. What is the name you have the iApp on the INGRESS device?
Type the name you gave, or will give, the iApp template application service on the Ingress BIG-IP device. Again,
this name must contain 1-15 alphanumeric or underscore characters and must start with a letter (not case
sensitive). The iApp uses this as part of the service channel communication between devices.
c. What IP address should THIS (egress) device's control-channel virtual server use?
You must assign an IP address to the virtual server for the service-chain control channel on a VLAN (and subnet)
which will carry control data to and from the egress device (often VLAN external). The control channel uses TCP
port 245.
Select the Certificate Authority (CA) certificate that your clients will trust to authenticate intercepted TLS connections. You imported
the CA certificate and private key while configuring the Setup Wizard. If you did not use the Setup Wizard, you must import a CA
certificate before you can use this functionality.
Whenever you CHANGE the CA certificate, you must enter the passphrase (if any) that protects the private key.
Select the corresponding private key. Again, you either imported this using the Setup Wizard, or must manually import it.
If applicable, type the private-key passphrase. If the key does not have a passphrase leave the field empty.
Chose how you want the system to handle connections made using SSLv3.
Choose how you want the system to handle connections made using SSLv3. Note that SSLv2 is long obsolete and insecure, and
these connections cannot be intercepted (decrypted) by this iApp.
Choose whether you want to enforce TLS secure renegotiation. To avoid a serious TLS vulnerability, both client and server
must use secure renegotiation per RFC5746. By default, when this solution detects an attempt to use insecure renegotiation it
terminates the affected TLS session to avert loss of session security.
However, you may select to allow use of insecure TLS renegotiation to disable secure-renegotiation enforcement (thereby exposing
affected TLS sessions to man-in-the-middle attacks). This may permit TLS sessions with obsolete servers and/or clients.
a. Do you want to pass UDP traffic through the transparent proxy unexamined?
By default, transparent-proxy mode manages TCP traffic but allows UDP traffic to pass through unexamined. You may
choose to manage UDP as well as TCP traffic-- for example, to redirect QUIC web connections to HTTPS (so you can
intercept them) or to send UDP traffic to a receive-only service.
b. Do you want to pass non-TCP, non-UDP traffic through the transparent proxy?
If you select to implement a transparent proxy, you can choose to pass non-TCP, non-UDP traffic through this solution
unexamined or to block traffic that is not TCP or UDP. By default, transparent-proxy mode blocks all non-TCP/UDP traffic
(for example, IPSec or SCTP).
• No, block all non-TCP, non-UDP traffic (IPSec, SCTP, OSPF, etc.)
Select this option if you want the system to block all non-TCP, non-UDP traffic.
a. Do you want to pass UDP traffic through the transparent proxy unexamined?
By default, transparent-proxy mode manages TCP traffic but allows UDP traffic to pass through unexamined. You may
choose to manage UDP as well as TCP traffic-- for example, to redirect QUIC web connections to HTTPS (so you can
intercept them) or to send UDP traffic to a receive-only service.
b. Do you want to pass non-TCP, non-UDP traffic through the transparent proxy?
If you select to implement a transparent proxy, you can choose to pass non-TCP, non-UDP traffic through this solution
unexamined or to block traffic that is not TCP or UDP. By default, transparent-proxy mode blocks all non-TCP/UDP traffic
(for example, IPSec or SCTP).
• No, block all non-TCP, non-UDP traffic (IPSec, SCTP, OSPF, etc.)
Select this option if you want the system to block all non-TCP, non-UDP traffic.
If you chose a single BIG-IP device to handle ingress and egress, or chose separate devices and that you are currently configuring the
ingress device, continue with In-line Services on page 23.
If you chose separate devices and you are currently configuring the egress device, continue with Egress Device Configuration (for the
separate ingress and egress device scenario) on page 46.
i Important If deploying the template for in-line services for the first time, you must complete the following two separate tasks:
hh First, you must complete the following in the In-Line services area of the template:
a. A
nswer the questions as applicable until you get to the What is the status of this service? question.
From that question, select one of the Stage 1 options and then complete the rest of the questions that
appear in the in-line services section.
fter you configure the VLANs in the In-Line Services section, click the Finished button at the bottom
b. A
of the template without completing the rest of the template.
c. If you are using more than one standalone BIG-IP device, after you click Finished, you must
synchronize the BIG-IP configuration to the other device in the ingress device group (see
Synchronizing the BIG-IP configuration on page 50 for guidance).
d. Repeat each step in this task for all ingress devices in the Sync-Failover group.
hh Second, after configuring all VLAN information on both devices and synchronizing the configuration, use the
Reconfigure option to open run this iApp again on just one device in the ingress-device Sync-Failover group.
In the In-line services section, select one of the Stage 2 options for each in-line service you configured, and
then complete the rest of the in-line services section. After completing the in-line services, complete the
rest of the template as applicable.
After deploying the template, if you want to add more in-line services at a later time and reconfigure the template,
you must again update the in-line service configuration on all devices, and the synchronize the configuration
again.
Return to How to configure in-line services using the SSL Intercept iApp template on page 9 for more
information and a flow diagram.
If you do not have any in-line services you want to be a part of this configuration, continue with Receive-Only Services on page 29.
Choose whether or not you want to replace the service-network subnet block(s). The IP subnets and addresses for in-line services
are assigned by this iApp and must be used by all configured in-line service devices. You can change the base address of each
address block (IPv4 or IPv6) from which subnets and addresses are assigned if necessary, but only before configuring in-line
services. However, changing an address block has several implications and must be done carefully, and is not recommended or
supported.
! Warning Replacing the service-network subnet blocks is NOT recommended and NOT SUPPORTED by F5. Only use
this option if you have a specific need and understand the consequences.
The IP subnets assigned to Inward and Outward VLAN pairs for in-line services must not collide with any intranet (local/private) or
Internet (remote/public) IP addresses. Those subnets are allocated from an IPv4 CIDR /19 block (which allows for thirty-two /24
subnets) and/or an IPv6 /48 prefix block.
If you replace a standard subnet block you assume responsibility for translating addresses shown in this iApp template for
configuring Layer 3 in-line services. That is straightforward for IPv6 addresses-- just replace the first three hextets. For IPv4
addresses you must replace the first two octets, then for the third octet, substitute the sum of the third octets of your base
value and the value shown in the iApp template. Besides address translation, you also assume full responsibility for any
address collisions or routing problems.
4. May in-line service devices initiate their own network traffic via Outward VLANs?
Choose whether in-line service devices can initiate their own network traffic using the outward VLANs. Normally all network traffic
reaching an SSL Intercept ingress device via an outward VLAN/subnet is part of a service-chain connection. For security, SSL
Intercept usually rejects unrecognized traffic trying to leave an outward VLAN using the ingress device as a gateway. However, you
may choose to allow in-line service devices to connect to remote network resources through the ingress device.
6. What is the unit number you want to use for this device?
Choose the unit number you want to assign to this BIG-IP device.
Note: T
his unit number is only used for identification purposes in this iApp and is not an existing unit identifier or used
outside the iApp.
For example, if you have two devices in your device service cluster for high availability, assign unit ID 1 to the first device. When
you are configuring this iApp on the other device in the cluster, assign that device unit ID 2.
The next task is to configure perform the in-line service(s) configuration for each service you specified in question #1.
• In-line Service 1
Complete the following for each in-line service.
As noted in the template, each in-line service has an Inward and Outward VLAN. Each Inward and Outward VLAN must be
connected to the same Layer 2 virtual network from both devices in the Sync-Failover group. Inward and Outward VLANs on
different BIG-IP devices may use different interfaces to connect to the same Layer 2 virtual networks.
c. What are the L2 service device VLANs and load balancing ratios?
Type the Layer 2 service device VLANs and load balancing ratio for each of the devices you specified in the
previous question. Click the Add button to include more rows. The number of rows must match the number you
selected in question b.
Ratio
If you choose to use the Ratio field, the BIG-IP system distributes connections among pool members in a static
rotation according to ratio weights that you define. In this case, the number of connections that each system
receives over time is proportionate to the ratio weight you defined for each pool member or node. This number
must be between 1-100.
For example, if you have five devices and you assign a ratio of 1 to the first three devices, and a ratio of 2 to the
fourth device, and a ratio of 3 to the fifth device; the first three devices with a ratio of 1 each receive 1/8 of the
traffic. The fourth device receives 1/4 of the traffic, and the fifth device receives 3/8 of the traffic.
VLANs
For each VLAN pair you must specify the BIG-IP interface and VLAN tag (if any; 0 means untagged) each VLAN
will use. On BIG-IP VE (Virtual Edition) the Inward and Outward VLANs for any particular Layer 2 service device
MUST use different interfaces (to avert MAC address collisions).
Keep track of the order in which you add VLAN pairs for specific service devices. When you add Inward/Outward
VLAN pairs for those service devices to the other BIG-IP devices in the Sync-Failover group, add them in the
same order. You should also assign the same load balancing ratio to each service device on all of the BIG-IP
devices in the Sync-Failover group.
! Critical Once you have completed all of the in-line services for a new in-line service (including any Layer 3
services), you must click Finished on the iApp
If you are using more than a single, standalone BIG-IP system, you must synchronize the
configuration across all the devices in the Sync-Failover group before continuing.
• Stage 1: Configure VLANs for Layer 3 (IP gateway)
Select this option if you are initially configuring a Layer 3 IP gateway service. Once you select this option, the following
questions appear about the name of the service and VLAN information. When you select this option, the service cannot
(yet) be added to any service chain you configure later, but it exists in the iApp configuration and will not be deleted.
VLANs
For each VLAN pair you must specify the BIG-IP interface and VLAN tag (if any; 0 means untagged) each VLAN
will use. On BIG-IP VE (Virtual Edition) the Inward and Outward VLANs for any particular Layer 2 service device
MUST use different interfaces (to avert MAC address collisions).
Each Inward VLAN must be connected to the same Layer 2 virtual network from every device in the Sync-Failover
Device Group— and each Outward VLAN likewise, but to a distinct Layer 2 virtual network. Inward and Outward
VLANs on different BIG-IP devices may use different interfaces and even tags (with external bridging) to connect to
the same Layer 2 virtual networks.
! Critical Once you have completed all of the in-line services for a new in-line service (including any Layer 2
services), you must click Finished on the iApp.
If you are using more than a single, standalone BIG-IP system, you must synchronize the
configuration across both the devices in the Sync-Failover group before continuing.
• Stage 2: Finalize Layer 2 (bump in the wire) configuration
Select this option when you are ready to include your Layer 2 in-line services in a service chain(s). Only select this
option when you have finished the Layer 2 Stage 1 questions and synchronized the configuration.
Note that each Layer 2 service (inspection) device must transfer packets between its Inward and Outward VLANs.
Packets will be sourced from various MAC's on each VLAN and destined for MAC's on the other (a Layer 2 device
logically resembles a bridge).
Note: E
ither action is taken only once for each connection, so if a long-lived connection is allowed to skip a
service which is offline (because all of its service devices are down at the moment it begins) none of
the packets for that connection will ever go through the service, even if it comes back online later.
c. Do you want to run all apparent HTTP traffic through one TCP port?
Select whether you want the system to use the original destination port, or to send all traffic that appears to be
HTTP through one TCP port (the original destination port is restored after). This question is necessary because
some service (inspection) devices do not recognize and analyze HTTP protocol streams on non-standard ports.
c. Do you want to run all apparent HTTP traffic through one TCP port?
Select whether you want the system to use the original destination port, or to send all traffic that appears to be
HTTP through one TCP port (the original destination port is restored after). This question appears because some
service (inspection) devices do not recognize and analyze HTTP protocol streams on non-standard ports.
Return to In-line Service 1 on page 25 to repeat this procedure for each of the in-line services you specified.
i Important Remember, if you just finished configuring Stage 1 for in-line services, you must click Finished.
If you are using more than a single, standalone BIG-IP device, you must repeat this section on each in the
Sync-Failover device group (the Ingress Sync-Failover group if using separate ingress/egress devices). After
completing the Stage 1 configuration on all ingress devices, synchronize the configuration (see Synchronizing the
BIG-IP configuration on page 50), before returning to select an Stage 2 service type and then completing the
in-line service configuration.
If you are using a standalone BIG-IP device, after clicking Finished, simply re-enter the template using the
Reconfigure option (click iApps > Application Services > name you gave the iApp > Reconfigure (on the Menu
bar)), and then configure Stage 2.
i Important If you choose to use Receive-Only services and are using more than a single, standalone BIG-IP system (two
devices in a Sync-Failover group) only:
After you click Finished on the device you are currently configuring, synchronize the configuration. On the other
device in the Sync-Failover group you must use the Reconfigure option (click iApps > Application Services >
name you gave the iApp > Reconfigure (on the menu bar)), and then click Finished (even if you do not make any
other changes) in order for the iApp to install the non-floating configuration for Receive-Only services on each
device.
If you do not have any receive-only devices you want to be a part of this configuration, continue with ICAP Services on page 30.
• Receive-Only Service 1
For each receive-only service you specified in question #1, you must complete the following.
• VLAN
Select the VLAN on which the receive-only device resides.
• Interface
Select the associated BIG-IP interface.
i Important T
he receive-only device does NOT have to recognize or use the nominal IP address. The nominal IP
address does NOT have to be on the same VLAN as the receive-only device. No IP packets will ever
be sent to the nominal IP address, but it must be unique on the network while it is assigned in this
solution.
• Repeat for each receive-only service you want to use in this deployment
Configure each of the receive-only services using the appropriate information for that service.
This completes the Receive-only service configuration. Continue with ICAP Services on page 30.
• ICAP Service 1
For each ICAP service you specified in question #1, you must complete the following.
b. Which ICAP device(s) will inspect HTTP requests for this service?
Specify a unique IP address and the port for each receive-only service you are configuring. If you add more than one ICAP
device, they become part of a BIG-IP load balancing pool with a TCP health monitor attached to each device.
• IP address
Type the IP address of one of your ICAP devices.
• ICAP Port
Type the port your ICAP service is using (if different from 1344, the default).
If your ICAP servers do not support multiple ICAP transactions per TCP connection, select No to disable OneConnect.
See https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7208.html for more information on OneConnect.
You can place the macros ${SERVER_IP} and ${SERVER_PORT} into a URI (for example,
icap://${SERVER_IP}:${SERVER_PORT}/REQMOD) and they will be replaced with the IP address and port of the
specific ICAP server chosen to handle a particular transaction.
• Repeat for each ICAP service you want to use in this deployment
Configure each of the ICAP services using the appropriate information for that service.
This completes the ICAP services configuration. Continue with Metrics Collector Services on page 32.
You can review the statistics accumulated by a metrics-collector service in the BIG-IP Configuration utility. Click Local Traffic >
Virtual Servers > Name of the virtual server associated with a metrics collector service > Statistics (on the menu bar). The name
of each metrics collector service appears in the Description field of its virtual server. You may also investigate statistical data using
TMSH or SNMP.
Note: M
etrics Collector services are an Early Access feature and may change or not be present in future versions of this
solution.
1. Service Chains
Use this section to configure the SSL Intercept service chains.
• Chain name
Type a short name for this service chain. A service chain name may contain 1-15 alphanumeric or underscore characters and
must start with a letter (not case-sensitive). Use spaces or commas to separate service names.
i Important Y
ou cannot use any of the keywords 'all', 'bypass', 'reject', or 'drop', nor the name of any (inspection)
service you previously configured in this iApp as a service chain name.
• Service List
Type the names of the services (in-line, receive-only, and/or ICAP) you defined in the iApp.
For example, if you used the iApp to configure two services that process HTTP traffic, one you named DLP and the other you
named AUP, you might define a service chain with the Chain Name web and with the Service List AUP, DLP which would first
check URL's against your Acceptable Use Policy, and then monitor web requests for sensitive data exfiltration. You do not have
to specify the decryption and re-encryption functions in this list – they bookend every chain.
hh The order of the services in the chain is the order in which the traffic will pass through the services,
hh If present, devices in the decrypt zone will see traffic after all services,
hh Returning traffic will pass through the services in the reverse order.
This completes the service chain configuration. Next, you configure the Service Chain classifier rules that determine which of the
service chains you just configured receive traffic. Continue with TCP Service Chain Classifier Rules on page 34.
For detailed information of the settings in this section, see Understanding Service Chain Classification on page 52.
Using BIG-IP Data Groups to match IP address, domain names, geolocations, or IPI/URL filtering categories (optional)
To match IP addresses, domain names, geolocations, or IPI/URL Filtering categories against the contents of data groups (which you
configure and maintain outside this iApp), insert the special match target @DG where DG is the name of a data group, such as
/Common/IPlist. The name (or IP address) of each record in the data group is the match target. For @DG domain-name matching
only, you can append an exclamation point (!) to a record name to indicate suffix-match instead of exact match. For example, the
record name F5.COM would NOT match destination www.f5.com but .F5.COM! would. Use leading dots (.) to avert errors like
F5.COM! matching www.not-f5.com.)
Each record's value is empty, or for Dst matches (only) is optionally a keyword or service-chain name as explained below. When you
use @DG syntax to match destinations against a data group, the chain name in the classifier rule becomes a default which you can
override by setting the data-group value for any particular match in the data group to a chain name or keyword.
For specific information on configuring data groups on the BIG-IP system (Local Traffic > iRules > Data Group list), see the
BIG-IP documentation or the Help tab on the Data Group List page.
• Phase
Choose which Phase you want for this classifier. The options are Normal, No TLS, Pre-handshake, and TLS handshake.
»» Normal
When Match Phase is Normal the rule may match TLS connections at TLS handshake time and possibly again-- more
specifically-- after SSL Intercept exposes the plaintext of the TLS connection (so you can manage HTTPS on non-
standard ports, for example). Normal rules may also match non-TLS traffic (so, for example, a single rule can handle
both HTTPS and HTTP).
• Src
The Src (source) filter is one or more IP subnet or host addresses. If the source IP of an ingress connection matches an
address in the Src filter, the other filters will be checked. Using * means all-addresses; @DG includes addresses from
a Data Group (see description earlier in this section). Specify source addresses as prefix/mask-length (CIDR format) like
203.0.113.0/24 or fdf5:f:5:cc0f::/64 (to specify a single host omit the mask-length, like 203.0.113.55). Use spaces or commas
to separate multiple filter items.
• Mode
Choose the mode you want to use for this classifier rule. The mode you choose determines the value you will use for the Dst
(destination). You can choose one of the following modes for each classifier rule:
»» Addr
If you select Addr (address(es)), the Dst filter you will configure consists of one or more IP subnet or host addresses just
like the Src filter.
»» Geo
If you select Geo (geolocation), the Dst you will configure contains 2-letter country and 3-letter continent codes
against which the IP Geolocation of the destination server is compared. The continent codes are: CAF=Africa,
CAN=Antarctica, CAS=Asia, CEU=Europe, CNA=North America, COC=Oceania, CSA=South. The country codes are
those of ISO 3166 alpha-2.
»» IPI
If you select IPI (IP inspection), the Dst you will configure contains one or more IP Intelligence categories against which
the destination IP address's reputation is matched. You must replace SPACE characters in names of IP Intelligence
categories with underscores (_) before adding them to Dst. While you must have an IP Intelligence license to use this
functionality, the iApp will not display an error if you do not, this classifier rule will just not match any connections.
»» DDB
If you select DDB (Dynamic Domain Bypass), the Dst you will configure contains one or more DNS domain names
(unique or wildcard) against which the destination hostname indicated by the client in TLS SNI is matched. This mode
is special because it classifies traffic before the SSL Intercept solution attempts any TLS handshake with the remote
server (that is, in Match Phase 'Pre-handshake'). You may use DDB to whitelist and bypass traffic to servers which
cause TLS handshake problems or that require TLS mutual (client-certificate/smart-card) authentication. For DDB, the
Chain value you will select MUST be bypass or reject. For DBB only, the tilde symbol (~) matches an empty/missing
hostname.
For security, the DDB facility ensures thetls destination IP address for each bypassed connection corresponds to the
allowed domain. DDB may replace the destination IP address supplied by the client with one freshly obtained from
DNS. See Dynamic Domain Bypass on page 55 for more information.
»» Name
If you select Name (domain name), the Dst you will configure contains one or more DNS domain names (unique or
wildcard) against which the connection's destination hostname is matched.
»» URLF
If you select URLF (URL Filtering), the Dst you will configure is one or more URL Filtering categories against which
the URL categorization of the destination server is compared. You must replace SPACE characters in names of URL
Filtering categories with underscores (_) before adding them to Dst. While you must have an URL Filtering license to
use this functionality, the iApp will not display an error if you do not. Instead this classifier rule will just not match any
connections. See Optional URL filtering on page 56 for instructions on updating the database and other useful
information.
• Dst
Dst is destination of the connection. The value of this field is based on the selection you made for the Mode (descriptions
are found in each mode listed above). If applicable, specify definition addresses as prefix/mask-length (CIDR format) like
203.0.113.0/24 or fdf5:f:5:cc0f::/64 (to specify a single host omit the mask-length, like 203.0.113.55). Use spaces or commas
to separate multiple filter items. You must replace SPACE characters in names of IP Intelligence and URL Filtering categories
with underscores (_) when adding them to Dst.
• Proto
The Proto (protocol) value specifies the protocol of the connection (based on port or protocol recognition). You can specify one
of the following protocols:
»» A ny
Select this option if you want to allow all protocols for this classifier rule.
»» HTTP
Select this option if you want to limit the protocol for this classifier rule to HTTP.
»» Mail
Select this option if you want to limit the classifier rule to the standard ports for SMTP, IMAP, and POP, plus SMTP
protocol recognition.
»» S
SLv2/3
Select this option if you want the rule to match only when SSLv2 and/or SSLv3 connections are treated as non-TLS.
»» O ther
Select this option if you want the limit the classifier rule to all other protocols except HTTP and Mail (SMTP, IMAP, and POP).
• Chain
Type the name of the Service Chain you configured that you want to use for this classifier rule. This must be the name you
gave a service chain or a special keyword: all, bypass, or reject. All means a chain including all services-- first receive-only
services, then ICAP services, then in-line services. Bypass lets the connection go to its destination without traversing any
service chain. Reject terminates the connection. When you use @DG syntax (as described at the beginning of this section)
to match destinations against a data group, the chain label in the classifier rule becomes a default which you can override by
setting the data-group value for any particular match in the data group to a chain label or keyword.
• REJECT them
Select this option if unmatched connections should be rejected by the system.
Using BIG-IP data groups to match IP address, domain names, geolocations, or IPI/URL filtering categories (optional)
To match IP addresses, domain names, geolocations, or IPI/URL Filtering categories against the contents of data groups (which you
configure and maintain outside this iApp), insert the special match target @DG where DG is the name of a data group, such as
/Common/IPlist. The name (or IP address) of each record in the data group is the match target. For @DG domain-name matching
only, you can append an exclamation point (!) to a record name to indicate suffix-match instead of exact match. For example, the
record name F5.COM would NOT match destination www.f5.com but .F5.COM! would. Use leading dots (.) to avert errors like
F5.COM! matching www.not-f5.com.
Each record's value is empty, or for Dst matches (only) is optionally a keyword or service-chain name as explained below. When you
use @DG syntax to match destinations against a data group, the chain name in the classifier rule becomes a default which you can
override by setting the data-group value for any particular match in the data group to a chain name or keyword.
For specific information on configuring Data Groups on the BIG-IP system (Local Traffic > iRules > Data Group list), see the
BIG-IP documentation or the Help tab on the Data Group List page. Also see Using the @pinners data group on page 34.
• Src
The Src (source) filter is one or more IP subnet or host addresses. If the source IP of an ingress connection matches an
address in the Src filter, the other filters will be checked. Using * means all-addresses; @DG includes addresses from a
Data Group (see description earlier in this section). Specify source addresses as prefix/mask-length (CIDR format) like
203.0.113.0/24 or fdf5:f:5:cc0f::/64 (to specify a single host omit the mask-length, like 203.0.113.55). Use spaces or commas
to separate multiple filter items.
• Mode
Choose the mode you want to use for this classifier rule. The mode you choose determines the value you will use for the Dst
(destination). You can choose one of the following modes for each classifier rule:
»» Addr
If you select Addr (address(es)), the Dst filter you will configure consists of one or more IP subnet or host addresses just
like the Src filter.
»» Geo
If you select Geo (geolocation), the Dst you will configure contains 2-letter country and 3-letter continent codes (see
Prerequisites and configuration notes on page 3 for continent codes) against which the IP Geolocation of the
destination server is compared.
»» IPI
If you select IPI (IP inspection), the Dst you will configure contains one or more IP Intelligence categories against which
the destination IP address's reputation is matched. You must replace SPACE characters in names of IP Intelligence
categories with underscores (_) before adding them to Dst. While you must have an IP Intelligence license to use this
functionality, the iApp will not display an error if you do not, this classifier rule will just not match any connections.
»» Port
If you select When mode is 'Port' . For Port, Dst contains one or more TCP port numbers or ranges like 5557-5559
(use 0 or * to match all) against which the destination port number is matched. The chief use of this mode is to control
non-TLS traffic such as SSH. If you select Port, the Proto value MUST be All.
• Proto
The Proto (protocol) value specifies the protocol of the connection (based on port or protocol recognition). You can specify one
of the following protocols:
»» A ll
Select this option if you want to specify all protocols for this classifier rule.
»» QUIC
Select this option if you want to limit the protocol for this classifier rule to QUIC (UDP ports 80 and 443).
the Proto value 'QQQQ'
»» QQQQ
Select this option if you want to limit the classifier rule to recognize QUIC connection attempts (but not session-
resumption!) dynamically on any port.
»» O ther
Select this option if you want the limit the classifier rule to all other protocols except QUIC and QQQQ.
• Chain
Type the name of the Service Chain you configured that you want to use for this classifier rule. This must be the name you
gave a service chain or a special keyword: all, bypass, or reject. All means a chain including all services-- first receive-only
services, then ICAP services, then in-line services. Bypass lets the connection go to its destination without traversing any
service chain. Reject causes the connection to be refused (With UDP classifier rules there is no + to re-classify.) When you use
@DG syntax (as described at the beginning of this section) to match destinations against a data group, the chain label in the
classifier rule becomes a default which you can override by setting the data-group value for any particular match in the data
group to a chain label or keyword.
• REJECT them
Select this option if unmatched connections should be rejected by the system.
Continue with either Explicit Proxy Configuration on page 39 if applicable, or Ingress Device Configuration on page 40.
2. What IPv4 address and port should the explicit proxy use?
This question only appears if you selected you are using IPv4 addresses
Specify the IPv4 address and port the system should use for the explicit proxy virtual server.
• IPv4 address
Type the IPv4 address you want to use for the explicit proxy virtual server.
• Port
Type the port for the explicit proxy, if different from the default, 3128.
3. What IPv6 address and port should the explicit proxy use?
This question only appears if you selected you are using IPv6 addresses
Specify the IPv6 address and port the system should use for the explicit proxy virtual server.
• IPv4 address
Type the IPv6 address you want to use for the explicit proxy virtual server.
• Port
Type the port for the explicit proxy, if different from the default, 3128.
i Important T
his iApp will configure initial DNSSEC keys (root Trust Anchor and dlv.isc.org DLV Anchor keys). When those
keys are updated (replaced) by their issuers, you may experience lookup failures as a result.
In this case, you must return to the iApp template using the Reconfigure option (iApps > Application Services
> name you gave this iApp > Reconfigure (on the menu bar)) and simply click Finished without making any
modifications. The iApp template automatically retrieves the new keys.
As stated in the prerequisites, if you are deploying the iApp template for DNSSEC, you must have DNS configured on the
BIG-IP system. To configure DNS on the BIG-IP system, go to System > Configuration > Device > DNS. In the DNS
Lookup Server List row, add your DNS servers. For complete instructions, see the BIG-IP documentation or the Help tab.
Choose whether or not you want to configure local/private DNS zones. Many organizations have some domain names in DNS
zones which are not visible to the Internet. We call those zones forward zones because we have to forward queries for records in
those zones to local nameservers inside the organization. If you want to use any local DNS forward zones select Yes.
Some zones will not have DLV RR's— just enter any which your DNS administrator supplies. To enter DLV RR's you will
probably wish to copy the DNSKEY and DS RR's into a text editor (just a single (long) line per RR— place a comma at
the end of each) then copy-and-paste the whole text at once into the DLV field in the iApp.
Note: T
he Service Chain Classification Previewer is an Early Access feature and may change or not be present in future
versions of this solution.
Type the IPv4 address you want to use for access to the previewer.
Type the IPv6 address you want to use for access to the previewer.
Type the IPv4 subnet you want clients to have to connect from. Use client subnet number(s) in CIDR format (like
203.0.113.0/24). The default value (*) allows all subnets.
Type the IPv6 subnet you want clients to have to connect from. Use client subnet number(s) in CIDR format (like
203.0.113.0/24). The default value (*) allows all subnets.
This completes the previewer section. Continue with the Egress device configuration on the next page.
SNAT Auto Map uses a BIG-IP Self IP address to replace each client source IP address. With SNAT Auto Map you do not
have to define a pool of distinct host addresses for SNAT to use. However, each TMM (Traffic Management Microkernel)
instance can only use a fraction of the port numbers associated with any Self IP address. As traffic volume increases,
TMM instances will exhaust their SNAT port allocations and start to drop connections. Counter-intuitively, more powerful
BIG-IP devices are more likely to drop connections when using SNAT Auto Map. Unless your traffic volume is small, we
recommend you define SNAT addresses instead of using SNAT Auto Map.
Type at least as many IPv4 host addresses as the number of CPUs on the ingress device. Each address must be
uniquely assigned and routed to the ingress device. It is best to assign addresses which are adjacent and grouped
under a CIDR mask, for example, 203.0.113.8 up through 203.0.113.15 which fill 203.0.113.8/29.
Type at least as many IPv6 host addresses as the number of CPUs on the ingress device. Each address must be
uniquely assigned and routed to the ingress device. It is best to assign addresses which are adjacent and grouped
under a CIDR mask.
Type the IPv4 address(es) of one or more exit gateways (routers). Make sure those gateways route return traffic (e.g.,
packets addressed to intranet networks) to the exit-VLAN floating Self IP address. Click Add include additional addresses.
Gateways should respond to a gateway_icmp monitor.
Type the IPv6 address(es) of one or more exit gateways (routers). Make sure those gateways route return traffic (e.g.,
packets addressed to intranet networks) to the exit-VLAN floating Self IP address. Click Add include additional addresses.
Gateways should respond to a gateway_icmp monitor.
This completes the egress device configuration for the single BIG-IP scenario. Continue with Logging Configuration on page 49.
1. Which VLAN(s) are part of the decrypt zone? (These bring traffic from the ingress device)
Select the BIG-IP VLAN(s) connected to the decrypt zone (on which traffic from the ingress BIG-IP device arrives). The VLAN(s)
must already exist on the system before you can select them here.
Type the IPv4 address(es) of one or more ingress gateways (ingress-device Self IPs for Layer 2 service devices, or IPs of
Layer 3 service devices).
You can control the share of traffic sent to each ingress gateway IP by adjusting its ratio value (for example, if one gateway
can handle 45 Mbit/sec and another 150 Mbit/sec, give them ratio values 1 and 3 respectively).
Click Add include additional addresses. Note these gateways should respond to a gateway_icmp monitor.
Type the IPv4 address(es) of one or more ingress gateways (ingress-device Self IPs for Layer 2 service devices, or IPs of
Layer 3 service devices).
You can control the share of traffic sent to each ingress gateway IP by adjusting its ratio value (for example, if one gateway
can handle 45 Mbit/sec and another 150 Mbit/sec, give them ratio values 1 and 3 respectively).
Click Add include additional addresses. Note these gateways should respond to a gateway_icmp monitor.
This solution makes outbound TLS connections on behalf of clients. You can control which remote server certificates will be
trusted and how problems with remote TLS servers should be handled. If you want to trust a custom bundle of Certificate Authority
(CA) certificates (root and intermediate) to authenticate remote servers, you must load that bundle into the BIG-IP (System > File
Management > SSL Certificate List) then select it here. Only CA bundles that already exist on the system appear in the list, so if
you add a bundle while configuring the iApp, you will not be able to select it until you exit and then re-enter the template.
SNAT Auto Map uses a BIG-IP Self IP address to replace each client source IP address. With SNAT Auto Map you do not
have to define a pool of distinct host addresses for SNAT to use. However, each TMM (Traffic Management Microkernel)
instance can only use a fraction of the port numbers associated with any Self IP address. As traffic volume increases,
TMM instances will exhaust their SNAT port allocations and start to drop connections. Counter-intuitively, more powerful
BIG-IP devices are more likely to drop connections when using SNAT Auto Map. Unless your traffic volume is small, we
recommend you define SNAT addresses instead of using SNAT Auto Map.
Type at least as many IPv4 host addresses as the number of CPUs on the BIG-IP device. Each address must be
uniquely assigned and routed to the device. It is best to assign addresses which are adjacent and grouped under
a CIDR mask, for example, 203.0.113.8 up through 203.0.113.15 which fill 203.0.113.8/29.
Type at least as many IPv6 host addresses as the number of CPUs on the BIG-IP device. Each address must be
uniquely assigned and routed to the device. It is best to assign addresses which are adjacent and grouped under
a CIDR mask.
Type the IPv4 address(es) of one or more exit gateways (routers). Make sure those gateways route return traffic (e.g.,
packets addressed to intranet networks) to the exit-VLAN floating Self IP address. Click Add include additional addresses.
Gateways should respond to a gateway_icmp monitor.
Type the IPv6 address(es) of one or more exit gateways (routers). Make sure those gateways route return traffic (e.g.,
packets addressed to intranet networks) to the exit-VLAN floating Self IP address. Click Add include additional addresses.
Gateways should respond to a gateway_icmp monitor.
This completes the egress device configuration for the separate device scenario. Continue with Logging Configuration on page 49.
Client configuration
If you chose the explicit proxy option (or both explicit and transparent), ensure that your network infrastructure routes packets
addressed to the explicit proxy address to the BIG-IP system.
If you selected the transparent proxy option (or both explicit and transparent), you must ensure the default route for all SSL (TLS)
clients whose traffic you want to inspect leads to a Self IP address configured on one of the ingress VLANs you selected for client-side
traffic on the ingress BIG-IP system (or the ingress BIG-IP device in a two-device configuration).
i Important As stated in the prerequisites, DO NOT configure your Sync-Failover device group for Automatic Sync. You must
manually synchronize the configuration using the following guidance.
2. In the Device Groups area of the screen, from the Name column, select the name of the relevant device group.
The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the
individual devices within the device group.
3. In the Devices area of the screen, in the Sync Status column, select a device.
4. From the Sync options list, select to either Sync Device to Group or Sync to Device.
5. Click Sync.
1. On the Main tab, click iApp > Application Services > name of your Application Service > Reconfigure.
2. M
ake any modifications to the template. If you modify in-line services, see Modifying or deleting an in-line service you already
created on page 10.
3. Click the Finished button.
1. Use the Reconfigure option on the Application service to re-enter the template.
2. In the Welcome section at the top, from the Do you want to remove this application service? question, select the Yes option.
3. From the Which step do you want to perform now? question, select First step-- remove floating objects.
4. Click Finished, and then synchronize the configuration.
5. Use the Reconfigure option to re-enter the template again.
6. From the Which step do you want to perform now? question, select Final step-- remove static objects (like VLANs).
7. Click Finished, and then synchronize the configuration.
8. Click iApps > Application Services, click the box next to the name of your iApp service and then click Delete.
! Critical Once you specify you want to delete the configuration, when you select either of the steps (first or final) and then
click Finished, the configuration objects are completely deleted. You cannot get them back unless you restore the
entire BIG-IP configuration from a previous archive.
Backing up the BIG-IP configuration before starting the configuration (or before major changes to the iApp)
Before beginning the iApp configuration, or before you make substantial changes, we strongly recommend you back up the BIG-IP
configuration using the following guidance. This allows you to restore the previous configuration in case of any issues.
For more details, complete instructions, and other considerations for backing up and restoring the BIG-IP configuration, see SOL
13132 on Ask F5: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13132.html.
Client Connection
No
Bypass
No
Reject
TLS Client No
Hello? Classifier Phase: No-TLS
Yes
The classifier has a set of rules for TCP connections, and another set of rules for UDP when UDP service chains are enabled.
No TLS phase
When a connection does not use TLS the classifier can recognize the application protocol (such as HTTP) for that connection as
it starts. A classifier rule which applies in this No TLS phase can select a service chain which will not change during the life of the
connection. Since UDP connections never use TLS, UDP classifier rules have only one matching phase, which is equivalent to the
TCP No TLS phase.
Things are different when a connection does use TLS. The three classifier phases in that case are "Pre-handshake," "Handshake,"
and "Intercepted."
Pre-handshake phase
The classifier matches Pre-handshake rules in the interval after recognizing that a connection will use TLS (because the client has sent
a TLS Client Hello message) but before SSL Intercept attempts TLS handshakes with the server or client. Only in the Pre-handshake
phase is it possible to totally bypass TLS interception; that is, to allow the client to establish a TLS channel to the server without any
disturbance from the SSL Intercept solution. Pre-handshake rules may only select the special reject or bypass chains because in
order to get data to run through a regular service chain the SSL Intercept solution must participate in TLS handshakes— and then the
classifier can match rules in the Handshake or Intercepted phases.
In the Pre-handshake phase the classifier does not yet know the verified name(s) of the server because a TLS handshake with the
server is needed to get that information. Therefore Pre-handshake rules match server names in a special manner called Dynamic
Domain Bypass (DDB) matching which is detailed in Dynamic Domain Bypass on page 55. DDB matching is just like Name
matching except the server name which DDB (and URLF) classifier rules match in the Pre-handshake phase is taken from the Server
Name Indication (SNI) value supplied in the TLS Client Hello message and validated in a special way using DNS. As explained on
page 55, DDB makes it possible to match server-names and URL Filtering categories securely in the Pre-handshake phase.
Handshake phase
The classifier matches Handshake-phase rules after performing a TLS handshake with the remote server but before completing a
TLS handshake with the client. Sometimes SSL Intercept will use cached information about the server in lieu of completing an extra
handshake with it. In this phase, the server's verified names are available from its PKI certificate to support normal Name and URLF
matching. Most commonly, decisions to bypass based on server identity or URL Filtering category are made in the Handshake phase
using the reliable name information available in this phase. A regular service chain (or reject) may also be chosen in this phase. If the
connection is not rejected or bypassed, it is intercepted, which means that the TLS armor is stripped from the flow so the application
protocol data inside it can be serviced/inspected by the service chain.
When the classifier finds no matching rule for a TLS connection in the Pre-handshake or Handshake phase it selects the default
service chain, which is commonly all. That means the connection is intercepted (decrypted), giving the classifier one last chance to
find a matching rule in the Intercepted phase.
Intercepted phase
In the Intercepted phase the classifier matches rules after it gets a chance to recognize the application protocol which was concealed
beneath TLS encryption in earlier phases. A rule which matches in this phase may override the service chain selected in an earlier
phase. If a client makes a TLS connection to server port 200, a Handshake-phase rule might select a service chain with only an IDS
service in it for that connection, because port 200 is not associated with any popular protocol. Stripping TLS from that connection,
however, might reveal that the real application protocol is HTTP (so the connection is really “HTTPS to a non-standard port”). An
Intercept-phase rule could then replace the service chain with one that includes an ICAP anti-malware service as well.
A classifier rule might change the service chain to bypass in the Intercepted phase. At that point it is too late to avoid decrypting the
TLS connection, so the SSL Intercept solution simply forwards the application data through a TLS connection to the remote server
without steering it through any local services, so no cleartext data ever leaves the BIG-IP system.
Pre-handshake rules match TLS connections early, using SNI values tempered by DNS lookups to match server names (called DDB
instead of Name as a sort of reminder) and URL Filtering categories (as explained later).
Otherwise, classifier rules may match according to: server IP address; server port; server geolocation; server IP reputation; server
name; and server URL Filtering category; as well as application protocol.
Note that protocol Any means any protocol, but Other means any protocol other than HTTP, Mail, SSH, or DNS.
In every phase, when the matching expression in a rule uses a data-group lookup (@data-group), the service-chain selection may also
be taken from that data group, overriding the (default) service chain specified at the end of the rule.
Multiple-Name Matching
Often a TLS server will have multiple names, perhaps with wildcards, to identify the services it hosts. When a client uses SNI to
name the service it wants to contact and that name is one the server owns (per the server's certificate, according to RFC 6125), then
the classifier will use precisely that name for rule matching. For example, when a client asks (using SNI) for www.f5.com and the
server certificate names both f5.com and *.f5.com, the classifier will use www.f5.com to match Name and URLF rules (URL Filtering
categories are keyed by server name). When a client does not supply an SNI value (or the SNI is invalid) the classifier cannot know
which of the server's names is the right one for the connection, so the classifier uses all of the server's names to match Name rules.
For URLF matching when there is no SNI, the classifier looks up the URL Filtering category of the server's first non-wildcard name, or
when all the server's names have wildcards, the URLF category of the parent domain of the first wildcard name (the example.com part
of *.example.com). Classifier CPU cycles are minimized when clients use SNI.
The match score for an IP address match (client/Src or server/Dst) is the length of the IPv6 CIDR mask for the address in the rule
plus 1. For example, every exact (host) IP match has a match score of 129. The match scores for IPv4 subnets are scaled up to IPv6
proportions so that an IPv4 /24 (Class C) roughly equals an IPv6 /64. A rule with an exact (host) match for both Src and Dst IP would
have a final match score of 258 (which is the highest possible match score). A rule for which neither Src nor Dst matches at all has a
The match scores for other criteria are based on the precision and accuracy of each criterion. For example, the score for an exact
server-name (domain-name) match is 129 like the score for an exact (host) address match. However, the score for a partial name
match depends on the number and type of components and wildcards in the name-matching expression. A match to *.com, for
example, has a score of 32. The match score for example.com is 48. For svr[0-9].example.com, 64.
For IP gelocation, matching a continent yields a score of 16 and matching a country is worth 24. An IP Intelligence (reputation)
category match scores 40. A URL Filtering category match has a score of 32. The score for an exact TCP or UDP port match is 17,
and port-range match scores are equal to (17 - log2(size-of-range)), so narrow ranges have higher scores (for example, port range
20-21 is worth 16 while port range 52000-57000 would score only 5).
You can test and review the ways your classifier rules match using the Service Chain Classification Previewer (see Service Chain
Classification Previewer on page 42).
Dynamic Domain Bypass works as follows: when the classifier selects a service chain on the basis of an SNI value supplied by the
client (for example, when matching rules in the Pre-handshake phase), SSL Intercept independently resolves that SNI domain name
to one or more IP addresses, using DNSSEC for verification when possible. If the server (destination) address specified by the client
is one of the addresses obtained by SSL Intercept, the connection is made to that address. Otherwise, SSL Intercept replaces the
server address specified by the client with one that it trusts (because it has independently obtained and verified it). This frustrates any
malicious client which tries to fool gateways like SSL Intercept into allowing connections to malicious server IP’s by placing domain
names of trusted servers into SNI. With DDB, when a client uses SNI to ask for a connection to a trusted domain, that client gets a
connection to that trusted domain—only. Legitimate clients are satisfied, and malicious clients are frustrated.
The DDB process inside SSL Intercept supports server persistence for good application performance.
4. Click Update.
First, ensure you can reach download.websense.com on port 80 from the BIG-IP command line (using curl for example).
Next, from the BIG-IP command line, use the following commands to view and update the URL category database.
tmsh list sys url-db download-result
This command lists the current version number for the master and real-time security update URL category databases.
tmsh list sys url-db
This command lists the configuration settings for the URL categorization database.
tmsh list sys url-db url-category
This command lists the current URL categories.
tmsh modify sys url-db download-schedule urldb start-time HH:MM end-time HH:MM
This command schedules a daily download of the URL categorization database between what you configure as the “start-time” and
“end-time”.
tmsh modify sys url-db download-schedule urldb download-now true
This command initiates a one-time download of the URL categorization database.
i Important W
e strongly recommend using the download-schedule command to set up regular, recurring downloads of the
URL category database.
For more information on these and other TMSH commands, see the Traffic Management Shell (tmsh) Reference Guide for the BIG-IP
version you are using. For example, if you are using BIG-IP version 12.0, the guide can be found at:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmsh-reference-12-0-0.html.
ICAP servers are responding with 400-level errors when they should be giving 200 or 204 messages
If you experience a scenario where traffic is sent to an ICAP server in the service chain, and the ICAP server response is a 400 level
error when it should respond with a 200 or 204 message, use the following guidance.
In answer to the What is the ICAP Request processing URI? and What is the ICAP Response processing URI, use the whole request
string, including the request/response URI, for example, icap://${SERVER_IP}:${SERVER_PORT}/reqmod.
You may experience a "cannot delete" error in certain situations after configuring the Egress device to send traffic to the
Internet via specific gateways
You may receive an error stating an object cannot be deleted because it is in use by a static route if, in the Egress device
configuration (or the Egress side of a single device), you specified that traffic should go to the Internet via specific gateways, and
then configured gateway addresses. The error will look similar to the following:
The Pool (/Common/intercept.app/intercept-70) cannot be deleted because it is in use by a static route (/Common/
intercept.app/intercept-70-tgt-4
Port ranges in classifier rules don't work and errors are logged
In the initial release of this solution, port ranges like "20-21" in classifier rules don't work. Port number lists like "20, 21" may be used
in lieu of port ranges.
Service-chain previewer rule list may not show some lower-scoring rules
In the initial release of this solution, the list of rules (other than the best-matching rule) which match a connection may not include
some rules with lower match scores.
.
1.0 New guide for the latest version of the iApp template, f5.ssl_intercept_svc_chain.v1.5.0. 08-23-2016
1.1 Updated the diagram and clarified some of the information in Understanding Service Chain Classification on page 52. 08-26-2016
Updated this guide for iApp version f5.ssl_intercept_svc_chain.v1.5.8. This version contains the following changes:
- In the General Information section of the iApp, there are new questions asking about how you want to handle
1.2 04-05-2017
SSLv3 and SSLv2 connections, as well as how to enforce TLS secure renegotiation. See questions 5-7 in General
Configuration on page 19.
- In the In-Line Services section of the iApp, there are new questions asking if Layer 3 services devices should see
real client IP and port, and if in-line services devices may initiate their own network traffic via outward VLANs. See
questions 3 and 4 in In-line Services on page 23.
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified
at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 0412