Forum Discussion

Mike12345's avatar
Mike12345
Icon for Nimbostratus rankNimbostratus
Jul 28, 2024

F5 LTM SSL Bridging - send decrypted traffic to clone pool

Hi,

I'm trying to lab a scenario I was asked about at work. Whether it is possible to send decrypted TLS/SSL traffic to an IDS through the clone pool. I have seen an overview stating this is possible, but when I have built my lab the traffic being sent to the IDS is still encrypted.

I have the rootCA certificate added to the server-ssl profile and it is using the 'serverssl-secure' parent profile.

The client-ssl profile I have created has a certificate for the URL generated from the F5s CSR by the private (lab) CA.

Does anyone have any idea why the clone pool is still forwarding TLS traffic rather than the decrypted plain HTTP traffic

Thanks

 

  • Very simply, in the proxy "HUD" chain, a clone pool sits at layer 2, whereas TLS decryption happens at layer 6. In other words, you're seeing encrypted traffic at the clone pool because decryption hasn't happened yet.

    To get decrypted traffic to a clone pool you have to get past layer 6. If you're not re-encrypting to the server, you can put the clone on the server side of the proxy. If you are re-encrypting to the backend, then you'd need a VIP-target solution:

    client-side VIP --> (vip target) --> server-side VIP

    The client-side VIP has a client SSL profile and an iRule that VIP targets to the server-side VIP that has the server SSL profile. You can then put your clone pool on the server side (inside) of the client-side VIP, or client side (inside) of the server-side VIP.

     

  • Very simply, in the proxy "HUD" chain, a clone pool sits at layer 2, whereas TLS decryption happens at layer 6. In other words, you're seeing encrypted traffic at the clone pool because decryption hasn't happened yet.

    To get decrypted traffic to a clone pool you have to get past layer 6. If you're not re-encrypting to the server, you can put the clone on the server side of the proxy. If you are re-encrypting to the backend, then you'd need a VIP-target solution:

    client-side VIP --> (vip target) --> server-side VIP

    The client-side VIP has a client SSL profile and an iRule that VIP targets to the server-side VIP that has the server SSL profile. You can then put your clone pool on the server side (inside) of the client-side VIP, or client side (inside) of the server-side VIP.

     

    • Mike12345's avatar
      Mike12345
      Icon for Nimbostratus rankNimbostratus

      So essentially the cloe ports pick up the traffic too early i the service process. eg prior to using i-rules for traffic manipulation.

      To use clone pools to view plain HTTP traffic two sets of services are needed
      two services "SSLO Offload" (decrypt) and "SSL Onload" (encrypt) and place the clone pool on the server side of the first service.



      • Kevin_Stewart's avatar
        Kevin_Stewart
        Icon for Employee rankEmployee

        Yes, or client side of second VIP.

        I'd also comment that SSL Orchestrator will also do this for you automatically, and also enable a policy to dynamically control decryption and traffic steering.

    • Mike12345's avatar
      Mike12345
      Icon for Nimbostratus rankNimbostratus

      A short course on i-rules and I managed to get something working as a POC.
      Thanks for the pointers.

      I totally agree this is much easier if you have SSLO running on the appliance

  • No exact experience, but this article suggests you will have to internally forward to another virtual server unencrypted and from there do the encryption again.

    https://clouddocs.f5.com/training/community/firewall/html/class1/module1/lab7.html

    In this solution, since the BIG-IP is terminating SSL, traffic is forwarded to the secondary virtual server in clear-text so that an unencrypted copy of the application traffic is sent to an external sensor such as an IDS for further security assessment.