
SSL forward proxy integration with FireEye to inspect HTTPS

We are trying to integrate F5 with FireEye to be able to inspect HTTPS traffic with the FireEye NX solution.

We started off by creating a simple SSL forward proxy setup to verify the SSL proxy functionality as follows. We used the iApp f5.airgap_egress.v1.0.0rc4 and modified some details; for example, we created a separate virtual server for port 443 for testing purposes.


Considerations

Some applications, like Skype, do not work when SSL interception is enabled. A full list of host names and destination IPs of traffic that cannot be decrypted and has to be excluded is needed. SSL forward proxy only works if the clients' default gateway is a self IP of the F5. If an external gateway is used, traffic is not intercepted or matched by the virtual servers. SNAT has to be enabled, otherwise connections are not established. The downside is that FireEye is unable to see the original source IP address. Perhaps the HTTP header X-Forwarded-For will solve this.

SSL forward proxy with route domains

Lab setup

After setting up the basic SSL forward proxy we continued by creating two route domains. We created two routes: one from route domain 0 to route domain 1 and one from route domain 1 to the external router. For your information, we used only one BIG-IP device.


Considerations

All traffic (UDP, HTTP) works fine, but HTTPS always results in an SSL error message, because there are two SSL client sessions.


To be able to decrypt the traffic and forward it unencrypted from route domain 0 to route domain 1, we have to disable SSL on the server side of the wildcard 443 virtual server in route domain 0, and we have to disable client-side SSL on the SSL wildcard virtual server located in route domain 1 so that it accepts unencrypted connections. The following iRule is used to simply disable SSL on the server side communicating towards route domain 1.


On the SSL wildcard virtual server in route domain 1 we disable the client SSL profile and enable server SSL to re-encrypt the connection.


Now when we try to open an SSL website like gmail.com we receive the following error. It happens with every SSL website w

In Wireshark we observe that the handshake to the Gmail website is failing, but the client-side proxy SSL connection is successfully set up with TLS 1.2. The TLS session towards Google is TLSv1, so perhaps that's the problem here.


Does anyone have some recommendations why this is happening?

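As an added example (not the poster's own iRule, which is only present as an image, and not F5's code), this is how the two points raised in the question can be expressed together in an iRule on the wildcard 443 virtual server in route domain 0: disable SSL on the server side so the decrypted traffic is handed to route domain 1 in the clear, and insert an X-Forwarded-For header so the inspection device behind SNAT still sees the original client IP. It assumes the virtual server has a client SSL profile, a server SSL profile and an HTTP profile attached.

```tcl
# Added example iRule (not from the original post). Assumes the RD0 wildcard
# 443 virtual server carries clientssl, serverssl and http profiles.
when CLIENT_ACCEPTED {
    # Decrypt on the client side only: the server-side leg towards the
    # route domain 1 virtual server stays in cleartext so it can be inspected.
    SSL::disable serverside
}

when HTTP_REQUEST {
    # SNAT hides the client address from the inspection device, so carry the
    # original source IP in X-Forwarded-For. Remove any client-supplied copy
    # first so an untrusted value is not passed through.
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
```

The route domain 1 virtual server then re-encrypts with its server SSL profile as described in the post; the header insertion only helps for HTTP traffic, so non-HTTP flows still arrive with the SNAT address.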
Comments on this Question
Comment made 27-Jan-2018 by Marvin 412

Some images got mixed up from another article, I don't know why; please take that into account. The first picture shouldn't appear here, and neither should the 4th, 5th and 6th.

https://devcentral.f5.com/questions/internal-gtm-integrate-with-external-ltm-57694


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Update on the original test:

Considerations

Some applications, like Skype, do not work when SSL interception is enabled. A full list of host names and destination IPs of traffic that cannot be decrypted and has to be excluded is needed. SSL forward proxy only works if the clients' default gateway is a self IP of the F5. If an external gateway is used, traffic is not intercepted or matched by the virtual servers. SNAT has to be enabled, otherwise connections are not established. The downside is that FireEye is unable to see the original source IP address. Perhaps the HTTP header X-Forwarded-For will solve this.

It is not needed to configure the F5 as the gateway when we have a VLAN group configured as a transparent layer 2 setup. Also, it is not needed to translate the original IP.

Comments on this Answer
Comment made 20-Feb-2017 by Harry 417

Hi Marvin,

Could you please let me know: if I don't want to change anything in my client or my deployed proxy solution, is it possible to connect BIG-IP SSL intercept inline? If yes, then what will be the physical connectivity and configuration points that need to be taken care of? Thanks

Comment made 20-Feb-2017 by Marvin 412

Hi Prak,

I never got this thing to work in a transparent layer 2 setup. I was in contact with F5 USA and they provided me a layer 3 topology, using a routed setup. I agree with you that the most preferred solution is layer 2 transparent, without the need to change anything in the current network infrastructure. I did get this to work with a different vendor (will not mention it here though). It should also work with F5, but I still don't know how to configure it; the thing is that there isn't a lot of documentation about this specific integration.

In a layer 2 setup it is needed to change the source MAC address on the F5 side to be able to separate the two TCP sessions at layer 2. Another thing to take into account is the bypass functionality; you could implement a bypass switch, for example, to realize this.

If you have an existing explicit proxy setup and you want to maintain it, and on the internal side you would like to decrypt and analyse the SSL traffic (with e.g. FireEye), you also need to configure proxy chaining to be able to decrypt and pass the explicit proxy traffic to the existing external proxy server. Actually you'll have a combination of a transparent proxy in the F5 and the existing external explicit proxy server.

In a layer 2 setup it is not needed to change anything in the proxy settings configuration on the client side (browser settings). In a layer 3 setup you'll need to re-architect the routing in the network.

Also a very important thing is that you need to bypass in the F5 the specific sites and/or categories that are already configured on the existing explicit proxy server. This way you will have a seamless implementation without any disruptions or problems with connectivity to certain specific websites. Take into account that the URL categories may be different depending on your current explicit proxy setup. F5 uses Websense. If these are different, then try to find the right match between them, or analyze the applications that are in use to be able to manually exclude them.

Feel free to contact me here or at marvindehaas@hotmail.com.

Comment made 20-Feb-2017 by Harry 417

Hi Marvin,

Thanks for your reply. Actually I have some details and key points on how we can deploy this solution in inline mode, but as per the solution it requires two IPs for both RDs, internal and external. But in the entire solution I don't see that these IPs are in use. Don't know why they are suggesting this?

Comment made 21-Feb-2017 by Marvin 412

Hi Prak, I also found it very strange, but indeed you need two IP addresses in both route domains to be able to pass the traffic from one to the other.

A 100% transparent solution does not use IP addresses, I totally agree, so this is something in the middle: actually a layer 3 setup, but after doing some fine-tuning it becomes "transparent".

As I mentioned before, I never got it working in a transparent mode. Of course I would like to share my experience with you and try to resolve it :-)
