SSL Orchestrator Use Case: SWGaaS
Introduction
BIG-IP 16.0 with SSL Orchestrator 9.0 has support for running Secure Web Gateway (SWG) “as a Service” inside the Service Chain. This allows you to take an existing F5 SWG solution and migrate or move it to the same BIG-IP as SSL Orchestrator.
Typical SWG features include:
User authentication (not covered here)Enforcement of an Acceptable Use Policy (AUP)
Website category database (google.com = Search Engines)
Logging and Reporting (not covered here)
A typical SWG deployment will have a Per-Session Policy that handles authentication. Then a Per-Request Policy that enforces the AUP.
User authentication (not covered here)
Refer to this Dev/Central Article for more information on this topic.
Enforcement of an Acceptable Use Policy (AUP)
A Per-Request Policy is used to enforce the AUP. You can find this from the Configuration Utility under Access > Profiles / Policies > Per-Request Policies. Click Edit for the Per-Session Policy and a new window like this should open:
This policy does a Protocol Lookup to determine if the content is HTTP, then performs a Category Lookup based on the host header in the URI. Response Analytics will check for malicious content and pass that information on to the URL Lookup Agent. The Category is compared to the URL Filter which maps URL categories to Allow/Deny Actions. As a final result the request is either Allowed or Denied (Reject).
Note: In a per-request SWG policy you would typically have a Protocol Lookup for HTTP and HTTPS. But in this case the SSL Orchestrator will perform SSL decryption so the SWG Service will receive plain-text, HTTP content. Therefore, this SWG policy is ready to be used with SSL Orchestrator.
Website category database (google.com = Search Engines)
The URL Filter is configured from Access > Secure Web Gateway > URL Filters.
Select CorporateURLFilter in this example.
This opens the Category editor. Different Categories and sub-categories are available to make Allow or Deny decisions. In this example the Games and Shopping categories have been set to Deny.
Logging and Reporting (not covered here) Refer to the AskF5 Knowledge Center for more information.
Configuration
Export / Import the SWG Per-Request Policy
The SWG Per-Request Policy is easy to export from one BIG-IP to another. From the Configuration Utility select Access > Profiles / Policy > Per-Request Policies.
Click Export then OK to save the policy.
The policy file can be directly imported into another BIG-IP device. On the Per-Request Policies screen click Import.
Give the Policy a name, click Browse to select the policy file then Import.
This policy is ready for SSL Orchestrator to use with SWGaaS. You can click Edit to verify the policy is correct.
Configure the F5 SWGaaS
From the SSL Orchestrator Configuration page select Services then click Add.
F5 Secure Web Gateway is available on the F5 tab. Double-click the icon to configure.
Give it a name. Set the Access Profile Scope to Profile. Set the Per Request Policy to the policy imported previously. Click Save and Next.
Add the newly created SWGaaS to an existing Service Chain or create a new one.
Select the F5_SWG Service on the left and click the right arrow to move it to the Selected column. Click Save.
Save & Next.
Then Deploy.
Test SWG Functionality
Note: be sure that a Security Policy has the Service Chain applied. Go to a client computer and test access to various web sites. News sites are allowed but Shopping is set to Block so sites like amazon.com and walmart.com should be blocked.
Details from espn.com. The padlock indicates the connection is encrypted. The Issued By field indicates that this was intercepted & signed by SSL Orchestrator.
Any attempts to visit a site categorized as Shopping or Games will be blocked.
The configuration is now complete.
