Air Gap Egress Inspection with SSL Intercept iApp Template

Problem this snippet solves:

Note F5 has released a new F5 supported iApp template (f5.ssl_intercept) that replaces all versions of Air Gap template. Find the template and details on AskF5: https://support.f5.com/kb/en-us/solutions/public/k/75/sol75104042.html

We strongly recommend using the fully supported SSL Intercept iApp instead of any of the Air Gap release candidates.



This is the F5 supported Release Candidate iApp template (v1.0.0rc4) for configuring LTM to decrypt outbound SSL traffic for inspection by a security device, such as an Intrusion Prevention System (IPS). BIG-IP intercepts and decrypts HTTPS client traffic, and forwards it to:

  • Layer 2 mode: The internal self IP address of the egress BIG-IP. The security device sits between the ingress (client-side) and egress (internet-side) BIG-IPs. Two BIG-IP systems are required for this scenario.

  • Layer 3 mode: The layer 3 IP address of the security device. The security device must be configured to route outbound traffic to the internal self IP address of the egress BIG-IP. This scenario supports deployment on a single BIG-IP system configured with separate ingress and egress networks, or two BIG-IP systems.

After inspection, the egress BIG-IP re-encrypts the SSL traffic and forwards it to a pool of routers or other devices.

Optional: If the ingress BIG-IP system is running BIG-IP version 11.5.0 or later and has Secure Web Gateway (SWG) provisioned and URL Filtering licensed, users may choose to bypass SSL decryption for selected SWG URL categories.

The template includes support for using the network firewall (AFM must be licensed and provisioned) to restrict outbound access to specific networks/addresses. Support for explicit forward proxy is also included.

The iApp supports decrypting HTTPS traffic over any TCP port, the use of a default route for forwarding of egress traffic, and selecting LTM data groups for bypassing SSL intercept by hostname, source IP address, or destination IP address.

How to use this snippet:

To get this template, click the link to the F5 ESD site. Log in (or register), click Find a Download, and then click either BIG-IP v11 or BIG-IP v12, select your version from the drop-down list if necessary, and then click iApp Templates. Click the link to download the zip file, and then extract the RELEASE_CANDIDATE directory.

Code :

https://downloads.f5.com/esd/index.jsp
Published Nov 17, 2015
Version 1.0
iApps
security

Was this article helpful?

No CommentsBe the first to comment