ASM deployment

Question

I have SLB in Reverse proxy mode for 3 internal vlan traffic.For those 3 vlan i'm using trunk on my slb for internal network. After the SLB i have WAF in Inline mode. Traffic is passing. i want to know how can i inspect the HTTPS traffic.

shopkeeper56_23 · Accepted Answer

You will need to set up your Big IP for SSL interception via Transparent Proxy.&nbsp;
Here is F5's guide on the process.&nbsp;
https://www.f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf&nbsp;

deepak_k_226543 · Answer

Nice Thanks

jason_meurer_39 · Answer

The SSL Intercept deployment is intended for outbound (forward proxy) traffic and may not be the correct solution here.  Is your issue that the WAF you have deployed cannot sit on the Trunked ports or that the traffic on the server side connection is HTTPS encrypted?

If the issue is that the server side connection is encrypted, you will want to ensure you are using an RSA based SSL cipher on the server side connection.  Most WAFs can import your RSA based key and decrypt in flight.  DHE/ECDHE based ciphers prevent L2 based WAFs from sitting inline.

shopkeeper56_23 · Answer

^ this is correct. I might have misunderstood the OP's question. I thought his/her intention was to inspect outgoing. I assumed any incoming SSL would be terminated on the Big IP, thus already visible for ASM.

Forum Discussion

ASM deployment

4 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Where are F5's archived deployment guides?

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

F5 BIG-IP deployment with OpenShift - multi-cluster architectures

F5 BIG-IP deployment with OpenShift - platform and networking options

Ensuring Security in Continuous Integration and Continuous Deployment (CI/CD) Pipelines