Forum Discussion

cpt_154228
Jun 26, 2017

Sending a traffic feed of decrypted TLS traffic to an external intrusion detection system

I'm trying to set up an intrusion detection system (Suricata) which inspects TLS decrypted traffic from our f5 (of VIPs on which we do TLS offloading).
My initial thoughts were that I could simply set up 'clone pools' or 'interface mirroring' [1], but based on what I've read in some other posts [2], both of these options will only result in encrypted traffic being made available. And that's not what I'm after -- we want a decrypted feed.
What's the recommended approach for achieving this?
[1] https://support.f5.com/csp/article/K13392
[2] https://devcentral.f5.com/questions/ssl-decryption-to-ids , https://devcentral.f5.com/questions/clone-pool-and-port-mirroring

1 Reply

  • Hi,
    You can do this by assigning the clone pool to the server side context:
    tmsh modify /ltm virtual 'virtual_name' clone-pools add { 'pool_name' {context serverside } }
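The following is an added example, not code from the original thread and not an F5 tool: a small preflight check that reads the output of `tmsh list ltm virtual <name>` and reports whether the cloned feed will actually be plaintext. The two listings below are constructed to look like tmsh output for a hypothetical virtual server `vs_https_offload` with a hypothetical IDS clone pool `pool_ids` and a hypothetical server-ssl profile `serverssl`; none of those names come from the page.

```python
"""Preflight check for a decrypted clone-pool feed to an IDS.

Added example, not from the original post or from F5. It parses the
brace-delimited listing printed by `tmsh list ltm virtual <name>` and
reports whether traffic cloned to the sensor will be plaintext: the clone
pool must be attached in the serverside context, and the virtual server
must not re-encrypt towards its pool with a server-ssl profile.
"""

# Constructed sample (hypothetical names): the listing you would expect
# after `tmsh modify ltm virtual vs_https_offload clone-pools add { pool_ids { context serverside } }`
# on a VIP that terminates TLS with a client-ssl profile and talks plain HTTP to pool_web.
SAMPLE_OFFLOAD = """\
ltm virtual vs_https_offload {
    clone-pools {
        pool_ids {
            context serverside
        }
    }
    destination 10.0.0.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_web
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
"""

# Constructed variant: the same VIP, but re-encrypting to the pool with a
# server-ssl profile. The serverside clone is ciphertext again, so the IDS
# would see nothing useful.
SAMPLE_REENCRYPT = SAMPLE_OFFLOAD.replace(
    "        http { }\n",
    "        http { }\n        serverssl {\n            context serverside\n        }\n",
)


def parse_tmsh(text):
    """Turn a tmsh listing into nested dicts: blocks become dicts, leaves become strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):            # empty block, e.g. `http { }`
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):              # block opener, e.g. `clone-pools {`
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:                                 # leaf, e.g. `context serverside`
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def clone_feed_status(listing):
    """Report where the clone pool sits and whether the cloned bytes will be plaintext."""
    cfg = parse_tmsh(listing)
    header, vs = next(iter(cfg.items()))     # e.g. "ltm virtual vs_https_offload"
    profiles = vs.get("profiles", {})
    clones = vs.get("clone-pools", {})
    serverside_clones = [p for p, a in clones.items() if a.get("context") == "serverside"]
    clientside_clones = [p for p, a in clones.items() if a.get("context") == "clientside"]
    # Only SSL profiles are applied with a clientside/serverside context.
    client_ssl = [p for p, a in profiles.items() if a.get("context") == "clientside"]
    server_ssl = [p for p, a in profiles.items() if a.get("context") == "serverside"]
    return {
        "virtual": header.split()[-1],
        "serverside_clone_pools": serverside_clones,
        "clientside_clone_pools": clientside_clones,
        "client_ssl_profiles": client_ssl,
        "serverside_ssl_profiles": server_ssl,
        # Plaintext feed: TLS is terminated on the VIP, the clone is taken on
        # the server side, and nothing re-encrypts before the pool.
        "decrypted_feed": bool(client_ssl) and bool(serverside_clones) and not server_ssl,
    }


if __name__ == "__main__":
    for name, sample in (("offload", SAMPLE_OFFLOAD), ("re-encrypt", SAMPLE_REENCRYPT)):
        print(name, clone_feed_status(sample))
```

The serverside clone carries exactly what the virtual server sends to its pool, which is why it is the right context here and a clientside clone is not: the client side is where the still-encrypted TLS from the browser arrives. For the same reason the feed is only plaintext when the VIP is a true offload VIP; if a server-ssl profile re-encrypts towards the pool members, the cloned copy is re-encrypted too and the sensor gains nothing. On a live unit, feed `tmsh list ltm virtual <name>` into `clone_feed_status` instead of the constructed samples.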