Forum Discussion

Michael_Koyfma1
May 12, 2005

Bi-directional traffic cloning possible?

Is it possible to clone traffic bi-directionally using iRules? Clone Pool functionality is only uni-directional – ingress traffic on VIP is being cloned to another pool. But there is a desire to clone response from servers to the probe pool as well. Is it possible to do it using iRules (taking advantage of SERVER_DATA event)?

4 Replies

  • unRuleY_95363
    Historic F5 Account
    This is not true, at least not intentionally. Clone pool functionality is bi-directional. It does clone both ingress and egress packets (at least that is how it is implemented). If this is not working for you, please contact support.

    You can also configure the clone pool to be on the clientside and/or the serverside. This distinction is important for cases where the BigIP is modifying the content, such as when terminating SSL. Cloning on the clientside would copy the encrypted traffic whereas cloning on the serverside would copy the unencrypted traffic.

    To answer the second part of your question, though you could certainly set up a rule to trigger when server data arrives, we currently don't have a mechanism for outputting that packet to another destination.

  • So, are you saying that if I set up serverside pool cloning and terminate SSL on the BigIP, we will clone not only ingress traffic on the VIP to the clone pool but the response from the main server pool nodes as well? What happens if both ServerSide and ClientSide SSL profiles are used (i.e. BigIP terminates SSL, examines traffic, and then reencrypts and sends to the server)? Is it possible to clone the unencrypted traffic? Thanks a lot once again.

  • unRuleY_95363
    Historic F5 Account
    Yes, both ingress and egress get cloned regardless of side.

    As for serverside re-encryption - currently, the re-encrypted traffic gets copied to the clone pool (we clone at ip input/output). We do have a feature request already on file for being able to clone the unencrypted traffic when serverside re-encryption is in effect.
  • As for serverside re-encryption - currently, the re-encrypted traffic gets copied to the clone pool (we clone at ip input/output). We do have a feature request already on file for being able to clone the unencrypted traffic when serverside re-encryption is in effect.

    I was hoping to find some way of doing exactly this.