F5 Herculon SSL Orchestrator: Setup, Version 13.1-3.0


Summary of Contents for F5 Herculon SSL Orchestrator

  • Page 1 Herculon SSL Orchestrator: Setup, Version 13.1-3.0...
  • Page 3: Table Of Contents

    Exporting configurations for deployment (36); Setting up Herculon SSL Orchestrator in a High Availability Environment (39); Overview: Setting up Herculon SSL Orchestrator in a high availability environment (39); Task summary for deploying in a high availability environment (40); Installing an updated RPM file (41); Configuring the network for high availability...
  • Page 4 Verifying the RPM file version on both devices (45); Configuring general properties and redeploying (45); Reviewing error logs and performing recovery steps (45); Using Herculon SSL Orchestrator Analytics (47); Overview: About Herculon SSL Orchestrator analytics (47); About analytics dashboard capabilities (47); Timeline capabilities (48); Customizing timeline capabilities (48); Chart capabilities...
  • Page 5: What Is F5 Herculon SSL Orchestrator

    SSL orchestration analytics that you can easily customize across multiple dimensions based on specified ranges of time. The Herculon SSL Orchestrator single platform for unified inspection allows the greatest flexibility without architectural changes, preventing new blind spots from emerging.
  • Page 6 What is F5 Herculon SSL Orchestrator?
  • Page 7: Terminology For Herculon SSL Orchestrator

    BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic (that is, plaintext) passing through it to an inspection device. You can configure up to ten receive-only services using Herculon SSL Orchestrator. For more information on receive-only services, refer to the Creating receive-only services for traffic inspection section.
  • Page 8 • Service chains Herculon SSL Orchestrator service chains process specific connections based on classifier rules, which look at protocol, source and destination addresses, and so on. These service chains can include the four types of services you define (Layer 2 inline services, Layer 3 inline services, receive-only services, and ICAP services), as well as any decrypt zone between separate ingress and egress devices.
  • Page 9: Configuring The System For F5 Herculon SSL Orchestrator

    Configuring the System for F5 Herculon SSL Orchestrator Overview: Configuring the system for F5 Herculon SSL Orchestrator To set up your system for decrypting and encrypting outbound SSL/TLS traffic, you need to use the F5 Herculon SSL Orchestrator Setup Wizard, which initially guides you through basic minimal setup configuration.
  • Page 10 Note: If you plan to later use the DNSSEC option in the configuration utility, you must set up DNS using the Herculon SSL Orchestrator Setup Wizard. Otherwise, this step is optional. 13. Specify the Self IP settings for the internal network: a) In the Address field, type a self IP address.
  • Page 11: Backing Up Your BIG-IP Configuration

    Refer to the Backing up the BIG-IP Configuration section of this document for more information. You can modify your existing Herculon SSL Orchestrator configuration if you need to make changes. 1. On the Main tab, click SSL Orchestrator > Configuration.
  • Page 12: Diagnosing Your Herculon SSL Orchestrator Deployment

    Configuring the System for F5 Herculon SSL Orchestrator See the Diagnosing your Herculon SSL Orchestrator deployment section for more detailed information on how to monitor the success or failure of your device undeployment. If successful, your entire configuration is now removed from your system.
  • Page 13: Setting Up A Basic Configuration

    Herculon SSL Orchestrator configuration utility. Note: By default, during the Herculon SSL Orchestrator deployment process, the system database value for Traffic Management Microkernel (TMM) fast forward is automatically disabled (set to “false”). To ensure your Herculon SSL Orchestrator deployment works properly, make sure the system database value for TMM fast forward remains disabled throughout the deployment.
  • Page 14 Setting Up a Basic Configuration Note: When configuring a single device Herculon SSL Orchestrator transparent proxy in front of an explicit proxy, Herculon SSL Orchestrator can transparently intercept SSL traffic tunneled through an explicit proxy and selectively forward the decrypted user traffic through the security service chain for proper inspections.
  • Page 15: Configuring Logging

    2. Scroll down to the Logging Configuration area to the What SSL Intercept logging level do you want to enable? list, and select the level of logging you want the system to perform. • Use Errors to log only functional errors related to how Herculon SSL Orchestrator functions. •...
  • Page 16: Configuring An Ingress And Egress Device On One System

    5. Click Save. You have configured logging options and completed the basic Herculon SSL Orchestrator configuration. Configuring an ingress and egress device on one system The ingress device is either a device or a Sync-Failover device group where each client sends traffic. The egress device is either a device or a Sync-Failover device group that receives traffic after a connection travels through the specified service chain and directs the traffic to the final destination.
  • Page 17 F5 Herculon SSL Orchestrator: Setup 5. From the Which is the SSL Forward Proxy CA private key? list, select the corresponding private key. You import the CA certificate and private key while configuring the Setup Wizard. If you did not use the Setup Wizard, you must import a CA certificate before you can use this functionality.
  • Page 18: Configuring An Ingress Device (For Separate Ingress And Egress Devices)

    Setting Up a Basic Configuration • If you want outbound/Internet traffic sent out using the default route on the BIG-IP system, select No, send outbound/Internet traffic via the default route and proceed to step 19 to save. • If you want to define a list of gateways (routers) to handle outbound SSL traffic (and control the share of traffic each is given), select Yes, send outbound/Internet traffic via specific gateways and proceed to step 18.
  • Page 19 F5 Herculon SSL Orchestrator: Setup 7. In the What is the control-channel pre-shared key? field, type a pre-shared key (PSK) value to enable cryptographic protection of the service chain control channel between the ingress and egress devices. 8. From the Which IP address families do you want to support? list, select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
  • Page 20: Configuring An Egress Device (For Separate Ingress And Egress Devices)

    Setting Up a Basic Configuration • In the What are the IPv4 decrypt zone gateway addresses? field, type the IPv4 gateway addresses. Proceed to step 22 to save. • In the What are the IPv6 decrypt zone gateway addresses? field, type the IPv6 gateway addresses.
  • Page 21 F5 Herculon SSL Orchestrator: Setup If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  • Page 22 Setting Up a Basic Configuration • In both the What are the IPv4 outbound gateway addresses? and What are the IPv6 outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to step 18. Click the + button to add additional addresses. You can enter multiple gateways if you have multiple systems and wish to load balance across them.
  • Page 23: Configuring The System For Transparent Proxy

    You have now configured Herculon SSL Orchestrator to work in transparent proxy mode. This section describes only the fields, lists, and areas needed to configure Herculon SSL Orchestrator to work in transparent proxy mode. You should also complete the other areas in General Properties before moving on to create services and service chains.
  • Page 24: Configuring The System For Both Transparent And Explicit Proxies

    You have now configured Herculon SSL Orchestrator to work in explicit proxy mode. This section describes only the fields, lists, and areas needed to configure Herculon SSL Orchestrator to work in explicit proxy mode. You should also complete the other areas in General Properties before moving on to create services and service chains.
  • Page 25 You have now configured Herculon SSL Orchestrator to work in both transparent and explicit proxy modes. This section describes only the fields, lists, and areas needed to configure Herculon SSL Orchestrator to work in both transparent and explicit proxy modes. You should also complete the other areas in General...
  • Page 26 Setting Up a Basic Configuration...
  • Page 27: Creating Services, Service Chains, And Classifier Rules

    Layer 3 inline services require you to select the IP address of the service devices from the choices presented in the Herculon SSL Orchestrator configuration. If you are using Layer 3 inline services, this configuration sends and receives information from the services using a pre-defined set of addresses.
  • Page 28 Routes:
    • Default Gateway: 198.19.x.245
    • Gateway to internal networks: While the base address can be changed if needed, F5 recommends leaving it set to the default: 198.19.0.0
    You have now configured an inline service for Herculon SSL Orchestrator.
  • Page 29: Creating ICAP Services

    If you select Custom, the Request and Response fields are empty and the entire URI content must be manually entered. In this case, Herculon SSL Orchestrator will not load balance traffic across the configured ICAP servers. For example, if the request URI for the ICAP server will be “icap://icap.example.com/request”, you enter the entire URI into the request field.
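    In Custom mode the request and response URIs are entered in full, so it is worth knowing what the product is being handed. The following is an added example written for this page, not F5 code: it parses an icap:// URI per RFC 3507 (icap scheme, host, default port 1344, path), rejects malformed values before they reach the configuration, and builds the opening lines of a REQMOD request that carries that URI. The sample URI is the one the manual uses; the HTTP request in the usage block is constructed.

```python
"""Parse an ICAP service URI and build a REQMOD request carrying it.

Added example for this page, not F5 code. Custom mode takes a full
icap:// URI; this shows how such a URI breaks down per RFC 3507 and
what the first lines of a REQMOD request built from it look like.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

ICAP_DEFAULT_PORT = 1344  # RFC 3507, section 4.2


@dataclass(frozen=True)
class IcapUri:
    host: str
    port: int
    path: str

    def __str__(self) -> str:
        port = "" if self.port == ICAP_DEFAULT_PORT else f":{self.port}"
        return f"icap://{self.host}{port}{self.path}"


def parse_icap_uri(uri: str) -> IcapUri:
    """Validate an icap:// URI so a typo in the Custom field is caught
    before deployment rather than showing up as a failed service."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "icap":
        raise ValueError(f"scheme must be icap, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("ICAP URI must name a host")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment have no meaning in an ICAP service URI")
    port = parts.port if parts.port is not None else ICAP_DEFAULT_PORT
    return IcapUri(parts.hostname.lower(), port, parts.path or "/")


def build_reqmod(uri: IcapUri, http_request: bytes, body: bytes = b"") -> bytes:
    """Build a REQMOD request. The encapsulated HTTP request header sits at
    offset 0; a body, if any, follows it in chunked encoding (RFC 3507 4.4.1)."""
    if body:
        encapsulated = f"req-hdr=0, req-body={len(http_request)}"
        payload = http_request + f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_request)}"
        payload = http_request
    head = (
        f"REQMOD {uri} ICAP/1.0\r\n"
        f"Host: {uri.host}\r\n"
        f"Encapsulated: {encapsulated}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + payload


if __name__ == "__main__":
    # Constructed input: the manual's example URI and a minimal HTTP request.
    u = parse_icap_uri("icap://icap.example.com/request")
    req = build_reqmod(u, b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    print(req.decode("ascii"))
```

    The parser lowercases the host and fills in port 1344 only when the URI omits it, so two spellings of the same service compare equal; a non-icap scheme, a missing host, or a query string is rejected outright rather than silently passed to the service.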
  • Page 30: Creating Receive-Only Services For Traffic Inspection

    Receive-only services only receive traffic for inspection and do not send the traffic back to the BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic passing through the service to an inspection device. You can configure up to ten receive-only services using the F5...
  • Page 31: Creating TCP Service Chain Classifier Rules

    In addition, you can also choose to send decrypted or non-decrypted traffic to the inspection devices. Note: When configuring a single device Herculon SSL Orchestrator transparent proxy in front of an explicit proxy, Herculon SSL Orchestrator can transparently intercept SSL traffic tunneled through an explicit proxy and selectively forward the decrypted user traffic through the security service chain for proper inspections.
  • Page 32 Use Normal if the rule may match TLS connections at TLS handshake time and possibly again, more specifically, after Herculon SSL Orchestrator exposes the plaintext of the TLS connection (so you can manage HTTPS on nonstandard ports, for example). Normal rules may also match non-TLS traffic (so, for example, a single rule can handle both HTTPS and HTTP).
  • Page 33: Creating UDP Service Chain Classifier Rules

    By default, the Decrypt check box is turned on and cannot be changed unless you have set the Phase field to Pre Handshake and the Service Chain classifier to All. Note: If you have upgraded to a new Herculon SSL Orchestrator version, or are using a previous configuration, the Decrypt check box is selected by default.
  • Page 34 Creating Services, Service Chains, and Classifier Rules destination, and the application protocol. Filters can also overlap, so the best matching classifier determines the service chain for a specific connection. Finally, classifiers can reject a connection or allow it to bypass the service chain. 1.
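    The three classifier pages above (Normal versus Pre Handshake phase, the Decrypt check box, and best-match selection with bypass) describe a two-pass evaluation that is easier to see in code. The following is an illustrative model added for this page, not Herculon SSL Orchestrator code: the rule fields, chain names, and sample connections are all constructed. It shows why a Normal rule keyed on the application protocol can catch HTTPS on a nonstandard port only after the plaintext is exposed, why the same rule matches plain HTTP on the first pass, and why a bypass decision taken at handshake time ends evaluation.

```python
"""Two-phase classifier model for the Normal versus Pre Handshake distinction.

Illustrative model added for this page, not Herculon SSL Orchestrator
code; rule fields, chain names and sample connections are constructed.
A Pre Handshake rule is evaluated once, with what the TLS ClientHello
exposes (port, SNI). A Normal rule is evaluated then too, and again
after the plaintext is exposed, so it can also match on the application
protocol inside the TLS session. For non-TLS traffic the protocol is
visible on the first pass already.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Connection:
    dst_port: int
    is_tls: bool
    sni: Optional[str] = None            # visible at handshake time
    app_protocol: Optional[str] = None   # visible for plaintext, or after decryption


@dataclass(frozen=True)
class Rule:
    name: str
    phase: str                  # "pre-handshake" or "normal"
    service_chain: str          # chain name, or "bypass"
    decrypt: bool = True        # False models the Decrypt check box cleared
    dst_port: Optional[int] = None
    app_protocol: Optional[str] = None
    sni_suffix: Optional[str] = None

    def matches(self, conn: Connection, decrypted: bool) -> bool:
        if self.dst_port is not None and conn.dst_port != self.dst_port:
            return False
        if self.sni_suffix is not None and not (conn.sni or "").endswith(self.sni_suffix):
            return False
        if self.app_protocol is not None:
            # Inside TLS the application protocol is unknown until plaintext is exposed.
            visible = conn.app_protocol if (decrypted or not conn.is_tls) else None
            if visible != self.app_protocol:
                return False
        return True

    def specificity(self) -> int:
        """More filled-in filters win when several rules overlap."""
        return sum(v is not None for v in (self.dst_port, self.app_protocol, self.sni_suffix))


def _best(candidates: Sequence[Rule], current: Optional[Rule]) -> Optional[Rule]:
    for rule in candidates:
        if current is None or rule.specificity() > current.specificity():
            current = rule
    return current


def classify(rules: Sequence[Rule], conn: Connection, default_chain: str = "chain_default") -> str:
    # Pass 1: handshake time. Every rule sees L4 data and SNI only.
    best = _best([r for r in rules if r.matches(conn, decrypted=False)], None)
    if best is not None and not best.decrypt:
        return best.service_chain  # not decrypted, so no second pass is possible
    if conn.is_tls:
        # Pass 2: plaintext exposed. Only Normal rules are re-evaluated.
        best = _best([r for r in rules if r.phase == "normal" and r.matches(conn, decrypted=True)], best)
    return best.service_chain if best is not None else default_chain


# Constructed rule set: an SNI bypass, a protocol-only rule, and a more specific overlap.
RULES: List[Rule] = [
    Rule("bypass_banking", "pre-handshake", "bypass", decrypt=False, sni_suffix=".bank.example"),
    Rule("http_any_port", "normal", "chain_web", app_protocol="http"),
    Rule("https_8443", "normal", "chain_web_8443", dst_port=8443, app_protocol="http"),
]

if __name__ == "__main__":
    for conn in (
        Connection(8443, True, sni="intranet.example", app_protocol="http"),
        Connection(8080, False, app_protocol="http"),
        Connection(443, True, sni="online.bank.example", app_protocol="http"),
    ):
        print(conn, "->", classify(RULES, conn))
```

    On the HTTPS-on-8443 connection nothing matches at handshake time, because neither protocol rule can see HTTP inside TLS yet; after decryption both Normal rules match and the more specific one (port plus protocol) wins. The plain HTTP connection is settled on the first pass. The banking connection is claimed by the Pre Handshake bypass rule with Decrypt off, so the second pass never runs.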
  • Page 35: Importing And Exporting Configurations For Deployment

    You can also export previously successful deployment configurations as JSON files to use in any Herculon SSL Orchestrator environment. These exported configurations can be used to address other specific configuration issues. Importing new configurations for deployment Before you import new configurations for deployment, complete all areas in General Properties.
  • Page 36: Importing Past Configurations For Deployment

    SSL Orchestrator Configuration settings to a .json file? 4. To export the current Herculon SSL Orchestrator settings into a JSON export file, click OK, or click Cancel to stop the export process. 5. Type the filename of the JSON file to export.
  • Page 37 F5 Herculon SSL Orchestrator: Setup The configuration information you selected to export is downloaded to your local system as a JSON file, and can be imported and used to deploy configurations in other Herculon SSL Orchestrator environments.
  • Page 38 Importing and Exporting Configurations for Deployment...
  • Page 39: Setting Up Herculon SSL Orchestrator In A High Availability Environment

    Note: Herculon SSL Orchestrator high availability deployment is supported for use only with the Herculon SSL Orchestrator configuration utility versions 2.1 and later. Assumptions and dependencies To ensure that your Herculon SSL Orchestrator HA deployment succeeds, it is critical that you closely review and follow all assumptions and dependencies. •...
  • Page 40: Task Summary For Deploying In A High Availability Environment

    • While using the Herculon SSL Orchestrator Setup Wizard, you have noted the details used for NTP and DNS setup and made sure they will be identical on both devices. To verify duplication, on the Main tab, click System > Configuration > Device and select NTP or DNS.
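    Pages 35 to 37 describe exporting a deployment as JSON for reuse in another environment, and page 40 requires that settings such as NTP and DNS be identical on both HA devices. Both checks come down to comparing two configuration documents, and the following added example (written for this page, not F5 code) does that. The export schema is not shown on this page, so the two documents below are constructed stand-ins with made-up keys; the diff walks any JSON tree, and the list of paths that are expected to differ between environments is likewise an assumption.

```python
"""Diff two JSON configuration exports before importing one into another environment.

Added example, not part of the manual or the product. The export schema
is not documented on this page, so SOURCE_EXPORT and TARGET_EXPORT are
constructed stand-ins with made-up keys. diff_json walks any JSON tree;
EXPECTED_TO_DIFFER lists paths that legitimately vary per environment
and is an assumption for this example.
"""
import json
from typing import Any, Iterable, List


def diff_json(a: Any, b: Any, path: str = "$") -> List[str]:
    """Return one line per leaf that differs between a (source) and b (target)."""
    out: List[str] = []
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            if key not in b:
                out.append(f"{path}.{key}: only in source")
            elif key not in a:
                out.append(f"{path}.{key}: only in target")
            else:
                out.extend(diff_json(a[key], b[key], f"{path}.{key}"))
    elif isinstance(a, list) and isinstance(b, list):
        for i, (x, y) in enumerate(zip(a, b)):
            out.extend(diff_json(x, y, f"{path}[{i}]"))
        for i in range(min(len(a), len(b)), max(len(a), len(b))):
            out.append(f"{path}[{i}]: only in {'source' if i < len(a) else 'target'}")
    elif a != b:
        out.append(f"{path}: {a!r} -> {b!r}")
    return out


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + ".") or path.startswith(prefix + "[")


def unexpected_differences(a: Any, b: Any, expected_prefixes: Iterable[str]) -> List[str]:
    """Differences outside the paths that are allowed to vary per environment."""
    prefixes = tuple(expected_prefixes)
    result = []
    for line in diff_json(a, b):
        path = line.split(": ", 1)[0]
        if not any(_under(path, p) for p in prefixes):
            result.append(line)
    return result


# Constructed sample exports (keys are invented for this example).
SOURCE_EXPORT = json.loads("""{
  "generalProperties": {"proxyMode": "transparent", "loggingLevel": "errors", "ipFamily": "ipv4"},
  "outboundGateways": ["192.0.2.1"],
  "services": [{"name": "icap_av", "type": "icap", "requestUri": "icap://icap.example.com/request"}]
}""")
TARGET_EXPORT = json.loads("""{
  "generalProperties": {"proxyMode": "transparent", "loggingLevel": "debug", "ipFamily": "ipv4"},
  "outboundGateways": ["198.51.100.1", "198.51.100.2"],
  "services": [{"name": "icap_av", "type": "icap", "requestUri": "icap://icap.example.com/request"}]
}""")

# Gateway addresses are expected to change between sites; everything else should not.
EXPECTED_TO_DIFFER = ("$.outboundGateways",)


def review_import(source: Any = SOURCE_EXPORT, target: Any = TARGET_EXPORT) -> List[str]:
    """Lines a reviewer must explain before importing source over target."""
    return unexpected_differences(source, target, EXPECTED_TO_DIFFER)


if __name__ == "__main__":
    for line in diff_json(SOURCE_EXPORT, TARGET_EXPORT):
        print(line)
    print("needs review:", review_import())
```

    Run against two real exports the full diff shows every leaf that changed, while the filtered view surfaces only differences that are not explained by the environment (here the logging level), which is the list to resolve before importing or before declaring two HA peers identical.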
  • Page 41: Installing An Updated RPM File

    That system will copy it to the other systems in the ConfigSync group. Later, after a successful Herculon SSL Orchestrator HA deployment, you should verify that the same version appears on the BIG-IP HA peer device. See the section Updating the Herculon SSL Orchestrator version for more detailed installation instructions.
  • Page 42 Setting up Herculon SSL Orchestrator in a High Availability Environment The Self IP List screen opens. 7. Click Create. A New Self IP screen opens where you can configure your new self IP. 8. In the Name field, type the self IP name (for example, ha_self). 9.
  • Page 43: Synchronizing The Device Group

    8. In the Name field, type the name of the device you are adding. 9. Click Add Device. At the upper right, next to the F5 logo, the status of your device should show ONLINE (ACTIVE) and Connected, with a green indicator next to them showing its active and connected status.
  • Page 44: Setting Up A Basic Configuration For Deployment

    Setting up Herculon SSL Orchestrator in a High Availability Environment Setting up a basic configuration for deployment You must create identical information on each device before deploying the configuration. You can now set up a basic configuration for deployment on your active device.
  • Page 45: Verifying The RPM File Version On Both Devices

    Note: If synchronization or deployment issues persist when you deploy after completing each section, deploy instead after updating each individual item in the Herculon SSL Orchestrator configuration utility, and verify that all new objects are properly synced and deployed.
  • Page 46 Setting up Herculon SSL Orchestrator in a High Availability Environment c) If redeploy or undeploy fails, do the following: 1. From the command line (back door), run: touch /var/config/rest/iapps/enable 2. Refresh the Herculon SSL Orchestrator menu UI. 3. Select the deployed application from the list and delete the application.
  • Page 47: Using Herculon SSL Orchestrator Analytics

    • Virtual Servers
    • Servers (the final destination)
    • Actions
    You can also use the Herculon SSL Orchestrator analytics Scheduled Reports to set up an automatic reporting schedule and later view any stored scheduled statistical records. About analytics dashboard capabilities...
  • Page 48: Timeline Capabilities

    Using Herculon SSL Orchestrator Analytics Timeline capabilities The customizable timeline capabilities give you the ability to produce a statistical analysis based on a specified range of time. When you first open the analytics dashboard, the default refresh time is set at 5 minutes.
  • Page 49: Customizing Chart Capabilities

    F5 Herculon SSL Orchestrator: Setup Customizing chart capabilities Within each line chart, you can identify a specific day and time within the time range selected. You can also select a block of time to be further analyzed. By leveraging the multiple options available, you can analyze dimensions individually, compare groups of dimensions and their statistics, and sort the charts as you diagnose the performance and health of your system’s SSL orchestration.
  • Page 50: Charting Bytes In, Bytes Out, And Hit Count Over Time

    Using Herculon SSL Orchestrator Analytics You can also individually select each row within a table to update the statistics within each available chart. You can also launch a comparison chart based on the table and the column of data that you selected to sort by.
  • Page 51: Viewing The Top Sites Bypassed

    F5 Herculon SSL Orchestrator: Setup 4. To compare another statistic, in the chart legend click Hit Count and select a statistic. For example, select Duration or Hit Count Per Second. A line graph displays for the statistic you selected. The comparison chart remains available on your screen as long as you keep your browser open.
  • Page 52: Viewing The Most Used Client Ciphers And Protocols

    Using Herculon SSL Orchestrator Analytics Viewing the most used client ciphers and protocols You can use F5 Herculon SSL Orchestrator statistics to view and analyze which client ciphers and protocols are used the most. The customizable charts, which graphically display the results, enable you to flexibly choose the information you want to view based on specified ranges of time that you select and can easily adjust.
  • Page 53 F5 Herculon SSL Orchestrator: Setup send reports so they can track CPU, disk, and memory utilization, and other system statistics. Many other reports are available that you can schedule to be sent regularly. Select the information to include in the report.
  • Page 54 Using Herculon SSL Orchestrator Analytics...
  • Page 55: Legal Notices

    2017, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use.
  • Page 56 Legal Notices residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.
