SSL Visibility with Service Chaining


F5 and Palo Alto Networks SSL Orchestration with Service Chaining
RECOMMENDED DEPLOYMENT PRACTICES
The F5 SSL Orchestrator and Palo Alto Networks Next-Gen Firewall Solution: SSL Visibility with Service Chaining
October

Contents

Introduction
The Integrated Solution
SSL visibility: How do we do it?
SSL orchestration using security service chains
Deployment Planning
Prerequisites
IP addressing
Architecture best practices
Initial Setup
Configure the Palo Alto Networks NGFW
Run the SSL Orchestrator Setup Wizard
Set up high availability
Update the SSL Orchestrator version
Back up your F5 system configuration
SSL Orchestrator Configuration
Set up the deployment
Create the Palo Alto Networks NGFW service
Configuring as an L2 service
Configuring as an L3 service
Configuring as a TAP service
Set up the SSL profile
Create service chains to link services
Create the interception rule
Handling NAT
Testing the Solution

Introduction

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL provides data privacy and secure communications, it also creates challenges for inspection devices in the security stack. In short, the encrypted communications cannot be seen as clear text and are passed through without inspection, becoming security blind spots. This creates serious risks for businesses: what if attackers are hiding malware inside the encrypted traffic? However, performing decryption of SSL/TLS traffic on the security inspection devices themselves, using their native decryption support, can tremendously degrade the performance of those devices, especially given the demands of stronger, 2048-bit certificates.

An integrated F5 and Palo Alto Networks solution solves these two SSL/TLS challenges. F5 SSL Orchestrator centralizes SSL inspection across complex security architectures, enabling flexible deployment options for decrypting and re-encrypting user traffic. It also provides intelligent traffic orchestration using dynamic service chaining and policy-based management. The decrypted traffic is then inspected by one or more Palo Alto Networks next-generation firewalls (NGFWs), which can prevent previously hidden threats and block zero-day exploits. This solution eliminates the blind spots introduced by SSL and closes any opportunity for adversaries.

This overview of the joint solution describes different deployment modes with reference to service chain architectures, recommends practices, and offers guidance on how to handle enforcement of corporate Internet use policies.

The Integrated Solution

The F5 and Palo Alto Networks integrated solution enables organizations to intelligently manage SSL while providing visibility into a key threat vector that attackers often use to exploit vulnerabilities, establish command and control channels, and steal data. Without SSL visibility, it is impossible to identify and prevent such threats at scale. Key highlights of the joint solution include:

- Flexible deployment modes that easily integrate into even the most complex architectures, consolidate the security stack to reduce complexity, and deliver SSL visibility across the security infrastructure.
- Centralized SSL decryption/re-encryption with best-in-class SSL hardware acceleration, eliminating the processing burden of multiple decryption/re-encryption workloads on every security inspection hop in the stack, which reduces latency while improving the user experience.
- Dynamic security service chaining, which provides policy-based traffic management, determining whether traffic should be allowed to pass or be decrypted and sent through a security device or service.
- An industry-leading application delivery controller that load balances traffic to multiple devices in the security services, enabling effortless scaling and growth.
- Built-in health monitors that detect security service failures and shift or bypass loads in real time to provide reliability and fault tolerance.
- Full cipher support, including support for PFS-enabled ciphers, to ensure full traffic visibility.

- Natively integrated security technologies that leverage a single-pass prevention architecture to exert positive control based on applications, users, and content to reduce the organization's attack surface.
- Automated creation and delivery of protection mechanisms to defend against new threats to network, cloud, and endpoint environments.
- Threat intelligence sharing that provides protection by taking advantage of the network effects of a community of comprehensive, global threat data to minimize the spread of attacks.

SSL visibility: How do we do it?

F5's industry-leading full proxy architecture enables F5 SSL Orchestrator to install a decryption/clear text zone between the client and web server, creating an aggregation (and disaggregation) visibility point for security services. The F5 system establishes two independent SSL connections: one with the client and the other with the web server. When a client initiates an HTTPS connection to the web server, SSL Orchestrator intercepts and decrypts the client-encrypted traffic and steers it to a pool of Palo Alto Networks firewalls for inspection before re-encrypting the same traffic to the web server. The return HTTPS response from the web server to the client is likewise intercepted and decrypted for inspection before being sent on to the client.

Figure 1: The F5 full proxy architecture

SSL orchestration using security service chains

A typical security stack often begins with a firewall but almost never stops there. To solve specific security challenges, security administrators are accustomed to manually chaining multiple point products such as data loss prevention (DLP) scanners, web application firewalls, intrusion prevention systems (IPS), malware analysis tools, and more, creating a bare-bones security stack consisting of multiple services. In this model, all user sessions are provided the same level of security, as this daisy chain of services is hard-wired.

As shown in Figure 2, an F5 device can consolidate the security stack, including NGFW (anti-virus/malware, IPS), ICAP, and DLP, using intelligent traffic orchestration and policy-based steering. The F5 system does this by matching the URL and policies to determine whether to bypass or to decrypt, and whether to send to one set of security services or another.

Figure 2: The security service chaining architecture (SSL Orchestrator decrypts and steers traffic, based on policy, bypass options, and URL categorization, through Firewall, NGFW, IPS, and DLP pools, a web proxy, and analytics/SIEM, then re-encrypts toward the Internet)

This F5 SSL visibility solution provides a way to apply different service chains based on context derived from a powerful classification engine. That context can come from:

- Source IP/subnet.
- Destination IP/subnet.
- IP intelligence category.
- IP geolocation.
- Host and domain name.
- URL filtering category.
- Destination port.
- Protocol.

Deployment Planning

Careful advance consideration of deployment options can ensure an efficient and effective implementation of the F5 integrated solution using Palo Alto Networks' next-generation security system.

Prerequisites

The F5 SSL Orchestrator product line (the i2800, i5800, i10800, i11800, and i15800) supports this joint solution. SSL Orchestrator devices ship with an installed base module that provides both SSL interception and service chaining capabilities. SSL Orchestrator can also be deployed as an application on an existing F5 BIG-IP system. Please contact your local F5 representative to understand the licensing and deployment options. Unless otherwise noted, references to SSL Orchestrator and the BIG-IP system in this document (and some user interfaces) apply equally regardless of the F5 hardware used. The solution architecture and configuration are identical.

Optionally, customers can consider adding the functionality of:

- An F5 URL filtering (URLF) subscription to access the URL category database.
- An F5 IP Intelligence subscription to detect and block known bad actors and bad traffic.
- A network hardware security module (HSM) to safeguard and manage digital keys for strong authentication.
- F5 Secure Web Gateway (SWG) Services to filter and control outbound web traffic using a URL database.
- F5 Access Manager to authenticate and manage user access.

The following Palo Alto Networks products and subscriptions are needed for deploying the solution:

- A Palo Alto Networks Next-Generation Firewall for policy-based control of applications, users, and content.
- A Threat Prevention subscription that includes malware, command-and-control, and vulnerability and exploit protection with IPS capabilities.
- A WildFire subscription that expedites the response to threats by automatically detecting unknown malware and generating and distributing protections to subscribers.

Refer to the Palo Alto Networks technical documentation for complete guidance. (You may need to be registered with appropriate privileges to access this resource.)

IP addressing

When a Palo Alto Networks firewall is deployed as an L3/routed hop, F5 recommends configuring its IP addresses for the connected inward and outward VLANs from the default fixed addressing subnets. These subnets are provided by SSL Orchestrator and derived from an RFC2544 CIDR block of to minimize the likelihood of address collisions. For example, you can configure a firewall to use the IP address /25 on the inward VLAN and /25 on the outward VLAN, pointing to the SSL Orchestrator-connected interfaces. You will also need to configure static routes to the internal networks on the firewall's inward VLAN and a default route to the Internet on the outward VLAN. The table below explains the IP addresses that you need to configure when deploying multiple firewalls in the service pool.

Palo Alto Networks NGFW | Inward Interface IP | Inward / Internal Gateway | Outward Interface IP | Outward / Default Gateway
Palo Alto Networks NGFW-1 Palo Alto Networks NGFW / / / / / /25 Palo Alto Networks NGFW-n n=< n/ n/25 n=<8

Architecture best practices

These recommended practices can help streamline the architecture to optimize performance, reliability, and security:

- Deploy inline. Any SSL visibility solution must be inline to the traffic flow to decrypt perfect forward secrecy (PFS) cipher suites such as ECDHE (elliptic curve Diffie-Hellman encryption).
- Deploy SSL Orchestrator in a device sync/failover device group (S/FDG) that includes the high-availability (HA) pair with a floating IP address.
- Use dual-homing. The Palo Alto Networks NGFWs must be dual-homed on the inward and outward VLANs with each F5 system in the device S/FDG.
- Achieve further interface redundancy with the Link Aggregation Control Protocol (LACP). LACP manages the connected physical interfaces as a single virtual interface (aggregate group) and detects any interface failures within the group.
- Unlike some competing solutions, the F5 system does not need direct physical connections to the Palo Alto Networks NGFWs. All that is required is L3 reachability; however, we recommend deploying the NGFWs not more than one hop away. Generally, when inspection devices are not directly connected to the F5 system, we highly recommend the use of network and VLAN controls to restrict access to the unencrypted data to the inspection devices only.

Initial Setup

A few initial steps should be completed before moving into detailed configuration of SSL Orchestrator.

Configure the Palo Alto Networks NGFW

Palo Alto Networks next-generation firewalls allow administrators to safely enable applications and prevent known and

unknown threats across the network. The native integration of the platform delivers a prevention architecture that provides a range of security features, including application-aware firewall, intrusion prevention, network anti-virus, anti-spyware/malware, URL filtering, and WildFire threat analysis services. Detection of previously unknown malware results in the automated creation of prevention signatures, which are delivered to all subscribers within minutes. With an open, fully documented API, the Palo Alto Networks NGFW is designed to integrate with automation and orchestration systems.

Palo Alto Networks NGFWs can be configured in four modes. A single firewall can be deployed in multiple modes simultaneously:

- Virtual wire (V-wire): Transparent mode, where two interfaces are bound together and no switching or routing is needed.
- Layer 2: Switching mode, where the firewall provides switching between two or more networks.
- Layer 3: Routed mode, where the firewall provides routing between two or more networks.
- TAP mode: Where the firewall passively monitors traffic copied from a span/monitor port.

Management of the firewall is accomplished through the management plane of the device, either through an API, CLI (SSH), or web UI interface. Most commonly, the web UI is used to configure and manage the device. Once logged into the web UI, administrators can configure trusted and untrusted zones, assign interfaces to the zones, and define and enforce policies. It is important that the policies configured on the firewalls permit the health monitoring traffic. For further details on how to configure the Palo Alto Networks NGFW, refer to the PAN-OS 7.1 Administrator's Guide.

Run the SSL Orchestrator Setup Wizard

After you plug in the F5 device, the first things to set up are the management IP address, netmask, and default routing from the command line of your system.
Log in to the web UI using the configured management IP address (the default web interface credentials are admin/admin). The SSL Orchestrator Setup Wizard guides you through the basic configuration. (Note: The Setup Wizard is substantially the same regardless of whether you are deploying SSL Orchestrator on an existing F5 system or on new hardware. The few exceptions, such as SSL certificate configuration, can readily be performed manually on current F5 systems.)

Figure 3: Initial configuration of the management IP from the command line

Note: If at any time during configuration you need to return to the Setup Wizard, simply click the F5 logo in the upper-left corner of the Configuration utility, and on the Welcome screen, click Run the Setup Utility.

1. On the F5 Welcome screen, click Next.
2. On the License screen, click Activate.
3. Enter the Registration Key. Follow the F5 licensing steps to activate the SSL Orchestrator license.
4. On the EULA screen, click Accept. The license activates and the system reboots.
5. Once the system has rebooted, the Device Certificates screen displays. Here you can import a certificate authority (CA) signed device certificate or continue using the default self-signed certificate. Click Next.
6. The Platform screen displays. Complete the following steps:
   i. Enter the Host Name for this system. The Host Name must be a fully qualified domain name.
   ii. Under User Administration, enter and confirm the Root Account passwords, and click Next. The Root Account provides access to the command line, while the Admin Account accesses the user interface.

Figure 4: Platform configuration

7. The system notifies you to log out and then log back in with your username (admin) and new password. Click OK. The system reboots.
8. Once you log in, the Forward Proxy Certificate page displays. An SSL CA certificate (preferably a subordinate CA) and private key on the F5 system are needed to generate and issue certificates to the end host for client-requested HTTPS websites that are being intercepted. Enter the name for the certificate, import the sub CA certificate and key, then click Next.
9. On the Network web page, click Next to configure network settings.
10. The Redundancy page displays. Deselect Config sync and click Next. (You will set up high availability [HA] after finishing the initial steps.)
11. When the Network Time Protocol (NTP) configuration screen displays, enter the IP Address of the NTP

server to synchronize the system clock with and click Add. Click Next.
12. (Optional, unless you plan to later use the DNSSEC option in the SSL Orchestrator configuration, in which case this step is required.) The Domain Name Server (DNS) screen opens. Complete the following steps:
   i. To resolve host names on the system, set up the DNS and associated servers: for the DNS Lookup Server List, type the IP Address of the DNS server and click Add.
   ii. If you use BIND servers, add them in the BIND Forwarder Server list.
   iii. Add local domain lookups (to resolve local host names) in the DNS Search Domain list.
13. Click Next. The configuration screen appears with a complete menu on the left. (See Figure 5.) You are ready to set up high availability and finalize your system for SSL Orchestrator.

Figure 5: The SSL Orchestrator configuration screen once the initial setup is complete

Set up high availability

F5 highly recommends deploying SSL Orchestrator in an HA pair to ensure a high level of operational performance. Before setting up HA, you should already have the secondary SSL Orchestrator unit installed and have completed its initial setup.

1. Click the F5 logo in the upper-left corner of the Configuration utility, and on the Welcome screen, click Run Config Sync/HA Utility.
2. In the Standard Network Configuration section, click Next.
3. Leave the default settings for Redundant Device Wizard Options and click Next.
4. Enter the IP Address and add the VLAN interface for High Availability Network and VLAN configuration.
5. For Network Time Protocol Configuration, enter the NTP server IP address and click Add, if you didn't configure one during initial setup. Click Next.

6. For Domain Name Server Configuration, enter the DNS server IP address and click Add, if you didn't configure one during initial setup. Click Next.
7. For Configuration Sync Configuration, choose the Network IP Address you configured in step 4, then click Next.
8. For Failover Unicast Configuration, select the HA interface and management interface and click Next.
9. For Mirroring Configuration, select the HA interface as the Primary Local Mirror Address.
10. In the Standard Pair Configuration section, click Next.
11. Pause here, go to the secondary device, and complete steps 1-10 of this HA procedure for that device, too.
12. Returning to this primary device, under Discover Configure Peer or Subordinate Device, click Next.
13. Under Retrieve Device Credentials, enter the secondary SSL Orchestrator unit/peer IP Address, Administration Username, and credentials, then click Retrieve Device Information.
14. Once the peer Device Certificate is verified, click Device Certificate Matches.
15. Verify the peer Device Name and click Add Device. This completes the active-standby HA setup.

Figure 6: Sample configuration for peer discovery to set up HA

Update the SSL Orchestrator version

Periodic updates are available for the SSL Orchestrator configuration utility. To download the latest, follow these steps:

1. Visit downloads.f5.com. You will need your registered F5 credentials to log in.

2. Click Find a Download.
3. Scroll to the Security product family and select SSL Orchestrator.

Figure 7: F5 product download web page

4. Click the SSL Orchestrator container.
5. Select and download the latest version of the SSL Orchestrator .rpm file.
6. Read through the appropriate Release Notes before attempting to use the downloaded file.
7. Once you've read the release notes, log in to the main tab of the F5 management interface and navigate to SSL Orchestrator > Updates.
8. Under File Name, click Browse and navigate to the .rpm file you downloaded. Click Open to select it.

Figure 8: Updating SSL Orchestrator

9. Click Install. The latest version of the SSL Orchestrator configuration utility will be installed. Your system

may reboot to make the change effective.

Back up your F5 system configuration

Before beginning the detailed SSL Orchestrator configuration, we strongly recommend you back up the F5 system configuration using the following steps. This enables you to restore the previous configuration in case of any issues.

1. From the main tab of the F5 management interface, click System > Archives.
2. To initiate the process of creating a new UCS archive (backup), click Create.
3. Enter a unique File Name for the backup file.
4. Optional: If you want to encrypt the UCS archive file, from the Encryption menu, select Enabled and enter a passphrase. You must supply the passphrase to restore the encrypted UCS archive file. If you want to exclude SSL private keys from the UCS archive, from the Private Keys menu, select Exclude.

Figure 9: New system archive creation

5. Click Finished to create the UCS archive file.
6. When the backup process is done, examine the status page for any reported errors before proceeding to the next step.
7. Click OK to return to the Archive List page.
8. Copy the .ucs file to another system.

To restore the configuration from a UCS archive, navigate to System > Archives. Select the name of the UCS file you want to restore and click Restore. For details and other considerations for backing up and restoring the F5 system configuration, see Solution K13132 on AskF5: Backing up and restoring BIG-IP configuration files.

SSL Orchestrator Configuration

Before you proceed to deploy the SSL Orchestrator application, you must have configured the internal and external

networks, including VLANs, IP addresses, and default gateway. Refer to Basic Network Settings support on AskF5 for the detailed steps.

Set up the deployment

This step must be completed before you can set up services and service chains.

1. On the F5 management console, click SSL Orchestrator > Deployment > Deployment Settings.
2. Answer the configuration questions (see Figure 10) to create the SSL Orchestrator application. (Refer to the User Input column below for examples and tips.)
3. Click Finished.

Configuration Field / User Input

General Properties
- Application Service Name (Deployment Name): Type a name for the SSL Orchestrator deployment.
- Strict Update: Select the check box if you want strict updates enforced to protect your configuration. If this is enabled, you cannot manually modify any of the settings produced by the application. Once this is disabled, you can manually change your configuration. However, we strongly recommend that you enable this setting to avoid misconfigurations that can render your application completely unusable.
- Deployed Network: Specify the SSL Orchestrator deployed network as either layer 2 (L2) Wire or layer 3 (L3) Network.
- IP Family: Specify whether you want this configuration to support IPv4 addresses, IPv6 addresses, or both.

Egress Configuration
- Manage SNAT Settings: Choose Auto Map to replace the client source IP address with the self IP address belonging to the egress for outbound traffic. This is recommended for small traffic volumes only, because of the limited number of ports that can be allocated for translations. For larger volumes of traffic, F5 recommends use of a SNAT (Secure Network Address Translation) pool to scale translations instead of overloading the egress interface IP address. When SNAT is chosen, you will need to enter IPv4 SNAT addresses for the SNAT pool for translations.
- Gateway: Specify whether to route outbound using the default route on the F5 system, or enter the IP address to be used as the default gateway.

DNS
- DNS Query Resolution: This solution uses DNS extensively. You can either permit the system to send DNS queries directly out to an Internet Authoritative Name Server or specify one or more Local Forwarding Name Servers to process all DNS queries. Direct resolution can be more reliable than using forwarders but requires outbound UDP/TCP port 53 access to the Internet.

- Local Forwarding Nameserver(s): If you selected Local Forwarding Name Servers, type the IP address of one or more name servers which will resolve all DNS queries from this solution and click Add.
- Local/Private Forward Zones: If you selected Internet Authoritative Name Server, type the IP address of one or more Nameservers and click Add.
- DNSSec Validation: Specify whether you want to use DNSSEC to validate the DNS information.

Logging Configuration
- Logging Level: F5 recommends leaving the Logging Level at the default, Errors (log only on functional errors), unless you need to troubleshoot.

Figure 10: Sample SSL Orchestrator deployment configuration

Create the Palo Alto Networks NGFW service

You can configure the Palo Alto Networks NGFW either in inline mode, as an L2 or L3 hop, or in TAP mode.

Configuring as an L2 service

When the Palo Alto Networks NGFW is configured as an L2 service/V-wire, as shown in Figure 11, SSL Orchestrator steers the unencrypted and decrypted web traffic through the Palo Alto Networks NGFW pool, which is part of the service chain(s) of security devices.

Figure 11: L2 service deployment architecture (corporate employees and data center users behind SSL Orchestrator, with a web proxy, mirrored-traffic monitors, ICAP, and the Palo Alto Networks service pool in the service chains, toward the Internet)

Before you follow the steps below to create the L2 service for the Palo Alto Networks NGFW, you must have created the inward and outward VLANs and assigned the interfaces on SSL Orchestrator that are connected to the NGFW(s).

1. On the main tab of the F5 management interface, navigate to SSL Orchestrator > Services > L2 Services. The L2 Services screen displays.
2. Click Create to create the L2 service and configure it using the guidance below.
3. Leave the other options at their defaults and click Finished.

Configuration Field / User Input
- Name: Enter a Name for the L2 service. This name can contain 1-15 alphanumeric or underscore characters but must start with a letter. Letters are not case sensitive.
- L2 Service Paths: Specify the VLAN pairs (inward and outward VLAN) on the F5 system that are connected to the NGFW. If you have configured SSL Orchestrator in a sync/failover device group for HA, then the VLAN pairs must be connected to the same layer 2 virtual network from every device. If you have multiple NGFWs, choose the respective VLAN pair and click Add. You can enter the ratio for every NGFW device in the pool to control the load it receives.
- Service Down Action: Specify how you want the system to handle failure of an L2 service or when it is otherwise unavailable. Ignore: Specifies that the traffic to the service is ignored and is sent to

the next in chain. Drop: Specifies that the system initiates a close on the client connection. Reset: Specifies that the system immediately sends a RST on the client connection for TCP traffic. For UDP traffic, this action is the same.
- Port Remap: For the Palo Alto Networks NGFW to recognize that the steered traffic has been decrypted, it needs to be sent on a non-443 TCP port. Select a non-443 port.

Figure 12: Sample L2 service configuration

Configuring as an L3 service

When the Palo Alto Networks NGFW is configured as an L3 service, as shown in Figure 13, SSL Orchestrator routes the unencrypted and decrypted web traffic through the Palo Alto Networks NGFW pool, which is part of the service chain(s) of security devices.

Figure 13: L3 service deployment architecture (the Palo Alto Networks NGFW service pool is dual-homed on VLAN101 and VLAN201, each a /25 subnet, with SSL Orchestrator as the gateway on both sides)

Before you follow the configuration steps to create the L3 service for the Palo Alto Networks NGFW, you must have configured the VLANs, IP addressing, and static routes on the NGFW to route the traffic to inside and outside networks with SSL Orchestrator as the next hop.

1. On the main tab of the F5 management interface, navigate to SSL Orchestrator > Services > L3 Services. The L3 Services screen displays.
2. Click Create to create the L3 service and configure it using the guidance below.
3. Leave the other options at their defaults and click Finished.

Configuration Field / User Input

General Properties
- Name: Enter a Name for the L3 service. This name can contain 1-15 alphanumeric or underscore characters but must start with a letter. Letters are not case sensitive.

Service Definition
- Auto Manage: Select Auto Manage to use default F5 paths for each VLAN. You will see the Network Subnet that each VLAN on the F5 system will use to reach the NGFW(s).
- To Service VLAN: Specify the Outbound VLAN on the F5 system that will send the decrypted and encrypted traffic to the NGFW(s) for inspection.
- Node: Enter the IP address on the inward VLAN of the NGFW connected to SSL Orchestrator and click Add. If you have multiple NGFWs, add the IP address for each.
- From Service VLAN: You will see the Inbound VLAN on the F5 system that will receive the return traffic from the NGFW(s) after inspection.

  Specify the Inbound VLAN on the F5 system that will receive the return traffic from the NGFW(s) after inspection.
- Service Down Action: Specify how you want the system to handle a failure of the L3 service or when it is otherwise unavailable. Ignore: Specifies that the traffic to the service is ignored and is sent to the next in chain. Drop: Specifies that the system initiates a close on the client connection. Reset: Specifies that the system immediately sends a RST on the client connection for TCP traffic. For UDP traffic, this action is the same.
- Port Remap: For the Palo Alto Networks NGFW to recognize that the steered traffic has been decrypted, it needs to be sent on a non-443 TCP port. Select a non-443 port.

Figure 14: Sample L3 service deployment

Configuring as a TAP service

As shown in Figure 15, in TAP service mode the F5 system copies the unencrypted and decrypted web traffic to the Palo Alto Networks NGFW pool, which is part of the service chain(s) of security devices.

Figure 15: TAP service deployment architecture (inspection devices, L2 inspection devices, ICAP, and the Palo Alto Networks receive-only service pool in the service chains between users and the Internet)

Before you follow the configuration steps to create the TAP service for Palo Alto Networks NGFW devices, you must have created the VLAN(s) and assigned the respective interface on SSL Orchestrator that will be used to reach the firewalls.

1. On the main tab of the F5 management interface, navigate to SSL Orchestrator > Services > TAP Services. The TAP Services screen displays.
2. Click Create to create the TAP service and configure it using the guidance below.
3. Leave the other options at their defaults and click Finished.

Configuration Field / User Input
- Name: Enter a Name for the TAP service.
- TAP Service MAC Address: Type the MAC Address of the receiving interface of the NGFW. This address must be reachable by an F5 system VLAN.
- VLAN: Specify the VLAN where the NGFW device resides.
- Interface: Select the associated F5 system interface.
- Service Down Action: Specify how you want the system to handle a failure of the TAP service or when it is otherwise unavailable. Ignore: Specifies that the traffic to the service is ignored and is sent to the next in chain. Drop: Specifies that the system initiates a close on the client connection. Reset: Specifies that the system immediately sends a RST on the client

connection for TCP and UDP traffic.
- Port Remap: For the NGFW to recognize that the steered traffic has been decrypted, it needs to be sent on a non-443 TCP port. Select a non-443 port.

Figure 16: Sample TAP service deployment

Set up the SSL profile

An SSL CA certificate (preferably a subordinate certificate authority (CA)) and private key on the F5 system are needed to generate and issue certificates to the end host for client-requested HTTPS websites that are being intercepted. For the complete procedure, see solution K13302 on AskF5: Configuring the BIG-IP system to use an SSL chain certificate.

1. On the main tab of the F5 management interface, navigate to SSL Orchestrator > SSL Management > SSL Settings. The SSL Settings Services screen displays.
2. Click Create to create and configure the SSL profile using the guidance below.
3. Click Finished.

Configuration field and user input (SSL profile):

General Properties
Name: Type a Name for the SSL profile.

Proxy Section
Forward Proxy: Leave the enable box selected.
Bypass on Handshake Alert: Leave the default (disabled) selected, so that SSL forward proxy bypass is not triggered when a handshake failure, protocol version, or unsupported extension alert message is received during the server-side SSL handshake.
Bypass on Client Cert Failure: Leave the default (disabled) selected, so that SSL forward proxy bypass is not triggered when the requested client certificate is not received.

Client-Side SSL
Cipher Type: Select Cipher String for the default cipher list.
Certificate Key Chains: Select the default.crt certificate, default.key key, and default.crt chain, and leave the Passphrase field empty. Click Add.
CA Certificate Key Chains: Specify one or more configured subordinate certificate authority (CA) certificates and keys to associate with the SSL profile. Select the Certificate, Key Chain, and Passphrase settings for the certificate key chain (if the key has no passphrase, leave that field blank), then click Add.

Server-Side SSL
Cipher Type: Select Cipher String for the default cipher list.
Ciphers: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for client-side processing.
Expired Certificate Response Control: Select whether to drop or ignore the connection if the specified Certificate Revocation List (CRL) file has expired.
Untrusted Certificate Response Control: Select whether to drop or ignore the connection if the specified Certificate Revocation List (CRL) file is not trusted.
OCSP: Specify the supported OCSP.
CRL: Specify the supported CRL.

Figure 17: Sample SSL profile configuration

Create service chains to link services

Before you can set up service chains, you must have configured all the services (HTTP, ICAP, L2, L3, and TAP). By default, SSL Orchestrator steers traffic through all the services. You can create a new service chain by defining the preferred order in which traffic should be steered. Each service chain is linked to service chain classifier rules and processes specific connections based on those rules, which look at protocol, source, and destination addresses. Service chains can include each of the three types of services (inline, ICAP, or receive-only), as well as decryption zones between separate ingress and egress devices.

1. From the F5 device management interface, navigate to SSL Orchestrator > Policies > Access Per-Request Policies. The Per-Request Policies screen displays.
2. Click Create to create and configure the per-request service chain using the guidance below.

Configuration field and user input (per-request policy):

General Properties
Name: Type a Name for the per-request service chain.

TCP Service Chain
Intercept Chain: In the order you want SSL Orchestrator to steer traffic, select an Available Service and click < to move it to the Selected Services box. Repeat or rearrange until all services in the chain are listed in the order you prefer.
Non-Intercept Chain: Specify, and order as necessary, the available services for the non-decrypted chain.

UDP Service Chain
Service Chain Sequence: In the order you want SSL Orchestrator to steer traffic, select an Available Service and click < to move it to the Selected Services box. Repeat or rearrange until all services in the chain are listed in the order you prefer.

Figure 18: Sample per-request policy configuration

3. Click Finished.
4. On the Access Per-Request Policies screen that appears, click + Show All below the per-request policy and click the TCP policy name to review it. The policy editor page displays so you can further fine-tune the policy using advanced configurations as desired. In the sample in Figure 19, for example, you could click SSL Intercept Policy to bypass SSL traffic destined for websites that expose personal user information, such as banking, financial, or government sites.

Figure 19: Sample per-request TCP policy

Create the interception rule

Before you create an interception rule, you must create one or more service chains.

1. On the F5 device management interface, navigate to SSL Orchestrator > Deployment > Interception Rules. The Interception Rules screen displays.
2. Click Edit Default Outbound Rules to create and configure the rule using the guidance below.
3. Click Finished.

Configuration field and user input (interception rule):

General Properties: Leave all General Properties settings at their defaults.

Proxy Setting
Proxy Scheme: SSL Orchestrator can operate in transparent and/or explicit proxy mode. If you choose explicit proxy, enter the IP address and port number of the explicit proxy.
Classify UDP: If you selected Transparent Proxy above, by default TCP traffic is managed but UDP traffic passes through unexamined. Ensure Classify UDP is selected to manage UDP as well as TCP traffic.
Allow Non-UDP/Non-TCP: If you selected Transparent Proxy above, non-TCP, non-UDP traffic (such as IPsec, SCTP, and OSPF) is blocked. Ensure this option is selected to pass non-UDP and non-TCP traffic. Traffic passed this way goes around the service chain and is not inspected.

Security
SSL: Select the SSL profile.
Per Request Policy: Select the per-request policy you want.

Ingress Network
VLANs: Select one or more ingress VLANs where the client traffic will arrive.

L7 Interception Rules
Protocols: Specify the protocol of the connection (based on port or protocol recognition) for interception.

Figure 20: Sample intercept rule configuration
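The interplay between the interception rule options above (Classify UDP, Allow Non-UDP/Non-TCP), the per-request policy's intercept and non-intercept chains, each service's Service Down Action, and the TAP service's Port Remap is easier to reason about as a decision procedure. The following model is an added example for this guide, not F5 code, and it does not talk to a BIG-IP: the service names, the bypass category list, the flows, and the verdict labels are all constructed assumptions, and the real classifier also considers source and destination addresses, which the model omits.

```python
"""Model of the decisions an SSL Orchestrator interception rule and per-request
policy make when steering a flow through a service chain.

Added illustration, not F5 code. Service names, bypass categories, flows and
verdict labels are constructed; the branches follow the configuration tables
in the guide: intercept versus non-intercept TCP chain, the UDP chain (only
when Classify UDP is set), Allow Non-UDP/Non-TCP, each service's Service Down
Action, and the TAP service Port Remap.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Service:
    name: str
    kind: str                    # "inline", "icap" or "tap" (receive-only)
    down_action: str = "ignore"  # Service Down Action: "ignore", "drop" or "reset"
    port_remap: int = 0          # TAP only: non-443 port decrypted traffic is sent on
    healthy: bool = True


@dataclass
class Flow:
    proto: str          # "tcp", "udp", or another IP protocol name such as "ospf"
    dst_port: int
    sni: str = ""       # server name from the ClientHello, if any
    category: str = ""  # URL category as a classifier would supply it (constructed)


@dataclass
class PerRequestPolicy:
    tcp_intercept_chain: List[Service]
    tcp_non_intercept_chain: List[Service]
    udp_chain: List[Service]
    bypass_categories: Set[str] = field(default_factory=set)


@dataclass
class InterceptionRule:
    policy: PerRequestPolicy
    classify_udp: bool = False
    allow_non_udp_non_tcp: bool = False
    intercept_ports: Tuple[int, ...] = (443,)   # L7 Interception Rules: Protocols


def walk_chain(chain, decrypted, verdict):
    """Traverse a chain honouring each service's Service Down Action.
    Returns (verdict, steps); each step is (service name, destination port
    override or None). A TAP service with Port Remap receives decrypted
    traffic on its remapped port so the NGFW knows it is already decrypted."""
    steps = []
    for svc in chain:
        if not svc.healthy:
            if svc.down_action == "drop":
                return ("dropped", steps)       # close the client connection
            if svc.down_action == "reset":
                return ("reset", steps)         # RST to the client
            continue                            # ignore: skip to next in chain
        port = svc.port_remap if (svc.kind == "tap" and decrypted and svc.port_remap) else None
        steps.append((svc.name, port))
    return (verdict, steps)


def steer(flow, rule):
    """Apply the interception rule and its per-request policy to one flow."""
    pol = rule.policy
    if flow.proto not in ("tcp", "udp"):
        # Allow Non-UDP/Non-TCP passes IPsec, SCTP, OSPF and the like uninspected
        return ("passthrough" if rule.allow_non_udp_non_tcp else "blocked", [])
    if flow.proto == "udp":
        if not rule.classify_udp:
            return ("passthrough", [])          # UDP unexamined unless Classify UDP
        return walk_chain(pol.udp_chain, decrypted=False, verdict="udp")
    intercept = (flow.dst_port in rule.intercept_ports
                 and flow.category not in pol.bypass_categories)
    if intercept:
        return walk_chain(pol.tcp_intercept_chain, decrypted=True, verdict="intercept")
    return walk_chain(pol.tcp_non_intercept_chain, decrypted=False, verdict="bypass")


# Constructed services and policy
PAN_L3 = Service("palo_alto_l3", "inline", down_action="reset")
ICAP_AV = Service("icap_av", "icap", down_action="drop")
PAN_TAP = Service("palo_alto_tap", "tap", down_action="ignore", port_remap=8080)

POLICY = PerRequestPolicy(
    tcp_intercept_chain=[PAN_L3, ICAP_AV, PAN_TAP],
    tcp_non_intercept_chain=[PAN_L3],
    udp_chain=[PAN_L3],
    bypass_categories={"financial", "health", "government"},
)
RULE = InterceptionRule(POLICY, classify_udp=True, allow_non_udp_non_tcp=False)


def demo():
    """Steer a few constructed flows and return the decisions."""
    return {
        "web": steer(Flow("tcp", 443, "www.example.com", "news"), RULE),
        "bank": steer(Flow("tcp", 443, "bank.example", "financial"), RULE),
        "dns": steer(Flow("udp", 53), RULE),
        "ospf": steer(Flow("ospf", 0), RULE),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:5} -> {decision}")
```

Two behaviours worth noting from the model: a TAP service whose Service Down Action is Ignore is silently skipped when unhealthy, so the NGFW stops seeing copies without any client-visible symptom, whereas an inline service set to Reset terminates every session in its chain; and a bypassed category still traverses the non-intercept chain, so the firewall sees the encrypted session even though it cannot inspect its payload.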

Handling NAT

When a firewall is deployed as a service in the SSL Orchestrator service chain, it is no longer the Internet edge device, so performing network address translation (NAT) on this firewall is no longer advisable. NAT for the client's outbound traffic must instead happen after the firewall, whose default route returns the traffic to the F5 device for re-encryption. There are two ways to handle this:

Option A: Implement NAT on the F5 system using the SNAT pool feature (see Figure 21). In this case NAT is performed for the client's outbound traffic on the egress of the F5 system. When the firewalls are deployed as a sandwich pool between two F5 systems, NAT should be implemented on the egress F5 system.

Figure 21: NAT on the F5 system (Option A) (diagram: corporate employees, web proxy, mirrored-traffic monitors, SSL Orchestrator with NAT on the F5 system, Internet, Internet users, data center, ICAP, Palo Alto Networks service pool, service chains)

Traditionally, an edge firewall is implemented on the perimeter to inspect and control access for multiple protocols, and not all of these protocols are supported by SSL Orchestrator. When this firewall is moved from the edge and configured in the service chain to inspect decrypted traffic, any unsupported protocol traffic that goes around SSL Orchestrator is not inspected and is therefore potentially vulnerable. Option B below recommends the design change needed to overcome this challenge, together with NAT recommendations.

Option B: A Palo Alto Networks NGFW platform can perform more than firewall functions; it can also inspect for and protect from threats. Segregate the firewall and inspection functions of the NGFW onto two different physical or virtual systems (vsys), and implement NAT post re-encryption on the edge firewall while the inspection modules (IPS and WildFire) remain part of the system in the service chain (see Figure 22). In this case, the F5 system can either hand off the re-encrypted packets to the edge firewall, or forward and re-route the traffic from the edge firewall to the gateway.

Figure 22: NAT on the Palo Alto Networks NGFWs (Option B) (diagram: corporate employees, web proxy, mirrored-traffic monitors, SSL Orchestrator, NAT on the firewall, Internet, Internet users, data center, ICAP, Palo Alto Networks service pool, service chains)

Testing the Solution

You can test the deployed solution using the following options:

Server certificate test: Open a browser on the client system and navigate to an HTTPS site. Once the site opens in the browser, check the server certificate of the site and verify that it has been issued by the local CA set up on the F5 system. This confirms that the SSL forward proxy functionality enabled by SSL Orchestrator is working correctly.

Decrypted traffic analysis on the F5 system: Perform a TCP dump on the F5 system to observe the decrypted clear-text traffic. This confirms SSL interception by the F5 device. Substitute the interface carrying the decrypted traffic for eth<n>; adding a filter on the remapped non-443 port isolates the decrypted flows from the still-encrypted ones.

tcpdump -lnni eth<n> -Xs0

Decrypted traffic analysis on the Palo Alto Networks NGFW: From the web UI, go to Monitoring > Packet Capture > Create, and enable a Packet Filter. Create stages to capture packets, specify file names, and then click OK. Download the captured file(s) and analyze the HTTP packets. The packet header and payload should be in clear text, indicating SSL decryption. It is very important to turn off packet capture once the job completes.

US Headquarters: 401 Elliott Ave W, Seattle, WA // Americas: info@f5.com // Asia-Pacific: apacinfo@f5.com // Europe/Middle East/Africa: emeainfo@f5.com // Japan: f5j-info@f5.com
2018 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of the respective owners with no endorsement or affiliation, expressed or implied, claimed by F5. TMPL-CORE
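The server certificate test in the Testing the Solution section above can be scripted so that it covers both expected outcomes: hosts that should be intercepted must present a leaf certificate issued by the forward-proxy CA installed in the SSL profile, and hosts covered by an SSL intercept bypass (banking, financial, government) must not. The following is an added example and not part of this guide or of F5's tooling; the CA subject, the host names, the policy table, and the sample certificate dictionaries are constructed, and the dictionary layout is the one Python's ssl.SSLSocket.getpeercert() returns.

```python
"""Audit whether outbound HTTPS sessions are re-signed by the local
forward-proxy CA (intercepted) or left untouched (bypassed).

Added example; not F5 code and not part of the guide. INTERCEPT_CA_SUBJECT,
the host names, SAMPLE_POLICY and SAMPLE_CERTS are constructed. Certificates
are handled in the nested-tuple layout returned by ssl getpeercert().
"""
import socket
import ssl

# Constructed: subject of the subordinate CA installed on the F5 system
# (see "Set up the SSL profile"). Replace with your own CA's subject fields.
INTERCEPT_CA_SUBJECT = {
    "commonName": "Corp SSL Orchestrator Forward Proxy CA",
    "organizationName": "Example Corp",
}


def name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a plain dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def classify_certificate(cert, ca_subject=INTERCEPT_CA_SUBJECT):
    """'intercepted' when every expected CA subject field matches the issuer,
    otherwise 'bypassed' (a public CA, or any other issuer, signed the leaf)."""
    issuer = name_to_dict(cert.get("issuer", ()))
    if all(issuer.get(attr) == value for attr, value in ca_subject.items()):
        return "intercepted"
    return "bypassed"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check from a client behind SSL Orchestrator: open a TLS session and
    return the decoded leaf certificate. The forward-proxy CA must be trusted by
    the client's store, otherwise the default (verifying) context refuses the
    re-signed certificate before getpeercert() can return it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(expectations, certs, ca_subject=INTERCEPT_CA_SUBJECT):
    """Compare observed certificates with the intended policy per host.
    expectations: {host: 'intercepted' | 'bypassed'}; certs: {host: cert dict}.
    Returns (host, expected, observed) for every host whose observed state
    differs from policy; an empty list means the deployment matches."""
    mismatches = []
    for host, expected in expectations.items():
        observed = classify_certificate(certs[host], ca_subject)
        if observed != expected:
            mismatches.append((host, expected, observed))
    return mismatches


# Constructed sample certificates in getpeercert() layout.
SAMPLE_CERTS = {
    "www.example.com": {   # re-signed by the forward-proxy CA: being inspected
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("organizationName", "Example Corp"),),
                   (("commonName", "Corp SSL Orchestrator Forward Proxy CA"),)),
    },
    "bank.example": {      # left alone by an SSL intercept bypass rule
        "subject": ((("commonName", "bank.example"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Public Trust CA Inc"),),
                   (("commonName", "Public Trust CA R3"),)),
    },
}

# Constructed: which state each host is supposed to be in.
SAMPLE_POLICY = {"www.example.com": "intercepted", "bank.example": "bypassed"}


if __name__ == "__main__":
    for host, cert in SAMPLE_CERTS.items():
        print(host, classify_certificate(cert))
    print("policy mismatches:", audit(SAMPLE_POLICY, SAMPLE_CERTS))
```

For a live run, replace SAMPLE_CERTS with a dictionary built by calling fetch_peer_cert for each host in the policy table from a client whose trust store contains the forward-proxy CA. A mismatch in the intercepted direction usually means the interception rule or ingress VLAN does not cover that client; a mismatch in the bypassed direction means a site that should stay private is being re-signed, which is the condition the SSL Intercept Policy bypass in the per-request policy is meant to prevent.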

Deploying the BIG-IP System with Oracle Hyperion Applications Deployment Guide DOCUMENT VERSION.0 What s inside: Prerequisites and configuration notes Configuration example Preparation Worksheet Configuring the BIG-IP system for Hyperion Planning Workspace 5 Configuring

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

Dolby Conference Phone. Configuration guide for Avaya Aura Platform 6.x

Dolby Conference Phone. Configuration guide for Avaya Aura Platform 6.x Dolby Conference Phone Configuration guide for Avaya Aura Platform 6.x Version 3.1 22 February 2017 Copyright 2017 Dolby Laboratories. All rights reserved. Dolby Laboratories, Inc. 1275 Market Street San

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

BIG-IQ Centralized Management: ADC. Version 5.0

BIG-IQ Centralized Management: ADC. Version 5.0 BIG-IQ Centralized Management: ADC Version 5.0 Table of Contents Table of Contents BIG-IQ Application Delivery Controller: Overview...5 What is Application Delivery Controller?...5 Managing Device Resources...7

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

DEPLOYMENT GUIDE SSL INSIGHT DEPLOYMENT FOR A SINGLE-APPLIANCE ARCHITECTURE

DEPLOYMENT GUIDE SSL INSIGHT DEPLOYMENT FOR A SINGLE-APPLIANCE ARCHITECTURE DEPLOYMENT GUIDE SSL INSIGHT DEPLOYMENT FOR A SINGLE-APPLIANCE ARCHITECTURE OVERVIEW With the growth in encrypted traffic, increasing SSL key lengths and more computationally complex SSL ciphers, it is

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

BIG-IP System: SSL Administration. Version

BIG-IP System: SSL Administration. Version BIG-IP System: SSL Administration Version 13.1.0 Table of Contents Table of Contents About SSL Administration on the BIG-IP System...7 About SSL administration on the BIG-IP system... 7 Device Certificate

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Connect the Appliance to a Cisco Cloud Web Security Proxy

Connect the Appliance to a Cisco Cloud Web Security Proxy Connect the Appliance to a Cisco Cloud Web Security Proxy This chapter contains the following sections: How to Configure and Use Features in Cloud Connector Mode, on page 1 Deployment in Cloud Connector

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud Horizon DaaS Platform 6.1 Service Provider Installation - vcloud This guide provides information on how to install and configure the DaaS platform Service Provider appliances using vcloud discovery of

More information

Configuring Virtual Servers

Configuring Virtual Servers 3 CHAPTER This section provides an overview of server load balancing and procedures for configuring virtual servers for load balancing on an ACE appliance. Note When you use the ACE CLI to configure named

More information

Upgrading from TrafficShield 3.2.X to Application Security Module 9.2.3

Upgrading from TrafficShield 3.2.X to Application Security Module 9.2.3 Upgrading from TrafficShield 3.2.X to Application Security Module 9.2.3 Introduction Preparing the 3.2.X system for the upgrade Installing the BIG-IP version 9.2.3 software Licensing the software using

More information

F5 and Nuage Networks Partnership Overview for Enterprises

F5 and Nuage Networks Partnership Overview for Enterprises Partnership Overview for Enterprises Automate and accelerate application and network services deployment with. Key benefits enable you to: Deploy a flexible, agile, and programmable network that can instantiate

More information

The following topics describe how to manage various policies on the Firepower Management Center:

The following topics describe how to manage various policies on the Firepower Management Center: The following topics describe how to manage various policies on the Firepower Management Center: Policy Deployment, page 1 Policy Comparison, page 11 Policy Reports, page 12 Out-of-Date Policies, page

More information

Sample excerpt. Virtual Private Networks. Contents

Sample excerpt. Virtual Private Networks. Contents Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................

More information

BIG-IP DNS Services: Implementations. Version 12.0

BIG-IP DNS Services: Implementations. Version 12.0 BIG-IP DNS Services: Implementations Version 12.0 Table of Contents Table of Contents Configuring DNS Express...11 What is DNS Express?...11 About configuring DNS Express...11 Configuring DNS Express

More information

Paloalto Networks PCNSA EXAM

Paloalto Networks PCNSA EXAM Page No 1 m/ Paloalto Networks PCNSA EXAM Palo Alto Networks Certified Network Security Administrator Product: Full File For More Information: /PCNSA-dumps 2 Product Questions: 50 Version: 8.0 Question:

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017 vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017 vrealize Suite Lifecycle Manager 1.0 Installation and Management You can find the most up-to-date technical documentation

More information

Citrix SD-WAN for Optimal Office 365 Connectivity and Performance

Citrix SD-WAN for Optimal Office 365 Connectivity and Performance Solution Brief Citrix SD-WAN for Optimal Office 365 Connectivity and Performance Evolving Needs for WAN Network Architecture Enterprise networks have historically been architected to provide users access

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision A McAfee Next Generation Firewall 5.7.10 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

High Availability Synchronization PAN-OS 5.0.3

High Availability Synchronization PAN-OS 5.0.3 High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...

More information

Dolby Conference Phone. Configuration guide for Unify OpenScape Enterprise Express 8.0.x

Dolby Conference Phone. Configuration guide for Unify OpenScape Enterprise Express 8.0.x Dolby Conference Phone Configuration guide for Unify OpenScape Enterprise Express 8.0.x Version 3.2 28 June 2017 Copyright 2017 Dolby Laboratories. All rights reserved. Dolby Laboratories, Inc. 1275 Market

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER 7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:

More information

Deploying the BIG-IP System with HTTP Applications

Deploying the BIG-IP System with HTTP Applications Important: This guide has been archived. While the content in this guide is still valid for the products and versions listed in the document, it is no longer being updated and may refer to F5 or third

More information