The need

Dynamic orchestration of security infrastructure is needed when an organization has to move traffic seamlessly from one active security solution to another and then change or update the first one. The process must not interrupt the traffic flow, and it must not let encrypted traffic bypass inspection. When swapping out a security solution there may be a need to bypass that solution entirely. When updating a security solution, customers may want to bypass only that solution, and only temporarily, while traffic flow, decryption and inspection by the rest of the security stack continue uninterrupted. Customers may also want to direct traffic streams to new security solutions in a dynamic service chain to try them out.

F5's SSL Orchestrator simplifies many security solution changes while reducing time, cost and impact. It also reduces the risk that traffic bypasses inspection during a change, and with it the window for exploitation. By orchestrating the security stack, customers can streamline the often time-consuming and inefficient security change-management process and reduce the risk of disruptive consequences.

Introduction

This article explains how SSL Orchestrator can be used to simplify Change Management processes and procedures and to shorten the duration of the entire process.

This article is divided into the following high level sections:

  • Create a new topology to perform testing
  • Monitor server statistics, change the weight ratio and check server stats again
  • Remove a single security device from the service
  • Perform maintenance on the removed security device
  • Add the security device to the new topology
  • Test functionality with a single client
  • Add security device back to the original topology
  • Test functionality again
  • Repeat to perform maintenance on the other security device

The steps in this article assume that SSL Orchestrator is configured on a BIG-IP device and that an AFM device has been added as a service; the AFM service is used as the example throughout. The procedure is very similar for other security devices, such as Palo Alto, Cisco Firepower and FireEye, which can be configured the same way.

Create a new topology to perform testing

A new topology will be used to safely test the service after maintenance is performed. The topology should be similar to the one used for production traffic. This topology can be re-used in the future.

From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration. Click Add under Topologies.

Scroll to the bottom of the next screen and click Next.

Give it a name, Topology_Staging in this example.

Select L2 Inbound as the topology type then click Save & Next.

For the SSL Configurations you can leave the default settings. Click Save & Next at the bottom.

Click Save & Next at the bottom of the Services List.

Click the Add button under Services Chain List. A new Service Chain is needed so we can remove AFM2 from the Production Service and add it here.

Give the Service Chain a name, Staging_Chain in this example. Click Save at the bottom.

Note: The Service will be added to this Service Chain later.

Click Save & Next.

Click the Add button on the right to add a new rule.

For Conditions select Client IP Subnet Match.

Enter the Client IP and mask, 10.1.11.52/32 in this example. Click New to add the IP/Subnet.

Set the SSL Proxy Action to Intercept.

Set the Service Chain to the one created previously.

Click OK.

Note: This rule is written so that a single client computer (10.1.11.52) will match and can be used for testing.

Select Save & Next at the bottom.

For the Interception Rule set the Source Address to 10.1.11.52/32. Set the Destination Address/Mask to 10.4.11.0/24. Set the port to 443.

Select the VLAN for your Ingress Network and move it to Selected.

Set the L7 Profile to Common/http.

Click Save & Next.

For Log Settings, scroll to the bottom and select Save & Next.

Click Deploy.

Monitor server statistics

Check the Virtual Server statistics on the BIG-IP we will be performing maintenance on. It's "AFM2" in this example.

Under Local Traffic click Virtual Servers.

Then select Statistics > Virtual Server.

Set Auto Refresh to 10 seconds.

In this example you can see we have 5 Virtual Servers. The statistic counters should increment every time the screen refreshes. These servers appear to be healthy.

Change the weight ratio

Return to the SSL Orchestrator Configuration Utility. Click SSL Orchestrator > Configuration > Services, then the Service name, ssloS_IPS in this example.

Click the pencil icon to edit the Service.

Click the pencil icon to edit the Network Configuration for AFM1.

Set the ratio to 65535 and click Done.

Note: Alternatively, you could disable the Pool Member under LTM > Pools.

Click Save & Next at the bottom.

Click OK if presented with the following warning.

Click Deploy.

Click OK when presented with the Success message.

Check server statistics again

Check the Virtual Server statistics on "AFM2" again. With Auto Refresh on, the statistics should no longer increment. Current Connections should eventually reach zero for all Virtual Servers.

Remove a single AFM device from the service

Return to the SSL Orchestrator Configuration Utility. Click SSL Orchestrator > Configuration > Services, then the Service name, ssloS_IPS in this example.

Click the pencil icon to edit the Service.

Under Network Configuration, delete AFM2.

Click Save & Next at the bottom.

Click OK if presented with the following warning.

Click Deploy.

Click OK when presented with the Success message.

Perform maintenance on the AFM device

At this point AFM2 has been removed from the Incoming_Security Topology and is no longer handling production traffic. AFM1 is now handling all of the production traffic.

We can now perform a variety of maintenance tasks on AFM2 without disrupting production traffic. When done with the task(s) we can then safely test/verify the health of AFM2 prior to moving it back into production.

Some examples of maintenance tasks:

  • Perform a software upgrade to a newer version.
  • Make policy changes and verify they work as expected.
  • Physically move the device.
  • Replace a hard drive, fan and/or power supply.

Add the AFM device to the new topology

This will allow us to test its functionality with a single client computer, prior to moving it back to production.

From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging.

Click the pencil icon on the right to edit the Service.

Click Add Service.

Select the Generic Inline Layer 2 Service and click Add.

Give it a name or leave the default. Click Add under Network Configuration.

Set the From and To VLANs to those connecting AFM2 and click Done.

Click Save at the bottom.

Click the Service Chain icon.

Click the Staging_Chain.

Move the GENERIC Service from Available to Selected and click Save.

Click OK.

Click Deploy.

Click OK.

Test functionality with a single client

Earlier we created a security policy rule matching source IP 10.1.11.52 that sends traffic through the Staging_Chain, which now contains the AFM device we just performed maintenance on.

Go to that client computer and verify that everything is still working as expected.

The test client has IP 10.1.11.52, and the page still loads from one of the web servers.

Viewing the certificate shows that it is not the same as the production certificate, which confirms the connection is being intercepted by the staging topology rather than the production one.

To ensure that everything is working as expected you can view the Virtual Server Statistics on AFM2, which was the AFM device removed from the Production network.

From Local Traffic select Virtual Servers > Statistics > Virtual Server.

Statistics can be cleared by checking the box and selecting Reset. After a reset, you should see Bits and Packets for 10.4.11.56, assuming you reload the browser a few times from the test client.

It is advisable to check that all of the Virtual Servers are working this way.
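
Both statistics checks in this article, waiting for the counters on AFM2 to stop moving before removing it from the production service, and confirming after a Reset that the test client actually reaches it in staging, come down to comparing two snapshots of the Statistics > Virtual Server screen. This added example, which is not from the article or from F5, does that comparison in Python over constructed snapshots; the virtual server names and counter values are assumptions.

```python
"""Drain and activity check for the virtual servers on an inline service device.

Added example, not part of the original article or of F5's tooling. Two
snapshots of per-virtual-server counters, taken one refresh apart (and both
after any counter Reset), decide whether the device has stopped receiving
production traffic, or whether the staging test client is exercising it."""
from dataclasses import dataclass

@dataclass(frozen=True)
class VsStats:
    bits_in: int    # client-side bits in
    pkts_in: int    # client-side packets in
    cur_conns: int  # current connections

def still_active(before, after):
    """Virtual servers whose counters moved or that still hold open connections."""
    active = {}
    for name, b in before.items():
        a = after[name]
        if a.bits_in != b.bits_in or a.pkts_in != b.pkts_in or a.cur_conns != 0:
            active[name] = a
    return active

def is_drained(before, after):
    """True when every virtual server is quiet, i.e. the device can be removed safely."""
    return not still_active(before, after)

def not_exercised(before, after):
    """Virtual servers the staging test client did not reach (no growth in bits and packets)."""
    return sorted(n for n, a in after.items()
                  if not (a.bits_in > before[n].bits_in and a.pkts_in > before[n].pkts_in))

# Constructed snapshots of AFM2 during the drain, after AFM1's ratio was raised to 65535.
DRAIN_T0 = {"10.4.11.56": VsStats(8_120_000, 9_900, 1),
            "10.4.11.57": VsStats(4_010_000, 5_120, 0),
            "10.4.11.58": VsStats(2_300_000, 3_010, 0)}
DRAIN_T1 = {"10.4.11.56": VsStats(8_120_000, 9_900, 1),   # one long-lived connection left
            "10.4.11.57": VsStats(4_010_000, 5_120, 0),
            "10.4.11.58": VsStats(2_300_000, 3_010, 0)}
DRAIN_T2 = {name: VsStats(s.bits_in, s.pkts_in, 0) for name, s in DRAIN_T1.items()}

# Constructed snapshots of the staging test: counters Reset, then the test client reloads a page.
STAGE_T0 = {name: VsStats(0, 0, 0) for name in DRAIN_T0}
STAGE_T1 = {"10.4.11.56": VsStats(96_000, 120, 0),
            "10.4.11.57": VsStats(0, 0, 0),
            "10.4.11.58": VsStats(0, 0, 0)}
```

At DRAIN_T1 the device is not yet drained because 10.4.11.56 still holds a connection; at DRAIN_T2 it is, and in staging only 10.4.11.56 has been exercised, so the other virtual servers still need a test request.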

Add AFM device back to the original topology

From the SSL Orchestrator GUI select SSL Orchestrator > Configuration > Service Chains.

Select the Staging_Chain.

Select ssloS_Generic on the right and click the left arrow to remove it from Selected.

Click Deploy when done.

Click OK.

Click OK to the Success message.

From the SSL Orchestrator Guided Configuration select SSL Orchestrator > Configuration > Services.

Select the GENERIC Service and click Delete.

Click OK to the Warning.

When that is done click the ssloS_IPS Service.

Click the Pencil icon to edit the Service.

Under Network Configuration click Add.

Set the Ratio to the same value as AFM1, 65535 in this example. Set the From and To VLANs to those connecting AFM2 and click Done.

Click Save & Next at the bottom.

Click OK.

Click Deploy.

Click OK.

Test functionality again

Make sure AFM2 is working properly.

To ensure that everything is working as expected you can view the Virtual Server Statistics on AFM2.

From Local Traffic select Virtual Servers > Statistics > Virtual Server.

Click Refresh or set Auto Refresh to 10 seconds. When the statistics reload, the counters for the Virtual Servers on AFM2 should be incrementing again, as they did before maintenance.

Note: Repeat the above steps to perform maintenance on the other AFM device.

Summary

In this article we learned how to use SSL Orchestrator to simplify Change Management processes and procedures and to shorten the duration of the entire process. We used AFM configured as a service as the example and tested the process. See the lab in the references for hands-on experience with the steps involved and to work with Adv-WAF as a service. Articles with detailed steps for other security services (Palo Alto, FireEye and Cisco Firepower) are listed in the references.

References

F5 deployment basic articles:

  • F5 SSLO Deployment Guides

Related Change at Speed of Business articles:

  • Change at Speed of Business: FireEye NX
  • Change at Speed of Business: Palo Alto
  • Change at Speed of Business: Cisco Firepower

Other SSLO articles:

  • ATC tests F5 SSLO in the Lab
  • F5 BIG-IP SSL Orchestrator (SSLO)
  • F5 BIG-IP Advanced Web Application Firewall (WAF)
  • F5 BIG-IP Access Policy Manager (APM)
  • F5 BIG-IP Advanced Firewall Manager (AFM)
  • Service Chain Management Process with F5 SSLO
  • Start your Journey of F5 + WWT

Labs:

  • Service Chain Management Process with SSLO