How to: Configure HTTP Transparent Inline Service

Overview

An Inline HTTP Transparent service is a network configuration that allows for the inspection and processing of HTTP (Hypertext Transfer Protocol) traffic in a transparent manner. The term “inline” indicates that the service is inserted directly into the network path, allowing it to intercept and analyze traffic as it flows through the network.

It necessitates distinct “to-service” and “from-service” networks. This ensures that traffic flows from the BIG-IP to the device on one network and returns to the BIG-IP via a separate network. Although functionally equivalent to an inline Layer 3 (L3) inspection device, this proxy device specifically manages decrypted HTTP traffic.

In an HTTP Transparent Inline setup, the proxy intercepts and processes HTTP traffic without requiring explicit configuration on the client side. Clients are typically unaware that their traffic is being directed through a proxy.

Procedure

The following example creates an HTTP Transparent Inline inspection service using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.

  2. If you have not created any inspection service before, click Start Creating or click + Create if you already have some inspection services and want to create more inspection services.

  3. In the Inspection Service drop-down list, select HTTP Transparent Inline.

  4. Click Start Creating.

  5. Specify General Properties for the policy.

    1. For Name, enter a name for the HTTP Transparent Inline Service.

    2. For Description, add a description for the service, if required.

  6. For Device Monitor, specify the monitor to track the availability and performance of services on the nodes, pools, or pool members to which you attach them.

  7. For Service Down Action, specify the action to be taken when a destination device associated with the service becomes unavailable or goes down. - Ignore: Skips forwarding traffic to the down service and forwards traffic to the next service in the chain. - Drop: Stops forwarding traffic to the affected service. - Reset: Resets the connection to the client.

  8. For SNAT, select whether you want to use a SNAT Pool or SNAT Auto Map to translate addresses. SNAT Auto Map uses a BIG-IP Next Self IP address to replace each client source-IP address. With SNAT Auto Map you do not have to define a pool of distinct host addresses for SNAT to use. Unless your traffic volume is small, you should define SNAT addresses instead of using SNAT Auto Map.

  9. For Remap Port, specify the port to which you want to remap the traffic.

  10. Toggle the iRules radio button in the Additional Features section, if you want to include iRules for creating the service. The iRules tab will be added to the left pane.

  11. Specify Network settings for the policy.

    1. In the To:VLAN section,

      1. For VLAN, Specify the L1 network VLAN created during BIG-IP Next Onboarding for entry of traffic. Entry refers to the traffic that leaves BIG-IP Next and enters the inspection device.

        Note: Do not use the same ‘TO VLAN’ for more than one inspection service.

      2. For Inspection Service Endpoint, specify the server address that BIG-IP will send traffic to.

    2. In the From:VLAN section,

      1. For VLAN, Specify the L1 network VLAN created during BIG-IP Next Onboarding for return of traffic. Return refers to the traffic that the device sends back to BIG-IP Next.

      2. For Inspection Service Endpoint, specify the server address that BIG-IP will receive traffic from.

  12. Optional: In the iRules tab,

    1. Click Start Adding.

    2. Select the required iRules from the drop-down list.

    3. Click Add to List.

    4. Click Save & Continue.

  13. Select Review & Deploy to deploy the configuration.

  14. Verify the details in the Summary section and click Start Adding.

  15. Select the BIG-IP Next Instances to which you want to deploy the service.

    Note: Ensure to add a BIG-IP Next instance to Central Manager before you can deploy your changes to the Instance.

  16. Click Add to List.

  17. You can select each instance to which you want to deploy the inspection service and click Validate. It will validate whether the VLAN configured for this Inspection Service exists on the Instance and display the relevant status.

  18. If you want to modify the network configuration for an instance or if the VLAN configured for this Inspection Service does not exist on the instances added, you can create VLANs or modify the netowrk configuration on the instances using the respective Configure icon. TTo modify the network configuration of an instance:

    1. Click the Configure icon. The Network page appears.

    2. In the To: VLAN section, select an available VLAN or click + Create Vlan to create a new VLAN.

    3. Click the L1networks tab. Skip to Step c if you want to use an existing L1 network.

      1. Click +Create to create a new L1 Network.

      2. Enter a network name and interface name for the L1 network and the number of VLANs associated.

      3. Click Save.

    4. Click the VLANs tab.

      1. Click +Create to create a new VLAN.

      2. Enter the VLAN names that you added at step 7 or enter a new VLAN name.

      3. Enter a tag and select the L1 Network from the dropdown.

      Note: You can also use an exisiting L1 Network without creating a new L1 Network.

    5. Click the Addresses field or Click IP Addresses tab.

      1. Click + Create.

      2. Add IP Address and Device Name.

      3. Select the VLAN you created.

    6. Repeat the above steps for From: VLAN configuration.

    7. Click Save. The VLANs are deployed on the BIG-IP Next Instance.

      Note: You can also use an exisiting VLAN without creating a new VLAN.

      Note: When you create and configure a new VLAN for an instance, the respective Vlan column is updated with the new VLAN name.

14.Select the instance(s).
15.Click Deploy Changes.
16.Click Yes, Deploy to deploy to the service to the selected instances.

Configure network objects

Typically, a BIG-IP Next user configures L1-networks objects during BIG-IP Next onboarding, including VLANs and self-IPs. If any additional network configuration objects (Virtual Routing Function (VRFs)) are not available on the instance, they are auto generated when you deploy the service.
You can create a VLAN during the onboarding and specify the VLAN while configuring an inspection service in Central Manager. For more details, see Getting Started with Installation. You can also create the VLAN from Central Manager before deploying the inspection service to an instance. For more details, see How to: Configure Instance Specific Network Settings using CM APIs

Configure an HTTP Tranparent Service

For the Inline HTTP Transparent inspection service, the minimum requirements for defining are illustrated in the following examples. The resulting ID will be at .id.

  1. Send a POST request to the /v1/inspection-services endpoint.
    POST {{CM}}/api/v1/spaces/default/security/inspection-services

  2. For the API body, use the following example, substituting appropriate values for the service you want to create.
    In the following example:

  • Type - For an Inline HTTP Transparent inspection service, the value of this property is set to http-transparent.

  • to (network)- Specify the L1 network VLAN created during BIG-IP Next Onboarding for entry of traffic.

  • from (network)- Specify the L1 network VLAN created during BIG-IP Next Onboarding for return of traffic.

  • monitor: Specify the monitor to track the availability and performance of services on the nodes, pools, or pool members to which you attach them. BIG-IP Next SSL Orchestrator currently supports only the ICMP monitor.

    Basic

    POST {{CM}}/api/v1/spaces/default/security/inspection-services

    {
"name": "my-sslo-tproxy",
"description": "My SSLO HTTP Transparent Service",
"type": "http-transparent",
"serviceDownAction": "ignore",
"to": {
    "network": {
    "vlan": "sslo-insp-tproxy-in",
    "endpoints": [
        {
        "address": "198.19.98.30:0"
        }
    ],
    "snat": {
        "snatType": "NONE"
    }
    },
    "monitor": {
    "icmp": {
        "interval": 5,
        "timeout": 16
    }
    }
},
"from": {
    "network": {
    "vlan": "sslo-insp-tproxy-out"
    }
}
}

    Curl

    INSP=$(cat <<EOF
{
"name": "my-sslo-tproxy",
"description": "My SSLO HTTP Transparent Service",
"type": "http-transparent",
"serviceDownAction": "ignore",
"to": {
    "network": {
    "vlan": "sslo-insp-tproxy-in",
    "endpoints": [
        {
        "address": "198.19.98.30:0"
        }
    ],
    "snat": {
        "snatType": "NONE"
    }
    },
    "monitor": {
    "icmp": {
        "interval": 5,
        "timeout": 16
    }
    }
},
"from": {
    "network": {
    "vlan": "sslo-insp-tproxy-out"
    }
}
}
EOF
)
insp_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/security/inspection-services" -d "${INSP}" |jq -r '.id')

API Reference

Required Attribute Defaults Notes
* name none
* description none
* type none string: must be "http-transparent"
* serviceDownAction none "ignore", "drop", or "reset"
* to: network: vlan none string: vlan-name
* to: network: endpoints: address none string: ip-address:0
* to: network: snat: snatType none "NONE", "AUTOMAP", or "POOL"
to: network: snat: snatType: POOL none "addresses": [
 "10.0.0.200",
 "10.0.0.201"
]
* monitor "icmp": {
 "interval": 5,
 "timeout": 16
}

"http" {
 "interval": 5,
 "timeout": 16,
 "sendString": "",
 "receiveString": "",
 "receiveDisableString": "",
 "username": "",
 "password": ""
}
"tcp": {
 "interval": 5,
 "timeout": 16
 "sendString": ""
 "receiveString": ""
 "receiveDisableString": ""
}
* from: network: vlan string: vlan-name

Note: To configure instance specific network settings, refer to How to: Configure Instance Specific Network Settings using CM APIs

Next Steps: