How To: Configure a Generic L3 Inline service

Overview

An Inline Layer 3 inspection service passes traffic through one or more service devices at Layer 3 (IP). You use inline services in service chains, where each service device communicates with BIG-IP Next on the ingress side and over two VLANs. These VLANs, called (From: VLAN and TO: VLAN), route traffic toward the intranet and the internet, respectively.

An Inline layer 3 service assigns IP addresses to network interfaces and participates in traffic routing. It has physically or logically separate inbound (to-device) and outbound (from-device) interfaces.

Note: Ensure that the ingress/egress VLANs are already defined on the BIG-IP Next Instance to which you want to deploy the service.

Procedure

Central Manager GUI

To create an L3 Inline inspection service using the BIG-IP Next Central Manager user interface:

1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.

2. At the top of the screen, click + Create.

3. In the Inspection Service drop-down list, select Generic Inline L3.

4. If you have not created any inspection service before, click Start Creating or click + Create if you already have some inspection services and want to create more inspection services.

5. Specify General Properties for the policy.

   1. For Name, enter a name for the TAP Service.

   2. For Description, add a description for the service, if required.

   3. For Device Monitor, specify the monitor to track the availability and performance of services on the nodes, pools, or pool members to which you attach them.

   4. For Service Down Action, specify the action to be taken when a destination device associated with the service becomes unavailable or goes down.

      • Ignore: Traffic to the service is ignored and is sent to the next service in the chain.

      • Drop: Stops forwarding traffic to the affected service.

      • Reset: Resets the connection to the client.

   5. For SNAT, select whether you want to use a SNAT Pool or SNAT Auto Map to translate addresses. SNAT Auto Map uses a BIG-IP Next Self IP address to replace each client source-IP address. With SNAT Auto Map you do not have to define a pool of distinct host addresses for SNAT to use. Unless your traffic volume is small, you should define SNAT addresses instead of using SNAT Auto Map.

   6. For Remap Port, specify the port to which you want to remap the traffic.

6. Toggle the iRules radio button in the Additional Features section, if you want to include iRules for creating the service. The iRules tab will be added to the left pane.

7. Specify Network settings for the policy.

   1. In the To:VLAN section,

      • For VLAN, specify the L1 network VLAN created during BIG-IP Next Onboarding for entry of traffic . Entry refers to the traffic that leaves BIG-IP Next and enters the inspection device.

        Note: Do not use the same ‘TO VLAN’ for more than one inspection service.

      • For Inspection Service Endpoint, specify the server addresses where network traffic is to be monitored and analyzed.

   2. In the From:VLAN section,

      • For VLAN, specify the L1 network VLAN created during BIG-IP Next Onboarding for return of traffic. Return refers to the traffic that the device sends back to BIG-IP Next.

      • For Inspection Service Endpoint, specify the server addresses where network traffic is to be monitored and analyzed.

8. In the iRules tab,

   • Click Start Adding.

   • Select the required iRules from the drop-down list.

   • Click Add to List.

   • Click Save & Continue.

9. Select Review & Deploy to deploy the configuration.

10. Verify the details in the Summary section and click Start Adding.

11. Select the BIG-IP Instances to which you want to deploy the service.

12. Click Add to List.

13. You can select each instance to which you want to deploy the inspection service and click Validate. It will validate whether the VLAN configured for this Inspection Service exists on the Instance and display the relevant status.

14. If you want to modify the network configuration for an instance or if the VLAN configured for this Inspection Service does not exist on the instances added, you can create VLANs or modify the netowrk configuration on the instances using the respective Configure icon. To modify the network configuration of an instance:

    1. Click the Configure icon. The Network page appears.

    2. In the To: VLAN section, select an available VLAN or click + Create Vlan to create a new VLAN.

    3. Click the L1networks tab. Skip to Step c if you want to use an existing L1 network.

       1. Click +Create to create a new L1 Network.

       2. Enter a network name and interface name for the L1 network and the number of VLANs associated.

       3. Click Save.

    4. Click the VLANs tab.

       1. Click +Create to create a new VLAN.

       2. Enter the VLAN names that you added at step 7 or enter a new VLAN name.

       3. Enter a tag and select the L1 Network from the dropdown.

       Note: You can also use an exisiting L1 Network without creating a new L1 Network.

    5. Click the Addresses field or Click IP Addresses tab.

       1. Click + Create.

       2. Add IP Address and Device Name.

       3. Select the VLAN you created.

    6. Repeat the above steps for From: VLAN configuration.

    7. Click Save. The VLANs are deployed on the BIG-IP Next Instance.

       Note: You can also use an exisiting VLAN without creating a new VLAN.

       Note: When you create and configure a new VLAN for an instance, the respective Vlan column is updated with the new VLAN name.

14.Select the instance(s).
15.Click Deploy Changes.
16. Click Yes, Deploy to deploy to the service to the selected instances.

Central Manager API

Configure network objects

Typically, a BIG-IP Next user configures L1-networks objects during BIG-IP Next onboarding, including VLANs and self-IPs. If any additional network configuration objects (Virtual Routing Function (VRFs)) are not available on the instance, they are auto generated when you deploy the service.
You can create a VLAN during the onboarding and specify the VLAN while configuring an inspection service in Central Manager. For more details, see Getting Started with Installation. You can also create the VLAN from Central Manager before deploying the inspection service to an instance. For more details, see How to: Configure Instance Specific Network Settings using CM APIs

Configure an L3 Inline Service

To configure an L3 Inline service using Central Manager API:

1. Send a POST request to the /v1/spaces/default/security/inspection-services endpoint.

   POST {{CM}}/api/v1/spaces/default/security/inspection-services
   

2. For the API body, use the following example, substituting appropriate values for the service you want to create.

   For schema details, refer to the L3 Inline service section in the Reference: Inspection Service objects page.

   In the following example:

   type - For an L3 Inline service, the value of this property is set to l3 .

   to- Refers to To Service Configuration. Specifies the L4-serverside entry object for entry of traffic from BIG-IP Next to the inspection device.

   from - Refers to From Service Configuration. Specifies the L4-clientside return object for return of traffic from the inspection device to BIG-IP Next.

   For the Inline L3 inspection service, the minimum requirements for defining are illustrated in the following examples. The resulting ID will be at .id.

Basic

POST {{CM}}/api/v1/spaces/default/security/inspection-services

{
  "name": "my-sslo-ngfw",
  "description": "My SSLO L3 Inspection Service",
  "type": "l3",
  "serviceDownAction": "ignore",
  "to": {
    "network": {
      "vlan": "sslo-insp-l3-in",
      "endpoints": [
        {
          "address": "198.19.64.30:0"
        }
      ],
      "snat": {
        "snatType": "NONE"
      }
    },
    "monitor": {
      "icmp": {
        "interval": 5,
        "timeout": 16
      }
    }
  },
  "from": {
    "network": {
      "vlan": "sslo-insp-l3-out"
    }
  }
}

Curl

INSP=$(cat <<EOF
{
  "name": "my-sslo-ngfw",
  "description": "My SSLO L3 Inspection Service",
  "type": "l3",
  "serviceDownAction": "ignore",
  "to": {
    "network": {
      "vlan": "sslo-insp-l3-in",
      "endpoints": [
        {
          "address": "198.19.64.30:0"
        }
      ],
      "snat": {
        "snatType": "NONE"
      }
    },
    "monitor": {
      "icmp": {
        "interval": 5,
        "timeout": 16
      }
    }
  },
  "from": {
    "network": {
      "vlan": "sslo-insp-l3-out"
    }
  }
}
EOF
)
insp_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/security/inspection-services" -d "${INSP}" |jq -r '.id')

API Reference

Required	Attribute	Defaults	Notes
*	name	none
*	description	none
*	type	none	string: must be "l3"
*	serviceDownAction	none	"ignore", "drop", or "reset"
*	to: network: vlan	none	string: vlan-name
*	to: network: endpoints: address	none	string: ip-address:0
*	to: network: snat: snatType	none	"NONE", "AUTOMAP", or "POOL"
	to: network: snat: snatType: POOL	none	"addresses": [  "10.0.0.200",  "10.0.0.201" ]
*	monitor		"icmp": {  "interval": 5,  "timeout": 16 } "http" {  "interval": 5,  "timeout": 16,  "sendString": "",  "receiveString": "",  "receiveDisableString": "",  "username": "",  "password": "" } "tcp": {  "interval": 5,  "timeout": 16  "sendString": ""  "receiveString": ""  "receiveDisableString": "" }
*	from: network: vlan		string: vlan-name

For more information on the APIs, refer to Open API documentation https://clouddocs.f5.com/products/bigip-next/mgmt-api/latest/ApiReferences/bigip_public_api_ref/r_openapi-next.html

Note: To configure instance specific network settings, refer to How to: Configure Instance Specific Network Settings using CM APIs

Next Steps:

• How To: Deploy a service to a BIG-IP Instance using CM APIs