# How to: Manage Security Policies

## Overview
SSL Orchestrator security policies are the engine that drives traffic flow analysis and dynamic service chaining. With a security policy rule set, you define a wide array of conditions (traffic matching rules) and the actions to take when a condition matches.
To create a policy using the BIG-IP Next Central Manager user interface:

1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.
2. Click Policies from the left navigation pane.
3. Click +Create.
4. Enter a name and description for the policy.
5. From the Type drop-down list, select the policy type as per your requirement:
   - Inbound Gateway to configure the SSL Orchestrator policy to support incoming traffic in gateway mode.
   - Inbound Application to configure the SSL Orchestrator policy to support incoming traffic in application mode.
   - Outbound Gateway to configure the SSL Orchestrator policy to support outgoing traffic in gateway mode.
6. Select Next.
7. In the Traffic Rules section:
   a. Select Start Creating to define conditions and actions for traffic management.
   b. In the Create Traffic Rule page, enter a name and description for the traffic rule.
   c. Select Save & Continue.
   d. In the Conditions section, click Start Creating.
   e. Select the required values in the Conditions fields. The supported combinations of parameter, operator, and value are listed in the following table.

   | Parameter | Description | Operator | Value |
   |---|---|---|---|
   | IP Protocol | Post decryption (interception), the security policy has an opportunity to inspect the application layer traffic and, in some cases, determine what the protocol is. This condition detects various types of TCP/UDP protocols. Note: After interception, the security policy removes the option to perform SSL intercept/bypass actions on the matching traffic. | Equals, Not Equals | TCP, UDP |
   | IP Version | This condition matches the IP version, to specify the criteria for traffic handling. | Equals | IPV4, IPV6 |
   | Client Port Match | This condition matches the client (source) port. | Equals, Not Equals, Less than, Less than or equal to, Greater than, Greater than or equal to | The integer value entered by the user. |
   | Server Port Match | This condition matches the server (destination) port. | Equals, Not Equals, Less than, Less than or equal to, Greater than, Greater than or equal to | The integer value entered by the user. The range of ports allowed is 0-65535. |
   | Client IP Subnet Match | This condition matches the client (source) address directly and must contain both the IP address and a subnet (CIDR) mask. For example, to match a single IP address, you might enter “10.10.0.100/32”, where 10.10.0.100 is the IP address and /32 is the CIDR mask indicating a single IP address. To cast a larger net, you could also enter something like “10.10.0.0/24”, which matches every address in the 10.10.0.x range. | Matches, Does not match | The IP address (with CIDR mask) entered by the user. |
   | Server IP Subnet Match | This condition matches the server (destination) address directly and must contain both the IP address and a subnet (CIDR) mask. For example, to match a single IP address, you might enter “10.10.0.100/32”, where 10.10.0.100 is the IP address and /32 is the CIDR mask indicating a single IP address. To cast a larger net, you could also enter something like “10.10.0.0/24”, which matches every address in the 10.10.0.x range. | Matches, Does not match | The IP address (with CIDR mask) entered by the user. |
   | Server Name | This condition matches the specified server name. | Equals, Not equal, Starts with, Not Start with, Ends with, Not Ends with, Contains, Not Contains, Exists, Not Exists | The custom value entered by the user. |

   Note: If you have created data groups for the following parameters in the Application section of Central Manager, you can use them when defining the conditions for a policy. The Client IP Subnet and Server IP Subnet parameters support address-type data groups; the Client Port and Server Port parameters support integer-type data groups; the IP Protocol and Server Name parameters support string-type data groups. For more information on creating data groups, refer to [How to: Manage data groups for a BIG-IP Next instance using BIG-IP Next Central Manager](https://clouddocs.f5.com/bigip-next/latest/use_cm/cm_create_data_groups.html).
8. In the Actions section, select the required values for the Flow Action, SSL Action, and Service Chain fields.
   a. From the Flow Action drop-down list, select an action for the traffic flow:
      - Allow: Lets the traffic pass through without any changes.
      - Reset: Sends a TCP reset to both client and server. This action terminates the session.
      - Drop: Drops the traffic. The packets are discarded silently.
      - Redirect: Redirects the traffic to a different location.
   b. If you selected the Allow flow action, select an action (Intercept or Bypass) for the SSL traffic from the SSL Action drop-down list.
      - Intercept: Allows SSL Orchestrator to decrypt the SSL traffic for inspection.
      - Bypass: Lets the encrypted traffic pass through SSL Orchestrator without any inspection.
      Note: For the Redirect flow action, the SSL action is automatically set to Intercept.
   c. If you selected the Allow or Redirect flow action, you can add a service chain to inspect the traffic. In the Service Chain List, select None, select an available service chain, or create a new service chain.
   d. If you selected Redirect in the Flow Action drop-down list, enter the URL to which you want to redirect the traffic in the Location field.
   e. Select the Log Action checkbox to add a log message, and enter the log message in the text field.
   f. Select the severity of the log message from the Log Level drop-down list.
9. In the Logging Rules section:
   a. Select Start Creating to define conditions and actions for data logging.
   b. Enter a name and description for the logging rule.
   c. Select Save & Continue.
   d. In the Conditions section, click Start Creating.
   e. Select the appropriate values in the Conditions fields. The condition parameters, operators, and values are the ones listed in the table above.
10. Select Save & Finish. The policy is created with the selected conditions and actions.
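The Conditions table and the Actions constraints above can be checked locally before a rule set is created in Central Manager. The following Python model is an added example, not part of this page and not F5's SSL Orchestrator code: it encodes the table's parameters, operators and value limits (ports 0-65535, subnet values in IP/CIDR form, IPV4/IPV6, TCP/UDP), the Actions-section rules that Redirect forces Intercept and that Reset/Drop take no SSL action or service chain, and the note that a rule carrying an IP Protocol condition cannot choose intercept or bypass. First-match rule evaluation, AND-ed conditions within a rule, the `Flow`/`Condition`/`Rule` names and fields, and the sample rules and flows are all assumptions of this model.

```python
import ipaddress
import operator
from dataclasses import dataclass, field
from typing import Optional

# Operators per parameter, labelled exactly as in the Conditions table.
PORT_OPS = {"Equals": operator.eq, "Not Equals": operator.ne, "Less than": operator.lt,
            "Less than or equal to": operator.le, "Greater than": operator.gt,
            "Greater than or equal to": operator.ge}
NAME_OPS = {"Equals": operator.eq, "Not equal": operator.ne,
            "Starts with": str.startswith, "Not Start with": lambda n, v: not n.startswith(v),
            "Ends with": str.endswith, "Not Ends with": lambda n, v: not n.endswith(v),
            "Contains": lambda n, v: v in n, "Not Contains": lambda n, v: v not in n}

@dataclass
class Flow:  # assumed representation of one connection
    client_ip: str
    server_ip: str
    client_port: int
    server_port: int
    ip_protocol: str                   # "TCP" or "UDP"
    server_name: Optional[str] = None  # e.g. the TLS SNI; None when absent

@dataclass
class Condition:
    parameter: str  # a Parameter from the table
    op: str         # an Operator from the table
    value: object = None

@dataclass
class Rule:
    name: str
    conditions: list = field(default_factory=list)
    flow_action: str = "Allow"          # Allow | Reset | Drop | Redirect
    ssl_action: Optional[str] = None    # Intercept | Bypass
    service_chain: Optional[str] = None
    location: Optional[str] = None      # Redirect URL

def validate_condition(c: Condition) -> None:
    """Reject operator/value combinations the Conditions table does not allow."""
    if c.parameter == "IP Protocol":
        ok = c.op in ("Equals", "Not Equals") and c.value in ("TCP", "UDP")
    elif c.parameter == "IP Version":
        ok = c.op == "Equals" and c.value in ("IPV4", "IPV6")
    elif c.parameter in ("Client Port Match", "Server Port Match"):
        ok = c.op in PORT_OPS and isinstance(c.value, int) and 0 <= c.value <= 65535
    elif c.parameter in ("Client IP Subnet Match", "Server IP Subnet Match"):
        ok = c.op in ("Matches", "Does not match") and "/" in str(c.value)
        if ok:
            ipaddress.ip_network(c.value, strict=False)  # raises on a malformed IP/CIDR
    else:
        ok = c.parameter == "Server Name" and (c.op in NAME_OPS or c.op in ("Exists", "Not Exists"))
    if not ok:
        raise ValueError(f"condition not allowed by the table: {c}")

def validate_rule(r: Rule) -> None:
    """Apply the Actions-section constraints to one rule."""
    for c in r.conditions:
        validate_condition(c)
    if r.flow_action == "Redirect":
        if not r.location:
            raise ValueError("Redirect needs a Location URL")
        r.ssl_action = "Intercept"  # Redirect always intercepts
    if r.flow_action in ("Reset", "Drop") and (r.ssl_action or r.service_chain):
        raise ValueError("SSL action and service chain apply only to Allow or Redirect")
    # IP Protocol is only known after interception, so the rule can no longer intercept/bypass.
    if r.ssl_action and any(c.parameter == "IP Protocol" for c in r.conditions):
        raise ValueError("a rule with an IP Protocol condition cannot set an SSL action")

def matches(c: Condition, f: Flow) -> bool:
    """Evaluate one condition against one flow."""
    if c.parameter == "IP Protocol":
        return (f.ip_protocol == c.value) == (c.op == "Equals")
    if c.parameter == "IP Version":
        return ipaddress.ip_address(f.client_ip).version == (4 if c.value == "IPV4" else 6)
    if c.parameter.endswith("Port Match"):
        port = f.client_port if c.parameter.startswith("Client") else f.server_port
        return PORT_OPS[c.op](port, c.value)
    if c.parameter.endswith("IP Subnet Match"):
        addr = f.client_ip if c.parameter.startswith("Client") else f.server_ip
        inside = ipaddress.ip_address(addr) in ipaddress.ip_network(c.value, strict=False)
        return inside == (c.op == "Matches")
    if c.op in ("Exists", "Not Exists"):  # Server Name presence checks
        return (f.server_name is not None) == (c.op == "Exists")
    return f.server_name is not None and NAME_OPS[c.op](f.server_name, c.value)

def evaluate(rules: list, f: Flow) -> Optional[Rule]:
    """Return the first rule whose conditions all match (assumed first-match, AND semantics)."""
    for r in rules:
        validate_rule(r)
        if all(matches(c, f) for c in r.conditions):
            return r
    return None

SAMPLE_RULES = [  # constructed sample rule set, not taken from the page
    Rule("bypass-banking", [Condition("Server Name", "Ends with", ".bank.example")], ssl_action="Bypass"),
    Rule("inspect-internal", [Condition("Client IP Subnet Match", "Matches", "10.10.0.0/24"),
                              Condition("Server Port Match", "Equals", 443)],
         ssl_action="Intercept", service_chain="sc-id-placeholder"),
    Rule("default-drop", flow_action="Drop"),
]
```

With `SAMPLE_RULES`, a flow from 10.10.0.100 to port 443 with SNI `www.bank.example` is matched by `bypass-banking`, the same flow with any other SNI is intercepted through the service chain by `inspect-internal`, and a flow from outside 10.10.0.0/24 falls through to `default-drop`. `validate_condition` rejects a port of 70000, a subnet value without a CIDR mask, and an IP Version condition using any operator other than Equals, which are the same inputs the UI table does not offer.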
To create a policy using the BIG-IP Next Central Manager API:

To create a policy, send a PUT request to the `/api/v1/spaces/default/security/ssl-orchestrator-policies` endpoint. In the following example:

a. `policyType`: Specifies the type of policy. Set to `inbound-gateway` for inbound gateway mode, `outbound-gateway` for outbound gateway mode, and `default` for inbound application mode.
b. `trafficRuleSets`: Includes the rules (conditions and actions) for traffic flow.
c. `loggingRuleSets`: Includes the rules (conditions and actions) for collecting data.

Basic

```
POST https://{{cm_mgmt_IP}}/api/v1/spaces/default/security/ssl-orchestrator-policies
```

```json
{
  "policyName": "my-sslo-policy",
  "policyType": "default",
  "trafficRuleSets": [
    {
      "ruleType": "traffic",
      "rules": [
        {
          "name": "All Traffic",
          "conditions": [],
          "actions": [
            { "actionType": "SSL_PROXY_INTERCEPT" },
            { "actionType": "SERVICE_CHAIN", "serviceChain": "[service-chain-id]" }
          ]
        }
      ]
    }
  ]
}
```

Curl

```bash
# Policy body, identical to the Basic example above.
POLICY=$(cat <<EOF
{
  "policyName": "my-sslo-policy",
  "policyType": "default",
  "trafficRuleSets": [
    {
      "ruleType": "traffic",
      "rules": [
        {
          "name": "All Traffic",
          "conditions": [],
          "actions": [
            { "actionType": "SSL_PROXY_INTERCEPT" },
            { "actionType": "SERVICE_CHAIN", "serviceChain": "[service-chain-id]" }
          ]
        }
      ]
    }
  ]
}
EOF
)

# ${token} is a Central Manager bearer token and ${CM} the CM management address.
# -k skips TLS certificate verification; use --cacert <CA bundle> instead once
# the CM certificate is trusted. The response body is stored in policy_id.
policy_id=$(curl -sk \
  -H "Authorization: Bearer ${token}" \
  -H "Content-Type: application/json" \
  "https://${CM}/api/v1/spaces/default/security/ssl-orchestrator-policies" \
  -d "${POLICY}")
```

For more information on API payloads, refer to the Open API documentation.
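The same request in Python, as an added example rather than F5's own client or SDK: it builds the page's payload from the UI policy type name and sends it with TLS certificate verification enabled, instead of the `-k` switch in the curl example. The endpoint, `policyType` values and action types are taken from the page; `cm_host`, `token`, `cafile` and the service chain id are placeholders you supply, and `method` defaults to POST as in the page's request examples (pass `method="PUT"` if your deployment expects it).

```python
import json
import ssl
import urllib.request

ENDPOINT = "/api/v1/spaces/default/security/ssl-orchestrator-policies"

# UI policy type -> API policyType value, as documented on this page.
POLICY_TYPES = {
    "Inbound Gateway": "inbound-gateway",
    "Outbound Gateway": "outbound-gateway",
    "Inbound Application": "default",
}


def build_policy(name: str, ui_type: str, service_chain_id: str) -> dict:
    """Build the page's single-rule payload: one unconditional 'All Traffic'
    rule that intercepts and sends the flow through the given service chain."""
    if ui_type not in POLICY_TYPES:
        raise ValueError(f"unknown policy type {ui_type!r}; expected one of {sorted(POLICY_TYPES)}")
    return {
        "policyName": name,
        "policyType": POLICY_TYPES[ui_type],
        "trafficRuleSets": [{
            "ruleType": "traffic",
            "rules": [{
                "name": "All Traffic",
                "conditions": [],
                "actions": [
                    {"actionType": "SSL_PROXY_INTERCEPT"},
                    {"actionType": "SERVICE_CHAIN", "serviceChain": service_chain_id},
                ],
            }],
        }],
    }


def create_policy(cm_host: str, token: str, policy: dict, cafile: str, method: str = "POST"):
    """Send the policy to Central Manager and return (HTTP status, decoded body).

    cafile is the PEM bundle that issued the CM management certificate, so the
    TLS session is verified (curl -k in the page's example skips that check).
    The page's examples POST; pass method="PUT" if your deployment expects it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        f"https://{cm_host}{ENDPOINT}",
        data=json.dumps(policy).encode("utf-8"),
        method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Placeholders: your CM address, a bearer token from the CM login API, the CA
    # bundle for the CM certificate, and a real service chain id.
    body = build_policy("my-sslo-policy", "Inbound Application", "[service-chain-id]")
    print(json.dumps(body, indent=2))
    # status, created = create_policy("cm.example.internal", "<token>", body, "/etc/ssl/cm-ca.pem")
```

`build_policy` produces exactly the JSON body shown in the Basic example when called with the "Inbound Application" type; the ValueError on an unknown type catches a UI label that has no `policyType` mapping before anything is sent.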