How to: Manage Security Policies

Overview

SSL Orchestrator security policies are the engine that drives traffic flow analysis and dynamic service chaining. With a security policy ruleset, you can define a wide array of conditions (traffic matching rules) and their corresponding actions.

To create a policy using BIG-IP Next Central Manager user interface:

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.

  2. Click Policies from the left navigation pane.

  3. Click the + (Create) button to start a new policy.

  4. Enter a name and description for the policy.

  5. From the Type drop-down list, select Inbound Gateway to configure the SSL Orchestrator policy to support incoming traffic in a gateway mode or select Inbound Application to configure the SSL Orchestrator policy to support incoming traffic in an application mode.

  6. Select Next.

  7. In the Traffic Rules section,

    a. Select Start Creating to define conditions and actions for traffic management.

    b. In the Create Traffic Rule page, enter a name and description for the Traffic Rule.

    c. Select Save & Continue.

    d. In the Conditions section, click Start Creating.

    e. Select the required values in the Conditions fields. Following are the different combinations of conditions supported.

    Each condition has four columns: Parameter, Description, Operator, and Value.

    IP Protocol
      Description: After decryption (interception), the security policy can inspect the application-layer traffic and, in some cases, determine the protocol. This condition detects TCP and UDP protocol types. Note: because this condition is evaluated only after interception, a rule that uses it can no longer apply an SSL Intercept or Bypass action to the matching traffic.
      Operator: Equals, Not Equals
      Value: TCP, UDP

    IP Version
      Description: Matches the IP version of the traffic.
      Operator: Equals
      Value: IPv4, IPv6

    Client Port Match
      Description: Matches the client (source) port.
      Operator: Equals, Not Equals, Less than, Less than or equal to, Greater than, Greater than or equal to
      Value: An integer port number entered by the user, in the range 0-65535.

    Server Port Match
      Description: Matches the server (destination) port.
      Operator: Equals, Not Equals, Less than, Less than or equal to, Greater than, Greater than or equal to
      Value: An integer port number entered by the user, in the range 0-65535.

    Client IP Subnet Match
      Description: Matches the client (source) address directly. The value must contain both the IP address and a subnet (CIDR) mask. For example, to match a single IP address, enter "10.10.0.100/32", where 10.10.0.100 is the address and /32 is the CIDR mask for a single host. To cast a wider net, enter "10.10.0.0/24", which matches every address in the 10.10.0.x range.
      Operator: Matches, Does not match
      Value: The IP address and CIDR mask entered by the user.

    Server IP Subnet Match
      Description: Matches the server (destination) address directly, using the same address/CIDR notation as Client IP Subnet Match (for example "10.10.0.100/32" for a single host or "10.10.0.0/24" for the whole 10.10.0.x range).
      Operator: Matches, Does not match
      Value: The IP address and CIDR mask entered by the user.

    Server Name
      Description: Matches the server name of the connection against the value entered.
      Operator: Equals, Not Equals, Starts with, Not Starts with, Ends with, Not Ends with, Contains, Not Contains, Exists, Not Exists
      Value: The string entered by the user (Exists and Not Exists only test whether a server name is present).

    f. In the Actions section, select the required values for the Flow Action, SSL Action, and Service Chain fields. The available actions are:

    • Flow Action: Allow or Reset the matching traffic flow.

    • SSL Action: Intercept (decrypt for inspection) or Bypass (pass through without decryption) the matching SSL/TLS traffic. This action is not available to a rule that uses the IP Protocol condition, because that condition is evaluated only after interception.

    • Service Chain: Select None, select an existing service chain, or create a new one.

  8. In the Logging Rules section,

    a. Select Start Creating to define conditions and actions for data logging.

    b. Enter a name and description for the Logging Rule.

    c. Select Save & Continue.

    d. In the Conditions section, click Start Creating.

    e. Select the appropriate values in the Conditions fields. Following are the different combinations of conditions supported.

  9. Select Save & Finish. The policy is created with the selected conditions and actions.
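The following is an added example, not F5 code or output of Central Manager: a small local model of how the conditions and actions in the table above combine into a traffic-rule decision. The parameter names, operators, action values and the port/CIDR rules are the ones listed above; everything else is an assumption made for illustration: rules are evaluated top to bottom and the first match wins, every condition in a rule must hold, a rule with no conditions matches all traffic, the service chain id "sc-inspect" is a placeholder, and the three flows are constructed. The validator also enforces the note that a rule using the IP Protocol condition cannot carry an SSL action.

```python
"""Local model of SSL Orchestrator traffic-rule evaluation (illustrative, not F5 code)."""
import ipaddress
import operator
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port operators keyed by the UI label used in the conditions table.
PORT_OPS = {
    "Equals": operator.eq,
    "Not Equals": operator.ne,
    "Less than": operator.lt,
    "Less than or equal to": operator.le,
    "Greater than": operator.gt,
    "Greater than or equal to": operator.ge,
}


@dataclass
class Flow:
    client_ip: str
    server_ip: str
    client_port: int
    server_port: int
    protocol: str                       # "TCP" or "UDP"
    server_name: Optional[str] = None   # requested server name, None when absent


@dataclass
class Rule:
    name: str
    conditions: List[Tuple[str, str, object]]   # (Parameter, Operator, value)
    flow_action: str = "Allow"                   # Allow | Reset
    ssl_action: Optional[str] = None             # Intercept | Bypass | None
    service_chain: Optional[str] = None          # service chain id, or None


def match_server_name(op: str, name: Optional[str], value: str) -> bool:
    """Apply one Server Name operator; the 'Not ...' forms negate their positive form."""
    if op == "Exists":
        return name is not None
    if op == "Not Exists":
        return name is None
    if name is None:                   # nothing to compare, so no other operator can match
        return False
    positive = {"Equals": name == value, "Starts with": name.startswith(value),
                "Ends with": name.endswith(value), "Contains": value in name}
    if op in positive:
        return positive[op]
    base = op.replace("Not ", "", 1)
    if base not in positive:
        raise ValueError(f"unknown Server Name operator {op!r}")
    return not positive[base]


def condition_matches(flow: Flow, param: str, op: str, value) -> bool:
    if param == "IP Protocol":
        return (flow.protocol == value) == (op == "Equals")
    if param == "IP Version":
        return f"IPv{ipaddress.ip_address(flow.client_ip).version}" == value
    if param in ("Client Port Match", "Server Port Match"):
        port = flow.client_port if param.startswith("Client") else flow.server_port
        return PORT_OPS[op](port, int(value))
    if param in ("Client IP Subnet Match", "Server IP Subnet Match"):
        addr = flow.client_ip if param.startswith("Client") else flow.server_ip
        inside = ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
        return inside == (op == "Matches")
    if param == "Server Name":
        return match_server_name(op, flow.server_name, value)
    raise ValueError(f"unknown condition parameter {param!r}")


def validate_rule(rule: Rule) -> None:
    """Reject values the table does not allow, plus the post-decryption caveat."""
    if rule.flow_action not in ("Allow", "Reset") or rule.ssl_action not in (None, "Intercept", "Bypass"):
        raise ValueError(f"{rule.name}: unknown action")
    for param, op, value in rule.conditions:
        if param.endswith("Port Match") and (op not in PORT_OPS or not 0 <= int(value) <= 65535):
            raise ValueError(f"{rule.name}: port conditions take a comparison operator and a port in 0-65535")
        if param.endswith("IP Subnet Match"):
            if op not in ("Matches", "Does not match") or "/" not in str(value):
                raise ValueError(f"{rule.name}: subnet conditions need an address with a CIDR mask, e.g. 10.10.0.100/32")
            ipaddress.ip_network(value, strict=False)      # raises on a malformed address or mask
        if param == "IP Protocol" and rule.ssl_action is not None:
            # IP Protocol is only known after interception, so SSL intercept/bypass is no longer available.
            raise ValueError(f"{rule.name}: IP Protocol conditions cannot be combined with an SSL action")


def evaluate(policy: List[Rule], flow: Flow):
    """Return (rule name, flow action, SSL action, service chain) of the first rule whose conditions all hold."""
    for rule in policy:
        if all(condition_matches(flow, *cond) for cond in rule.conditions):
            return rule.name, rule.flow_action, rule.ssl_action, rule.service_chain
    return None


SAMPLE_POLICY = [   # constructed policy; "sc-inspect" is a placeholder service chain id
    Rule("Bypass banking", [("Server Name", "Ends with", ".bank.example"), ("Server Port Match", "Equals", 443)],
         ssl_action="Bypass"),
    Rule("Reset outside clients", [("Client IP Subnet Match", "Does not match", "10.10.0.0/16")], flow_action="Reset"),
    Rule("All Traffic", [], ssl_action="Intercept", service_chain="sc-inspect"),
]
SAMPLE_FLOWS = {   # constructed flows
    "banking": Flow("10.10.5.7", "203.0.113.10", 51000, 443, "TCP", "login.bank.example"),
    "rogue": Flow("192.0.2.9", "203.0.113.10", 51001, 443, "TCP", "mail.example.net"),
    "web": Flow("10.10.5.7", "203.0.113.20", 51002, 443, "TCP", "www.example.com"),
}


def decide_all(policy=SAMPLE_POLICY, flows=SAMPLE_FLOWS):
    for rule in policy:
        validate_rule(rule)
    return {label: evaluate(policy, flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, decision in decide_all().items():
        print(f"{label:8} -> {decision}")
```

Rule order matters in this model: the banking bypass sits above the reset rule so a bank connection from an outside client is bypassed rather than reset; swap the two and the outcome changes. Whether the real policy engine uses first-match ordering is not stated on this page, so confirm it against the product before relying on it.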

To create a policy using BIG-IP Next Central Manager API:

  1. To create a policy, send a POST request to the /api/v1/spaces/default/security/policies endpoint, as in the examples that follow.

  2. In the following example:

    a. policyType: Specifies the type of policy. It is set to inbound-gateway for inbound gateway mode and default for inbound application mode.

    b. trafficRuleSets: Includes the rules (conditions and actions) for traffic flow.

    c. loggingRuleSets: Includes the rules (conditions and actions) for collecting data.

    Basic

    POST /api/v1/spaces/default/security/policies

    {
      "policyName": "my-sslo-policy",
      "policyType": "default",
      "trafficRuleSets": [
        {
          "ruleType": "traffic",
          "rules": [
            {
              "name": "All Traffic",
              "conditions": [],
              "actions": [
                {
                  "actionType": "SSL_PROXY_INTERCEPT"
                },
                {
                  "actionType": "SERVICE_CHAIN",
                  "serviceChain": "[service-chain-id]"
                }
              ]
            }
          ]
        }
      ]
    }


    Curl

    # Assumes ${CM} holds the Central Manager address and ${token} a valid bearer token.
    POLICY=$(cat <<EOF
    {
      "policyName": "my-sslo-policy",
      "policyType": "default",
      "trafficRuleSets": [
        {
          "ruleType": "traffic",
          "rules": [
            {
              "name": "All Traffic",
              "conditions": [],
              "actions": [
                {
                  "actionType": "SSL_PROXY_INTERCEPT"
                },
                {
                  "actionType": "SERVICE_CHAIN",
                  "serviceChain": "[service-chain-id]"
                }
              ]
            }
          ]
        }
      ]
    }
    EOF
    )
    # -k disables verification of the Central Manager certificate; outside a lab, replace it with
    # --cacert <ca-bundle>. The variable receives the full JSON response body, not only the policy id.
    policy_id=$(curl -sS --fail -k \
      -H "Authorization: Bearer ${token}" \
      -H "Content-Type: application/json" \
      "https://${CM}/api/v1/spaces/default/security/policies" \
      -d "${POLICY}")

    
    For more information on API payloads, refer to [Open API documentation](https://clouddocs.f5.com/products/bigip-next/mgmt-api/latest/ApiReferences/bigip_public_api_ref/r_openapi-next.html).
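The following is an added example, not F5 code: it builds the same request body as the API procedure above and submits it with the Central Manager certificate verified against a CA bundle, instead of disabling verification with curl -k. The endpoint path, the policyName/policyType/trafficRuleSets fields and the SSL_PROXY_INTERCEPT and SERVICE_CHAIN action types come from the page; the CM host, token, CA bundle path and service chain id are placeholders to replace, and the response body format is not documented on this page, so the function returns the parsed response for the caller to inspect against the OpenAPI reference.

```python
"""Build and submit an SSL Orchestrator policy through the Central Manager API (illustrative, not F5 code)."""
import json
import ssl
import urllib.request

# policyType values from the page: inbound gateway mode and inbound application mode.
POLICY_TYPES = {"inbound-gateway", "default"}
PLACEHOLDER_CHAIN = "[service-chain-id]"   # literal placeholder from the sample payload


def build_policy(name: str, policy_type: str, service_chain_id=None, intercept=True) -> dict:
    """Return the request body for a policy with a single catch-all traffic rule."""
    if policy_type not in POLICY_TYPES:
        raise ValueError(f"policyType must be one of {sorted(POLICY_TYPES)}, got {policy_type!r}")
    if service_chain_id == PLACEHOLDER_CHAIN:
        raise ValueError("replace [service-chain-id] with the id of an existing service chain")
    actions = []
    if intercept:
        actions.append({"actionType": "SSL_PROXY_INTERCEPT"})
    if service_chain_id:
        actions.append({"actionType": "SERVICE_CHAIN", "serviceChain": service_chain_id})
    if not actions:
        raise ValueError("a traffic rule needs at least one action")
    return {
        "policyName": name,
        "policyType": policy_type,
        "trafficRuleSets": [
            {
                "ruleType": "traffic",
                "rules": [{"name": "All Traffic", "conditions": [], "actions": actions}],
            }
        ],
    }


def submit_policy(cm_host: str, token: str, policy: dict, ca_bundle: str) -> dict:
    """POST the policy; the TLS context verifies the CM certificate against ca_bundle (no curl -k)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        f"https://{cm_host}/api/v1/spaces/default/security/policies",
        data=json.dumps(policy).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)   # response schema: see the OpenAPI reference


if __name__ == "__main__":
    body = build_policy("my-sslo-policy", "default", service_chain_id="sc-0001")   # placeholder id
    print(json.dumps(body, indent=2))
    # result = submit_policy("cm.example.internal", "<token>", body, "/etc/ssl/cm-ca.pem")   # placeholders
```

The two checks in build_policy catch the mistakes most likely when the sample payload is copied: an unknown policyType (the UI labels "Inbound Gateway" and "Inbound Application" map to "inbound-gateway" and "default", not to their display names) and the "[service-chain-id]" placeholder left in place.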