How To: Configure a TAP Inspection Service

Overview

A TAP inspection service is a passive service that only receives traffic for monitoring. It does not modify or block traffic. SSL Orchestrator sends a packet-by-packet copy of the traffic passing through it (for example, the decrypted plaintext) to the inspection device. TAP services contain no external IP addresses and only receive packet copies.

A TAP inspection service is defined by the following primary characteristics:

  • Passive: It contains no external IP addresses and must only receive a copy of packets.

  • BIG-IP Next SSL Orchestrator passes a wire copy of the traffic to the TAP service.

You can create a TAP inspection service in BIG-IP Next Central Manager using the Central Manager GUI or the Central Manager APIs. BIG-IP Next SSL Orchestrator supports the following ways to address a TAP server:

  • Destination MAC: Specifies a target VLAN to which the traffic copy is forwarded.

  • Clone Pool: Specifies L4 server-side servers that act as a clone pool to which the traffic copy is forwarded.


Procedure

To create a TAP inspection service using the BIG-IP Next Central Manager user interface:

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.

  2. Click Inspection Services from the left navigation pane.

  3. If you have not created an inspection service yet, click Start Creating. If inspection services already exist and you want to add another, click + Create.

  4. In the Inspection Service drop-down list, select Generic TAP.

  5. Click Start Creating.

  6. Specify General Properties for the policy.

    1. For Name, enter a name for the TAP Service.

    2. For Description, add a description for the service, if required.

    3. For Remap Port, specify the port to which you want to remap the traffic.

  7. If you want to include iRules in the service, toggle the iRules radio button in the Additional Features section. The iRules tab is then added to the left pane.

  8. Select Save & Continue.

  9. Specify Network settings for the policy.

    1. For VLAN, specify the L1 Network VLAN created during BIG-IP Next onboarding.

    2. If you want to configure additional features such as the MAC Address, toggle the Show Advanced Fields radio button and specify the MAC Address.

    3. If you want to create the inspection service using a Clone Pool:

      1. Select pool.

      2. Enter the VLAN Name.

      3. In the Inspection Service Endpoints section, click Start Adding to add an endpoint. Note: You must enter at least one pool member.

      4. Enter the Server Address. Click +Create to add more server addresses.

  10. If you selected the iRules radio button in the previous steps, you are navigated to the iRules tab.

    1. Click Start Adding.

    2. Select the required iRules from the drop-down list.

    3. Click Add to List.

    4. Select Save & Continue.

  11. Select Review & Deploy to deploy the configuration.

  12. Verify the details in the Summary section and click Start Adding.

  13. Select the BIG-IP Next Instances to which you want to deploy the service.
    Note: You must add the BIG-IP Next instance to Central Manager before you can deploy your changes to that instance.

  14. Click Add to List.

  15. Select each instance to which you want to deploy the inspection service and click Validate. Central Manager checks whether the VLAN configured for this inspection service exists on the instance and displays the resulting status.

  16. If you want to modify the network configuration for an instance, or if the VLAN configured for this inspection service does not exist on the added instances, you can create VLANs or modify the network configuration on the instances using the respective Configure icon. To create the VLAN:

    1. Click the Configure icon.

    2. Click the L1networks tab. Skip to step 3 if you want to use an existing L1 network.

      1. Click +Create to create a new L1 Network.

      2. Enter a network name and interface name for the L1 network and the number of VLANs associated.

      3. Click Save.

    3. Click the VLANs tab.

      1. Click +Create to create a new VLAN.

      2. Enter the VLAN name that you added in step 2a, or enter a new VLAN name.

      3. Enter a tag and select the L1 Network from the dropdown.

      Note: You can also use an existing L1 Network without creating a new L1 Network.

    4. Click the Addresses field or click the IP Addresses tab.

      1. Click + Create.

      2. Add a Device Name. Select the VLAN you created.

      3. Click Save. The VLAN is deployed on the BIG-IP Next Instance.

      Note: You can also use an existing VLAN without creating a new VLAN.

      Note: When you create and configure a new VLAN for an instance, the respective VLAN column is updated with the new VLAN name.

  17. Select the instance(s).

  18. Click Deploy Changes.

  19. Click Yes, Deploy to deploy the service to the selected instances.

Configure network objects

Typically, a BIG-IP Next user configures L1-network objects, including VLANs and self-IPs, during BIG-IP Next onboarding. If additional network configuration objects (Virtual Routing Function (VRF) objects) are not available on the instance, they are auto-generated when you deploy the service.

You can create a VLAN during onboarding and specify that VLAN while configuring an inspection service in Central Manager. For more details, see Getting Started with Installation. You can also create the VLAN from Central Manager before deploying the inspection service to an instance. For more details, see How to: Configure Instance Specific Network Settings using CM APIs.

Configure a TAP Service

To configure a TAP service using the destination Mac address:

  1. Send a POST request to the /v1/inspection-services endpoint:

    POST {{CM}}/api/v1/spaces/default/security/inspection-services

  2. For the API body, use the following example, substituting appropriate values for the service you want to create.

    In the following example:

    • type: Specifies the type of inspection service; for a TAP service addressed by destination MAC, it is set to tap-vlan.

    • network: Specifies network-related settings for the Inspection Service.

    • vlan: Specifies the VLAN to be monitored by the Inspection Service, and it is set as internal.

    • destinationMacAddress: Specifies the destination MAC address to which the intercepted traffic will be sent.

Basic

POST {{CM}}/api/v1/spaces/default/security/inspection-services
{
  "name": "my-sslo-tap",
  "description": "My SSLO Tap Inspection Service",
  "type": "tap-vlan",
  "network": {
    "vlan": "sslo-insp-tap"
  }
}

Curl

INSP=$(cat <<EOF
{
  "name": "my-sslo-tap",
  "description": "My SSLO Tap Inspection Service",
  "type": "tap-vlan",
  "network": {
    "vlan": "sslo-insp-tap"
  }
}
EOF
)
insp_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/security/inspection-services" -d "${INSP}" |jq -r '.id')

The service is created, and a unique inspection service ID is returned in the response to the request.

API Reference

Required  Attribute                        Defaults  Notes
*         name
*         description
*         type                                       string: must be "tap-vlan"
*         network: vlan
          network: destinationMacAddress

This section gives instructions on configuring the network objects, TAP service, and application stack.

Typically, a BIG-IP Next user configures L1-network objects, including VLANs and self-IPs, during BIG-IP Next onboarding. The VLAN created during onboarding must be specified while configuring a TAP service in Central Manager. If the additional network configuration objects (L2, L3, and L4) are not available on the instance, they are auto-generated when you deploy the service.

Configure a TAP Service

To configure a TAP service using clone pool:

  1. Send a POST request to the /v1/inspection-services endpoint:

    POST {{CM}}/api/v1/spaces/default/security/inspection-services
    
  2. For the API body, use the following example, substituting appropriate values for the service you want to create.

    In the following example:

    • type: Specifies the type of inspection service; for a TAP service addressed by clone pool, it is set to tap-clone-pool.

    • network: Contains network-related settings for the Inspection Service.

      • vlan: Specifies the L1 VLAN that was created during BIG-IP Next Onboarding.

      • destinationMacAddress: Specifies the destination MAC address to which the intercepted traffic will be sent.

    • endpoints: Specifies the endpoints associated with the inspection service.

    For the TAP-Pool variant, the required attributes are name, description, type (tap-clone-pool), a corresponding VLAN (L1 network), and an array of endpoint IP addresses. The resulting ID is returned at .id.

    Basic

    POST {{CM}}/api/v1/spaces/default/security/inspection-services
    
    {
      "name": "my-sslo-tap",
      "description": "My SSLO Tap Inspection Service",
      "type": "tap-clone-pool",
      "network": {
        "vlan": "sslo-insp-tap",
        "endpoints": [
          {
            "address": "198.19.97.10"
          },
          {
            "address": "198.19.97.11"
          }
        ]
      }
    }
    

    Curl

    INSP=$(cat <<EOF
    {
      "name": "my-sslo-tap",
      "description": "My SSLO Tap Inspection Service",
      "type": "tap-clone-pool",
      "network": {
        "vlan": "sslo-insp-tap",
        "endpoints": [
          {
            "address": "198.19.97.10"
          },
          {
            "address": "198.19.97.11"
          }
        ]
      }
    }
    EOF
    )
    insp_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/security/inspection-services" -d "${INSP}" |jq -r '.id')
    

API Reference

Required  Attribute            Defaults  Notes
*         name
*         description
*         type                           string: must be "tap-clone-pool"
*         network: vlan
*         network: endpoints             array: { "address": "ip-address" }
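The two request bodies above (destination-MAC and clone-pool variants) are easy to get subtly wrong before they reach Central Manager. The following builder and validator, an added example that is not part of the original page or F5's own tooling, encodes the required attributes from both API Reference tables; the colon-separated MAC syntax it checks is an assumption, since the page does not state the accepted format.

```python
import ipaddress
import re

# Assumed colon-separated MAC format; the page does not state the accepted syntax.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
INSPECTION_SERVICES_PATH = "/api/v1/spaces/default/security/inspection-services"


def build_tap_service(name, vlan, description="", mac=None, endpoints=None):
    """Build the request body: endpoints -> tap-clone-pool, otherwise tap-vlan."""
    network = {"vlan": vlan}
    if endpoints:
        network["endpoints"] = [{"address": a} for a in endpoints]
        kind = "tap-clone-pool"
    else:
        kind = "tap-vlan"
        if mac:  # optional for the destination-MAC variant
            network["destinationMacAddress"] = mac
    return {"name": name, "description": description, "type": kind, "network": network}


def validate_tap_service(body):
    """Return a list of problems against the required attributes in the tables above."""
    problems = [f"missing required attribute: {k}"
                for k in ("name", "description", "type", "network") if k not in body]
    net = body.get("network", {})
    if not net.get("vlan"):
        problems.append("network.vlan is required")
    kind = body.get("type")
    if kind == "tap-vlan":
        mac = net.get("destinationMacAddress")
        if mac is not None and not MAC_RE.match(mac):
            problems.append(f"destinationMacAddress is not a valid MAC: {mac}")
        if "endpoints" in net:
            problems.append("endpoints are only valid for tap-clone-pool")
    elif kind == "tap-clone-pool":
        endpoints = net.get("endpoints") or []
        if not endpoints:
            problems.append("tap-clone-pool needs at least one endpoint (pool member)")
        for ep in endpoints:  # every pool member must be a valid IP address
            try:
                ipaddress.ip_address(ep.get("address", ""))
            except ValueError:
                problems.append(f"invalid endpoint address: {ep!r}")
    else:
        problems.append(f'type must be "tap-vlan" or "tap-clone-pool", got {kind!r}')
    return problems
```

A body that passes with an empty problem list can be sent with the same curl call shown above, which posts to INSPECTION_SERVICES_PATH on the Central Manager host.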

For more information on the APIs, refer to Open API documentation https://clouddocs.f5.com/products/bigip-next/mgmt-api/latest/ApiReferences/bigip_public_api_ref/r_openapi-next.html

Note: To configure instance-specific network settings, refer to How to: Configure Instance Specific Network Settings using CM APIs.

Next Steps

How To: Deploy a service to a BIG-IP Instance using CM APIs