How to: Migrate SSL Orchestrator Configuration from BIG-IP to BIG-IP Next

Overview

You can migrate your SSL Orchestrator configurations from BIG-IP to BIG-IP Next using the SSL Orchestrator configuration converter (SCC). SSL Orchestrator Configuration Converter 2.0 (SCC 2.0) is a Docker container that simplifies the process of migrating your SSL Orchestrator configurations. Using docker commands, you can convert the existing SSL Orchestrator configuration into the format required by BIG-IP Next and also post the configurations to BIG-IP Next Central Manager.

Important: The iFiles generated from BIG-IP 9.0, 9.1, and 9.2, as well as all UCS files regardless of BIG-IP version, may contain sensitive information that must be handled with extreme caution. F5 recommends running SCC only in secure environments. For example, run SCC in a secured, local container environment and avoid running it on a shared Docker cluster. Also, nullify the sensitive data or secrets before sending the iFile to SCC.

Prerequisites

  • SSL Orchestrator configuration converter 2.0 is supported for existing configuration of SSL Orchestrator 9.0, BIG-IP 16.1.0, and above.

  • Ensure that you have pre-configured the required L1 Networks on BIG-IP Next Instance(s).

  • SCC 2.0 is supported for BIG-IP Next Version 20.1.0 and above.

  • If your configuration contains iRules or datagroups, you must create them in Central Manager before posting the payloads.

  • Ensure that you generate a User Configuration Set (UCS) from BIG-IP. For more information, refer to Backing up and restoring BIG-IP configuration files with a UCS archive.

Limitations

SSL Orchestrator Config Converter currently supports the migration of:

  • TAP, ICAP, L3 Inline, HTTP Transparent, HTTP Explicit Inspection Services

  • Service Chains

  • Inbound Type SSL Orchestrator Policies

Only the following policy conditions are supported:

  • IP Protocol

  • IP Version

  • Client Port Match

  • Server Port Match

  • Client IP Subnet Match

  • Server IP Subnet Match

  • Server Name (TLS Client)

Only Allow, Reset, and Redirect flow actions are supported.

Only the Intercept and Bypass SSL actions are supported.

SCC 2.0 will convert features supported up to BIG-IP Next 20.2.1.

SCC 2.0 is supported by BIG-IP Next Central Manager 20.2.1. BIG-IP Next Central Manager 20.3.0 may not support some converted payloads.

SSL Orchestrator Topologies, SSL Configuration, and Authentication are not migrated via SCC 2.0.

Note: If your configuration has inspection services or policies that are not supported, you can still run the SSL Orchestrator configuration converter, but you will receive the payloads only for the inspection services or policies that are supported. The output will include the status for each object you are attempting to migrate from BIG-IP to BIG-IP Next. For detailed information on the output format, deployable, partially deployable, and undeployable objects refer to Converted Output Format.

Workflow Diagram

Following is the workflow diagram of SCC 2.0:

[Figure: SCC 2.0 workflow diagram]

Procedure

To migrate SSL Orchestrator Configuration from BIG-IP to BIG-IP Next using SSL Orchestrator Config Converter:

  1. Execute the docker pull command:

    docker pull f5devcentral/f5-ssl-orchestrator-config-converter:TAG
    

    Note: You must get the latest tag from Docker Hub.

  2. Create an output file for SSL Orchestrator Config Converter and grant write access on the file to other users, including f5docker.

    touch scc_output.json
    chmod a+rw scc_output.json
    
  3. Execute the converter container using docker command:

    docker run --rm -v "$PWD":/usr/app/data <IMAGE>:<TAG> -ucs "data/<local_ifile_path>/<input_ifile_name>" -o "data/<local_output_file_path>" -loglevel info -log "data/<local_output_log_file_path>"
    

Command Line Options

Default Docker Options

  • --rm: Cleans up the container and removes the file system after the container exits.

  • -v: Maps the current local directory to the /usr/app/data directory in the container. This is used to read input and write output with the container. In this example, we assume the input iFile and the output JSON file will be read from and written to the current local directory.

Options Provided by SCC

  • -i: The file name of the input. If you are using -i with -postToCM then the input is the converted output. If you are using -i with -rollback then input is migrationSummary.json.

  • -ucs: The filename of the UCS backup file. If UCS is encrypted, you will be prompted to enter the passphrase when you run the SCC command.

  • -o: Filename of output JSON containing all API payloads.

  • -postToCM: The IP address of CM to which you want to post the payloads.

  • -rollback: The IP address of CM from which you want to roll back the migrated configuration.

  • -log: The filename of the logs. If not specified in the docker run command, then the default log file would be the standard output file. If you specify a logs filename in the docker run command, you must create the file and provide write access to the file.

  • -loglevel: Specifies severity of the issue/log. Different log levels are DEBUG, INFO, WARN, ERROR, FATAL (default is INFO).

Docker Usage

  • Usage: Generate the output using UCS

    Command Parameters: -ucs, -o

    Sample Docker Command:

      docker run -it --rm -v "$PWD":/usr/app/data artifactory.f5net.com/f5-mbip-docker/f5-ssl-orchestrator-config-converter:TAG -ucs data/sslo.ucs -o data/output.json -loglevel info -log data/logfile.txt

    Output: Converted SCC output

  • Usage: Generate the output using UCS and post it to CM

    Command Parameters: -ucs, -o, -postToCM

    Sample Docker Command:

      docker run -it --rm -v "$PWD":/usr/app/data artifactory.f5net.com/f5-mbip-docker/f5-ssl-orchestrator-config-converter:TAG -ucs data/sslo.ucs -o data/output.json -loglevel info -log data/logfile.txt -postToCM <CM_IP>

    Output: Configuration posted to the Central Manager via curl post used in SCC docker.

  • Usage: Take previously converted output of SCC as input and post to CM

    Command Parameters: -i, -postToCM

    Sample Docker Command:

      docker run --rm -v "$PWD":/usr/app/data artifactory.f5net.com/f5-mbip-docker/f5-ssl-orchestrator-config-converter:[TAG] -i data/output.json -loglevel info -log "data/scc_log.txt" -postToCM <CM_IP>

    Output: Configuration posted to the Central Manager via curl post used in SCC docker.

  • Usage: Take migrationSummary.json as input and rollback

    Command Parameters: -rollback

    Sample Docker Command:

      docker run --rm -v "$PWD":/usr/app/data artifactory.f5net.com/f5-mbip-docker/f5-ssl-orchestrator-config-converter:[TAG] -loglevel info -log "data/scc_log.txt" -i data/migrationSummary.json -rollback <CM_IP>

    Output: The posted configuration will be deleted from the Central Manager based on the provided input file (migrationSummary generated via -postToCM flag) via -i flag.

The following combinations of docker usage are invalid:

  • -i and -ucs together

  • -i and -o together

  • Only -i

  • Only -ucs

  • Only -o

  • Only -postToCM

  • Only -rollback

  • -postToCM and -rollback together

  • -rollback and -o together

  • -i with ifile and -postToCM

  • -i with some other file and -rollback

Next Steps

SCC as a REST Server

SCC v2.0 functions as a REST API server, implemented in Go (Golang) using the net/http package from Go’s standard library. The server handles POST requests only, including file uploads via multipart form data. It operates in a multi-threaded manner to handle requests concurrently and includes timeouts to prevent resource exhaustion and denial-of-service attacks.

Usage of SCC as a REST Server

You can use SCC as a REST server to generate the converted output from iFile.

Important: The iFiles generated from BIG-IP 9.0, 9.1, and 9.2 may contain sensitive information that must be handled with extreme caution. F5 recommends running SCC only in secure environments. For example, run SCC in a secured, local container environment and avoid running it on a shared Docker cluster. Also, nullify the sensitive data or secret before sending the iFile to SCC.

Get the Configuration from BIG-IP SSL Orchestrator

  1. Get the Configuration iFile from BIG-IP SSL Orchestrator. The iFile contains a backup of your BIG-IP configuration data. You can execute the following commands to obtain the iFile:

    • Get the iFile path:

      cachepath=$(curl -sku "admin:admin" "https://MGMT-IP/mgmt/tm/sys/file/ifile/ssloF_global.app~SSLOiFile?options=-hidden" -H "Content-Type: application/json" | jq -r '.cachePath')
      

      Replace MGMT-IP with BIG-IP management IP. Replace admin:admin with your User login credentials.

    • Copy the file from the path:

      scp "root@MGMT-IP:$cachepath" .
      

      You may substitute root with your User ID if console access is provided. Replace . with the location where you want to copy the file. Using . will copy the iFile to the current location. When prompted, enter the password for the User ID used in this command.

    For more information, refer to Backing up and restoring BIG-IP configuration files with a UCS archive.

    Important: The configuration iFile of BIG-IP Version 9.0, 9.1, or 9.2 can contain sensitive data or secrets. Such data should be nullified before sending the iFile to SCC via curl command.

Usage of SCC as a REST Server

  1. Default Configuration: The REST API server runs when the container is started with the serve option. The server endpoint is /scc and it listens on the default service port 8080. You can configure the port via the PORT environment variable.

    • Running on Default Port (8080):

      docker run --rm -v "$PWD":/usr/app/data -p 1234:8080 <IMAGE>:<TAG> serve
      

      Call it:

      curl localhost:1234/scc -X POST --form "ifile=@/home/user/path/to/ifile_config.txt"
      
    • Running on a Custom Port: To run the service on a different port, use the PORT environment variable.

      docker run --rm -v "$PWD":/usr/app/data -p 1234:8111 -e PORT=8111 <IMAGE>:<TAG> serve
      

      Call it:

      curl localhost:1234/scc -X POST --form "ifile=@/home/user/path/to/ifile_config.txt"
      

Server Configuration

  • HTTP Method: The server only accepts POST requests.

  • Timeouts: To protect against DoS attacks (such as Slowloris), resource exhaustion, etc., the server enforces the following timeouts:

    • ReadTimeout: 15 seconds

    • WriteTimeout: 10 seconds

    • IdleTimeout: 30 seconds

  • Access: The server is accessible only locally at localhost:8080 on the machine where it is running, and no authentication is required.

  • File Uploads: The server accepts file uploads via multipart form data. The uploaded file is extracted and processed.

Form Attributes

  • ifile (Mandatory): Specifies the path to the input JSON file for CBIP configuration. The default maximum file size is 100MB. To handle larger files, use the inputsize query parameter to increase the allowed file size, with a range from 1MB to 900MB. Example:

    curl -v "localhost:1234/scc?inputsize=<value>" -X POST --form "ifile=@<path_to_ifile>"
    

Output and Logging

  • Output File: The converted JSON file is saved to /usr/app/output.json by default. You can specify a different output path if needed.

  • Log File: Logs are written to standard output (os.Stdout) by default, but you can specify a custom log file path.

  • Log Level: Set the log level with the loglevel attribute. Default is info. Other available levels are: DEBUG > INFO > WARN > ERROR > FATAL.

Additional References

Converted Output Format

Depending on your existing BIG-IP SSL Orchestrator configuration, you will get the output JSON file that will include the payloads for Inspection Services, Service Chains, and Policies; along with the statuses (that is, Deployable, Strictly Undeployable, or Partially Deployable).

The converted output will have the inspection services, service chains, and policies (based on your SSL Orchestrator configuration) and each object will have the following attributes:

  • name: Refers to the name of the object.

  • status: The status of the object: deployable, partially deployable, or strictly undeployable.

    • strictly undeployable: The object cannot be deployed to Central Manager and you can view the reason in unsupportedProperties attribute.

    • partially deployable: The object can be deployed to Central Manager but certain unsupported attributes may have been removed from the payload.

    • deployable: The object can be deployed to Central Manager.

  • associatedObjects: Refers to other objects it is associated with. An inspection service can have iRules as an associated object. A Service chain has inspection services as its associated object. A policy can have service chains as its associated objects.

  • unsupportedProperties: Includes the reason an object is partially deployable or undeployable.

  • payload: The payload that you can post to save the object (inspection service, policy, or service chain) in Central Manager.

  • error: If the conversion fails due to any reason, the error message is displayed in the error attribute of the converted output.

Status Association

If an associated object has the status of “strictly undeployable,” it will override the status of the referring object, even if the referring object’s status is “deployable.” The “Partially Deployable” status is only for the Inspection Service and doesn’t impact the payload; the payload is still deployable but unsupported attributes that are not critical for SSL Orchestrator will be dropped in the payload.

Example: If an inspection service is strictly undeployable, then the corresponding service chain that includes the inspection service would also become strictly undeployable. Similarly, if a service chain is strictly undeployable, then the corresponding policy that includes the service chain would also become strictly undeployable.
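
The override described above can be recomputed over the converted output before any payload is posted by hand. The following Python sketch is an added example, not part of SCC or of the original page; it assumes the converted objects are available as one flat list and that every value under associatedObjects is a list of names. The sample data is constructed, including the inspectionServices and irules keys and the status strings other than deployable.

```python
import json

# Constructed sample, not real SCC output. Assumed: a flat list of objects, and
# the "inspectionServices" / "irules" keys ("serviceChains" and "dataGroups"
# are the two keys visible in the page's sample).
SAMPLE = json.loads("""[
 {"name": "ssloP_ok", "status": "deployable",
  "associatedObjects": {"serviceChains": ["ssloSC_chain1"], "dataGroups": ["integerdg1"]}},
 {"name": "ssloP_bad", "status": "deployable",
  "associatedObjects": {"serviceChains": ["ssloSC_chain2"]}},
 {"name": "ssloSC_chain1", "status": "deployable",
  "associatedObjects": {"inspectionServices": ["ssloS_tap"]}},
 {"name": "ssloSC_chain2", "status": "deployable",
  "associatedObjects": {"inspectionServices": ["ssloS_tap", "ssloS_icap"]}},
 {"name": "ssloS_tap", "status": "partially deployable",
  "associatedObjects": {"irules": ["myiRule"]}},
 {"name": "ssloS_icap", "status": "strictly undeployable",
  "associatedObjects": null}
]""")


def norm_status(status):
    """Compare statuses without depending on case, spaces or hyphens."""
    return "".join(ch for ch in str(status).lower() if ch.isalpha())


def refs(obj):
    """All names listed under associatedObjects, whatever the key."""
    assoc = obj.get("associatedObjects") or {}
    return [name for names in assoc.values() for name in (names or [])]


def blocked_objects(objects):
    """Map each object that must not be posted to the reason why."""
    blocked = {}
    for obj in objects:
        if obj.get("error"):
            blocked[obj["name"]] = "conversion error: %s" % obj["error"]
        elif norm_status(obj.get("status")) == "strictlyundeployable":
            blocked[obj["name"]] = "strictly undeployable"
    changed = True
    while changed:  # repeat until the override has reached every referrer
        changed = False
        for obj in objects:
            hit = [r for r in refs(obj) if r in blocked]
            if obj["name"] not in blocked and hit:
                blocked[obj["name"]] = "references " + hit[0]
                changed = True
    return blocked


def post_plan(objects):
    """Return post order, Central Manager prerequisites and blocked objects."""
    by_name = {obj["name"]: obj for obj in objects}
    blocked = blocked_objects(objects)
    order, seen, prereqs = [], set(), set()

    def visit(name):
        if name in seen or name in blocked:
            return
        seen.add(name)
        if name not in by_name:  # iRule or datagroup: must already exist in CM
            prereqs.add(name)
            return
        for ref in refs(by_name[name]):
            visit(ref)
        order.append(name)  # appended only after everything it references

    for obj in objects:
        visit(obj["name"])
    return {"order": order, "prerequisites": sorted(prereqs), "blocked": blocked}


if __name__ == "__main__":
    print(json.dumps(post_plan(SAMPLE), indent=1))
```

A partially deployable inspection service stays in the post order, matching the statement above that its payload is still deployable.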

Conversion Mapping

If a policy is referenced by both Inbound Gateway and Inbound Application in BIG-IP, SCC will clone the policy in the converted output.

  • The cloned Inbound Gateway type policy will have the suffix -gw added to the name (for example, ssloP_inb-test-gw instead of ssloP_inb-test). The policyType is set to inbound-gateway.

  • For the Inbound Application type policy, the policy name will remain the same (for example, ssloP_inb-test). The policyType is set to default.

Following is an example output format:

[Figure: SCC 2.0 Sample Output]

Payload Examples

Sample payload of a TAP service
    "payload": {
     "name": "ssloS_RSA",
     "description": "Type: tap",
     "type": "tap-vlan",
     "remapHttpsPort": 80,
     "network": {
      "vlan": "ssloN_vlan_tap",
      "destinationMacAddress": "01:02:03:04:05:06"
     },
     "irules": []
    }
Sample payload of an ICAP Service
    "payload": {
     "name": "ssloS_traffic_icap",
     "description": "Type: icap",
     "type": "icap",
     "requestModificationURI": "",
     "responseModificationURI": "",
     "serviceDownAction": "ignore",
     "headerFrom": "",
     "host": "",
     "referer": "",
     "userAgent": "",
     "previewLength": 1024,
     "allowHTTP1.0": true,
     "oneConnect": {
      "sourceMask": ""
     },
     "network": {
      "vlan": "fixMe",
      "endpoints": [
       {
        "endpointType": "L4BasicEndpoint",
        "address": "1.2.3.4:1344"
       }
      ],
      "snat": {
       "snatType": ""
      }
     },
     "monitor": {
      "tcp": {}
     },
     "irules": []
    }
Sample payload of an HTTP Explicit service with SNAT type “create new”
    {
     "name": "ssloS_http_explicit",
     "description": "Type: http-proxy",
     "type": "http-explicit",
     "serviceDownAction": "ignore",
     "to": {
      "network": {
       "vlan": "ssloN_qwe",
       "endpoints": [
        {
         "endpointType": "L4BasicEndpoint",
         "address": "198.19.100.12:3128"
        }
       ],
       "snat": {
        "snatType": "POOL",
        "addresses": [
         "44.33.22.11"
        ]
       }
      },
      "monitor": {
       "icmp": {}
      },
      "irules": []
     },
     "from": {
      "network": {
       "vlan": "ssloN_asass",
       "endpoints": [
        {
         "endpointType": "L4BasicEndpoint",
         "address": "0.0.0.0"
        }
       ],
       "snat": {
        "snatType": "POOL"
       }
      },
      "monitor": {},
      "irules": []
     }
    }
Sample payload of L3 Inline service with port remap enabled and SNAT type AUTOMAP
    {
     "name": "ssloS_l3_scc2",
     "description": "Type: L3",
     "type": "l3",
     "serviceDownAction": "ignore",
     "remapHttpsPort": 80,
     "to": {
      "network": {
       "vlan": "ssloN_hjhjh",
       "endpoints": [
        {
         "endpointType": "L4BasicEndpoint",
         "address": "198.19.70.12:80"
        }
       ],
       "snat": {
        "snatType": "AUTOMAP"
       }
      },
      "monitor": {
       "icmp": {}
      },
      "irules": [
       "myiRule"
      ]
     },
     "from": {
      "network": {
       "vlan": "ssloN_hghg",
       "endpoints": [
        {
         "endpointType": "L4BasicEndpoint",
         "address": "0.0.0.0"
        }
       ],
       "snat": {
        "snatType": "NONE"
       }
      },
      "monitor": {},
      "irules": []
     }
    }
Sample payload of a Service Chain
    "payload": {
     "name": "ssloSC_service_chanin1122",
     "inspection_services": [
      "ssloS_Http_tx1122",
      "ssloS_ICAP_TEST1122",
      "ssloS_TAP1122",
      "ssloS_L3_serv112233"
     ]
    }
Sample payload of an Inbound Application Mode Policy
    {
     "name": "ssloP_deployable",
     "status": "deployable",
     "associatedObjects": {
      "serviceChains": [
       "ssloSC_chain1"
      ],
      "dataGroups": [
       "integerdg2",
       "integerdg1"
      ]
     },
     "unsupportedProperties": null,
     "payload": {
      "attachIrule": false,
      "description": "converted cBIP Policy",
      "id": "",
      "policyName": "ssloP_deployable",
      "policyType": "default",
      "trafficRuleSets": [
       {
        "ruleType": "traffic",
        "ruleStrategy": "first-match",
        "rules": [
         {
          "name": "Rule-1001",
          "actions": [
           {
            "actionType": "SSL_PROXY_BYPASS"
           },
           {
            "actionType": "SERVICE_CHAIN",
            "serviceChain": "ssloSC_chain1"
           }
          ],
          "conditions": [
           {
            "conditionType": "L4_PORT",
            "values": [
             443,
             21
            ],
            "operator": "equals",
            "local": false
           },
           {
            "conditionType": "IP_ADDRESS",
            "values": [
             "1.2.3.4/32",
             "5.6.4.3/32"
            ],
            "operator": "not-matches",
            "local": false
           }
          ]
         },
         {
          "name": "Rule-1002",
          "actions": [
           {
            "actionType": "SSL_PROXY_BYPASS"
           }
          ],
          "conditions": [
           {
            "conditionType": "L4_PORT",
            "values": [
             80,
             443
            ],
            "operator": "equals",
            "local": true
           },
           {
            "conditionType": "SSL_EXTENSION_SERVERNAME",
            "values": [
             "qwqw"
            ],
            "operator": "equals",
            "local": false
           },
           {
            "conditionType": "IP_PROTOCOL",
            "values": [
             17
            ],
            "operator": "equals",
            "local": false
           }
          ]
         },
         {
          "name": "Rule-1003",
          "actions": [
           {
            "actionType": "SSL_PROXY_BYPASS"
           }
          ],
          "conditions": [
           {
            "conditionType": "IP_ADDRESS",
            "values": [
             "1.2.3.4/32",
             "66.55.44.33/32"
            ],
            "operator": "matches",
            "local": true
           },
           {
            "conditionType": "L4_PORT",
            "values": [
             80
            ],
            "operator": "equals",
            "local": false
           }
          ]
         },
         {
          "name": "Rule-1004",
          "actions": [
           {
            "actionType": "REDIRECT",
            "location": "https://www.scc.com"
           },
           {
            "actionType": "SSL_PROXY_INTERCEPT"
           }
          ],
          "conditions": [
           {
            "conditionType": "L4_PORT",
            "operator": "equals",
            "local": true,
            "datagroup": "integerdg2"
           },
           {
            "conditionType": "L4_PORT",
            "operator": "equals",
            "local": true,
            "datagroup": "integerdg1"
           },
           {
            "conditionType": "L4_PORT",
            "values": [
             80
            ],
            "operator": "equals",
            "local": true
           },
           {
            "conditionType": "L4_PORT",
            "operator": "equals",
            "local": false,
            "datagroup": "integerdg1"
           }
          ]
         },
         {
          "name": "Rule-1002_Copy_substring",
          "actions": [
           {
            "actionType": "SSL_PROXY_BYPASS"
           }
          ],
          "conditions": [
           {
            "conditionType": "L4_PORT",
            "values": [
             80,
             443
            ],
            "operator": "equals",
            "local": true
           },
           {
            "conditionType": "SSL_EXTENSION_SERVERNAME",
            "values": [
             "asss"
            ],
            "operator": "contains",
            "local": false
           },
           {
            "conditionType": "IP_PROTOCOL",
            "values": [
             17
            ],
            "operator": "equals",
            "local": false
           }
          ]
         },
         {
          "name": "Rule-1002_Copy_suffix",
          "actions": [
           {
            "actionType": "SSL_PROXY_BYPASS"
           }
          ],
          "conditions": [
           {
            "conditionType": "L4_PORT",
            "values": [
             80,
             443
            ],
            "operator": "equals",
            "local": true
           },
           {
            "conditionType": "SSL_EXTENSION_SERVERNAME",
            "values": [
             "sss"
            ],
            "operator": "ends-with",
            "local": false
           },
           {
            "conditionType": "IP_PROTOCOL",
            "values": [
             17
            ],
            "operator": "equals",
            "local": false
           }
          ]
         },
         {
          "name": "All Traffic",
          "actions": [
           {
            "actionType": "SSL_PROXY_INTERCEPT"
           }
          ],
          "conditions": []
         }
        ]
       }
      ]
     }
    }
Sample payload of an Inbound Gateway Mode Policy
    "payload": {
     "attachIrule": true,
     "description": "converted cBIP Policy",
     "id": "",
     "policyName": "ssloP_inb_app-gw",
     "policyType": "inbound-gateway",
     "trafficRuleSets": [
      {
       "ruleType": "traffic",
       "ruleStrategy": "first-match",
       "rules": [
        {
         "name": "Rule-1001",
         "actions": [
          {
           "actionType": "SSL_PROXY_BYPASS"
          }
         ],
         "conditions": [
          {
           "conditionType": "L4_PORT",
           "values": [
            44,
            80,
            443
           ],
           "operator": "equals",
           "local": false
          },
          {
           "conditionType": "IP_PROTOCOL",
           "values": [
            17
           ],
           "operator": "equals",
           "local": false
          }
         ]
        },
        {
         "name": "All Traffic",
         "actions": [
          {
           "actionType": "SSL_PROXY_INTERCEPT"
          }
         ],
         "conditions": []
        }
       ]
      }
     ]
    }