3.5. Creating a TAP Service¶
3.5.1. What it is¶
A TAP service is defined by the following primary characteristics:
Passive: It contains no external IP addresses and must only receive a copy of packets.
SSL Orchestrator passes a wire copy of the traffic to a TAP service interface.
Many modern security products fit into this category, including products by Cisco, Symantec, FireEye and RSA. TAP devices are completely passive and only receive packet copies. Unlike inline services, TAP services are not able to affect traffic flows in real time, and typically used as passive detection systems.
3.5.2. How to build it¶
Either from a topology workflow or directly under the Services tab in the SSL Orchestrator user interface, click the Add button to create a new inline HTTP service.
|TAP Service||User Input|
|Service Properties||Choose a TAP service from the catalog or select the “Generic TAP Service” and click the Add button.|
|Name||Provide a name for this service.|
|Description||Optionally provide a description.|
|MAC Address||For a TAP service that is not directly connected to the F5 BIG-IP, enter the device’s layer 2 MAC address. For a TAP service that is directly connected, the MAC address is superfluous and can be arbitrarily defined.|
This defines the interface connecting the F5 BIG-IP to the TAP device.
While the Tag and Port Remap options are visible, they are generally not used in TAP service configurations.
Click Save & Next to proceed.
The workflow will proceed to the Service Chains page to allow adding of this new service to a service chain. Once complete here, if in a topology workflow click Save & Next to continue. If adding the service directly, click the Deploy button.
3.5.3. How it works¶
SSL Orchestrator uses the following configuration information to correctly address a TAP server.
MAC Address - a MAC address is only required when the TAP service is not directly connected, and the F5 BIG-IP must connect to the TAP service over some layer 2 adjacent hop. When the TAP service is directly connected, the MAC address input is required, but its value arbitrary.
VLAN - minimally you must only define physical connectivity to create a TAP service.