3.5. Creating a TAP Service

3.5.1. What it is

A TAP service is defined by the following primary characteristics:

  • Passive: It contains no external IP addresses and must only receive a copy of packets.


  • SSL Orchestrator passes a wire copy of the traffic to a TAP service interface.


    ../_images/image35.png

    Figure 35: TAP service


Many modern security products fit into this category, including products by Cisco, Symantec, FireEye and RSA. TAP devices are completely passive and only receive packet copies. Unlike inline services, TAP services are not able to affect traffic flows in real time, and typically used as passive detection systems.


3.5.2. How to build it

Either from a topology workflow or directly under the Services tab in the SSL Orchestrator user interface, click the Add button to create a new inline HTTP service.

TAP Service User Input
Service Properties Choose a TAP service from the catalog or select the “Generic TAP Service” and click the Add button.
Name Provide a name for this service.
Description Optionally provide a description.
MAC Address For a TAP service that is not directly connected to the F5 BIG-IP, enter the device’s layer 2 MAC address. For a TAP service that is directly connected, the MAC address is superfluous and can be arbitrarily defined.
VLAN

This defines the interface connecting the F5 BIG-IP to the TAP device.

  • If a VLAN already exists, select Use Existing and further select the existing VLAN and corresponding interface
  • If a VLAN does not already exist, select Create New, provide a name, and select the corresponding interface.

Note

While the Tag and Port Remap options are visible, they are generally not used in TAP service configurations.

Click Save & Next to proceed.


The workflow will proceed to the Service Chains page to allow adding of this new service to a service chain. Once complete here, if in a topology workflow click Save & Next to continue. If adding the service directly, click the Deploy button.


3.5.3. How it works

SSL Orchestrator uses the following configuration information to correctly address a TAP server.


  • MAC Address - a MAC address is only required when the TAP service is not directly connected, and the F5 BIG-IP must connect to the TAP service over some layer 2 adjacent hop. When the TAP service is directly connected, the MAC address input is required, but its value arbitrary.


  • VLAN - minimally you must only define physical connectivity to create a TAP service.