Lab 3.1: Reviewing the Policies

Task 1 - View the Per-Request Policies

  1. Log in to the BIG-IP with Firefox

  2. Navigate to SSL Orchestrator ‣ Policies ‣ Access Per-Request Policies

  3. Click the plus sign next to Show all for the ssloP_outbound_ssl row

  4. Select the ssloP_outbound_ssl_prpTcp Per-Request policy

  5. Review the general flow from categorization through Intercept policy to Service Chain

  6. Expand the Macro: Categorization macro by clicking on Categorization in the boxed area or the plus symbol in the macro section.

  7. Explore the SSL Check advanced Action Properties

  8. Expand the SSL Intercept Policy macro. Notice that the Not Intercepted and Intercepted terminal endings differ based on the category and the interception setting.

  9. Explore the Category Branching Action Property

  10. Expand the macros Service Chain Intercepted and Service Chain Not Intercepted

  11. Explore the Action Properties in the Service Chains and notice the Connector Profiles

Task 2 - Modify the Intercept Policy

  1. Expand the macro SSL Intercept Policy and click the Intercepted terminal ending

  2. Select the Not Intercepted radio button, then Save

    Note

    Notice that all traffic is now bypassed and therefore not decrypted.

  3. Repeat the test from Lab 1.8 and notice that traffic is not decrypted. This change had the effect of all traffic bypassing the inspection zone.

  4. Undo the change by setting the terminal ending back to Intercepted and repeat the test.

Task 3 - Modify Service Chain

  1. Expand the macro named Service Chain Not Intercepted and remove the HTTP Service node by selecting the X in the corner. The X will turn red when you hover over it.

  2. Click the Delete button in the Item delete confirmation dialogue box

  3. View your results

  4. Add the HTTP Service node back by selecting the plus sign between the TAP and L3 services

  5. Select the Traffic Management tab, then the Service Connect item and click Add Item

  6. Change the Name to HTTP Service, choose the HTTP Service item (named /Common/ssloS_HTTP_server.app/ssloS_HTTP_service-t-connector) from the Connector Profile drop-down menu, and then click Save at the bottom
