F5 BIG-IP SSL Orchestrator Training Lab: [Archived] SSL Orchestrator v5 (Ravello | 4 hours)
Appendix 6 - Demo Scripts
Lab 1 demo script
Configuration review and prerequisites
- Optionally define DNS, NTP and gateway route
- Click Next
Topology Properties
- Name: lab1_outbound
- Protocol: Any
- IP Family: IPv4
- Topology: L3 Outbound
- Click Save & Next
SSL Configuration
- Create a New SSL Profile
- Client-side SSL (Cipher Type): Cipher String
- Client-side SSL (Cipher String): DEFAULT
- Client-side SSL (Certificate Key Chain): default.crt and default.key
- Client-side SSL (CA Certificate Key Chain): subrsa.f5labs.com
- Server-side SSL (Cipher Type): Cipher String
- Server-side SSL (Cipher String): DEFAULT
- Server-side SSL (Trusted Certificate Authority): ca-bundle.crt
- Click Save & Next
Service List
- Inline Layer 2 service
  - FireEye NX Inline Layer 2
  - Name: some name (ex. FireEye)
  - Network Configuration
    - Ratio: 1
    - From BIGIP VLAN: Create New, name (ex. FireEye_in), interface 1.6
    - To BIGIP VLAN: Create New, name (ex. FireEye_out), interface 1.7
    - Click Done
  - Service Action Down: Ignore
  - Enable Port Remap: Enable, 8080
  - Click Save
- Inline Layer 3 service
  - Generic Inline Layer 3
  - Name: some name (ex. IPS)
  - IP Family: IPv4
  - Auto Manage: Enabled
  - To Service Configuration
    - To Service: 198.19.64.7/25
    - VLAN: Create New, name (ex. IPS_in), interface 1.3, tag 50
    - Service Action Down: Ignore
    - L3 Devices: 198.19.64.64
  - From Service Configuration
    - From Service: 198.19.64.245/25
    - VLAN: Create New, name (ex. IPS_out), interface 1.3, tag 60
  - Enable Port Remap: Enabled, 8181
  - Manage SNAT Settings: None
  - Click Save
- Inline HTTP service
  - Cisco WSA HTTP Proxy
  - Name: some name (ex. Proxy)
  - IP Family: IPv4
  - Auto Manage: Enabled
  - Proxy Type: Explicit
  - To Service Configuration
    - To Service: 198.19.96.7/25
    - VLAN: Create New, name (ex. Proxy_in), interface 1.3, tag 110
    - Service Action Down: Ignore
    - HTTP Proxy Devices: 198.19.96.66, Port 3128
  - From Service Configuration
    - From Service: 198.19.96.245/25
    - VLAN: Create New, name (ex. Proxy_out), interface 1.3, tag 120
  - Manage SNAT Settings: None
  - Authentication Offload: Disabled
  - Click Save
- ICAP Service
  - Squid ICAP
  - Name: some name (ex. DLP)
  - IP Family: IPv4
  - ICAP Devices: 10.70.0.10, Port 1344
  - Request URI Path: /squidclamav
  - Response URI Path: /squidclamav
  - Preview Max Length (bytes): 524288
  - Service Action Down: Ignore
  - Click Save
- TAP Service
  - Cisco Firepower Threat Defense TAP
  - Name: some name (ex. TAP)
  - MAC Address: 12:12:12:12:12:12
  - VLAN: Create New, name (ex. TAP_in)
  - Interface: 1.4
  - Service Action Down: Ignore
  - Click Save
- Click Save & Next
Service Chain List
- Add
  - Name: some name (ex. all_service_chain)
  - Services: all of the services
  - Click Save
- Add
  - Name: some name (ex. sub_service_chain)
  - Services: L2 and TAP services
  - Click Save
- Click Save & Next
Security Policy
- Add a new rule
  - Name: some name (ex. urlf_bypass)
  - Conditions
    - Category Lookup (All)
    - SNI Category: Financial Data and Services, Health and Medicine
  - Action: Allow
  - SSL Forward Proxy Action: bypass
  - Service Chain: L2/TAP service chain
  - Click OK
- Modify the All rule
  - Service Chain: all services chain
  - Click OK
- Click Save & Next
Interception Rule
- Select Outbound Rule Type: Default
- Ingress Network (VLANs): client-side
- L7 Interception Rules: Apply FTP and email protocols as required.
- Click Save & Next
Egress Settings
- Manage SNAT Settings: Auto Map
- Gateways: New, ratio 1, 10.30.0.1
Summary
- Review configuration
- Click Deploy
Lab 2 demo script
Configuration review and prerequisites
- Optionally define DNS, NTP and gateway route
- Click Next
Topology Properties
- Name: some_name (ex. lab2_inbound)
- Protocol: TCP
- IP Family: IPv4
- Topology: L3 Inbound
- Click Save & Next
SSL Configuration
- Show Advanced Setting
- Client-side SSL (Cipher Type): Cipher String
- Client-side SSL (Cipher String): DEFAULT
- Client-side SSL (Certificate Key Chain): default.crt and default.key
- Server-side SSL (Cipher Type): Cipher String
- Server-side SSL (Cipher String): DEFAULT
- Server-side SSL (Trusted Certificate Authority): ca-bundle.crt
- Advanced (Expire Certificate Control): Ignore
- Advanced (Untrusted Certificate Authority): Ignore
- Click Save & Next
Services List
- Click Save & Next
Service Chain List
- Click Save & Next
Security Policy
- Remove Pinners_Rule
- Edit All Traffic rule and add L2/TAP service chain
- Click Save & Next
Interception Rule
- Gateway-mode
  - Hide Advanced Setting
  - Source Address: 0.0.0.0/0
  - Destination Address/Mask: 0.0.0.0/0
  - Port: 443
  - VLANs: outbound
- Targeted-mode
  - Show Advanced Setting
  - Source Address: 0.0.0.0/0
  - Destination Address: 10.30.0.200
  - Port: 443
  - VLANs: outbound
  - Pool: webserver-pool
- Click Save & Next
Egress Settings
- Manage SNAT Settings: Auto Map
- Gateways: Default Route
Summary
- Review configuration
- Click Deploy
Lab 3 demo script
Configuration review and prerequisites
- Optionally define DNS, NTP and gateway route
- Click Next
Topology Properties
- Name: some name (ex. lab3_explicit)
- Protocol: TCP
- IP Family: IPv4
- Topology: L3 Explicit Proxy
- Click Save & Next
SSL Configuration
- SSL Profile: Use Existing, existing outbound SSL settings
- Click Save & Next
Services List
- Click Save & Next
Service Chain List
- Click Save & Next
Security Policy
- Type: Use Existing, existing outbound security policy
- Click Save & Next
Interception Rule
- IPV4 Address: 10.20.0.150
- Port: 3128
- VLANs: client-net
- Click Save & Next
Egress Settings
- Manage SNAT Settings: Auto Map
- Gateways: Existing Gateway Pool, -ex-pool-4 pool
Summary
- Review configuration
- Click Deploy
System Settings
- DNS Query Resolution: Local Forwarding Nameserver
- Local Forwarding Nameserver(s): 10.1.20.1
- Click Deploy