F5 BIG-IP SSL Orchestrator Training Lab > All SSL Orchestrator Lab Guides > [Archived] SSL Orchestrator v5 (Ravello | 4 hours) Source | Edit on

Appendix 6 - Demo Scripts¶

Lab 1 demo script¶

Configuration review and prerequisites

Optionally define DNS, NTP and gateway route
Click Next

Topology Properties

Name: lab1_outbound
Protocol: Any
IP Family: IPv4
Topology: L3 Outbound
Click Save & Next

SSL Configuration

Create a New SSL Profile
Client-side SSL (Cipher Type): Cipher String
Client-side SSL (Cipher String): DEFAULT
Client-side SSL (Certificate Key Chain): default.crt and default.key
Client-side SSL (CA Certificate Key Chain): subrsa.f5labs.com
Server-side SSL (Cipher Type): Cipher String
Server-side SSL (Cipher String): DEFAULT
Server-side SSL (Trusted Certificate Authority): ca-bundle.crt
Click Save & Next

Service List

Inline Layer 2 service
1. FireEye NX Inline Layer 2
2. Name: some name (ex. FireEye)
3. Network Configuration
  - Ratio: 1
  - From BIGIP VLAN: Create New, name (ex. FireEye_in), int 1.6
  - To BIGIP VLAN: Create New, name (ex. FireEye_out), int 1.7
  - Click Done
4. Service Action Down: Ignore
5. Enable Port Remap: Enable, 8080
6. Click Save
Inline layer 3 service
1. Generic Inline Layer 3
2. Name: some name (ex. IPS)
3. IP Family: IPv4
4. Auto Manage: Enabled
5. To Service Configuration
  - To Service: 198.19.64.7/25
  - VLAN: Create New, name (ex. IPS_in), interface 1.3, tag 50
6. Service Action Down: Ignore
7. L3 Devices: 198.19.64.64
8. From Service Configuration
  - From Service: 198.19.64.245/25
  - VLAN: Create New, name (ex. IP_out), interface 1.3, tag 60
9. Enable Port Remap: Enabled, 8181
10. Manage SNAT Settings: None
11. Click: Save
Inline HTTP service
1. Cisco WSA HTTP Proxy
2. Name: some name (ex. Proxy)
3. IP Family: IPv4
4. Auto Manage: Enabled
5. Proxy Type: Explicit
6. To Service Configuration
  - To Service: 198.19.96.7/25
  - VLAN: Create New, name (ex. Proxy_in), interface 1.3, tag 110
7. Service Action Down: Ignore
8. HTTP Proxy Devices: 198.19.96.66, Port 3128
9. From Service Configuration
  - From Service: 198.19.96.245/25
  - VLAN: Create New, name (ex. Proxy_out), interface 1.3, tag 120
10. Manage SNAT Settings: None
11. Authentication Offload: Disabled
12. Click Save
ICAP Service
1. Squid ICAP
2. name: some name (ex. DLP)
3. IP Family: IPv4
4. ICAP Devices: 10.70.0.10, Port 1344
5. Request URI Path: /squidclamav
6. Response URI Path: /squidclamav
7. Preview Max Length(bytes): 524288
8. Service Action Down: Ignore
9. Click Save
TAP Service
1. Cisco Firepower Thread Defense TAP
2. Some Name (ex. TAP)
3. Mac Address: 12:12:12:12:12:12
4. VLAN: Create New, name (ex. TAP_in)
5. Interface: 1.4
6. Service Action Down: Ignore
7. Click Save
Click Save & Next

Service Chain List

Add
1. Name: some name (ex. all_service_chain)
2. Services: all of the services
3. Click Save
Add
1. name: some name (ex. sub_service_chain)
2. Services: L2 and TAP services
3. Click Save
Click Save & Next

Security Policy

Add a new rule
1. Name: some name (ex. urlf_bypass)
2. Conditions
  - Category Lookup (All)
  - SNI Category: Financial Data and Services, Health and Medicine
3. Action: Allow
4. SSL Forward Proxy Action: bypass
5. Service Chain: L2/TAP service chain
6. Click OK
Modify the All rule
1. Service Chain: all services chain
2. Click OK
Click Save & Next

Interception Rule

Select Outbound Rule Type: Default
Ingress Network (VLANs): client-side
L7 Interception Rules: Apply FTP and email protocols as required.
Click Save & Next

Egress Setting

Manage SNAT Settings: Auto Map
Gateways: New, ratio 1, 10.30.0.1

Summary

Review configuration
Click Deploy

Lab 2 demo script¶

Configuration review and prerequisites

Optionally define DNS, NTP and gateway route
Click Next

Topology Properties

Name: some_name (ex. lab2_inbound)
Protocol: TCP
IP Family: IPv4
Topology: L3 Inbound
Click Save & Next

SSL Configuration

Show Advanced Setting
Client-side SSL (Cipher Type): Cipher String
Client-side SSL (Cipher String): DEFAULT
Client-side SSL (Certificate Key Chain): default.crt and default.key
Server-side SSL (Cipher Type): Cipher String
Server-side SSL (Cipher String): DEFAULT
Server-side SSL (Trusted Certificate Authority): ca-bundle.crt
Advanced (Expire Certificate Control): Ignore
Advanced (Untrusted Certificate Authority): Ignore
Click Save & Next

Services List

Click Save & Next

Service Chain List

Click Save & Next

Security Policy

Remove Pinners_Rule
Edit All Traffic rule and add L2/TAP service chain
Click Save & Next

Interception Rule

Gateway-mode
1. Hide Advanced Setting
2. Source Address: 0.0.0.0/0
3. Destination Address/Mask: 0.0.0.0/0
4. Port: 443
5. VLANs: outbound
Targeted-mode
1. Show Advanced Setting
2. Source Address: 0.0.0.0/0
3. Destination Address: 10.30.0.200
4. Port: 443
5. VLANs: outbound
6. Pool: webserver-pool
Click Save & Next

Egress Settings

Manage SNAT Settings: Auto Map
Gateways: Default Route

Summary

Review configuration
Click Deploy

Lab 3 demo script¶

Configuration review and prerequisites

Optionally define DNS, NTP and gateway route
Click Next

Topology Properties

Name: some name (ex. lab3_explicit)
Protocol: TCP
IP Family: IPv4
Topology: L3 Explicit Proxy
Click Save & Next

SSL Configuration

SSL Profile: Use Existing, existing outbound SSL settings
Click Save & Next

Services List

Click Save & Next

Service Chain List

Click Save & Next

Security Policy

Type: Use Existing, existing outbound security policy
Click Save & Next

Interception Rule

IPV4 Address: 10.20.0.150
Port: 3128
VLANs: client-net
Click Save & Next

Egress Settings

Manage SNAT Settings: Auto Map
Gateways: Existing Gateway Pool, -ex-pool-4 pool

Summary

Review configuration
Click Deploy

System Settings

DNS Query Resolution: Local Forwarding Nameserver
Local Forwarding Nameserver(s): 10.1.20.1
Click Deploy

Previous Next