4.4. Defining a Traffic Policy

The SSL Orchestrator traffic policy enables policy-based traffic steering to the inspection services. The policy defines traffic conditions, and each condition defines a set of actions to take on matching flow.

A traffic policy is a combination of multiple rulesets, each with the same or similar traffic conditions but different potential actions.

  • The Traffic Rules ruleset controls blocking, TLS decrypt decisions, and steering to inspection services.
  • The Traffic Rules ruleset contains a single, immovable All Traffic condition that applies to all traffic flows that do not match any other (higher) condition. Its default (adjustable) behavior is to Allow traffic and decrypt it.
  • The Logging Rules ruleset controls logging behavior.

4.4.1. Create an SSL Orchestrator Traffic Policy

You will now create a traffic policy with a TLS decryption bypass rule for a specific hostname. The default rule will decrypt all other traffic.

  1. In the SSL Orchestrator menu, click on Policies.

  2. Since there are no Policies yet, click on the Start Creating button to get started.

  3. In the Create Policy panel's General Properties section:

    • Enter my-sslo-policy-lab2 in the Name field.
    • Enter Traffic policy for lab 2 in the Description field (optional).
    • Ensure the Type is set to Inbound Application.
  4. Click the Next button to continue to the Rules configuration.

4.4.2. Create a Traffic Rule - TLS Decryption Bypass

A Traffic Rule is generally made up of three parts, depending on the type of condition: the condition type (e.g., 'IP Protocol'), the expression (e.g., 'equals'), and the evaluation (the value being tested).

Now, you will create a TLS bypass rule for traffic destined for test.f5labs.com.

  1. Click the + Create button to create a new traffic rule.

  2. In the Rule Properties section of the Create Traffic Rule panel:

    • Enter rule1 in the Name field.
    • Enter TLS bypass for test.f5labs.com in the Description field.
  3. Click on the Save & Continue button to continue to Conditions and Actions.

  4. In the Conditions section, click the Start Creating button and create a conditional expression:

    • Select a condition type of Server Name (TLS ClientHello).
    • Select an expression of Equals.
    • Enter an evaluation value of test.f5labs.com.
  5. Define the action to take when this conditional expression matches:

    Hint

    Scroll down if you do not see the Actions section.

    • Set the Flow Action to Allow. This will allow the traffic to pass.
    • Set the SSL Action to Bypass. This will disable decryption of the traffic.
    • Set the Service Chain to my-service-chain-lab2. This will send the traffic through a specified Service Chain.
  6. Click the Save button.

You will now see two Traffic Rules (rule1 and All Traffic).


4.4.3. Edit Traffic Condition Rule - All Traffic (Default)

By default, the All Traffic rule does not have a Service Chain selected. Let's attach a Service Chain to ensure that traffic flows not matching any other rule are still sent through a service chain.

  1. Click the All Traffic rule to modify it.

  2. Click on Conditions and Actions.

  3. Set the Service Chain to my-service-chain-lab2.

  4. Click the Save button to close the panel.

4.4.4. Create a Logging Rule - Log all TCP traffic

Finally, you will configure a rule to log all TCP traffic.

  1. In the Logging Rules section, click the Start Creating button.

  2. Enter all-logging in the Name field.

  3. Enter Log all traffic in the Description field.

  4. Click on the Save & Continue button to continue to Conditions and Actions.

  5. In the Conditions section, click the Start Creating button and create a conditional expression:

    • Select a condition type of IP Protocol.
    • Select an expression of Equals.
    • Set the evaluation value to TCP.
  6. Click the Save button to close the Logging Rules panel.

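The policy built in sections 4.4.2 through 4.4.4 can be summarised as two ordered rulesets: traffic rules are evaluated top down and the first matching condition decides the Flow Action, SSL Action and Service Chain, with the immovable All Traffic rule catching everything else, while logging rules are matched independently. The following Python model is an added example, not SSL Orchestrator code or an F5 API; the Flow record, the Action and Rule classes, the "Decrypt" label for the default SSL action and the policy_warnings() checks are all assumptions made for illustration. It reproduces rule1 (bypass for test.f5labs.com, steered to my-service-chain-lab2), the All Traffic default as it stands after section 4.4.3, and the all-logging rule, and adds the pre-deployment checks a reviewer would want: that the default rule still decrypts, that every rule has a service chain attached, and that the ruleset ends with the catch-all.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed flow record: only the attributes the lab's conditions test.
@dataclass
class Flow:
    ip_protocol: str              # "TCP", "UDP", ...
    sni: Optional[str] = None     # Server Name carried in the TLS ClientHello, if any

@dataclass
class Action:
    flow_action: str              # "Allow" or "Block"
    ssl_action: str               # "Bypass", or "Decrypt" (label assumed here for the default)
    service_chain: Optional[str]  # service chain name, or None when none is attached

@dataclass
class Rule:
    name: str
    condition: Callable[[Flow], bool]
    action: Optional[Action] = None   # logging rules carry no traffic action

def sni_equals(hostname: str) -> Callable[[Flow], bool]:
    """Condition: Server Name (TLS ClientHello) Equals <hostname>.
    Hostnames are compared case-insensitively (assumption)."""
    return lambda f: f.sni is not None and f.sni.lower() == hostname.lower()

def ip_protocol_equals(proto: str) -> Callable[[Flow], bool]:
    """Condition: IP Protocol Equals <proto>."""
    return lambda f: f.ip_protocol.upper() == proto.upper()

def all_traffic(_: Flow) -> bool:
    """Condition of the immovable default rule: matches every flow."""
    return True

# Traffic Rules ruleset as built in 4.4.2 and 4.4.3; list order is evaluation order.
TRAFFIC_RULES: List[Rule] = [
    Rule("rule1", sni_equals("test.f5labs.com"),
         Action("Allow", "Bypass", "my-service-chain-lab2")),
    Rule("All Traffic", all_traffic,
         Action("Allow", "Decrypt", "my-service-chain-lab2")),
]

# Logging Rules ruleset as built in 4.4.4.
LOGGING_RULES: List[Rule] = [
    Rule("all-logging", ip_protocol_equals("TCP")),
]

def evaluate_traffic(flow: Flow, rules: Optional[List[Rule]] = None) -> Tuple[str, Action]:
    """Return (rule name, action) of the first traffic rule whose condition matches."""
    for rule in TRAFFIC_RULES if rules is None else rules:
        if rule.condition(flow):
            return rule.name, rule.action
    raise ValueError("no rule matched; the ruleset lacks the All Traffic default")

def evaluate_logging(flow: Flow, rules: Optional[List[Rule]] = None) -> List[str]:
    """Return the names of every logging rule whose condition matches the flow."""
    return [r.name for r in (LOGGING_RULES if rules is None else rules) if r.condition(flow)]

def policy_warnings(rules: List[Rule]) -> List[str]:
    """Sanity checks to run over a traffic ruleset before deploying it (assumed checks)."""
    warnings = []
    if not rules or rules[-1].condition is not all_traffic:
        warnings.append("last rule is not the All Traffic default; unmatched flows have no action")
    for rule in rules:
        if rule.action is None:
            continue
        if rule.action.ssl_action == "Bypass" and rule.condition is all_traffic:
            warnings.append(f"{rule.name!r} bypasses decryption for all traffic")
        if rule.action.service_chain is None:
            warnings.append(f"{rule.name!r} has no service chain; matching flows skip inspection")
    return warnings

if __name__ == "__main__":
    for flow in (Flow("TCP", "test.f5labs.com"), Flow("TCP", "www.example.com"), Flow("UDP")):
        name, action = evaluate_traffic(flow)
        print(f"{flow} -> {name}: {action}; logged by {evaluate_logging(flow)}")
    print("warnings:", policy_warnings(TRAFFIC_RULES))
```

Running the model over a flow with the SNI test.f5labs.com returns rule1 with SSL Action Bypass, any other SNI (or no TLS at all) falls through to All Traffic and is decrypted, and only TCP flows trigger the all-logging rule. Before section 4.4.3 the All Traffic rule would have been flagged by policy_warnings() for lacking a service chain, which is exactly why that step attaches one. Because the bypass decision keys on the Server Name the client places in its ClientHello, keep bypass conditions as specific as the lab does (an exact hostname) rather than broad patterns.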

4.4.5. Finish the Traffic Policy

  1. Click the Save and Finish button.


The traffic policy is now saved to the BIG-IP Central Manager. In the next section, you will deploy it to a BIG-IP instance by associating it with an application.


Note

The traffic policy is now complete with respect to this lab module, but other traffic and logging rules can also be applied (as required).