5.4. Defining a Traffic Policy

The SSL Orchestrator traffic policy enables policy-based traffic steering to the inspection services. The policy defines traffic conditions, and each condition defines a set of actions to take on matching flow.

A traffic policy is a combination of multiple rulesets, each with same or similar traffic conditions, but different potential actions.

  • The Traffic Rules ruleset controls blocking, TLS decrypt decisions, and steering to inspection services.
  • The Traffic Rules ruleset contains a single, immovable All Traffic condition that applies to all traffic flows that do not match any other (higher) condition. Its default and adjustable behavior is to Allow traffic and decrypt.
  • The Logging Rules ruleset controls logging behavior.

5.4.1. Create an SSL Orchestrator Traffic Policy

You will now create a traffic policy with a TLS decryption bypass rule for a specific hostname. The default rule will decrypt all other traffic.

  1. In the SSL Orchestrator menu, click on Policies.

  2. Click + Create in the top right to add a new traffic policy.

  3. In the Create Policy pane:

    • Enter my-sslo-policy-lab3 in the Name field and an optional description
    • Enter Traffic policy for lab 3 in the Description field (optional).
    • Set the Type to Inbound Gateway.
    ../../_images/policy-11.png

  4. Click the Next button to continue to the Rules configuration.

5.4.2. Create a Traffic Condition Rule - TLS Decryption Bypass

A Traffic Rule is generally made up of three parts, depending on the type of condition - the condition type (e.g., 'IP Protocol'), expression (e.g., 'equals'), and evaluation (what is being tested).

Now, you will create a TLS bypass rule for traffic destined for gwapp3.f5labs.com

  1. Click the + Create button to create a new traffic rule.

    ../../_images/policy-21.png

  2. In the Rule Properties section of the Create Traffic Rule panel:

    • Enter gwapp3 in the Name field.
    • Enter TLS bypass for gwapp3.f5labs.com in the Description field.

  3. Click on the Save & Continue button to continue to Conditions and Actions.

  4. In the Conditions section, click the Start Creating button and create a conditional expression:

    • Select a condition type of Server Name (TLS ClientHello).
    • Select an expression of Equals.
    • Enter an evaluation value of gwapp3.f5labs.com.

  5. Define the action to take when this conditional expression matches:

    Hint

    Scroll down if you not see the Actions section.

    • Set the Flow Action to Allow. This will allow the traffic to pass.
    • Set the SSL Action to Bypass. This will disable decryption of the traffic.
    • Set the Service Chain to my-service-chain-lab3. This will send the traffic through a specified Service Chain.
    ../../_images/policy-31.png

  6. Click the Save button.

You will now see 2 Traffic Rules (gwapp3 and All Traffic).

../../_images/policy-3b1.png

5.4.3. Edit Traffic Condition Rule - All Traffic (Default)

By default, the All Traffic rule does not have a Service Chain selected. Let's attach a Service Chain to ensure that traffic flows not matching other rules is sent through a service chain.

  1. Click the All Traffic rule to modify it.

  2. Click on Conditions and Actions.

  3. Set the Service Chain to my-service-chain-lab3.

    ../../_images/policy-41.png

  4. Click the Save button to close the panel.

5.4.4. Create a Logging Rule - Log all TCP traffic

  1. Now, create a single Logging Rules condition to log all incoming traffic. In the Logging Rules ruleset, click the Start Creating button.

  2. Enter all-logging in the Name field, and optional description.

  3. Click Save & Continue.

  4. In Conditions and Actions, click the Start Creating button.

  5. Configure a rule to log all TCP traffic.

    • Type: IP Protocol
    • Expression: Equals
    • Evaluation: TCP

  6. Click the Save button to close the Logging Rules panel.

    ../../_images/policy-51.png

5.4.5. Finish the Traffic Policy

  1. Click the Save and Finish button.

    ../../_images/policy-61.png

The traffic policy is now saved to the BIG-IP Central Manager. In the next section, you will deploy it to a BIG-IP instance by associating it with an application.

../../_images/policy-71.png

Note

The traffic policy is now complete with respect to this lab module, but other traffic and logging rules can also be applied (as required).