FireEye F5
3 FireEye 4 FireEye 6 SSL/TLS 11 SSL/TLS 12 12 13 SSL/TLS 14 SSL/TLS 14 2
SSL/TLS IPS IPS IDS IDS ディープ パケット インスペクション 境 界 ファイアウォール HTTP FTP および SMTP の 検 査 ネットワーク ファイアウォール サービス + 単 純 なロード バランシング 悪 意 のある HTTPS Web サイト 1. 1 FireEye F5 FireEye NX Series Web F5 BIG-IP SSL/TLS 2 FireEye SSL/TLS 3
FireEye BIG-IP 1 BIG-IP SSL/TLS FireEye FireEye 2 3 境 界 ファイアウォール ネットワーク ファイアウォール サービス + 単 純 なロード バランシング AFM 検 査 のために FireEye に 送 信 される 特 定 の トラフィック 安 全 なトラフィックだけが BIG-IP に 返 される 悪 意 のある HTTPS Web サイト ディープ パケット インスペクション HTTP FTP および SMTP の 検 査 2. FireEye F5 SSL/TLS BIG-IP FireEye 3 FireEye BIG-IP 2 3 4
VLAN VLAN fireeye_inside VLAN fireeye_outside VLAN ## Example Route-Domain Configuration [root@big-ip01: Active] ~ # tmsh list net route-domain one-line net route-domain 0 { vlans { inside fireeye _ inside net route-domain 1 { vlans { outside fireeye _ outside 2 3 fireeye_outside IP 2 MAC [root@bigip01: Active] ~ # tmsh show sys mac-address grep -i fireeye _ outside 00:23:e9:69:d8:c9 net vlan fireeye _ outside mac-true [root@bigip01: Active] ~ # tmsh list ltm rule Target _ FireEyenet ltm rule Target _ FireEye { when CLIENT _ ACCEPTED { nexthop fireeye _ inside 00:23:e9:69:d8:c9 VLAN MAC BIG-IP MAC 2 VLAN MAC https:// support.f5.com/kb/en-you/solutions/public/14000/500/sol14513.html {root@big-ip01: Active] ~ # tmsh show sys mac-address grep -i fireeye 00:23:e9:69:d8:c9 net vlan fireeye _ inside mac-true 00:23:e9:69:d8:c9 net vlan fireeye _ outside mac-true MAC [root@bigip01: Active] ~ # tcpdump -neqi 0.0 ether host 00:23:e9:ad:c0:03 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 18:11:31.554921 00:23:e9:ad:c0:03 > 00:23:e9:ad:c0:03, 802.1Q, length 78: vlan 2402, p 0, ethertype IPv4, 10.10.31.11.58636 > 10.10.31.14.http: tcp 0 MAC IP ## Modify each VLAN to have a unique masquerade mac address tmsh modify sys db tm.macmasqaddr _ per _ vlan value true ## Create the new Traffic Group tmsh create cm traffic-group traffic-group-2 mac 00:f5:f5:f5:00:00 ## Update the floating self-ip addresses to use the new traffic group tmsh modify net self 10.10.32.1 traffic-group traffic-group-2 5
IP MAC [root@ BigIP01: Active] ~ # ping 10.10.32.1 -c1 PING 10.10.32.1 (10.10.32.1) 56(84) bytes of data. 64 bytes from 10.10.32.1: icmp _ seq=1 ttl=255 time=0.291 ms [root@big-ip01: Active] ~ # arp -an 10.10.32.1? (10.10.32.1) at 00:f5:f5:f5:61:09 [ether] on fireeye _ outside MAC irule [root@bigip01: Active] ~ # tmsh list ltm rule Target _ FireEyenet ltm rule Target _ FireEye { when CLIENT _ ACCEPTED { nexthop fireeye _ inside f5:f5:f5:61:09 FireEye BIG-IP ## Create virtual server that will route traffic to the FireEye device for inspection tmsh create ltm virtual default _ egress _ http destination 0.0.0.0:80 profiles add { fastl4 vlans add { inside vlans-enabled rules { Target _ FireEye ## Create the default virtual to grab all traffic, this virtual will also match on traffic that leaves the FireEye device tmsh create ltm virtual default _ egress _ any destination 0.0.0.0:0 profiles add { fastl4 pool p _ Internet _ Gateway source-address-translation { type automap FireEye FireEye FireEye 6
ディープ パケット インスペクション デバイス A HTTP FTP および SMTP の 検 査 検 査 のために FireEye に 送 信 される 特 定 のトラフィック 安 全 なトラフィックだけが BIG-IP に 返 される 境 界 ファイアウォール ネットワーク ファイアウォール サービス + 単 純 なロード バランシング AFM 悪 意 のある HTTPS Web サイト 検 査 のために FireEye に 送 信 される 特 定 のトラフィック 安 全 なトラフィックだけが BIG-IP に 返 される ディープ パケット インスペクション デバイス B HTTP FTP および SMTP の 検 査 3. FireEye 7
FireEye FireEye VLAN VLAN FireEye FireEye ## Creating the required VLANs to pass traffic to FireEye A tmsh create net vlan fireeye-01 _ inside tag 111 interfaces add { 1.1 { tagged tmsh create net vlan fireeye-01 _ outside tag 112 interfaces add { 1.2 { tagged ## Creating the required VLANs to pass traffic to FireEye B tmsh create net vlan fireeye-02 _ inside tag 121 interfaces add { 1.3 { tagged tmsh create net vlan fireeye-02 _ outside tag 122 interfaces add { 1.4 { tagged BIG-IP 2 MAC FireEye 3 2 MAC MAC VLAN IP traffic-group-2 ## Creating the self-ip used to source traffic to monitor FireEye A tmsh create net self 10.10.111.2 address 10.10.111.2/29 traffic-group traffic-grouplocal-only vlan fireeye-01 _ inside tmsh create net self 10.10.111.1 address 10.10.111.1/29 traffic-group traffic-group-1 vlan fireeye-01 _ inside ## Creating the self-ip used to target traffic to monitor FireEye A tmsh create net self 10.10.112.2 address 10.10.112.2/29 traffic-group traffic-grouplocal-only vlan fireeye-01 _ outside tmsh create net self 10.10.112.1 address 10.10.112.1/29 traffic-group traffic-group-2 vlan fireeye-01 _ outside ## Creating the self-ip used to source traffic to monitor FireEye B tmsh create net self 10.10.121.2 address 10.10.121.2/29 traffic-group traffic-grouplocal-only vlan fireeye-02 _ inside tmsh create net self 10.10.121.1 address 10.10.121.1/29 traffic-group traffic-group-1 vlan fireeye-02 _ inside ## Creating the self-ip used to target traffic to monitor FireEye B tmsh create net self 10.10.122.2 address 10.10.122.2/29 traffic-group traffic-grouplocal-only vlan fireeye-02 _ outside tmsh create net self 10.10.122.1 address 10.10.122.1/29 traffic-group traffic-group-2 vlan fireeye-02 _ outside 8
VLAN VLAN MAC ## Identify the MAC to target for FireEye A [root@bigip01: Active] ~ # ping 10.10.112.1 -c1 PING 10.10.32.1 (10.10.112.1) 56(84) bytes of data. 64 bytes from 10.10.112.1: icmp _ seq=1 ttl=255 time=0.291 ms [root@bigip01: Active] ~ # arp -an 10.10.112.1? (10.10.112.1) at 00:f5:f5:f5:61:09 [ether] on fireeye-01 _ outside ## Identify the MAC to target for FireEye B [root@bigip01: Active] ~ # ping 10.10.122.1 -c1 PING 10.10.32.1 (10.10.122.1) 56(84) bytes of data. 64 bytes from 10.10.122.1: icmp _ seq=1 ttl=255 time=0.291 ms [root@bigip01: Active] ~ # arp -an 10.10.122.1? (10.10.122.1) at 00:f5:f5:f5:63:09 [ether] on fireeye-02 _ outside FireEye ARP ARP VLAN ## Identify the MAC to target for FireEye A tmsh create net arp fireeye-01 _ outside ip-address 10.10.111.6 mac-address 00:f5:f5:f5:61:09 ## Identify the MAC to target for FireEye B tmsh create net arp fireeye-02 _ outside ip-address 10.10.121.6 mac-address 00:f5:f5:f5:63:09 VLAN ## Create the endpoint to target for FireEye A tmsh create ltm virtual _ fireeye-01 _ outside profiles add { fastl4 destination 10.10.111.6:0 vlans add {fireeye-01 _ outside vlans-enabled ## To keep the MAC address unique, you must make it a member of traffic-group-2 tmsh modify ltm virtual-address 10.10.111.6 traffic-group traffic-group-2 ## Create the endpoint to target for FireEye B tmsh create ltm virtual _ fireeye-02 _ outside profiles add { fastl4 destination 10.10.121.6:0 vlans add {fireeye-02 _ outside vlans-enabled ## To keep the MAC address unique, you must make it a member of traffic-group-2 tmsh modify ltm virtual-address 10.10.121.6 traffic-group traffic-group-2 9
TCPDUMP ping fireeye-01_inside fireeye-01_outside FireEye ## tcpdump of ICMP traffic traversing the FireEye device [root@bigip01: Active] ~ # tcpdump -neqi 0.0 host 10.10.111.6 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 21:55:46.329862 00:23:e9:ae:16:0c > 00:f5:f5:f5:61:09, 802.1Q, length 58: vlan 111, p 0, ethertype IPv4, 10.10.111.3 > 10.10.111.6: ICMP echo request, id 58938, seq 581, length 20 21:55:46.330145 00:23:e9:ae:16:0c > 00:f5:f5:f5:61:09, 802.1Q, length 58: vlan 112, p 0, ethertype IPv4, 10.10.111.3 > 10.10.111.6: ICMP echo request, id 58938, seq 581, length 20 21:55:46.330163 00:f5:f5:f5:61:09 > 00:23:e9:ae:16:0c, 802.1Q, length 58: vlan 112, p 0, ethertype IPv4, 10.10.111.6 > 10.10.111.3: ICMP echo reply, id 58938, seq 581, length 20 21:55:46.330448 00:f5:f5:f5:61:09 > 00:23:e9:ae:16:0c, 802.1Q, length 58: vlan 111, p 0, ethertype IPv4, 10.10.111.6 > 10.10.111.3: ICMP echo reply, id 58938, seq 581, length 20 境 界 ファイアウォール ネットワーク ファイアウォール サービス + 単 純 なロード バランシング AFM fireeye-01_inside VLAN ID: 111 fireeye-01_outside VLAN ID: 112 ディープ パケット インスペクション デバイス A HTTP FTP および SMTP の 検 査 4. fireeye-01_inside fireeye-01_outside FireEye 10
BIG-IP FireEye ## Create the pool that will be used to load balance the FireEye devices tmsh create ltm pool p _ fireeye { members add{ n _ fireeye01:any { address 10.10.31.6 n _ fireeye02:any { address 10.10.31.14 monitor gateway _ icmp ## Create virtual server that will route traffic to the FireEye device for inspection tmsh create ltm virtual destination 0.0.0.0:0 profiles add { tcp vlans add { inside vlans-enabled pool fireeye _ inside _ tcp ## Create the default virtual to grab all traffic; this virtual will also match on traffic that leaves the FireEye device tmsh create ltm virtual default _ egress _ any destination 0.0.0.0:0 profiles add { fastl4 pool p _ Internet _ Gateway source-address-translation { type automap irule FireEye ltm rule FireEye _ Failback { when CLIENT _ ACCEPTED { if { [active _ members p _ fireeye] == 0 { virtual default _ egress _ any SSL/TLS SSL/TLS : BIG-IP Local Traffic Manager LTM SSL Forward Proxy BIG-IP Access Policy Manager APM Secure Web Gateway Services RootCA : RootCA FireEye RootCA URL SSL/TLS 2 11
SSL/TLS SSL/TLS irule irule TCP ClientHELLO TCP SSL/TLS tcp fireeye_inside_tcp fireeye_outside_tcp tmsh create ltm profile tcp tcp-fireeye { tcp-options {77 last fireeye_inside_tcp when CLIENT_ACCEPTED { ## At TCP session initiation it is not yet known whether this connection is going to be SSL. ## Disable the SSL profiles and then collect the payload SSL::disable clientside SSL::disable serverside TCP::collect when CLIENT_DATA { ## If the first byte after the TCP handshake is TLS record type 22 (handshake, i.e. a CLIENTHELLO), enable SSL binary scan [TCP::payload] c type if { $type == 22 { SSL::enable clientside SSL::enable serverside TCP::release ## Disconnect from the existing session after caching the SSL Certificate when CLIENTSSL_HANDSHAKE { LB::detach SSL::disable serverside set _ tls 1 ## Insert the TCP option for TLS requests when SERVER_CONNECTED { if {[info exist _ tls] { ## Populate option 77 so that the remote side knows it was a TLS connection TCP::option set 77 [binary format c 1] all SSL SSL/TLS SSL/TLS 12
境界ファイアウォール デフォルトの暗号化 clientssl_proxy ネットワーク ファイアウォール サービス + 単純なロード バランシング AFM デフォルトの暗号化 clientssl_proxy クリア テキスト クリア テキスト ディープ パケット インスペクション HTTP FTP および SMTP の検査 5. NULL SSL/TLS fireeye_outside_tcp ## Create the virtual server that handles SSL/TLS encryption after FireEye inspection tmsh create ltm virtual fireeye_outside_tcp profiles add { tcp destination 10.10.121.6:0 vlans add {fireeye-01_outside fireeye-02_outside rules { fireeye_outside vlans-enabled fireeye_outside irule 13
when CLIENT _ ACCEPTED { TCP::collect 0 when CLIENT _ DATA { ## Populate the variable with the value of TCP Option 77 ## Should be NULL if SSL should be Disabled ## Should NOT be NULL if SSL should be Enabled set _ option77 [TCP::option get 77] if {$ _ option77 eq { log local0. [IP::local _ addr]:[tcp::local _ port] SSL::disable serverside SSL/TLS SSL/TLS ## ServerSSL Profile used to connect to the requested resource ltm profile server-ssl serverssl _ proxy { ca-file ca-bundle.crt defaults-from serverssl peer-cert-mode require secure-renegotiation request ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ## ClientSSL Profile that the user will match on ltm profile client-ssl clientssl _ proxy { defaults-from clientssl inherit-certkeychain false proxy-ca-cert proxy-ca.crt proxy-ca-key proxy-ca.key ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled SSL/TLS 14
bypass_category data-group SSL/TLS ltm data-group internal bypass_category { records { /Common/Financial_Data_and_Services { /Common/Online_Brokerage_and_Trading { type string irule SSL/TLS when CLIENTSSL_CLIENTHELLO { if { [SSL::extensions exists -type 0] { binary scan [SSL::extensions -type 0] @9a* ssl_ext_sn set category ## Identify the category for the requested site, using the hostname the client supplied in the SNI extension catch { set category [getfield [CATEGORY::lookup http://$ssl_ext_sn/] 1] when CLIENTSSL_SERVERHELLO_SEND { ## Bypass sites whose category matches an entry in the bypass datagroup if { [info exists ssl_ext_sn] && [ class match $category equals bypass_category ] { SSL::forward_proxy policy bypass 合同会社 東京本社 107-0052 東京都港区赤坂4-15-1 赤坂ガーデンシティ19階 TEL 03-5114-3210 FAX 03-5114-3201 www.f5networks.co.jp 西日本支社 530-0012 大阪府大阪市北区芝田1-1-4 阪急ターミナルビル16階 TEL 06-7222-3731 FAX 06-7222-3838 2015 F5 Networks, Inc. All rights reserved. f5 F5 Networks F5 F5 Networks, Inc. F5 f5.com F5 0615 RECP-SEC-56252638-fireeye-ss