Deployment Guide AX Series for Palo Alto Networks SSL Intercept and Firewall Load Balancing DG_PA-SSL_Intercept_2012.12.1
Deployment Guide
AX Series for Palo Alto Networks SSL Intercept and Firewall Load Balancing
DG_PA-SSL_Intercept_2012.12.1
Deployment Guide for SSL Intercept
2
Table of Contents
1 Overview ............................................................................................................................................... 4
2 Deployment Prerequisites .................................................................................................................... 4
3 Architecture Overview .......................................................................................................................... 4
3.1 SSL Intercept ............................................................................................................................... 6
3.2 Firewall Load Balancing (FWLB) ................................................................................................. 7
4 Configuration Overview ........................................................................................................................ 8
4.1 Access Credentials ...................................................................................................................... 8
4.2 AX Series Load Balancer Configuration Overview ...................................................................... 9
4.2.1 L2/L3 and High Availability ....................................................................................................... 9
4.2.2 SSL Intercept ........................................................................................................................... 9
4.2.3 Firewall Load Balancing Configuration Overview .................................................................. 11
4.3 Palo Alto Networks Firewall ....................................................................................................... 13
5 Configuration Steps for AX Series Load Balancer .............................................................................. 13
5.1 L2/L3 and High Availability on the AX Series Load Balancers ................................................... 13
5.2 SSL Intercept Configuration on the AX Series Load Balancers ................................................. 21
5.2.1 Internal AX Series Load Balancer .......................................................................................... 21
5.2.2 External AX Series Load Balancer ......................................................................................... 31
5.3 FWLB Configuration on the AX Series ADC .............................................................................. 38
5.3.1 Internal AX Series Load Balancer .......................................................................................... 38
5.3.2 External AX Series Load Balancer ......................................................................................... 40
6 Configuration Steps for Palo Alto Networks Firewall .......................................................................... 41
6.1 Zone Configuration .................................................................................................................... 41
6.2 VLAN Interface Configuration .................................................................................................... 42
6.3 Policy Configuration ................................................................................................................... 43
Deployment Guide for SSL Intercept
3
7 Summary ............................................................................................................................................ 44
Appendix A. Complete Configuration File for the AX Device .................................................................. 45
Appendix B. Detailed Walkthrough of SSL Intercept Packet Flow ......................................................... 48
Appendix C. Alternate Design for vWire Mode Firewalls ........................................................................ 49
Appendix D. Design and Configuration for Adding a DMZ ..................................................................... 50
Deployment Guide for SSL Intercept
4
1 Overview
Firewall or IPS/IDS (Intrusion Prevention System/ Intrusion Detection System) devices usually have difficulties inspecting SSL traffic because the content is encrypted. Some devices offer internal SSL decryption/encryption support but usually the performance requirements are not satisfied. To alleviate this problem, A10 Networks has introduced the “SSL Forward Proxy” feature, also known as “SSL Intercept”. When configured for SSL Intercept, the AX Series Application Deliver Controller (ADC/Load Balancer) intercepts SSL encrypted traffic, decrypts it and forwards it through a firewall or Intrusion Prevention System (IPS). Another AX Series Load Balancer then takes this traffic and encrypts it again, and sends it to the remote destination.
2 Deployment Prerequisites
Here are the deployment requirements for SSL Intercept and Firewall Load Balancing (FWLB):
• AX Series ADC/Load Balancer with Release 2.7.0 or later
• Palo Alto Networks Firewall Appliance with Release 4.1.6 or later
3 Architecture Overview
This section illustrates a joint solution of A10 Networks AX Series Application Delivery Controller/Load Balancers and Palo Alto Networks PA Series firewalls providing SSL Intercept and FWLB capabilities. This is a highly available solution, using VRRP-A for failover for the AX Series Load Balancers, and on multiple redundant paths for the Palo Alto PA series firewalls. The SSL Intercept services are provided by the A10 Load Balancers while the traffic inspection and monitoring services are provided by the Palo Alto PA Series firewalls.
Notes:
• The firewalls are set up in Layer 2 (L2) mode. The solution can work with firewalls in vWire mode as well; a sample for such a design is given in Appendix B. Be aware that the number of ports required on the AX device increases significantly while the firewall is in a vWire mode.
• VRRP-A is an AX Series high availability protocol optimized for Server Load Balancing (SLB), and differs significantly from the industry-standard implementation of Virtual Router Redundancy Protocol (VRRP). For purposes of operational familiarity, VRRP-A borrows concepts from VRRP, but is not VRRP. VRRP-A will not inter-operate with VRRP.
• SSL Intercept feature is only supported on AX devices that have hardware-based SSL cards. The SSL Intercept feature is not supported on SoftAX with software-based SSL. AX-V with hardware the standard SSL card can support up to 5 SoftAX instances which will be capable of supporting the SSL Intercept feature.
Deployment Guide for SSL Intercept
5
External External
Internal Internal
eth1 eth1
eth1 eth1
eth2 eth2
eth2eth2
eth1
eth3 eth4
eth2 eth1 eth2
eth3 eth4
eth20 eth20
eth20 eth20eth18 eth18
eth18 eth18AX Series ADC
Firewall
10.1.250.1110.1.250.12 10.1.250.13
10.1.240.1110.1.240.12 10.1.240.13VRID-‐5 (Green)
VRID-‐6 (Red)
10.1.240.110.1.240.2 10.1.240.3VRID-‐15 (Green)10.1.250.110.1.250.2 10.1.250.3 VRID-‐16 (Red)
20.1.1.120.1.1.2 20.1.1.3
10.1.1.110.1.1.2 10.1.1.3
vlan-‐15
vrid-‐5
vlan-‐1
5
vrid-‐5
vlan-‐16vrid-‐6 vlan-‐16
vrid-‐6
vlan-‐15
vrid-‐15
vlan-‐15vrid-‐15vlan-‐1
6
vrid-‐16vlan-‐16
vrid-‐16
vlan-‐20vrid-‐default
vlan-‐2
0
vrid-‐de
fault
vlan-‐20
vrid-‐de
fault
vlan-‐20vrid-‐default
Remote Server
Clients
AX Series ADC
AX Series ADCAX Series ADC
Firewall
Figure 1. SSL Intercept and Firewall Load Balancing (FWLB) topology example
Deployment Guide for SSL Intercept
6
3.1 SSL Intercept
The objective of the SSL Intercept feature is to transparently intercept SSL traffic, decrypt it and send it through the firewall. After the firewall has inspected the clear-text traffic, it is encrypted again in SSL and sent to the destination.
There are three distinct stages for traffic in such a solution, depicted in Figure 2:
1) From client to the internal AX Series Load Balancer, where traffic is encrypted
2) From the internal AX Series Load Balancer to the external AX Series Load Balancer, through the firewall. Traffic is in clear text in this segment
3) Traffic from external AX Series Load Balancer to the remote server, where traffic is encrypted again
Note: Please refer to the user documentation for ACOS Release 2.7 for additional details on the SSL Intercept feature.
SSL EncryptedConnection
Unencrypted Traffic Flow
SSL EncryptedConnection
AX Series ADC
AX Series ADC
Firewall Appliance
Server
Clients
Figure 2. SSL Intercept overview
Deployment Guide for SSL Intercept
7
3.2 Firewall Load Balancing (FWLB)
The FWLB feature allows load sharing between multiple firewalls. The typical deployment is in a sandwich style design where the AX device load balances the external and internal zones of the firewalls. The number of firewalls in the solution can be extended as required. The A10 FWLB solution can work with HTTP, HTTPS, Generic TCP, Generic UDP, DNS, SIP and FTP.
This design can scale up to 15 firewall paths.
AX Series ADC
AX Series ADC
PA FirewallPA Firewall
1
3
4
56
7
8
Traffic originated:Sent to default gateway
2
Traffic intercepted:-‐ A path through one of the firewalls is selected-‐ Load balancing happens here
-‐Traffic inspected by firewall-‐Forwarded to next hop
Traffic intercepted again:-‐ Session is created-‐ MAC address stored in session-‐ Traffic forwarded to default gateway
Traffic received by server
1
2
3
4
9
5
6
7
8
Response is sent
Traffic is matched with a stored session-‐ MAC address is retrieved-‐ Traffic is sent to the same MAC address
Return traffic ends up on same firewall
Traffic sent to load balancer9
End
vlan-‐1 vlan-‐2
Server
Clients
Figure 3. FWLB packet flow
Deployment Guide for SSL Intercept
8
4 Configuration Overview
The configuration for the SSL Intercept solution can be divided into the following portions:
1. Layer 2/3 (L2/L3) and High Availability on the AX Series Load Balancer
2. SSL Intercept configuration on the AX Series Load Balancer
3. FWLB configuration on the AX Series Load Balancer
4. Firewall rules and policy configuration on the PA firewalls
4.1 Access Credentials
The access credentials listed below are the default settings on the AX Series and Palo Alto Networks appliances.
A10 Networks AX Series access defaults:
• Default username is “admin”.
• Default password is “a10”.
• Default management IP address of the device is “172.31.31.31”.
Palo Alto Networks PA Series access defaults:
• Default username is “admin”.
• Default password is “admin”.
• Default management IP address of the device is “192.168.1.1”.
Note: Both the AX Series and PA Series appliances support a Graphical User Interface (GUI) and Command Line User Interface (CLI).To access the CLI interfaces for both AX Series and PA Series, you will be required to use an SSH client such as putty.exe.
Deployment Guide for SSL Intercept
9
4.2 AX Series Load Balancer Configuration Overview
The following sections provide more information about the AX configuration items listed above.
4.2.1 L2/L3 and High Availability
The solution has a pair of AX Series Load Balancers in the external zone of the firewalls and another pair in the internal zone of the firewalls. Each pair is running VRRP-A to provide redundancy.
A key requirement of this solution is to have each firewall in a separate VLAN. The topology shown in Figure 1 has a Red VLAN and a Green VLAN. There is one firewall in the Red VLAN and one in the Green VLAN. Each firewall is tied to one VRRP-A instance on the external load balancer pair, and one VRRP-A instance on the internal load balancer pair. The VRIDs must be unique on either side of the firewall to avoid MAC address conflicts.
Each VRRP-A instance is attached to a single VLAN and tracks the member interface and the upstream interface that connects to the gateway. This ensures that a failover occurs under any of the following circumstances:
• An interface goes down
• A cable is disconnected
• The entire device goes down
4.2.2 SSL Intercept
The SSL Intercept configuration is slightly different on the external AX Series Load Balancer compared to the internal AX Series Load Balancer. Additionally, the configuration is identical on both devices of the same high availability pair, except for the VRRP-A priority. This guide discusses the configuration of only one external AX Series Load Balancer and one internal AX Series Load Balancer.
SSL Intercept Configuration on Internal AX Load Balancer
A prerequisite for configuring the SSL Intercept feature is a CA certificate with a known private key. This CA certificate must be pushed to all client machines on the internal network. If the CA certificate is not pushed, the internal hosts will get an SSL “untrusted root” error whenever they try to connect to a site with SSL enabled.
The following two commands generate and initialize a CA Certificate on a Linux system with an OpenSSL package installed. Once generated, the certificate can be imported onto the AX device using FTP or SCP. openssl genrsa -out ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Deployment Guide for SSL Intercept
10
The root certificate must be imported onto the client machines. This can be done manually, or using an automated service such as Microsoft Group Policy Manager. Automated login scripts can achieve the same result for organizations that use Linux or Unix clients.
Note: Further details for Group Policy Manager can be found at: http://technet.microsoft.com/en-us/library/cc772491.aspx
The configuration of SSL Intercept on the internal AX Series Load Balancer has the following key elements:
• SSL traffic entering on port 443 is intercepted.
♦ Port 443 is defined under a wildcard VIP to achieve this.
• The SSL server certificate is captured during the SSL handshake; all X.509 DN attributes are duplicated, except for the issuer and base64 encoded public key.
♦ Client-SSL template is used for this. The Client-SSL template includes the required command forward-proxy-enabled, along with the local CA certificate and its private key used for signing dynamically forged certificates.
• The incoming SSL traffic is intercepted and decrypted, and is then forwarded in clear text over HTTP through the firewall.
• Along with the protocol (HTTPS to HTTP), the destination port also gets changed from 443 to 8080. However, the destination IP remains unchanged (the server on the Internet).
♦ The command no-dest-nat port-translation achieves this.
• The remote VRRP-A address of each VLAN is added as an SLB server. Each firewall is associated with a single VLAN and thus traffic from the internal AX potentially will traverse each firewall. Port 8080 is defined for each remote host
♦ The command slb server defines a remote host and port number 8080 is added.
Deployment Guide for SSL Intercept
11
SSL Intercept Configuration on External AX Load Balancer
The configuration of SSL Intercept on the external AX Series Load Balancer is simpler than on the internal AX Series Load Balancer; it has the following characteristics:
• Clear-Text HTTP traffic entering on port 8080 is intercepted.
♦ Port 8080 is defined on a wildcard VIP to achieve this.
• Incoming HTTP traffic is converted into SSL traffic and sent out on port 443.
♦ A server-SSL template is defined and applied to the VIP port. The template includes the command forward-proxy-enable. The next-hop IP address of the default router is defined as an SLB server. Optionally, a root CA certificate store file also may be applied to the server-SSL template.
• Along with the protocol (HTTP to HTTPS), the destination port also gets changed from 8080 to 443.
♦ Service group is defined with port 443 and bound to the virtual port.
• The destination IP is not changed.
♦ The command no-dest-nat port-translation achieves this.
• The source MAC of the incoming traffic is preserved so that the response traffic can be sent to the same address.
♦ The command use-rcv-hop-for-resp is used for this.
♦ Client-SSL template helps achieve this.
4.2.3 Firewall Load Balancing Configuration Overview
The FWLB configuration has many similarities to the SSL Intercept configuration. The primary difference is that no client-SSL or server-SSL templates are required for the client side or server side, respectively. Additionally, instead of intercepting traffic on a single port, all TCP and UDP traffic is intercepted.
Just as with SSL Intercept, the configuration on the two devices in each pair is identical, except for the VRRP-A priorities. This guide discusses the configuration of one external AX and one internal AX.
FWLB Configuration on Internal AX Series Load Balancer
• All TCP and UDP traffic is intercepted.
♦ Access Control List (ACL) is created to define traffic of interest.
♦ Wildcard VIP is defined, and uses this ACL.
Deployment Guide for SSL Intercept
12
♦ TCP port 0, UDP port 0 and “others” port 0 are defined on the wildcard VIP.
• Next-hop gateways are defined and added to a service group.
♦ The command slb server is used to define next-hop gateways. These are the VRRP-A addresses on the remote side, one VRRP-A address per VLAN.
• Once traffic is intercepted, it is routed to one of the firewalls based on the configured algorithm (in this case, round-robin). Destination-NAT is disabled for this traffic.
♦ The commands port 0 tcp and port 0 udp help achieve this.
♦ The command no-dest-nat helps achieve this.
FWLB Configuration on External AX Series Load Balancer
Another wildcard VIP is configured on the external AX. This wildcard VIP intercepts all incoming traffic and sends it to the default router. However, while doing so, the AX device also creates internal sessions. The MAC address of the host from which the traffic was received is also stored in this session. This step is to ensure that the return traffic belonging to this session will be sent to the same firewall through which it was received.
• All TCP, UDP and IP traffic is intercepted.
♦ ACL is created to define traffic of interest.
♦ Wildcard VIP is defined with this ACL.
♦ TCP port 0, UDP port 0 and “others” port 0 are defined on the wildcard VIP.
• Next-hop gateway (default router) is defined and added to a service group.
♦ The command slb server is used to define the next-hop gateway. The default router address is the next hop in this case.
• The incoming HTTP traffic is converted to SSL traffic and sent on port 443.
♦ A server-SSL template is defined and applied to the VIP port. The template includes command forward-proxy-enable. The next-hop IP address is defined as an SLB server.
• Along with the protocol (HTTP to HTTPS), the destination port also gets changed from 8080 to 443.
• Service group is defined with port 443 and bound to the virtual port.
• The destination IP is not changed.
♦ The command no-dest-nat port-translation achieves this.
Deployment Guide for SSL Intercept
13
• The source MAC address of the incoming traffic is preserved so that the response traffic can be sent to the same address.
♦ The command use-rcv-hop-for-resp is used for this.
4.3 Palo Alto Networks Firewall
The firewall should be configured according to the institutional security policy. Here are the key requirements for this solution to work:
• ARP packets should be allowed for VRRP-A packets on both internal and external AX Series Load Balancers.
• Health-check packets should be allowed from internal AX Series Load Balancers to the VRRP-A addresses on the external AX Series Load Balancers, since the firewalls are configured as SLB servers.
5 Configuration Steps for AX Series Load Balancer
This section provides detailed steps for configuring the AX Series Load Balancer for SSL Intercept.
5.1 L2/L3 and High Availability on the AX Series Load Balancers
The steps in this section configure the following L2/L3 parameters:
• VLANs and their router interfaces
• Virtual Ethernet (VE) interfaces, which are IP addresses assigned to VLAN router interfaces
• VRRP-A for high availability
Configure the VLANs and add Ethernet and Router Interfaces
Configure the following VLAN parameters:
• VLAN-10: This is the uplink to the internal network. Add router-interface ve 10 along with the Ethernet interface.
• VLAN-15: This is the path to the external AX Series Load Balancers through firewall-1. Add router-interface ve 15 along with the Ethernet interface.
Deployment Guide for SSL Intercept
14
• VLAN-16: This is the path to the external AX Series Load Balancers through firewall-2. Add router-interface ve 16 along with the Ethernet interface.
• VLAN-99: This is the VLAN for VRRP-A sync messages. Add router-interface ve 99 along with the Ethernet interface.
Using the CLI:
AX(config)#vlan 10
AX(config-vlan:10)#router-interface ve 10
AX(config-vlan:10)#untagged ethernet 20
AX(config-vlan:10)#exit
AX(config)#vlan 15
AX(config-vlan:15)#router-interface ve 15
AX(config-vlan:15)#untagged ethernet 1
AX(config-vlan:15)#exit
AX(config)#vlan 16
AX(config-vlan:16)#router-interface ve 16
AX(config-vlan:16)#untagged ethernet 2
AX(config-vlan:16)#exit
AX(config)#vlan 99
AX(config-vlan:99)#router-interface ve 99
AX(config-vlan:99)#tagged ethernet 18
AX(config-vlan:99)#exit
Using the GUI:
1. Navigate to Config Mode > Network > VLAN > VLAN.
2. Click Add.
3. Enter the VLAN ID, select the interfaces, and enter the VE ID (same as the VLAN number).
4. Click OK.
5. Repeat for each VLAN.
Deployment Guide for SSL Intercept
15
Figure 4. VLAN configuration
The VLAN configuration should be similar to the following after all four VLANs have been added.
Figure 5. VLAN settings
Deployment Guide for SSL Intercept
16
Configure IP Addresses on the VLAN Router Interfaces
Make sure to enable the promiscuous VIP option.
Using the CLI:
AX(config)#interface ve 10
AX(config-if:ve10)#ip address 203.0.113.2 255.255.255.0
AX(config-if:ve10)#ip allow-promiscuous-vip
AX(config-if:ve10)#exit
AX(config)#interface ve 15
AX(config-if:ve15)#ip address 198.51.100.2 255.255.255.0
AX(config-if:ve15)#exit
AX(config)#interface ve 16
AX(config-if:ve16)#ip address 192.0.2.2 255.255.255.0
AX(config-if:ve15)#exit
Using the GUI:
1. Navigate to Config Mode > Interface > Virtual. The interfaces configured above should be visible.
2. Click on “ve-10” and configure the IPv4 address.
3. Click on VIP to display the configuration options.
4. Select Allow Promiscuous VIP.
5. Click OK when done.
6. Repeat for each VE.
Deployment Guide for SSL Intercept
17
Figure 6. Virtual Ethernet (VE) interface configuration
Configure VRRP-A on the Internal AX Series Load Balancers
1. Set unique VRRP-A device IDs on both AX Series Load Balancers.
2. Configure the same set ID on both AX Series Load Balancers.
3. Configure VRIDs and assign floating IPs.
In this step, the following VRIDs are configured:
♦ VRID-Default: This VRID will be used for the enterprise switch, floating IP 203.0.113.1.
♦ VRID-15: This VRID will be used for VLAN-15, floating IP 198.51.100.1.
♦ VRID-16: This VRID will be used for VLAN-16, floating IP 192.0.2.1.
4. Configure and enable a VRRP-A interface.
5. Repeat the steps above on the external AX Series Load Balancer pair.
Note: The VRIDs must be unique on the internal and external AX Series Load Balancers.
Deployment Guide for SSL Intercept
18
Using the CLI:
AX(config)#vrrpa device-id 1
AX(config)#vrrpa set-id 1
AX(config)#vrrpa vrid default
AX(config-vrid-default)#floating-ip 203.0.113.1
AX(config-vrid-default)#priority 200
AX(config-vrid-default)#exit
AX(config)#vrrpa vrid 15
AX(config-vrid)#floating-ip 198.51.100.1
AX(config-vrid)#priority 200
AX(config-vrid)#exit
AX(config)#vrrpa vrid 16
AX(config-vrid)#floating-ip 192.0.2.1
AX(config-vrid)#priority 200
AX(config-vrid)#exit
AX(config)#vrrpa interface ethernet 18 vlan 99
Repeat on the external AX Series Load Balancer pair. Make sure to use unique IP addresses.
Using the GUI:
1. Navigate to Config Mode > VRRP-A > Setting > VRRP-A Global.
2. Select the Device ID. Each device in the VRRP-A set must have a unique VRRP-A device ID.
3. In the Set ID field, enter “1”.
Figure 7. VRRP-A global configuration
Deployment Guide for SSL Intercept
19
4. Click on VRID to display the options.
a. Select “default” from the VRID drop-down list.
b. Enter priority “200”.
c. Click Add.
d. Repeat for VRIDs 15 and 16.
Figure 8. VRRP-A global configuration - VRIDs
5. Click Float IP Address to display floating IP address options.
a. Select “default” from the VRID drop-down list.
b. Add IPv4 address 203.0.113.1.
c. Click Add.
d. Repeat for VRIDs 15 and 16.
Deployment Guide for SSL Intercept
20
Figure 9. VRRP-A global configuration - floating IP
6. Navigate to Config Mode > VRRP-A > VRRP-A Interface.
a. Click on Ethernet 18.
b. Configure VLAN 99.
c. Enable all options: Status, VRRP-A Status, Type, and Heartbeat.
d. Click OK.
Figure 10. VRRP-A interface configuration
Deployment Guide for SSL Intercept
21
7. Repeat the steps above on the external AX Series Load Balancer pair. Make sure to use unique IP addresses.
5.2 SSL Intercept Configuration on the AX Series Load Balancers
The following steps configure the SSL Intercept options.
5.2.1 Internal AX Series Load Balancer
Use the following steps to configure SSL Intercept parameters in the internal AX Series Load Balancer.
Configure Servers for VLAN-10 and VLAN-15
These steps configure a remote server with port 8080, and with the VRRP-A address of the first VLAN. Then a second server is configured, with the VRRP-A address of the second VLAN.
Using the CLI:
AX(config)#slb server FW1_Path 198.51.100.11
AX(config-real server)#port 8080 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server FW2_Path 192.0.2.11
AX(config-real server)#port 8080 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Using the GUI:
1. Navigate to Config Mode > Service > SLB > Server.
2. Click Add.
3. Enter the following settings:
♦ Name: “FW1_Path”
♦ IP Address: 198.51.100.11
Deployment Guide for SSL Intercept
22
4. Enter Port parameters:
♦ Port: "8080"
♦ Protocol: "TCP"
♦ Health Monitor: Select blank (disabled).
♦ Click Add.
5. Click OK.
6. Repeat for the second VLAN, using a unique IP address.
Figure 11. Server configuration (internal)
Figure 12. Server port configuration (internal)
Deployment Guide for SSL Intercept
23
Configure a Service Group
These steps add the servers to a service group.
Using the CLI:
AX(config)#slb service-group SSLfp tcp
AX(config-slb svc group)#slb service-group SSLfp tcp
AX(config-slb svc group)#member FW1_Path:8080
AX(config-slb svc group)#member FW2_Path:8080
AX(config-slb svc group)#exit
Using the GUI:
1. Navigate to Config Mode > Service > SLB > Service Group.
2. Click Add.
3. Enter the following parameters:
♦ Name: "SSLfp"
♦ Type: "TCP"
4. Click on Server.
5. Select the Server, "FW1_Path", from the drop-down list.
6. Select the Port, "80".
7. Click Add.
8. Repeat for the second server, "FW2_Path"
9. Click OK.
Deployment Guide for SSL Intercept
24
Figure 13. Service group configuration (internal)
Figure 14. Servers (internal)
Deployment Guide for SSL Intercept
25
Configure the ACL
These steps configure an extended ACL to intercept incoming traffic on VLAN-10. This ACL will be used as part of the wildcard VIP configuration, below.
Using the CLI:
AX(config)#access-list 100 permit ip any any vlan 10
Using the GUI:
1. Navigate to Config Mode > Network > ACL > Extended.
2. Click Add.
3. Enter or select the following settings:
♦ ID: "100"
♦ Action: "Permit"
♦ Protocol: "IP"
♦ Source Address: "Any"
♦ Destination Address: "Any"
♦ VLAN ID: "10"
4. Click OK.
Deployment Guide for SSL Intercept
26
Figure 15. Extended ACL configuration (internal)
Configure the Client-SSL Template
These steps configure the client-SSL template.
Note: These steps assume that the CA certificate and the private key have been uploaded to the AX device.
Using the CLI:
AX(config)#slb template client-ssl SSLIntercept_ClientSide
AX(config-client ssl)#forward-proxy-enable
AX(config-client ssl)#forward-proxy-ca-cert ca.cert
AX(config-client ssl)#forward-proxy-ca-key ca.key
AX(config-client ssl)#exit
Using the GUI:
1. Navigate to Config Mode > Service > Template > SSL > Client SSL.
2. Click Add.
3. Enter a Name, "SSLIntercept_ClientSide".
Deployment Guide for SSL Intercept
27
4. Select Enabled next to SSL Forward Proxy.
5. Select the CA certificate from the CA Certificate drop-down list.
6. Select the private key from the CA Private Key drop-down list.
7. Click OK.
Figure 16. Client-SSL configuration (internal)
Deployment Guide for SSL Intercept
28
Configure a wildcard VIP
These steps configure the wildcard VIP.
Using the CLI:
AX(config)#slb virtual-server outbound_wildcard
AX(config-slb vserver)#port 443 https
AX(config-slb vserver-vport)#service-group SSLfp
AX(config-slb vserver-vport)#template client-ssl SSLIntercept_ClientSide
AX(config-slb vserver-vport)#no-dest-nat port-translation
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
Using the GUI:
1. Navigate to Config Mode > Service > SLB > Virtual Server.
2. Click Add.
3. Enter or select the following settings:
♦ Name: “outbound_wildcard”
♦ Wildcard: Select the checkbox.
♦ Access List: "100"
4. Click Add in the Port section.
5. Enter or select the following settings:
♦ Type: "HTTPS"
♦ Port: "443"
♦ Service Group: "SSLfp"
♦ Direct Server Return: Select Enabled, and select the Port Translation checkbox.
♦ Client-SSL Template: “SSLIntercept_ClientSide”
6. Click OK to exit the Virtual Server Port configuration page.
7. Click OK to exit the Virtual Server configuration page.
Deployment Guide for SSL Intercept
29
Figure 17. Virtual server configuration (internal)
Deployment Guide for SSL Intercept
30
Figure 18. Virtual server port configuration (internal)
Deployment Guide for SSL Intercept
31
5.2.2 External AX Series Load Balancer
Use the following steps to configure SSL Intercept parameters in the external AX Series Load Balancer.
Create an SLB Server Configuration for the Default Gateway
These steps create a server configuration for the default gateway, for HTTPS traffic (port 443).
Using the CLI:
AX(config)#slb server server-gateway 192.0.2.253
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Using the GUI:
1. Navigate to Config Mode > Service > SLB > Server.
2. Click Add.
3. Enter the following settings:
♦ Name: “server-gateway”
♦ IP Address: 192.0.2.253
4. Enter Port parameters:
♦ Port: " 443"
♦ Protocol: "TCP"
♦ Health Monitor: Select blank (disabled).
♦ Click Add.
5. Click OK.
Deployment Guide for SSL Intercept
32
Figure 19. Server configuration (external)
Figure 20. Server port configuration (external)
Add the Server Configuration to a Service Group
These steps add the server to a service group.
Using the CLI:
AX(config)#slb service-group SG_443 tcp
AX(config-slb svc group)#member server-gateway:443
AX(config-slb svc group)#exit
Using the GUI:
1. Navigate to Config Mode > Service > SLB > Service Group.
2. Click Add.
3. Enter the following parameters:
♦ Name: "SG_443"
♦ Type: "TCP"
4. Click on Server.
5. Select the Server, "server-gateway", from the drop-down list.
6. Select the Port, " 443".
Deployment Guide for SSL Intercept
33
7. Click Add.
8. Click OK.
Figure 21. Service group configuration (external)
Figure 22. Servers (external)
Configure an ACL to intercept incoming traffic on VLAN-15 and VLAN-16 for the wildcard VIP
These steps configure an extended ACL to intercept traffic on VLAN-15 and VLAN-16. This ACL will be used as part of the wildcard VIP configuration, below.
Using the CLI:
AX(config)#access-list 100 permit ip any any vlan 15
AX(config)#access-list 100 permit ip any any vlan 16
Using the GUI:
1. Navigate to Config Mode > Network > ACL > Extended.
2. Click Add.
Deployment Guide for SSL Intercept
34
3. Enter or select the following settings:
♦ ID: "100"
♦ Action: "Permit"
♦ Protocol: "IP"
♦ Source Address: "Any"
♦ Destination Address: "Any"
♦ VLAN ID: "15"
4. Click OK.
5. Repeat to create a similar ACL rule for VLAN-16.
Figure 23. Extended ACL configuration (external)
Deployment Guide for SSL Intercept
35
Configure the Server-SSL Template
These steps configure the server-SSL template.
Using the CLI:
AX(config)#slb template server-ssl external-intercept
AX(config-server ssl)#forward-proxy-enable
AX(config-server ssl)#exit
Using the GUI:
1. Navigate to Config Mode > Service > Template > SSL > Server SSL.
2. Click Add.
3. Enter a Name, "external-intercept".
4. Select Enabled next to SSL Forward Proxy.
5. Leave other fields blank.
6. Click OK.
Figure 24. Server-SSL configuration (external)
Configure the wildcard VIP
These steps configure the wildcard VIP.
Using the CLI:
AX(config)#slb virtual-server external_in_to_out
AX(config-slb vserver)#port 80 http
Deployment Guide for SSL Intercept
36
AX(config-slb vserver-vport)#name ReverseProxy_Wildcard
AX(config-slb vserver-vport)#service-group SG_443
AX(config-slb vserver-vport)#template server-ssl external-intercept
AX(config-slb vserver-vport)#no-dest-nat port-translation
AX(config-slb vserver-vport)#use-rcv-hop-for-resp
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
AX(config)#exit
Using the GUI:
1. Navigate to Config Mode > Service > SLB > Virtual Server.
2. Click Add.
3. Enter or select the following settings:
♦ Name: “outbound_wildcard”
♦ Wildcard: Select the checkbox.
♦ Access List: "100"
4. Click Add in the Port section.
5. Enter or select the following settings:
♦ Type: "HTTPS"
♦ Port: "443"
♦ Service Group: "SG_443"
♦ Use received hop for response: Select the checkbox.
♦ Direct Server Return: Select Enabled, and select the Port Translation checkbox.
♦ Client-SSL Template: “SSLIntercept_ClientSide”
6. Click OK to exit the Virtual Server Port configuration page.
7. Click OK to exit the Virtual Server configuration page.
Deployment Guide for SSL Intercept
37
Figure 25. Virtual server configuration (external)
Figure 26. Virtual server port configuration (external)
Deployment Guide for SSL Intercept
38
5.3 FWLB Configuration on the AX Series ADC
FWLB configuration is very similar to SSL Intercept configuration, with the following difference: FWLB will intercept traffic on TCP port 0 and UDP port 0, and send the traffic out on the same ports to the remote hosts.
The same ACL wildcard VIPs used for SSL Intercept can be used for FWLB.
Note: For brevity, only the CLI commands are shown in this section.
5.3.1 Internal AX Series Load Balancer
The steps in this section configure FWLB parameters on the internal AX Series Load Balancer.
Add TCP Port 0 and UDP Port 0 to the Firewall Paths
AX(config)#slb server FW1_Path 198.51.100.11
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server FW2_Path 192.0.2.11
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Add the Firewall Paths to TCP and UDP Service Groups
AX(config)#slb service-group LB_Paths_UDP udp
AX(config-slb svc group)#member FW1_Path:0
AX(config-slb svc group)#member FW2_Path:0
Deployment Guide for SSL Intercept
39
AX(config-slb svc group)#exit
AX(config)#slb service-group LB_Paths_TCP tcp
AX(config-slb svc group)#member FW1_Path:0
AX(config-slb svc group)#member FW2_Path:0
AX(config-slb svc group)#exit
Add UDP port 0, TCP port 0 and Others Port 0 to the wildcard VIP
These commands add the service group to the UDP, TCP, and “others” wildcard ports. The no-dest-nat port-translation command is used to convert incoming 8080 traffic to 443, while preserving the destination IP address.
The command use-rcv-hop-for-resp is used so that response traffic goes back through the same path through which the request traffic arrives. The “others” wildcard port can take an already defined TCP service group or UDP service group. In this example, the TCP service group is used.
AX(config)#slb virtual-server outbound_wildcard 0.0.0.0 acl 100
AX(config-slb vserver)#port 0 tcp
AX(config-slb vserver-vport)#name internal1_in_to_out
AX(config-slb vserver-vport)#service-group LB_Paths_TCP
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 udp
AX(config-slb vserver-vport)#name internal1_in_to_out_UDP
AX(config-slb vserver-vport)#service-group LB_Paths_UDP
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 others
AX(config-slb vserver-vport)#name internal1_in_to_out_Others
AX(config-slb vserver-vport)#service-group LB_Paths_TCP
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
Deployment Guide for SSL Intercept
40
5.3.2 External AX Series Load Balancer
The steps in this section configure FWLB parameters on the external AX Series Load Balancer.
Add TCP Port 0 and UDP Port 0 to the Gateway Path
AX(config)#slb server server-gateway 192.0.2.253
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Add the TCP and UDP Gateway Paths to the Service Groups
AX(config)#slb service-group SG_TCP tcp
AX(config-slb svc group)#member server-gateway:0
AX(config-slb svc group)#exit
AX(config)#slb service-group SG_UDP udp
AX(config-slb svc group)#member server-gateway:0
AX(config-slb svc group)#exit
Add UDP port 0, TCP port 0 and Others Port 0 to the wildcard VIP
These commands add the service group to the UDP, TCP, and “others” wildcard ports. The no-dest-nat port-translation command is used to preserve the destination IP address.
The command use-rcv-hop-for-resp is used so that response traffic goes back through the same path through which the request traffic arrives.
AX(config)#slb virtual-server external_in_to_out 0.0.0.0 acl 100
AX(config-slb vserver)#port 0 tcp
AX(config-slb vserver-vport)#name _wildcard_v4_TCP_65535
AX(config-slb vserver-vport)#service-group SG_TCP
AX(config-slb vserver-vport)#use-rcv-hop-for-resp
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 udp
AX(config-slb vserver-vport)#name _wildcard_v4_UDP_65535
Deployment Guide for SSL Intercept
41
AX(config-slb vserver-vport)#service-group SG_UDP
AX(config-slb vserver-vport)#use-rcv-hop-for-resp
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 others
AX(config-slb vserver-vport)#name _wildcard_v4_UDP_65535
AX(config-slb vserver-vport)#service-group SG_UDP
AX(config-slb vserver-vport)#use-rcv-hop-for-resp
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
6 Configuration Steps for Palo Alto Networks Firewall
This section provides detailed steps for configuring Palo Alto Networks Firewall for SSL Intercept.
6.1 Zone Configuration
On the Palo Alto Networks appliance:
1. Navigate to Network > Zone.
2. Click Add.
3. Create the following configurations for Names, Locations and Type:
Diagram 27: Trusted and untrusted zone requirements for Palo Alto Networks Appliance
Note: The "Trusted" network segment is located in the internal section of the network topology. The "Untrusted" network segment of the topology is in the external section of the network topology. (See Figure 1.)
A “vsys” is equivalent to an AX Series Application Delivery Partition (ADP). On the Palo Alto Networks Appliance, partitions such as “vsys1” or “vsys2” from the example above can be created dynamically.
Deployment Guide for SSL Intercept
42
Diagram 28: Palo Alto interface configuration
4. Click OK and save configuration.
6.2 VLAN Interface Configuration
To configure the interface VLAN:
1. Navigate to Network > VLAN.
2. Click Add.
3. Enter the Name of the VLAN: “15”
4. From the drop-down menu, select “vlan”.
5. Click Add and select the interface you wish to add from the VLAN.
Deployment Guide for SSL Intercept
43
Diagram 29: VLAN interface configuration
6. Click OK and save configuration.
6.3 Policy Configuration
This section is to configure the security policy rules of the firewall.
1. Navigate to the Policies and click Add.
2. Enter the following configuration you wish to allow or deny. The following policy information will be required:
♦ General
♦ Source
♦ User
♦ Destination
♦ Application
Deployment Guide for SSL Intercept
44
♦ Service/URL Category
♦ Actions
Diagram 30: Palo Alto Networks policy configuration
Note: Every network will have its own policy so the configuration within the Palo Alto Networks appliance will be used as a reference configuration.
7 Summary
The sections above show how to deploy the AX device with the Palo Alto Networks device for SSL Intercept. By using the AX device for SSL Intercept, the following key advantages are achieved:
• SSL traffic inspection: AX Series ADC/Load Balancer decrypts incoming packets before they pass to the firewall, then re-encrypts them before sending them to the destination/target server.
• Real-time traffic validation, dynamic traffic flow regulation and enhanced security checks.
• Seamless distribution of client traffic across multiple firewalls for site scalability.
• Improved site security performance and availability to end users.
For more information about AX Series products:
• http://www.a10networks.com/products/axseries.php
• http://www.a10networks.com/resources/solutionsheets.php
• http:/www.a10networks.com/resources/casestudies.php
Deployment Guide for SSL Intercept
45
Appendix A. Complete Configuration File for the AX Device
internal Primary unit Configuration internal Standby unit Configuration
! VRRP-A device-id 1 VRRP-A set-id 1 hostname 3000-11.80 ! vlan 10 untagged ethernet 20 router-interface ve 10 ! vlan 15 untagged ethernet 1 router-interface ve 15 ! vlan 16 untagged ethernet 2 router-interface ve 16 ! vlan 99 tagged ethernet 18 router-interface ve 99 ! access-list 100 permit ip any any vlan 10 ! interface management ip address 192.168.223.80 255.255.255.192 ip default-gateway 192.168.223.65 ! interface ve 10 ip address 203.0.113.2 255.255.255.0 ip allow-promiscuous-vip ! interface ve 15 ip address 198.51.100.2 255.255.255.0 ! interface ve 16 ip address 192.0.2.2 255.255.255.0 ! interface ve 99 ip address 55.1.1.1 255.255.255.0 ! ip route 192.0.2.0 /24 198.51.100.11 ! VRRP-A enable VRRP-A vrid default floating-ip 203.0.113.1 priority 200
! VRRP-A device-id 2 VRRP-A set-id 1 hostname 3000-11.81 ! vlan 10 untagged ethernet 20 router-interface ve 10 ! vlan 15 untagged ethernet 1 router-interface ve 15 ! vlan 16 untagged ethernet 2 router-interface ve 16 ! vlan 99 tagged ethernet 18 router-interface ve 99 ! access-list 100 permit ip any any vlan 10 ! interface management ip address 192.168.223.81 255.255.255.192 ip default-gateway 192.168.223.65 ! interface ve 10 ip address 203.0.113.3 255.255.255.0 ip allow-promiscuous-vip ! interface ve 15 ip address 198.51.100.3 255.255.255.0 ! interface ve 16 ip address 192.0.2.3 255.255.255.0 ! interface ve 99 ip address 55.1.1.2 255.255.255.0 ! ip route 192.0.2.0 /24 198.51.100.11 ! VRRP-A enable VRRP-A vrid default floating-ip 203.0.113.1 priority 180
Deployment Guide for SSL Intercept
46
internal Primary unit Configuration internal Standby unit Configuration
tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 15 floating-ip 198.51.100.1 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 16 floating-ip 192.0.2.1 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A interface ethernet 18 vlan 99 ! tftp blksize 32768 ! slb server FW1_Path 198.51.100.11 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server FW2_Path 192.0.2.11 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb service-group LB_Paths_UDP udp member FW1_Path:0 member FW2_Path:0 ! slb service-group LB_Paths_TCP tcp member FW1_Path:0 member FW2_Path:0 !
tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 15 floating-ip 198.51.100.1 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 16 floating-ip 192.0.2.1 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A interface ethernet 18 vlan 99 ! tftp blksize 32768 ! slb server FW1_Path 198.51.100.11 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server FW2_Path 192.0.2.11 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb service-group LB_Paths_UDP udp member FW1_Path:0 member FW2_Path:0 ! slb service-group LB_Paths_TCP tcp member FW1_Path:0 member FW2_Path:0 !
Deployment Guide for SSL Intercept
47
internal Primary unit Configuration internal Standby unit Configuration
slb service-group SSLfp tcp member FW1_Path:8080 member FW2_Path:8080 ! ! slb template client-ssl SSLIntercept_ClientSide forward-proxy-enable forward-proxy-ca-cert ca.cert forward-proxy-ca-key ca.key ! ! slb virtual-server outbound_wildcard 0.0.0.0 acl 100 port 0 tcp name internal1_in_to_out service-group LB_Paths_TCP no-dest-nat port 0 udp name internal1_in_to_out_UDP service-group LB_Paths_UDP no-dest-nat port 0 others name internal1_in_to_out_Others service-group LB_Paths_TCP no-dest-nat port 443 https name internal1_SSL_Intercept_443 service-group SSLfp template client-ssl SSLIntercept_ClientSide no-dest-nat port-translation ! ! ! End
slb service-group SSLfp tcp member FW1_Path:8080 member FW2_Path:8080 ! ! slb template client-ssl SSLIntercept_ClientSide forward-proxy-enable forward-proxy-ca-cert ca.cert forward-proxy-ca-key ca.key ! ! slb virtual-server outbound_wildcard 0.0.0.0 acl 100 port 0 tcp name internal2_in_to_out service-group LB_Paths_TCP no-dest-nat port 0 udp name internal2_in_to_out_UDP service-group LB_Paths_UDP no-dest-nat port 0 others name internal2_in_to_out_Others service-group LB_Paths_TCP no-dest-nat port 443 https name internal2_SSL_Intercept_443 service-group SSLfp template client-ssl SSLIntercept_ClientSide no-dest-nat port-translation ! ! ! end
Deployment Guide for SSL Intercept
48
Appendix B. Detailed Walkthrough of SSL Intercept Packet FLow
SYN
SYN/ACK
ACK
Client-‐Hello
SYN
SYN/ACK
ACK
Client-‐Hello
Server-‐Hello(Server Cert – Public KeySigned by well known CA)
1
If the certificate exists in cache, send it to client and move to (2). Otherwise, establish SSL connection with the remote server and get the certificate from the remote server
2
AX AX
1
2
Extract header information from server certificate. Change Issuer and the Public Key as exist in Client-‐SSL-‐Template. Reassign the new certificate using the CA-‐Certificate as exist in the Client-‐SSL-‐Template. Send the reconstructed Server-‐Hello to client
RST
Server-‐Hello(Server Cert +Local Public Key +Signed by Local CA)
SSL-‐HandshakeMessages+ Finished
Encrypted Application Data 3
3 Data decrypted and sent in clear text through firewall
4SYN
SYN/ACK
ACK
Client-‐Hello
SSL Handshake messages + Finished
Encrypted Application Response
5
4SSL-‐Reverse-‐Proxy:New SSL session initiated with remote server. Data encrypted and sent to remote server
Encrypted Application Data
5 Response is decrypted and sent through firewall
6
6 Response is encrypted again and sent to the client
EncryptedApplication Response
Encrypted Zone Clear Text Zone Encrypted Zone
SSL-‐Handshake Messages+ Finished
Clear Text Application Data
Clear Text Application Response
ClientsServer
Firewall
Deployment Guide for SSL Intercept
49
Appendix C. Alternate Design for vWire Mode Firewalls
External External
Internal Internal
eth1 eth1
eth1 eth1
eth2 eth2
eth2eth2
eth1 eth2
eth20 eth20
eth20 eth20eth18 eth18
eth18 eth18
Firewall / IPS
192.0.3.11192.0.3.12 192.0.3.13
198.51.100.11198.51.100.12 198.51.100.13VRID-‐5 (Green)
VRID-‐6 (Red)
198.51.100.1198.51.100.2 198.51.100.3VRID-‐5 (Green)192.0.3.1192.0.3.2 192.0.3.3 VRID-‐6 (Red)
192.0.2.1192.0.2.2 192.0.2.3
203.0.113.1203.0.113.2 203.0.113.3
Firewall / IPS Firewall / IPS
eth3 eth4 eth3 eth4
eth3 eth4 eth3 eth4
eth3 eth4
eth5 eth6 eth7 eth8 eth5 eth6 eth7 eth8
eth1 eth2 eth3 eth4
SSL Intercept and Firewall Load balancing
(Firewalls in vWire mode)Server
Clients
Deployment Guide for SSL Intercept
50
Appendix D. Design and Configuration for Adding a DMZ
A DMZ can be added to the main design. The basic concepts are the same except that a new wildcard VIP is configured on the external and internal AX Series Load Balancers. This new wildcard VIP will intercept incoming traffic from the external network and send it to either to the DMZ or to the internal network.
The configuration on the DMZ AX Series Load Balancers generally will be similar to what was configured on the external AX Series Load Balancers. In essence, there will be one wildcard VIP listening for traffic entering from the firewalls on both VLANs with the required command use-rcv-hop-for-resp. An additional wildcard VIP, optionally, can be configured to intercept traffic moving from the DMZ to either the external or internal networks.
Attention should be paid to the ACL definitions, as traffic now must be classified based on the destination. In particular, the ACL on the internal AX Series Load Balancer is modified and the AX device chooses the appropriate next-hop address.
Firewall policies should be updated in accordance with enterprise security policies.
Deployment Guide for SSL Intercept
51
External
External
Internal
Internal
eth1
eth1
eth1
eth1
eth2
eth2
eth2
eth2
eth1
eth3
eth4
eth2
eth1
eth2
eth3
eth4
eth2
0eth2
0
eth2
0eth2
0eth1
8eth1
8
eth1
8eth1
8
192.0.3.11
192.0.3.12
192.0.3.13
198.51
.100
.11
198.51
.100
.12
198.51
.100
.13
VRID-‐5 (G
reen
)
VRID-‐6 (R
ed)
198.51
.100.1
198.51
.100.2
198.51
.100.3
VRID-‐15 (Green
)192.0.3.1
192.0.3.2
192.0.3.3
VRID-‐16 (Red
)
192.0.2.1
192.0.2.2
192.0.2.3
203.0.113.1
203.0.113.2
203.0.113.3
vlan-‐15vrid-‐5
vlan-‐15
vrid-‐5
vlan-‐16
vrid-‐6
vlan-‐16vrid-‐6
vlan-‐15vrid-‐15
vlan-‐15
vrid-‐15
vlan-‐16
vrid-‐16
vlan-‐16vrid-‐16
vlan-‐10
vrid-‐defau
ltvlan-‐10
vrid-‐default
vlan-‐20
vrid-‐default
vlan-‐20
vrid-‐default
eth1
eth2
eth1
eth2
198.51
.100.21
198.51
.100
.22
198.51.100
.23
192.0.3.21
192.0.3.22
192.0.3.23
192.0.3.21
192.0.3.22
192.0.3.23
192.0.2.253
eth7
vlan-‐15
vrid-‐25
vlan-‐15
vrid-‐25
vlan-‐16
vrid-‐26
vlan-‐16
vrid-‐26
vlan-‐99
vlan-‐99
vlan-‐99
vlan-‐2
0
vrid-‐d
efault
vlan-‐20
vrid-‐default
eth7
Insid
e (Trust) Zon
eDM
Z
Outsid
e (Untrust)
Zone
DMZ Server
Laptop
Remote Server
AX
Ser
ies
AD
C
AX
Ser
ies
AD
C
AX
Ser
ies
AD
C
AX
Ser
ies
AD
C
AX
Ser
ies
AD
C
Deployment Guide for SSL Intercept
52
Internal - Primary Internal - Standby ! VRRP-A device-id 1 VRRP-A set-id 1 hostname 3000-11.80 ! clock timezone America/New_York ! vlan 10 untagged ethernet 20 router-interface ve 10 ! vlan 15 untagged ethernet 1 router-interface ve 15 ! vlan 16 untagged ethernet 2 router-interface ve 16 ! vlan 99 tagged ethernet 18 router-interface ve 99 ! access-list 100 deny ip any 15.1.0.0 0.0.255.255 vlan 10 access-list 100 permit ip any any vlan 10 access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 10 access-list 106 permit ip any any vlan 15 access-list 106 permit ip any any vlan 16 ! interface management ip address 192.168.223.80 255.255.255.192 ip default-gateway 192.168.223.65 ! ! ! interface ve 10 ip address 203.0.113.2 255.255.255.0 ip allow-promiscuous-vip ! interface ve 15 ip address 198.51.100.2 255.255.255.0 ! interface ve 16 ip address 192.0.2.2 255.255.255.0 ! interface ve 99 ip address 55.1.1.1 255.255.255.0 ! ip route 192.0.2.0 /24 198.51.100.11 ip route 15.1.0.0 /16 198.51.100.21 ! ! VRRP-A enable VRRP-A vrid default floating-ip 203.0.113.1 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 15
! VRRP-A device-id 2 VRRP-A set-id 1 hostname 3000-11.81 ! clock timezone America/New_York ! vlan 10 untagged ethernet 20 router-interface ve 10 ! vlan 15 untagged ethernet 1 router-interface ve 15 ! vlan 16 untagged ethernet 2 router-interface ve 16 ! vlan 99 tagged ethernet 18 router-interface ve 99 ! access-list 100 deny ip any 15.1.0.0 0.0.255.255 vlan 10 access-list 100 permit ip any any vlan 10 access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 10 access-list 106 permit ip any any vlan 15 access-list 106 permit ip any any vlan 16 ! interface management ip address 192.168.223.81 255.255.255.192 ip default-gateway 192.168.223.65 ! ! ! interface ve 10 ip address 203.0.113.3 255.255.255.0 ip allow-promiscuous-vip ! interface ve 15 ip address 198.51.100.3 255.255.255.0 ! interface ve 16 ip address 192.0.2.3 255.255.255.0 ! interface ve 99 ip address 55.1.1.2 255.255.255.0 ! ip route 192.0.2.0 /24 198.51.100.11 ip route 15.1.0.0 /16 198.51.100.21 ! ! VRRP-A enable VRRP-A vrid default floating-ip 203.0.113.1 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 15
Deployment Guide for SSL Intercept
53
Internal - Primary Internal - Standby floating-ip 198.51.100.1 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 16 floating-ip 192.0.2.1 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A interface ethernet 18 vlan 99 ! ! slb server FW1_Path 198.51.100.11 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server FW2_Path 192.0.2.11 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server FW1_Path_ToDMZ 198.51.100.21 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server FW2_Path_ToDMZ 192.0.2.21 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server internal_GW 203.0.113.253 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb service-group LB_Paths_UDP udp member FW1_Path:0 member FW2_Path:0 !
floating-ip 198.51.100.1 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 16 floating-ip 192.0.2.1 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A interface ethernet 18 vlan 99 ! ! slb server FW1_Path 198.51.100.11 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server FW2_Path 192.0.2.11 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server FW1_Path_ToDMZ 198.51.100.21 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server FW2_Path_ToDMZ 192.0.2.21 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb server internal_GW 203.0.113.253 port 0 tcp no health-check port 0 udp no health-check port 8080 tcp no health-check ! slb service-group LB_Paths_UDP udp member FW1_Path:0 member FW2_Path:0 !
Deployment Guide for SSL Intercept
54
Internal - Primary Internal - Standby slb service-group LB_Paths_TCP tcp member FW1_Path:0 member FW2_Path:0 ! slb service-group SSLfp tcp member FW1_Path:8080 member FW2_Path:8080 ! slb service-group LB_Paths_ToDMZ_UDP udp member FW2_Path_ToDMZ:0 member FW1_Path_ToDMZ:0 ! slb service-group LB_Paths_ToDMZ_TCP tcp member FW2_Path_ToDMZ:0 member FW1_Path_ToDMZ:0 ! slb service-group internal_GW_UDP udp member internal_GW:0 ! slb service-group internal_GW_TCP tcp member internal_GW:0 ! ! slb template client-ssl SSLIntercept_ClientSide forward-proxy-enable forward-proxy-ca-cert ca.cert forward-proxy-ca-key ca.key ! ! slb virtual-server outbound_wildcard 0.0.0.0 acl 100 port 0 tcp name internal1_in_to_out service-group LB_Paths_TCP no-dest-nat port 0 udp name internal1_in_to_out_UDP service-group LB_Paths_UDP no-dest-nat port 443 https name internal1_in_to_out_443 service-group SSLfp template client-ssl SSLIntercept_ClientSide no-dest-nat port-translation port 0 others name internal1_in_to_out_others service-group LB_Paths_UDP no-dest-nat ! slb virtual-server ToDMZ_wildcard 0.0.0.0 acl 105 port 0 tcp name internal1_in_to_DMZ_TCP service-group LB_Paths_ToDMZ_TCP no-dest-nat port 0 udp name internal1_in_to_DMZ_UDP service-group LB_Paths_ToDMZ_UDP no-dest-nat port 0 others name internal1_in_to_DMZ_UDP service-group LB_Paths_ToDMZ_TCP no-dest-nat !
slb service-group LB_Paths_TCP tcp member FW1_Path:0 member FW2_Path:0 ! slb service-group SSLfp tcp member FW1_Path:8080 member FW2_Path:8080 ! slb service-group LB_Paths_ToDMZ_UDP udp member FW2_Path_ToDMZ:0 member FW1_Path_ToDMZ:0 ! slb service-group LB_Paths_ToDMZ_TCP tcp member FW2_Path_ToDMZ:0 member FW1_Path_ToDMZ:0 ! slb service-group internal_GW_UDP udp member internal_GW:0 ! slb service-group internal_GW_TCP tcp member internal_GW:0 ! ! slb template client-ssl SSLIntercept_ClientSide forward-proxy-enable forward-proxy-ca-cert ca.cert forward-proxy-ca-key ca.key ! ! slb virtual-server outbound_wildcard 0.0.0.0 acl 100 port 0 tcp name internal2_in_to_out service-group LB_Paths_TCP no-dest-nat port 0 udp name internal2_in_to_out_UDP service-group LB_Paths_UDP no-dest-nat port 443 https name internal2_in_to_out_443 service-group SSLfp template client-ssl SSLIntercept_ClientSide no-dest-nat port-translation port 0 others name internal2_in_to_out_others service-group LB_Paths_UDP no-dest-nat ! slb virtual-server ToDMZ_wildcard 0.0.0.0 acl 105 port 0 tcp name internal2_in_to_DMZ_TCP service-group LB_Paths_ToDMZ_TCP no-dest-nat port 0 udp name internal2_in_to_DMZ_UDP service-group LB_Paths_ToDMZ_UDP no-dest-nat port 0 others name internal2_in_to_DMZ_UDP service-group LB_Paths_ToDMZ_TCP no-dest-nat !
Deployment Guide for SSL Intercept
55
Internal - Primary Internal - Standby slb virtual-server TointernalGW_wildcard 0.0.0.0 acl 106 port 0 tcp name internal_out_to_in_TCP service-group internal_GW_TCP use-rcv-hop-for-resp no-dest-nat port 0 udp name internal_out_to_in_UDP service-group internal_GW_UDP use-rcv-hop-for-resp no-dest-nat ! end
slb virtual-server TointernalGW_wildcard 0.0.0.0 acl 106 port 0 tcp name internal_out_to_in_TCP service-group internal_GW_TCP use-rcv-hop-for-resp no-dest-nat port 0 udp name internal_out_to_in_UDP service-group internal_GW_UDP use-rcv-hop-for-resp no-dest-nat ! end
External - Primary External - Standby ! VRRP-A device-id 3 VRRP-A set-id 2 hostname 3000-11.78 ! clock timezone America/Los_Angeles ! vlan 15 untagged ethernet 1 router-interface ve 15 ! vlan 16 untagged ethernet 2 router-interface ve 16 ! vlan 20 untagged ethernet 20 router-interface ve 20 ! vlan 99 tagged ethernet 18 router-interface ve 99 ! access-list 100 deny ip any 198.51.100.0 /24 access-list 100 deny ip any 192.0.2.0 /24 access-list 100 permit ip any any vlan 15 access-list 100 permit ip any any vlan 16 access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 20 access-list 106 deny ip any 15.1.0.0 0.0.255.255 vlan 20 access-list 106 permit ip any any vlan 20 ! interface management ip address 192.168.223.78 255.255.255.192 ip default-gateway 192.168.223.65 ! interface ve 15 ip address 198.51.100.12 255.255.255.0 ip allow-promiscuous-vip !
! VRRP-A device-id 4 VRRP-A set-id 2 hostname 3000-11.79 ! clock timezone America/Los_Angeles ! vlan 15 untagged ethernet 1 router-interface ve 15 ! vlan 16 untagged ethernet 2 router-interface ve 16 ! vlan 20 untagged ethernet 20 router-interface ve 20 ! vlan 99 tagged ethernet 18 router-interface ve 99 ! access-list 100 deny ip any 198.51.100.0 /24 access-list 100 deny ip any 192.0.2.0 /24 access-list 100 permit ip any any vlan 15 access-list 100 permit ip any any vlan 16 access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 20 access-list 106 deny ip any 15.1.0.0 0.0.255.255 vlan 20 access-list 106 permit ip any any vlan 20 ! interface management ip address 192.168.223.79 255.255.255.192 ip default-gateway 192.168.223.65 ! interface ve 15 ip address 198.51.100.13 255.255.255.0 ip allow-promiscuous-vip !
Deployment Guide for SSL Intercept
56
External - Primary External - Standby interface ve 16 ip address 192.0.2.12 255.255.255.0 ip allow-promiscuous-vip ! interface ve 20 ip address 192.0.2.2 255.255.255.0 ip allow-promiscuous-vip ! interface ve 99 ip address 99.1.1.1 255.255.255.0 ! ip route 203.0.113.0 /24 198.51.100.1 ip route 15.1.0.0 /16 198.51.100.21 ! ! VRRP-A enable VRRP-A vrid default floating-ip 192.0.2.1 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 5 floating-ip 198.51.100.11 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 6 floating-ip 192.0.2.11 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A interface ethernet 18 vlan 99 ! slb template server-ssl external-intercept forward-proxy-enable ! ! slb server server-gateway 192.0.2.253 port 0 udp no health-check port 0 tcp no health-check port 443 tcp no health-check ! slb server FW1_Path_Tointernal 198.51.100.1 port 0 tcp no health-check port 0 udp no health-check ! slb server FW2_Path_Tointernal 192.0.2.1 port 0 tcp
interface ve 16 ip address 192.0.2.13 255.255.255.0 ip allow-promiscuous-vip ! interface ve 20 ip address 192.0.2.3 255.255.255.0 ip allow-promiscuous-vip ! interface ve 99 ip address 99.1.1.2 255.255.255.0 ! ip route 203.0.113.0 /24 198.51.100.1 ip route 15.1.0.0 /16 198.51.100.21 ! ! VRRP-A enable VRRP-A vrid default floating-ip 192.0.2.1 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 5 floating-ip 198.51.100.11 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A vrid 6 floating-ip 192.0.2.11 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 20 priority-cost 60 ! VRRP-A interface ethernet 18 vlan 99 ! slb template server-ssl external-intercept forward-proxy-enable ! ! slb server server-gateway 192.0.2.253 port 0 udp no health-check port 0 tcp no health-check port 443 tcp no health-check ! slb server FW1_Path_Tointernal 198.51.100.1 port 0 tcp no health-check port 0 udp no health-check ! slb server FW2_Path_Tointernal 192.0.2.1 port 0 tcp
Deployment Guide for SSL Intercept
57
External - Primary External - Standby no health-check port 0 udp no health-check ! slb server FW1_Path_ToDMZ 198.51.100.21 port 0 tcp no health-check port 0 udp no health-check ! slb server FW2_Path_ToDMZ 192.0.2.21 port 0 tcp no health-check port 0 udp no health-check ! slb service-group SG_TCP tcp member server-gateway:0 ! slb service-group SG_UDP udp member server-gateway:0 ! slb service-group SG_443 tcp member server-gateway:443 ! slb service-group LB_Paths_Tointernal_UDP udp member FW1_Path_Tointernal:0 member FW2_Path_Tointernal:0 ! slb service-group LB_Paths_Tointernal_TCP tcp member FW1_Path_Tointernal:0 member FW2_Path_Tointernal:0 ! slb service-group LB_Paths_ToDMZ_UDP udp member FW1_Path_ToDMZ:0 member FW2_Path_ToDMZ:0 ! slb service-group LB_Paths_ToDMZ_TCP tcp member FW1_Path_ToDMZ:0 member FW2_Path_ToDMZ:0 ! ! slb virtual-server external_in_to_out 0.0.0.0 acl 100 port 0 tcp name _wildcard_v4_TCP_65535 service-group SG_TCP use-rcv-hop-for-resp no-dest-nat port 0 udp name _wildcard_v4_UDP_65535 service-group SG_UDP use-rcv-hop-for-resp no-dest-nat port 0 others name _wildcard_v4_UDP_65535 service-group SG_UDP use-rcv-hop-for-resp no-dest-nat port 8080 http name ReverseProxy_Wildcard service-group SG_443 use-rcv-hop-for-resp
no health-check port 0 udp no health-check ! slb server FW1_Path_ToDMZ 198.51.100.21 port 0 tcp no health-check port 0 udp no health-check ! slb server FW2_Path_ToDMZ 192.0.2.21 port 0 tcp no health-check port 0 udp no health-check ! slb service-group SG_TCP tcp member server-gateway:0 ! slb service-group SG_UDP udp member server-gateway:0 ! slb service-group SG_443 tcp member server-gateway:443 ! slb service-group LB_Paths_Tointernal_UDP udp member FW1_Path_Tointernal:0 member FW2_Path_Tointernal:0 ! slb service-group LB_Paths_Tointernal_TCP tcp member FW1_Path_Tointernal:0 member FW2_Path_Tointernal:0 ! slb service-group LB_Paths_ToDMZ_UDP udp member FW1_Path_ToDMZ:0 member FW2_Path_ToDMZ:0 ! slb service-group LB_Paths_ToDMZ_TCP tcp member FW1_Path_ToDMZ:0 member FW2_Path_ToDMZ:0 ! ! slb virtual-server external_in_to_out 0.0.0.0 acl 100 port 0 tcp name _wildcard_v4_TCP_65535 service-group SG_TCP use-rcv-hop-for-resp no-dest-nat port 0 udp name _wildcard_v4_UDP_65535 service-group SG_UDP use-rcv-hop-for-resp no-dest-nat port 0 others name _wildcard_v4_UDP_65535 service-group SG_UDP use-rcv-hop-for-resp no-dest-nat port 8080 http name ReverseProxy_Wildcard service-group SG_443 use-rcv-hop-for-resp
Deployment Guide for SSL Intercept
58
External - Primary External - Standby template server-ssl external-intercept no-dest-nat port-translation ! slb virtual-server Inbound_ToDMZ_Wildcard 0.0.0.0 acl 105 port 0 tcp name _wildcard_v4_106_TCP_0 service-group LB_Paths_ToDMZ_TCP no-dest-nat port 0 udp name _wildcard_v4_106_UDP_0 service-group LB_Paths_ToDMZ_UDP no-dest-nat ! slb virtual-server Inbound_Tointernal_Wildcard 0.0.0.0 acl 106 port 0 tcp name external1_out_to_in service-group LB_Paths_Tointernal_TCP no-dest-nat port 0 udp name internal1_out_to_in service-group LB_Paths_Tointernal_UDP no-dest-nat ! end
template server-ssl external-intercept no-dest-nat port-translation ! slb virtual-server Inbound_Tointernal_Wildcard 0.0.0.0 acl 106 port 0 tcp name external1_out_to_in service-group LB_Paths_Tointernal_TCP no-dest-nat port 0 udp name internal1_out_to_in service-group LB_Paths_Tointernal_UDP no-dest-nat ! slb virtual-server Inbound_ToDMZ_Wildcard 0.0.0.0 acl 105 port 0 tcp name _wildcard_v4_106_TCP_0 service-group LB_Paths_ToDMZ_TCP no-dest-nat port 0 udp name _wildcard_v4_106_UDP_0 service-group LB_Paths_ToDMZ_UDP no-dest-nat ! end
DMZ - Primary DMZ - Standby ! VRRP-A device-id 5 VRRP-A set-id 3 hostname 3000-11.88 ! clock timezone Europe/Dublin ! vlan 15 untagged ethernet 1 router-interface ve 15 ! vlan 16 untagged ethernet 2 router-interface ve 16 ! vlan 20 untagged ethernet 3 ethernet 7 router-interface ve 20 ! vlan 99 untagged ethernet 8 router-interface ve 99 ! access-list 100 deny ip any 198.51.100.0 /24 access-list 100 deny ip any 192.0.2.0 /24 access-list 100 permit ip any any vlan 15 access-list 100 permit ip any any vlan 16 access-list 105 permit ip any 10.1.0.0 0.0.255.255 vlan 20 access-list 106 deny ip any 10.1.0.0 0.0.255.255 vlan 20 access-list 106 permit ip any any vlan 20
! VRRP-A device-id 6 VRRP-A set-id 3 hostname 3000-11.89 ! clock timezone Europe/Dublin ! vlan 15 untagged ethernet 1 router-interface ve 15 ! vlan 16 untagged ethernet 2 router-interface ve 16 ! vlan 20 untagged ethernet 3 ethernet 7 router-interface ve 20 ! vlan 99 untagged ethernet 8 router-interface ve 99 ! access-list 100 deny ip any 198.51.100.0 /24 access-list 100 deny ip any 192.0.2.0 /24 access-list 100 permit ip any any vlan 15 access-list 100 permit ip any any vlan 16 access-list 105 permit ip any 10.1.0.0 0.0.255.255 vlan 20 access-list 106 deny ip any 10.1.0.0 0.0.255.255 vlan 20 access-list 106 permit ip any any vlan 20
Deployment Guide for SSL Intercept
59
DMZ - Primary DMZ - Standby ! interface management ip address 192.168.223.88 255.255.255.0 ip default-gateway 192.168.223.1 ! ! interface ve 15 ip address 198.51.100.22 255.255.255.0 ip allow-promiscuous-vip ! interface ve 16 ip address 192.0.2.22 255.255.255.0 ip allow-promiscuous-vip ! interface ve 20 ip address 15.1.250.2 255.255.255.0 ip allow-promiscuous-vip ! interface ve 99 ip address 99.1.1.1 255.255.255.0 ! ip route 192.0.2.0 /24 198.51.100.11 ip route 203.0.113.0 /24 198.51.100.1 ! ! VRRP-A enable VRRP-A vrid default floating-ip 15.1.250.21 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 3 priority-cost 60 ! VRRP-A vrid 25 floating-ip 198.51.100.21 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 3 priority-cost 60 ! VRRP-A vrid 26 floating-ip 192.0.2.21 priority 200 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 3 priority-cost 60 ! VRRP-A interface ethernet 8 vlan 99 ! ! slb server DMZ-gateway 15.1.250.10 port 0 udp no health-check port 0 tcp no health-check ! slb server FW1_Path_Tointernal 198.51.100.1 port 0 tcp no health-check
! interface management ip address 192.168.223.89 255.255.255.0 ip default-gateway 192.168.223.1 ! ! interface ve 15 ip address 198.51.100.23 255.255.255.0 ip allow-promiscuous-vip ! interface ve 16 ip address 192.0.2.23 255.255.255.0 ip allow-promiscuous-vip ! interface ve 20 ip address 15.1.250.3 255.255.255.0 ip allow-promiscuous-vip ! interface ve 99 ip address 9.1.1.2 255.255.255.0 ! ip route 192.0.2.0 /24 198.51.100.11 ip route 203.0.113.0 /24 198.51.100.1 ! ! VRRP-A enable VRRP-A vrid default floating-ip 15.1.250.21 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 3 priority-cost 60 ! VRRP-A vrid 25 floating-ip 198.51.100.21 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 3 priority-cost 60 ! VRRP-A vrid 26 floating-ip 192.0.2.21 priority 180 tracking-options interface ethernet 1 priority-cost 60 interface ethernet 2 priority-cost 60 interface ethernet 3 priority-cost 60 ! VRRP-A interface ethernet 8 vlan 99 ! ! slb server DMZ-gateway 15.1.250.10 port 0 udp no health-check port 0 tcp no health-check ! slb server FW1_Path_Tointernal 198.51.100.1 port 0 tcp no health-check
Deployment Guide for SSL Intercept
60
DMZ - Primary DMZ - Standby port 0 udp no health-check ! slb server FW2_Path_Tointernal 192.0.2.1 port 0 tcp no health-check port 0 udp no health-check ! slb server FW1_Path_Toexternal 198.51.100.11 port 0 tcp no health-check port 0 udp no health-check ! slb server FW2_Path_Toexternal 192.0.2.11 port 0 tcp no health-check port 0 udp no health-check ! slb service-group DMZ_SG_TCP tcp member DMZ-gateway:0 ! slb service-group DMZ_SG_UDP udp member DMZ-gateway:0 ! slb service-group LB_Paths_Tointernal_UDP udp member FW1_Path_Tointernal:0 member FW2_Path_Tointernal:0 ! slb service-group LB_Paths_Tointernal_TCP tcp member FW1_Path_Tointernal:0 member FW2_Path_Tointernal:0 ! slb service-group LB_Paths_Toexternal_UDP udp member FW1_Path_Toexternal:0 member FW2_Path_Toexternal:0 ! slb service-group LB_Paths_Toexternal_TCP tcp member FW1_Path_Toexternal:0 member FW2_Path_Toexternal:0 ! ! slb virtual-server Inbound_ToDMZ 0.0.0.0 acl 100 port 0 tcp name DMZ_Wildcard_TCP service-group DMZ_SG_TCP use-rcv-hop-for-resp no-dest-nat port 0 udp name DMZ_Wildcard_UDP service-group DMZ_SG_UDP use-rcv-hop-for-resp no-dest-nat ! slb virtual-server DMZ_To_internal 0.0.0.0 acl 105 port 0 tcp name Inbound service-group LB_Paths_Tointernal_TCP no-dest-nat port 0 udp
port 0 udp no health-check ! slb server FW2_Path_Tointernal 192.0.2.1 port 0 tcp no health-check port 0 udp no health-check ! slb server FW1_Path_Toexternal 198.51.100.11 port 0 tcp no health-check port 0 udp no health-check ! slb server FW2_Path_Toexternal 192.0.2.11 port 0 tcp no health-check port 0 udp no health-check ! slb service-group DMZ_SG_TCP tcp member DMZ-gateway:0 ! slb service-group DMZ_SG_UDP udp member DMZ-gateway:0 ! slb service-group LB_Paths_Tointernal_UDP udp member FW1_Path_Tointernal:0 member FW2_Path_Tointernal:0 ! slb service-group LB_Paths_Tointernal_TCP tcp member FW1_Path_Tointernal:0 member FW2_Path_Tointernal:0 ! slb service-group LB_Paths_Toexternal_UDP udp member FW1_Path_Toexternal:0 member FW2_Path_Toexternal:0 ! slb service-group LB_Paths_Toexternal_TCP tcp member FW1_Path_Toexternal:0 member FW2_Path_Toexternal:0 ! ! slb virtual-server Inbound_ToDMZ 0.0.0.0 acl 100 port 0 tcp name DMZ_Wildcard_TCP service-group DMZ_SG_TCP use-rcv-hop-for-resp no-dest-nat port 0 udp name DMZ_Wildcard_UDP service-group DMZ_SG_UDP use-rcv-hop-for-resp no-dest-nat ! slb virtual-server DMZ_To_internal 0.0.0.0 acl 105 port 0 tcp name Inbound service-group LB_Paths_Tointernal_TCP no-dest-nat port 0 udp
Deployment Guide for SSL Intercept
61
DMZ - Primary DMZ - Standby name internal1_out_to_in service-group LB_Paths_Tointernal_UDP no-dest-nat ! slb virtual-server DMZ_To_external 0.0.0.0 acl 106 port 0 tcp name _wildcard_v4_106_TCP_0 service-group LB_Paths_Toexternal_TCP no-dest-nat port 0 udp name _wildcard_v4_106_UDP_0 service-group LB_Paths_Toexternal_UDP no-dest-nat ! end
name internal1_out_to_in service-group LB_Paths_Tointernal_UDP no-dest-nat ! slb virtual-server DMZ_To_external 0.0.0.0 acl 106 port 0 tcp name _wildcard_v4_106_TCP_0 service-group LB_Paths_Toexternal_TCP no-dest-nat port 0 udp name _wildcard_v4_106_UDP_0 service-group LB_Paths_Toexternal_UDP no-dest-nat ! end