GigaSMART SSL Decryption for Inline and Out-of-Band Tools
Required License: SSL Decryption for Inline and Out-of-Band Tools
SSL decryption for inline and out-of-band tools is described in Inline SSL Decryption. It is supported on all GigaVUE‑HC1, GigaVUE‑HC2, and GigaVUE‑HC3 devices.
Configuring SSL Decryption Examples
The following sections provide examples of SSL decryption. Refer to the following:
Example 1: SSL Decryption with a Regular Map on page 613
Example 2: SSL Decryption with De-duplication on page 615
Other Usage Examples on page 615
In Example 1, a regular map is configured for use with the SSL decryption GigaSMART operation.
Step 1. Upload a key and create a service. Refer to Working with Keys and Services on page 609.
(config) # apps ssl key alias key1 download type private-key url https://keyserver.domain.com/path/keyfile.pem
(config) # apps ssl service alias service1 server-ip 192.168.1.1 server-port 443

Step 2. Configure a GigaSMART group.
(config) # gsgroup alias gsgrp1 port-list 1/1/e1

Step 3. Specify the GigaSMART group alias.
(config) # gsparams gsgroup gsgrp1

Step 4. Specify a failover action.
(config gsparams gsgroup gsgrp1) # ssl-decrypt decrypt-fail-action drop

Step 5. Configure session timeouts, in seconds.
(config gsparams gsgroup gsgrp1) # ssl-decrypt pending-session-timeout 60
(config gsparams gsgroup gsgrp1) # ssl-decrypt session-timeout 300
(config gsparams gsgroup gsgrp1) # ssl-decrypt tcp-syn-timeout 20

Step 6. Configure cache timeouts, in seconds.
(config gsparams gsgroup gsgrp1) # ssl-decrypt key-cache-timeout 9000
(config gsparams gsgroup gsgrp1) # ssl-decrypt ticket-cache-timeout 9000

Step 7. Configure a key/service mapping, which defines how a key is assigned to the IP address of a server.
(config gsparams gsgroup gsgrp1) # ssl-decrypt key-map add service service1 key key1

Step 8. Enable SSL decryption.
(config gsparams gsgroup gsgrp1) # ssl-decrypt enable

Step 9. Exit the GigaSMART group configuration mode.
(config gsparams gsgroup gsgrp1) # exit
(config) #

Step 10. Configure a GigaSMART operation for SSL decryption.
(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto port-list gsgrp1
In the previous step, gdssl1 is the alias for a GigaSMART operation, in-port specifies the destination port on which to listen, out-port specifies the destination port on which to send decrypted traffic, and port-list is set to the GigaSMART group alias previously configured. The in-port and out-port arguments can also be a port number between 1 and 65535.
Next, configure a traffic map, as follows:
Step 1. Specify a map alias (m1) and specify the map type and subtype.
(config) # map alias m1
(config map alias m1) # type regular byRule

Step 2. Specify the GigaSMART operation alias (gdssl1) as part of the map. This applies the associated GigaSMART functionality to packets matching a rule in the map.
(config map alias m1) # use gsop gdssl1

Step 3. Specify a map rule.
(config map alias m1) # rule add pass ipver 4

Step 4. Specify the destination for packets matching this map.
(config map alias m1) # to 1/1/g2

Step 5. Specify the source port(s) for this map.
(config map alias m1) # from 1/1/g1

Step 6. Exit the map prefix mode.
(config map alias m1) # exit
(config) #

Step 7. Display the configuration.
(config) # show gsop
(config) # show map
(config) # show gsparams
In Example 2, the configuration steps are the same, except that when you configure the GigaSMART operation you send the decrypted traffic to de-duplication for additional filtering, as follows:
(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto dedup set port-list gsgrp1
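The following script is an added example, not Gigamon code: it generates the command sequence of Examples 1 and 2 from a set of parameters, in the order the procedure above gives them, and rejects arguments that violate the constraints the text states (in-port is any or 1 to 65535, out-port is auto or 1 to 65535, timeouts are positive seconds). Prompts such as (config) # are omitted so the output can be applied as a script. The dataclass fields and function names (SslDecryptPlan, build_commands) are this script's own.

```python
"""Generate the GigaSMART SSL decryption CLI sequence (added example, not Gigamon code)."""
from dataclasses import dataclass
from typing import List, Union

Port = Union[str, int]


def _port_number(value: object, name: str) -> str:
    """Accept an integer in the 1-65535 range the text gives for port arguments."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValueError(f"{name} must be an integer between 1 and 65535, got {value!r}")
    return str(value)


def _port_or_keyword(value: Port, keyword: str, name: str) -> str:
    """Accept the keyword ('any' for in-port, 'auto' for out-port) or a port number."""
    if value == keyword:
        return keyword
    return _port_number(value, name)


def _seconds(value: object, name: str) -> str:
    """Timeouts are given in seconds and must be positive."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{name} must be a positive number of seconds, got {value!r}")
    return str(value)


@dataclass
class SslDecryptPlan:
    """Parameters of the procedure; defaults are the values used in Example 1 (assumed names)."""
    key_alias: str = "key1"
    key_url: str = "https://keyserver.domain.com/path/keyfile.pem"
    service_alias: str = "service1"
    server_ip: str = "192.168.1.1"
    server_port: int = 443
    gsgroup: str = "gsgrp1"
    gs_port_list: str = "1/1/e1"
    decrypt_fail_action: str = "drop"
    pending_session_timeout: int = 60
    session_timeout: int = 300
    tcp_syn_timeout: int = 20
    key_cache_timeout: int = 9000
    ticket_cache_timeout: int = 9000
    gsop_alias: str = "gdssl1"
    in_port: Port = "any"
    out_port: Port = "auto"
    dedup: bool = False  # True reproduces Example 2 ("dedup set")
    map_alias: str = "m1"
    from_ports: str = "1/1/g1"
    to_ports: str = "1/1/g2"


def build_commands(p: SslDecryptPlan) -> List[str]:
    """Return the validated CLI lines for the plan, in the order the page gives them."""
    g = "ssl-decrypt"
    gsop = (f"gsop alias {p.gsop_alias} ssl-decrypt"
            f" in-port {_port_or_keyword(p.in_port, 'any', 'in-port')}"
            f" out-port {_port_or_keyword(p.out_port, 'auto', 'out-port')}"
            + (" dedup set" if p.dedup else "")
            + f" port-list {p.gsgroup}")
    return [
        # Key and service (Step 1)
        f"apps ssl key alias {p.key_alias} download type private-key url {p.key_url}",
        f"apps ssl service alias {p.service_alias} server-ip {p.server_ip}"
        f" server-port {_port_number(p.server_port, 'server-port')}",
        # GigaSMART group and its ssl-decrypt parameters (Steps 2-9)
        f"gsgroup alias {p.gsgroup} port-list {p.gs_port_list}",
        f"gsparams gsgroup {p.gsgroup}",
        f"{g} decrypt-fail-action {p.decrypt_fail_action}",
        f"{g} pending-session-timeout {_seconds(p.pending_session_timeout, 'pending-session-timeout')}",
        f"{g} session-timeout {_seconds(p.session_timeout, 'session-timeout')}",
        f"{g} tcp-syn-timeout {_seconds(p.tcp_syn_timeout, 'tcp-syn-timeout')}",
        f"{g} key-cache-timeout {_seconds(p.key_cache_timeout, 'key-cache-timeout')}",
        f"{g} ticket-cache-timeout {_seconds(p.ticket_cache_timeout, 'ticket-cache-timeout')}",
        f"{g} key-map add service {p.service_alias} key {p.key_alias}",
        f"{g} enable",
        "exit",
        # GigaSMART operation (Step 10), with the Example 2 dedup variant when requested
        gsop,
        # Traffic map (second table)
        f"map alias {p.map_alias}",
        "type regular byRule",
        f"use gsop {p.gsop_alias}",
        "rule add pass ipver 4",
        f"to {p.to_ports}",
        f"from {p.from_ports}",
        "exit",
    ]


if __name__ == "__main__":
    print("\n".join(build_commands(SslDecryptPlan(dedup=True))))
```

Keeping the key-map and enable lines inside the gsparams block, before the gsop is created, preserves the ordering of the procedure; a plan with a non-numeric in-port other than any, or a port outside 1 to 65535, fails validation before any line is emitted.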
Two typical usage examples are as follows:
Use map rules to filter on the IP address of the server and send everything to GigaSMART. Configure a GigaSMART operation to listen on the in-port used by the server. The GigaSMART will drop other traffic.
Use map rules to filter on the IP address of the server and in-port and send specific port traffic to the GigaSMART. Configure a GigaSMART operation to listen on in-port any.
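The following model is an added example, not Gigamon code: it runs a few constructed flows through the two usage patterns above to show where each flow is stopped. A map rule is modelled as a destination IP filter with an optional port, the GigaSMART operation as an in-port filter, and a flow stops at the first stage that rejects it; this is the script's own simplification of the map and gsop behaviour the text describes. The names Flow, MapRule, SslDecryptOp, classify and gigasmart_load are the script's own.

```python
"""Compare the two usage patterns for SSL decryption maps (added example, not Gigamon code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Flow:
    """A constructed sample flow: only the destination matters for this model."""
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class MapRule:
    """Pass rule: destination IP must match; the port matches if set, else any port."""
    server_ip: str
    server_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return f.dst_ip == self.server_ip and (
            self.server_port is None or f.dst_port == self.server_port)


@dataclass(frozen=True)
class SslDecryptOp:
    """GigaSMART operation: in-port 'any' listens on every port, else on one port."""
    in_port: Union[str, int]

    def accepts(self, f: Flow) -> bool:
        return self.in_port == "any" or f.dst_port == self.in_port


def classify(f: Flow, rule: MapRule, op: SslDecryptOp) -> str:
    """Where the flow ends up: not forwarded by the map, dropped by GigaSMART, or decrypted."""
    if not rule.matches(f):
        return "not-mapped"            # never forwarded to GigaSMART
    if not op.accepts(f):
        return "dropped-by-gigasmart"  # reached the engine but not on its in-port
    return "decrypted"


SERVER = "192.168.1.1"
# Pattern 1: map filters on server IP only, operation listens on the server's port.
PATTERN_1 = (MapRule(SERVER), SslDecryptOp(443))
# Pattern 2: map filters on server IP and port, operation listens on in-port any.
PATTERN_2 = (MapRule(SERVER, 443), SslDecryptOp("any"))

# Constructed traffic: HTTPS and SSH to the configured server, HTTPS to another host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", SERVER, 443),
    Flow("10.0.0.5", SERVER, 22),
    Flow("10.0.0.5", "192.168.1.9", 443),
]


def run(pattern: Tuple[MapRule, SslDecryptOp],
        flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, int, str]]:
    rule, op = pattern
    return [(f.dst_ip, f.dst_port, classify(f, rule, op)) for f in flows]


def gigasmart_load(pattern: Tuple[MapRule, SslDecryptOp],
                   flows: List[Flow] = SAMPLE_FLOWS) -> int:
    """Number of flows handed to GigaSMART at all, whether decrypted or dropped there."""
    rule, _ = pattern
    return sum(1 for f in flows if rule.matches(f))


if __name__ == "__main__":
    for name, pattern in (("pattern 1", PATTERN_1), ("pattern 2", PATTERN_2)):
        print(name, run(pattern), "flows sent to GigaSMART:", gigasmart_load(pattern))
```

Both patterns decrypt the same HTTPS flow; the difference is where the non-HTTPS flow to the same server is discarded. Under pattern 1 it is sent to the GigaSMART engine and dropped there, under pattern 2 the map never forwards it, so the second pattern keeps unrelated traffic off the engine.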