CLI Configuration Outbound Example
The following is an example of inline SSL decryption configuration for an outbound deployment using the CLI. Any CLI command or option that does not have to be configured because it has default values is not included.
Step |
Description |
Command |
|||
|
Configure a keychain password. Note: The keychain password must be configured before installing certificates and keys. If the key has a passphrase, in order to install it, the keychain password and the passphrase must match. |
(config) # apps inline-ssl keychain passwordCreating a new password for ssl keychain:Password: ******* Confirm: ******* |
|||
|
(Optional) Configure trust store, which installs trusted certificate authority (CA) for server certificate validation. |
(config) # apps inline-ssl trust-store fetch http://1.1.1.1/mitm/my_trust_store.pem |
|||
|
Configure the Man-in-the-Middle (MitM) primary CA private key and certificate. Then bind them to the primary CA. The primary CA re-signs certificates for servers that present a valid certificate. Note: The secondary CA private key and certificate can be configured, but is optional. |
(config) # apps keystore rsa primary private-key download url http://1.1.1.1/mitm/primary_ca.key (config) # apps keystore rsa primary certificate download url http://1.1.1.1/mitm/primary_ca.cert (config) # apps inline-ssl signing rsa for primary key primary |
|||
|
Configure an inline SSL profile. The profile specifies policy configuration, such as certificate handling and actions to take for the profile. Note: This sample profile is a decrypt all profile, meaning that all SSL traffic is decrypted. From a compliance point of view, check the necessary IT compliance criteria of your organization. The default value for tcp syn-retries is 3. The default value for tool fail-action is bypass-tool. |
(config) # apps inline-ssl profile alias sslprofile (config apps inline-ssl profile alias sslprofile) # certificate expired drop (config apps inline-ssl profile alias sslprofile) # certificate invalid decrypt (config apps inline-ssl profile alias sslprofile) # certificate revocation crl disable (config apps inline-ssl profile alias sslprofile) # certificate revocation ocsp disable (config apps inline-ssl profile alias sslprofile) # certificate self-signed decrypt (config apps inline-ssl profile alias sslprofile) # certificate unknown-ca decrypt (config apps inline-ssl profile alias sslprofile) # decrypt tcp inactive-timeout 5 (config apps inline-ssl profile alias sslprofile) # decrypt tcp portmap default-out-port disable (config apps inline-ssl profile alias sslprofile) # decrypt tool-bypass disable (config apps inline-ssl profile alias sslprofile) # default-action decrypt (config apps inline-ssl profile alias sslprofile) # no-decrypt tool-bypass disable (config apps inline-ssl profile alias sslprofile) # url-cache miss action decrypt (config apps inline-ssl profile alias sslprofile) # exit (config) # |
|||
|
Configure a GigaSMART group and associate it with a GigaSMART engine port. |
(config) # gsgroup alias gs1 port-list 2/1/e1 |
|||
|
Configure the GigaSMART inline SSL operation, specify the profile, and assign the GigaSMART operation to the GigaSMART group. |
(config) # gsop alias issl inline-ssl sslprofile port-list gs1 |
|||
|
Configure a virtual port and assign it to the same GigaSMART group. Then configure a failover action on the virtual port. |
(config) # vport alias vport1 gsgroup gs1 (config) # vport alias vport1 failover-action vport-bypass |
|||
|
Configure tool ports with type tool, and administratively enable tool ports. These ports are optional, for the out-of-band map. |
(config) # port 10/1/x13..x16 type tool (config) # port 10/1/x13..x16 params admin enable |
|||
|
Configure inline network ports with type inline-network, and administratively enable inline network ports. |
(config) # port 2/2/x11..x12 type inline-network (config) # port 2/2/x11..x12 params admin enable (config) # port 2/2/x13..x14 type inline-network (config) # port 2/2/x13..x14 params admin enable (config) # port 2/2/x17..x18 type inline-network (config) # port 2/2/x17..x18 params admin enable (config) # port 2/2/x19..x20 type inline-network (config) # port 2/2/x19..x20 params admin enable |
|||
|
Configure inline networks. In this example, the inline networks are unprotected. Note: Only one inline network needs to be specified. The others are optional. |
(config) # inline-network alias inline-net1 pair net-a 2/2/x19 and net-b 2/2/x20 (config) # inline-network alias inline-net2 pair net-a 2/2/x13 and net-b 2/2/x14 (config) # inline-network alias inline-net3 pair net-a 2/2/x17 and net-b 2/2/x18 (config) # inline-network alias inline-net4 pair net-a 2/2/x11 and net-b 2/2/x12 |
|||
|
(Optional) Configure inline network group. This example has four inline networks in an inline network group. Note: If only one inline network is specified, the inline network group is optional. |
(config) # inline-network-group alias ing1 (config inline-network-group alias ing1) # network-list inline-net1,inline-net2, inline-net3, inline-net4 (config inline-network-group alias ing1) # exit (config) # |
|||
|
Configure inline tool ports with type inline-tool, and administratively enable inline tool ports. |
(config) # port 2/2/x3..x4 type inline-tool (config) # port 2/2/x3..x4 params admin enable (config) # port 2/2/x5..x6 type inline-tool (config) # port 2/2/x5..x6 params admin enable |
|||
|
Configure inline tools and enable them. Note: Only one inline tool needs to be specified. The others are optional. |
(config) # inline-tool alias it1 pair tool-a 2/2/x3 and tool-b 2/2/x4 (config) # inline-tool alias it2 pair tool-a 2/2/x5 and tool-b 2/2/x6 it1 enable (config) # inline-tool alias it2 enable |
|||
|
Enable default heartbeat. |
(config) # inline-tool alias it1 heart-beat (config) # inline-tool alias it2 heart-beat |
|||
|
Specify that inline tools are going to be shared by different sources. When shared is enabled (true), the inline tool can receive traffic from multiple sources (inline networks and GigaSMART). |
(config) # inline-tool alias it1 shared true (config) # inline-tool alias it2 shared true |
|||
|
(Optional) Configure inline tool group and parameters. Then enable inline tool group. This example has two inline tools in an inline tool group. Note: If only one inline tool is specified, the inline tool group is optional. |
(config) # inline-tool-group alias itg1 (config inline-tool-group alias itg1) # tool-list it1,it2 (config inline-tool-group alias itg1) # minimum-group-healthy-size 2 (config inline-tool-group alias itg1) # enable (config inline-tool-group alias itg1) # exit (config) # |
|||
|
Configure first level inline SSL map. This map has a rule that passes TCP traffic, and then directs it from the inline network group to a virtual port (and to GigaSMART). This map (and the next) is for traffic that needs to be decrypted so the tools can inspect it, such as HTTPS traffic. The map type and subtype are determined by the from and to parameters (inLineFirstLevel, ingresstovp).
|
(config) # map alias inline-issl-L1map1 (config map alias inline-issl-L1map1) # rule add pass protocol tcp (config map alias inline-issl-L1map1) # to vport1 (config map alias inline-issl-L1map1) # from ing1 (config map alias inline-issl-L1map1) # exit (config) # |
|||
|
Configure classic inline map. This map directs traffic from the inline network group to the inline tool group, using a specified rule. It has the same from port as the first level inline SSL map and the same to port as the second level inline SSL map. This map is for traffic that does not need to be decrypted for the tools to inspect it, such as non-HTTPS traffic or UDP traffic.
|
(config) # map alias inline-bypass1 (config map alias inline-bypass1) # rule add pass ipver 4 (config map alias inline-bypass1) # to itg1 (config map alias inline-bypass1) # from ing1 (config map alias inline-bypass1) # exit (config) # |
|||
|
Configure a shared collector for any unmatched traffic including non-TCP traffic, which is directed to bypass.
|
(config) # map-scollector alias isslscoll (config map alias isslscoll) # from ing1 (config map alias isslscoll) # collector bypass (config map alias isslscoll) # exit (config) # |
|||
|
Configure second level inline SSL map. This map directs traffic from the virtual port, uses the inline SSL GigaSMART operation, and sends traffic to the inline tool group. The map type and subtype are determined by the from and to parameters (inLineSecondLevel, egressfromvp).
|
(config) # map alias inline-issl-L2map1 (config map alias inline-issl-L2map1) # use gsop issl (config map alias inline-issl-L2map1) # to itg1 (config map alias inline-issl-L2map1) # from vport1 (config map alias inline-issl-L2map1) # exit (config) # |
|||
|
(Optional) Configure an out-of-band map to a single tool port, multiple tool ports, single hybrid port, GigaStream, or port group with tool or hybrid ports, or combination of these. This example has multiple tool ports.
|
(config) # map alias gs-oob (config map alias gs-oob) # use gsop issl (config map alias gs-oob) # to 10/1/x13..x16 (config map alias gs-oob) # from vport1 (config map alias gs-oob) # exit (config) # |
|||
|
Configure the path of the traffic to inline tool on the inline networks. |
(config) # inline-network alias inline-net1 traffic-path to-inline-tool (config) # inline-network alias inline-net2 traffic-path to-inline-tool (config) # inline-network alias inline-net3 traffic-path to-inline-tool (config) # inline-network alias inline-net4 traffic-path to-inline-tool |
|||
|
(Optional) If the inline networks are protected, disable physical bypass. |
(config) # inline-network alias inline-net1 physical-bypass disable (config) # inline-network alias inline-net2 physical-bypass disable (config) # inline-network alias inline-net3 physical-bypass disable (config) # inline-network alias inline-net4 physical-bypass disable |