GigaSMART SSL Decryption for Inline and Out-of-Band Tools
Required License: SSL Decryption for Inline and Out-of-Band Tools
SSL decryption for inline and out-of-band tools is described in the following document: Inline SSL Decryption Guide. It is only supported on GigaVUE-HC2 and GigaVUE-HC3 in this software version.
Configuring SSL Decryption Examples
The following sections provide examples of SSL decryption. Refer to the following:
• Example 1: SSL Decryption with a Regular Map on page 613
• Example 2: SSL Decryption with De-Duplication on page 615
• Other Usage Examples on page 615
Example 1: SSL Decryption with a Regular Map
In Example 1, a regular map is configured for use with the SSL decryption GigaSMART operation. First configure the GigaSMART group and operation, as follows:
1. Upload a key and create a service. Refer to Working with Keys and Services on page 609.
2. Configure a GigaSMART group.
3. Specify the GigaSMART group alias.
4. Specify a failover action.
5. Configure session timeouts, in seconds.
6. Configure cache timeouts, in seconds.
7. Configure a key/service mapping, which assigns a key to the IP address of a server.
8. Enable SSL decryption.
9. Exit the GigaSMART group configuration mode.
10. Configure a GigaSMART operation for SSL decryption.
In step 10, gdssl1 is the alias of the GigaSMART operation, in-port is the destination port on which the operation listens, out-port is the destination port on which it sends decrypted traffic, and port-list is the GigaSMART group alias configured in step 3. In addition to keywords such as any, the in-port and out-port arguments accept a port number between 1 and 65535.
Next, configure a traffic map, as follows:
1. Specify a map alias (m1) and specify the map type and subtype.
2. Specify the GigaSMART operation alias (gdssl1) as part of the map. This applies the associated GigaSMART functionality to packets matching a rule in the map.
3. Specify a map rule.
4. Specify the destination for packets matching this map.
5. Specify the source port(s) for this map.
6. Exit the map prefix mode.
7. Display the configuration.
Example 2: SSL Decryption with De-Duplication
In Example 2, the configuration steps are the same as in Example 1, except that when you configure the GigaSMART operation you also send the decrypted traffic to de-duplication, so that duplicate packets are removed before the traffic reaches the tool. Add dedup set to the gsop command, as follows:
(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto dedup set port-list gsgrp1
Other Usage Examples
Two typical usage patterns are as follows:
• Use map rules to filter on the IP address of the server only, so that all of that server's traffic is sent to GigaSMART, and configure the GigaSMART operation to listen on the in-port used by the server. Traffic from that server that arrives on any other port is dropped by GigaSMART.
• Use map rules to filter on both the IP address of the server and the port (the in-port), so that only that port's traffic is sent to GigaSMART, and configure the GigaSMART operation to listen on in-port any.
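The following script is an added model of how the map rule from Example 1 and the ssl-decrypt GigaSMART operation together decide what happens to each flow under the two usage patterns above. It is illustrative code written for this page, not Gigamon software. The class names, the outcome strings, the sample addresses and the key alias are assumptions; the behaviour it encodes is only what the page states: a map rule selects traffic by server IP (and optionally port), the key/service mapping assigns a key to a server IP, the operation listens on a specific in-port or on any, and traffic sent to GigaSMART that does not match its in-port is dropped. What happens when no key exists for a matched server is not stated on the page and is marked as an assumption in the code.

```python
# Added illustrative model (not Gigamon code) of map rule + ssl-decrypt gsop behaviour.
# Assumptions made for this example: class names, outcome strings, sample IPs, key alias,
# and the "no-key" outcome. Everything else follows the page's description.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One client->server flow as seen by the map (constructed sample data)."""
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class MapRule:
    """Map rule matching a server address/prefix and, optionally, a destination port."""
    dst_net: str
    dst_port: Optional[int] = None  # None = match every port (filter on IP only)

    def matches(self, f: Flow) -> bool:
        if ip_address(f.dst_ip) not in ip_network(self.dst_net, strict=False):
            return False
        return self.dst_port is None or f.dst_port == self.dst_port


@dataclass(frozen=True)
class SslDecryptOp:
    """Model of 'gsop ... ssl-decrypt in-port X ...' plus the group's key/service mapping."""
    alias: str
    in_port: Optional[int]          # None models 'in-port any'
    key_by_server: Dict[str, str]   # server IP -> key alias (the key/service mapping)

    def handle(self, f: Flow) -> str:
        # Page: GigaSMART drops traffic that is not on the in-port it listens on.
        if self.in_port is not None and f.dst_port != self.in_port:
            return "dropped"
        key = self.key_by_server.get(f.dst_ip)
        if key is None:
            return "no-key"         # assumption: no key mapped for this server, nothing to decrypt with
        return f"decrypted:{key}"


def classify(rules: List[MapRule], op: SslDecryptOp, f: Flow) -> str:
    """'unmatched' if no map rule selects the flow, else the gsop outcome."""
    if not any(r.matches(f) for r in rules):
        return "unmatched"
    return op.handle(f)


# Constructed key/service mapping: one server, one key alias.
KEYS = {"10.1.1.10": "key_webserver"}

# Pattern 1: map on server IP only; gsop listens on the server's port.
CONFIG_A = ([MapRule("10.1.1.10/32")], SslDecryptOp("gdssl1", 443, KEYS))
# Pattern 2: map on server IP and port; gsop listens on in-port any.
CONFIG_B = ([MapRule("10.1.1.10/32", 443)], SslDecryptOp("gdssl1", None, KEYS))

SAMPLE_FLOWS = [  # constructed
    Flow("192.0.2.7", "10.1.1.10", 443),   # TLS to the server's port
    Flow("192.0.2.7", "10.1.1.10", 8443),  # same server, a different port
    Flow("192.0.2.7", "10.1.1.20", 443),   # a server with no rule and no key
]


def compare(config_a, config_b, flows) -> Dict[Tuple[str, int], Tuple[str, str]]:
    """Return {(dst_ip, dst_port): (outcome under pattern 1, outcome under pattern 2)}."""
    out = {}
    for f in flows:
        out[(f.dst_ip, f.dst_port)] = (classify(*config_a, f), classify(*config_b, f))
    return out


if __name__ == "__main__":
    for (ip, port), (a, b) in compare(CONFIG_A, CONFIG_B, SAMPLE_FLOWS).items():
        print(f"{ip}:{port:<5} pattern1={a:<22} pattern2={b}")
```

The difference the model makes visible is what happens to the server's non-SSL ports: under the first pattern that traffic reaches GigaSMART and is dropped there, so no downstream map or tool sees it, whereas under the second pattern it is never selected by the SSL map and remains available to other maps. Choose the first pattern only when losing the server's other traffic is acceptable.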