Configure Inline TLS/SSL Decryption Solution with RIA
This section describes how to configure and deploy Resilient Inline TLS/SSL.
Prerequisites
■ Resilient Configuration requires two nodes. Ensure you have configured both devices with the required software constructs.
■ Use inline-capable ports and, where applicable, inline bypass modules for fail-open behavior on power or device failure.
■ Cable two inline nodes in path (client–device–server) with identical inline tool connectivity on each.
■ Build an Inter-broker Pathway (IB‑P) using at least one (preferably two or more aggregated) tool ports between nodes, and set a minimum-up count for IB‑P status "Up."
■ For Inbound iSSL, prepare server private keys/certificates (RSA/ECDSA) with key pair aliases, define actions for unknown/invalid/self-signed certs, and set TLS policy (for example, decrypt TLS 1.2/1.3 and drop TLS 1.0/1.1).
■ Ensure inline tools on both nodes are identical in count, type, speed, and capacity for consistent distribution and service behavior.
■ Use only one RIA‑enabled iSSL app per two-node pair.
Access Flexible Inline Canvas
1. Go to > Physical > Orchestrated Flows > Inline Flows > Configuration Canvas to create a new Flexible Inline Canvas.
2. In the displayed Flexible Inline Canvas, select the device where you want to configure the TLS/SSL decryption.
You should proceed to configure the following software constructs for both nodes before you deploy your solution.
Configure Inline Network
1. On the left pane, click the ‘+’ icon next to the Inline Network option to create a new entry.
2. In the Alias and Description fields, enter a name and description for the inline network.
3. Click Port Editor. In the Quick Port Editor, scroll down to the inline network ports that you want to configure. Select Enable to administratively enable the inline network ports, and click OK to apply the changes.
4. From the Port A and Port B drop-down lists, select the ports that you want to configure as the inline network pair.
5. From the Traffic Path drop-down list, select To Inline Tool.
   o To Inline Tool—All traffic originating from the inline network is directed to the sequence of inline tools and inline tool groups and is guided through them according to the current inline tool and inline tool group status.
6. Click OK. You have successfully created an Inline Network.
To explore additional options during configuration, refer to Inline Network Ports and Inline Network.
Note: If there are multiple Inline Network Ports, you can configure Inline Network bundle. Refer to Configure Inline Network Bundle.
Configure Inline Tool
1. On the left pane, click the ‘+’ icon next to the Inline Tool option to create a new inline tool.
2. In the Properties pane, in the Alias and Description fields, enter a name and description for the inline tool.
3. From the Type drop-down list, select one of the following options:
   o External—To configure a third-party tool.
   o GigaVUE Node—To configure a GigaVUE node as a tool.
4. Click Port Editor. In the Quick Port Editor, scroll down to the inline tool ports that you want to configure. Select Enable to administratively enable the inline tool ports, and then click OK to apply the changes.
5. From the Port A and Port B drop-down lists, select the inline tool ports according to the direction from which the inline tool expects traffic from the network.
6. Verify that the Enabled check box is selected.
7. Click OK. You have successfully created an Inline Tool.
To explore additional options during configuration, refer to Inline Tool Ports and Inline Tools.
Create Inter-broker Pathway
The inter-broker pathway (IBP) links the two RIA nodes so flows that hash to one node can traverse to the peer when needed, ensuring symmetric inspection and continuous traffic forwarding across nodes even during asymmetric paths or node/tool events.
To create a new inter-broker pathway:
1. Go to > Physical > Orchestrated Flows > Inline Flows > Configuration Canvas to create a new Flexible Inline Canvas.
2. In the displayed canvas, select the device where you want to create the inter-broker pathway.
3. Click the ‘+’ icon next to the IB Pathway option to create a new inter-broker pathway.
4. In the Properties pane, enter a name and description in the Alias and Description fields.
5. From the Ports drop-down list, select the required tool ports to attach to the inter-broker pathway.
Note: If the required tool ports are not available, you can enable them administratively. Click Port Editor, scroll to the tool ports you want to configure in the Quick Port Editor page, select Enable, and click OK.
6. In the Minimum Ports Up field, enter the minimum number of tool ports that must be operational for the inter-broker pathway status to be "Up".
7. From the Traffic Path drop-down list, select one of the following options:
   o Bypass—Traffic bypasses the inter-broker pathway and is redirected to the next inline network port.
   o Monitoring—Traffic is forwarded to the sequence of inline tools in the monitoring mode.
   o To Inline Tool—Traffic is forwarded to the sequence of inline tools you have configured.
8. Click OK to save the configuration.
Configure Resilient Inline Arrangement
To configure a resilient inline arrangement:
1. Drag and drop the required inline network or inline network LAG into the flexible inline canvas, and click Settings.
2. In the Settings pane, select the Enable check box next to Show Single Tag Options to configure the resilient inline arrangement with a single VLAN tag.
Note: Enable Show Single Tag Options only if your inline tools do not support Q-in-Q VLAN tags.
3. Select the Enable check box next to Show Resilient Inline Menu.
4. Select the required Node 1, Node 2, IB Pathway1, and IB Pathway2 for the resilient inline arrangement.
5. From the Hashing Source drop-down list, select one of the following options:
   o Side A—Hashing uses the source IP or source port from Side A and the destination IP or destination port from Side B.
   o Side B—Hashing uses the source IP or source port from Side B and the destination IP or destination port from Side A.
6. From the Hashing Type drop-down list, select one of the following options:
   o L3 (IP Based)—Hashing uses the IP address.
   o L4 (Port Based)—Hashing uses the transport layer port number.
7. From the Hashing LSB Node drop-down list, select one of the following options:
   o Node 1 as 0—Traffic from IPs ending in 0 is hashed to Node 2.
   o Node 2 as 0—Traffic from IPs ending in 0 is hashed to Node 1.
Note: This option is available only if you selected L3 (IP Based) in the Hashing Type field.
8. From the Hashing Port drop-down list, select one of the following options:
   o Node 1 as odd—Traffic with odd port numbers is hashed to Node 2, while traffic with even port numbers is hashed to Node 1.
   o Node 2 as odd—Traffic with odd port numbers is hashed to Node 1, while traffic with even port numbers is hashed to Node 2.
Note: This field is available only if you select the L4 (Port Based) option in the Hashing Type field.
9. Click OK to save the settings.
10. Drag and drop the flexible inline map into the canvas. Click the map to open the Properties pane.
11. In the Alias and Description fields, enter the name and description of the inline map.
12. To deploy the resilient inline arrangement with a single VLAN tag, select the Enable check box next to Single Tag Mode.
Note: You can choose to disable the Single Tag Mode for collector maps, if required.
13. Enter the Tool Side VLAN Tag for the inline network you are configuring.
14. Select the TPID for the Tool Side VLAN Tag. The default value is 0x8100. You can also choose from the supported values 0x9100 and 0x88a8 in the drop-down list.
15. From the FlexInline Failover drop-down list, select one of the following options:
   o Bypass—Traffic passes directly between the respective inline network ports.
   o Original Map—Traffic follows the path defined in this Flexible Inline Map.
16. Add the required rules for the inline map. Click OK to save the configuration.
17. Drag and drop the required Inline Tools or Inline Tool Group into the canvas.
18. If needed, drag and drop the OOB Copy into the canvas.
19. From the Destination Ports drop-down list, select the required hybrid or tool ports.
20. From the VLAN Tag drop-down list, select one of the following options:
   o None—No VLAN tag is used; traffic is routed to a different destination.
   o Original—Uses the original VLAN tag from the packet received from the inline network.
   o As Inline—Uses the VLAN tag configured for the Flexible Inline Map.
Note: The As Inline option is available only when you configure the Resilient Inline Arrangement with a single VLAN tag.
21. Click Deploy, select a traffic path and click OK.
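The Hashing Source, Hashing Type, Hashing LSB Node and Hashing Port settings in steps 5 to 8 decide which of the two nodes owns a given flow. The property that matters for inline TLS/SSL decryption is that both directions of a TCP session land on the same node; otherwise the decrypting engine sees only half of the handshake and must fall back to the inter-broker pathway. The Python model below is an added example, not GigaVUE-FM code: it implements the Side A/Side B selection rule as described above (source field for packets arriving on the hashing-source side, destination field for packets arriving on the other side) and contrasts it with a naive "always hash the packet's own source field" selector that splits a session across nodes. The node names, the packet and flow records, and the `zero_node` parameter (which node receives the LSB-0 / even bucket, the mapping the Hashing LSB Node and Hashing Port options control) are assumptions of this example.

```python
"""Node-ownership model for a two-node Resilient Inline Arrangement (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed node names; the UI calls them Node 1 and Node 2.
NODE1 = "Node 1"
NODE2 = "Node 2"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ingress_side: str  # "A" or "B": the inline network side the packet arrived on


@dataclass(frozen=True)
class Flow:
    """A client on Side A talking to a server on Side B (constructed sample)."""
    client_ip: str
    server_ip: str
    client_port: int
    server_port: int


def other_node(node: str) -> str:
    return NODE2 if node == NODE1 else NODE1


def hash_key(pkt: Packet, hashing_source: str, hashing_type: str) -> int:
    """Field that is hashed, per the Hashing Source / Hashing Type settings.

    With Hashing Source = Side A the source field is used for packets arriving
    on Side A and the destination field for packets arriving on Side B (and
    vice versa for Side B). Either way the key is the address or port of the
    same end host, so the two directions of a session produce the same key.
    """
    use_source = pkt.ingress_side == hashing_source
    if hashing_type == "L3":   # L3 (IP Based)
        return int(ip_address(pkt.src_ip if use_source else pkt.dst_ip))
    if hashing_type == "L4":   # L4 (Port Based)
        return pkt.src_port if use_source else pkt.dst_port
    raise ValueError(f"unknown hashing type {hashing_type!r}")


def select_node(pkt: Packet, hashing_source: str, hashing_type: str,
                zero_node: str = NODE1) -> str:
    """Node that owns the packet: LSB 0 / even port -> zero_node, else the peer."""
    return zero_node if hash_key(pkt, hashing_source, hashing_type) & 1 == 0 \
        else other_node(zero_node)


def naive_select_node(pkt: Packet, hashing_type: str, zero_node: str = NODE1) -> str:
    """Misconfiguration model: hashes each packet's own source field regardless
    of which side it arrived on, so the two directions can disagree."""
    key = int(ip_address(pkt.src_ip)) if hashing_type == "L3" else pkt.src_port
    return zero_node if key & 1 == 0 else other_node(zero_node)


def _directions(flow: Flow):
    forward = Packet(flow.client_ip, flow.server_ip, flow.client_port, flow.server_port, "A")
    reverse = Packet(flow.server_ip, flow.client_ip, flow.server_port, flow.client_port, "B")
    return forward, reverse


def session_nodes(flow: Flow, hashing_source: str, hashing_type: str,
                  zero_node: str = NODE1):
    """(forward-direction node, reverse-direction node) under the RIA rule."""
    fwd, rev = _directions(flow)
    return (select_node(fwd, hashing_source, hashing_type, zero_node),
            select_node(rev, hashing_source, hashing_type, zero_node))


def naive_session_nodes(flow: Flow, hashing_type: str, zero_node: str = NODE1):
    """(forward-direction node, reverse-direction node) under the naive rule."""
    fwd, rev = _directions(flow)
    return (naive_select_node(fwd, hashing_type, zero_node),
            naive_select_node(rev, hashing_type, zero_node))


# Constructed sample session: 10.0.0.5 (LSB 1) -> 203.0.113.10 (LSB 0), ports 40000 -> 443.
SAMPLE_FLOW = Flow("10.0.0.5", "203.0.113.10", 40000, 443)

if __name__ == "__main__":
    for src in ("A", "B"):
        for typ in ("L3", "L4"):
            print(f"Hashing Source Side {src}, {typ}:", session_nodes(SAMPLE_FLOW, src, typ))
    print("naive L3:", naive_session_nodes(SAMPLE_FLOW, "L3"))
    print("naive L4:", naive_session_nodes(SAMPLE_FLOW, "L4"))
```

Running the block shows that, whatever Hashing Source or Hashing Type is chosen, the forward and reverse directions of the sample session always resolve to the same node, whereas the naive selector sends the client-to-server packets to one node and the server-to-client packets to the other. That split is exactly what the inter-broker pathway exists to repair, and a large share of sessions crossing the IBP (see Verify the Solution) is a sign the hashing settings on the two nodes do not match.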
Create an Inline SSL APP
1. On the left pane, click the ‘+’ icon next to the Inline SSL APP option.
2. Enter a name for the Inline SSL APP.
3. Select the Enable Resilient Inline Arrangements check box.
4. Select the nodes to be configured and their respective GigaSMART modules.
5. Select the required GigaSMART engines.
6. Under Deployment Type, set up the Keychain Password:
   a. Click Keychain Password, and then choose either Add or Reset.
   b. If you choose to reset the Keychain Password, enter a password that is 8 to 30 characters long and contains at least one numerical character, one uppercase character, one lowercase character, and one special character.
   c. Select the Auto Login check box to enable GigaVUE-FM to unlock the keystore when the device reboots.
   d. Click OK to save the Keychain Password.
7. Configure Keys and Certificates. A key can be selected either for decryption in an inbound deployment or for re-signing and re-encryption in an outbound deployment.
   a. Click Add new keys to open the Key page.
   b. Enter a name and description for the key.
   c. Select the required Key Type and File Type.
   d. If you select PEM or PKCS12 as the file type, you can optionally include a Passphrase for the key.
   e. When you choose Luna-HSM, enter the Key label for the key.
   f. Add the required Private Key and Certificate.
   g. Click OK to save the configuration.
8. Select the required deployment type:
   o Outbound—Add the configured primary and secondary signing Certificate Authorities (CA).
   o Inbound—Add a new Server Key Mapping. Enter the domain name or IP address of the server, and select the required Key Pair Alias.
   o Hybrid—Add a new Server Key Mapping, and a primary and a secondary signing CA.
9. The platform pushes the added keys to both nodes. To delete a key, delete it from each node individually.
10. Click OK to save the Inline SSL App configuration. You can configure the Inline SSL App on either one of the nodes; it will be available for the second node as well.
Deploy Inline TLS/SSL Decryption Solution
In the Flexible Inline Canvas:
1. Drag and drop the required inline network or inline network bundle.
2. Drag and drop the flexible inline map into the canvas. Use the Flex Map, Inline Tools, and Inline SSL App (available on both nodes with the same alias) to configure the Flex Inline TLS/SSL maps.
3. Under the Settings option, select the Show Resilient Inline Menu check box and set up the Node, IB Pathway, and Hashing configurations.
Verify the Solution
■ In GigaVUE‑FM, open the Flexible Inline Canvas: Physical > Orchestrated Flows > Inline Flows > Configuration Canvas, select the target device, and open the deployed solution on the canvas. Confirm the solution shows as deployed for both nodes.
■ Ensure Resilient Inline settings (node selection, hashing/IP parity) are correct and the Inter-broker Pathway (IBP) state is Up.
■ Check that traffic and sessions appear on both nodes, with asymmetric flows traversing the IBP as designed.
■ If Single VLAN Tag (SVT) is used, confirm it is enabled and tool-side VLANs match your policy.
What to Do Next
After deployment, you can view the Monitor and Session statistics. Refer to View Inline TLS-SSL Session Statistics. You can also view the Inline TLS/SSL Dashboards. Refer to View Inline TLS/SSL Dashboards.