Configure Inline TLS/SSL Decryption Using GigaVUE‑FM

This section describes how to configure inline TLS/SSL decryption using GigaVUE‑FM.

Note: Before configuring, review Get Started with Inline TLS/SSL Decryption for prerequisites, and review Introduction to Inline TLS/SSL Map Workflows.

Configure Inline TLS/SSL Decryption Using GigaVUE‑FM:

  • Keychain Password
  • Key Store
  • Signing CA
  • Trust Store
  • Policy Profile
  • Network Access

Inline TLS/SSL Map Workflow Steps (for Flow B):

  • Inline Network(s)
  • Inline Tool(s)
  • GS Group
  • Virtual Port
  • GS Operation
  • Inline Rule Based Map
  • Inline First Level Map
  • Inline Second Level Map
  • Collector Map (bypass)

1. Select Inline TLS/SSL Configuration Workflow

Inline TLS/SSL L3 Tool NAT/PAT Support

This feature introduces a new approach in GigaSMART to offload TLS decryption from Layer 3 inline tools that perform NAT/PAT (Network Address Translation / Port Address Translation) on the traffic passing through them. To achieve this, the GigaSMART engine maintains two separate sessions, one towards the client side and one towards the server side.

Supported Platforms

■   Gen3 cards in HC1 and HC3
■   HC1-Plus

Topology

The following are the preferred topologies for connecting to L3 NAT/PAT tools. The tool must be connected to the Nb side of the inline-network pair, and the network links must be connected to the Na side of the inline-network pair.

Traffic from the network is forwarded to the tool, and the reverse traffic from the tool is forwarded to the server side.

Also, because the client-side and server-side connections are separated, the client and server can be connected across different GS engines or devices, as shown below.

However, there is currently no communication mechanism between separate engines or devices, so they cannot coordinate a failover. The fail-over action for these solutions must therefore be vport-drop, to avoid leaking decrypted traffic to the network.

HTTP 2.0 Downgrade

In the Inline SSL app, the HTTP2 Downgrade option is enabled by default when Nat-Pat Mode is enabled. HTTP/2 traffic is then downgraded to HTTP/1.1 and decrypted. When the HTTP2 Downgrade option is disabled, HTTP/2 traffic is forwarded without decryption.

Cache Timeout

Server information is cached for performance optimization. The default timeout is 30 minutes. Setting the cache timeout value to zero flushes the cache and disables caching.

Refer to the following Gigamon Validated Design for more information:

Limitations

■   Decrypted data sent to the inline tool is limited to the HTTP/1.1 protocol over TLS; for other application protocols, the inline tool sees only encrypted data.
■   StartTLS traffic is not decrypted, because it is non-HTTP traffic.
■   Bypassing the tool is not supported, because all packets from the client or server must pass through the inline tool for NAT/PAT.
■   This feature cannot coexist with features such as Network group multiple entries, Inline network high availability, RIA, Tool early engage, Tool early inspect, one-arm, and Destination port translation.
■   The IPv6 version is not supported in software release version 6.1.00. The IPv6 version is supported from software release version 6.2.00.