This ATC Insight was created and contributed by NETSCOUT.

Maintaining security and delivering high-quality, technology-based digital services has never been more important or more challenging as the world has emerged from the recent pandemic and continues its transition to a multicloud world. NETSCOUT and F5 have had a technology alliance partnership for nearly a decade, and the resulting innovations have proved invaluable to our customers. The latest F5 and NETSCOUT integration eliminates the blind spots introduced by SSL/TLS-encrypted content, removes the need for additional packet-acquisition hardware, and increases visibility into application performance while reducing ever-increasing cybersecurity risks.

The SSL Orchestrator from F5 centralizes and manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for performance analysis and threat detection, providing deep visibility into a variety of issues that can impact digital services. The SSL Orchestrator removes the burden of decrypting content within packets, so your security and monitoring tools perform better and scale further. The nGeniusONE Platform from NETSCOUT uses its patented AI-based network packet analysis to monitor and measure the performance and reliability of digital services while identifying cybersecurity-related anomalies and their impact.

Test Environment 

Integration testing was conducted over a two-week period in WWT's Advanced Technology Center (ATC) utilizing the following configuration:

  • F5 BIG-IP version 17.1
  • SSL Orchestrator version 11.0
  • NETSCOUT vStream version 6.3.4
  • NETSCOUT nGeniusONE version 6.3.4

VMware ESX Configuration

Create the following 3 Port Groups:

  • internal-north
  • internal-south
  • netscout-tap

Attach them to a vSwitch as shown in this example:

Configure the BIG-IP virtual settings as follows:

NOTE: 

  • VM Network is used for Management
  • internal-north is used for connectivity to the North side of the network
  • internal-south is used for connectivity to the South side of the network
  • netscout-tap is used for decrypted connections from BIG-IP to NETSCOUT vStream

Configure the NETSCOUT vStream virtual settings as follows:

NOTE: 

  • VM Network is used for Management
  • netscout-tap is used for decrypted connections from BIG-IP to NETSCOUT vStream

NETSCOUT Configuration

Use a web browser to connect to the nGeniusONE management console. Click Device Configuration.

You should have at least one vStream device configured here.

At this point NETSCOUT nGeniusONE should be configured properly and ready to accept decrypted content from SSL Orchestrator.

F5 BIG-IP SSL Orchestrator Configuration

The BIG-IP VLAN settings should look like the following:

  • internal-north is used for network connectivity from the BIG-IP to the North
  • internal-south is used for network connectivity from the BIG-IP to the South
  • netscout-tap is used for decrypted connections from BIG-IP to NETSCOUT vStream

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

Navigate to SSL Orchestrator > Configuration.

Create the NETSCOUT Service

Under Services, click Add.

In the Service Catalog, select the TAP tab, then double-click NETSCOUT TAP.

Give it a name, NETSCOUT in this example. Enter the MAC Address of the vStream network adapter connected to the netscout-tap port group.

NOTE: You can find the MAC Address in the vStream VM network settings.

For the VLAN, select Use Existing, then netscout-tap.

Enable Port Remap. Set the Remap Port to 80.

Click Save and Next.

Click the name of the Service Chain.

Select the NETSCOUT Service from the left and click the arrow to move it to the right.  Click Save.

Click OK.

Click Save & Next at the bottom.

Click Deploy.

Click OK to the Success message.

When done it should look like the following:

Testing the Configuration

In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:

https://192.168.0.5

Test this connection now and it should look like the following:

We'll use tcpdump on the BIG-IP to verify connectivity.

The capture from the internal-south VLAN shows the encrypted HTTPS request.

The capture from the netscout-tap VLAN shows plain-text HTTP content being sent to NETSCOUT for inspection.
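Added here as an example, not code from the article or from either vendor: a small Python check that applies the same test the two captures above describe, and the Port Remap setting from the service configuration, to raw TCP payloads. It classifies each payload as a TLS record or clear-text HTTP and confirms that the internal-south VLAN carries only encrypted records while the netscout-tap VLAN carries only clear-text HTTP on the remapped port 80. The packet samples and the client address 192.168.0.10 are constructed; the server address 192.168.0.5 and the VLAN names come from the article. Feeding it real tcpdump output would require a pcap parser, which is not part of this example.

```python
"""Verify, from captured TCP payloads, that the SSL Orchestrator TAP service
is delivering clear-text HTTP to the NETSCOUT vStream.

Added example (not from the article): the packets below are constructed to
resemble what tcpdump on the BIG-IP would show on the internal-south VLAN
(encrypted client/server traffic) and on the netscout-tap VLAN (decrypted
copy, re-emitted on the remapped port 80).
"""
from dataclasses import dataclass

# Request methods that start a clear-text HTTP/1.x request line.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")
# First byte of a TLS record header (change_cipher_spec, alert, handshake, application_data).
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
MAX_TLS_RECORD = 2**14 + 2048  # plaintext limit plus ciphertext expansion allowance


@dataclass(frozen=True)
class Packet:
    vlan: str
    src: str
    dst: str
    src_port: int
    dst_port: int
    payload: bytes


def classify_payload(payload: bytes) -> str:
    """Return 'tls', 'http' or 'other' from the first bytes of a TCP payload."""
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        # content type, legacy version 0x03xx, then a 2-byte record length
        if int.from_bytes(payload[3:5], "big") <= MAX_TLS_RECORD:
            return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    return "other"


def verify_tap_visibility(packets, south_vlan="internal-south",
                          tap_vlan="netscout-tap", remap_port=80):
    """Count what each VLAN carries and decide whether the TAP is working.

    Expected state: the south VLAN carries only TLS, and the tap VLAN carries
    only clear-text HTTP on the remapped port. Anything else on the tap VLAN
    (still-encrypted records, wrong port) means the service chain or the
    Port Remap setting is not applied to this traffic.
    """
    counts = {"south_tls": 0, "south_non_tls": 0, "tap_http": 0, "tap_unexpected": 0}
    for p in packets:
        if not p.payload:  # bare ACKs carry nothing worth classifying
            continue
        kind = classify_payload(p.payload)
        if p.vlan == south_vlan:
            counts["south_tls" if kind == "tls" else "south_non_tls"] += 1
        elif p.vlan == tap_vlan:
            on_remap_port = remap_port in (p.src_port, p.dst_port)
            counts["tap_http" if kind == "http" and on_remap_port else "tap_unexpected"] += 1
    counts["ok"] = (counts["south_non_tls"] == 0 and counts["tap_http"] > 0
                    and counts["tap_unexpected"] == 0)
    return counts


CLIENT, SERVER = "192.168.0.10", "192.168.0.5"  # client address is constructed

# Constructed samples: a TLS ClientHello and an application-data record on the
# south VLAN, the decrypted request/response pair on the tap VLAN, and an ACK.
SAMPLE_PACKETS = [
    Packet("internal-south", CLIENT, SERVER, 54321, 443,
           b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03" + b"\x00" * 32),
    Packet("internal-south", SERVER, CLIENT, 443, 54321,
           b"\x17\x03\x03\x00\x45" + b"\x8f" * 0x45),
    Packet("netscout-tap", CLIENT, SERVER, 54321, 80,
           b"GET / HTTP/1.1\r\nHost: 192.168.0.5\r\n\r\n"),
    Packet("netscout-tap", SERVER, CLIENT, 80, 54321,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"),
    Packet("internal-south", CLIENT, SERVER, 54321, 443, b""),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.vlan:15} {p.src}:{p.src_port} -> {p.dst}:{p.dst_port} "
              f"{classify_payload(p.payload)}")
    print(verify_tap_visibility(SAMPLE_PACKETS))
```

The `tap_unexpected` counter is the one to watch when the tap capture disappoints: TLS records on netscout-tap mean the NETSCOUT service is not in the service chain for that traffic, and clear-text HTTP on a port other than 80 means Port Remap was not enabled on the service.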

NETSCOUT nGeniusONE Monitors

Check the Traffic Monitor to view statistics:

Zoom into the HTTP request that has been decrypted by SSL Orchestrator.

You can also see the server response in clear text.

Conclusion

This completes configuration of BIG-IP SSL Orchestrator with vStream and nGeniusONE. At this point, traffic that flows through SSL Orchestrator will be decrypted, sent to the NETSCOUT service and inspected.
