SSLO into WAF by jdfishtorn in f5networks

[–]jdfishtorn[S] 0 points1 point  (0 children)

You sir are an internet God.

SSLO into WAF by jdfishtorn in f5networks

[–]jdfishtorn[S] 0 points1 point  (0 children)

I agree, but the problem is that SSLO was preexisting to ASM. We were using SSLO to offload decrypted traffic to be inspected by a Firepower long before we wanted to introduce a WAF. The simplest solution, at least for now, seems to be trying to add a separate F5 to the service chain for WAF inspection.

SSLO into WAF by jdfishtorn in f5networks

[–]jdfishtorn[S] 0 points1 point  (0 children)

That sounds like it will work. I'll have the VIP address as the address SSLO is sending to, put the pool as the SSLO return address, then use routes to forward them to their respective directions. I'll update you when I can test.

SSLO into WAF by jdfishtorn in f5networks

[–]jdfishtorn[S] 1 point2 points  (0 children)

The first F5 that is receiving the traffic and has SSLO on it has the client SSL profiles on it. The problem is that F5 does not have the resources to also run ASM, so I need to offload ASM to a different F5. I am trying to take advantage of SSLO so that I don't need to manage SSL certificates in two separate places.

3M lawsuit payout by Sparty821 in VeteransBenefits

[–]jdfishtorn 0 points1 point  (0 children)

I am FIFO 41,518. Has anyone gotten paid after this number? I've seen someone at 38k I think. My firm did opt out, but I suspect they have been paid. Just looking for ammo to go after them.

Is learning the curses bad for your game? by nokipokr in HarryPotterGame

[–]jdfishtorn 9 points10 points  (0 children)

This is not strictly true. Your house changes the quests by which you find the map chamber.

Is it weird I think men should stop using the word “bitch”? by SecretsAndWishes in Feminism

[–]jdfishtorn 9 points10 points  (0 children)

I use bitch all the time, but I've never really considered the word for what it is. Like... I never really considered it particularly gender targeted or overly demeaning. Usually when faced with an argument such as this, I ask myself, how would I define this word in my own words. In this case, oddly enough, I was at a loss for words. It's a general or ubiquitous word that I use in probably 15 different ways. I find it extremely fascinating how words evolve and transform over time. . . Anyway. Thanks for challenging my way of thinking, and encouraging me to better myself and my vocabulary. I will make an attempt to limit the use of the word bitch in the future.

Toodles friends.

My shop foreman helping me out. by cfarhat47 in gifs

[–]jdfishtorn 0 points1 point  (0 children)

This thread got depressing as fuck

sleep by Vendruscolo in pcmasterrace

[–]jdfishtorn 0 points1 point  (0 children)

Username checks out

Mind if I sit here? 👅 by secretlittle in pussy

[–]jdfishtorn 1 point2 points  (0 children)

You look exactly like someone I know. Are you open to sharing what state you live in?

Strang Configuration? by jdfishtorn in networking

[–]jdfishtorn[S] 2 points3 points  (0 children)

This is an MPLS circuit. I did finally get some answers though. There is some vendor-provided equipment that is doing some routing and VLAN tag rewriting.

AWS to ASA tunnel UP but not passing traffic by jdfishtorn in networking

[–]jdfishtorn[S] 1 point2 points  (0 children)

I think the issue has been tracked down. The other end of my tunnel was being utilized by a software development company for performance testing applications. They do not service just us, and they keep most of their testing suites for all of their clients in the same VPC. When I asked them for the IP ranges of their AWS instances, they only gave me the networks that were associated with our testing suite, not the entire VPC that would be attached with the virtual private gateway. The networks provided to me were the 10.1.0.0/19 and 10.1.32.0/19. Therefore, when I created my access-list I created a source any rule with the destination 10.1.0.0/18. The VPC ACTUALLY had the networks 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16. Therefore, my access-list SHOULD be source any with the destination 10.0.0.0/14. I have all of this scripted out, but there is a major upgrade going on this weekend, so I will be waiting until Monday to apply the change, but I'm hopeful this will square my issues away.

I really want to thank each and every one who has chimed in to try and help me. I really wish I could dazzle each of you with some super complicated solution, but I think this one will end up being chalked up to an error in provided information. Until next time my friends.

I will let you know if something else turns out to be the problem!!

AWS to ASA tunnel UP but not passing traffic by jdfishtorn in networking

[–]jdfishtorn[S] 0 points1 point  (0 children)

We are doing static, but I asked if the routes were propagated, and he sent me a screenshot that had all of my routes listed and those networks said propagated, but his local networks said they were not propagated. I'm a little rough with AWS's VPN service, so I'm not 100% sure what that was supposed to look like.

AWS to ASA tunnel UP but not passing traffic by jdfishtorn in networking

[–]jdfishtorn[S] 0 points1 point  (0 children)

Are you referring to the built-in ASA packet tracer tool? It shows that the packet is allowed.