Forum Discussion

tpimpao's avatar
tpimpao
Icon for Altostratus rankAltostratus
Oct 26, 2023

F5 BigIP + TAP NetworkCritical + Fraud Detetion

Hi 👋 

From the past days I have been struggling with a weird problem. 
We have been migrating some web servers from HAProxy to the BigIP LTM. 
The migration it's straightforward, BigIP make de SSL termination to the client and use the respective Pool to the App servers. 

We have a solution that need to receive the same traffic (between the client and BigIP), and we are using a TAP device to SPAN all the traffic. The same traffic are been delivery to the TAP encrypted. 
In the other end the TAP delivery that traffic to a Fraud Detection solution, that have the ability to decrypt the traffic and run some signatures. 

The weird behaviour is from the Fraud Detection solution, it's not say that is unable to decrypt the traffic, but not process any traffic from the BigIP. If we switch back to the HAProxy web server's everything works. Both BigIP and HAProxy are using the same public and private key. We have compared some tcpdumps and don't see any difference between TLS protocol or cipher that are been negotiated. 
Any ideia if BigIP change something in the traffic? 

Thanks

TP

security

2 Replies

Sort By
  • Jeffrey_Granier's avatar
    Jeffrey_Granier
    Icon for Employee rankEmployee
    Nov 02, 2023

    I think we will need some more details about the Fraud Detection solution not being able to process any traffic.  Are there certain rules/settings that the Fraud Detection expect traffic to come from and will only process based off that rule?  Like source mac?  source IP?  There are a a number of changes in the traffic when it passes through a BIG-IP depending upon the configuration.  The virtual server configuration offers address translation as well as port translation.  Can you provide more info