Recent F5 Labs analysis shows that 71% of malware installed through phishing hides in encryption. However, security inspection tools—next-generation firewalls (NGFW), intrusion detection/prevention systems (IDS/IPS), data loss prevention systems (DLP), and others—are increasingly blind to SSL/TLS traffic. In many cases, they also introduce latency by decrypting and re-encrypting on multiple daisy-chained devices. The lack of a centralized point of encrypted traffic management also creates frustrating overhead when configuration changes are necessary.


The good news is that you don’t have to live with paying the high cost of breaches due to hidden malware. Adding F5 SSL Orchestrator to your environment ensures encrypted traffic can be decrypted, inspected by security controls, then re-encrypted. As a result, you can maximize your investments in security inspection technologies—preventing inbound and outbound threats including exploitation, callback, and data exfiltration.

F5 SSL Orchestrator does more than provide visibility to encrypted threats, though. It delivers dynamic service chaining and policy-based traffic steering, applying context-based intelligence to encrypted traffic handling. This allows you to intelligently manage the flow of all encrypted traffic across your entire security chain, which also ensures you appropriately bypass decryption of regulated privacy data within the traffic.

71% of malware installed through phishing hides in SSL/TLS encryption.


Designed to easily integrate with existing and changing architectures, and to centrally manage the SSL/TLS decrypt/encrypt function, F5 SSL Orchestrator delivers the latest SSL/TLS protocol versions and encryption ciphers across your entire security infrastructure.

SSL Orchestrator is vendor-agnostic when it comes to integrating with inspection tools, as it supports multiple topologies and protocols, so you can add and remove security services as needed without disrupting traffic flow. 

Read the technical integration guides below to see what practices some key F5 partners recommend.


  • Decrypts SSL/TLS traffic flowing into your applications or egressing your network, routes to security inspection tools to expose threats or stop attacks, and then re-encrypts before sending the traffic to its destination.

  • Dynamically chains security tools based on your custom polices and network/device conditions, providing resiliency to your security stack by monitoring health and load balancing.

  • Using the built-in context engine supporting geolocation, IP reputation, URL categorization, 3rd party ICAP integration and more, your custom policies define intelligent routing to appropriate security inspection tools.

  • Enable the bypassing of decryption for regulated privacy data, such as traffic to or from banking or healthcare related websites or applications.

  • Reduces administrative costs by delivering a single platform for centralizing cipher change management across the entire security infrastructure and minimizes architectural changes.

  • Re-enables passive inspection of traffic inbound to your applications with out-of-band tools even when the traffic is encrypted with perfect forward secrecy.

  • Supports any deployment mode by flexibly integrating into complex layer 2 or 3 architectures.



Visibility High performance SSL/TLS decryption/re-encryption Support for inbound and outbound encrypted traffic
Dynamic service chaining Policy-based steering of decrypted traffic
Decoupled from physical interface, port, or VLANs
Simplified security service insertion
Service monitoring and resiliency
Load balancing of multiple security devices
Contextual policy engine Source and destination IP and subnet Port
Protocol Domain
IP geolocation
IP reputation (subscription)
URL categorization (subscription)
Policy-based block, bypass, and forward for inspection actions
Granular control Header changes; Support for port translation
High availability with TCP session resiliency
Robust cipher and protocol support TLS 1/1.1/1.2/1.3
Forward secrecy/perfect forward secrecy RSA/DHE/ECDHE with forward secrecy support SHA, SHA2, AES, AES-GCM
Proxy-level control over ciphers and protocols
Deployment modes Outbound layer 3 explicit proxy
Outbound layer 3 transparent proxy
Inbound layer 3 reverse proxy
Outbound layer 2
Inbound layer 2
Existing application (existing LTM application)
Supported service types HTTP web proxy services
Inline layer 3 services
Inline layer 2 services
ICAP/DLP services
Tap services
Throughput Up to 9.3 Gbps on virtual edition
8500 transactions/second
Up to 24 Gbps on appliance
53K transactions/second

Speak to an F5 security expert

Got a security question, issue, or something else you’d like to discuss?
We’d love to hear from you!  

Are You Equipped to Decrypt?

Nearly 90% of page loads are encrypted with SSL/TLS, and attackers commonly use encryption to hide malicious payloads. If you’re not inspecting SSL/TLS traffic, you'll miss attacks and leave your organization vulnerable. 

Read the article
Watch the video



SSL Orchestrator Guided Demo

Watch the demo to see how SSL Orchestrator enables your security inspection tools to inspect encrypted traffic egressing your network.

Talk to F5

Speak with F5 Security Experts

Ready to understand how to identify hidden threats and prevent attacks with SSL Orchestrator? Contact F5 today.


SSL Orchestrator

Explore the latest SSL/TLS encryption management technologies, easily integrated into your entire infrastructure, and enabling your existing security inspection tool investments.


How to Uncover Attacks Hiding in Encryption

Hear from F5 security experts on the risks associated with encrypted traffic and how to manage inspection across all your security solutions.