SSL Intercept v1.0 (BIG-IP v11.4+, v12.0: LTM, AFM)

This document contains guidance on configuring the BIG-IP system to act as a forward proxy, decrypting outbound HTTPS traffic so it can be inspected by a security device, which then forwards the traffic to BIG-IP for re-encryption and delivery to the destination. This guide includes instructions for using the fully supported iApp available on, as well as manual configuration guidance.

Note: The iApp template was previously known as f5.ssl_airgap_egress. The deployment guide was previously known as Air Gap Egress Inspection with SSL Intercept. This new guide and iApp template replace both previous versions.

About this solution
SSL termination is resource-intensive. F5 BIG-IP devices include dedicated hardware processors specializing in SSL processing. In both inbound and outbound deployment scenarios, using the F5 SSL Intercept solution provides uncompromising visibility into SSL traffic.

The proliferation of websites now leveraging SSL encryption to protect users poses a challenge to security sensor pools in their mission to eliminate malware and attacks for outbound application requests. With the BIG-IP LTM, SSL Intercept can be leveraged to provide full visibility into user traffic. 

For those with policy and privacy concerns, SSL category bypass can be configured so that requests to sites with sensitive data are not decrypted. This requires version 11.5 or later and a URL Filtering subscription.

Published June 14, 2018