Product Documentation

Selective SSL logging

In a large deployment comprising thousands of virtual servers, all SSL-related information is logged. However, if only a few virtual servers are critical to the deployment, you cannot filter the client authentication and SSL handshake successes and failures for just those critical virtual servers. Perusing the entire log to extract this information is a time-consuming and tedious task, because the current infrastructure offers no control over which virtual servers are logged. With this enhancement, you can log SSL-related information, such as client authentication and SSL handshake failures, only for a specific virtual server or for a group of virtual servers. This information is especially helpful in debugging failures. To log this information, you must add an SSL log profile.

SSL log profile

An SSL log profile provides control over logging client authentication events (all successes and failures, or only failures) and SSL handshake events (all successes and failures, or only failures) for a virtual server or a group of virtual servers. By default, all the parameters are disabled.

An SSL log profile can be set on an SSL profile, or on an SSL action. If set to an SSL profile, you can log both client authentication and SSL handshake success and failure information. If set to an SSL action, you can only log client authentication success and failure information because the handshake is complete before the policy is evaluated.

Client authentication and SSL handshake successes and failures are logged even if you do not configure an SSL log profile. However, selective logging is possible only if an SSL log profile is used.

Note:

SSL log profile is supported in high availability and cluster setups.

Add an SSL log profile by using the CLI

At the command prompt, type:

add ssl logprofile <name> [-sslLogClAuth ( ENABLED | DISABLED )] [-ssllogClAuthFailures ( ENABLED | DISABLED )] [-sslLogHS ( ENABLED | DISABLED )] [-sslLogHSfailures ( ENABLED | DISABLED )]

Parameters:

Name:

Name for the SSL log profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the profile is created.

This is a mandatory argument. Maximum Length: 127

sslLogClAuth:

Log all client authentication events. Includes both success and failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

ssllogClAuthFailures:

Log all client authentication failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sslLogHS:

Log all SSL handshake-related events. Includes both success and failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sslLogHSfailures:

Log all SSL handshake-related failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

Example:

> add ssl logprofile ssllog10 -sslLogClAuth ENABLED -sslLogHS ENABLED
 Done
> sh ssllogprofile ssllog10
1)      Name: ssllog10
        SSL log ClientAuth [Success/Failures] : ENABLED
        SSL log ClientAuth [Failures] : DISABLED
        SSL log Handshake [Success/Failures] : ENABLED
        SSL log Handshake [Failures] : DISABLED
 Done
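The name rule and the four ENABLED/DISABLED switches above are easy to get wrong when you script the rollout across many virtual servers. The following Python helper is an added example (not part of this documentation or of the NetScaler product) that validates a log profile name against the constraint stated for the Name parameter, renders the add ssl logprofile and set ssl profile commands, and plans a failures-only configuration for a list of SSL profiles. The profile names fp1 and fp2 are constructed placeholders; the double quoting of names that contain spaces is an assumption about how the CLI expects such arguments.

```python
import re
from typing import List

# Name rule quoted from the "Name" parameter above: the first character is an
# ASCII alphanumeric or underscore; the rest may also be hash, period, space,
# colon, at, equals or hyphen; at most 127 characters in total.
_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_#. :@=-]{0,126}")


def valid_logprofile_name(name: str) -> bool:
    """True if the name satisfies the documented constraint."""
    return _NAME_RE.fullmatch(name) is not None


def _cli_arg(name: str) -> str:
    # Assumption: a name containing a space must be double-quoted on the CLI.
    return f'"{name}"' if " " in name else name


def build_add_logprofile(name: str, *, cl_auth: bool = False,
                         cl_auth_failures: bool = False, hs: bool = False,
                         hs_failures: bool = False) -> str:
    """Render 'add ssl logprofile', emitting only the switches that depart
    from the DISABLED default so the command stays minimal."""
    if not valid_logprofile_name(name):
        raise ValueError(f"invalid SSL log profile name: {name!r}")
    switches = [
        ("-sslLogClAuth", cl_auth),
        ("-ssllogClAuthFailures", cl_auth_failures),
        ("-sslLogHS", hs),
        ("-sslLogHSfailures", hs_failures),
    ]
    parts = [f"add ssl logprofile {_cli_arg(name)}"]
    parts += [f"{flag} ENABLED" for flag, on in switches if on]
    return " ".join(parts)


def build_attach_to_ssl_profile(ssl_profile: str, logprofile: str) -> str:
    """Render the 'set ssl profile ... -ssllogProfile' binding command."""
    return f"set ssl profile {_cli_arg(ssl_profile)} -ssllogProfile {_cli_arg(logprofile)}"


def plan_selective_logging(logprofile: str, critical_ssl_profiles: List[str],
                           failures_only: bool = True) -> List[str]:
    """Command sequence that creates one log profile and binds it to every
    SSL profile used by the critical virtual servers.  failures_only keeps
    log volume down by enabling just the *Failures switches; otherwise the
    switches that also record successes are enabled."""
    if failures_only:
        add = build_add_logprofile(logprofile, cl_auth_failures=True,
                                   hs_failures=True)
    else:
        add = build_add_logprofile(logprofile, cl_auth=True, hs=True)
    return [add] + [build_attach_to_ssl_profile(p, logprofile)
                    for p in critical_ssl_profiles]


if __name__ == "__main__":
    # Constructed input: two SSL profiles that front the critical vservers.
    for cmd in plan_selective_logging("crit_failures", ["fp1", "fp2"]):
        print(cmd)
```

The generated lines are meant to be reviewed and then pasted into the NetScaler CLI; the script itself never talks to the appliance. Enabling only the failure switches is usually the right first step on a busy deployment, because the success events are what inflate the log.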

Add an SSL log profile by using the GUI

Navigate to System > Profiles > SSL Log Profile and add a new profile.

Modify an SSL log profile by using the CLI

At the command prompt, type:

set ssl logprofile <name> [-sslLogClAuth ( ENABLED | DISABLED )] [-ssllogClAuthFailures ( ENABLED | DISABLED )] [-sslLogHS ( ENABLED | DISABLED )] [-sslLogHSfailures ( ENABLED | DISABLED )]

Example:

set ssllogprofile ssllog10 -ssllogClAuth en -ssllogClAuthFailures en -ssllogHS en -ssllogHSfailures en

Done

sh ssllogprofile ssllog10

    1)            Name: ssllog10

                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : ENABLED
                    SSL log Handshake [Failures] : ENABLED
     Done

Modify an SSL log profile by using the GUI

  1. Navigate to System > Profiles > SSL Log Profile, select a profile, and click Edit.
  2. Make changes and click OK.

View all the SSL log profiles by using the CLI

At the command prompt, type:

sh ssl logprofile

Example:

sh ssl logprofile

    1)            Name: ssllogp1
                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : ENABLED

    2)            Name: ssllogp2
                    SSL log ClientAuth [Success/Failures] : DISABLED
                    SSL log ClientAuth [Failures] : DISABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : DISABLED

    3)            Name: ssllogp3
                    SSL log ClientAuth [Success/Failures] : DISABLED
                    SSL log ClientAuth [Failures] : DISABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : DISABLED

    4)            Name: ssllog10
                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : ENABLED
                    SSL log Handshake [Failures] : ENABLED
Done
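On an appliance with many profiles, reading the sh ssl logprofile listing by eye does not scale. The following Python script is an added example (not part of this documentation or of the NetScaler product) that parses the show output into a per-profile map keyed by the CLI parameter names and then reports the profiles that record no failures at all, which are the ones that would give no selective visibility if attached to a critical virtual server. The embedded text is a constructed copy of the listing format shown above; the audit rule is this example's own, not a product feature.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the "sh ssl logprofile" listing format above
# (numbered entries, four switches each, "Done" terminator).
SAMPLE_OUTPUT = """\
    1)            Name: ssllogp1
                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : ENABLED

    2)            Name: ssllogp2
                    SSL log ClientAuth [Success/Failures] : DISABLED
                    SSL log ClientAuth [Failures] : DISABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : DISABLED

    3)            Name: ssllogp3
                    SSL log ClientAuth [Success/Failures] : DISABLED
                    SSL log ClientAuth [Failures] : DISABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : DISABLED

    4)            Name: ssllog10
                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : ENABLED
                    SSL log Handshake [Failures] : ENABLED
Done
"""

# Map each display label back to the parameter name of "add ssl logprofile".
_LABEL_TO_PARAM = {
    ("ClientAuth", "Success/Failures"): "sslLogClAuth",
    ("ClientAuth", "Failures"): "ssllogClAuthFailures",
    ("Handshake", "Success/Failures"): "sslLogHS",
    ("Handshake", "Failures"): "sslLogHSfailures",
}
_NAME_RE = re.compile(r"^\s*\d+\)\s+Name:\s*(\S+)\s*$")
_FLAG_RE = re.compile(r"^\s*SSL log (\w+) \[([^\]]+)\]\s*:\s*(ENABLED|DISABLED)\s*$")


def parse_ssl_logprofiles(text: str) -> Dict[str, Dict[str, bool]]:
    """Parse 'sh ssl logprofile' output into {profile: {param: enabled}}."""
    profiles: Dict[str, Dict[str, bool]] = {}
    current = None
    for line in text.splitlines():
        if line.strip() == "Done":
            break
        m = _NAME_RE.match(line)
        if m:
            current = m.group(1)
            # Every switch defaults to DISABLED, so start from that baseline.
            profiles[current] = {p: False for p in _LABEL_TO_PARAM.values()}
            continue
        m = _FLAG_RE.match(line)
        if m and current is not None:
            param = _LABEL_TO_PARAM.get((m.group(1), m.group(2)))
            if param is None:
                raise ValueError(f"unknown log switch: {line.strip()!r}")
            profiles[current][param] = m.group(3) == "ENABLED"
    return profiles


def logs_handshake_failures(p: Dict[str, bool]) -> bool:
    # sslLogHS covers both successes and failures, so either switch suffices.
    return p["sslLogHS"] or p["sslLogHSfailures"]


def logs_clauth_failures(p: Dict[str, bool]) -> bool:
    return p["sslLogClAuth"] or p["ssllogClAuthFailures"]


def profiles_without_failure_logging(profiles: Dict[str, Dict[str, bool]]) -> List[str]:
    """Profiles that record neither handshake nor client-auth failures."""
    return sorted(name for name, p in profiles.items()
                  if not logs_handshake_failures(p) and not logs_clauth_failures(p))


if __name__ == "__main__":
    parsed = parse_ssl_logprofiles(SAMPLE_OUTPUT)
    for name, flags in parsed.items():
        print(name, flags)
    print("no failure logging:", profiles_without_failure_logging(parsed))
```

To run it against a live listing, capture the show output to a file and pass its contents to parse_ssl_logprofiles in place of SAMPLE_OUTPUT; the parser stops at the first Done line, so trailing prompt text is ignored.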

View all the SSL log profiles by using the GUI

Navigate to System > Profiles > SSL Log Profile. All the profiles are listed.

Attach an SSL log profile to an SSL profile

You can attach (set) an SSL log profile on an SSL profile when you are creating an SSL profile, or later by editing the SSL profile. You can log both client authentication and handshake successes and failures.

Important:

The default SSL profile must be enabled before you can attach an SSL log profile.

Attach an SSL log profile on an SSL profile by using the CLI

At the command prompt, type:

set ssl profile <name> [-ssllogProfile <string>]

Example:

set ssl profile fron_1 -ssllogProfile ssllog10

Attach an SSL log profile to an SSL profile by using the GUI

  1. Navigate to System > Profiles > SSL Profile.
  2. Click Edit and in SSL Log Profile, specify a profile.

Attach an SSL log profile to an SSL action

You can set an SSL log profile only while creating an SSL action; you cannot modify an existing SSL action to set the log profile. Associate the action with a policy. Because the handshake is complete before the policy is evaluated, only client authentication successes and failures are logged.

Attach an SSL log profile to an SSL action by using the CLI

At the command prompt, type:

add ssl action <name> -clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH ) -ssllogProfile <string>

Example:

> add ssl action act1 -clientAuth DoCLIENTAUTH -ssllogProfile ssllog10

Done

> sh ssl action act1

    1)            Name: act1
                    Type: Client Authentication (DOCLIENTAUTH)
                    Hits: 0
                    Undef Hits: 0
                    Action Reference Count: 0
                    SSLlogProfile: ssllog10
Done

Attach an SSL log profile to an SSL action by using the GUI

  1. Navigate to Traffic Management > SSL > Policies and click SSL Actions.
  2. Click Add.
  3. In Client Authentication, select ENABLED.
  4. In SSL Log Profile, select a profile from the list, or click “+” to create a profile.
  5. Click Create.