Any security tool attached to an SSLV appliance will receive all the traffic that is flowing through the segment that the SSLV is a bump in the wire on. An Active or Passive security tool attached to SSLV will receive the following :
- All non SSL traffic that passes through the SSLV appliance bump in the wire.
- All SSL flows that SSLV policy determines should not be inspected. The attached security tool will see the full encrypted flow just as they would if they had been attached to a network tap or connected as an in-line device when SSLV was not present.
- All SSL flows that SSLV policy determines should be inspected. The attached security tool will receive the TCP handshake followed by decrypted data, it will not see any of the SSL handshake. SSLV Copy ports feed passive security devices with all the traffic described above.
Note that if you run the packet capture utility, then it only captures packets that are sent over PCIe from the NFP flow processor to the X86 processing complex.
The only packets that the NFP sends to the X86 are:
- packets that the NFP thinks are part of an SSL handshake.
- packets on an SSL flow that policy has determined will be made visible, i.e. inspected.
Detection of SSL flows is done by the NFP so no TCP handshake packets or packets from non SSL flows are ever sent over PCIe to the X86.
Every time a new TCP flow begins, the NFP starts detecting SSL flows by watching to see if it can detect the Client Hello message that indicates the start of an SSL handshake. It will continue to watch the flow for 32 payload packets.