nerdexam
F5

101 · Question #40

Which statement is true concerning SSL termination.

The correct answer is A. A virtual server that has both ClientSSL and ServerSSL profiles can still support cookie. When a virtual server has both ClientSSL and ServerSSL profiles, the BIG-IP decrypts inbound SSL traffic, enabling L7 features like cookie persistence to inspect and act on the cleartext payload.

Section 4: Security Basics

Question

Which statement is true concerning SSL termination.

Options

  • AA virtual server that has both ClientSSL and ServerSSL profiles can still support cookie
  • BDecrypting traffic at the BIG-IP allows the use of iRules for traffic management, but increases the
  • CWhen any virtual server uses a ClientSSL profile, all SSL traffic sent to the BIG-IP is decrypted
  • DIf a virtual server has both a ClientSSL and ServerSSL profile, the pool members have less SSL

How the community answered

(16 responses)
  • A
    50% (8)
  • B
    6% (1)
  • C
    19% (3)
  • D
    25% (4)

Why each option

When a virtual server has both ClientSSL and ServerSSL profiles, the BIG-IP decrypts inbound SSL traffic, enabling L7 features like cookie persistence to inspect and act on the cleartext payload.

AA virtual server that has both ClientSSL and ServerSSL profiles can still support cookieCorrect

Having both a ClientSSL profile (client-side SSL termination) and a ServerSSL profile (re-encryption toward pool members) places the BIG-IP in an SSL bridging or full-proxy mode where cleartext is available between the two SSL sessions. This cleartext window allows L7 features such as cookie persistence, HTTP profiles, and iRules to inspect and manipulate the payload before traffic is re-encrypted and forwarded to the pool members.

BDecrypting traffic at the BIG-IP allows the use of iRules for traffic management, but increases the

Decrypting traffic at the BIG-IP offloads SSL processing from pool members, reducing their CPU overhead - it does not increase backend burden; the added load is borne by the BIG-IP itself.

CWhen any virtual server uses a ClientSSL profile, all SSL traffic sent to the BIG-IP is decrypted

A ClientSSL profile only decrypts SSL traffic directed to the specific virtual server it is associated with, not all SSL traffic arriving anywhere on the BIG-IP.

DIf a virtual server has both a ClientSSL and ServerSSL profile, the pool members have less SSL

When both ClientSSL and ServerSSL profiles are configured, the BIG-IP re-encrypts traffic before sending it to pool members, meaning pool members still perform full SSL processing and do not benefit from reduced SSL overhead.

Concept tested: F5 BIG-IP SSL bridging and L7 feature visibility

Source: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-local-traffic-management-profiles-reference/ssl-profiles.html

Topics

#SSL termination#ClientSSL ServerSSL#cookie persistence SSL#iRules SSL

Community Discussion

No community discussion yet for this question.

Full 101 Practice