Firewall Policy in Gateway API¶
Introduction¶
Gateway resources can be configured to attach F5-specific firewall policies. This allows you to define ingress traffic rules, ensuring that data (traffic) is processed and flows securely through the data path.
This section shows how the Gateway API supports policies. The policy is attached to Gateway API objects by configuring the targetRefs parameter in the F5BigFwPolicy CRD. The F5 Controller handles the ACL policies configured using Gateway API objects.
For more details, refer to:
About F5GlobalOptions¶
The F5GlobalOptions CRD is used to configure multiple behaviors at the global level, such as the default action to apply on traffic.
Refer to F5GlobalOptions.
About F5BigFwPolicy CRD¶
The F5BigFwPolicy Custom Resource (CR) applies industry-standard firewall rules to the Traffic Management Microkernel (TMM), ensuring that only connections initiated by trusted clients will be accepted. When applying a new F5BigFwPolicy CR configuration, firewall rules are first sent to the Application Firewall Management (AFM) Pod to be compiled into a binary large object (BLOB), improving processing performance. Once the firewall BLOB is compiled, it is sent to the TMM Proxy Pod to begin inspecting and filtering network packets.
To integrate with Gateway API, the targetRefs field must be added for direct policy attachment, according to GEP 2648: Direct Policy Attachment.
Refer to F5BigFwPolicy.
Attach firewall policy¶
You can attach the firewall policy to:
Gateway class
Gateway or Gateway Listener
Note: To support ACL in Gateway API, the firewall policy (F5BigFwPolicy) must be created in the same namespace as the resource specified in the targetRefs field.
Add firewall policy to Gateway Class¶
When you add an ACL policy to the GatewayClass, the ACL policy is linked to the global context that is available to all TMMs in the cluster.
Sample CRs¶
You can review these sample CRs:
Gateway Class CR
Firewall Policy CR
This sample CR shows how the GatewayClass is configured and used within a cluster.
Gateway API CR
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: f5-gateway-class
spec:
  controllerName: "f5.com/default-f5-cne-controller"
  description: "F5 BIG-IP Kubernetes Gateway"
This sample CR shows how the F5-specific F5BigFwPolicy is attached to the GatewayClass. Here, both CRs are applied to the default namespace.
Firewall Policy CR
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: policy-gw-class
  namespace: default
spec:
  targetRefs:
  - name: f5-gateway-class
    kind: GatewayClass
  rule:
  - name: rule-ingress-tcp-class
    ipProtocol: tcp
    action: accept
    source:
      addresses: ["0.0.0.0/0"]
Add firewall policy to Gateway or Gateway Listener¶
A Gateway specifies one or more Listeners, and each Listener corresponds to a Virtual Server (VS) in TMM. A firewall policy attached directly to a Gateway (by Gateway Name) is the default policy for that Gateway: it is applied to every VS created for the Gateway that does not have its own policy attached. If you attach a firewall policy to a Listener (by Gateway Name together with the Listener Name in sectionName), it is linked to that Listener's VS in TMM.
This section provides sample CRs for applying a firewall policy in a Gateway.
Sample CRs¶
You can review these sample CRs:
Gateway API CR
Firewall Policy CR
These sample CRs show how to configure Gateway and L4Route resources in Kubernetes, integrated with F5’s GatewayClass to manage Layer 4 traffic (TCP). The Gateway API enables handling ingress traffic at Layer 4 (TCP/UDP) using F5-specific resources and annotations.
Note: Here, the Gateway named my-gwapi-l4route-tcp-gateway is in the gwapi namespace. The L4Route named l4-tcp-app is in the spk-test-app namespace.
Sample Gateway CR
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gwapi-l4route-tcp-gateway
  namespace: gwapi
spec:
  addresses:
  - type: "IPAddress"
    value: 192.168.10.239
  - type: "IPAddress"
    value: fe03:10::239
  gatewayClassName: f5-gateway-class
  infrastructure:
    parametersRef:
      name: test-bnkgateway
      kind: F5BnkGateway
      group: k8s.f5net.com
  listeners:
  - name: foo-gw
    protocol: TCP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
      kinds:
      - kind: L4Route
        group: gateway.k8s.f5net.com
Sample L4Route CR
apiVersion: gateway.k8s.f5net.com/v1
kind: L4Route
metadata:
  name: l4-tcp-app
  namespace: spk-test-app
spec:
  protocol: TCP
  parentRefs:
  - name: my-gwapi-l4route-tcp-gateway
    namespace: gwapi
    sectionName: foo-gw
  rules:
  - backendRefs:
    - name: nginx-app-svc
      namespace: spk-test-app
      port: 80
This sample firewall policy CR (policy-gateway-gwapi) targets the Gateway and is created in the gwapi namespace, the same namespace as the Gateway.
Sample Firewall policy CR referring to Gateway
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: policy-gateway-gwapi
  namespace: gwapi
spec:
  description: "some changes to reapply"
  targetRefs:
  - name: my-gwapi-l4route-tcp-gateway
    kind: Gateway
  rule:
  - name: rule-ingress-tcp-gateway
    ipProtocol: tcp
    action: drop
    source:
      addresses:
      - "0.0.0.0/0"
      - "::/0"
    logging: true
This sample firewall policy CR (policy-listener) targets a Gateway listener (the Gateway name plus the listener name in sectionName) and is created in the gwapi namespace.
Sample Firewall policy CR referring to listener
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: policy-listener
  namespace: gwapi
spec:
  targetRefs:
  - name: test-gateway
    kind: Gateway
    sectionName: foo-gw
  rule:
  - name: rule-ingress-tcp-listener
    ipProtocol: tcp
    action: accept
    source:
      addresses: ["0.0.0.0/0"]
Sample Firewall policy status¶
You can view the status of the policy from the status section in the CR. This section provides the sample command and the output.
Sample command¶
kubectl describe -f <your-policy>.yaml
Sample status¶
<...>
Status:
  Conditions:
    Last Transition Time:  2025-03-20T00:27:51Z
    Message:
    Observed Generation:   0
    Reason:                Accepted
    Status:                True
    Type:                  Accepted
    Last Transition Time:  2025-03-20T00:27:51Z
    Message:               CR config sent to all grpc endpoints
    Observed Generation:   2
    Reason:                Programmed
    Status:                True
    Type:                  Programmed
  Generation Id:           0
<...>
Applying firewall policy in Gateway API¶
1. Copy the Gateway or GatewayClass CR.
2. Paste the CR into a YAML file, for example f5-gateway-class.yaml.
3. Apply the YAML file in the namespace.
4. Copy the firewall policy CR.
5. Paste the firewall policy CR into a YAML file, for example policy-gateway-gwapi.yaml.
6. Apply the YAML file in the same namespace as the Gateway or GatewayClass.
Note: If the firewall policy is attached to a GatewayClass, it becomes a global policy for all Gateways of that class. If it is attached to a Gateway, it is applied only to that specific Gateway.
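The attachment rules described above and in the Gateway section (GatewayClass policy in the global context, Gateway policy as the default for the Gateway's VSs, listener policy for one VS, and the same-namespace requirement) as an added preflight check. This is example code written for this page, not F5 Controller logic; it assumes the CRs have already been parsed into dicts (for example with a YAML library), checks one Gateway at a time, and uses the page's sample CRs as constructed input.

```python
# Added example (not F5 Controller code): work out which F5BigFwPolicy governs
# each Gateway listener. The GatewayClass policy is linked to the global context
# on every TMM; a policy targeting a listener (sectionName) is linked to that
# listener's VS, otherwise the policy targeting the Gateway is the VS default.
# A policy whose Gateway is missing, whose namespace differs from the Gateway's,
# or whose sectionName matches no listener is reported instead of ignored.
GATEWAY = {
    "metadata": {"name": "my-gwapi-l4route-tcp-gateway", "namespace": "gwapi"},
    "spec": {"gatewayClassName": "f5-gateway-class",
             "listeners": [{"name": "foo-gw", "protocol": "TCP", "port": 80}]},
}
POLICIES = [  # the page's sample policies as parsed dicts (constructed here)
    {"metadata": {"name": "policy-gw-class", "namespace": "default"},
     "spec": {"targetRefs": [{"name": "f5-gateway-class", "kind": "GatewayClass"}]}},
    {"metadata": {"name": "policy-gateway-gwapi", "namespace": "gwapi"},
     "spec": {"targetRefs": [{"name": "my-gwapi-l4route-tcp-gateway", "kind": "Gateway"}]}},
    {"metadata": {"name": "policy-listener", "namespace": "gwapi"},
     "spec": {"targetRefs": [{"name": "test-gateway", "kind": "Gateway",
                              "sectionName": "foo-gw"}]}},
]

def resolve(gateway, policies):
    """Return ({listener: {"global": policy, "virtual": policy}}, [problems])."""
    gw_name = gateway["metadata"]["name"]
    gw_ns = gateway["metadata"]["namespace"]
    listeners = [lst["name"] for lst in gateway["spec"]["listeners"]]
    class_policy = gw_policy = None
    listener_policy, problems = {}, []
    for pol in policies:
        pname, pns = pol["metadata"]["name"], pol["metadata"]["namespace"]
        for ref in pol["spec"]["targetRefs"]:
            if ref["kind"] == "GatewayClass":  # cluster-scoped, no namespace rule
                if ref["name"] == gateway["spec"]["gatewayClassName"]:
                    class_policy = pname
            elif ref["name"] != gw_name:
                problems.append(f"{pname}: no Gateway named {ref['name']}")
            elif pns != gw_ns:  # policy must share the Gateway's namespace
                problems.append(f"{pname}: namespace {pns} differs from {gw_ns}")
            elif "sectionName" not in ref:
                gw_policy = pname  # default for every VS of this Gateway
            elif ref["sectionName"] in listeners:
                listener_policy[ref["sectionName"]] = pname
            else:
                problems.append(f"{pname}: no listener {ref['sectionName']}")
    effective = {lst: {"global": class_policy,
                       "virtual": listener_policy.get(lst, gw_policy)}
                 for lst in listeners}
    return effective, problems
```

Run against the page's samples, the listener policy is reported because test-gateway is not the sample Gateway, so the VS for foo-gw falls back to the Gateway's drop policy.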
Using HSL Profile¶
You can now attach a High-Speed Logging (HSL) profile to the Gateway Class. This feature enables centralized or standardized logging of ACL (Access Control List) events both in the global context and within individual Virtual Servers.
Attaching HSL Profile to GatewayClass¶
You can use the same back-reference mechanism (targetRefs) to attach the HSL profile to a GatewayClass. This works in the same way as attaching an ACL policy to a GatewayClass.
Sample CRs¶
In this sample CR, the log profile log-profile is attached to the global context across all TMMs (Traffic Management Microkernels) in the cluster. It is used to log events associated with all ACL policies linked to either the GatewayClass or the individual Gateways.
Gateway API CR
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: f5-gateway-class
spec:
  controllerName: "f5.com/f5-gateway-controller"
  description: "F5 BIG-IP Kubernetes Gateway"
HSL Log profile (referring GatewayClass) and publisher
apiVersion: "k8s.f5net.com/v2"
kind: F5BigLogProfile
metadata:
  name: "log-profile"
spec:
  targetRefs:
  - name: f5-gateway-class
    kind: GatewayClass
  publisher: "log-publisher"
  firewall:
    enabled: true
---
apiVersion: "k8s.f5net.com/v2"
kind: F5BigLogHslpub
metadata:
  name: "log-publisher"
spec:
  pool:
  - name: "pool"
    endpoint:
    - 11.11.11.196:514
  syslog:
  - name: syslog
    pool: pool
    format: rfc5424
    protocol: udp
    distribution: balanced
Statistics¶
This section provides sample commands and output for TMSTL statistics.
Sample command
#FLO - tmm is daemonset:
kubectl exec -it daemonsets/f5-tmm -c debug -- bash
Sample statistics
Sample command 1
tmctl -w 300 -d /var/tmstat/blade/ virtual_server_stat -s name,clientside.pkts_in,serverside.pkts_out,clientside.tot_conns,serverside.tot_conns
Sample output 1
f5-tmm-9cmv6
virtual_server_stat table
name                                                    clientside.pkts_in  clientside.pkts_out  serverside.pkts_out  serverside.pkts_in
------------------------------------------------------  ------------------  -------------------  -------------------  ------------------
gwapi-demo-tcp-gateway-192.168.10.239-demo-listener-vs  80                  40                   80                   40
gwapi-demo-tcp-gateway-fe03:10::239-demo-listener-vs    20                  2                    8                    0
Sample command 2
tmctl -w 300 -d /var/tmstat/blade/ fw_hw_offload_stats
Sample output 2
fw_rule_stat table
context_type  context_name                                            rule_name                                    micro_rules  counter  hw_counter  last_hit_time  action
------------  ------------------------------------------------------  -------------------------------------------  -----------  -------  ----------  -------------  ------
virtual       gwapi-demo-tcp-gateway-192.168.10.239-demo-listener-vs  rule-ingress-tcp-gateway-firewallpolicyrule  2            40       0           1742430496     2
virtual       gwapi-demo-tcp-gateway-fe03:10::239-demo-listener-vs    rule-ingress-tcp-gateway-firewallpolicyrule  2            2        0           1742430490     2
Sample HSL log example¶
Sample log message
Mar 20 23:27:18 11.11.11.201 1 2025-03-20T23:27:18.278437+00:00 f5-tmm-tvbcq tmm 23 23003137 [F5@12276 acl_policy_name="default-policy1-firewallpolicy" acl_policy_type="Enforced" acl_rule_name="rule-tcp-accept-firewallpolicyrule" acl_rule_uuid="" action="Accept" hostname="f5-tmm-tvbcq" bigip_mgmt_ip="10.244.99.83" context_name="global-context" context_type="Global" date_time="Mar 20 2025 23:27:17" dest_fqdn="unknown" dest_ip="44.44.44.1" dst_geo="No-lookup" dest_port="8050" device_product="Advanced Firewall Module" device_vendor="F5" device_version="10.14.0+0.1.5" drop_reason="" errdefs_msgno="23003137" errdefs_msg_name="Network Event" flow_id="0000000000000000" ip_protocol="TCP" severity="8" partition_name="" route_domain="0" sa_translation_pool="" sa_translation_type="" source_fqdn="unknown" source_ip="11.11.11.1" src_geo="No-lookup" source_port="5000" source_user="unknown" source_user_group="unknown" translated_dest_ip="" translated_dest_port="" translated_ip_protocol="" translated_route_domain="" translated_source_ip="" translated_source_port="" translated_vlan="" vlan="client-1001" send_to_vs="" src_zone="" dest_zone="" dest_vlan="eth0" source_ipint_categories="No-lookup" dest_ipint_categories="No-lookup"] "10.244.99.83","f5-tmm-tvbcq","Global","global-context","No-lookup","11.11.11.1","No-lookup","44.44.44.1","5000","8050","client-1001","TCP","0","","","","","","","","Enforced","default-policy1-firewallpolicy","rule-tcp-accept-firewallpolicyrule","","Accept","","","","0000000000000000","unknown","unknown","unknown","unknown","","","","eth0","No-lookup","No-lookup"
How you retrieve the HSL log message depends on the location and configuration of the external syslog server.
For example, if you use an external syslog server and the HSL configuration applies no filter to the collected messages, the messages are written to /var/log/messages and you can use the tail command on that file to view firewall logs.
Sample syslog-ng configuration (/etc/syslog-ng/syslog-ng.conf)
source s_network {
    tcp(ip(192.168.10.190) port(514));
    udp(ip(192.168.10.190) port(514));
};
destination d_messages { file("/var/log/messages"); };
log { source(s_network); destination(d_messages); };
Later, use tail -f /var/log/messages to view firewall logs.
For more details on HSL log message, see Hardware Acceleration for ACL.
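As an added example (not F5 code or tooling), the following Python parses the F5@12276 structured-data block of HSL messages in the format shown above, as they would arrive in /var/log/messages, and summarises ACL events by context, policy, rule and action. The sample lines are constructed and shortened to the fields used here; the Drop event and its "Virtual Server" context_type value are assumptions, since the page only shows an Accept event in the Global context.

```python
import re
from collections import Counter

# Constructed sample lines (not from a live system) in the HSL format shown
# above: an RFC 5424 header followed by an [F5@12276 ...] structured-data block.
SAMPLE_LOGS = [
    'Mar 20 23:27:18 11.11.11.201 1 2025-03-20T23:27:18.278437+00:00 f5-tmm-tvbcq '
    'tmm 23 23003137 [F5@12276 acl_policy_name="default-policy1-firewallpolicy" '
    'acl_policy_type="Enforced" acl_rule_name="rule-tcp-accept-firewallpolicyrule" '
    'action="Accept" context_name="global-context" context_type="Global" '
    'dest_ip="44.44.44.1" dest_port="8050" ip_protocol="TCP" source_ip="11.11.11.1" '
    'source_port="5000" vlan="client-1001"] "10.244.99.83","f5-tmm-tvbcq"',
    'Mar 20 23:27:19 11.11.11.201 1 2025-03-20T23:27:19.001200+00:00 f5-tmm-tvbcq '
    'tmm 23 23003137 [F5@12276 acl_policy_name="policy-gateway-gwapi-firewallpolicy" '
    'acl_policy_type="Enforced" acl_rule_name="rule-ingress-tcp-gateway-firewallpolicyrule" '
    'action="Drop" context_name="gwapi-demo-tcp-gateway-192.168.10.239-demo-listener-vs" '
    'context_type="Virtual Server" dest_ip="192.168.10.239" dest_port="80" '
    'ip_protocol="TCP" source_ip="203.0.113.7" source_port="41000" vlan="client-1001"] '
    '"10.244.99.83","f5-tmm-tvbcq"',
    "Mar 20 23:27:20 11.11.11.201 kernel: unrelated line without structured data",
]

SD_RE = re.compile(r"\[F5@12276 (?P<params>[^\]]*)\]")  # the F5 SD-element
KV_RE = re.compile(r'(\w+)="([^"]*)"')                   # key="value" pairs inside it

def parse_hsl(line):
    """Return the F5@12276 key="value" params as a dict, or None if absent."""
    match = SD_RE.search(line)
    if match is None:
        return None
    return dict(KV_RE.findall(match.group("params")))

def summarize(lines):
    """Count ACL events per (context_type, policy, rule, action); skip other lines."""
    counts = Counter()
    for line in lines:
        ev = parse_hsl(line)
        if ev is not None:
            counts[(ev.get("context_type"), ev.get("acl_policy_name"),
                    ev.get("acl_rule_name"), ev.get("action"))] += 1
    return counts

def drops_by_source(lines):
    """Count Drop events per source IP, a first cut for reviewing blocked traffic."""
    hits = Counter()
    for line in lines:
        ev = parse_hsl(line)
        if ev is not None and ev.get("action") == "Drop":
            hits[ev.get("source_ip", "unknown")] += 1
    return dict(hits)
```

To use it on a real file, read /var/log/messages line by line and pass the lines to summarize() or drops_by_source().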
Cross Reference¶
Refer to the specific CRD pages for parameter descriptions.