F5BigFwPolicy¶
The F5BigFwPolicy Custom Resource (CR) applies industry-standard firewall rules to the Traffic Management Microkernel (TMM), ensuring that only connections initiated by trusted clients will be accepted. When applying a new F5BigFwPolicy CR configuration, firewall rules are first sent to the Application Firewall Management (AFM) Pod to be compiled into a binary large object (BLOB), improving processing performance. Once the firewall BLOB is compiled, it is sent to the TMM Pod to begin inspecting and filtering network packets.
CR parameters¶
The tables below describe the F5BigFwPolicy CR parameters.
metadata¶
| Parameter | Description |
|---|---|
| name | The name of the Firewall Policy. This value is referenced by BIG-IP Next for Kubernetes Traffic Management CRs. |
| namespace | The Kubernetes Namespace the firewall Policy will install to. |
spec¶
| Parameter | Description |
|---|---|
| rule.name | The name of the firewall rule. A policy can contain multiple firewall rules. |
| rule.ipProtocol | Specifies the IP protocol against which the packet will be compared. The default value is "any". The F5BigFwPolicy IP Protocols document contains the full list of supported protocols. |
| rule.action | Specifies the action applied to a packet that matches the ACL rule: "accept", "drop", or "reject". |
| rule.logging | Enables ACL rule match logging: true or false (default). |
| rule.source.addresses | Specifies a list of IPv4 or IPv6 source addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20. |
| rule.source.addressLists | Specifies the F5BigCneAddressList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold: this attribute specifies one or more addressLists; all of those addressLists are empty or do not exist (soft-reference case); and the rule does not specify any direct source address. |
| rule.source.ports | Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is a valid value that functions as a service port, not as a wildcard. |
| rule.source.portLists | Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold: this attribute specifies one or more portLists; all of those portLists are empty or do not exist (soft-reference case); and the rule does not specify any direct source port. |
| rule.source.vlans | Specifies a list of F5BigNetVlans in an array. |
| rule.destination.addresses | Specifies a list of IPv4 or IPv6 destination addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20. |
| rule.destination.ports | Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is a valid value that functions as a service port, not as a wildcard. |
| rule.destination.addressLists | Specifies the F5BigCneAddressList by metadata.name against which the packet will be compared. See the Address and Port Lists section below. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold: this attribute specifies one or more addressLists; all of those addressLists are empty or do not exist (soft-reference case); and the rule does not specify any direct destination address. |
| rule.destination.portLists | Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold: this attribute specifies one or more portLists; all of those portLists are empty or do not exist (soft-reference case); and the rule does not specify any direct destination port. |
| rule.ruleList | Specifies the name of the firewall rule list this rule references. |
To add, modify, or delete firewall rules easily, break the firewall rule list into multiple smaller units and store them in F5BigFwRulelist CRs.
CR Example¶
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: "fw-policy"
  namespace: "gateway"
spec:
  rule:
  - name: allow-10-20-http
    action: "accept"
    logging: true
    ipProtocol: tcp
    source:
      addresses:
      - "2002::10:20:0:0/96"
    destination:
      ports:
      - "80"
  - name: allow-10-30-ftp
    action: "accept"
    logging: true
    ipProtocol: tcp
    source:
      addresses:
      - "2002::10:30:0:0/96"
    destination:
      ports:
      - "20"
      - "21"
  - name: drop-all
    action: "drop"
    logging: true
    ipProtocol: any
    source:
      addresses:
      - "::0/0"
      - "0.0.0.0/0"
```
Maximum rule size¶
When F5BigFwPolicy CRs are installed into the cluster, the firewall rule set is declared in the metadata.annotations section of the installed CR. It is important to note that Kubernetes does not allow the metadata.annotations section to exceed 262144 bytes of data, and will log an error message stating this size limitation.
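The soft-reference rule in the parameter table (a rule that depends only on empty or missing addressLists/portLists is silently disabled) and the 262144-byte annotation limit above are both worth checking before a policy is applied, because a disabled drop rule fails open. The following Python lint is an added example, not F5 code; it works on objects shaped like `kubectl get ... -o json` output, keys lists by metadata.name only (assumes one namespace), and approximates the stored rule-set size by serializing `spec`. All sample objects are constructed.

```python
import json

ANNOTATION_LIMIT = 262144  # Kubernetes cap on metadata.annotations (bytes)

# Constructed sample objects, shaped like `kubectl get ... -o json` output, keyed by metadata.name.
ADDRESS_LISTS = {"allow-ipv6": {"spec": {"addresses": ["2002::10:10:10:0/112"]}},
                 "stale-list": {"spec": {"addresses": []}}}  # exists but is empty
PORT_LISTS = {"allow-5000s": {"spec": {"ports": ["5000-5500"]}}}
POLICY = {"spec": {"rule": [
    {"name": "allow-listed", "action": "accept",
     "source": {"addressLists": ["allow-ipv6"]}, "destination": {"portLists": ["allow-5000s"]}},
    {"name": "allow-stale", "action": "accept",  # soft references only: TMM disables this rule
     "source": {"addressLists": ["stale-list", "no-such-list"]}, "destination": {"ports": ["80"]}},
    {"name": "drop-all", "action": "drop", "source": {"addresses": ["::0/0", "0.0.0.0/0"]}},
]}}

def _live(name, lists):
    # A referenced list counts only if it exists and carries at least one entry.
    spec = lists.get(name, {}).get("spec", {})
    return bool(spec.get("addresses") or spec.get("ports"))

def _dead_reference(refs, direct, lists):
    # Soft-reference case from the parameter table: lists are named, none is live,
    # and there is no direct address/port to fall back on, so the rule is disabled.
    return bool(refs) and not direct and not any(_live(r, lists) for r in refs)

def disabled_rules(policy, address_lists=ADDRESS_LISTS, port_lists=PORT_LISTS):
    """Names of rules TMM will silently skip; a skipped drop rule is an open door."""
    out = []
    for rule in policy["spec"].get("rule", []):
        for side in ("source", "destination"):
            s = rule.get(side, {})
            if (_dead_reference(s.get("addressLists"), s.get("addresses"), address_lists)
                    or _dead_reference(s.get("portLists"), s.get("ports"), port_lists)):
                out.append(rule["name"])
                break
    return out

def annotation_bytes(policy):
    """Approximate size of the rule set as it is stored in metadata.annotations."""
    return len(json.dumps(policy["spec"], separators=(",", ":")).encode())

def lint(policy, address_lists=ADDRESS_LISTS, port_lists=PORT_LISTS):
    findings = [f"{n}: disabled, every referenced list is empty or missing"
                for n in disabled_rules(policy, address_lists, port_lists)]
    if annotation_bytes(policy) > ANNOTATION_LIMIT:
        findings.append(f"rule set exceeds the {ANNOTATION_LIMIT}-byte annotation limit")
    return findings
```

Run `lint(POLICY)` with the list objects fetched from the cluster instead of the constructed ones to check a real policy.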
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigFwPolicy CR shortName is fwpol.
View CR instance:
```shell
kubectl get fwpol -n <namespace>
```
View CR configuration:
```shell
kubectl get fwpol -n <namespace> -o yaml
```
Address and Port lists¶
Complex lists of IP addresses and service ports can be configured using the F5BigCneAddresslist and F5BigCnePortlist CRs. The address and port list CRs can then be referenced by the F5BigDdosProfile CR.
Address list:
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
  name: allow-ipv6
  namespace: default
spec:
  addresses:
  - "2002::192:168:10:1-2002::192:168:10:10"
  - "2002::10:10:10:0/112"
```
Port list:
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigCnePortlist
metadata:
  name: allow-5000s
spec:
  ports:
  - "5000-5500"
```
Installation¶
Use these steps to install the example F5BigFwPolicy CR, and the optional BIG-IP Next for Kubernetes CRs. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the BIG-IP Next for Kubernetes Event Logs while installing.
Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:
Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigLogHslpub
metadata:
  name: "hsl-pub"
  namespace: "gateway"
spec:
  pool:
  - name: "hsl-pool"
    endpoint:
    - "[2002::10:30:2:220]:514"
  syslog:
  - name: "syslog"
    format: "rfc5424"
    protocol: "udp"
    pool: "hsl-pool"
```
Install the F5BigLogHslpub CR:
```shell
kubectl apply -f spk-hsl-cr.yaml
```
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
```
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub gateway/hsl-pub was added/updated
```
Optional: The example F5BigLogProfile CR specifies firewall events such as aclMatchAccept and aclMatchDrop, and sends them to the remote logging server. Copy and paste the example into a YAML file:
Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "log-profile"
  namespace: "gateway"
spec:
  name: "spk-logs"
  firewall:
    enabled: true
    network:
      publisher: "hsl-pub"
      events:
        aclMatchAccept: true
        aclMatchDrop: true
        tcpEvents: true
        translationFields: true
```
Install the F5BigLogProfile CR:
```shell
kubectl apply -f spk-log-cr.yaml
```
In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:
```
I0202 12:00:00.12348 1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile gateway/spk-log-profile was added/updated
```
The example F5BigFwPolicy CR allows HTTP port 80 and FTP ports 20 and 21 from source IP subnet 2002::10:30:0:0/96. Copy and paste the example into a YAML file:
Note: The F5BigFwPolicy CR will be referenced by the F5BigContextSecure CR.
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: "fw-policy"
  namespace: "gateway"
spec:
  rule:
  - name: allow-http
    action: "accept"
    logging: true
    ipProtocol: tcp
    source:
      addresses:
      - "2002::10:20:0:0/96"
    destination:
      ports:
      - "80"
  - name: allow-ftp
    action: "accept"
    logging: true
    ipProtocol: tcp
    source:
      addresses:
      - "2002::10:30:0:0/96"
    destination:
      ports:
      - "20"
      - "21"
  - name: drop-all
    action: "drop"
    logging: true
    ipProtocol: any
    source:
      addresses:
      - "::0/0"
      - "0.0.0.0/0"
```
Install the F5BigFwPolicy CR:
```shell
kubectl apply -f spk-fw-cr.yaml
```
In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:
```
I0202 12:00:00.12346 1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy", FirewallPolicy gateway/fw-policy was added/updated
```
Optional: The example F5BigContextSecure CR listens for connections destined to the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface, and references all of the installed CRs. Copy and paste the example into a YAML file:
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: "context"
  namespace: "gateway"
spec:
  ipv6destinationAddress: "2002::200:200:200:0/112"
  destinationPort: 0
  firewallEnforcedPolicy: "fw-policy"
  logProfile: "spk-log-profile"
  ipProtocol: "any"
  profile: "fastL4"
  vlans:
    vlanList:
    - "subscriber-vlan"
```
Install the F5BigContextSecure CR:
```shell
kubectl apply -f f5-spk-context.yaml
```
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
```
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext gateway/context was added/updated
```
Continue to the Firewall statistics section.
Firewall statistics¶
If the TMM Debug sidecar is enabled (default), use the steps below to verify the firewall filtering statistics.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the gateway namespace:
```shell
kubectl exec -it deploy/f5-tmm -c debug -n gateway -- bash
```
Verify the F5BigFwPolicy statistics:
```shell
tmctl -d blade fw_rule_stat
```
```
context_type context_name
------------ ------------------------------------------
virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs

rule_name                            micro_rules counter last_hit_time action
------------------------------------ ----------- ------- ------------- ------
allow-10-20-http-firewallpolicyrule  1           2       1638572860    2
allow-10-30-ftp-firewallpolicyrule   1           5       1638573270    2
```