F5BigFwPolicy

The F5BigFwPolicy Custom Resource (CR) applies industry-standard firewall rules to the Traffic Management Microkernel (TMM), ensuring that only connections initiated by trusted clients will be accepted. When a new F5BigFwPolicy CR configuration is applied, the firewall rules are first sent to the Application Firewall Management (AFM) Pod, where they are compiled into Binary Large Objects (BLOBs) to enhance processing performance. Once the firewall BLOB is compiled, it is sent to the TMM Proxy Pod, which begins inspecting and filtering network packets based on the defined rules.

Parameters

The following tables describe the F5BigFwPolicy CR parameters.

metadata

Parameter Description
name The name of the Firewall Policy. This value is referenced by CNF Traffic Management CRs.
namespace The Kubernetes namespace where the firewall policy is installed.

spec

Parameter Description
rule.name Specifies the name of the firewall rule. A single policy can contain multiple firewall rules.
rule.ipProtocol Specifies the IP protocol against which the packet will be compared. The default value is "any". For a complete list of supported protocols, refer to the F5BigFwPolicy IP Protocols.
rule.action Specifies the action to apply to a packet that matches the Access Control List (ACL) rule: "accept", "drop", or "reject".
rule.logging Enables or disables logging for ACL rule matches. Valid values are true or false (default). When set to true, firewall actions (accept, drop, or reject) are logged. To enable logging, you must create a F5BigLogProfile CR to configure log message details and associate it with a F5BigLogHslpub CR to specify the log destination. Without these resources, no log messages will be generated.
rule.source.addresses Specifies a list of IPv4 or IPv6 source addresses against which the packet will be compared. Supported formats include a single host (2002::33:22), a subnet (2003::/64), or an address range (2002::33:22-2002::33:50).
rule.source.addressLists Specifies the F5BigCneAddressList by its metadata.name against which the packet will be compared. The ACL/NAT rule is internally disabled and not used for matching traffic when all the following conditions are true:
- This attribute specifies one or more addressLists, and
- All of these addressLists are empty or do not exist (soft-reference case), and
- The rule does not specify any direct source address.
For more information, refer to the Defining Address and Port Lists.
rule.source.ports Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is a valid value that functions as a service port, not as a wildcard.
rule.source.portLists Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. The ACL/NAT rule is internally disabled and not used for matching traffic when all the following conditions are true:
- This attribute specifies one or more portLists, and
- All of these portLists are empty or do not exist (soft-reference case), and
- The rule does not specify any direct source port.
For more information, refer to the Defining Address and Port Lists.
rule.source.vlans Specifies a list of F5BigNetVlans in an array.
rule.source.zones Specifies an array of VLAN zone names (strings). By default, this is an empty array. The ACL/NAT rule is internally disabled and not used for matching traffic when:
- This attribute specifies one or more zones, and
- All of these zones are empty or do not exist (soft-reference case), or refer only to non-existent VLANs.
For more information, refer to the F5BigCneZone CR.
rule.source.geos Specifies the geographical location (country or region) from which the traffic originates. The GEO entries are considered as another way of specifying IP addresses, so they are ORed with IP addresses specified either directly in the rule or in referred address lists.
Other matching criteria, like ports, are ANDed with GEOs/IP addresses, so for matching a firewall rule the traffic needs to match (a GEO or an IP) and all the other matching criteria.
By default, traffic is allowed from all geographical locations. Use rule.source.geos to allow or block traffic based on the source location in the following formats:
- Country Codes (2-letter codes):
For example, "US" for the United States or "IN" for India.
- Country and Region format: For example, "US:California" (CountryCode:RegionName)
Notes:
- The CountryCode must match the code2 value in the GeoIPv3_Countries_Regions.json file, which is part of the GeoIP Database. For more information, refer to the GeoIP Database.
- The RegionName must match the name_f5 value (F5-assigned region names) in the same GeoIPv3_Countries_Regions.json file. For more information, refer to the GeoIP Database.
rule.destination.addresses Specifies a list of IPv4 or IPv6 destination addresses against which the packet will be compared. Supported formats include a single host 2002::33:22, subnet 2003::/64, or an address range 2002::33:22-2002::33:50.
rule.destination.addressLists Specifies the F5BigCneAddressList by its metadata.name against which the packet will be compared. The ACL/NAT rule is internally disabled and not used for matching traffic when all the following conditions are true:
- This attribute specifies one or more addressLists, and
- All of these addressLists are empty or do not exist (soft-reference case), and
- The rule does not specify any direct destination address.
For more information, refer to the Defining Address and Port Lists.
rule.destination.ports Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is a valid value that functions as a service port, not as a wildcard.
rule.destination.portLists Specifies the F5BigCnePortList by its metadata.name against which the packet will be compared. The ACL/NAT rule is internally disabled and not used for matching traffic when all the following conditions are true:
- This attribute specifies one or more portLists, and
- All of these portLists are empty or do not exist (soft-reference case), and
- The rule does not specify any direct destination port.
For more information, refer to the Defining Address and Port Lists.
rule.destination.zones Specifies an array of VLAN zone names (strings). By default, this is an empty array. The ACL/NAT rule is internally disabled and not used for matching traffic when:
- This attribute specifies one or more zones, and
- All of these zones are empty or do not exist (soft-reference case), or refer only to non-existent VLANs.
For more information, refer to the F5BigCneZone CR.
rule.destination.geos Specifies the geographical location (country or region) to which the traffic is directed. The GEO entries are considered as another way of specifying IP addresses, so they are ORed with IP addresses specified either directly in the rule or in referred address lists.
Other matching criteria, like ports, are ANDed with GEOs/IP addresses, so for matching a firewall rule the traffic needs to match (a GEO or an IP) and all the other matching criteria.
By default, traffic is allowed to all geographical locations. Use rule.destination.geos to allow or block traffic based on the destination location in the following formats:
- Country Codes (2-letter codes):
For example, "US" for the United States or "IN" for India.
- Country and Region format: For example, "US:California" (CountryCode:RegionName)
Notes:
- The CountryCode must match the code2 value in the GeoIPv3_Countries_Regions.json file, which is part of the GeoIP Database. For more information, refer to the GeoIP Database.
- The RegionName must match the name_f5 value (F5-assigned region names) in the same GeoIPv3_Countries_Regions.json file. For more information, refer to the GeoIP Database.
rule.ruleList Specifies the name of the firewall rule list that this rule references.
servicePolicy Specifies the service policy to apply.

To add, modify, or delete the firewall rules easily, break the rules into multiple smaller units and store them in the F5BigFwRulelist CR.

CR Example

apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: "cnf-fw-policy"
  namespace: "cnf-gateway"
spec:
  rule:
    - name: allow-10-20-http
      action: "accept"
      logging: true
      servicePolicy: "service-policy1"
      ipProtocol: tcp
      source:
        addresses:
          - "2002::10:20:0:0/96"
        zones:
          - "zone1"
          - "zone2"
      destination:
        ports:
          - "80"
        zones:
          - "zone3"
          - "zone4"

    - name: allow-10-30-ftp
      action: "accept"
      logging: true
      ipProtocol: tcp
      source:
        addresses:
          - "2002::10:30:0:0/96"
        zones:
          - "zone1"
          - "zone2"
      destination:
        ports:
          - "20"
          - "21"
        zones:
          - "zone3"
          - "zone4"

    - name: allow-us-traffic
      action: "accept"
      logging: true
      source:
        geos:
          - "US:California"
      destination:
        geos:
          - "MX:Baja California"
          - "MX:Chihuahua"

    - name: drop-all
      action: "drop"
      logging: true
      ipProtocol: any
      source:
        addresses:
          - "::0/0"
          - "0.0.0.0/0"

Maximum Firewall Rule Size Limit

When F5BigFwPolicy CRs are installed into the cluster, the firewall rule set is declared in the metadata.annotations section of the CR. It is important to note that Kubernetes does not allow the metadata.annotations section to exceed 262144 bytes of data, and will log an error message stating this size limitation.

CR ShortName

CR shortNames provide a convenient way to view installed CRs and their configuration parameters. They can also be used to delete CR instances more easily. The F5BigFwPolicy CR shortName is fwpol.

View CR instance:

oc get fwpol -n <namespace>

View CR configuration:

oc get fwpol -n <namespace> -o yaml

Defining Address and Port Lists

You can define complex lists of IP addresses and service ports using the F5BigCneAddresslist and F5BigCnePortlist CRs. These address and port list CRs can then be referenced from the F5BigFwPolicy rule.source and rule.destination addressLists and portLists parameters, and also by the F5BigDdosProfile CR.

Address list:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
  name: "allow-ipv6"
  namespace: "cnf-gateway"
spec:
  addresses:
   - "2002::33:22-2002::33:50"
   - "2003::/64"
   - "2004::1"

Port list:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCnePortlist
metadata:
  name: allow-5000s
spec:
  ports:
  - "5000-5500"

Understanding CNF Firewall Modes

The default firewall mode for CNFs controls how network packets are handled when either of these conditions is met:

  • None of the installed CNFs CRs reference a F5BigFwPolicy.

  • A CNFs CR references a F5BigFwPolicy, but the packets do not match any of its rules.

The following table describes each of the default firewall mode settings:

Mode Behavior
accept Network packets are accepted and processed by TMM. This is the default setting.
drop Network packets are silently dropped.
reject Network packets are rejected. For TCP connections, a RST (reset) packet is sent in response.

By default, the firewall mode accepts all network packets not matching a F5BigFwPolicy firewall rule. You can modify this behavior using the F5BigContextGlobal Custom Resource (CR).
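The following Python model ties together the matching semantics from the parameter table (GEO entries ORed with IP addresses, every other criterion ANDed, port 0 as a literal port, a rule internally disabled by a soft reference to absent address lists) and the default firewall mode described in this section. It is an added example, not F5 code: the policy, address lists, packets and the GEO matching convention (a bare country code covers all its regions) are constructed assumptions, and the GEO strings stand in for the GeoIP lookup TMM performs.

```python
import ipaddress

# Constructed policy modelled on the page's CR example (not F5 code); GEO strings stand in for TMM's GeoIP lookup.
POLICY = [
    {"name": "allow-10-20-http", "action": "accept", "ipProtocol": "tcp",
     "source": {"addresses": ["2002::10:20:0:0/96"]}, "destination": {"ports": ["80"]}},
    {"name": "allow-us-traffic", "action": "accept", "source": {"geos": ["US:California"]},
     "destination": {"geos": ["MX:Baja California", "MX:Chihuahua"]}},
    {"name": "needs-list", "action": "accept", "source": {"addressLists": ["not-yet-created"]}},
    {"name": "drop-all", "action": "drop", "ipProtocol": "any",
     "source": {"addresses": ["::0/0", "0.0.0.0/0"]}},
]
ADDRESS_LISTS = {}                # name -> addresses; "not-yet-created" is only a soft reference
DEFAULT_FIREWALL_MODE = "accept"  # the F5BigContextGlobal default applied to unmatched packets

def addr_in(ip, entries):
    """Host, CIDR or 'lo-hi' range, the three formats the addresses parameter accepts."""
    ip = ipaddress.ip_address(ip)
    for e in entries:
        lo, _, hi = e.partition("-")
        nets = (ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                if hi else [ipaddress.ip_network(lo, strict=False)])
        if any(ip in n for n in nets):    # 'in' is False across IPv4/IPv6, so families never mix
            return True
    return False

def port_in(port, entries):
    """Port or 'lo-hi' range; port 0 is matched literally, never as a wildcard."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (e.partition("-") for e in entries))

def geo_in(geo, entries):
    return any(geo == e or geo.split(":")[0] == e for e in entries)  # assumed: bare "US" covers all US regions

def side_matches(side, ip, port, geo):
    """True/False on match; None when a soft reference to absent lists disables the rule."""
    listed = [a for n in side.get("addressLists", []) for a in ADDRESS_LISTS.get(n, [])]
    if side.get("addressLists") and not listed and not side.get("addresses"):
        return None
    addrs, geos = side.get("addresses", []) + listed, side.get("geos", [])
    if (addrs or geos) and not (addr_in(ip, addrs) or geo_in(geo, geos)):
        return False                  # (GEO or IP) ...
    if side.get("ports") and not port_in(port, side["ports"]):
        return False                  # ... AND every other criterion, such as ports
    return True

def evaluate(pkt, policy=POLICY, default=DEFAULT_FIREWALL_MODE):
    """First matching rule decides; packets matching no rule get the global firewall mode."""
    for r in (r for r in policy if r.get("ipProtocol", "any") in ("any", pkt["proto"])):
        s = side_matches(r.get("source", {}), pkt["src_ip"], pkt["src_port"], pkt["src_geo"])
        d = side_matches(r.get("destination", {}), pkt["dst_ip"], pkt["dst_port"], pkt["dst_geo"])
        if s and d:                   # None (rule disabled) falls through just like False
            return r["action"], r["name"]
    return default, None
```

Packets are plain dicts with proto, src_ip, dst_ip, src_port, dst_port, src_geo and dst_geo keys; creating the referenced address list (adding it to ADDRESS_LISTS) is what turns the disabled needs-list rule back on.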

Configuring Firewall Rules for External Traffic with Logging Enabled

To configure firewall rules for external traffic and enable logging of firewall events, you must define a firewall policy, attach it to a secure context for enforcement, and set up logging components to capture and forward events to a defined log destination.

Prerequisites

Ensure that you have the following:

  • Installed the BIG-IP Controller.

  • A Linux-based workstation.

Procedure

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Copy the example F5BigFwPolicy CR below into a YAML file to create firewall rules that allow HTTP (port 80) and FTP (ports 20 and 21) traffic from the source subnet 2002::10:30:0:0/96 and drop all other traffic, with logging enabled for all rules.

    Note: The F5BigFwPolicy CR is referenced by the F5BigContextSecure CR to enforce firewall rules on application traffic.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigFwPolicy
    metadata:
      name: "cnf-fw-policy"
      namespace: "cnf-gateway"
    spec:
      rule:
        - name: allow-http
          action: "accept"
          logging: true
          ipProtocol: tcp
          source:
            addresses:
              - "2002::10:20:0:0/96"
            zones:
              - "zone1"
              - "zone2"
          destination:
            ports:
              - "80"
            zones:
              - "zone3"
              - "zone4"
        - name: allow-ftp
          action: "accept"
          logging: true
          ipProtocol: tcp
          source:
            addresses:
              - "2002::10:30:0:0/96"
            zones:
              - "zone1"
              - "zone2"
          destination:
            ports:
              - "20"
              - "21"
            zones:
              - "zone3"
              - "zone4"
        - name: drop-all
          action: "drop"
          logging: true
          ipProtocol: any
          source:
            addresses:
              - "::0/0"
              - "0.0.0.0/0"
    
  2. Apply the F5BigFwPolicy CR that you have created.

    oc apply -f cnf-fw-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated.

    I0202 12:00:00.12346   1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy",
    FirewallPolicy cnf-gateway/cnf-fw-policy was added/updated
    
  3. Copy the example F5BigContextSecure CR below into a YAML file to attach the firewall policy created in Step 1. This secure context protects traffic destined for the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface and forwards logs using a logging profile.

    Note: The F5BigContextSecure CR references the F5BigFwPolicy CR for firewall enforcement.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-context"
      namespace: "cnf-gateway"
    spec:
       ipv6destinationAddress: "2002::200:200:200:0/112"
       destinationPort: 0
       firewallEnforcedPolicy: "cnf-fw-policy"
       logProfile: "cnf-log-profile"
       ipProtocol: "any"
       profile: "fastL4"
       vlans:
         vlanList:
           - "subscriber-vlan"
    
  4. Apply the F5BigContextSecure CR that you have created.

    oc apply -f f5-cnf-context.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated.

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-context was added/updated 
    
  5. Copy the example F5BigLogProfile CR below into a YAML file to enable the logging of firewall events such as aclMatchAccept and aclMatchDrop, as well as TCP traffic events. This CR also references a publisher for delivering logs.

    Note: The F5BigLogProfile CR references the F5BigLogHslpub CR to publish logs.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-logs"
      firewall:
        enabled: true
        network:
          publisher: "cnf-hsl-pub"
          events:
            aclMatchAccept: true
            aclMatchDrop: true
            tcpEvents: true
            translationFields: true
    
  6. Apply the F5BigLogProfile CR that you have created.

    oc apply -f cnf-log-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated.

    I0202 12:00:00.12348   1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile",
    LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  7. Copy the example F5BigLogHslpub CR below into a YAML file to define a pool and syslog configuration that forwards logs to a remote syslog server.

    Note: The F5BigLogHslpub CR is referenced by the F5BigLogProfile CR for log delivery to external systems.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "hsl-pool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "cnf-syslog"
        format: "rfc5424"
        protocol: "udp"
        pool: "hsl-pool"
    
  8. Apply the F5BigLogHslpub CR that you have created.

    oc apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated.

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    

Additional CRs

The F5BigFwPolicy can also be referenced by these CNFs CRs:

  • F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.

  • F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.

  • F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.

  • F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.

Verifying Firewall Statistics with TMM Debug Sidecar

If the TMM Debug sidecar is enabled (default), follow these steps to verify the firewall filtering statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigFwPolicy statistics:

    tmctl -d blade fw_rule_stat
    
    context_type context_name
    ------------ ------------------------------------------
    virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs
    
    rule_name                            micro_rules counter last_hit_time action
    ------------------------------------ ----------- ------- ------------- ------
    allow-10-20-http-firewallpolicyrule            1       2    1638572860      2
    allow-10-30-ftp-firewallpolicyrule             1       5    1638573270      2
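
To check these statistics against the rules declared in the F5BigFwPolicy CR, the parser below splits tmctl's fixed-width tables on their dash rows and maps each CR rule name to its counter. It is an added example, not F5 tooling; the sample output is copied from the two rows shown above, the stripping of the -firewallpolicyrule suffix follows the naming visible in that output, and the expected rule names are taken from the CR example.

```python
import re

# Constructed sample copied from the tmctl fw_rule_stat output shown above (not live data).
SAMPLE_STATS = """\
context_type context_name
------------ ------------------------------------------
virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs

rule_name                            micro_rules counter last_hit_time action
------------------------------------ ----------- ------- ------------- ------
allow-10-20-http-firewallpolicyrule            1       2    1638572860      2
allow-10-30-ftp-firewallpolicyrule             1       5    1638573270      2
"""

def parse_tmctl_tables(text):
    """Split tmctl's blank-line-separated tables into lists of row dicts.

    The dash row under each header fixes the column boundaries, so values are
    sliced by position rather than split on whitespace."""
    tables = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header, dashes, rows = lines[0], lines[1], lines[2:]
        spans = [(m.start(), m.end()) for m in re.finditer(r"-+", dashes)]
        spans[-1] = (spans[-1][0], None)          # last column runs to end of line
        names = [header[s:e].strip() for s, e in spans]
        tables.append([{n: row[s:e].strip() for n, (s, e) in zip(names, spans)} for row in rows])
    return tables

def rule_hits(stats_text, expected_rules):
    """Counter per F5BigFwPolicy rule name; None when the rule has no stats row at all.

    tmctl reports each rule as <rule.name>-firewallpolicyrule, so that suffix is
    stripped before comparing against the names declared in the CR."""
    rules = next((t for t in parse_tmctl_tables(stats_text) if t and "rule_name" in t[0]), [])
    hits = {r["rule_name"].removesuffix("-firewallpolicyrule"): int(r["counter"]) for r in rules}
    return {name: hits.get(name) for name in expected_rules}
```

A rule that maps to None has no statistics row, which is the first thing to look at when traffic you expected to be accepted or dropped is not being counted.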
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.