F5BigAlgFtp

Overview

The F5BigAlgFtp Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to provide File Transfer Protocol (FTP) application layer gateway (ALG) services. The F5BigAlgFtp CR supports both active and passive modes.

This document guides you through configuring and installing a simple F5BigAlgFtp CR.

CR Parameters

The table below describe the F5BigAlgFtp CR spec parameters:

Parameter Description
destinationAddress The destination IPv4 address of the application.
ipv6destinationAddress The destination IPV6 address of the application.
destinationPort The destination service port of the application. The default value is 21.
natPolicy Specifies an F5BigNatPolicy CR using the metadata.name value.
firewallEnforcedPolicy Specifies an F5BigFwPolicy CR using the metadata.name value.
logProfile Specifies an F5BigLogProfile CR using the metadata.name value.
idleTimeout Specifies the number of seconds that a connection can remain idle before it is eligible for deletion: 0 - 4294967295. The default is 300.
vlans.vlanList Specify a list of VLANs to accept traffic on. Traffic can also be denied using the disableListedVlans parameter.
vlans.disableListedVlans Denies traffic specified with the vlanList parameter: true (default) or false.
tcpSettings.clientSide Specifies how TMM handles clientside TCP connections using the F5BigTcpSetting CR's metadata.name value.
tcpSettings.serverSide Specifies how TMM handles serverside TCP connections using the F5BigTcpSetting CR's metadata.name value.
irules Reference to a list of iRules.
ftpSession.translateExtended Enables automatically translating RFC2428 extended requests EPSV and EPRT to PASV and PORT when talking to IPv4 servers: true (default) or false.
ftpSession.inheritParentProfile When enabled, the data channel inherits the TCP profile used by the control channel. When disabled, the data channel uses FastL4 only: true (default) or false.
ftpSession.dataPort Specifies data channel port for the FTP profile. The default value is 20.
ftpSession.allowActiveMode Enables FTP Active Transfer mode: true (default) or false.
ftpSession.allowFtpsMode Specifies the FTPS mode field to use: DISALLOW (default) or ALLOW.
ftpSession.createWildCardVS Creates a wild card port (any port) for virtual server (destinationAddress) on the TMM. The value of this parameter can be true or false (default). This parameter is used only when the ftpsMode is set to ALLOW.

CR Example

apiVersion: k8s.f5net.com/v1
kind: F5BigAlgFtp
metadata:
  name: "cnf-ftp"
  namespace: "cnf-gateway"
spec:
   destinationAddress: "10.10.10.0/24"
   ipv6destinationAddress: "2001::1234:5678/96"
   destinationPort: 21
   logProfile: "cnf-log-profile"
   firewallEnforcedPolicy: "cnf-firewall-policy"
   natPolicy: "cnf-nat-policy"
   irules: ["cnf-irule"]
   tcpSettings:
     clientSide: "cnf-tcp-profile"
     serverSide: "cnf-tcp-profile"
   ftpSession:
     translateExtended: true
     allowFtpsMode: false 
     createWildCardVS: false

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigAlgFtp CR shortName is algftp.

View CR instance:

oc get algftp -n <namespace>

View CR configuration:

oc get algftp -n <namespace> -o yaml

Requirements

Ensure you have:

Installation

This installation procedure provides Optional examples, representing each of the CNFs Custom Resources (CRs) that can be referenced by the F5BigAlgFtp CR. Use the steps below to configure TMM:

_images/spk_info.png Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: Copy the example F5BigNatPolicy CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigNatPolicy
    metadata:
      name: "cnf-nat-policy"
      namespace: "cnf-gateway"
    spec:
      sourceTranslation:
        - name: "dynamic-trans"
          type: "dynamic-pat"
          addresses:
            - "10.200.2.1-10.200.2.10"
          port: "8000-8500"
          patMode: "napt"
          inbound:
            eifTimeout: 200
            mode: "endpoint-independent-filtering"
          mapping:
            mode: "endpoint-independent-mapping"
            timeout: 60
          routeAdvertisement: true
      rule:
        - name: 10-20-subnet
          ipProtocol: tcp
          source:
            addresses:
             - "10.20.2.0/24"
          sourceTranslation: "dynamic-trans"
    
  2. Install the F5BigNatPolicy CR:

    oc apply -f cnf-nat-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigNatPolicy CR was added/updated:

    I0202 12:00:00.12345   1 event.go:282 Event(v1.ObjectReference{Kind:"F5NatPolicy",
    NatPolicy cnf-gateway/cnf-nat-policy was added/updated
    
  3. Optional: Copy the example F5BigFwPolicy into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigFwPolicy
    metadata:
      name: "cnf-fw-policy"
      namespace: "cnf-gateway"
    spec:
      rule:
        - name: allow-10-30-ftp
          action: "accept"
          logging: true
          ipProtocol: tcp
          source:
            addresses:
              - "10.30.2.0/24"
          destination:
            ports:
              - "20"
              - "21"
    
  4. Install the F5BigFwPolicy CR:

    oc apply -f cnf-fw-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:

    I0202 12:00:00.12346   1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy",
    FirewallPolicy cnf-gateway/cnf-fw-policy was added/updated
    
  5. Optional: Copy the example F5BigLogHslpub CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: hsl-pool
        endpoint:
        - "10.30.2.220:514"
      syslog:
      - name: "cnf-syslog"
        distribution: "adaptive"
        format: "rfc5424"
        pool: "hsl-pool"
        protocol: "udp"
    
  6. Install the F5BigLogHslpub CR:

    oc apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  7. Optional: Copy the example F5BigLogProfile CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-logs"
      nat:
        enabled: true
        logSubscriberID: true
        publisher: "cnf-hsl-pub"
        inbound:
          start:
            mode: "enabled"
          end:
            mode: "enabled"
        quotaExceeded:
          mode: "enabled"
        errors:
          mode: "enabled"
      firewall:
        enabled: true
        trafficStats:
          publisher: "cnf-hsl-pub"
          reapedFlows: true
          missedFlows: true
          activeFlows: true
        network:
          publisher: "cnf-hsl-pub"
          events:
            aclMatchAccept: true
            aclMatchDrop: true
            tcpEvents: true
            aclToBoxDeny: true
            translationFields: true
    
  8. Install the F5BigLogProfile CR:

    oc apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:

    I0202 12:00:00.12348   1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile",
    LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  9. Optional: Copy the F5BigTcpSetting CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigTcpSetting
    metadata:
      name: "cnf-tcp-profile"
      namespace: "cnf-gateway"
    spec:
      nagle: true
      pushFlag: auto
      earlyRetransmit: false
    
  10. Install the F5BigTcpSetting CR:

    oc apply -f cnf-tcp-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CR was added/updated:

    I0202 12:00:00.12349   1 event.go:282 Event(v1.ObjectReference{Kind:"F5TcpSetting",
    TcpSetting cnf-gateway/tcp-client was added/updated
    
  11. Copy the F5BigAlgFtp CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigAlgFtp
    metadata:
      name: "cnf-ftp"
      namespace: "cnf-gateway"
    spec:
       destinationAddress: "10.10.10.0/24"
       ipv6destinationAddress: "2001::1234:5678/96"
       destinationPort: 21
       logProfile: "cnf-log-profile"
       firewallEnforcedPolicy: "cnf-firewall-policy"
       natPolicy: "cnf-nat-policy"
       irules: ["cnf-irule"]
       tcpSettings:
         clientSide: "cnf-tcp-profile"
         serverSide: "cnf-tcp-profile"
       ftpSession:
         translateExtended: true
         allowFtpsMode: false 
         createWildCardVS: false
    
  12. Install the F5BigAlgFtp CR:

    oc apply -f f5-cnf-ftp.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigAlgFtp CR was added/updated:

    I0203 12:00:00:1245    1 event.go:282] Event(v1.ObjectReference{Kind:"F5FTP",
    F5FTP cnf-gateway/cnf-ftp was added/updated
    

Traffic statistics

If you have installed the TMM Debug container, use the following steps to gather traffic processing statistics for the F5BigNatPolicy, F5BigFwPolicy and F5BigContextSecure CRs.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify F5BigNatPolicy connection statistics:

    tmctl -d blade fw_nat_rule_stat
    
    context_type context_name                          rule_name
    --------- ---------------------------------------  --------------------------
    virtual   cnf-cnf-context-secure-SecureContext_vs  10-20-subnet-natpolicyrule
    
    micro_rules counter last_hit_time action
    ----------- ------- ------------- ------
              1       8    1643836695      0
    
    tmctl -d blade fw_nat_trans_stat -s type,name,translation_requests
    
    type         name        translation_requests
    ------------ ----------- --------------------
    fw_src_trans transparent                    0
    fw_dst_trans transparent                    8
    fw_src_trans automap                        0
    ```## Traffic statistics
    

If you have installed the TMM Debug container, use the following steps to gather traffic processing statistics for the F5BigNatPolicy, F5BigFwPolicy and F5BigContextSecure CRs.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify F5BigNatPolicy connection statistics:

    tmctl -d blade fw_nat_rule_stat
    
    context_type context_name                          rule_name
    --------- ---------------------------------------  --------------------------
    virtual   cnf-cnf-context-secure-SecureContext_vs  10-20-subnet-natpolicyrule
    
    micro_rules counter last_hit_time action
    ----------- ------- ------------- ------
              1       8    1643836695      0
    
    tmctl -d blade fw_nat_trans_stat -s type,name,translation_requests
    
    type         name        translation_requests
    ------------ ----------- --------------------
    fw_src_trans transparent                    0
    fw_dst_trans transparent                    8
    fw_src_trans automap                        0
    
  3. Verify the F5BigNatPolicy client IP address mappings:

    lsndb list all
    
    Client                                          Connections
    -----------------------------------------------------------
    0 client with 0 connection found.
    LSN Persistence Entries
    Client                                          Translation
    -----------------------------------------------------------
    10.20.2.220:52110                           10.200.2.8:8265
    10.20.2.220                                 10.200.2.8
    2 persist entries found.
    LSN port block allocations
    Client                                          Port block
    ----------------------------------------------------------
    0 port block entries found.
    LSN Inbound Mapping Entries
    Translation                                         Client
    ----------------------------------------------------------
    10.200.2.8:8265                          10.20.2.220:52110
    10.200.2.7:8397                          10.20.2.220:52106
    
  4. Verify the F5BigFwPolicy statistics:

    tmctl -d blade fw_rule_stat
    
    context_type context_name
    ------------ ------------------------------------------
    virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs
    
    rule_name                            micro_rules counter last_hit_time action
    ------------------------------------ ----------- ------- ------------- ------
    allow-10-20-http-firewallpolicyrule            1       2    1638572860      2
    allow-10-30-ftp-firewallpolicyrule             1       5    1638573270      2
    
  5. Verify the F5BigAlgFtp statistics:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    
    name                                            clientside.tot_conns
    ----------------------------------------------- --------------------
    cnf-gateway-cnf-ftp-ftp-virtual-server          7
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental