F5BigIpsPolicy
Overview
In Network Security, you can configure profiles to inspect traffic for protocol inspection items. These items include compliance checks (which look for packet formation issues) and signatures (which detect potentially malicious packet content). The protocol inspection items are arranged in categories by service, such as HTTP, SIP, or DNS.
The protocol inspection profile provides a traffic evaluation layer that supplements the standard firewall rules, which manage traffic based on its network-level attributes.
Depending on the configuration, the inspection profile can prompt the system to monitor suspicious traffic, or it can drop or reject traffic based on its packet formation or payload signatures.
The F5BigIpsPolicy Custom Resource (CR) allows you to filter inspected traffic (matched events) by various properties, such as the inspection profile's host (virtual server or firewall policy), traffic properties, inspection action, or inspection service.
The F5BigIpsPolicy can be referenced by the F5BigContextSecure or F5BigDnsApp CRs to protect various service provider (internet and mobility) networks.
This document guides you through understanding, configuring and installing a simple F5BigIpsPolicy.
CR parameters
The tables below describe the F5BigIpsPolicy CR parameters.
metadata
Parameter | Description |
---|---|
name | The name of the IPS policy. This value is referenced by the traffic management CNF CRs. |
namespace | The Kubernetes namespace the IPS policy will install to. |
spec
Parameter | Description |
---|---|
stagingPeriod | Specifies the autopublishing suggestion period (in minutes). The default is 10080. |
stagingConfidence | Specifies the autopublishing suggestion confidence (percentage): 0 to 100. The default is 0. |
loggingGlobal | Enables logging of any of the configured compliances and signatures: true (default) or false. |
services | Specifies a list of protocol services, each containing its associated port numbers, compliance checks and signatures. |
services.name | Specifies the name of the service. Currently, only dns is available. |
services.ports | Specifies the port for the service. |
services.compliances | Specifies a list of compliance checks for the service, including each check's config value type and config value. |
services.compliances.name | Specifies the name of the compliance check. For example, dns_disallowed_resource_records. For a full list of compliances, refer to F5BigIpsPolicy Compliance Checks. |
services.compliances.valueType | Specifies the compliance check config value type: int, vector-int, string, vector-string, boolean, enum, or vector-enum. |
services.compliances.value | Specifies the compliance check config value. |
services.compliances.action | Specifies the compliance check action: accept (default), reject, or drop. |
services.compliances.logging | Enables logging of a matching compliance inspection: global (default), enabled, or disabled. |
services.signatures | Specifies a list of signatures for this service. |
services.signatures.name | Specifies the name of the attack signature. For example, dns_query_amplification_attempt. For a full list of signatures, refer to F5BigIpsPolicy Attack Signatures. |
services.signatures.action | Specifies the signature action: accept (default), reject, or drop. |
services.signatures.logging | Enables logging of a matching signature inspection: global (default), enabled, or disabled. |
CR Example
apiVersion: "k8s.f5net.com/v1"
kind: F5BigIpsPolicy
metadata:
  name: "ips-cr"
spec:
  description: "ips profile"
  services:
  - name: "smtp"
    ports: ["25"]
    compliances:
    - name: "smtp_malformed_pdu"
      action: "accept"
    signatures:
    - name: "ipswitch_collaboration_suite_smtp_format_string_vulnerability_2"
      action: "accept"
CR shortName
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigIpsPolicy CR shortName is ipspol.
View CR instance:
oc get ipspol -n <namespace>
View CR configuration:
oc get ipspol -n <namespace> -o yaml
Installation
Use these steps to install the example F5BigIpsPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:
Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.
apiVersion: k8s.f5net.com/v1
kind: F5BigLogHslpub
metadata:
  name: "cnf-hsl-pub"
  namespace: "cnf-gateway"
spec:
  pool:
  - name: "cnf-hslpool"
    endpoint:
    - "[2002::10:30:2:220]:514"
  syslog:
  - name: "syslog-dest"
    format: "rfc5424"
    protocol: "udp"
    pool: "cnf-hslpool"
Install the F5BigLogHslpub CR:
oc apply -f cnf-hsl-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
Optional: The example F5BigLogProfile CR specifies Protocol Inspection events to send to the remote log server. Copy and paste the example into a YAML file:
Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  name: "cnf-logs"
  publisher: "cnf-hsl-pub"
  protocolInspection:
    enabled: true
    publisher: "cnf-hsl-pub"
    logPacket: true
Install the F5BigLogProfile CR:
oc apply -f cnf-log-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:
I0202 12:00:00.12348 1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/cnf-log-profile was added/updated
The example F5BigIpsPolicy CR rejects SOA record queries, and rejects the dns_named_version_attempt and dns_os_solaris_exploit_sparc_overflow_attempt packet signatures. The F5BigIpsPolicy will log all configured compliances and signatures when the logging parameter is set to global (default). Copy and paste the CR into a YAML file:
Note: The F5BigIpsPolicy CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigIpsPolicy
metadata:
  name: "cnf-ips-policy"
  namespace: "cnf-gateway"
spec:
  services:
  - name: dns
    ports:
    - "53"
    compliances:
    - name: dns_disallowed_query_type
      valueType: string
      value: SOA
      action: reject
    signatures:
    - name: dns_named_version_attempt
      action: reject
    - name: dns_os_solaris_exploit_sparc_overflow_attempt
      action: reject
Install the F5BigIpsPolicy CR:
oc apply -f cnf-ips-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigIpsPolicy CR was added/updated:
I0208 12:00:00.12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5ProtocolInspectionProfile", ProtocolInspectionProfile cnf-gateway/cnf-ips-policy was added/updated
The example F5BigContextSecure CR accepts packets destined to the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface, and references the installed CRs. Copy and paste the CR into a YAML file:
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: "cnf-ips-context"
  namespace: "cnf-gateway"
spec:
  ipv6destinationAddress: "2002::200:200:200:0/112"
  destinationPort: 53
  ipProtocol: "any"
  profile: "fastL4"
  protocolInspectionProfile: "cnf-ips-policy"
  logProfile: "cnf-log-profile"
  vlans:
    vlanList:
    - "subscriber-vlan"
Install the F5BigContextSecure CR:
oc apply -f f5-cnf-ips-context.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-ips-context was added/updated
Review the Additional CRs and IPS statistics sections.
Additional CRs
The F5BigIpsPolicy can also be referenced by the F5BigDnsApp CR.
IPS statistics
Use the steps below to verify the F5BigIpsPolicy CR statistics:
Important: IPS statistics are not available until a compliance or signature packet match occurs.
Connect to the debug sidecar:
tmctl -d blade protocol_inspection_stats
In this example, the IPS policy shows 7 compliance check matches:
insp_id insp_name
------- -------------------------------
10007   dns_disallowed_resource_records

vs_name
-------------------------------------------
cnf-gateway-cnf-dns-ips-context-secure-SecureContext_vs

prof_name                                          hit_count last_hit_time
---------------------------------------------- --------- -------------
cnf-gateway-cnf-dns-ips-profileprotocolinspection 7         1644624084
You can also view the TMM logs to verify packet matching:
oc logs -f f5-tmm-5576f687d5-bv2kx -c f5-tmm -n cnf-gateway | \
  grep -i 'COMPL CHECK'
In this example, each log message indicates the compliance check id and the action taken:
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0001a91800002717
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0000525400002717
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0001673e00002717
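As an added example (not part of the F5 documentation or product), this Python snippet parses the COMPL CHECK MATCH lines above into structured records and totals them per inspection id, so a longer oc logs capture can be reconciled against the hit_count reported by tmctl. The regular expression assumes the exact field layout of the sample lines; the sample log is constructed from those lines plus one unrelated line.

```python
import re
from collections import Counter

# Field layout copied from the sample TMM lines on this page.
MATCH_RE = re.compile(
    r"COMPL CHECK MATCH: id=(?P<id>\d+), ctx='(?P<ctx>[^']*)', "
    r"action=(?P<action>\w+), support_id = (?P<support_id>[0-9a-f]+)"
)

def parse_compl_matches(lines):
    """Yield one dict per compliance-match line; other TMM lines are skipped."""
    for line in lines:
        m = MATCH_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["id"] = int(rec["id"])
            yield rec

def summarise(lines):
    """Count matches per (id, ctx, action) and collect the support_ids seen per id."""
    counts = Counter()
    support_ids = {}
    for rec in parse_compl_matches(lines):
        counts[(rec["id"], rec["ctx"], rec["action"])] += 1
        support_ids.setdefault(rec["id"], set()).add(rec["support_id"])
    return counts, support_ids

def reconcile(lines, insp_id, expected_hits):
    """Compare the log-derived match count for insp_id with tmctl's hit_count."""
    counts, _ = summarise(lines)
    seen = sum(n for (i, _, _), n in counts.items() if i == insp_id)
    return seen, seen == expected_hits

# Constructed sample: the three lines from this page plus one unrelated line.
SAMPLE_LOG = """\
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0001a91800002717
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0000525400002717
tmm: unrelated log line that the parser must ignore
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0001673e00002717
""".splitlines()

if __name__ == "__main__":
    counts, ids = summarise(SAMPLE_LOG)
    for (insp_id, ctx, action), n in counts.items():
        print(f"id={insp_id} ctx={ctx} action={action} matches={n} support_ids={sorted(ids[insp_id])}")
```

A mismatch between the log-derived total and the tmctl hit_count (here 3 lines against a counter of 7) usually means the log excerpt is incomplete, which is why the support_id list is kept for follow-up.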
Feedback
Provide feedback to improve this document by emailing cnfdocs@f5.com.