F5BigAlgTftp¶
Overview¶
The F5BigAlgTftp Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to provide secure File Transfer Protocol (FTP) application layer gateway (ALG) services.
This document guides you through understanding, configuring and installing a simple F5BigAlgTftp CR.
CR Parameters¶
The table below describes the CR spec
parameters:
Parameter | Description |
---|---|
destinationAddress |
The destination IPv4 address of the application. |
ipv6destinationAddress |
The destination IPv6 address of the application. |
destinationPort |
The destination server port of the application. The default is 69. |
natPolicy |
Specifies a NAT Policy by metadata.name . |
firewallEnforcedPolicy |
Specifies a Firewall ACL Policy by metadata.name . |
logProfile |
Specifies a Log Profile by metadata.name . |
tftpSession.idleTimeout |
Specifies the number of seconds that a connection can remain idle before deletion: 1 to 4294967295. The default is 30. |
vlans.vlanList |
Specify a list of VLANs to accept traffic on. Traffic can also be denied using the disableListedVlans parameter. |
vlans.disableListedVlans |
Denies traffic specified with the vlanList parameter: true (default) or false . |
CR Example¶
apiVersion: k8s.f5net.com/v1
kind: F5BigAlgTftp
metadata:
name: "cnf-tftp"
namespace: "cnf-gateway"
spec:
destinationAddress: "0.0.0.0/0"
ipv6destinationAddress: "::/0"
destinationPort: 69
natPolicy: "cnf-nat-policy"
logProfile: "cnf-log-profile"
firewallEnforcedPolicy: "cnf-fw-policy"
tftpSession:
idleTimeout: 35
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigAlgTftp CR shortName is algtftp.
View CR instance:
oc get algtftp -n <namespace>
View CR configuration:
oc get algtftp -n <namespace> -o yaml
Installation¶
This installation procedure provides Optional examples, representing each of the CNFs Custom Resources (CRs) that can be referenced by the F5BigAlgTftp CR. Use the steps below to configure TMM:
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: Copy the example F5BigNatPolicy CR into a YAML file:
apiVersion: "k8s.f5net.com/v1" kind: F5BigNatPolicy metadata: name: "cnf-nat-policy" namespace: "cnf-gateway" spec: sourceTranslation: - name: "dynamic-trans" type: "dynamic-pat" addresses: - "10.200.2.1-10.200.2.10" port: "8000-8500" patMode: "napt" inbound: eifTimeout: 200 mode: "endpoint-independent-filtering" mapping: mode: "endpoint-independent-mapping" timeout: 60 routeAdvertisement: true rule: - name: 10-20-subnet ipProtocol: udp source: addresses: - "10.20.2.0/24" sourceTranslation: "dynamic-trans"
Install the F5BigNatPolicy CR:
oc apply -f cnf-nat-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigNatPolicy CR was added/updated:
I0202 12:00:00.12345 1 event.go:282 Event(v1.ObjectReference{Kind:"F5NatPolicy", NatPolicy cnf-gateway/cnf-nat-policy was added/updated
Optional: Copy the example F5BigFwPolicy CR into a YAML file:
apiVersion: "k8s.f5net.com/v1" kind: F5BigFwPolicy metadata: name: "cnf-fw-policy" namespace: "cnf-gateway" spec: rule: - name: allow-10-30-tftp action: "accept" logging: true ipProtocol: udp source: addresses: - "10.30.2.0/24" destination: ports: - "69"
Install the F5BigFwPolicy CR:
oc apply -f cnf-fw-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:
I0202 12:00:00.12346 1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy", FirewallPolicy cnf-gateway/cnf-fw-policy was added/updated
Optional: Copy the example F5BigLogHslpub CR into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigLogHslpub metadata: name: "cnf-pub" namespace: "cnf-gateway" spec: pool: - name: hsl-pool endpoint: - "10.30.2.220:514" syslog: - name: "cnf-syslog" distribution: "adaptive" format: "rfc5424" pool: "hsl-pool" protocol: "udp"
Install the F5BigLogHslpub CR:
oc apply -f cnf-hsl-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
Optional: Copy the example F5BigLogProfile CR into a YAML file:
apiVersion: "k8s.f5net.com/v1" kind: F5BigLogProfile metadata: name: "cnf-log-profile" namespace: "cnf-gateway" spec: name: "cnf-logs" nat: enabled: true logSubscriberID: true publisher: "cnf-pub" inbound: start: mode: "enabled" end: mode: "enabled" quotaExceeded: mode: "enabled" errors: mode: "enabled" firewall: enabled: true trafficStats: publisher: "cnf-pub" reapedFlows: true missedFlows: true activeFlows: true network: publisher: "cnf-pub-pub" events: aclMatchAccept: true aclMatchDrop: true aclToBoxDeny: true translationFields: true
Install the F5BigLogProfile CR:
oc apply -f cnf-log-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:
I0202 12:00:00.12348 1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/cnf-log-profile was added/updated
Copy the F5BigAlgTftp CR into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigAlgTftp metadata: name: "cnf-tftp" namespace: "cnf-gateway" spec: destinationAddress: "0.0.0.0/0" ipv6destinationAddress: "::/0" destinationPort: 69 natPolicy: "cnf-nat-policy" logProfile: "cnf-log-profile" firewallEnforcedPolicy: "cnf-fw-policy" tftpSession: idleTimeout: 35
Install the F5BigAlgTftp CR:
oc apply -f f5-cnf-tftp.yaml
In this example, the BIG-IP Controller logs indicate the F5BigAlgTftp CR was added/updated:
I0203 12:00:00.1234519 1 event.go:282] Event(v1.ObjectReference{Kind:"F5TFTP", F5TFTP cnf-gatway/cnf-tftp was added/updated
Traffic statistics¶
If you have installed the TMM Debug container, use the following steps to gather traffic processing statistics for the F5BigNatPolicy, F5BigFwPolicy and F5BigContextSecure CRs.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify F5BigNatPolicy connection statistics:
tmctl -d blade fw_nat_rule_stat
context_type context_name rule_name --------- --------------------------------------- -------------------------- virtual cnf-cnf-context-secure-SecureContext_vs 10-20-subnet-natpolicyrule micro_rules counter last_hit_time action ----------- ------- ------------- ------ 1 8 1643836695 0
tmctl -d blade fw_nat_trans_stat -s type,name,translation_requests
type name translation_requests ------------ ----------- -------------------- fw_src_trans transparent 0 fw_dst_trans transparent 8 fw_src_trans automap 0
Verify the F5BigNatPolicy client IP address mappings:
lsndb list all
Client Connections ----------------------------------------------------------- 0 client with 0 connection found. LSN Persistence Entries Client Translation ----------------------------------------------------------- 10.20.2.220:52110 10.200.2.8:8265 10.20.2.220 10.200.2.8 2 persist entries found. LSN port block allocations Client Port block ---------------------------------------------------------- 0 port block entries found. LSN Inbound Mapping Entries Translation Client ---------------------------------------------------------- 10.200.2.8:8265 10.20.2.220:52110 10.200.2.7:8397 10.20.2.220:52106
Verify the F5BigFwPolicy statistics:
tmctl -d blade fw_rule_stat
context_type context_name ------------ ------------------------------------------ virtual cnf-gateway-cnf-fw-policy-SecureContext_vs rule_name micro_rules counter last_hit_time action ------------------------------------ ----------- ------- ------------- ------ allow-10-30-tftp-firewallpolicyrule 1 5 1638573270 2
Verify the F5BigAlgFtp statistics:
tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
name clientside.tot_conns ----------------------------------------------- -------------------- cnf-gateway-cnf-tftp-alg-virtual-server 7
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.