F5BigFwPolicy

Overview

The F5BigFwPolicy Custom Resource (CR) applies industry-standard firewall rules to the Traffic Management Microkernel (TMM), ensuring that only connections initiated by trusted clients are accepted. When a new F5BigFwPolicy CR configuration is applied, the firewall rules are first sent to the Advanced Firewall Manager (AFM) Pod, which compiles them into a binary large object (BLOB) for faster processing. Once the firewall BLOB is compiled, it is sent to the TMM Proxy Pod, which begins inspecting and filtering network packets against it.

This document guides you through understanding, configuring and installing a simple F5BigFwPolicy CR.

CR parameters

The tables below describe the F5BigFwPolicy CR parameters.

metadata

Parameter Description
name The name of the Firewall Policy. This value is referenced by CNF Traffic Management CRs.
namespace The Kubernetes Namespace the Firewall Policy installs to.

spec

Parameter Description
rule.name The name of the firewall rule. A policy can contain multiple firewall rules.
rule.ipProtocol Specifies the IP protocol against which the packet will be compared. The default value is "any". The F5BigFwPolicy IP Protocols document contains the full list of supported protocols.
rule.action Specifies the action applied to a packet that matches the ACL rule: "accept", "drop", or "reject".
rule.logging Enables ACL rule match logging: true or false (default).
rule.source.addresses Specifies a list of IPv4 or IPv6 source addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20.
rule.source.addressLists Specifies the F5BigCneAddresslist by metadata.name against which the packet will be compared. See the Address and Port lists section below.
rule.source.ports Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is a valid value; it matches service port 0 and is not a wildcard.
rule.source.portLists Specifies the F5BigCnePortlist by metadata.name against which the packet will be compared. See the Address and Port lists section below.
rule.source.vlans Specifies a list of F5BigNetVlans in an array.
rule.destination.addresses Specifies a list of IPv4 or IPv6 destination addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20.
rule.destination.ports Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is a valid value; it matches service port 0 and is not a wildcard.
rule.destination.addressLists Specifies the F5BigCneAddresslist by metadata.name against which the packet will be compared. See the Address and Port lists section below.
rule.destination.portLists Specifies the F5BigCnePortlist by metadata.name against which the packet will be compared. See the Address and Port lists section below.

CR Example

apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: "cnf-fw-policy"
  namespace: "cnf-gateway"
spec:
  rule:
    - name: allow-10-20-http
      action: "accept"
      logging: true
      ipProtocol: tcp
      source:
        addresses:
          - "2002::10:20:0:0/96"
      destination:
        ports:
          - "80"
    - name: allow-10-30-ftp
      action: "accept"
      logging: true
      ipProtocol: tcp
      source:
        addresses:
          - "2002::10:30:0:0/96"
      destination:
        ports:
          - "20"
          - "21"
    - name: drop-all
      action: "drop"
      logging: true
      ipProtocol: any
      source:
        addresses:
          - "::0/0"
          - "0.0.0.0/0"

CR shortName

CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigFwPolicy CR shortName is fwpol.

View CR instance:

kubectl get fwpol -n <namespace>

View CR configuration:

kubectl get fwpol -n <namespace> -o yaml

Address and Port lists

Complex lists of IP addresses and service ports can be configured using the F5BigCneAddresslist and F5BigCnePortlist CRs. The F5BigFwPolicy CR can then reference the address and port list CRs by metadata.name, using the addressLists and portLists rule parameters.

Address list:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
  name: allow-ipv6
  namespace: cnf-gateway
spec:
  addresses:
   - "2002::192:168:10:1-2002::192:168:10:10"
   - "2002::10:10:10:0/112"

Port list:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCnePortlist
metadata:
  name: allow-5000s
  namespace: cnf-gateway
spec:
  ports:
  - "5000-5500"

Firewall mode

The CNFs default firewall mode controls how network packets are handled when either of these conditions is met:

  • None of the installed CNFs CRs references an F5BigFwPolicy.
  • A CNFs CR references an F5BigFwPolicy, but the packet does not match any of its rules.

The table below describes each of the default firewall mode settings:

Mode Behavior
accept Network packets are accepted and processed by TMM. This is the default setting.
drop Network packets are silently dropped.
reject Network packets are rejected. For TCP connections, a RST (reset) packet is sent in response.

By default, the firewall mode accepts all network packets that do not match an F5BigFwPolicy firewall rule, so a policy without a final catch-all drop or reject rule (such as the drop-all rule in the CR example above) leaves unmatched traffic open. You can change this behavior before installing the BIG-IP Controller, using the defaultFirewallRule.action Helm parameter. For more information, see step 6 in the Installation section of the BIG-IP Controller guide.

afm:
  defaultFirewallRule:
    action: accept
    log: true
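
The rule semantics in the parameter table, the CR example, the address and port entry formats, and the default firewall mode above can all be checked offline before anything is applied. The following Python is an added example written for this page, not F5 code. It evaluates a packet against a rule list assuming rules are matched top to bottom with the first match winning (BIG-IP AFM semantics; the page does not state the matching order) and falls back to the Helm defaultFirewallRule.action, and it lints a policy for bad address or port syntax, catch-all accept rules, rules shadowed by an earlier catch-all deny, and the fail-open case of a policy with no terminal drop/reject rule running under the default accept mode. EXAMPLE_POLICY is the spec from the CR example above; the packets are constructed; addressLists, portLists and vlans are refused rather than modelled.

```python
"""Offline evaluator and linter for an F5BigFwPolicy rule list (added example, not F5 code).
Assumes first-match-wins ordering (BIG-IP AFM semantics), that an unmatched packet gets the
Helm defaultFirewallRule.action, and models only ipProtocol, addresses and ports."""
import ipaddress
# Constructed from the CR example on this page (spec section only).
EXAMPLE_POLICY = {"rule": [
    {"name": "allow-10-20-http", "action": "accept", "ipProtocol": "tcp",
     "source": {"addresses": ["2002::10:20:0:0/96"]}, "destination": {"ports": ["80"]}},
    {"name": "allow-10-30-ftp", "action": "accept", "ipProtocol": "tcp",
     "source": {"addresses": ["2002::10:30:0:0/96"]}, "destination": {"ports": ["20", "21"]}},
    {"name": "drop-all", "action": "drop", "ipProtocol": "any",
     "source": {"addresses": ["::0/0", "0.0.0.0/0"]}},
]}
ACTIONS = ("accept", "drop", "reject")
UNMODELLED = ("addressLists", "portLists", "vlans")  # refused, not silently ignored
SIDES = ("source", "destination")

def parse_address(entry):
    """Host, CIDR or low-high range -> (IP version, first address, last address) as ints."""
    if "-" in entry:  # range form; IPv6 literals never contain '-'
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range: {entry}")
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)

def parse_port(entry):
    """'80' or '5000-5500' -> (low, high). Port 0 is a real port, not a wildcard."""
    lo, _, hi = str(entry).partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port entry: {entry}")
    return lo, hi

def rule_matches(rule, pkt):
    if rule.get("ipProtocol", "any") not in ("any", pkt["proto"]):
        return False
    for side in SIDES:
        sel = rule.get(side) or {}
        if any(sel.get(k) for k in UNMODELLED):
            raise ValueError(f"{rule['name']}: {side} uses list/VLAN selectors this model does not support")
        ip = ipaddress.ip_address(pkt[side]["ip"])
        spans = [parse_address(a) for a in sel.get("addresses", [])]
        if spans and not any(v == ip.version and lo <= int(ip) <= hi for v, lo, hi in spans):
            return False
        ports = [parse_port(p) for p in sel.get("ports", [])]
        if ports and not any(lo <= pkt[side]["port"] <= hi for lo, hi in ports):
            return False
    return True

def evaluate(policy_spec, pkt, default_action="accept"):
    """pkt = {"proto", "source": {"ip", "port"}, "destination": {...}} -> (action, rule name or None)."""
    for rule in policy_spec["rule"]:
        if rule_matches(rule, pkt):
            return rule["action"], rule["name"]
    return default_action, None  # no rule matched: the default firewall mode decides

def is_catch_all(rule):
    """True when the rule matches every packet: ipProtocol any, no ports/lists, all of IPv4 and IPv6."""
    if rule.get("ipProtocol", "any") != "any":
        return False
    for side in SIDES:
        sel = rule.get(side) or {}
        spans = [parse_address(a) for a in sel.get("addresses", [])]
        full = {v for v, lo, hi in spans if lo == 0 and hi == (1 << (32 if v == 4 else 128)) - 1}
        if any(sel.get(k) for k in ("ports",) + UNMODELLED) or (spans and full != {4, 6}):
            return False
    return True

def lint(policy_spec, default_action="accept"):
    """Checks worth running before kubectl apply; returns a list of findings (empty = clean)."""
    rules, findings, terminal_deny = policy_spec["rule"], [], False
    for i, r in enumerate(rules):
        if r.get("action") not in ACTIONS:
            findings.append(f"{r['name']}: action must be one of {ACTIONS}")
        try:
            for side in SIDES:  # parse every entry so bad syntax surfaces before apply
                sel = r.get(side) or {}
                list(map(parse_address, sel.get("addresses", [])))
                list(map(parse_port, sel.get("ports", [])))
            catch_all = is_catch_all(r)
        except ValueError as exc:
            findings.append(f"{r['name']}: {exc}")
            continue
        if catch_all and r.get("action") == "accept":
            findings.append(f"{r['name']} accepts all traffic")
        elif catch_all and r.get("action") in ("drop", "reject"):
            if i < len(rules) - 1:
                findings.append(f"rules after {r['name']} can never match")
            terminal_deny = i == len(rules) - 1
    if default_action == "accept" and not terminal_deny:
        findings.append("no terminal drop/reject rule and default firewall mode is accept: unmatched traffic is allowed")
    return findings

if __name__ == "__main__":
    pkt = {"proto": "tcp", "source": {"ip": "2002::10:30:0:1", "port": 40000},
           "destination": {"ip": "2002::200:200:200:1", "port": 80}}  # HTTP from the FTP-only subnet
    print(evaluate(EXAMPLE_POLICY, pkt))                              # ('drop', 'drop-all')
    print(evaluate({"rule": EXAMPLE_POLICY["rule"][:2]}, pkt))        # ('accept', None): fail-open
```

The same packet that drop-all catches is accepted with no matching rule once that rule is removed, which is the case the firewall mode section warns about; lint reports it unless default_action is "drop" or "reject". To check a real CR, load the file with a YAML parser (PyYAML's yaml.safe_load, for instance) and pass its spec mapping to lint before running kubectl apply.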

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigFwPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "hsl-pool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "cnf-syslog"
        format: "rfc5424"
        protocol: "udp"
        pool: "hsl-pool"
    
  2. Install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. Optional: The example F5BigLogProfile CR specifies firewall events such as aclMatchAccept and aclMatchDrop, and sends them to the remote logging server. Copy and paste the example into a YAML file:

    Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-logs"
      firewall:
        enabled: true
        network:
          publisher: "cnf-hsl-pub"
          events:
            aclMatchAccept: true
            aclMatchDrop: true
            tcpEvents: true
            translationFields: true
    
  4. Install the F5BigLogProfile CR:

    kubectl apply -f cnf-log-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:

    I0202 12:00:00.12348   1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile",
    LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  5. The example F5BigFwPolicy CR accepts HTTP (TCP port 80) from source subnet 2002::10:20:0:0/96 and FTP (TCP ports 20 and 21) from source subnet 2002::10:30:0:0/96, logs each match, and drops all other IPv4 and IPv6 traffic. Copy and paste the example into a YAML file:

    Note: The F5BigFwPolicy CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigFwPolicy
    metadata:
      name: "cnf-fw-policy"
      namespace: "cnf-gateway"
    spec:
      rule:
        - name: allow-http
          action: "accept"
          logging: true
          ipProtocol: tcp
          source:
            addresses:
              - "2002::10:20:0:0/96"
          destination:
            ports:
              - "80"
        - name: allow-ftp
          action: "accept"
          logging: true
          ipProtocol: tcp
          source:
            addresses:
              - "2002::10:30:0:0/96"
          destination:
            ports:
              - "20"
              - "21"
        - name: drop-all
          action: "drop"
          logging: true
          ipProtocol: any
          source:
            addresses:
              - "::0/0"
              - "0.0.0.0/0"
    
  6. Install the F5BigFwPolicy CR:

    kubectl apply -f cnf-fw-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:

    I0202 12:00:00.12346   1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy",
    FirewallPolicy cnf-gateway/cnf-fw-policy was added/updated
    
  7. Optional: The example F5BigContextSecure CR listens for connections destined to the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface, and references all of the installed CRs. Copy and paste the example into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-context"
      namespace: "cnf-gateway"
    spec:
       ipv6destinationAddress: "2002::200:200:200:0/112"
       destinationPort: 0
       firewallEnforcedPolicy: "cnf-fw-policy"
       logProfile: "cnf-log-profile"
       ipProtocol: "any"
       profile: "fastL4"
       vlans:
         vlanList:
           - "subscriber-vlan"
    
  8. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00.12350   1 event.go:282 Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-context was added/updated
    
  9. Continue to the Additional CRs and Firewall statistics sections.

Additional CRs

The F5BigFwPolicy can also be referenced by these CNFs CRs:

  • F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
  • F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.
  • F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.
  • F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.

Firewall statistics

If the TMM Debug sidecar is enabled (the default), use the steps below to verify the firewall filtering statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigFwPolicy statistics:

    tmctl -d blade fw_rule_stat
    
    context_type context_name
    ------------ ------------------------------------------
    virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs
    
    rule_name                            micro_rules counter last_hit_time action
    ------------------------------------ ----------- ------- ------------- ------
    allow-10-20-http-firewallpolicyrule            1       2    1638572860      2
    allow-10-30-ftp-firewallpolicyrule             1       5    1638573270      2
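
To turn the tmctl output above into a check rather than something to eyeball, the following Python, an added example and not F5 tooling, parses the fw_rule_stat table and lists the CR rules that show no hits. It assumes the column layout shown above and that TMM names each rule `<CR rule name>-firewallpolicyrule`, as the two rule names in that output suggest; SAMPLE_OUTPUT is the output above embedded verbatim as constructed input.

```python
"""Parse `tmctl -d blade fw_rule_stat` output and report F5BigFwPolicy rules with no hits.
Added example, not F5 tooling. Assumes the table layout shown on this page and that TMM
names each rule "<CR rule name>-firewallpolicyrule", as the page's output suggests."""

# Constructed sample: the fw_rule_stat output shown on this page.
SAMPLE_OUTPUT = """\
context_type context_name
------------ ------------------------------------------
virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs

rule_name                            micro_rules counter last_hit_time action
------------------------------------ ----------- ------- ------------- ------
allow-10-20-http-firewallpolicyrule            1       2    1638572860      2
allow-10-30-ftp-firewallpolicyrule             1       5    1638573270      2
"""
RULE_SUFFIX = "-firewallpolicyrule"  # assumed TMM naming, derived from the page's output
FIELDS = ("micro_rules", "counter", "last_hit_time", "action")


def parse_fw_rule_stat(text):
    """Return {cr_rule_name: {micro_rules, counter, last_hit_time, action}} from the rule table."""
    stats, in_rules = {}, False
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0].startswith("-"):   # blank line or a column separator
            continue
        if cols[0] == "rule_name":                # header of the per-rule table
            in_rules = True
            continue
        if not in_rules or len(cols) < 1 + len(FIELDS):
            continue                              # context block or an unexpected line
        name = cols[0]
        if name.endswith(RULE_SUFFIX):
            name = name[:-len(RULE_SUFFIX)]       # map back to the CR rule.name
        stats[name] = dict(zip(FIELDS, map(int, cols[1:1 + len(FIELDS)])))
    return stats


def rules_without_hits(text, policy_rule_names):
    """CR rule names whose counter is 0 or that do not appear in the table at all."""
    stats = parse_fw_rule_stat(text)
    return [n for n in policy_rule_names if stats.get(n, {}).get("counter", 0) == 0]


if __name__ == "__main__":
    print(parse_fw_rule_stat(SAMPLE_OUTPUT))
    print(rules_without_hits(SAMPLE_OUTPUT, ["allow-10-20-http", "allow-10-30-ftp", "drop-all"]))  # ['drop-all']
```

Run it against live output by piping `tmctl -d blade fw_rule_stat` from the debug container into it and passing the rule names from `kubectl get fwpol <name> -n <namespace> -o yaml`; a rule that stays in the no-hits list after sending test traffic that should match it is worth a second look at its addresses, ports and position in the policy.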
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.