F5BigClassificationprofile

Overview

The F5BigClassificationprofile Custom Resource (CR) provides options to configure dynamic identification and classification of application traffic. The F5BigClassificationprofile is required when the F5BigPePolicy CR is configured to identify application traffic using the classification filter. The F5BigClassificationprofile and F5BigPePolicy CRs are referenced by the F5BigContextSecure CR to accept and process application traffic.

CR parameters

metadata

| Parameter | Description |
| --- | --- |
| name | The name of the Classification policy. This value is referenced by the F5BigContextSecure CR. |
| namespace | The Kubernetes namespace the Classification policy will install to. |

spec

| Parameter | Description |
| --- | --- |
| name | Specifies a name for the Classification Profile. This value is not used as a reference by other CRs. |
| description | Specifies descriptive text that identifies the Profile. |
| enableApplicationDetection | Enables application detection: true (default) or false. |
| enableLogUnclassifiedDomain | Enables logging unclassified domains: true or false (default). |
| enableUrlCategorization | Enables URL categorization: true or false (default). |
| preset.allowReclassification | Enables transactional flows: true (default) or false. |
| preset.enableFlowBundling | Enables the correlation of flows or transactions lacking attributes for classification decision to an abstract key with associated classification tokens: true (default) or false. |
| preset.enableCacheResults | Enables caching classification results for the L4 destination. When the same traffic passes through, the result is taken from the cache: true (default) or false. |
| preset.analyzeDns | Enables the classification engine to inspect DNS responses and use the IP addresses returned, to enhance classification results for otherwise-unknown data-plane traffic: true (default) or false. When false, data-plane traffic for which no existing signatures exist gets generic classification. |
| preset.analyzeSslServerside | Enables the classification engine to process the SSL Server Side Hello to inspect ALPN (primarily for HTTP2 / SPDY subclassification): true (default) or false. If false, the DNS traffic gets generic classification. |
| logPublisher | Specifies the F5BigLogHslpub CR to log classification events using the metadata.name parameter. |
| enableIruleEvent | Enables iRule events triggered by applications in these classification settings: true (default) or false. |

CR Example

F5BigClassificationprofile

apiVersion: "k8s.f5net.com/v1"
kind: F5BigClassificationprofile
metadata:
  name: "cnf-class-profile"
  namespace: "cnf-gateway"
spec:
  name: "cnf-class-profile"
  enableApplicationDetection: true
  enableLogUnclassifiedDomain: true
  logPublisher: "cnf-hsl-pub"
  preset:
    enableFlowBundling: true
    analyzeSslServerside: false
    enableCacheResults: true
    analyzeDns: true

CR shortName

CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigClassificationprofile CR shortName is dpiprof.

View CR instance:

kubectl get dpiprof -n <namespace>

View CR configuration:

kubectl get dpiprof -n <namespace> -o yaml

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigClassificationprofile CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by the F5BigClassificationprofile.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "hsl-pool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "cnf-syslog"
        format: "rfc5424"
        protocol: "udp"
        pool: "hsl-pool"
    
  2. Install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. The example F5BigClassificationprofile enables important parameters such as ApplicationDetection, UrlCategorization, and analyzeDns. Copy the example CR into a YAML file:

    Note: The F5BigClassificationprofile will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigClassificationprofile
    metadata:
      name: "cnf-class-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-class-profile"
      enableApplicationDetection: true
      enableUrlCategorization: true
      logPublisher: "cnf-hsl-pub"
      preset:
        enableFlowBundling: true
        analyzeSslServerside: false
        enableCacheResults: true
        analyzeDns: true
    
  4. Install the F5BigClassificationprofile CR:

    kubectl apply -f cnf-class-profile.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigClassificationprofile CR was added/updated:

    I0624 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5ClassificationProfile",
    F5ClassificationProfile cnf-gateway/cnf-class-profile was added/updated
    
  5. Continue to the F5BigPePolicy guide to reference the Classification profile, and begin managing subscriber traffic using policy-based classification criteria.
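
A pre-install check for the CRs used in the steps above, added here as an example and not part of F5's tooling: it overlays a profile's spec on the defaults from the parameter table, confirms that logPublisher names an F5BigLogHslpub CR in the same namespace, and reports presets that reduce classification detail. The severity labels, the same-namespace rule, and the function names are assumptions of this example; the sample input is constructed from the page's example CRs.

```python
# Defaults as listed in the spec parameter table on this page.
DEFAULTS = {
    "enableApplicationDetection": True,
    "enableLogUnclassifiedDomain": False,
    "enableUrlCategorization": False,
    "enableIruleEvent": True,
    "preset": {
        "allowReclassification": True,
        "enableFlowBundling": True,
        "enableCacheResults": True,
        "analyzeDns": True,
        "analyzeSslServerside": True,
    },
}

def effective_spec(spec):
    """Overlay the CR's spec on the documented defaults."""
    eff = {k: v for k, v in DEFAULTS.items() if k != "preset"}
    eff.update({k: v for k, v in spec.items() if k != "preset"})
    eff["preset"] = {**DEFAULTS["preset"], **(spec.get("preset") or {})}
    return eff

def audit_profile(profile, publishers):
    """Findings for one profile; the same-namespace publisher rule is this example's assumption."""
    ns = profile["metadata"]["namespace"]
    eff = effective_spec(profile.get("spec") or {})
    known = {(p["metadata"]["namespace"], p["metadata"]["name"]) for p in publishers}
    findings = []
    pub = eff.get("logPublisher")
    if pub and (ns, pub) not in known:
        findings.append(("error", f"logPublisher '{pub}' has no F5BigLogHslpub in {ns}"))
    if eff["enableLogUnclassifiedDomain"] and not pub:
        findings.append(("warn", "unclassified-domain logging enabled without logPublisher"))
    if not eff["preset"]["analyzeDns"]:
        findings.append(("warn", "analyzeDns off: unknown traffic gets generic classification"))
    if not eff["preset"]["analyzeSslServerside"]:
        findings.append(("info", "analyzeSslServerside off: no ALPN inspection for HTTP2/SPDY"))
    return findings

# Constructed sample input: the page's example CRs as Python dicts.
PROFILE = {"metadata": {"name": "cnf-class-profile", "namespace": "cnf-gateway"},
           "spec": {"name": "cnf-class-profile", "enableApplicationDetection": True,
                    "enableLogUnclassifiedDomain": True, "logPublisher": "cnf-hsl-pub",
                    "preset": {"enableFlowBundling": True, "analyzeSslServerside": False,
                               "enableCacheResults": True, "analyzeDns": True}}}
PUBLISHERS = [{"metadata": {"name": "cnf-hsl-pub", "namespace": "cnf-gateway"}}]

if __name__ == "__main__":
    print(*audit_profile(PROFILE, PUBLISHERS), sep="\n")
```

To run it against installed CRs, load each item from the output of kubectl get dpiprof -n <namespace> -o json and pass it as the profile.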

Classification statistics

If the TMM Debug sidecar is enabled (default), use the steps below to verify F5BigClassificationprofile statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigClassificationprofile statistics:

    tmctl -d blade gpa_classification_stats -w 200
    
    result                  count cec flbl srdb custom bytes_in bytes_out pkts_in pkts_out
    ------                  ----- --- ---- ---- ------ -------- --------- ------- --------
    tcp                         0   0    0    0      0        0         0       0        0
    udp                         0   0    0    0      0        0         0       0        0
    tcp.http.google             2   2    0    0      0      952      1096       9        7
    tcp.ssl.goole               1   1    0    0      0      618       152       3        2
    tcp.ssl.facebook            4   4    0    0      0    10226    127795     102      126
    tcp.http.cnn                4   4    0    0      0     2226      4018      20       20
    tcp.ssl.cnn                 2   2    0    0      0    40332   2515790     540     1846
    tcp.ssl.yahoo.yahoo_search  1   1    0    0      0      620       152       3        2
    tcp.http.bing               1   1    0    0      0      359       152       3        2
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental