The F5BigDownloaderPolicy Custom Resource (CR) configures the Cloud-Native Network Functions (CNFs) Downloader Pod to download the latest IM installation packages from specified locations and at specified intervals. The CNFs Downloader Pod performs sanity checks on the downloaded IM package’s lists of applications and catagories, verifies the received Certificate Authority (CA) bundle, and the digital signature of the IM Package. The relevant classification data is converted into a Binary Large OBject (BLOB), and sent to the Traffic Management Microkernel (TMM) Proxy Pod’s Downloader sidecar. TMM uses the classification data when processing application traffic with the following traffic processing CRs; F5BigClassificationprofile, F5BigPePolicy and F5BigContextSecure.

Package types

The Downloader Pod can be configured to download the following package types:

  • IPS (intrusion prevention system) signatures.
  • IPI (IP reputation intelligence) databases.
  • CEC (classification engine core) signatures>
  • URLCAT (URL catagorization) databases.

This document guides you through understanding, configuring and installing the F5BigDownloaderPolicy CR.

CR parameters


Parameter Description
name A unique name for the downloader policy.
components.type Specifies the type of IM for the F5BigDownloaderPolicy: cec, wr-urldb or ips.
components.downloadUrl Specifies the URL to download the IM installed package. For cec and ips, an empty field uses the default F5 download endpoint.
components.pollInterval Specifies the polling time interval for downloading the latest IM Packages.
components.proxy The name of the proxy object.

CR Examples


apiVersion: "k8s.f5net.com/v1"
kind: F5BigDownloaderPolicy
  name: "cnf-downloadpolicy"
  namespace: "cnf-gateway"
    - type: "cec"
      downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-cec"
      pollInterval: "3m"
    - type: "wr-urldb"
      downloadUrl: "api-dualstack.bcti.brightcloud.com"
      pollInterval: "2m"

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDownloaderPolicy CR shortName is downpol.

View CR instance:

kubectl get downpol -n <namespace>

View CR configuration:

kubectl get downpol -n <namespace> -o yaml

By default, the Download Pod is disabled. To enable the Downloader Pod, add the following parameters to the BIG-IP Controller Helm values file:

  enabled: true

      repository: "registry.com"

  enabled: true
    repository: "registry.com"

The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter. If you installed Fluentd, ensure the host parameter targets the Fluentd Pod’s namespace:

Note: In this example, the host value includes the Fluentd Pod’s cnf-gateway Namespace.


      enabled: true
        repository: registry.com"

        host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local'


Ensure you have:


Use these steps to install the example F5BigDownloaderPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

_images/spk_info.png Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Copy the example F5BigDownloaderPolicy CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDownloaderPolicy
      name: "cnf-downloadpolicy"
      namespace: "cnf-gateway"
        - type: "cec"
          downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-cec"
          pollInterval: "3m"
        - type: "wr-urldb"
          downloadUrl: "api-dualstack.bcti.brightcloud.com"
          pollInterval: "2m"
  2. Install the F5BigDownloaderPolicy CR:

    kubectl apply -f cnf-download-cr.yaml
  3. Copy the example F5BigClassificationprofile CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigClassificationprofile
      name: "cnf-url-class-profile"
      namespace: "cnf-gateway"
      name: "url-class-profile"
      enableUrlCategorization: true
  4. Install the F5BigClassificationprofile CR:

    kubectl apply -f cnf-class-profile.yaml

    In this example, the BIG-IP Controller logs indicate the F5BigClassificationprofile CR was added/updated:

    I0624 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5ClassificationProfile",
    F5ClassificationProfile cnf-gateway/cnf-url-class-profile was added/updated
  5. Copy the example F5BigPePolicy CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigPePolicy
      name: "cnf-url-pe-policy"
      namespace: "cnf-gateway"
      state: "Enabled"
        - name: "url-rule-1"
          precedence: 1
              - match: "match"
                category: "Search_Engines"
            gate: "Enabled"
  6. Install the F5BigPePolicy CR:

    kubectl apply -f cnf-pe-policy-cr.yaml

    In this example, the BIG-IP Controller logs indicate the F5BigPePolicy CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5PemPolicy",
    PemPolicy cnf-gateway/cnf-url-pe-policy was added/updated
  7. Copy the example F5BigPeProfile CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigPeProfile
      name: "cnf-url-pe-profile"
      namespace: "cnf-gateway"
        - "cnf-url-pe-policy"
  8. Install the F5BigPeProfile CR:

    kubectl apply -f cnf-pe-profile-cr.yaml

    In this example, the BIG-IP Controller logs indicate the F5BigPeProfile CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5PemProfile",
    PemProfile cnf-gateway/cnf-url-pe-profile was added/updated
  9. Copy the example F5BigContextSecure CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
      name: "cnf-url-class-context"
      namespace: "cnf-gateway"
       destinationAddress: ""
       ipv6destinationAddress: "::/0"
       destinationPort: 80
       ipProtocol: "tcp"
       profile: "tcp"
       classificationProfile: "cnf-url-class-profile"
       pemProfile: "cnf-url-pe-profile"
  10. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context-cr.yaml

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-url-class-context was added/updated

Connection statistics

If the TMM Debug sidecar is enabled (default), use the steps below to verify F5BigClassificationprofile , F5BigPePolicy, and F5BigContextSecure statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
  2. Verify the URL categorization stats:

    tmctl -d blade gpa_urlcat_stats
    name              count irule customdb wrdb cloud srdb bytes_in bytes_out
    ----------------- ----- ----- -------- ---- ----- ---- -------- ---------
    Unknown               0     0        0    0     0    0        0         0
    Search_Engines       10     0        0   10     0    0     4220      7550
    Social_Networking     5     0        0    5     0    0     1380      1380
    Shopping              7     0        0    7     0    0     2220      2220
  3. Verify the F5BigClassificationprofile statistics:

    tmctl -d blade gpa_classification_stats -w 200
    result                  count cec flbl srdb custom bytes_in bytes_out pkts_in pkts_out
    ------                  ----- --- ---- ---- ------ -------- --------- ------- --------
    tcp                         0   0    0    0      0        0         0       0        0
    udp                         0   0    0    0      0        0         0       0        0
    tcp.http.google             2   2    0    0      0      952      1096       9        7
    tcp.ssl.goole               1   1    0    0      0      618       152       3        2
    tcp.ssl.facebook            4   4    0    0      0    10226    127795     102      126
    tcp.http.cnn                4   4    0    0      0     2226      4018      20       20
    tcp.ssl.cnn                 2   2    0    0      0    40332   2515790     540     1846
    tcp.ssl.yahoo.yahoo_search  1   1    0    0      0      620       152       3        2
    tcp.http.bing               1   1    0    0      0      359       152       3        2
  4. Verify the F5BigPePolicy statistics:

    tmctl -d blade pem_actions_stat -s pass,drop,tcpopt_to_net,tcpopt_to_sub

    In this example, optimization is applied to both uplink (tcpopt_to_net) and downlink (tcpopt_to_sub) traffic.

    pass drop tcpopt_to_net tcpopt_to_sub
    ---- ---- ------------- -------------
      6    0             6             6
  5. Verify the F5BigContextSecure statistics:

    Clientside connections:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    name                                               clientside.tot_conns
    -------------------------------------------------- --------------------
    cnf-gateway-cnf-url-class-context-SecureContext_vs                    8

    Serverside connections:

    tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
    name                                               serverside.tot_conns
    -------------------------------------------------- --------------------
    cnf-gateway-cnf-url-class-context-SecureContext_vs                    8


Provide feedback to improve this document by emailing cnfdocs@f5.com.