F5BigDPIprofile

Overview

The F5BigDPIprofile Custom Resource (CR) provides options to enable Deep Packet Inspection (DPI), which dynamically identifies the application traffic and enables URL categorization for the DPI to access iRule events in the application. The F5BigDPIprofile is required when the F5BigPePolicy CR is configured to identify application traffic using the DPI filter. The F5BigContextSecure CR references the F5BigDPIprofile and F5BigPePolicy CRs to accept and process application traffic.

CR Parameters

metadata

Parameter Description
name Specifies the name of the Deep Packet Inspection profile. The F5BigContextSecure CR references this value.

spec

Parameter Description
name Specifies a name for the DPI Profile. This value is not used as a reference by other CRs.
description Specifies descriptive text that identifies the Profile.
enableApplicationDetection Specifies application detection. Value can be True (default) or False.
enableLogUnclassifiedDomain Setting this parameter to True logs all unclassified domains in the HSL. The value can be True or False (default).
enableUrlCategorization Specifies the URL categorization. Value can be True or False (default).
preset.allowReclassification Specifies transactional flows. Value can be True (default) or False.
preset.enableFlowBundling Specifies the relationship of flows or transactions lacking attributes for a Deep Packet Inspection decision to an abstract key with associated Deep Packet Inspection tokens. Value can be True (default) or False.
preset.enableCacheResults Specifies that the system caches Deep Packet Inspection results for the L4 destination. When the same traffic passes through, the result is taken from the cache. Value can be True (default) or False.
preset.analyzeDns Allows the Deep Packet Inspection engine to inspect DNS responses and use the returned IP addresses to enhance the Deep Packet Inspection results for otherwise-unknown data-plane traffic. Value can be True or False (default). If the value is False, data-plane traffic for which no signatures exist gets generic Deep Packet Inspection.
preset.analyzeSslServerside Enables the Deep Packet Inspection engine to process the SSL Server Side Hello to inspect ALPN (primarily for HTTP2 / SPDY sub-classification). Value can be True or False (default). If False, the DNS traffic gets generic Deep Packet Inspection.
logPublisher Specifies the F5BigLogHslpub CR to log DPI events using the metadata.name parameter.
enableIruleEvent Enables the Deep Packet Inspection Policy to have access to iRules in the application when attached to it. Value can be True (default) or False.

CR Example

F5BigDPIprofile

Following is an example F5BigDPIProfile CR:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDpiProfile
metadata:
  name: "dpi-profile"
spec:
  name: "dpiprofile-cnf"
  enableApplicationDetection: true
  enableLogUnclassifiedDomain: true
  enableIruleEvent: true
  preset:
    enableFlowBundling: true
    analyzeSslServerside: true
    enableCacheResults: true
    analyzeDns: true
    allowReclassification: true 
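
The following Python block is an added example, not F5 code: it overlays a parsed F5BigDpiProfile spec on the defaults listed in the parameter table above and reports the effective value of every boolean option, flagging keys that are not in the table and values that are not true/false. The names `DEFAULTS`, `STRING_KEYS`, `resolve` and `PAGE_EXAMPLE_SPEC` are chosen here for illustration. The example CR above does not set enableUrlCategorization, so the resolved output shows it at its documented default of False.

```python
# Added example. DEFAULTS is transcribed from the parameter table on this page.
DEFAULTS = {
    "enableApplicationDetection": True,
    "enableLogUnclassifiedDomain": False,
    "enableUrlCategorization": False,
    "enableIruleEvent": True,
    "preset.allowReclassification": True,
    "preset.enableFlowBundling": True,
    "preset.enableCacheResults": True,
    "preset.analyzeDns": False,
    "preset.analyzeSslServerside": False,
}
STRING_KEYS = {"name", "description", "logPublisher"}

def resolve(spec):
    """Return (effective boolean settings, findings) for a parsed spec."""
    flat = {}
    for key, value in spec.items():
        if key == "preset" and isinstance(value, dict):
            flat.update({f"preset.{k}": v for k, v in value.items()})
        else:
            flat[key] = value
    effective, findings = dict(DEFAULTS), []
    for key, value in flat.items():
        if key in STRING_KEYS:
            if not isinstance(value, str):
                findings.append(f"{key}: expected a string")
        elif key not in DEFAULTS:
            findings.append(f"{key}: not a documented parameter")
        elif not isinstance(value, bool):
            findings.append(f"{key}: expected true/false, got {value!r}")
        else:
            effective[key] = value
    return effective, findings

# spec of the example CR above, as a YAML parser would load it
PAGE_EXAMPLE_SPEC = {
    "name": "dpiprofile-cnf",
    "enableApplicationDetection": True,
    "enableLogUnclassifiedDomain": True,
    "enableIruleEvent": True,
    "preset": {"enableFlowBundling": True, "analyzeSslServerside": True,
               "enableCacheResults": True, "analyzeDns": True,
               "allowReclassification": True},
}

if __name__ == "__main__":
    effective, findings = resolve(PAGE_EXAMPLE_SPEC)
    print(effective, findings or "no findings", sep="\n")
```

A mis-cased key or a quoted "true" produces a finding and leaves the documented default in the effective settings, which is the case worth checking before the CR is applied.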

CR shortName

CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDPIprofile CR shortName is dpiprof.

View CR instance:

kubectl get dpiprof -n <namespace>

View CR configuration:

kubectl get dpiprof -n <namespace> -o yaml

Requirements

Ensure you have:

Procedure

Following is the procedure to install the example F5BigDPIprofile CR.

Apply DPI Profile

The example F5BigDPIprofile enables required parameters such as ApplicationDetection, UrlCategorization, and analyzeDns.

  1. Copy the following example CR into a YAML file:

    Note: The F5BigDPIprofile will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDpiProfile
    metadata:
      name: "dpi-profile"
    spec:
      name: "dpiprofile-cnf"
      enableApplicationDetection: true
      enableLogUnclassifiedDomain: true
      enableIruleEvent: true
      preset:
        enableFlowBundling: true
        analyzeSslServerside: true
        enableCacheResults: true
        analyzeDns: true
        allowReclassification: true 
    
  2. Run the following command to apply the F5BigDPIprofile Profile CR.

    kubectl apply -f dpi-profile.yaml -n <name_space>
    
  3. Verify that the F5BigDPIprofile Profile CR is applied by checking the BIG-IP controller logs.

    Sample output:

    Following is an example output where the BIG-IP Controller logs indicate that the F5BigDPIprofile CR was added/updated:

    I0624 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5DPIProfile", F5DPIProfile cnf-gateway/cnf-class-profile was added/updated
    
  4. Continue to the F5BigPePolicy guide to reference the DPI profile and begin managing subscriber traffic using policy-based classification criteria.

Supplemental

The F5BigDpiPeOptions CR can be used to modify some of the default behaviors of the F5BigPePolicy CR.

Feedback

To provide feedback and help improve this document, please email us at cnfdocs@f5.com.