F5BigIpsPolicy

Overview

The F5BigIpsPolicy Custom Resource (CR) provides deep packet inspection, protecting applications from malicious packet types and network traffic patterns. The F5BigIpsPolicy can be referenced by the F5BigContextSecure or F5BigDnsApp CRs to protect various types of 5G workloads.

This document guides you through understanding, configuring and installing a simple F5BigIpsPolicy.

CR parameters

The tables below describe the F5BigIpsPolicy CR parameters.

metadata

Parameter Description
name The name of the IPS policy. This value is referenced by the traffic management CNF CRs.
namespace The Kubernetes namespace the IPS policy will install to.

spec

Parameter Description
stagingPeriod Specifies the autopublishing suggestion period (in minutes). The default is 10080.
stagingConfidence Specifies the autopublishing suggestion confidence (percentage): 0 to 100. The default is 0.
loggingGlobal Enables logging any of the configured compliances and signatures: true (default) or false.
services Specifies a list of protocol services containing associated port numbers, compliance checks and signatures for the service.
services.name Specifies the name of the service. Currently, only dns is available.
services.ports Specifies the list of ports for the service.
services.compliances Specifies a list of compliance checks for the service, each with its config value type and config value.
services.compliances.name Specifies the name of the compliance check. For example, dns_disallowed_resource_records. For a full list of compliances, refer to F5BigIpsPolicy Compliance Checks.
services.compliances.valueType Specifies the compliance check config value type: int, vector-int, string, vector-string, boolean, enum, or vector-enum.
services.compliances.value Specifies the compliance check config value.
services.compliances.action Specifies the compliance check config action: accept (default), reject, or drop.
services.compliances.logging Enables logging a matching compliance inspection: global (default), enabled, or disabled.
services.signatures Specifies a list of signatures for this service.
services.signatures.name Specifies the name of the attack signature. For example, dns_query_amplification_attempt. For a full list of signatures, refer to F5BigIpsPolicy Attack Signatures.
services.signatures.action Specifies the signature action: accept (default), reject, or drop.
services.signatures.logging Enables logging a matching signature inspection: global (default), enabled, or disabled.

CR Example

apiVersion: "k8s.f5net.com/v1"
kind: F5BigIpsPolicy
metadata:
  name: "cnf-ips"
  namespace: "cnf-gateway"
spec:
  services:
    - name: dns
      ports:
        - "53"
      compliances:
        - name: "dns_disallowed_resource_records"
          valueType: "vector-enum"
          value: "SOA MX"
          action: "reject"
      signatures:
        - name: "dns_named_version_attempt"
          action: "reject"
        - name: "dns_os_solaris_exploit_sparc_overflow_attempt"
          action: "reject"

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigIpsPolicy CR shortName is ipspol.

View CR instance:

kubectl get ipspol -n <namespace>

View CR configuration:

kubectl get ipspol -n <namespace> -o yaml

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigIpsPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "cnf-hslpool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "syslog-dest"
        format: "rfc5424"
        protocol: "udp"
        pool: "cnf-hslpool"
    
  2. Install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. Optional: The example F5BigLogProfile CR specifies Protocol Inspection events to send to the remote log server. Copy and paste the example into a YAML file:

    Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-logs"
      publisher: "cnf-hsl-pub"
      protocolInspection:
        enabled: true
        publisher: "cnf-hsl-pub"
        logPacket: true
    
  4. Install the F5BigLogProfile CR:

    kubectl apply -f cnf-log-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:

    I0202 12:00:00.12348   1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile",
    LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  5. The example F5BigIpsPolicy CR rejects SOA record queries, and rejects dns_named_version_attempt and dns_os_solaris_exploit_sparc_overflow_attempt packet signatures. The F5BigIpsPolicy will log all configured compliances and signatures when the logging parameter is set to global (default). Copy and paste the CR into a YAML file:

    Note: The F5BigIpsPolicy CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigIpsPolicy
    metadata:
      name: "cnf-ips-policy"
      namespace: "cnf-gateway"
    spec:
      services:
        - name: dns
          ports:
            - "53"
          compliances:
            - name: dns_disallowed_query_type
              valueType: string
              value: SOA
              action: reject
          signatures:
            - name: dns_named_version_attempt
              action: reject
            - name: dns_os_solaris_exploit_sparc_overflow_attempt
              action: reject
    
  6. Install the F5BigIpsPolicy CR:

    kubectl apply -f cnf-ips-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigIpsPolicy CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5ProtocolInspectionProfile",
    ProtocolInspectionProfile cnf-gateway/cnf-ips-policy was added/updated
    
  7. The example F5BigContextSecure CR accepts packets destined to the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface, and references the installed CRs. Copy and paste the CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-ips-context"
      namespace: "cnf-gateway"
    spec:
      ipv6destinationAddress: "2002::200:200:200:0/112"
      destinationPort: 53
      ipProtocol: "any"
      profile: "fastL4"
      protocolInspectionProfile: "cnf-ips-policy"
      logProfile: "cnf-log-profile"
      vlans:
        vlanList:
          - "subscriber-vlan"
    
  8. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-ips-context.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-ips-context was added/updated
    
  9. Review the Additional CRs and IPS statistics sections.
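
The four CRs above are linked only by name (F5BigContextSecure references the F5BigIpsPolicy and F5BigLogProfile, which in turn references the F5BigLogHslpub), and a mismatch such as saving the policy under the CR Example name "cnf-ips" instead of "cnf-ips-policy" is only noticed after the apply. The following script is an added example, not F5 tooling: it checks that every such reference among a directory of manifest files resolves to a manifest of the expected kind before anything is applied. It assumes the flat manifest layout shown on this page and parses by line prefix.

```shell
# Added example, not F5 tooling: before `kubectl apply`, check that the name
# references between the CRs in this procedure resolve to a manifest of the
# expected kind. Reference chain taken from the page:
#   F5BigContextSecure.spec.protocolInspectionProfile -> F5BigIpsPolicy.metadata.name
#   F5BigContextSecure.spec.logProfile -> F5BigLogProfile.metadata.name
#   F5BigLogProfile.spec.publisher -> F5BigLogHslpub.metadata.name

# Print "<kind> <metadata.name>" for one manifest file.
cr_identity() {
  awk '/^kind:/ { kind = $2 }
       /^metadata:/ { in_meta = 1; next }
       in_meta && /^  name:/ { name = $2; gsub(/"/, "", name); in_meta = 0 }
       END { print kind, name }' "$1"
}

# Print the first value of KEY (quotes stripped) found in FILE, or nothing.
spec_value() {  # FILE KEY
  awk -v k="$2:" '$1 == k { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Return 0 if every reference among DIR/*.yaml resolves; else list each dangling one, return 1.
check_cr_refs() {
  dir=$1; rc=0
  ids=$(for f in "$dir"/*.yaml; do cr_identity "$f"; done)
  for f in "$dir"/*.yaml; do
    set -- $(cr_identity "$f")   # $1 = kind, $2 = metadata.name
    case $1 in
      F5BigContextSecure) refs="F5BigIpsPolicy:protocolInspectionProfile F5BigLogProfile:logProfile" ;;
      F5BigLogProfile)    refs="F5BigLogHslpub:publisher" ;;
      *) continue ;;
    esac
    for r in $refs; do
      want=${r%%:*}; key=${r#*:}
      target=$(spec_value "$f" "$key")
      [ -n "$target" ] || { echo "$2: spec.$key is missing"; rc=1; continue; }
      echo "$ids" | grep -qxF "$want $target" || { echo "$2: spec.$key=$target has no $want"; rc=1; }
    done
  done
  return $rc
}

# Constructed sample (not from a cluster): the page's F5BigContextSecure next
# to a policy saved under the CR Example name "cnf-ips" instead of "cnf-ips-policy".
make_sample() {  # DIR
  mkdir -p "$1"
  printf 'kind: F5BigIpsPolicy\nmetadata:\n  name: "cnf-ips"\n' > "$1/ips.yaml"
  printf 'kind: F5BigLogHslpub\nmetadata:\n  name: "cnf-hsl-pub"\n' > "$1/hsl.yaml"
  printf 'kind: F5BigLogProfile\nmetadata:\n  name: "cnf-log-profile"\nspec:\n  publisher: "cnf-hsl-pub"\n' > "$1/log.yaml"
  printf 'kind: F5BigContextSecure\nmetadata:\n  name: "cnf-ips-context"\nspec:\n  protocolInspectionProfile: "cnf-ips-policy"\n  logProfile: "cnf-log-profile"\n' > "$1/ctx.yaml"
}
```

Run `check_cr_refs <dir>` against the directory holding the YAML files from steps 1, 3, 5 and 7; on the constructed sample it reports the F5BigContextSecure reference to "cnf-ips-policy" as unresolved.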

Additional CRs

The F5BigIpsPolicy can also be referenced by the F5BigDnsApp CR.

IPS statistics

Use the steps below to verify the F5BigIpsPolicy CR statistics:

Important: IPS statistics are not available until a compliance or signature packet match occurs.

  1. Connect to the debug sidecar and query the protocol inspection statistics:

    tmctl -d blade protocol_inspection_stats
    

    In this example, the IPS policy shows 7 compliance check matches:

    insp_id insp_name
    ------- -------------------------------
    10007 dns_disallowed_resource_records
    
    vs_name
    -------------------------------------------
    cnf-gateway-cnf-dns-ips-context-secure-SecureContext_vs
    
    prof_name                                         hit_count last_hit_time
    ----------------------------------------------    --------- -------------
    cnf-gateway-cnf-dns-ips-profileprotocolinspection         7    1644624084
    
  2. You can also view the TMM logs to verify packet matching:

    kubectl logs -f f5-tmm-5576f687d5-bv2kx -c f5-tmm -n cnf-gateway | \
    grep -i 'COMPL CHECK'
    

    In this example, each log message indicates the compliance check id, the matched context and the action taken:

    IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0001a91800002717
    IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0000525400002717
    IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0001673e00002717
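
On a busy TMM the grep above returns one line per matched packet. The following is an added example, not F5 tooling: it folds the COMPL CHECK MATCH lines into one row per compliance id, matched context and action with a hit count, so a burst of rejects for one check stands out. It assumes the line layout printed above and a ctx value without spaces; the sample log is constructed from the three lines shown plus two extra lines.

```shell
# Added example, not from F5: summarise the TMM "COMPL CHECK MATCH" lines into
# one row per compliance id, matched context and action with a hit count.
# Assumes the line layout printed on this page and a ctx value without spaces.

# Read TMM log lines on stdin; print "id ctx action count", highest count first.
summarise_compl_matches() {
  awk '/COMPL CHECK MATCH/ {
         id = ctx = act = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^id=/)     id  = substr($i, 4)
           if ($i ~ /^ctx=/)    ctx = substr($i, 5)
           if ($i ~ /^action=/) act = substr($i, 8)
         }
         # strip the trailing commas and the quotes around ctx
         gsub(/[^A-Za-z0-9_-]/, "", id); gsub(/[^A-Za-z0-9_-]/, "", ctx)
         gsub(/[^A-Za-z0-9_-]/, "", act)
         if (id != "") hits[id " " ctx " " act]++
       }
       END { for (k in hits) print k, hits[k] }' |
  sort -k4,4 -rn
}

# Constructed sample: the three lines shown above, one more reject for an MX
# query (constructed support_id), and an unrelated line that must be ignored.
SAMPLE_TMM_LOG="IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0001a91800002717
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0000525400002717
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='SOA', action=reject, support_id = 0001673e00002717
IPS: ips_insp_callback/807: COMPL CHECK MATCH: id=10007, ctx='MX', action=reject, support_id = 0001673f00002717
TMM: unrelated line (constructed) that the summary must ignore"

# Example run; with a live cluster pipe `kubectl logs ... -c f5-tmm` into the function instead.
printf '%s\n' "$SAMPLE_TMM_LOG" | summarise_compl_matches
```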
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental