Configuring SPK Firewall Logging

Overview

NOTE: Firewall features introduced on SPK 1.8.0.

When you configure L4 Firewall Policies on the SPK Controller, you can also set up firewall logging, which sends log messages to a remote syslog server when a firewall event occurs. This guide walks through configuring firewall logging and enabling it for your firewall policies.

This guide focuses mainly on getting firewall logging set up. Example firewall log messages are shown at the end to demonstrate a working configuration.

Enable Secure SPK Logging

This section will go through setting up firewall logging.

Before You Begin

  1. This guide assumes the SPK Controller is deployed in the spk-secure namespace, so you will see references to that namespace throughout. Update the namespace to wherever your SPK Controller is deployed in your environment.
  2. This guide assumes a remote syslog server with an IP of 10.10.20.11 listening on port 514.

Firewall Logging Configurations

  1. Create a file, hsl.yaml, based on the example below. The YAML is an F5BigLogHslpub CR that represents the high speed log publisher.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:  
      name: logpublisher
      namespace: spk-secure
    spec:  
      pool:
        - name: pool
          endpoint:
            - 10.10.20.11:514
      syslog:
        - name: syslog
          format: rfc5424
          protocol: udp
          distribution: adaptive
          pool: pool
    
  2. Create the high speed log publisher.

    oc create -f hsl.yaml
    
  3. Create a file, log-profile.yaml, based on the example below. This is an F5BigLogProfile CR that represents the logging profile.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogProfile
    metadata:  
      name: logprofile
      namespace: spk-secure
    spec:  
      publisher: logpublisher
      firewall:
        enabled: true
        network:
          events:
            aclMatchAccept: true
            aclMatchDrop: true
            aclMatchReject: true
    
  4. Create the log profile.

    oc create -f log-profile.yaml
    

The configuration above is a basic log profile that will capture matching ACL accept, drop, or reject firewall events. Additional settings can be found in the CRD references below.

Customize Logging Format

The log profile uses a default log format if none is specified. The format itself is customizable; the snippet below shows a user-defined firewall log message format defined in the log profile.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogProfile
    spec:  
      firewall:
        network:
          format:
            type: user-defined
            userDefinedFieldList: "Firewall Policy Name: ${acl_policy_name}, Firewall Policy Type: ${acl_policy_type}, Firewall Rule Name: ${acl_rule_name}, Firewall Rule Action: ${action}, TMM Hostname: ${bigip_hostname}, Context Name: ${context_name}, Context Type: ${context_type}, Destination IP: ${dest_ip}, Destination Port: ${dest_port}, Drop Reason: ${drop_reason}, TMM IP: ${management_ip_address}, Protocol: ${protocol}, Source IP: ${src_ip}, Source Port: ${src_port}, Interface: ${vlan}"

Refer to K05327372 for all available fields.

The Example Firewall Log Messages section below shows the default message output alongside the user-defined output produced by the format defined in the snippet above.

Associate Log Profile to Firewall Global Context

Now that a log profile is created, you can enable firewall logging by associating the logging profile with the F5BigContextGlobal CR named global-context. The example below shows spec.logProfile set to the log profile, logprofile, created above.

Be sure to also enable spec.defaultActionLog in your global-context so that log messages are also generated for traffic that matches no firewall policy rule and has the defaultAction applied.

NOTE: Enabling logging on the global context can get verbose.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigContextGlobal
    metadata:
      name: global-context
    spec:
      logProfile: logprofile
      firewall:
        enforcedPolicy: firewallpolicy
        defaultAction: reject
        defaultActionLog: true

Be sure to also enable logging in any firewall policy rules you define. The snippet below shows logging set to true on a rule.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigFwPolicy
    metadata:
      name: firewallpolicy
      namespace: spk-secure
    spec:
      rule:
      - name: sc-rule-tcp
        logging: true

Example Firewall Log Messages

This section shows example log messages that result from firewall events.

The remote syslog server is set up to write firewall log messages to /var/log/syslog, so the example output in this section consists of lines from /var/log/syslog.

Default Firewall Log Messages

Below is a snippet of the default firewall log messages produced when spec.firewall.network.format is not defined.

    Jul 17 22:22:12 f5-tmm-9cbcc4dbd-zr76f tmm[14] "10.131.0.151","f5-tmm-9cbcc4dbd-zr76f","Global","global-context","No-lookup","10.10.20.10","No-lookup","10.10.20.44","36664","9001","external","TCP","0","","","","","","","","Enforced","firewallpolicy-firewallpolicy","sc-rule-tcp-ingress-firewallpolicyrule","","Accept","","","","0000000000000000","unknown","unknown","unknown","unknown","","","","","No-lookup","No-lookup"
    Jul 17 22:22:12 f5-tmm-9cbcc4dbd-zr76f tmm[14] "10.131.0.151","f5-tmm-9cbcc4dbd-zr76f","Virtual Server","spk-app-tcp-app-f5ing-testapp-virtual-server","No-lookup","10.10.20.10","No-lookup","10.10.20.44","36664","9001","external","TCP","0","","","","","","","","Enforced","","(Default)","","Accept","","","","0000000000000000","unknown","unknown","unknown","unknown","","","","","No-lookup","No-lookup"

User Defined Firewall Log Messages

Below is an example of firewall log messages using the user-defined format. The format shown here is the same one defined in the Customize Logging Format section above.

    Jul 17 21:40:21 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: firewallpolicy-firewallpolicy, Firewall Policy Type: Enforced, Firewall Rule Name: sc-rule-tcp-ingress-firewallpolicyrule, Firewall Rule Action: Accept, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: global-context, Context Type: Global, Destination IP: 10.10.20.44, Destination Port: 9001, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.10, Source Port: 35154, Interface: external
    Jul 17 21:40:21 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: , Firewall Policy Type: Enforced, Firewall Rule Name: (Default), Firewall Rule Action: Accept, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: spk-app-tcp-app-f5ing-testapp-virtual-server, Context Type: Virtual Server, Destination IP: 10.10.20.44, Destination Port: 9001, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.10, Source Port: 35154, Interface: external
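The lines above are what the syslog collector receives; turning them into structured events is the first step toward counting drops or alerting on rejects. The Python script below is an added example and is not part of this guide or of F5's tooling. It covers both the Customize Logging Format section and the example messages here: it builds a regex directly from the userDefinedFieldList string shown earlier (so the parser follows whatever format the log profile defines), reads the default format with the csv module because its message body is a quoted, comma-separated record, and summarizes non-Accept events per source IP. The first two user-defined sample lines are copied from this page; the third (a default-action Reject from 10.10.20.99) is constructed to exercise the non-Accept path. Positional field names for the default format are not assumed, since K05327372 is the reference for those.

```python
import csv
import re
from collections import Counter
from io import StringIO

# Syslog line prefix as written by the TMM pod in the examples above:
# "Jul 17 21:40:21 <pod-name> tmm[14] <message>"
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) tmm\[(?P<pid>\d+)\] (?P<msg>.*)$"
)

# The userDefinedFieldList from the log profile snippet, copied verbatim.
USER_DEFINED_FORMAT = (
    "Firewall Policy Name: ${acl_policy_name}, Firewall Policy Type: ${acl_policy_type}, "
    "Firewall Rule Name: ${acl_rule_name}, Firewall Rule Action: ${action}, "
    "TMM Hostname: ${bigip_hostname}, Context Name: ${context_name}, "
    "Context Type: ${context_type}, Destination IP: ${dest_ip}, "
    "Destination Port: ${dest_port}, Drop Reason: ${drop_reason}, "
    "TMM IP: ${management_ip_address}, Protocol: ${protocol}, Source IP: ${src_ip}, "
    "Source Port: ${src_port}, Interface: ${vlan}"
)


def format_to_regex(fmt: str) -> "re.Pattern[str]":
    """Turn a userDefinedFieldList string into a regex with one named group per
    ${field} placeholder; the literal text between placeholders is escaped."""
    parts = re.split(r"\$\{(\w+)\}", fmt)  # literal, name, literal, name, ...
    pattern = "".join(
        re.escape(part) if i % 2 == 0 else f"(?P<{part}>.*?)"
        for i, part in enumerate(parts)
    )
    return re.compile("^" + pattern + "$")


USER_DEFINED_RE = format_to_regex(USER_DEFINED_FORMAT)


def parse_user_defined(line: str):
    """Parse one syslog line in the user-defined format into a dict (syslog
    timestamp and host plus one key per ${field}); None if it does not match."""
    head = SYSLOG_PREFIX.match(line.rstrip("\n"))
    if not head:
        return None
    body = USER_DEFINED_RE.match(head.group("msg"))
    if not body:
        return None
    event = {"timestamp": head.group("ts"), "host": head.group("host")}
    event.update(body.groupdict())
    return event


def parse_default(line: str):
    """Parse one syslog line in the default format. The message body is a quoted,
    comma-separated record, so the csv module splits it. Fields are returned
    positionally; their names are documented in K05327372, not assumed here."""
    head = SYSLOG_PREFIX.match(line.rstrip("\n"))
    if not head:
        return None
    fields = next(csv.reader(StringIO(head.group("msg"))))
    return {"timestamp": head.group("ts"), "host": head.group("host"), "fields": fields}


def parse_events(lines):
    """Parse every user-defined-format line, skipping lines that do not match."""
    return [e for e in (parse_user_defined(l) for l in lines) if e]


def non_accept(events):
    """Events whose rule action is not Accept: the drop/reject events a defender
    typically counts or alerts on."""
    return [e for e in events if e["action"] != "Accept"]


def actions_by_source(events):
    """Counter of (src_ip, action) pairs, useful for spotting noisy sources."""
    return Counter((e["src_ip"], e["action"]) for e in events)


# Sample input: the first two lines are this page's user-defined examples; the
# third is CONSTRUCTED on the same pattern to show a default-action Reject on the
# global context (empty policy name, rule "(Default)").
SAMPLE_USER_DEFINED = [
    "Jul 17 21:40:21 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: firewallpolicy-firewallpolicy, Firewall Policy Type: Enforced, Firewall Rule Name: sc-rule-tcp-ingress-firewallpolicyrule, Firewall Rule Action: Accept, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: global-context, Context Type: Global, Destination IP: 10.10.20.44, Destination Port: 9001, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.10, Source Port: 35154, Interface: external",
    "Jul 17 21:40:21 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: , Firewall Policy Type: Enforced, Firewall Rule Name: (Default), Firewall Rule Action: Accept, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: spk-app-tcp-app-f5ing-testapp-virtual-server, Context Type: Virtual Server, Destination IP: 10.10.20.44, Destination Port: 9001, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.10, Source Port: 35154, Interface: external",
    "Jul 17 21:40:25 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: , Firewall Policy Type: Enforced, Firewall Rule Name: (Default), Firewall Rule Action: Reject, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: global-context, Context Type: Global, Destination IP: 10.10.20.44, Destination Port: 9002, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.99, Source Port: 41000, Interface: external",
]

# Sample input: this page's first default-format example line.
SAMPLE_DEFAULT = (
    'Jul 17 22:22:12 f5-tmm-9cbcc4dbd-zr76f tmm[14] "10.131.0.151","f5-tmm-9cbcc4dbd-zr76f","Global","global-context","No-lookup","10.10.20.10","No-lookup","10.10.20.44","36664","9001","external","TCP","0","","","","","","","","Enforced","firewallpolicy-firewallpolicy","sc-rule-tcp-ingress-firewallpolicyrule","","Accept","","","","0000000000000000","unknown","unknown","unknown","unknown","","","","","No-lookup","No-lookup"'
)

if __name__ == "__main__":
    events = parse_events(SAMPLE_USER_DEFINED)
    for e in non_accept(events):
        print(f"{e['timestamp']} {e['action']} {e['src_ip']}:{e['src_port']} -> "
              f"{e['dest_ip']}:{e['dest_port']} on {e['context_name']} rule {e['acl_rule_name']}")
    print(actions_by_source(events))
    print(parse_default(SAMPLE_DEFAULT)["fields"][:4])
```

To run it against a live collector, replace SAMPLE_USER_DEFINED with the lines of /var/log/syslog that carry the tmm[...] prefix. If you change userDefinedFieldList in the log profile, update USER_DEFINED_FORMAT to the same string and the regex follows; each placeholder becomes a non-greedy group bounded by the literal separators in the format, which is why an empty value such as "Drop Reason: ," still parses.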

Feedback

Provide feedback to improve this document by emailing spkdocs@f5.com.

Supplemental

  • The SPK Firewall CRDs: Secure SPK section of the SPK CRs guide.