-
Notifications
You must be signed in to change notification settings - Fork 6
/
inputs_firewall_v1.1.1.yaml
306 lines (290 loc) · 14.6 KB
/
inputs_firewall_v1.1.1.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
# VNF Resource Information Collector inputs
ric_purchasing_model: perpetual # Purchasing model for licensing (options include: subscription or perpetual).
ric_vnfm_serial: # VNFM license key provided in your email from F5 (used for support purposes only).
ric_throughput: '10' # Desired throughput for the VNF layer, in Gbps (options include: 5, 10, 50 Gbps).
# vnf inputs
auto_last_hop: "disabled" # Controls how the DAG receives return traffic from the internet. Enable this input, if using an F5 device to NAT outbound connections; otherwise, disable.
ctrl_net: control # Control network name, where F5 NFV solutions connect to processes, like subscriber service-charging.
ctrl_subnet: control # Control network subnet name.
ha_net: ha_net # Hgh availability network name (for config. sync and network failover purposes).
ha_subnet: ha_net_subnet # High availability network subnet name.
# optional inputs:
bgp_dag_pgw_peer_ip: 192.168.1.103 # If using Border Gateway Protocol (BGP) on the client-side, then enter the neighbor address of the PGW to which the DAG BIG-IPs will advertise their default routes.
bgp_vnf_pgw_peer_ip: 192.168.21.11 # If using BGP on the client-side, then enter the neighbor address of the PGW, enabling the VNF to send traffic directly back to the client without passing it back through the DAG.
bgp_pgw_peer_as: '200' # If using BGP on the client-side, then enter the autonomous system number (ASN) for the BGP neighbor.
bgp_dag_egw_peer_ip: 192.168.11.104 # If using BGP on the external-side, then enter the BGP neighbor address.
bgp_egw_peer_as: '300' # If using BGP on the external-side, then enter the BGP ASN.
# min/max total number of 'instances' that can be created during scale out
# min/max dag group members
max_scale_dag_group: '1000' # Maximum number of layers to which the DAG group will scale.
# min/max
max_scale_vnf_group: '1000' # Maximum number of layers to which the VNF group will scale.
# max number of times that a heal can be tried before giving up.
max_heal_vnfd_dag_ve: '5' # Maximum number of times a DAG VE will heal before it stops trying and shows an error.
max_heal_vnf_layer: '5' # Maximum number of times a layer will heal before it stops trying and returns an error.
max_heal_vnf_slave_ve: '5' # Maximum number of times a slave VE will heal before it stops trying and returns an error.
# vnf layer scaling inputs
vnf_layer_cpu_threshold: '75' # Maximum number of times a slave VE will heal before it stops trying and returns an error.
vnf_layer_cpu_threshold_check_interval: '1' # Interval between checks, in minutes.
# vnf group scaling inputs
vnf_group_throughput: '10' # The desired aggregate throughput (Gigabits In Out) for every layer in the group. Example values: 5 for 5 gig, 0 for 10 gig, 0.5 for 500mb.
vnf_group_throughput_threshold: '75' # New layer is added to group when the percentage of average aggregate layer throughput exceeds this value (for example, 75).
vnf_group_throughput_check_interval: '1' # Interval between checks, in minutes.
# dag group scaling inputs
dag_group_cpu_threshold: '75' # New instance is added to group when the percentage of average aggregate Global TMM CPU usage of all DAG group instances exceeds this value (for example, 75).
dag_group_cpu_threshold_check_interval: '1' # Interval between checks, in minutes.
# monitoring inputs
floating_network_id: fa541932-4156-4185-8344-a961cf4c8e41 # The OpenStack ID or external network name where you assigned a floating IP addresses (for example, external_net).
# common inputs
manager_mgmt_host: 10.10.2.16 # Internal IP address of the VNF Manager instance.
default_gateway: 10.10.12.1 # Next hop IP address for outbound traffic egressing the VNF.
external_net: # External network name that connects to your users.
external_subnet: # Subnet name for the pre-existing external network.
internal_net: # Internal network name that connects to your servers.
internal_subnet: # Subnet name for the pre-existing internal network.
sw_ref_dag: # Dictionary that defines the OpenStack image name, flavor name, and revision number to use for the BIG-IP VE disaggregation instances.
data:
image: bigip-13.1.0.5-0.0.5.all_1slot
flavor: f5.cloudify_small
availability_zone: nova
revision: 0
sw_ref_vnf: # A dictionary that defines the OpenStack image name, flavor name, and revision number to use for the BIG-IP VE virtual network functions instances.
data:
image: bigip-13.1.0.5-0.0.5.all_1slot
flavor: f5.cloudify_medium
availability_zone: nova
revision: 0
sw_ref_nagios: # A dictionary that defines the OpenStack image name, flavor name, and availability zone (version 1.2) to use for the CentOS monitoring nodes.
data:
image: CentOS-7-x86_64-GenericCloud
flavor: f5.cloudify_small
availability_zone: nova
revision: 0
bigip_os_ssh_key: mysshkey # Name of the OpenStack SSH key into which you will import.
tenant:
# big-iq license manager
big_iq_host: 10.190.54.148 # IP address of the BIG-IQ VE instance that will assign licenses to the BIG-IP VE instances.
big_iq_lic_pool: vnfm-4 # BIG-IQ key or pool name used to assign licenses to the BIG-IP VE instances.
# security groups in openstack
ctrl_sg_name: allow_22
external_sg_name: allow_22 # External security group name.
internal_sg_name: # Internal security group name.
mgmt_sg_name: allow_22 # Management security group name.
pgw_sg_name: allow_22 # Packet gateway (PGW) security group name.
pdn_sg_name: allow_22 # Provider data network (PDN) security group name.
snmp_sg_name: allow_22 # SNMP security group name.
# networks in openstack
mgmt_net: mgmt # Management network name in OpenStack, connecting the BIG-IQ licensing utility, VNFM, and related blueprints that orchestrate BIG-IP VE service layers.
mgmt_subnet: mgmt # Management network subnet name.
pgw_net: pgl # PGW network name.
pgw_subnet: pgl # PGW sub-network name.
pdn_net: pdn # PDN network name.
pdn_subnet: pdn # PDN network subnet name.
pgw_dag_net: vnfs # PGW-DAG (VNF ingress) network name.
pgw_dag_subnet: vnfs # GW-DAG network subnet name.
pdn_dag_net: vnfe # PDN-DAG (VNF egress) network name.
pdn_dag_subnet: vnfe # PDN-DAG network subnet name.
ntp_server: 132.163.96.1 # IP address or DNS name of the NTP server. If not specified, the default 132.163.96.4 value is used.
timezone: 'string' # Local timezone using the TZ database name for the location of your application server. https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
# configuration of the f5 vnf service layers in as3 declaration format
# example: your firewall configuration.
# example: your subscriber based policy enforcement configuration.
vnf_as3_nsd_payload:
vnf_as3_nsd_payload:
class: AS3
action: deploy
persist: true
declaration:
class: ADC
schemaVersion: 3.0.0
id: cfy_vnf_01
label: vnf
remark: VNF
f5vnf:
class: Tenant
Shared:
class: Application
template: shared
fwAllowedAddressList:
addresses:
- 10.0.0.0/8
- 172.20.0.0/16
- 192.168.0.0/16
class: Firewall_Address_List
fwAllowedPortList:
class: Firewall_Port_List
ports:
- 8080-8081
- 22
- 443
- 53
- 80
fwDefaultDenyAddressList:
addresses:
- 0.0.0.0/0
class: Firewall_Address_List
fwLogDestinationHsl:
class: Log_Destination
distribution: adaptive
pool:
use: poolHsl
protocol: tcp
type: remote-high-speed-log
fwLogDestinationSyslog:
class: Log_Destination
format: rfc5424
remoteHighSpeedLog:
use: fwLogDestinationHsl
type: remote-syslog
fwLogPublisher:
class: Log_Publisher
destinations:
- use: fwLogDestinationSyslog
fwPolicy:
class: Firewall_Policy
rules:
-
use: fwRuleList
fwRuleList:
class: Firewall_Rule_List
rules:
-
action: accept
destination:
portLists:
-
use: fwAllowedPortList
loggingEnabled: true
name: tcpAllow
protocol: tcp
source:
addressLists:
- use: fwAllowedAddressList
-
action: accept
loggingEnabled: true
name: udpAllow
protocol: udp
source:
addressLists:
- use: fwAllowedAddressList
-
action: drop
loggingEnabled: true
name: defaultDeny
protocol: any
source:
addressLists:
- use: fwDefaultDenyAddressList
fwSecurityLogProfile:
class: Security_Log_Profile
network:
logIpErrors: true
logRuleMatchAccepts: true
logRuleMatchDrops: true
logRuleMatchRejects: true
logTcpErrors: true
logTcpEvents: true
logTranslationFields: true
publisher:
use: fwLogPublisher
storageFormat:
fields:
- action
- bigip-hostname
- context-name
- context-type
- date-time
- dest-ip
- dest-port
- drop-reason
- protocol
- src-ip
- src-port
poolHsl:
class: Pool
members:
-
enable: true
serverAddresses:
- 255.255.255.254
servicePort: 514
monitors:
-
bigip: /Common/udp
lbSelectedRule:
class: iRule
iRule: when LB_SELECTED {log local0. "Selected server [LB::server]"}
remark: Log load balanced server
profileL4:
class: L4_Profile
serviceAddress:
class: Service_Address
arpEnabled: False
icmpEcho: disable
spanningEnabled: True
virtualAddress: 0.0.0.0
firewall_any:
class: Application
template: generic
serviceMain:
allowVlans:
- bigip: /Common/vnfs
class: Service_Generic
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: any
policyFirewallEnforced:
use: /f5vnf/Shared/fwPolicy
profileL4:
use: /f5vnf/Shared/profileL4
securityLogProfiles:
- use: /f5vnf/Shared/fwSecurityLogProfile
snat: none
lastHop: disable
translateServerAddress: false
translateServerPort: false
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
firewall_fastL4:
class: Application
template: l4
serviceMain:
class: Service_L4
layer4: tcp
allowVlans:
- bigip: /Common/vnfs
profileL4:
use: /f5vnf/Shared/profileL4
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
translateServerAddress: false
translateServerPort: false
snat: none
lastHop: disable
iRules:
- /f5vnf/Shared/lbSelectedRule
policyFirewallEnforced:
use: /f5vnf/Shared/fwPolicy
securityLogProfiles:
- use: /f5vnf/Shared/fwSecurityLogProfile
firewall_inbound:
class: Application
template: generic
serviceMain:
allowVlans:
- bigip: /Common/vnfe
class: Service_Generic
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: any
profileL4:
use: /f5vnf/Shared/profileL4
snat: none
translateServerAddress: false
translateServerPort: false
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0