
Firewall policies with DO : lack of features (compared to AS3).

Open LaurentGravier opened this issue 3 years ago • 3 comments

Is your feature request related to a problem? Please describe.

I use AS3 to create firewall policies, but I want to move this configuration to DO, as I need the policies to apply on Route Domains. Looking into the DO Schema Reference, I find the following problems:

  1. Firewall Policy:
     • In AS3, the property "rules" of the Firewall_Policy class has the format: array<Pointer_Firewall_Rule_List | Firewall_Rule>. So in AS3, it is possible to create Rule-lists (class Firewall_Rule_List) and to reference them in a Firewall_Policy.
     • In DO, the property "rules" of the FirewallPolicy class is an array of FirewallPolicy_rules. It does not seem possible to reference Rule lists. And worse, it does not seem possible to create Rule lists with DO (apparently, no class equivalent to AS3's Firewall_Rule_List).
  2. Firewall Rules / protocol: In DO, the property "protocol" of the class "FirewallPolicy_rules" can only be equal to "any", "tcp", "udp". In AS3, the property "protocol" of the class "Firewall_Rule" can have many more values.
  3. Firewall Rules / source: In AS3, the Firewall_Rule_Source class has 3 properties: addressLists (array<Pointer_Firewall_Address_List>), portLists (array<Firewall_Rule_Source_portLists>), vlans (array). In DO, the corresponding class FirewallPolicy_rules_source does not have the "vlans" property (according to the Schema Reference). However, the example declaration contradicts the Schema Reference: https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/declarations/network-objects.html#configuring-a-firewall-policy-in-a-declaration

Describe the solution you'd like

I'd like the configuration of firewall policies to be equivalent between AS3 and DO (same features, similar classes, possibility to use pointers...)

Describe alternatives you've considered

So far I use AS3, but since I want the policy to apply on a route domain, I have to use a non-declarative command to modify the route domain in order to add the firewall policy. It would be better if I could create the firewall policy and the route domain in DO.

Additional context

LaurentGravier avatar Jul 29 '22 10:07 LaurentGravier
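A pre-flight check for the gaps listed above, as an added example that is not part of the original issue or of the AS3/DO projects: it walks an AS3-style Firewall_Policy and reports which rules DO's FirewallPolicy cannot express (rule-list pointers, protocols outside "any"/"tcp"/"udp") and where the DO example and Schema Reference disagree (source.vlans). The sample policy and its names are constructed for illustration; the assumption that a Firewall_Rule without "protocol" means "any" is also mine.

```python
# Protocol values accepted by DO's FirewallPolicy_rules.protocol, as stated in the issue.
DO_RULE_PROTOCOLS = frozenset({"any", "tcp", "udp"})

# Constructed sample AS3 Firewall_Policy (rule names and list names are invented).
# Assumption: an AS3 Firewall_Rule with no "protocol" behaves as "any".
SAMPLE_AS3_POLICY = {
    "class": "Firewall_Policy",
    "rules": [
        {
            "class": "Firewall_Rule",
            "name": "allow-web",
            "action": "accept",
            "protocol": "tcp",
            "source": {"vlans": [{"bigip": "/Common/external"}]},
        },
        {"class": "Firewall_Rule", "name": "allow-icmp", "action": "accept", "protocol": "icmp"},
        {"use": "sharedRuleList"},  # pointer to a Firewall_Rule_List elsewhere in the tenant
    ],
}


def find_do_migration_findings(policy):
    """Walk an AS3 Firewall_Policy and report what DO's FirewallPolicy cannot express.

    Returns a list of (rule_index, severity, reason) tuples in rule order.
    severity is "blocker" (no DO equivalent per the issue) or "warning"
    (DO example and Schema Reference disagree, so verify before relying on it).
    """
    findings = []
    for i, rule in enumerate(policy.get("rules", [])):
        # A pointer ({"use": ...} or {"bigip": ...}) references a Firewall_Rule_List;
        # DO's FirewallPolicy.rules only takes inline FirewallPolicy_rules objects.
        if "use" in rule or "bigip" in rule:
            findings.append((i, "blocker", "rule-list pointer has no DO equivalent"))
            continue
        proto = rule.get("protocol", "any")
        if proto not in DO_RULE_PROTOCOLS:
            findings.append((i, "blocker", f"protocol {proto!r} not in DO set {sorted(DO_RULE_PROTOCOLS)}"))
        if "vlans" in rule.get("source", {}):
            findings.append((i, "warning", "source.vlans: in DO example but absent from Schema Reference"))
    return findings


def summarize(policy):
    """Print a human-readable report and return the blocker count so callers can gate on it."""
    findings = find_do_migration_findings(policy)
    for idx, severity, reason in findings:
        print(f"rule[{idx}] {severity}: {reason}")
    return sum(1 for _, sev, _ in findings if sev == "blocker")


if __name__ == "__main__":
    blockers = summarize(SAMPLE_AS3_POLICY)
    print(f"{blockers} blocker(s); policy {'still needs AS3 features' if blockers else 'can move to DO'}")
```

Run it against each AS3 policy before attempting the move: a non-zero blocker count means the policy still depends on rule lists or protocols that DO's schema (as described in this issue) does not accept, while a warning only asks you to confirm the source.vlans behaviour against your DO version.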

Another alternative could be to keep the firewall policy defined with AS3, but to be able to apply it to a route-domain as part of the AS3 declaration.

Could this be an option?

LaurentGravier avatar Sep 22 '22 15:09 LaurentGravier

@LaurentGravier please can you reach out to AS3/DO PM at [email protected] so I can understand the use case of applying the firewall policy to a route-domain

mdditt2000 avatar Nov 29 '23 20:11 mdditt2000

> @LaurentGravier please can you reach out to AS3/DO PM at [email protected] so I can understand the use case of applying the firewall policy to a route-domain

Hi @mdditt2000, as requested I sent an email to [email protected]. Do not hesitate to ask me if anything is unclear.

LaurentGravier avatar Nov 30 '23 07:11 LaurentGravier