Automate Policy Configuration on Multiple VNF

Overview

The tutorial Design a Simple Firewall Microservice on Linux demonstrated steps to design, develop and test a simple firewall service on a Linux based VNF.
This tutorial will now help illustrate the steps to automate the configuration of simple firewall policy for multiple Linux based VNF.
To achieve this automation, we will utilize a Workflow and a set of Processes.  Details are listed below.

getting the sources

Use Case Overview

  • The user selects one or several firewalls to manage
  • The user enters a new security rule (IP and port) to block
  • The user selects an existing security rule and deletes it from the firewall configuration

Implementation Steps of the Workflow

  • Step 1: Define the parameters
  • Step 2: Implement the process to instantiate a new service
  • Step 3: Implement the process to delete the service
  • Step 4: Implement the process to configure a new security policy
  • Step 5: Implement the process to remove existing security policies

Design & Implementation

Variable Definition

The basic fundamental task as for any design/development activity, the design of the functionality begins by defining the interface (or the API).

For this simple firewall function we need the following variables:

  • List of firewall devices
  • Rule ID / Rule IP / Rule Port
  • Array of (Rule ID / Rule IP / Rule Port)


Image

The List of Devices

The user will be able to select one or more devices to update. This list will be stored in an array in the $context of the workflow instance.

Create a variable $params.devices.0.id, with "Device" type.

The ".0." means the workflow engine will consider this variable as an array.  For our case, we will store a list of device IDs.

The Rule ID / IP / Port

We will require these three variables for the process that will create the rule. The IP and port should be typed as Integer and the IP should be typed as IP Address.

  • $params.id
  • $params.dst_port
  • $params.src_ip

The Array of Rules (ID / IP / Port)

Since we want to be able to manage the rules and therefore create them and delete them, we need to store the rules that were configured in the workflow instance.

We will use an array with 3 entries:

  • $params.rules.0.id
  • $params.rules.0.dst_port
  • $params.rules.0.src_ip

How to Handle the Rule Deletion

This implementation of a simple firewall management workflow provides a way to configure firewall policy and to un-configure the policies. In order to delete a rule, the rule should be removed from the workflow instance as well as from the device.

For this use case, we have chosen to use a flag "delete" to flag the rules that the deletion process will have to remove from the device but also from the $context of the workflow instance.

A boolean variable will be used:

  • $params.delete

Processes Definition

The Firewall Service Instance Creation/Deletion

These can be implemented by simple CREATE and DELETE processes.

The process to instantiate the workflow instance doesn't require any logic but should expose a selectable list of devices to choose.

The Process to Add a Rule on Multiple Devices

This process will use the microservice simple_firewall designed in the tutorial Design a Simple Firewall Microservice on Linux.

This process is providing the multi-device automation by applying the configuration on the list of devices selected during the service instantiation. It is also leveraging the abstraction layer provided by the microservice definition to allow multi-vendor policy configuration: as long as the vendor specific microservices are exposing the same interface (name and variables), the process will execute the order regardless of the vendor specificities. 

In order to apply the policy on multiple devices, use a foreach over the array "devices" in the $context

foreach ($context['devices'] as $deviceidRow)

extract the device database ID

 $devicelongid = substr($deviceidRow['id'], 3);

build the microservice JSON params for the CREATE operation

 $micro_service_vars_array = array ();
 $micro_service_vars_array ['object_id'] = $context ['id'];
 $micro_service_vars_array ['src_ip'] = $context ['src_ip'];
 $micro_service_vars_array ['dst_port'] = $context ['dst_port'];

 $object_id = $context ['id'];

 $simple_firewall = array (
   'simple_firewall' => array (
     $object_id => $micro_service_vars_array 
 );

Call the CREATE function of the microservice

 $response = execute_command_and_verify_response ( $devicelongid, CMD_CREATE, $simple_firewall, "CREATE simple_firewall" );

The Process to Remove a Rule on Multiple Devices

This process will iterate through the list of the rules stored in the array "rules" and for each array line with the flag "delete" set to true, it will call the DELETE operation of the microservice simple_firewall for each device stored in the array "devices"

For each rules and devices, create the jSON parameters to pass to the DELETE function of the microservice

   $object_id = $rule_id;
   $simple_firewall = array (
     'simple_firewall' => $object_id 
   );

Call the DELETE function of the microservice

   $response = execute_command_and_verify_response ( $device_id, CMD_DELETE, $simple_firewall, "DELETE simple_firewall" );

Wrap-Up

This tutorial provided a simple case of multi-device, multi-vendor firewall policy management. It utilized integration between the workflows and the microservices.

Feel free to download the source code from GitHub and run it on your setup.