Manual Chapter: Configuring CGNAT IPFIX Logging
Applies To:
BIG-IP APM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP Analytics
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP LTM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP PEM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP AFM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP DNS
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP ASM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Overview: Configuring IPFIX logging for CGNAT
You can configure the BIG-IP® system to log information about carrier
grade network address translation (CGNAT) processes and send the log messages to remote IPFIX
collectors.
IPFIX is a set of IETF standards described in RFCs 5101 and 5102. The BIG-IP system supports
logging of CGNAT translation events over the IPFIX protocol. IPFIX logs are raw, binary-encoded
strings with their fields and field lengths defined by IPFIX templates.
IPFIX collectors are external devices that can receive IPFIX templates, and use them to
interpret IPFIX logs.
Task summary
Perform these tasks to configure IPFIX logging of CGNAT
processes on the BIG-IP system. Enabling IPFIX logging impacts BIG-IP system
performance.
About the configuration objects of IPFIX logging
The configuration process involves creating and connecting the following configuration
objects.
Object | Reason | Applies to
---|---|---
Pool of IPFIX collectors | Create a pool of remote log servers to which the BIG-IP® system can send log messages. | Assembling a pool of IPFIX collectors.
Destination | Create a log destination to format the logs in IPFIX templates, and forward the logs to the IPFIX collectors. | Creating an IPFIX log destination.
Publisher | Create a log publisher to send logs to a set of specified log destinations. | Creating a publisher.
Logging profile (optional) | Create a logging profile to configure logging options for various large scale NAT (LSN) events. The options apply to all HSL destinations. | Creating an LSN logging profile.
LSN pool | Associate an LSN pool with a logging profile and log publisher in order to log messages about the traffic that uses the pool. | Configuring an LSN pool.
Assembling a pool of IPFIX collectors
Before creating a pool of IPFIX collectors, gather the IP addresses of the collectors
that you want to include in the pool. Ensure that the remote IPFIX collectors are
configured to listen to and receive log messages from the BIG-IP system.
You can create a pool of IPFIX collectors to
which the system can send IPFIX log messages.
- On the Main tab, navigate to the pool list. The Pool List screen opens.
- Click Create. The New Pool screen opens.
- In the Name field, type a unique name for the pool.
- Using the New Members setting, add the IP address for each IPFIX collector that you want to include in the pool:
  - Type the collector's IP address in the Address field, or select a node address from the Node List.
  - Type a port number in the Service Port field. By default, IPFIX collectors listen on UDP or TCP port 4739 and Netflow V9 devices listen on port 2055, though the port is configurable at each collector.
  - Click Add.
- Click Finished.
Creating an IPFIX log destination
A log destination of the IPFIX type specifies that log messages are sent to a pool of
IPFIX collectors. Use these steps to create a log destination for IPFIX collectors.
- On the Main tab, navigate to the log destinations. The Log Destinations screen opens.
- Click Create.
- In the Name field, type a unique, identifiable name for this destination.
- From the Type list, select IPFIX.
- From the Protocol list, select IPFIX or Netflow V9, depending on the type of collectors you have in the pool.
- From the Pool Name list, select an LTM pool of IPFIX collectors.
- From the Transport Profile list, select TCP, UDP, or any customized profile derived from TCP or UDP.
- The Template Retransmit Interval is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the Transport Profile is a UDP profile. An IPFIX template defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template. The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.
- The Template Delete Delay is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
- The Server SSL Profile applies Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the Transport Profile is a TCP profile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration. SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
- Click Finished.
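The template mechanism described in the steps above (a template defines field types and lengths, every data record carries its template ID, and templates are periodically retransmitted over UDP because the collector cannot decode a record whose template it has not seen) is easiest to understand from the collector's side. The following Python parser is an added example written for this page; it is not F5 code and not the BIG-IP exporter's output. It constructs its own sample IPFIX messages, so the field set used for the NAT44 record is an assumption for illustration only (the information element numbers 7, 8, 11, 12, 225 and 227 are IANA-registered IPFIX elements, but the page does not state which fields BIG-IP emits). It also shows the failure mode the retransmit interval exists for: a data set that arrives before its template is held back and decoded only once the template is received, and a template record with zero fields is treated as a withdrawal, which is what makes the Template Delete Delay matter.

```python
import struct
from collections import defaultdict

IPFIX_VERSION = 10       # RFC 7011 message header version
SET_ID_TEMPLATE = 2      # template set; options template sets (ID 3) are skipped here
MIN_DATA_SET_ID = 256    # set IDs >= 256 are data sets, named by template ID
MAX_PENDING = 64         # bound on data sets held per missing template
# IANA information elements that appear in NAT44 event records (IPv4 ones get dotted output).
IE_NAMES = {7: "sourceTransportPort", 8: "sourceIPv4Address", 11: "destinationTransportPort",
            12: "destinationIPv4Address", 225: "postNATSourceIPv4Address", 227: "postNAPTSourceTransportPort"}
IPV4_IES = {8, 12, 225}

def _decode_records(fields, body):
    rec_len = sum(length for _, length in fields)
    records, off = [], 0
    while off + rec_len <= len(body):           # leftover bytes are set padding
        rec = {}
        for ie_id, length in fields:
            raw = body[off:off + length]
            rec[IE_NAMES.get(ie_id, "ie%d" % ie_id)] = (".".join(str(b) for b in raw) if ie_id in IPV4_IES
                                                        else int.from_bytes(raw, "big"))
            off += length
        records.append(rec)
    return records

class IpfixCollector:
    def __init__(self):
        self.templates = {}               # (domain, template_id) -> [(ie_id, length), ...]
        self.pending = defaultdict(list)  # same key -> data-set bodies waiting for a template
        self.buffered_sets = 0            # count of data sets that arrived before their template

    def feed(self, msg):
        # Parse one IPFIX message and return every record it lets us decode.
        version, length, _export_time, _seq, domain = struct.unpack("!HHIII", msg[:16])
        if version != IPFIX_VERSION or length < 16 or length > len(msg):
            raise ValueError("not a well-formed IPFIX message")
        records, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            if set_len < 4 or off + set_len > length:
                raise ValueError("bad set length")
            body = msg[off + 4:off + set_len]
            if set_id == SET_ID_TEMPLATE:
                records.extend(self._handle_template_set(domain, body))
            elif set_id >= MIN_DATA_SET_ID:
                records.extend(self._handle_data_set(domain, set_id, body))
            off += set_len
        return records

    def _handle_template_set(self, domain, body):
        replayed, off = [], 0
        while off + 4 <= len(body):             # trailing bytes < 4 are padding
            template_id, field_count = struct.unpack("!HH", body[off:off + 4])
            key, off, fields = (domain, template_id), off + 4, []
            if field_count == 0:                # template withdrawal: forget this ID
                self.templates.pop(key, None)
                continue
            for _ in range(field_count):
                ie_id, length = struct.unpack("!HH", body[off:off + 4])
                off += 4
                if ie_id & 0x8000:              # enterprise IE: clear the bit, skip the enterprise number
                    ie_id, off = ie_id & 0x7FFF, off + 4
                fields.append((ie_id, length))
            self.templates[key] = fields
            for data in self.pending.pop(key, []):   # drain the backlog for this template
                replayed.extend(_decode_records(fields, data))
        return replayed

    def _handle_data_set(self, domain, template_id, body):
        key = (domain, template_id)
        if key not in self.templates:           # template lost or not yet seen (UDP)
            if len(self.pending[key]) < MAX_PENDING:
                self.pending[key].append(body)
            self.buffered_sets += 1
            return []
        return _decode_records(self.templates[key], body)

# Constructed exporter messages: sample data for this example, not real BIG-IP output.
def _ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))

def build_message(domain, sets):
    body = b"".join(struct.pack("!HH", sid, 4 + len(p)) + p for sid, p in sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 0, domain) + body

def build_template(template_id, fields):
    return struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)

def demo():
    # A data set arrives before its template (lossy UDP); the retransmitted template unblocks it.
    fields = [(8, 4), (7, 2), (225, 4), (227, 2), (12, 4), (11, 2)]   # assumed NAT44 field layout
    rec = struct.pack("!4sH4sH4sH", _ipv4("10.1.2.3"), 40000, _ipv4("203.0.113.10"), 1024, _ipv4("198.51.100.7"), 443)
    data_msg = build_message(1, [(256, rec)])
    tmpl_msg = build_message(1, [(SET_ID_TEMPLATE, build_template(256, fields))])
    c = IpfixCollector()
    first = c.feed(data_msg)    # [] : template 256 unknown, record is held back
    second = c.feed(tmpl_msg)   # template arrives, held record is decoded
    third = c.feed(data_msg)    # decoded immediately
    return first, second, third, c.buffered_sets
```

Run `demo()` to see the three outcomes in order. The per-template backlog is bounded by MAX_PENDING on purpose: an exporter whose templates never arrive (or a sender spraying unknown template IDs at the collector port) must not be able to grow the collector's memory without limit, and `buffered_sets` is the counter to watch when tuning the Template Retransmit Interval.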
Creating a publisher
Ensure that at least one destination associated with a pool of remote log servers
exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for
specific resources.
- On the Main tab, navigate to the log publishers. The Log Publishers screen opens.
- Click Create.
- In the Name field, type a unique, identifiable name for this publisher.
- For the Destinations setting, select a destination from the Available list, and move the destination to the Selected list. If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db key to false. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the logpublisher.atomic db key to false will not work to allow the logs to be written to local-syslog. The logpublisher.atomic db key has no effect on local-syslog.
- Click Finished.
Creating an LSN logging profile
You can create an LSN logging profile to allow you to configure logging options for
various LSN events that apply to high-speed logging destinations.
For configuring remote high-speed logging of CGNAT processes on the BIG-IP system, these steps are optional.
- On the Main tab, navigate to the LSN logging profiles. The LSN logging profiles screen opens.
- Click Create. The New LSN Logging Profile screen opens.
- In the Name field, type a unique name for the logging profile.
- From the Parent Profile list, select a profile from which the new profile inherits properties.
- For the Log Settings area, select the Custom check box.
- For the Log Settings area, select Enabled for the following settings, as necessary.
Setting | Description
---|---
CSV Format | Generates log entries in comma-separated-values (CSV) format.
Start Outbound Session | Generates event log entries at the start of a translation event for an LSN client.
End Outbound Session | Generates event log entries at the end of a translation event for an LSN client.
Start Inbound Session | Generates event log entries at the start of an incoming connection event for a translated endpoint.
End Inbound Session | Generates event log entries at the end of an incoming connection event for a translated endpoint.
Quota Exceeded | Generates event log entries when an LSN client exceeds allocated resources.
Errors | Generates event log entries when LSN translation errors occur.
Subscriber ID | Allows for subscriber ID logging.
Enabling the CSV check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types and only use standard syslog formats.
- Click Finished.
Configuring an LSN pool
You can associate an LSN pool with a log publisher
and logging profile that the BIG-IP system uses to send log messages to a specified
destination.
- On the Main tab, navigate to the LSN pool list. The LSN Pool List screen opens.
- Select an LSN pool from the list. The configuration screen for the pool opens.
- From the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db key to false. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the logpublisher.atomic db key to false will not work to allow the logs to be written to local-syslog. The logpublisher.atomic db key has no effect on local-syslog.
- Optional: From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
- Click Finished.
You now have an LSN pool for which the BIG-IP system logs messages using the specified
logging profile.