Manual Chapter : IPFIX Templates for AFM DNS Events

Applies To:

BIG-IP DNS

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Analytics

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP PEM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AAM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Link Controller

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0

Overview: IPFIX templates for AFM DNS events

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log F5's Advanced Firewall Manager (AFM) DNS events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the denial of a DNS query.

About IPFIX information elements for AFM DNS events

Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager (AFM) DNS event.

IANA-defined IPFIX information elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.
Information Element (IE)      ID    Size (Bytes)
destinationIPv4Address        12    4
destinationIPv6Address        28    16
destinationTransportPort      11    2
ingressVRFID                  234   4
observationTimeMilliseconds   323   8
sourceIPv4Address             8     4
sourceIPv6Address             27    16
sourceTransportPort           7     2

IPFIX enterprise information elements

IPFIX provides for enterprises to define their own information elements (IEs). F5 currently uses the following non-standard IEs for AFM DNS events:
Information Element (IE)      ID           Size (Bytes)
action                        12276 - 39   Variable
attackEvent                   12276 - 41   Variable
attackId                      12276 - 20   4
attackName                    12276 - 21   Variable
bigipHostName                 12276 - 10   Variable
bigipMgmtIPv4Address          12276 - 5    4
bigipMgmtIPv6Address          12276 - 6    16
contextName                   12276 - 9    Variable
deviceProduct                 12276 - 12   Variable
deviceVendor                  12276 - 11   Variable
deviceVersion                 12276 - 13   Variable
dnsQueryType                  12276 - 8    Variable
errdefsMsgNo                  12276 - 4    4
flowId                        12276 - 3    8
ipfixMsgNo                    12276 - 16   4
messageSeverity               12276 - 1    1
msgName                       12276 - 14   Variable
packetsDropped                12276 - 23   4
packetsReceived               12276 - 22   4
partitionName                 12276 - 2    Variable
queryName                     12276 - 7    Variable
vlanName                      12276 - 15   Variable

IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

About individual IPFIX templates for each AFM DNS event

This section enumerates the IPFIX templates that F5 uses to publish AFM DNS Events.

IPFIX template for DNS security

Information Element (IE)      ID           Size (Bytes)   Notes
action                        12276 - 39   Variable       This IE is omitted for NetFlow v9.
bigipHostName                 12276 - 10   Variable       This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address          12276 - 5    4
bigipMgmtIPv6Address          12276 - 6    16
contextName                   12276 - 9    Variable       This IE is omitted for NetFlow v9.
observationTimeMilliseconds   323          8
destinationIPv4Address        12           4
destinationIPv6Address        28           16
destinationTransportPort      11           2
deviceProduct                 12276 - 12   Variable       This IE is omitted for NetFlow v9.
deviceVendor                  12276 - 11   Variable       This IE is omitted for NetFlow v9.
deviceVersion                 12276 - 13   Variable       This IE is omitted for NetFlow v9.
queryName                     12276 - 7    Variable       This IE is omitted for NetFlow v9.
dnsQueryType                  12276 - 8    Variable       This IE is omitted for NetFlow v9.
errdefsMsgNo                  12276 - 4    4
flowId                        12276 - 3    8
ipfixMsgNo                    12276 - 16   4
messageSeverity               12276 - 1    1
partitionName                 12276 - 2    Variable       This IE is omitted for NetFlow v9.
ingressVRFID                  234          4
sourceIPv4Address             8            4
sourceIPv6Address             27           16
sourceTransportPort           7            2
vlanName                      12276 - 15   Variable       This IE is omitted for NetFlow v9.
msgName                       12276 - 14   Variable       This IE is omitted for NetFlow v9.
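The following Python is an added example, not F5's code and not part of this chapter. It ties the overview's definitions (an IE, a template as an ordered list of IEs) and the variable-length note to actual wire bytes: it encodes a subset of the DNS security template above as an IPFIX Template Record (enterprise IEs carry the high bit of the element ID plus F5's enterprise number 12276, the "12276 - N" IDs in the tables), writes a Data Record using the RFC 7011 variable-length encoding that NetFlow v9 collectors cannot read, and parses the message back with a truncation check. The template ID 256, the IE subset, the zero header fields and the sample record values are assumptions; the parser is written for messages this encoder produces (it assumes Sets carry no padding).

```python
import ipaddress
import struct
from collections import namedtuple

F5_PEN = 12276      # the "12276" in the page's enterprise IE IDs (F5's private enterprise number)
VARIABLE = 0xFFFF   # RFC 7011: a template field length of 65535 marks a variable-length IE
IPFIX_VERSION, TEMPLATE_SET_ID = 10, 2  # NetFlow v9 carries version 9 and cannot express VARIABLE
DNS_SECURITY_TEMPLATE_ID = 256  # assumed; the page gives no template ID (any value >= 256 is legal)
IE = namedtuple("IE", "name element_id length enterprise", defaults=(0,))  # enterprise 0 = IANA IE

# Subset of the page's "IPFIX template for DNS security", IDs and sizes as listed there.
DNS_SECURITY_IES = [
    IE("action", 39, VARIABLE, F5_PEN),
    IE("bigipHostName", 10, VARIABLE, F5_PEN),
    IE("observationTimeMilliseconds", 323, 8),
    IE("destinationIPv4Address", 12, 4),
    IE("queryName", 7, VARIABLE, F5_PEN),
    IE("messageSeverity", 1, 1, F5_PEN),
    IE("sourceIPv4Address", 8, 4),
    IE("sourceTransportPort", 7, 2),
]

def encode_template_record(template_id, ies):
    # Template Record: ID, field count, then one field specifier per IE. An enterprise IE
    # sets the high bit of the element ID and appends its 4-byte enterprise number.
    out = struct.pack("!HH", template_id, len(ies))
    for ie in ies:
        if ie.enterprise:
            out += struct.pack("!HHI", ie.element_id | 0x8000, ie.length, ie.enterprise)
        else:
            out += struct.pack("!HH", ie.element_id, ie.length)
    return out

def encode_varlen(value):
    # RFC 7011 section 7: one length byte when < 255, else 0xFF followed by a 2-byte length.
    return (bytes([len(value)]) if len(value) < 255 else b"\xff" + struct.pack("!H", len(value))) + value

def encode_field(ie, value):
    if ie.length == VARIABLE:
        return encode_varlen(value.encode("utf-8"))
    if "IPv4" in ie.name:
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(ie.length, "big")

def decode_record(ies, data, offset):
    # Decode one Data Record starting at offset; returns (record, offset just past it).
    rec = {}
    for ie in ies:
        if ie.length == VARIABLE:
            n, offset = data[offset], offset + 1
            if n == 255:  # long form: the real length follows in the next two bytes
                n, offset = struct.unpack_from("!H", data, offset)[0], offset + 2
        else:
            n = ie.length
        chunk = data[offset:offset + n]
        if len(chunk) != n:
            raise ValueError("truncated Data Record")
        if ie.length == VARIABLE:
            rec[ie.name] = chunk.decode("utf-8")
        elif "IPv4" in ie.name:
            rec[ie.name] = str(ipaddress.IPv4Address(chunk))
        else:
            rec[ie.name] = int.from_bytes(chunk, "big")
        offset += n
    return rec, offset

def make_set(set_id, body):
    return struct.pack("!HH", set_id, 4 + len(body)) + body  # Set length includes its 4-byte header

def build_message(template_id, ies, records):
    # One Template Set, then one Data Set, inside a 16-byte IPFIX Message Header.
    sets = make_set(TEMPLATE_SET_ID, encode_template_record(template_id, ies))
    sets += make_set(template_id, b"".join(encode_field(ie, r[ie.name]) for r in records for ie in ies))
    # header: version, total length, export time, sequence number, observation domain (zeros constructed)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), 0, 0, 0) + sets

def parse_message(data, ies, template_id):
    # Walk the Sets and decode every Data Record carried under the given template ID.
    version, length = struct.unpack_from("!HH", data, 0)
    if version != IPFIX_VERSION or length != len(data):
        raise ValueError("not a well-formed IPFIX message")
    records, offset = [], 16
    while offset < length:
        set_id, set_len = struct.unpack_from("!HH", data, offset)
        if set_len < 4:
            raise ValueError("bad Set length")
        pos, end = offset + 4, offset + set_len
        if set_id == template_id:
            while pos < end:  # build_message emits no Set padding, so every byte is record data
                rec, pos = decode_record(ies, data, pos)
                records.append(rec)
        offset = end
    return records

SAMPLE_RECORD = {  # constructed sample values, not captured from a BIG-IP
    "action": "Drop", "bigipHostName": "bigip1.example.net", "observationTimeMilliseconds": 1700000000000,
    "destinationIPv4Address": "192.0.2.53", "queryName": "www.example.com", "messageSeverity": 4,
    "sourceIPv4Address": "198.51.100.7", "sourceTransportPort": 40123,
}
```

Calling build_message(DNS_SECURITY_TEMPLATE_ID, DNS_SECURITY_IES, [SAMPLE_RECORD]) and feeding the result to parse_message returns the same dictionary; a queryName of 255 bytes or more exercises the three-byte length form. The version check matters in practice: a collector that expects NetFlow v9 framing cannot locate the length prefix of a variable-length field, which is exactly why the templates above mark those IEs as omitted for that collector type.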

IPFIX template for DNS DoS

Information Element (IE)      ID           Size (Bytes)   Notes
action                        12276 - 39   Variable       This IE is omitted for NetFlow v9.
attackEvent                   12276 - 41   Variable       This IE is omitted for NetFlow v9.
attackId                      12276 - 20   4
attackName                    12276 - 21   Variable       This IE is omitted for NetFlow v9.
bigipHostName                 12276 - 10   Variable       This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address          12276 - 5    4
bigipMgmtIPv6Address          12276 - 6    16
contextName                   12276 - 9    Variable       This IE is omitted for NetFlow v9.
observationTimeMilliseconds   323          8
destinationIPv4Address        12           4
destinationIPv6Address        28           16
destinationTransportPort      11           2
deviceProduct                 12276 - 12   Variable       This IE is omitted for NetFlow v9.
deviceVendor                  12276 - 11   Variable       This IE is omitted for NetFlow v9.
deviceVersion                 12276 - 13   Variable       This IE is omitted for NetFlow v9.
queryName                     12276 - 7    Variable       This IE is omitted for NetFlow v9.
dnsQueryType                  12276 - 8    Variable       This IE is omitted for NetFlow v9.
errdefsMsgNo                  12276 - 4    4
flowId                        12276 - 3    8
ipfixMsgNo                    12276 - 16   4
messageSeverity               12276 - 1    1
partitionName                 12276 - 2    Variable       This IE is omitted for NetFlow v9.
ingressVRFID                  234          4
sourceIPv4Address             8            4
sourceIPv6Address             27           16
sourceTransportPort           7            2
vlanName                      12276 - 15   Variable       This IE is omitted for NetFlow v9.
msgName                       12276 - 14   Variable       This IE is omitted for NetFlow v9.
packetsDropped                12276 - 23   4
packetsReceived               12276 - 22   4