Manual Chapter : IPFIX templates for AFM SIP events

Applies To:


BIG-IP APM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Analytics

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP PEM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP DNS

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

Overview: IPFIX templates for AFM SIP events

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log F5’s Application Firewall Manager (AFM) events related to the Session Initiation Protocol (SIP). An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the acceptance of a SIP session.

About IPFIX information elements for AFM SIP events

Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager (AFM) SIP event.

IANA-defined IPFIX information elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.

Information Element (IE)     ID          Size (Bytes)
destinationIPv4Address       12          4
destinationIPv6Address       28          16
destinationTransportPort     11          2
ingressVRFID                 234         4
observationTimeMilliseconds  323         8
sourceIPv4Address            8           4
sourceIPv6Address            27          16
sourceTransportPort          7           2

IPFIX enterprise information elements

IPFIX provides for enterprises to define their own information elements (IEs). F5 currently uses the following non-standard IEs for AFM DNS events:

Information Element (IE)     ID          Size (Bytes)
action                       12276 - 39  Variable
attackEvent                  12276 - 41  Variable
attackId                     12276 - 20  4
attackName                   12276 - 21  Variable
bigipHostName                12276 - 10  Variable
bigipMgmtIPv4Address         12276 - 5   4
bigipMgmtIPv6Address         12276 - 6   16
contextName                  12276 - 9   Variable
deviceProduct                12276 - 12  Variable
deviceVendor                 12276 - 11  Variable
deviceVersion                12276 - 13  Variable
dnsQueryType                 12276 - 8   Variable
errdefsMsgNo                 12276 - 4   4
flowId                       12276 - 3   8
ipfixMsgNo                   12276 - 16  4
messageSeverity              12276 - 1   1
msgName                      12276 - 14  Variable
packetsDropped               12276 - 23  4
packetsReceived              12276 - 22  4
partitionName                12276 - 2   Variable
queryName                    12276 - 7   Variable
vlanName                     12276 - 15  Variable

IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.
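
As an added example (not F5 code and not part of the original manual), the Python below shows how a collector reads the enterprise IEs and variable-length fields described above, following RFC 7011: the enterprise bit and enterprise number in the template, and the 1-byte or 3-byte length prefix in the Data Record. The template and record bytes are constructed, use only four IEs from this page's tables, and decoding variable-length values as UTF-8 text is an assumption.

```python
import struct

F5_PEN = 12276   # enterprise number from the page's ID column ("12276 - N")
VARLEN = 0xFFFF  # RFC 7011: template length 65535 marks a variable-length IE
# Names from the page's tables, keyed by (enterprise number, element ID); 0 = IANA.
NAMES = {(0, 7): "sourceTransportPort", (F5_PEN, 1): "messageSeverity",
         (F5_PEN, 17): "sipMethodName", (F5_PEN, 18): "sipCaller"}

def parse_template_fields(buf, count):
    """Parse `count` field specifiers into [(pen, ie_id, length), ...]."""
    fields, off = [], 0
    for _ in range(count):
        ie_id, length = struct.unpack_from("!HH", buf, off)
        # Enterprise bit set: a 4-byte enterprise number follows the specifier.
        pen = struct.unpack_from("!I", buf, off + 4)[0] if ie_id & 0x8000 else 0
        off += 8 if ie_id & 0x8000 else 4
        fields.append((pen, ie_id & 0x7FFF, length))
    return fields

def decode_record(fields, rec):
    """Decode one data record; raise ValueError if a length overruns the buffer."""
    out, off = {}, 0
    for pen, ie_id, length in fields:
        variable = length == VARLEN
        if variable:  # length is carried in the record: 1 byte, or 255 + 2 bytes
            head = rec[off:off + 3]
            if not head or (head[0] == 255 and len(head) < 3):
                raise ValueError("record truncated inside length prefix")
            if head[0] < 255:
                length, off = head[0], off + 1
            else:
                length, off = int.from_bytes(head[1:], "big"), off + 3
        if off + length > len(rec):  # never trust an exporter-supplied length
            raise ValueError("field length overruns record")
        raw, off = rec[off:off + length], off + length
        name = NAMES.get((pen, ie_id), f"{pen}:{ie_id}")
        # Assumption: variable-length IEs carry text; fixed-size IEs are unsigned ints.
        out[name] = raw.decode("utf-8", "replace") if variable else int.from_bytes(raw, "big")
    return out

# Constructed sample (not captured traffic): a 4-field template and one record.
TEMPLATE = (struct.pack("!HH", 7, 2)                             # sourceTransportPort
            + struct.pack("!HHI", 0x8000 | 1, 1, F5_PEN)         # messageSeverity
            + struct.pack("!HHI", 0x8000 | 17, VARLEN, F5_PEN)   # sipMethodName
            + struct.pack("!HHI", 0x8000 | 18, VARLEN, F5_PEN))  # sipCaller
CALLER = b"sip:alice@example.com"
RECORD = (struct.pack("!HB", 5060, 4)                            # port, severity
          + b"\x06INVITE"                                        # 1-byte length form
          + b"\xff" + struct.pack("!H", len(CALLER)) + CALLER)   # 3-byte length form
```

A NetFlow v9 template has no equivalent of the 65535 length marker, which is why the variable-length IEs are dropped for those collectors.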

IPFIX template for SIP security

Information Element (IE)     ID          Size (Bytes)  Notes
action                       12276 - 39  Variable      This IE is omitted for NetFlow v9.
bigipHostName                12276 - 10  Variable      This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address         12276 - 5   4
bigipMgmtIPv6Address         12276 - 6   16
contextName                  12276 - 9   Variable      This IE is omitted for NetFlow v9.
observationTimeMilliseconds  323         8
destinationIPv4Address       12          4
destinationIPv6Address       28          16
destinationTransportPort     11          2
deviceProduct                12276 - 12  Variable      This IE is omitted for NetFlow v9.
deviceVendor                 12276 - 11  Variable      This IE is omitted for NetFlow v9.
deviceVersion                12276 - 13  Variable      This IE is omitted for NetFlow v9.
errdefsMsgNo                 12276 - 4   4
flowId                       12276 - 3   8
ipfixMsgNo                   12276 - 16  4
messageSeverity              12276 - 1   1
partitionName                12276 - 2   Variable      This IE is omitted for NetFlow v9.
ingressVRFID                 234         4
sipCallee                    12276 - 19  Variable      This IE is omitted for NetFlow v9.
sipCaller                    12276 - 18  Variable      This IE is omitted for NetFlow v9.
sipMethodName                12276 - 17  Variable      This IE is omitted for NetFlow v9.
sourceIPv4Address            8           4
sourceIPv6Address            27          16
sourceTransportPort          7           2
vlanName                     12276 - 15  Variable      This IE is omitted for NetFlow v9.
msgName                      12276 - 14  Variable      This IE is omitted for NetFlow v9.

IPFIX template for SIP DoS

Information Element (IE)     ID          Size (Bytes)  Notes
action                       12276 - 39  Variable      This IE is omitted for NetFlow v9.
attackEvent                  12276 - 41  Variable      This IE is omitted for NetFlow v9.
attackId                     12276 - 20  4
attackName                   12276 - 21  Variable      This IE is omitted for NetFlow v9.
bigipHostName                12276 - 10  Variable      This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address         12276 - 5   4
bigipMgmtIPv6Address         12276 - 6   16
contextName                  12276 - 9   Variable      This IE is omitted for NetFlow v9.
observationTimeMilliseconds  323         8
destinationIPv4Address       12          4
destinationIPv6Address       28          16
destinationTransportPort     11          2
deviceProduct                12276 - 12  Variable      This IE is omitted for NetFlow v9.
deviceVendor                 12276 - 11  Variable      This IE is omitted for NetFlow v9.
deviceVersion                12276 - 13  Variable      This IE is omitted for NetFlow v9.
errdefsMsgNo                 12276 - 4   4
flowId                       12276 - 3   8
ipfixMsgNo                   12276 - 16  4
messageSeverity              12276 - 1   1
partitionName                12276 - 2   Variable      This IE is omitted for NetFlow v9.
ingressVRFID                 234         4
sipCallee                    12276 - 19  Variable      This IE is omitted for NetFlow v9.
sipCaller                    12276 - 18  Variable      This IE is omitted for NetFlow v9.
sipMethodName                12276 - 17  Variable      This IE is omitted for NetFlow v9.
sourceIPv4Address            8           4
sourceIPv6Address            27          16
sourceTransportPort          7           2
vlanName                     12276 - 15  Variable      This IE is omitted for NetFlow v9.
msgName                      12276 - 14  Variable      This IE is omitted for NetFlow v9.
packetsDropped               12276 - 23  4
packetsReceived              12276 - 22  4