Manual Chapter :
Logging Network Firewall Events to IPFIX Collectors
Applies To:
Show VersionsBIG-IP APM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP Analytics
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP LTM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP PEM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP AFM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP DNS
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP ASM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Logging Network Firewall Events to IPFIX Collectors
Overview: Configuring IPFIX logging for AFM
You can configure the BIG-IP system to log information about Advanced Firewall Manager (AFM) processes and send the log messages to remote IPFIX collectors.
The BIG-IP system supports logging of AFM events over the IPFIX protocol. IPFIX logs are raw, binary-encoded strings with their fields and field lengths defined by IPFIX templates.
IPFIX collectors
are external devices that can receive IPFIX templates and use them to interpret IPFIX logs.Enabling IPFIX logging impacts BIG-IP system performance.
About the configuration objects of IPFIX logging for AFM
The configuration process involves creating and connecting the following configuration objects:
Object |
Reason |
Applies to |
---|---|---|
Pool of IPFIX collectors |
Create a pool of IPFIX collectors to which the BIG-IP system can send IPFIX log messages. |
Assembling a pool of IPFIX collectors. |
Destination |
Create a log destination to format the logs in IPFIX templates, and forward the logs to the IPFIX collectors. |
Creating an IPFIX log destination. |
Publisher |
Create a log publisher to send logs to a set of specified log destinations. |
Creating a publisher. |
Assembling a pool
of IPFIX collectors
Before creating a pool of IPFIX collectors, gather the IP addresses of the collectors
that you want to include in the pool. Ensure that the remote IPFIX collectors are
configured to listen to and receive log messages from the BIG-IP system.
You can create a pool of IPFIX collectors to
which the system can send IPFIX log messages.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- Using theNew Memberssetting, add the IP address for each IPFIX collector that you want to include in the pool:
- Type the collector's IP address in theAddressfield, or select a node address from theNode List.
- Type a port number in theService Portfield.By default, IPFIX collectors listen on UDP or TCP port4739and Netflow V9 devices listen on port2055, though the port is configurable at each collector.
- ClickAdd.
- ClickFinished.
Creating an IPFIX log destination
A log destination of the
IPFIX
type specifies that log
messages are sent to a pool of IPFIX collectors. Use these steps to create a log
destination for IPFIX collectors.- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, selectIPFIX.
- From theProtocollist, selectIPFIXorNetflow V9, depending on the type of collectors you have in the pool.
- From thePool Namelist, select an LTM pool of IPFIX collectors.
- From theTransport Profilelist, selectTCP,UDP, or any customized profile derived from TCP or UDP.
- TheTemplate Retransmit Intervalis the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if theTransport Profileis aUDPprofile.AnIPFIX templatedefines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.
- TheTemplate Delete Delayis the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
- TheServer SSL Profileapplies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if theTransport Profileis aTCPprofile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration.SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
- ClickFinished.
Creating a publisher
Ensure that at least one destination associated with a pool of remote log servers
exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for
specific resources.
- On the Main tab, click.The Log Publishers screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this publisher.
- For theDestinationssetting, select a destination from theAvailablelist, and move the destination to theSelectedlist.If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set thelogpublisher.atomicdb key tofalse. If all the remote high-speed log (HSL) destinations are down (unavailable), setting thelogpublisher.atomicdb key tofalsewill not work to allow the logs to be written to local-syslog. Thelogpublisher.atomicdb key has no effect on local-syslog.
- ClickFinished.
Creating a custom Network Firewall Logging profile
You create a custom Logging profile
to log messages about BIG-IP system Network Firewall events.
- On the Main tab, click.The Logging Profiles list screen opens.
- ClickCreate.The Create New Logging Profile screen opens.
- In theNamefield, type a unique name for the profile.
- Select theNetwork Firewallcheck box.
- If you want to enable optional subscriber ID logging:
- Select theNetwork Address Translationcheck box.
- Then in the Network Address Translation area, select theLog Subscriber IDcheck box.
- ClickNetwork Firewall.
- In the Network Firewall area, from thePublisherlist, select the IPFIX publisher the BIG-IP system uses to log Network Firewall events.
- Set anAggregate Rate Limitto define a rate limit for all combined network firewall log messages per second.Beyond this rate limit, log messages are not logged.Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
- For theLog Rule Matchessetting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.OptionEnables or disables logging of packets that match ACL rules configured with:Acceptaction=AcceptDropaction=DropRejectaction=RejectWhen an option is selected, you can configure a rate limit for log messages of that type.
- Select theLog IP Errorscheck box, to enable logging of IP error packets.When this setting is enabled, you can configure a rate limit for log messages of this type.
- Select theLog TCP Errorscheck box, to enable logging of TCP error packets.When this is enabled, you can configure a rate limit for log messages of this type.
- Select theLog TCP Eventscheck box, to enable logging of open and close of TCP sessions.When this is enabled, you can configure a rate limit for log messages of this type.
- Enable theLog Translation Fieldssetting to log both the original IP address and the NAT-translated IP address for Network Firewall log events.
- Enable theLog Geolocation IP Addresssetting to specify that when a geolocation event causes a network firewall action, the associated IP address is logged.
- From theStorage Formatlist, select how the BIG-IP system formats the log.OptionDescriptionNoneSpecifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example:"management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reasonField-ListAllows you to:
- Select, from a list, the fields to be included in the log.
- Specify the order the fields display in the log.
- Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
User-DefinedAllows you to:- Select, from a list, the fields to be included in the log.
- Cut and paste, in a string of text, the order the fields display in the log.
- In the IP Intelligence area, from thePublisherlist, select the publisher that the BIG-IP system uses to log source IP addresses, which are identified and configured for logging by an IP Intelligence policy.The IP Address Intelligence feature must be enabled and licensed.
- Set anAggregate Rate Limitto define a rate limit for all combined IP Intelligence log messages per second.Beyond this rate limit, log messages are not logged.Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
- Enable theLog Translation Fieldssetting to log both the original IP address and the NAT-translated IP address for IP Intelligence log events.
- In the Traffic Statistics area, from thePublisherlist, select the publisher that the BIG-IP system uses to log traffic statistics.
- For theLog Timer Eventssetting, enableActive Flowsto log the number of active flows each second.
- For theLog Timer Eventssetting, enableReaped Flowsto log the number of reaped flows, or connections that are not established because of system resource usage levels.
- For theLog Timer Eventssetting, enableMissed Flowsto log the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
- For theLog Timer Eventssetting, enableSYN Cookie (Per Session Challenge)to log the number of SYN cookie challenges generated each second.
- For theLog Timer Eventssetting, enableSYN Cookie (White-listed Clients)to log the number of SYN cookie clients whitelisted each second.
- ClickFinished.
Configuring an LTM
virtual server for Network Firewall event logging with IPFIX
Ensure that at least one log publisher exists on the BIG-IP system.
Assign a custom Network Firewall Logging profile
to a virtual server when you want the BIG-IP system to log Network Firewall events to
IPFIX collectors on the traffic that the virtual server processes.
This task
applies only to LTM-provisioned systems.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- On the menu bar, click.The screen displays policy settings for the virtual server.
- In theLog Profilesetting, selectEnabled. Then, select one or more profiles that log specific events to IPFIX collectors, and move them from theAvailablelist to theSelectedlist.To log global, self IP, and route domain contexts, you must enable a Publisher in theglobal-networkprofile.
- ClickUpdateto save the changes.
Implementation result
Now you have an implementation in which the BIG-IP system logs messages about AFM events and sends the log messages to a pool of IPFIX collectors.
Network firewall events are logged only for rules or policies for which logging is enabled.