Manual Chapter : IPFIX Templates for AFM Events

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Link Controller

  • 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Manual Chapter

IPFIX Templates for AFM Events

Overview: IPFIX Templates for AFM events

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log the F5 Application Firewall Manager (AFM) events. An
IE
is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An
IPFIX template
is an ordered collection of specific IEs used to record one IP event, such as the acceptance of a network packet.

About IPFIX Information Elements for AFM events

Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager(AFM) event.

IANA-defined IPFIX information elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.
Information Element (IE)
ID
Size (Bytes)
destinationIPv4Address
12
4
destinationIPv6Address
28
16
destinationTransportPort
11
2
ingressVRFID
234
4
observationTimeMilliseconds
323
8
sourceIPv4Address
8
4
sourceIPv6Address
27
16
sourceTransportPort
7
2

IPFIX enterprise information elements

IPFIX provides for enterprises to define their own information elements (IEs). F5 currently uses the following non-standard IEs for AFM DNS events:
Information Element (IE)
ID
Size (Bytes)
action
12276 - 39
Variable
attackEvent
12276 - 41
Variable
attackId
12276 - 20
4
attackName
12276 - 21
Variable
bigipHostName
12276 - 10
Variable
bigipMgmtIPv4Address
12276 - 5
4
bigipMgmtIPv6Address
12276 - 6
16
contextName
12276 - 9
Variable
deviceProduct
12276 - 12
Variable
deviceVendor
12276 - 11
Variable
deviceVersion
12276 - 13
Variable
dnsQueryType
12276 - 8
Variable
errdefsMsgNo
12276 - 4
4
flowId
12276 - 3
8
ipfixMsgNo
12276 - 16
4
messageSeverity
12276 - 1
1
msgName
12276 - 14
Variable
packetsDropped
12276 - 23
4
packetsReceived
12276 - 22
4
partitionName
12276 - 2
Variable
queryName
12276 - 7
Variable
vlanName
12276 - 15
Variable
IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

About individual IPFIX Templates for each AFM DNS event

This section enumerates the IPFIX templates used by F5 to publish AFM DNS Events.

Network accept or deny

This IPFIX template is used whenever a network packet is accepted or denied by an AFM firewall.
Information Element (IE)
ID
Size (Bytes)
Notes
aclPolicyName
12276 - 26
Variable
This IE is omitted for NetFlow v9.
aclPolicyType
12276 - 25
Variable
This IE is omitted for NetFlow v9.
aclRuleName
12276 - 38
Variable
This IE is omitted for NetFlow v9.
action
12276 - 39
Variable
This IE is omitted for NetFlow v9.
bigipHostName
12276 - 10
Variable
This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address
12276 - 5
4
bigipMgmtIPv6Address
12276 - 6
16
contextName
12276 - 9
Variable
This IE is omitted for NetFlow v9.
contextType
12276 - 24
Variable
This IE is omitted for NetFlow v9.
observationTimeMilliseconds
323
8
destinationFqdn
12276 - 99
Variable
This IE is omitted for NetFlow v9.
destinationGeo
12276 - 43
Variable
This IE is omitted for NetFlow v9.
destinationIPv4Address
12
4
destinationIPv6Address
28
16
destinationTransportPort
11
2
deviceProduct
12276 - 12
Variable
This IE is omitted for NetFlow v9.
deviceVendor
12276 - 11
Variable
This IE is omitted for NetFlow v9.
deviceVersion
12276 - 13
Variable
This IE is omitted for NetFlow v9.
dropReason
12276 - 40
Variable
This IE is omitted for NetFlow v9.
msgName
12276 - 14
Variable
This IE is omitted for NetFlow v9.
errdefsMsgNo
12276 - 4
4
flowId
12276 - 3
8
ipfixMsgNo
12276 - 16
4
protocolIdentifier
4
1
messageSeverity
12276 - 1
1
partitionName
12276 - 2
Variable
This IE is omitted for NetFlow v9.
ingressVRFID
234
4
saTransPool
12276 - 37
Variable
This IE is omitted for NetFlow v9.
saTransType
12276 - 36
Variable
This IE is omitted for NetFlow v9.
sourceFqdn
12276 - 98
Variable
This IE is omitted for NetFlow v9.
sourceGeo
12276 - 44
Variable
This IE is omitted for NetFlow v9.
sourceIPv4Address
8
4
sourceIPv6Address
27
16
sourceTransportPort
7
2
sourceUser
12276 - 93
Variable
This IE is omitted for NetFlow v9.
transDestinationIPv4Address
12276 - 31
4
transDestinationIPv6Address
12276 - 32
16
transDestinationPort
12276 - 33
2
transIpProtocol
12276 - 27
1
transRouteDomain
12276 - 35
4
transSourceIPv4Address
12276 - 28
4
transSourceIPv6Address
12276 - 29
16
transSourcePort
12276 - 30
2
transVlanName
12276 - 34
Variable
This IE is omitted for NetFlow v9.
vlanName
12276 - 15
Variable
This IE is omitted for NetFlow v9.

DoS device

Information Element (IE)
ID
Size (Bytes)
Notes
action
12276 - 39
Variable
This IE is omitted for NetFlow v9.
bigipHostName
12276 - 10
Variable
This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address
12276 - 5
4
bigipMgmtIPv6Address
12276 - 6
16
contextName
12276 - 9
Variable
This IE is omitted for NetFlow v9.
observationTimeMilliseconds
323
8
destinationIPv4Address
12
4
destinationIPv6Address
28
16
destinationTransportPort
11
2
deviceProduct
12276 - 12
Variable
This IE is omitted for NetFlow v9.
deviceVendor
12276 - 11
Variable
This IE is omitted for NetFlow v9.
deviceVersion
12276 - 13
Variable
This IE is omitted for NetFlow v9.
dosAttackEvent
12276 - 41
Variable
This IE is omitted for NetFlow v9.
dosAttackId
12276 - 20
4
dosAttackName
12276 - 21
Variable
This IE is omitted for NetFlow v9.
dosPacketsDropped
12276 - 23
4
dosPacketsReceived
12276 - 22
4
msgName
12276 - 14
Variable
This IE is omitted for NetFlow v9.
errdefsMsgNo
12276 - 4
4
flowId
12276 - 3
8
ipfixMsgNo
12276 - 16
4
messageSeverity
12276 - 1
1
partitionName
12276 - 2
Variable
This IE is omitted for NetFlow v9.
ingressVRFID
234
4
sourceIPv4Address
8
4
sourceIPv6Address
27
16
sourceTransportPort
7
2
vlanName
12276 - 15
Variable
This IE is omitted for NetFlow v9.

IP intelligence

Information Element (IE)
ID
Size (Bytes)
Notes
action
12276 - 39
Variable
This IE is omitted for NetFlow v9.
attackType
12276 - 46
Variable
This IE is omitted for NetFlow v9.
bigipHostName
12276 - 10
Variable
This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address
12276 - 5
4
bigipMgmtIPv6Address
12276 - 6
16
contextName
12276 - 9
Variable
This IE is omitted for NetFlow v9.
contextType
12276 - 24
Variable
This IE is omitted for NetFlow v9.
observationTimeMilliseconds
323
8
destinationIPv4Address
12
4
destinationIPv6Address
28
16
destinationTransportPort
11
2
deviceProduct
12276 - 12
Variable
This IE is omitted for NetFlow v9.
deviceVendor
12276 - 11
Variable
This IE is omitted for NetFlow v9.
deviceVersion
12276 - 13
Variable
This IE is omitted for NetFlow v9.
msgName
12276 - 14
Variable
This IE is omitted for NetFlow v9.
errdefsMsgNo
12276 - 4
4
flowId
12276 - 3
8
ipfixMsgNo
12276 - 16
4
ipintelligencePolicyName
12276 - 45
Variable
This IE is omitted for NetFlow v9.
ipintelligenceThreatName
12276 - 42
Variable
This IE is omitted for NetFlow v9.
protocolIdentifier
4
1
messageSeverity
12276 - 1
1
partitionName
12276 - 2
Variable
This IE is omitted for NetFlow v9.
ingressVRFID
234
4
saTransPool
12276 - 37
Variable
This IE is omitted for NetFlow v9.
saTransType
12276 - 36
Variable
This IE is omitted for NetFlow v9.
sourceIPv4Address
8
4
sourceIPv6Address
27
16
sourceTransportPort
7
2
transDestinationIPv4Address
12276 - 31
4
transDestinationIPv6Address
12276 - 32
16
transDestinationPort
12276 - 33
2
transIpProtocol
12276 - 27
1
transRouteDomain
12276 - 35
4
transSourceIPv4Address
12276 - 28
4
transSourceIPv6Address
12276 - 29
16
transSourcePort
12276 - 30
2
transVlanName
12276 - 34
Variable
This IE is omitted for NetFlow v9.
vlanName
12276 - 15
Variable
This IE is omitted for NetFlow v9.

Log Throttle

Information Element (IE)
ID
Size (Bytes)
Notes
bigipHostName
12276 - 10
Variable
This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address
12276 - 5
4
bigipMgmtIPv6Address
12276 - 6
16
observationTimeMilliseconds
323
8
deviceProduct
12276 - 12
Variable
This IE is omitted for NetFlow v9.
deviceVendor
12276 - 11
Variable
This IE is omitted for NetFlow v9.
deviceVersion
12276 - 13
Variable
This IE is omitted for NetFlow v9.
msgName
12276 - 14
Variable
This IE is omitted for NetFlow v9.
errdefsMsgNo
12276 - 4
4
ipfixMsgNo
12276 - 16
4
messageSeverity
12276 - 1
1
contextType
12276 - 24
Variable
This IE is omitted for NetFlow v9.
contextName
12276 - 9
Variable
This IE is omitted for NetFlow v9.
logprofileName
12276 - 95
Variable
This IE is omitted for NetFlow v9.
logMsgName
12276 - 97
Variable
This IE is omitted for NetFlow v9.
logMsgDrops
12276 - 96
4