Applies to BIG-IP versions: 16.0.1, 15.1.0
Logging DNS DoS Events to IPFIX Collectors
Overview: Configuring IPFIX logging for DNS DoS
Three objects work together: a pool of IPFIX collectors, a log destination, and a log publisher.
- Create a pool of IPFIX collectors to which the BIG-IP system can send IPFIX log messages.
- Create a log destination to format the logs in IPFIX templates and forward the logs to the IPFIX collectors.
- Create a log publisher to send logs to a set of specified log destinations.
Perform these tasks to configure IPFIX logging of DNS DoS events on the BIG-IP system.
Assemble a pool of IPFIX collectors
- On the Main tab, click the Pools menu item. The Pool List screen opens.
- Click Create. The New Pool screen opens.
- In the Name field, type a unique name for the pool.
- Using the New Members setting, add the IP address for each IPFIX collector that you want to include in the pool:
  - Type the collector's IP address in the Address field, or select a node address from the Node List.
  - Type a port number in the Service Port field. By default, IPFIX collectors listen on UDP or TCP port 4739 and Netflow V9 devices listen on port 2055, though the port is configurable at each collector.
Create an IPFIX log destination
- On the Main tab, click the Log Destinations menu item. The Log Destinations screen opens.
- In the Name field, type a unique, identifiable name for this destination.
- From the Type list, select IPFIX.
- From the Protocol list, select IPFIX or Netflow V9, depending on the type of collectors you have in the pool.
- From the Pool Name list, select an LTM pool of IPFIX collectors.
- From the Transport Profile list, select TCP, UDP, or any customized profile derived from TCP or UDP.
- The Template Retransmit Interval is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the Transport Profile is a UDP profile. An IPFIX template defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template. The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy: a collector that misses the template cannot decode any log records that reference its template ID until the next retransmission.
- The Template Delete Delay is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
- The Server SSL Profile applies Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the Transport Profile is a TCP profile. Choose an SSL profile that matches the IPFIX collectors' SSL/TLS configuration. SSL or TLS requires extra processing and therefore slows the connection, so we only recommend it for sites where the connections to the IPFIX collectors have a potential security risk.
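The template mechanism described above (a template set carrying field types and byte lengths, a template ID stamped into each data set, periodic retransmission over UDP) is standard IPFIX (RFC 7011). The following is an added example, not F5's code and not the BIG-IP's real DNS DoS template: a minimal Python collector that caches templates per observation domain and can only decode a data set once the matching template has arrived. The `simulate` function constructs an exporter's template message and a data message, and shows what happens when the UDP datagram carrying the template is lost and the data is only recoverable after the retransmission. Information element IDs 8, 12 and 1 are real IANA IDs (sourceIPv4Address, destinationIPv4Address, octetDeltaCount), chosen here only for illustration.

```python
import struct

TEMPLATE_SET_ID = 2  # RFC 7011: set ID 2 carries templates; data sets use IDs >= 256


def build_message(sets, export_time=0, seq=0, domain=1):
    """Wrap IPFIX sets in a 16-byte version-10 message header (sequence numbering simplified)."""
    body = b"".join(sets)
    header = struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain)
    return header + body


def build_template_set(template_id, fields):
    """fields: list of (information_element_id, byte_length)."""
    rec = struct.pack("!HH", template_id, len(fields))
    rec += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec


def build_data_set(template_id, records):
    payload = b"".join(records)
    return struct.pack("!HH", template_id, 4 + len(payload)) + payload


class Collector:
    """Toy IPFIX collector: templates are keyed by (observation domain, template ID);
    a data set whose template is unknown is counted as undecodable and dropped."""

    def __init__(self):
        self.templates = {}
        self.decoded = []
        self.undecodable_sets = 0

    def feed(self, msg):
        version, length, _export_time, _seq, domain = struct.unpack("!HHIII", msg[:16])
        if version != 10 or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        off = 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            if set_len < 4 or off + set_len > length:
                raise ValueError("bad set length")
            body = msg[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._learn_templates(domain, body)
            elif set_id >= 256:
                self._decode_data(domain, set_id, body)
            # options templates (set ID 3) and reserved IDs are ignored in this example
            off += set_len

    def _learn_templates(self, domain, body):
        off = 0
        while off + 4 <= len(body):  # trailing padding (< 4 bytes) is skipped
            tid, count = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(count):
                ie, ln = struct.unpack("!HH", body[off:off + 4])
                off += 4
                if ie & 0x8000:  # enterprise-specific IE: a 4-byte enterprise number follows
                    ie &= 0x7FFF
                    off += 4
                fields.append((ie, ln))
            self.templates[(domain, tid)] = fields  # a retransmitted template simply overwrites

    def _decode_data(self, domain, tid, body):
        fields = self.templates.get((domain, tid))
        if fields is None:
            self.undecodable_sets += 1  # template never seen: records cannot even be delimited
            return
        rec_len = sum(ln for _, ln in fields)  # fixed-length fields only in this example
        off = 0
        while off + rec_len <= len(body):
            rec = {ie: body[off + pos:off + pos + ln]
                   for pos, (ie, ln) in zip(_offsets(fields), fields)}
            self.decoded.append(rec)
            off += rec_len


def _offsets(fields):
    pos, out = 0, []
    for _, ln in fields:
        out.append(pos)
        pos += ln
    return out


def simulate(lose_first_template):
    """Returns (undecodable sets before retransmission, records decoded in total)."""
    tid = 256
    fields = [(8, 4), (12, 4), (1, 8)]
    template_msg = build_message([build_template_set(tid, fields)], seq=0)
    record = bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 5]) + struct.pack("!Q", 512)
    data_msg = build_message([build_data_set(tid, [record, record])], seq=1)
    c = Collector()
    if not lose_first_template:
        c.feed(template_msg)
    c.feed(data_msg)
    lost_before = c.undecodable_sets
    c.feed(template_msg)  # the exporter's periodic template retransmission
    c.feed(data_msg)
    return lost_before, len(c.decoded)


if __name__ == "__main__":
    print("template delivered:", simulate(False))
    print("template lost once:", simulate(True))
```

With the template delivered, both data messages decode (two records each); with the first template datagram lost, the first data set is undecodable and only the records sent after the retransmission are recovered. This is the blind window the Template Retransmit Interval bounds on UDP; a TCP transport profile avoids it because the template cannot be lost without the connection failing.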
Create a publisher
- On the Main tab, click the Log Publishers menu item. The Log Publishers screen opens.
- In the Name field, type a unique, identifiable name for this publisher.
- For the Destinations setting, select a destination from the Available list, and move the destination to the Selected list. If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination; unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db key to false. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the logpublisher.atomic db key to false does not allow the logs to be written to local-syslog; the logpublisher.atomic db key has no effect on local-syslog.
Create a custom DNS DoS protection logging profile
- On the Main tab, click the Logging Profiles menu item. The Logging Profiles list screen opens.
- Click Create. The Create New Logging Profile screen opens.
- In the Profile Name field, type a unique name for the logging profile.
- In the Logging Profile Properties, select the DoS Protection check box. The DoS Protection tab opens.
- In the DNS DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log DNS DoS events. You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
- Click Create. The logging profile is created.