Manual Chapter :
IPFIX Templates for PEM Events
Applies To:
Show Versions
BIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1
BIG-IP PEM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
IPFIX Templates for PEM Events
Overview: IPFIX templates for PEM events
The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This
appendix defines the IPFIX Information Elements (IEs) and templates used to log F5
Policy Enforcement Manager™ (PEM™) events. An
IE
is the smallest form of useful information in an IPFIX log message, such as an
IP address or a timestamp for the event. An IPFIX template
is an ordered collection
of specific IEs used to record one IP event, such as the acceptance of a network packet. In PEM,
the IPFIX publisher delivers PEM records at the session, flow, and transaction level.About IPFIX
Information Elements for PEM events
Information Elements (IEs) are individual fields in an IPFIX template.
An IPFIX template describes a single Policy
Enforcement Manager(PEM) event.
IANA-defined IPFIX
information elements
IANA maintains a list of standard IPFIX information elements (IEs), each
with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these
IEs to publish AFM DNS events. This subset is summarized in the table.
Information Element (IE) |
ID |
Size (Bytes) |
|---|---|---|
destinationIPv4Address |
12 |
4 |
destinationIPv6Address |
28 |
16 |
destinationTransportPort |
11 |
2 |
ingressVRFID |
234 |
4 |
observationTimeMilliseconds |
323 |
8 |
sourceIPv4Address |
8 |
4 |
sourceIPv6Address |
27 |
16 |
sourceTransportPort |
7 |
2 |
IPFIX enterprise
information elements
IPFIX provides for enterprises to define their own information elements
(IEs). F5 currently uses the following non-standard IEs for AFM DNS events:
Information Element (IE) |
ID |
Size (Bytes) |
|---|---|---|
action |
12276 - 39 |
Variable |
attackEvent |
12276 - 41 |
Variable |
attackId |
12276 - 20 |
4 |
attackName |
12276 - 21 |
Variable |
bigipHostName |
12276 - 10 |
Variable |
bigipMgmtIPv4Address |
12276 - 5 |
4 |
bigipMgmtIPv6Address |
12276 - 6 |
16 |
contextName |
12276 - 9 |
Variable |
deviceProduct |
12276 - 12 |
Variable |
deviceVendor |
12276 - 11 |
Variable |
deviceVersion |
12276 - 13 |
Variable |
dnsQueryType |
12276 - 8 |
Variable |
errdefsMsgNo |
12276 - 4 |
4 |
flowId |
12276 - 3 |
8 |
ipfixMsgNo |
12276 - 16 |
4 |
messageSeverity |
12276 - 1 |
1 |
msgName |
12276 - 14 |
Variable |
packetsDropped |
12276 - 23 |
4 |
packetsReceived |
12276 - 22 |
4 |
partitionName |
12276 - 2 |
Variable |
queryName |
12276 - 7 |
Variable |
vlanName |
12276 - 15 |
Variable |
IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded
within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot
correctly process variable-length IEs, so they are omitted from logs sent to those collector
types.
IPFIX Templates for PEM Events
Session logs
This IPFIX template is used for session records used for HSL reporting.
Information Element (IE) |
ID |
Size (Bytes) |
Notes |
|---|---|---|---|
reportId |
12276 - 55 |
4 |
|
observationTimeSeconds |
12276 - 90 |
8 |
|
timestampMsec |
12276 - 91 |
2 |
|
recordType |
12276 - 54 |
1 |
|
subscriberId |
12276 - 71 |
Variable |
This IE is omitted for NetFlow v9. |
subscriberIdType |
12276 - 72 |
Variable |
This IE is omitted for NetFlow v9. |
3gppParameters |
12276 - 57 |
Variable |
This IE is omitted for NetFlow v9. |
applicationCategoryId |
12276 - 48 |
2 |
|
lastRecordSent |
12276 - 63 |
8 |
|
uplinkVolume |
12276 - 89 |
8 |
|
downlinkVolume |
12276 - 88 |
8 |
|
concurrentFlows |
12276 - 59 |
2 |
|
newFlows |
12276 - 64 |
2 |
|
terminatedFlows |
12276 - 69 |
2 |
|
totalTransactions |
12276 - 73 |
2 |
|
successfulTransactions |
12276 - 68 |
4 |
|
durationSec |
12276 - 60 |
2 |
|
recordReason |
12276 - 66 |
1 |
|
reportVersion |
12276 - 56 |
Variable |
This IE is omitted for NetFlow v9. |
Flow logs
This IPFIX template is used for flow records used for HSL reporting.
Information Element (IE) |
ID |
Size (Bytes) |
Notes |
|---|---|---|---|
reportId |
12276 - 55 |
4 |
|
observationTimeSeconds |
12276 - 90 |
8 |
|
timestampMsec |
12276 - 91 |
2 |
|
recordType |
12276 - 54 |
1 |
|
subscriberId |
12276 - 71 |
Variable |
This IE is omitted for NetFlow v9. |
subscriberIdType |
12276 - 72 |
Variable |
This IE is omitted for NetFlow v9. |
sourceIPv4Address |
8 |
4 |
|
sourceIPv6Address |
27 |
16 |
|
sourceTransportPort |
7 |
2 |
|
destinationIPv4Address |
12 |
4 |
|
destinationIPv6Address |
28 |
16 |
|
destinationTransportPort |
11 |
2 |
|
protocolIdentifier |
4 |
1 |
|
applicationCategoryId |
12276 - 48 |
2 |
|
urlCategoryId |
12276 - 87 |
2 |
|
flowStartSeconds |
12276 - 51 |
8 |
|
flowStartMilliSeconds |
12276 - 50 |
2 |
|
flowStopSeconds |
12276 - 53 |
8 |
|
flowStopMilliSeconds |
12276 - 52 |
2 |
|
totalTransactions |
12276 - 73 |
2 |
|
uplinkVolume |
12276 - 89 |
8 |
|
downlinkVolume |
12276 - 88 |
8 |
|
reportVersion |
12276 - 56 |
Variable |
This IE is omitted for NetFlow v9. |
ingressVRFID |
234 |
4 |
|
vlanId |
12276 - 92 |
2 |
Transaction logs
This IPFIX template is used for transactional records used for HSL reporting.
Information Element (IE) |
ID |
Size (Bytes) |
Notes |
|---|---|---|---|
reportId |
12276 - 55 |
4 |
|
recordType |
12276 - 54 |
1 |
|
reportVersion |
12276 - 56 |
Variable |
This IE is omitted for NetFlow v9. |
transactionNumber |
12276 - 81 |
2 |
|
subscriberId |
12276 - 71 |
Variable |
This IE is omitted for NetFlow v9. |
subscriberIdType |
12276 - 72 |
Variable |
This IE is omitted for NetFlow v9. |
sourceIPv4Address |
8 |
4 |
|
sourceIPv6Address |
27 |
16 |
|
sourceTransportPort |
7 |
2 |
|
destinationIPv4Address |
12 |
4 |
|
destinationIPv6Address |
28 |
16 |
|
destinationTransportPort |
11 |
2 |
|
protocolIdentifier |
4 |
1 |
|
ingressVRFID |
234 |
4 |
|
vlanId |
12276 - 92 |
2 |
|
applicationCategoryId |
12276 - 48 |
2 |
|
urlCategoryId |
12276 - 87 |
2 |
|
classification |
12276 - 49 |
Variable |
This IE is omitted for NetFlow v9. |
transactionStartSeconds |
12276 - 84 |
8 |
|
transactionStartMilliSeconds |
12276 - 83 |
2 |
|
transactionStopSeconds |
12276 - 86 |
8 |
|
transactionStopMilliSeconds |
12276 - 85 |
2 |
|
uplinkVolume |
12276 - 89 |
8 |
|
downlinkVolume |
12276 - 88 |
8 |
|
skippedTransactions |
12276 - 82 |
2 |
|
httpResponseCode |
12276 - 76 |
2 |
|
httpHostnameTruncated |
12276 - 75 |
1 |
|
httpHostname |
12276 - 74 |
Variable |
This IE is omitted for NetFlow v9. |
httpUserAgentTruncated |
12276 - 80 |
1 |
|
httpUserAgent |
12276 - 79 |
Variable |
This IE is omitted for NetFlow v9. |
httpUrlTruncated |
12276 - 78 |
1 |
|
httpUrl |
12276 - 77 |
Variable |
This IE is omitted for NetFlow v9. |
