Manual Chapter : IPFIX templates for AFM SIP events

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.0.1, 14.0.0
Manual Chapter

IPFIX templates for AFM SIP events

Overview: IPFIX templates for AFM SIP events

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log F5’s Application Firewall Manager (AFM) events related to the Session Initiation Protocol (SIP). An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the acceptance of a SIP session.

About IPFIX information elements for AFM SIP events

Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager (AFM) SIP event.

IANA-defined IPFIX information elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.

Information Element (IE) ID Size (Bytes)
destinationIPv4Address 12 4
destinationIPv6Address 28 16
destinationTransportPort 11 2
ingressVRFID 234 4
observationTimeMilliseconds 323 8
sourceIPv4Address 8 4
sourceIPv6Address 27 16
sourceTransportPort 7 2

IPFIX enterprise information elements

IPFIX provides for enterprises to define their own information elements (IEs). F5 currently uses the following non-standard IEs for AFM DNS events:

Information Element (IE) ID Size (Bytes)
action 12276 - 39 Variable
attackEvent 12276 - 41 Variable
attackId 12276 - 20 4
attackName 12276 - 21 Variable
bigipHostName 12276 - 10 Variable
bigipMgmtIPv4Address 12276 - 5 4
bigipMgmtIPv6Address 12276 - 6 16
contextName 12276 - 9 Variable
deviceProduct 12276 - 12 Variable
deviceVendor 12276 - 11 Variable
deviceVersion 12276 - 13 Variable
dnsQueryType 12276 - 8 Variable
errdefsMsgNo 12276 - 4 4
flowId 12276 - 3 8
ipfixMsgNo 12276 - 16 4
messageSeverity 12276 - 1 1
msgName 12276 - 14 Variable
packetsDropped 12276 - 23 4
packetsReceived 12276 - 22 4
partitionName 12276 - 2 Variable
queryName 12276 - 7 Variable
vlanName 12276 - 15 Variable
Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

IPFIX templates for AFM SIP events

IPFIX template for SIP security

Information Element (IE) ID Size (Bytes) Notes
action 12276 - 39 Variable This IE is omitted for NetFlow v9.
bigipHostName 12276 - 10 Variable This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address 12276 - 5 4  
bigipMgmtIPv6Address 12276 - 6 16  
contextName 12276 - 9 Variable This IE is omitted for NetFlow v9.
observationTimeMilliseconds 323 8  
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
deviceProduct 12276 - 12 Variable This IE is omitted for NetFlow v9.
deviceVendor 12276 - 11 Variable This IE is omitted for NetFlow v9.
deviceVersion 12276 - 13 Variable This IE is omitted for NetFlow v9.
errdefsMsgNo 12276 - 4 4  
flowId 12276 - 3 8  
ipfixMsgNo 12276 - 16 4  
messageSeverity 12276 - 1 1  
partitionName 12276 - 2 Variable This IE is omitted for NetFlow v9.
ingressVRFID 234 4  
sipCallee 12276 - 19 Variable This IE is omitted for NetFlow v9.
sipCaller 12276 - 18 Variable This IE is omitted for NetFlow v9.
sipMethodName 12276 - 17 Variable This IE is omitted for NetFlow v9.
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
vlanName 12276 - 15 Variable This IE is omitted for NetFlow v9.
msgName 12276 - 14 Variable This IE is omitted for NetFlow v9.

IPFIX template for SIP DoS

Information Element (IE) ID Size (Bytes) Notes
action 12276 - 39 Variable This IE is omitted for NetFlow v9.
attackEvent 12276 - 41 Variable This IE is omitted for NetFlow v9.
attackId 12276 - 20 4  
attackName 12276 - 21 Variable This IE is omitted for NetFlow v9.
bigipHostName 12276 - 10 Variable This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address 12276 - 5 4  
bigipMgmtIPv6Address 12276 - 6 16  
contextName 12276 - 9 Variable This IE is omitted for NetFlow v9.
observationTimeMilliseconds 323 8  
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
deviceProduct 12276 - 12 Variable This IE is omitted for NetFlow v9.
deviceVendor 12276 - 11 Variable This IE is omitted for NetFlow v9.
deviceVersion 12276 - 13 Variable This IE is omitted for NetFlow v9.
errdefsMsgNo 12276 - 4 4  
flowId 12276 - 3 8  
ipfixMsgNo 12276 - 16 4  
messageSeverity 12276 - 1 1  
partitionName 12276 - 2 Variable This IE is omitted for NetFlow v9.
ingressVRFID 234 4  
sipCallee 12276 - 19 Variable This IE is omitted for NetFlow v9.
sipCaller 12276 - 18 Variable This IE is omitted for NetFlow v9.
sipMethodName 12276 - 17 Variable This IE is omitted for NetFlow v9.
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
vlanName 12276 - 15 Variable This IE is omitted for NetFlow v9.
msgName 12276 - 14 Variable This IE is omitted for NetFlow v9.
packetsDropped 12276 - 23 4  
packetsReceived 12276 - 22 4