F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP AFM
  4. BIG-IP Systems: DoS Protection and Protocol Firewall Implementations
  5. About Logging DNS DoS Events to IPFIX Collectors
Manual Chapter : About Logging DNS DoS Events to IPFIX Collectors

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

About Logging DNS DoS Events to IPFIX Collectors

Overview: Configuring IPFIX logging for DNS DoS

You can configure the BIG-IP® system to log information about DNS denial-of-service (DoS) events and send the log messages to remote IPFIX collectors.

IPFIX is a set of IETF standards. The BIG-IP system supports logging of DNS DoS events over the IPFIX protocol. IPFIX logs are raw, binary-encoded strings with their fields and field lengths defined by IPFIX templates. IPFIX collectors are external devices that can receive IPFIX templates and use them to interpret IPFIX logs.

The configuration process involves creating and connecting the following configuration objects:

Object to create in implementation Reason
Pool of IPFIX collectors Create a pool of IPFIX collectors to which the BIG-IP system can send IPFIX log messages.
Destination Create a log destination to format the logs in IPFIX templates, and forward the logs to the local-syslog database.
Publisher Create a log publisher to send logs to a set of specified log destinations.

Task summary

Perform these tasks to configure IPFIX logging of DNS DoS events on the BIG-IP system.
Note: Enabling IPFIX logging impacts BIG-IP system performance.

Creating a pool of IPFIX collectors

You must have one or more external IPFIX collectors to receive IPFIX logs of your CGNAT mappings, before you can group the collectors into an LTM® pool.

Before creating a pool of IPFIX collectors, gather the IP addresses of the collectors that you want to include in the pool. Ensure that the remote IPFIX collectors are configured to listen to and receive log messages from the BIG-IP® system.

These are the steps for creating a pool of IPFIX collectors. The BIG-IP system can send IPFIX log messages to this pool.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each IPFIX collector that you want to include in the pool:
    1. Type the collector's IP address in the Address field, or select a node address from the Node List.
    2. Type a port number in the Service Port field.
      By default, IPFIX collectors listen on UDP or TCP port 4739 and Netflow V9 devices listen on port 2055, though the port is configurable at each collector.
    3. Click Add.
  5. Click Finished.

Creating an IPFIX log destination

A log destination of the IPFIX type specifies that log messages are sent to a pool of IPFIX collectors.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations .
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select IPFIX.
  5. From the Protocol list, select IPFIX or Netflow V9, depending on the type of collectors you have in the pool.
  6. From the Pool Name list, select an LTM® pool of IPFIX collectors.
  7. From the Transport Profile list, select TCP, UDP, or any customized profile derived from TCP or UDP.
  8. Type the Template Retransmit Interval, the time between transmissions of IPFIX templates to the pool of collectors.
    An IPFIX template defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 messages) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.

    The log destination periodically retransmits all of its IPFIX templates. The retransmissions are helpful for UDP connections, which are lossy, and they are also helpful for debugging a TCP connection.

  9. The Template Delete Delay is the time that the BIG-IP device should pause between deleting an obsolete template and using its template ID. This feature is not currently implemented.
  10. Click Finished.

Creating a publisher

A publisher specifies where the BIG-IP® system sends log messages for IPFIX logs.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. Use the Log Destinations area to select an existing IPFIX destination (perhaps along with other destinations for your logs): click any destination name in the Available list, and click << to move it to the Selected list.
  5. Click Finished.

Creating a custom DNS DoS Protection Logging profile

Create a custom Logging profile to log DNS DoS Protection events and send the log messages to a specific location.
  1. On the Main tab, click Security > Event Logs > Logging Profiles .
    The Logging Profiles list screen opens.
  2. Click Create.
    The New Logging Profile screen opens.
  3. Select the DoS Protection check box.
  4. In the DNS DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  5. Click Finished.
Assign this custom DNS DoS Protection Logging profile to a virtual server.

Implementation result

Now you have an implementation in which the BIG-IP® system logs messages about DNS DoS events and sends the log messages to a pool of IPFIX collectors.

Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information