Manual Chapter :
IPFIX Templates for AFM Events
Applies To:
Show Versions
BIG-IP AAM
- 12.1.1, 12.1.0
BIG-IP APM
- 12.1.1, 12.1.0
BIG-IP Link Controller
- 12.1.1, 12.1.0
BIG-IP Analytics
- 12.1.1, 12.1.0
BIG-IP LTM
- 12.1.1, 12.1.0
BIG-IP PEM
- 12.1.1, 12.1.0
BIG-IP AFM
- 12.1.1, 12.1.0
BIG-IP DNS
- 12.1.1, 12.1.0
BIG-IP ASM
- 12.1.1, 12.1.0
IPFIX Templates for AFM Events
Overview: IPFIX Templates for AFM Events
The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log F5’s Application Firewall Manager (AFM) events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the acceptance of a network packet.
About IPFIX Information Elements for AFM events
Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager™(AFM™) event.
IANA-defined IPFIX Information Elements
IANA maintains a list of standard IPFIX Information Elements (IEs), each with a unique Element Identifier. The F5® AFM™ IPFIX implementation uses a subset of these IEs to publish AFM events. This subset is summarized in the table.
| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| destinationIPv4Address | 12 | 4 |
| destinationIPv6Address | 28 | 16 |
| destinationTransportPort | 11 | 2 |
| ingressVRFID | 234 | 4 |
| observationTimeMilliseconds | 323 | 8 |
| protocolIdentifier | 4 | 1 |
| sourceIPv4Address | 8 | 4 |
| sourceIPv6Address | 27 | 16 |
| sourceTransportPort | 7 | 2 |
IPFIX enterprise Information Elements
IPFIX provides for enterprises to define their own Information Elements. F5® currently uses the following non-standard IEs for AFM™ events:
| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| aclPolicyName | 12276 - 26 | Variable |
| aclPolicyType | 12276 - 25 | Variable |
| aclRuleName | 12276 - 38 | Variable |
| action | 12276 - 39 | Variable |
| attackType | 12276 - 46 | Variable |
| bigipHostName | 12276 - 10 | Variable |
| bigipMgmtIPv4Address | 12276 - 5 | 4 |
| bigipMgmtIPv6Address | 12276 - 6 | 16 |
| contextName | 12276 - 9 | Variable |
| contextType | 12276 - 24 | Variable |
| destinationFqdn | 12276 - 99 | Variable |
| destinationGeo | 12276 - 43 | Variable |
| deviceProduct | 12276 - 12 | Variable |
| deviceVendor | 12276 - 11 | Variable |
| deviceVersion | 12276 - 13 | Variable |
| dosAttackEvent | 12276 - 41 | Variable |
| dosAttackId | 12276 - 20 | 4 |
| dosAttackName | 12276 - 21 | Variable |
| dosPacketsDropped | 12276 - 23 | 4 |
| dosPacketsReceived | 12276 - 22 | 4 |
| dropReason | 12276 - 40 | Variable |
| errdefsMsgNo | 12276 - 4 | 4 |
| flowId | 12276 - 3 | 8 |
| ipfixMsgNo | 12276 - 16 | 4 |
| ipintelligencePolicyName | 12276 - 45 | Variable |
| ipintelligenceThreatName | 12276 - 42 | Variable |
| logMsgDrops | 12276 - 96 | 4 |
| logMsgName | 12276 - 97 | Variable |
| logprofileName | 12276 - 95 | Variable |
| messageSeverity | 12276 - 1 | 1 |
| msgName | 12276 - 14 | Variable |
| partitionName | 12276 - 2 | Variable |
| saTransPool | 12276 - 37 | Variable |
| saTransType | 12276 - 36 | Variable |
| sourceFqdn | 12276 - 98 | Variable |
| sourceGeo | 12276 - 44 | Variable |
| sourceUser | 12276 - 93 | Variable |
| transDestinationIPv4Address | 12276 - 31 | 4 |
| transDestinationIPv6Address | 12276 - 32 | 16 |
| transDestinationPort | 12276 - 33 | 2 |
| transIpProtocol | 12276 - 27 | 1 |
| transRouteDomain | 12276 - 35 | 4 |
| transSourceIPv4Address | 12276 - 28 | 4 |
| transSourceIPv6Address | 12276 - 29 | 16 |
| transSourcePort | 12276 - 30 | 2 |
| transVlanName | 12276 - 34 | Variable |
| vlanName | 12276 - 15 | Variable |
Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded
within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot
correctly process variable-length IEs, so they are omitted from logs sent to those collector
types.
About individual IPFIX templates for each event
F5® uses IPFIX templates to publish AFM™ events.
Network accept or deny
This IPFIX template is used whenever a network packet is accepted or denied by an AFM™ firewall.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| aclPolicyName | 12276 - 26 | Variable | This IE is omitted for NetFlow v9. |
| aclPolicyType | 12276 - 25 | Variable | This IE is omitted for NetFlow v9. |
| aclRuleName | 12276 - 38 | Variable | This IE is omitted for NetFlow v9. |
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationFqdn | 12276 - 99 | Variable | This IE is omitted for NetFlow v9. |
| destinationGeo | 12276 - 43 | Variable | This IE is omitted for NetFlow v9. |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| dropReason | 12276 - 40 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| protocolIdentifier | 4 | 1 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| saTransPool | 12276 - 37 | Variable | This IE is omitted for NetFlow v9. |
| saTransType | 12276 - 36 | Variable | This IE is omitted for NetFlow v9. |
| sourceFqdn | 12276 - 98 | Variable | This IE is omitted for NetFlow v9. |
| sourceGeo | 12276 - 44 | Variable | This IE is omitted for NetFlow v9. |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| sourceUser | 12276 - 93 | Variable | This IE is omitted for NetFlow v9. |
| transDestinationIPv4Address | 12276 - 31 | 4 | |
| transDestinationIPv6Address | 12276 - 32 | 16 | |
| transDestinationPort | 12276 - 33 | 2 | |
| transIpProtocol | 12276 - 27 | 1 | |
| transRouteDomain | 12276 - 35 | 4 | |
| transSourceIPv4Address | 12276 - 28 | 4 | |
| transSourceIPv6Address | 12276 - 29 | 16 | |
| transSourcePort | 12276 - 30 | 2 | |
| transVlanName | 12276 - 34 | Variable | This IE is omitted for NetFlow v9. |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |
DoS device
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| dosAttackEvent | 12276 - 41 | Variable | This IE is omitted for NetFlow v9. |
| dosAttackId | 12276 - 20 | 4 | |
| dosAttackName | 12276 - 21 | Variable | This IE is omitted for NetFlow v9. |
| dosPacketsDropped | 12276 - 23 | 4 | |
| dosPacketsReceived | 12276 - 22 | 4 | |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |
IP intelligence
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| attackType | 12276 - 46 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| ipintelligencePolicyName | 12276 - 45 | Variable | This IE is omitted for NetFlow v9. |
| ipintelligenceThreatName | 12276 - 42 | Variable | This IE is omitted for NetFlow v9. |
| protocolIdentifier | 4 | 1 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| saTransPool | 12276 - 37 | Variable | This IE is omitted for NetFlow v9. |
| saTransType | 12276 - 36 | Variable | This IE is omitted for NetFlow v9. |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| transDestinationIPv4Address | 12276 - 31 | 4 | |
| transDestinationIPv6Address | 12276 - 32 | 16 | |
| transDestinationPort | 12276 - 33 | 2 | |
| transIpProtocol | 12276 - 27 | 1 | |
| transRouteDomain | 12276 - 35 | 4 | |
| transSourceIPv4Address | 12276 - 28 | 4 | |
| transSourceIPv6Address | 12276 - 29 | 16 | |
| transSourcePort | 12276 - 30 | 2 | |
| transVlanName | 12276 - 34 | Variable | This IE is omitted for NetFlow v9. |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |
Log Throttle
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| observationTimeMilliseconds | 323 | 8 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| messageSeverity | 12276 - 1 | 1 | |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| logprofileName | 12276 - 95 | Variable | This IE is omitted for NetFlow v9. |
| logMsgName | 12276 - 97 | Variable | This IE is omitted for NetFlow v9. |
| logMsgDrops | 12276 - 96 | 4 |
