The configuration process involves creating and connecting the following configuration objects:

1. On the Main tab, click Local Traffic > Pools .
   The Pool List screen opens.
2. Click Create.
   The New Pool screen opens.
3. In the Name field, type a unique name for the pool.
4. Using the New Members setting, add the IP address for each IPFIX collector that you want to include in the pool:
   1. Type the collector's IP address in the Address field, or select a node address from the Node List.
   2. Type a port number in the Service Port field.
      By default, IPFIX collectors listen on UDP or TCP port 4739 and Netflow V9 devices listen on port 2055, though the port is configurable at each collector.
   3. Click Add.
5. Click Finished.

1. On the Main tab, click System > Logs > Configuration > Log Destinations .
   The Log Destinations screen opens.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this destination.
4. From the Type list, select IPFIX.
5. From the Protocol list, select IPFIX or Netflow V9, depending on the type of collectors you have in the pool.
6. From the Pool Name list, select an LTM^® pool of IPFIX collectors.
7. From the Transport Profile list, select TCP, UDP, or any customized profile derived from TCP or UDP.
8. The Template Retransmit Interval is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the Transport Profile is a UDP profile.
   An IPFIX template defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.

   The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.

9. The Template Delete Delay is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
10. The Server SSL Profile applies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the Transport Profile is a TCP profile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration.
    SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
11. Click Finished.

1. On the Main tab, click System > Logs > Configuration > Log Publishers .
   The Log Publishers screen opens.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this publisher.
4. Use the Log Destinations setting to select an existing IPFIX destination (perhaps along with other destinations for your logs): click any destination name in the Available list, and click << to move it to the Selected list.
   Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging will occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
5. Click Finished.

1. On the Main tab, click Security > Event Logs > Logging Profiles .
   The Logging Profiles list screen opens.
2. Click Create.
   The Create New Logging Profile screen opens.
3. In the Name field, type a unique name for the profile.
4. Select the Network Firewall check box.
5. If you want to enable optional subscriber ID logging:
   1. Select the Network Address Translation check box.
   2. Then in the Network Address Translation area, select the Log Subscriber ID check box.
   3. Click Network Firewall.
6. In the Network Firewall area, from the Publisher list, select the IPFIX publisher the BIG-IP system uses to log Network Firewall events.
7. Set an Aggregate Rate Limit to define a rate limit for all combined network firewall log messages per second.
   Beyond this rate limit, log messages are not logged.
8. For the Log Rule Matches setting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.

   Option	Description
   Option	Enables or disables logging of packets that match ACL rules configured with:
   Accept	action=Accept
   Drop	action=Drop
   Reject	action=Reject

   When an option is selected, you can configure a rate limit for log messages of that type.
9. Select the Log IP Errors check box, to enable logging of IP error packets.
   When this setting is enabled, you can configure a rate limit for log messages of this type.
10. Select the Log TCP Errors check box, to enable logging of TCP error packets.
    When this is enabled, you can configure a rate limit for log messages of this type.
11. Select the Log TCP Events check box, to enable logging of open and close of TCP sessions.
    When this is enabled, you can configure a rate limit for log messages of this type.
12. Enable the Log Translation Fields setting to log both the original IP address and the NAT-translated IP address for Network Firewall log events.
13. Enable the Log Geolocation IP Address setting to specify that when a geolocation event causes a network firewall action, the associated IP address is logged.
14. From the Storage Format list, select how the BIG-IP system formats the log.

    Option	Description
    None	Specifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example: "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason
    Field-List	Allows you to: Select, from a list, the fields to be included in the log. Specify the order the fields display in the log. Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
    User-Defined	Allows you to: Select, from a list, the fields to be included in the log. Cut and paste, in a string of text, the order the fields display in the log.

15. In the IP Intelligence area, from the Publisher list, select the publisher that the BIG-IP system uses to log source IP addresses, which are identified and configured for logging by an IP Intelligence policy.
    Note: The IP Address Intelligence feature must be enabled and licensed.
16. Set an Aggregate Rate Limit to define a rate limit for all combined IP Intelligence log messages per second.
    Beyond this rate limit, log messages are not logged.
17. Enable the Log Translation Fields setting to log both the original IP address and the NAT-translated IP address for IP Intelligence log events.
18. In the Traffic Statistics area, from the Publisher list, select the publisher that the BIG-IP system uses to log traffic statistics.
19. For the Log Timer Events setting, enable Active Flows to log the number of active flows each second.
20. For the Log Timer Events setting, enable Reaped Flowsto log the number of reaped flows, or connections that are not established because of system resource usage levels.
21. For the Log Timer Events setting, enable Missed Flows to log the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
22. For the Log Timer Events setting, enable SYN Cookie (Per Session Challenge) to log the number of SYN cookie challenges generated each second.
23. For the Log Timer Events setting, enable SYN Cookie (White-listed Clients) to log the number of SYN cookie clients whitelisted each second.
24. Click Finished.

1. On the Main tab, click Local Traffic > Virtual Servers .
   The Virtual Server List screen opens.
2. Click the name of the virtual server you want to modify.
3. On the menu bar, click Security > Policies .
   The screen displays policy settings for the virtual server.
4. In the Log Profile setting, select Enabled. Then, select one or more profiles that log specific events to IPFIX collectors, and move them from the Available list to the Selected list.
   Note: To log global, self IP, and route domain contexts, you must enable a Publisher in the global-network profile.
5. Click Update to save the changes.