Applies To:
BIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Link Controller
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Analytics
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP PEM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: IPFIX Templates for AFM events
The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log F5® Advanced Firewall Manager™ (AFM™) events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the acceptance of a network packet.
About IPFIX Information Elements for AFM events
Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager™ (AFM™) event.
IANA-defined IPFIX Information Elements
IANA maintains a list of standard IPFIX Information Elements (IEs), each with a unique Element Identifier. The F5® AFM™ IPFIX implementation uses a subset of these IEs to publish AFM events. This subset is summarized in the table.
| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| destinationIPv4Address | 12 | 4 |
| destinationIPv6Address | 28 | 16 |
| destinationTransportPort | 11 | 2 |
| ingressVRFID | 234 | 4 |
| observationTimeMilliseconds | 323 | 8 |
| protocolIdentifier | 4 | 1 |
| sourceIPv4Address | 8 | 4 |
| sourceIPv6Address | 27 | 16 |
| sourceTransportPort | 7 | 2 |
IPFIX enterprise Information Elements
IPFIX provides for enterprises to define their own Information Elements. F5® currently uses the following non-standard IEs for AFM™ events:
| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| aclPolicyName | 12276 - 26 | Variable |
| aclPolicyType | 12276 - 25 | Variable |
| aclRuleName | 12276 - 38 | Variable |
| action | 12276 - 39 | Variable |
| attackType | 12276 - 46 | Variable |
| bigipHostName | 12276 - 10 | Variable |
| bigipMgmtIPv4Address | 12276 - 5 | 4 |
| bigipMgmtIPv6Address | 12276 - 6 | 16 |
| contextName | 12276 - 9 | Variable |
| contextType | 12276 - 24 | Variable |
| destinationFqdn | 12276 - 99 | Variable |
| destinationGeo | 12276 - 43 | Variable |
| deviceProduct | 12276 - 12 | Variable |
| deviceVendor | 12276 - 11 | Variable |
| deviceVersion | 12276 - 13 | Variable |
| dosAttackEvent | 12276 - 41 | Variable |
| dosAttackId | 12276 - 20 | 4 |
| dosAttackName | 12276 - 21 | Variable |
| dosPacketsDropped | 12276 - 23 | 4 |
| dosPacketsReceived | 12276 - 22 | 4 |
| dropReason | 12276 - 40 | Variable |
| errdefsMsgNo | 12276 - 4 | 4 |
| flowId | 12276 - 3 | 8 |
| ipfixMsgNo | 12276 - 16 | 4 |
| ipintelligencePolicyName | 12276 - 45 | Variable |
| ipintelligenceThreatName | 12276 - 42 | Variable |
| logMsgDrops | 12276 - 96 | 4 |
| logMsgName | 12276 - 97 | Variable |
| logprofileName | 12276 - 95 | Variable |
| messageSeverity | 12276 - 1 | 1 |
| msgName | 12276 - 14 | Variable |
| partitionName | 12276 - 2 | Variable |
| saTransPool | 12276 - 37 | Variable |
| saTransType | 12276 - 36 | Variable |
| sourceFqdn | 12276 - 98 | Variable |
| sourceGeo | 12276 - 44 | Variable |
| sourceUser | 12276 - 93 | Variable |
| transDestinationIPv4Address | 12276 - 31 | 4 |
| transDestinationIPv6Address | 12276 - 32 | 16 |
| transDestinationPort | 12276 - 33 | 2 |
| transIpProtocol | 12276 - 27 | 1 |
| transRouteDomain | 12276 - 35 | 4 |
| transSourceIPv4Address | 12276 - 28 | 4 |
| transSourceIPv6Address | 12276 - 29 | 16 |
| transSourcePort | 12276 - 30 | 2 |
| transVlanName | 12276 - 34 | Variable |
| vlanName | 12276 - 15 | Variable |
About individual IPFIX templates for each event
F5® uses IPFIX templates to publish AFM™ events.
Network accept or deny
This IPFIX template is used whenever a network packet is accepted or denied by an AFM™ firewall.
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| aclPolicyName | 12276 - 26 | Variable | This IE is omitted for NetFlow v9. |
| aclPolicyType | 12276 - 25 | Variable | This IE is omitted for NetFlow v9. |
| aclRuleName | 12276 - 38 | Variable | This IE is omitted for NetFlow v9. |
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationFqdn | 12276 - 99 | Variable | This IE is omitted for NetFlow v9. |
| destinationGeo | 12276 - 43 | Variable | This IE is omitted for NetFlow v9. |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| dropReason | 12276 - 40 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| protocolIdentifier | 4 | 1 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| saTransPool | 12276 - 37 | Variable | This IE is omitted for NetFlow v9. |
| saTransType | 12276 - 36 | Variable | This IE is omitted for NetFlow v9. |
| sourceFqdn | 12276 - 98 | Variable | This IE is omitted for NetFlow v9. |
| sourceGeo | 12276 - 44 | Variable | This IE is omitted for NetFlow v9. |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| sourceUser | 12276 - 93 | Variable | This IE is omitted for NetFlow v9. |
| transDestinationIPv4Address | 12276 - 31 | 4 | |
| transDestinationIPv6Address | 12276 - 32 | 16 | |
| transDestinationPort | 12276 - 33 | 2 | |
| transIpProtocol | 12276 - 27 | 1 | |
| transRouteDomain | 12276 - 35 | 4 | |
| transSourceIPv4Address | 12276 - 28 | 4 | |
| transSourceIPv6Address | 12276 - 29 | 16 | |
| transSourcePort | 12276 - 30 | 2 | |
| transVlanName | 12276 - 34 | Variable | This IE is omitted for NetFlow v9. |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |
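How a collector reads the ID and Size columns on the wire, shown as an added example (not F5 code): it assumes the standard RFC 7011 encoding, in which an enterprise IE such as "12276 - 39" is sent with the high bit of the element ID set and followed by the 4-byte enterprise number, and a "Variable" size is sent as template length 65535 with the real length prefixed to the value in each data record. The template ID, field order, and field values below are constructed for illustration, and only a subset of the IEs is mapped.

```python
import ipaddress
import struct

F5_PEN = 12276   # enterprise number in the ID column, e.g. "12276 - 39"
VARLEN = 0xFFFF  # RFC 7011: template length 65535 marks a variable-length field
DECODE = {"ipv4": lambda b: str(ipaddress.IPv4Address(b)),
          "uint": lambda b: int.from_bytes(b, "big"),
          "str": lambda b: b.decode("utf-8", "replace")}
# Subset of the page's tables: (enterprise number, element ID) -> (name, type)
IES = {(0, 8): ("sourceIPv4Address", "ipv4"),
       (0, 11): ("destinationTransportPort", "uint"), (0, 4): ("protocolIdentifier", "uint"),
       (F5_PEN, 39): ("action", "str"),
       (F5_PEN, 38): ("aclRuleName", "str")}

def parse_template(body):
    """Template Record -> (template_id, [(pen, ie_id, length), ...])."""
    tid, count = struct.unpack_from("!HH", body, 0)
    off, fields = 4, []
    for _ in range(count):
        ie_id, length = struct.unpack_from("!HH", body, off)
        pen, off = 0, off + 4
        if ie_id & 0x8000:  # enterprise bit set: a 4-byte enterprise number follows
            pen, off = struct.unpack_from("!I", body, off)[0], off + 4
        fields.append((pen, ie_id & 0x7FFF, length))
    return tid, fields

def decode_record(fields, data):
    """Decode one Data Record with the field list from parse_template()."""
    off, out = 0, {}
    for pen, ie_id, length in fields:
        if length == VARLEN:  # the length is carried in the record itself
            length, off = data[off], off + 1
            if length == 255:  # long form: 255, then a 2-byte length
                length, off = struct.unpack_from("!H", data, off)[0], off + 2
        raw = data[off:off + length]
        if len(raw) != length:
            raise ValueError("data record shorter than its template")
        off += length
        name, kind = IES.get((pen, ie_id), (f"{pen}-{ie_id}", "raw"))
        out[name] = DECODE.get(kind, bytes.hex)(raw)  # unmapped IEs stay as hex
    return out

# Constructed sample (not captured traffic): template ID 256 with five fields.
TEMPLATE = struct.pack("!HH", 256, 5) + b"".join(
    struct.pack("!HH", i, n) if pen == 0 else struct.pack("!HHI", i | 0x8000, n, pen)
    for pen, i, n in [(0, 8, 4), (0, 11, 2), (0, 4, 1),
                      (F5_PEN, 39, VARLEN), (F5_PEN, 38, VARLEN)])
RECORD = (bytes([192, 0, 2, 10]) + struct.pack("!HB", 443, 6)
          + bytes([4]) + b"Drop" + bytes([10]) + b"block_web1")
```

A collector that does not recognise enterprise number 12276 can still step over these fields using the lengths, which is why the fallback keeps unmapped IEs as hex rather than failing.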
DoS device
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| dosAttackEvent | 12276 - 41 | Variable | This IE is omitted for NetFlow v9. |
| dosAttackId | 12276 - 20 | 4 | |
| dosAttackName | 12276 - 21 | Variable | This IE is omitted for NetFlow v9. |
| dosPacketsDropped | 12276 - 23 | 4 | |
| dosPacketsReceived | 12276 - 22 | 4 | |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |
IP intelligence
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| attackType | 12276 - 46 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| ipintelligencePolicyName | 12276 - 45 | Variable | This IE is omitted for NetFlow v9. |
| ipintelligenceThreatName | 12276 - 42 | Variable | This IE is omitted for NetFlow v9. |
| protocolIdentifier | 4 | 1 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| saTransPool | 12276 - 37 | Variable | This IE is omitted for NetFlow v9. |
| saTransType | 12276 - 36 | Variable | This IE is omitted for NetFlow v9. |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| transDestinationIPv4Address | 12276 - 31 | 4 | |
| transDestinationIPv6Address | 12276 - 32 | 16 | |
| transDestinationPort | 12276 - 33 | 2 | |
| transIpProtocol | 12276 - 27 | 1 | |
| transRouteDomain | 12276 - 35 | 4 | |
| transSourceIPv4Address | 12276 - 28 | 4 | |
| transSourceIPv6Address | 12276 - 29 | 16 | |
| transSourcePort | 12276 - 30 | 2 | |
| transVlanName | 12276 - 34 | Variable | This IE is omitted for NetFlow v9. |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |
Log Throttle
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| observationTimeMilliseconds | 323 | 8 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| messageSeverity | 12276 - 1 | 1 | |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| logprofileName | 12276 - 95 | Variable | This IE is omitted for NetFlow v9. |
| logMsgName | 12276 - 97 | Variable | This IE is omitted for NetFlow v9. |
| logMsgDrops | 12276 - 96 | 4 | |