Applies To:
Show Versions
BIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Link Controller
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP Analytics
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP PEM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: IPFIX Templates for AFM DNS Events
The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log F5’s Application Firewall Manager (AFM) DNS events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the denial of a DNS query.
About IPFIX Information Elements for AFM DNS events
Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager™ (AFM™) DNS event.
IANA-defined IPFIX Information Elements
IANA maintains a list of standard IPFIX Information Elements (IEs), each with a unique Element Identifier. The F5® AFM™ DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.
| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| destinationIPv4Address | 12 | 4 |
| destinationIPv6Address | 28 | 16 |
| destinationTransportPort | 11 | 2 |
| ingressVRFID | 234 | 4 |
| observationTimeMilliseconds | 323 | 8 |
| sourceIPv4Address | 8 | 4 |
| sourceIPv6Address | 27 | 16 |
| sourceTransportPort | 7 | 2 |
IPFIX enterprise Information Elements
IPFIX provides for enterprises to define their own Information Elements. F5® currently uses the following non-standard IEs for AFM™ DNS events:
| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| action | 12276 - 39 | Variable |
| attackEvent | 12276 - 41 | Variable |
| attackId | 12276 - 20 | 4 |
| attackName | 12276 - 21 | Variable |
| bigipHostName | 12276 - 10 | Variable |
| bigipMgmtIPv4Address | 12276 - 5 | 4 |
| bigipMgmtIPv6Address | 12276 - 6 | 16 |
| contextName | 12276 - 9 | Variable |
| deviceProduct | 12276 - 12 | Variable |
| deviceVendor | 12276 - 11 | Variable |
| deviceVersion | 12276 - 13 | Variable |
| dnsQueryType | 12276 - 8 | Variable |
| errdefsMsgNo | 12276 - 4 | 4 |
| flowId | 12276 - 3 | 8 |
| ipfixMsgNo | 12276 - 16 | 4 |
| messageSeverity | 12276 - 1 | 1 |
| msgName | 12276 - 14 | Variable |
| packetsDropped | 12276 - 23 | 4 |
| packetsReceived | 12276 - 22 | 4 |
| partitionName | 12276 - 2 | Variable |
| queryName | 12276 - 7 | Variable |
| vlanName | 12276 - 15 | Variable |
About individual IPFIX Templates for each event
This section enumerates the IPFIX templates used by F5 to publish AFM DNS Events.
IPFIX template for DNS security
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| queryName | 12276 - 7 | Variable | This IE is omitted for NetFlow v9. |
| dnsQueryType | 12276 - 8 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
IPFIX template for DNS DoS
| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| attackEvent | 12276 - 41 | Variable | This IE is omitted for NetFlow v9. |
| attackId | 12276 - 20 | 4 | |
| attackName | 12276 - 21 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| queryName | 12276 - 7 | Variable | This IE is omitted for NetFlow v9. |
| dnsQueryType | 12276 - 8 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| packetsDropped | 12276 - 23 | 4 | |
| packetsReceived | 12276 - 22 | 4 |
