Manual Chapter : IPFIX Templates for AFM DNS Events

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP APM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP Link Controller

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP Analytics

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP LTM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP PEM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Overview: IPFIX Templates for AFM DNS Events

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log F5’s Application Firewall Manager (AFM) DNS events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the denial of a DNS query.

About IPFIX Information Elements for AFM DNS events

Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager™ (AFM™) DNS event.

IANA-defined IPFIX Information Elements

IANA maintains a list of standard IPFIX Information Elements (IEs), each with a unique Element Identifier. The F5® AFM™ DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.

Information Element (IE) ID Size (Bytes)
destinationIPv4Address 12 4
destinationIPv6Address 28 16
destinationTransportPort 11 2
ingressVRFID 234 4
observationTimeMilliseconds 323 8
sourceIPv4Address 8 4
sourceIPv6Address 27 16
sourceTransportPort 7 2

IPFIX enterprise Information Elements

IPFIX provides for enterprises to define their own Information Elements. F5® currently uses the following non-standard IEs for AFM™ DNS events:

Information Element (IE) ID Size (Bytes)
action 12276 - 39 Variable
attackEvent 12276 - 41 Variable
attackId 12276 - 20 4
attackName 12276 - 21 Variable
bigipHostName 12276 - 10 Variable
bigipMgmtIPv4Address 12276 - 5 4
bigipMgmtIPv6Address 12276 - 6 16
contextName 12276 - 9 Variable
deviceProduct 12276 - 12 Variable
deviceVendor 12276 - 11 Variable
deviceVersion 12276 - 13 Variable
dnsQueryType 12276 - 8 Variable
errdefsMsgNo 12276 - 4 4
flowId 12276 - 3 8
ipfixMsgNo 12276 - 16 4
messageSeverity 12276 - 1 1
msgName 12276 - 14 Variable
packetsDropped 12276 - 23 4
packetsReceived 12276 - 22 4
partitionName 12276 - 2 Variable
queryName 12276 - 7 Variable
vlanName 12276 - 15 Variable
Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

About individual IPFIX Templates for each event

This section enumerates the IPFIX templates used by F5 to publish AFM DNS Events.

IPFIX template for DNS security

Information Element (IE) ID Size (Bytes) Notes
action 12276 - 39 Variable This IE is omitted for NetFlow v9.
bigipHostName 12276 - 10 Variable This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address 12276 - 5 4  
bigipMgmtIPv6Address 12276 - 6 16  
contextName 12276 - 9 Variable This IE is omitted for NetFlow v9.
observationTimeMilliseconds 323 8  
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
deviceProduct 12276 - 12 Variable This IE is omitted for NetFlow v9.
deviceVendor 12276 - 11 Variable This IE is omitted for NetFlow v9.
deviceVersion 12276 - 13 Variable This IE is omitted for NetFlow v9.
queryName 12276 - 7 Variable This IE is omitted for NetFlow v9.
dnsQueryType 12276 - 8 Variable This IE is omitted for NetFlow v9.
errdefsMsgNo 12276 - 4 4  
flowId 12276 - 3 8  
ipfixMsgNo 12276 - 16 4  
messageSeverity 12276 - 1 1  
partitionName 12276 - 2 Variable This IE is omitted for NetFlow v9.
ingressVRFID 234 4  
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
vlanName 12276 - 15 Variable This IE is omitted for NetFlow v9.
msgName 12276 - 14 Variable This IE is omitted for NetFlow v9.

IPFIX template for DNS DoS

Information Element (IE) ID Size (Bytes) Notes
action 12276 - 39 Variable This IE is omitted for NetFlow v9.
attackEvent 12276 - 41 Variable This IE is omitted for NetFlow v9.
attackId 12276 - 20 4  
attackName 12276 - 21 Variable This IE is omitted for NetFlow v9.
bigipHostName 12276 - 10 Variable This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address 12276 - 5 4  
bigipMgmtIPv6Address 12276 - 6 16  
contextName 12276 - 9 Variable This IE is omitted for NetFlow v9.
observationTimeMilliseconds 323 8  
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
deviceProduct 12276 - 12 Variable This IE is omitted for NetFlow v9.
deviceVendor 12276 - 11 Variable This IE is omitted for NetFlow v9.
deviceVersion 12276 - 13 Variable This IE is omitted for NetFlow v9.
queryName 12276 - 7 Variable This IE is omitted for NetFlow v9.
dnsQueryType 12276 - 8 Variable This IE is omitted for NetFlow v9.
errdefsMsgNo 12276 - 4 4  
flowId 12276 - 3 8  
ipfixMsgNo 12276 - 16 4  
messageSeverity 12276 - 1 1  
partitionName 12276 - 2 Variable This IE is omitted for NetFlow v9.
ingressVRFID 234 4  
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
vlanName 12276 - 15 Variable This IE is omitted for NetFlow v9.
msgName 12276 - 14 Variable This IE is omitted for NetFlow v9.
packetsDropped 12276 - 23 4  
packetsReceived 12276 - 22 4