Manual Chapter: IPFIX Templates for AFM Events

Applies To:

BIG-IP AAM

  • 13.0.1, 13.0.0

BIG-IP APM

  • 13.0.1, 13.0.0

BIG-IP Link Controller

  • 13.0.1, 13.0.0

BIG-IP Analytics

  • 13.0.1, 13.0.0

BIG-IP LTM

  • 13.0.1, 13.0.0

BIG-IP AFM

  • 13.0.1, 13.0.0

BIG-IP PEM

  • 13.0.1, 13.0.0

BIG-IP DNS

  • 13.0.1, 13.0.0

BIG-IP ASM

  • 13.0.1, 13.0.0

Overview: IPFIX Templates for AFM events

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log F5® Advanced Firewall Manager™ (AFM™) events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the acceptance of a network packet.

About IPFIX Information Elements for AFM events

Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager™ (AFM™) event.

IANA-defined IPFIX Information Elements

IANA maintains a list of standard IPFIX Information Elements (IEs), each with a unique Element Identifier. The F5® AFM™ IPFIX implementation uses a subset of these IEs to publish AFM events. This subset is summarized in the table.

| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| destinationIPv4Address | 12 | 4 |
| destinationIPv6Address | 28 | 16 |
| destinationTransportPort | 11 | 2 |
| ingressVRFID | 234 | 4 |
| observationTimeMilliseconds | 323 | 8 |
| protocolIdentifier | 4 | 1 |
| sourceIPv4Address | 8 | 4 |
| sourceIPv6Address | 27 | 16 |
| sourceTransportPort | 7 | 2 |

IPFIX enterprise Information Elements

IPFIX provides for enterprises to define their own Information Elements. F5® currently uses the following non-standard IEs for AFM™ events:

| Information Element (IE) | ID | Size (Bytes) |
|---|---|---|
| aclPolicyName | 12276 - 26 | Variable |
| aclPolicyType | 12276 - 25 | Variable |
| aclRuleName | 12276 - 38 | Variable |
| action | 12276 - 39 | Variable |
| attackType | 12276 - 46 | Variable |
| bigipHostName | 12276 - 10 | Variable |
| bigipMgmtIPv4Address | 12276 - 5 | 4 |
| bigipMgmtIPv6Address | 12276 - 6 | 16 |
| contextName | 12276 - 9 | Variable |
| contextType | 12276 - 24 | Variable |
| destinationFqdn | 12276 - 99 | Variable |
| destinationGeo | 12276 - 43 | Variable |
| deviceProduct | 12276 - 12 | Variable |
| deviceVendor | 12276 - 11 | Variable |
| deviceVersion | 12276 - 13 | Variable |
| dosAttackEvent | 12276 - 41 | Variable |
| dosAttackId | 12276 - 20 | 4 |
| dosAttackName | 12276 - 21 | Variable |
| dosPacketsDropped | 12276 - 23 | 4 |
| dosPacketsReceived | 12276 - 22 | 4 |
| dropReason | 12276 - 40 | Variable |
| errdefsMsgNo | 12276 - 4 | 4 |
| flowId | 12276 - 3 | 8 |
| ipfixMsgNo | 12276 - 16 | 4 |
| ipintelligencePolicyName | 12276 - 45 | Variable |
| ipintelligenceThreatName | 12276 - 42 | Variable |
| logMsgDrops | 12276 - 96 | 4 |
| logMsgName | 12276 - 97 | Variable |
| logprofileName | 12276 - 95 | Variable |
| messageSeverity | 12276 - 1 | 1 |
| msgName | 12276 - 14 | Variable |
| partitionName | 12276 - 2 | Variable |
| saTransPool | 12276 - 37 | Variable |
| saTransType | 12276 - 36 | Variable |
| sourceFqdn | 12276 - 98 | Variable |
| sourceGeo | 12276 - 44 | Variable |
| sourceUser | 12276 - 93 | Variable |
| transDestinationIPv4Address | 12276 - 31 | 4 |
| transDestinationIPv6Address | 12276 - 32 | 16 |
| transDestinationPort | 12276 - 33 | 2 |
| transIpProtocol | 12276 - 27 | 1 |
| transRouteDomain | 12276 - 35 | 4 |
| transSourceIPv4Address | 12276 - 28 | 4 |
| transSourceIPv6Address | 12276 - 29 | 16 |
| transSourcePort | 12276 - 30 | 2 |
| transVlanName | 12276 - 34 | Variable |
| vlanName | 12276 - 15 | Variable |

Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.
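
How a collector applies the two IE tables and the note on variable-length IEs, as an added example that is not F5 code: a small Python decoder for one IPFIX Template Record and one Data Record, following the RFC 7011 encoding. It assumes the "12276" in the ID column is the enterprise number that follows the enterprise bit; the template ID, address and strings in the sample are constructed.

```python
import ipaddress
import struct

F5_PEN = 12276   # assumption: the "12276" in the tables' "12276 - N" IDs is the enterprise number
VARLEN = 0xFFFF  # RFC 7011: a template field length of 65535 marks a variable-length IE
# Subset of the page's tables, keyed by (enterprise number, element ID)
NAMES = {(0, 8): "sourceIPv4Address", (0, 7): "sourceTransportPort",
         (F5_PEN, 1): "messageSeverity", (F5_PEN, 39): "action", (F5_PEN, 38): "aclRuleName"}

def parse_template(buf):
    """Parse one Template Record into (template_id, [(pen, ie_id, length), ...])."""
    template_id, count = struct.unpack_from("!HH", buf, 0)
    off, fields = 4, []
    for _ in range(count):
        ie_id, length = struct.unpack_from("!HH", buf, off)
        off += 4
        pen = 0
        if ie_id & 0x8000:  # enterprise bit: a 4-byte enterprise number follows
            (pen,) = struct.unpack_from("!I", buf, off)
            off += 4
        fields.append((pen, ie_id & 0x7FFF, length))
    return template_id, fields

def decode_record(fields, data):
    """Decode one Data Record; raise ValueError when a length runs past the buffer."""
    off, out = 0, {}
    for pen, ie_id, length in fields:
        variable = length == VARLEN
        if variable:  # length is carried in the record: 1 octet, or 255 then 2 octets
            length, off = int.from_bytes(data[off:off + 1], "big"), off + 1
            if length == 255:
                length, off = int.from_bytes(data[off:off + 2], "big"), off + 2
        if off + length > len(data):  # also catches a record cut short inside a length prefix
            raise ValueError(f"IE {pen}/{ie_id} overruns the record")
        raw, off = data[off:off + length], off + length
        name = NAMES.get((pen, ie_id), f"{pen}/{ie_id}")
        if variable:
            out[name] = raw.decode("utf-8", "replace")
        elif name.endswith("IPv4Address"):
            out[name] = str(ipaddress.IPv4Address(raw))
        else:
            out[name] = int.from_bytes(raw, "big")
    return out

# Constructed sample (not captured traffic): a 5-field template and one matching record
TEMPLATE = struct.pack("!HHHHHH", 256, 5, 8, 4, 7, 2) + b"".join(
    struct.pack("!HHI", 0x8000 | ie, size, F5_PEN) for ie, size in [(1, 1), (39, VARLEN), (38, VARLEN)])
RECORD = bytes([192, 0, 2, 10]) + struct.pack("!H", 51515) + b"\x04" + b"\x04Drop" + b"\x09block-ssh"
```

Calling `decode_record(parse_template(TEMPLATE)[1], RECORD)` returns the five fields by name. The single bounds check is what keeps a truncated or malformed record from being read as the start of the next one.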

About individual IPFIX templates for each event

F5® uses IPFIX templates to publish AFM™ events.

Network accept or deny

This IPFIX template is used whenever a network packet is accepted or denied by an AFM™ firewall.

| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| aclPolicyName | 12276 - 26 | Variable | This IE is omitted for NetFlow v9. |
| aclPolicyType | 12276 - 25 | Variable | This IE is omitted for NetFlow v9. |
| aclRuleName | 12276 - 38 | Variable | This IE is omitted for NetFlow v9. |
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationFqdn | 12276 - 99 | Variable | This IE is omitted for NetFlow v9. |
| destinationGeo | 12276 - 43 | Variable | This IE is omitted for NetFlow v9. |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| dropReason | 12276 - 40 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| protocolIdentifier | 4 | 1 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| saTransPool | 12276 - 37 | Variable | This IE is omitted for NetFlow v9. |
| saTransType | 12276 - 36 | Variable | This IE is omitted for NetFlow v9. |
| sourceFqdn | 12276 - 98 | Variable | This IE is omitted for NetFlow v9. |
| sourceGeo | 12276 - 44 | Variable | This IE is omitted for NetFlow v9. |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| sourceUser | 12276 - 93 | Variable | This IE is omitted for NetFlow v9. |
| transDestinationIPv4Address | 12276 - 31 | 4 | |
| transDestinationIPv6Address | 12276 - 32 | 16 | |
| transDestinationPort | 12276 - 33 | 2 | |
| transIpProtocol | 12276 - 27 | 1 | |
| transRouteDomain | 12276 - 35 | 4 | |
| transSourceIPv4Address | 12276 - 28 | 4 | |
| transSourceIPv6Address | 12276 - 29 | 16 | |
| transSourcePort | 12276 - 30 | 2 | |
| transVlanName | 12276 - 34 | Variable | This IE is omitted for NetFlow v9. |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |

DoS device

| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| dosAttackEvent | 12276 - 41 | Variable | This IE is omitted for NetFlow v9. |
| dosAttackId | 12276 - 20 | 4 | |
| dosAttackName | 12276 - 21 | Variable | This IE is omitted for NetFlow v9. |
| dosPacketsDropped | 12276 - 23 | 4 | |
| dosPacketsReceived | 12276 - 22 | 4 | |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |

IP intelligence

| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| action | 12276 - 39 | Variable | This IE is omitted for NetFlow v9. |
| attackType | 12276 - 46 | Variable | This IE is omitted for NetFlow v9. |
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| observationTimeMilliseconds | 323 | 8 | |
| destinationIPv4Address | 12 | 4 | |
| destinationIPv6Address | 28 | 16 | |
| destinationTransportPort | 11 | 2 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| flowId | 12276 - 3 | 8 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| ipintelligencePolicyName | 12276 - 45 | Variable | This IE is omitted for NetFlow v9. |
| ipintelligenceThreatName | 12276 - 42 | Variable | This IE is omitted for NetFlow v9. |
| protocolIdentifier | 4 | 1 | |
| messageSeverity | 12276 - 1 | 1 | |
| partitionName | 12276 - 2 | Variable | This IE is omitted for NetFlow v9. |
| ingressVRFID | 234 | 4 | |
| saTransPool | 12276 - 37 | Variable | This IE is omitted for NetFlow v9. |
| saTransType | 12276 - 36 | Variable | This IE is omitted for NetFlow v9. |
| sourceIPv4Address | 8 | 4 | |
| sourceIPv6Address | 27 | 16 | |
| sourceTransportPort | 7 | 2 | |
| transDestinationIPv4Address | 12276 - 31 | 4 | |
| transDestinationIPv6Address | 12276 - 32 | 16 | |
| transDestinationPort | 12276 - 33 | 2 | |
| transIpProtocol | 12276 - 27 | 1 | |
| transRouteDomain | 12276 - 35 | 4 | |
| transSourceIPv4Address | 12276 - 28 | 4 | |
| transSourceIPv6Address | 12276 - 29 | 16 | |
| transSourcePort | 12276 - 30 | 2 | |
| transVlanName | 12276 - 34 | Variable | This IE is omitted for NetFlow v9. |
| vlanName | 12276 - 15 | Variable | This IE is omitted for NetFlow v9. |

Log Throttle

| Information Element (IE) | ID | Size (Bytes) | Notes |
|---|---|---|---|
| bigipHostName | 12276 - 10 | Variable | This IE is omitted for NetFlow v9. |
| bigipMgmtIPv4Address | 12276 - 5 | 4 | |
| bigipMgmtIPv6Address | 12276 - 6 | 16 | |
| observationTimeMilliseconds | 323 | 8 | |
| deviceProduct | 12276 - 12 | Variable | This IE is omitted for NetFlow v9. |
| deviceVendor | 12276 - 11 | Variable | This IE is omitted for NetFlow v9. |
| deviceVersion | 12276 - 13 | Variable | This IE is omitted for NetFlow v9. |
| msgName | 12276 - 14 | Variable | This IE is omitted for NetFlow v9. |
| errdefsMsgNo | 12276 - 4 | 4 | |
| ipfixMsgNo | 12276 - 16 | 4 | |
| messageSeverity | 12276 - 1 | 1 | |
| contextType | 12276 - 24 | Variable | This IE is omitted for NetFlow v9. |
| contextName | 12276 - 9 | Variable | This IE is omitted for NetFlow v9. |
| logprofileName | 12276 - 95 | Variable | This IE is omitted for NetFlow v9. |
| logMsgName | 12276 - 97 | Variable | This IE is omitted for NetFlow v9. |
| logMsgDrops | 12276 - 96 | 4 | |