Manual Chapter: Using CGNAT Logging and Subscriber Traceability

Applies To:

BIG-IP LTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Overview: Configuring local logging for CGNAT

You can configure the BIG-IP® system to send log messages about carrier grade network address translation (CGNAT) processes to the local Syslog database on the BIG-IP system.

Note: Enabling logging impacts BIG-IP system performance.

When configuring local logging of CGNAT processes, it is helpful to understand the objects you need to create and why:

Object                         Reason
Destination (formatted/local)  Create a formatted log destination to format the logs in human-readable name/value pairs, and forward the logs to the local-syslog database.
Publisher (local-syslog)       Create a log publisher to send logs to the previously created destination that formats the logs in name/value pairs, and forwards the logs to the local Syslog database on the BIG-IP system.
LSN pool                       Associate a large scale NAT (LSN) pool with a log publisher in order to log messages about the traffic that uses the pool.

Task summary

Creating a formatted local log destination for CGNAT

Create a formatted logging destination to specify that log messages about CGNAT processes are sent to the local Syslog database in a format that displays name/value pairs in a human-readable format.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations.
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select Splunk.
    The Splunk format is a predefined format of key value pairs.
  5. From the Forward To list, select local-syslog.
  6. Click Finished.

Creating a publisher to send log messages to the local Syslog database

Create a publisher to specify that the BIG-IP® system sends formatted log messages to the local Syslog database on the BIG-IP system.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers.
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. For the Destinations setting, select the previously created destination from the Available list (which formats the logs in the Splunk format and forwards the logs to the local Syslog database) and move the destination to the Selected list.
  5. Click Finished.

Configuring an LSN pool with a local Syslog log publisher

Before associating a large scale NAT (LSN) pool with a log publisher, ensure that at least one log publisher exists that sends formatted log messages to the local Syslog database on the BIG-IP® system.
Associate an LSN pool with the log publisher that the BIG-IP system uses to send formatted log messages to the local Syslog database.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools.
    The LSN Pool List screen opens.
  2. Click the name of an LSN pool.
  3. From the Log Publisher list, select the log publisher that sends formatted log messages to the local Syslog database on the BIG-IP system.
  4. Click Finished.

Overview: Configuring remote high-speed logging for CGNAT

You can configure the BIG-IP® system to log information about carrier grade network address translation (CGNAT) processes and send the log messages to remote high-speed log servers.

When configuring remote high-speed logging (HSL) of CGNAT processes, it is helpful to understand the objects you need to create and why, as described here:

Object                       Reason
Pool of remote log servers   Create a pool of remote log servers to which the BIG-IP system can send log messages.
Destination (unformatted)    Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.
Destination (formatted)      If your remote log servers are the Splunk, IPFIX, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
Publisher                    Create a log publisher to send logs to a set of specified log destinations.
Logging Profile (optional)   Create a logging profile to configure logging options for various large scale NAT (LSN) events. The options apply to all HSL destinations.
LSN pool                     Associate an LSN pool with a logging profile and log publisher in order to log messages about the traffic that uses the pool.

This illustration shows the association of the configuration objects for remote high-speed logging of CGNAT processes.

[Figure: Associations between CGNAT remote high-speed logging configuration objects]

Task summary

Perform these tasks to configure remote high-speed logging of CGNAT processes on the BIG-IP® system.
Note: Enabling remote high-speed logging impacts BIG-IP system performance.

Creating a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP® system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. On the Main tab, click the applicable path.
    • DNS > Delivery > Load Balancing > Pools
    • Local Traffic > Pools
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. Type a service number in the Service Port field, or select a service name from the list.
      Note: Typical remote logging servers require port 514.
    3. Click Add.
  5. Click Finished.

Creating a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP® system.

Create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations.
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select Remote High-Speed Log.
    Important: If you use log servers such as Remote Syslog, Splunk, or IPFIX, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the Remote High-Speed Log type. This allows the BIG-IP system to send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
  6. From the Protocol list, select the protocol used by the high-speed logging pool members.
  7. Click Finished.

Creating a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP® system.

Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations.
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select a formatted logging destination, such as Remote Syslog, Splunk, or IPFIX.
    The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  5. If you selected Remote Syslog, from the Syslog Format list, select a format for the logs, and then from the High-Speed Log Destination list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
    Important: For logs coming from Access Policy Manager® (APM®), only the BSD Syslog format is supported.
  6. If you selected Splunk or IPFIX, from the Forward To list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
  7. Click Finished.

Creating a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP® system.
Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers.
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. For the Destinations setting, select a destination from the Available list, and move the destination to the Selected list.
    Note: If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db key to false. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the logpublisher.atomic db key to false will not work to allow the logs to be written to local-syslog. The logpublisher.atomic db key has no effect on local-syslog.
  5. Click Finished.

Creating an LSN logging profile

You can create an LSN logging profile to allow you to configure logging options for various LSN events that apply to high-speed logging destinations.
Note: For configuring remote high-speed logging of CGNAT processes on the BIG-IP® system, these steps are optional.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > LSN.
    The LSN logging profiles screen opens.
  2. Click Create.
    The New LSN Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. Select the Custom check box for the Log Settings area.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting                 Description
    Start Outbound Session  Generates event log entries at the start of a translation event for an LSN client.
    End Outbound Session    Generates event log entries at the end of a translation event for an LSN client.
    Start Inbound Session   Generates event log entries at the start of an incoming connection event for a translated endpoint.
    End Inbound Session     Generates event log entries at the end of an incoming connection event for a translated endpoint.
    Quota Exceeded          Generates event log entries when an LSN client exceeds allocated resources.
    Errors                  Generates event log entries when LSN translation errors occur.
  7. Click Finished.

Configuring an LSN pool

You can associate an LSN pool with a log publisher and logging profile that the BIG-IP® system uses to send log messages to a specified destination.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools > LSN Pool List.
    The LSN Pool List screen opens.
  2. Select an LSN pool from the list.
    The configuration screen for the pool opens.
  3. From the Log Publisher list, select the log publisher that the BIG-IP system uses to send log messages to a specified destination.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db key to false. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the logpublisher.atomic db key to false will not work to allow the logs to be written to local-syslog. The logpublisher.atomic db key has no effect on local-syslog.
  4. Optional: From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
  5. Click Finished.
You now have an LSN pool for which the BIG-IP system logs messages using the specified logging profile.
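Before wiring these objects on a live system, the chain built in this procedure (pool, unformatted HSL destination, formatted destination, publisher, LSN pool) can be checked for dangling references. The following Python is an added example, not F5 code: validate_chain encodes the reference rules from this procedure and from the IPFIX and local-logging variants (an IPFIX destination names a pool directly; a Splunk destination may forward to local-syslog), and destinations_receiving models the Important note about the logpublisher.atomic db key; every object name used is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Added example, not F5 code: sanity-checks the CGNAT logging object chain from this
# chapter (pool -> HSL destination -> formatted destination -> publisher -> LSN pool)
# and models the logpublisher.atomic rule. All object names used here are constructed.

HSL = "remote-high-speed-log"                # unformatted destination, references a pool
POOL_BACKED = {HSL, "ipfix"}                 # destinations that must name an existing pool
NEEDS_FORWARD = {"splunk", "remote-syslog"}  # formatted destinations that forward elsewhere


@dataclass(frozen=True)
class Destination:
    name: str
    kind: str
    pool: Optional[str] = None        # for remote-high-speed-log and ipfix
    forward_to: Optional[str] = None  # an HSL destination name, or "local-syslog"


def validate_chain(pools: Set[str], destinations: Iterable[Destination],
                   publishers: Dict[str, List[str]],
                   lsn_pools: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Return wiring problems; an empty list means every object references something that exists.
    lsn_pools maps an LSN pool name to (log publisher, logging profile or None)."""
    problems = []
    by_name = {d.name: d for d in destinations}
    for d in by_name.values():
        if d.kind in POOL_BACKED and d.pool not in pools:
            problems.append(f"destination {d.name}: {d.kind} must reference an existing pool")
        if d.kind in NEEDS_FORWARD and d.forward_to != "local-syslog":
            target = by_name.get(d.forward_to)
            if target is None or target.kind != HSL:
                problems.append(f"destination {d.name}: must forward to an HSL destination or local-syslog")
    for pub, members in publishers.items():
        if not members:
            problems.append(f"publisher {pub}: no destinations selected")
        problems += [f"publisher {pub}: unknown destination {m}" for m in members if m not in by_name]
    for lsn, (pub, _profile) in lsn_pools.items():
        if pub not in publishers:
            problems.append(f"LSN pool {lsn}: log publisher {pub} does not exist")
    return problems


def destinations_receiving(members: List[str], available: Set[str], atomic: bool = True):
    """HSL destinations of one publisher that receive a message, per the chapter's Important note:
    with logpublisher.atomic true (the default) every destination must be up or nothing is logged;
    with it false, the destinations that are up still receive the log. local-syslog is not modelled."""
    up = frozenset(m for m in members if m in available)
    if atomic and up != frozenset(members):
        return frozenset()
    return up


if __name__ == "__main__":
    dests = [Destination("dest_hsl", HSL, pool="pool_log_servers"),
             Destination("dest_splunk", "splunk", forward_to="dest_hsl"),
             Destination("dest_syslog", "remote-syslog", forward_to="dest_missing")]  # deliberate error
    pubs = {"pub_cgnat": ["dest_splunk", "dest_syslog"]}
    print(validate_chain({"pool_log_servers"}, dests, pubs, {"lsn_pool_1": ("pub_cgnat", None)}))
    print(sorted(destinations_receiving(["dest_a", "dest_b"], {"dest_a"})))                # []
    print(sorted(destinations_receiving(["dest_a", "dest_b"], {"dest_a"}, atomic=False)))  # ['dest_a']
```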

Overview: Configuring IPFIX logging for CGNAT

You can configure the BIG-IP® system to log information about carrier grade network address translation (CGNAT) processes and send the log messages to remote IPFIX collectors.

IPFIX is a set of IETF standards described in RFCs 5101 and 5102. The BIG-IP system supports logging of CGNAT translation events over the IPFIX protocol. IPFIX logs are raw, binary-encoded strings with their fields and field lengths defined by IPFIX templates. IPFIX collectors are external devices that can receive IPFIX templates, and use them to interpret IPFIX logs.

The configuration process involves creating and connecting the following configuration objects.

Object                       Reason
Pool of IPFIX collectors     Create a pool of IPFIX collectors to which the BIG-IP system can send IPFIX log messages.
Destination                  Create a log destination to format the logs in IPFIX templates, and forward the logs to the IPFIX collectors.
Publisher                    Create a log publisher to send logs to a set of specified log destinations.
Logging Profile (optional)   Create a logging profile to configure logging options for various large scale NAT (LSN) events. The options apply to all HSL destinations.
LSN pool                     Associate an LSN pool with a logging profile and log publisher in order to log messages about the traffic that uses the pool.

This illustration shows the association of the configuration objects for IPFIX logging of CGNAT processes.

[Figure: Associations between CGNAT IPFIX logging configuration objects]

Task summary

Perform these tasks to configure IPFIX logging of CGNAT processes on the BIG-IP system.
Note: Enabling IPFIX logging impacts BIG-IP system performance.

Assembling a pool of IPFIX collectors

Before creating a pool of IPFIX collectors, gather the IP addresses of the collectors that you want to include in the pool. Ensure that the remote IPFIX collectors are configured to listen to and receive log messages from the BIG-IP® system.
These are the steps for creating a pool of IPFIX collectors. The BIG-IP system can send IPFIX log messages to this pool.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each IPFIX collector that you want to include in the pool:
    1. Type the collector's IP address in the Address field, or select a node address from the Node List.
    2. Type a port number in the Service Port field.
      By default, IPFIX collectors listen on UDP or TCP port 4739 and Netflow V9 devices listen on port 2055, though the port is configurable at each collector.
    3. Click Add.
  5. Click Finished.

Creating an IPFIX log destination

A log destination of the IPFIX type specifies that log messages are sent to a pool of IPFIX collectors. Use these steps to create a log destination for IPFIX collectors.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations.
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select IPFIX.
  5. From the Protocol list, select IPFIX or Netflow V9, depending on the type of collectors you have in the pool.
  6. From the Pool Name list, select an LTM® pool of IPFIX collectors.
  7. From the Transport Profile list, select TCP, UDP, or any customized profile derived from TCP or UDP.
  8. The Template Retransmit Interval is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the Transport Profile is a UDP profile.
    An IPFIX template defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.

    The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.

  9. The Template Delete Delay is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
  10. The Server SSL Profile applies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the Transport Profile is a TCP profile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration.
    SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
  11. Click Finished.
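The IPFIX overview above describes the logs as binary records whose layout a collector learns from templates, and step 8 explains why the templates are retransmitted over UDP. The following exporter/collector pair is an added example, not F5 code and not the template the BIG-IP system itself emits: it frames a constructed NAT44 record per RFC 5101 and shows that a collector cannot decode a data set until it holds the matching template, after which a cached template also serves later data-only messages. The information element ids are IANA's; the template layout, template id and sample addresses are constructed.

```python
import ipaddress
import struct

# Added example, not F5 code: minimal IPFIX (RFC 5101) exporter/collector pair for a
# constructed NAT44 record; data sets are unreadable until their template has arrived.

IPFIX_VERSION, TEMPLATE_SET_ID, TEMPLATE_ID = 10, 2, 256   # data template ids start at 256
# (IANA information element id, byte length): constructed template, not BIG-IP's own
NAT44_TEMPLATE = [(8, 4),     # sourceIPv4Address (subscriber's private address)
                  (7, 2),     # sourceTransportPort
                  (225, 4),   # postNATSourceIPv4Address (translated address)
                  (227, 2),   # postNAPTSourceTransportPort (translated port)
                  (4, 1),     # protocolIdentifier
                  (230, 1)]   # natEvent (1 = create, 2 = delete)


def encode_message(records, include_template=True, template=NAT44_TEMPLATE,
                   template_id=TEMPLATE_ID, seq=0, domain=1, export_time=0):
    """Exporter side: 16-byte header, optional template set, one data set of int-valued records."""
    body = b""
    if include_template:
        tmpl = struct.pack("!HH", template_id, len(template))
        tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in template)
        body += struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(val.to_bytes(ln, "big")
                    for rec in records for val, (_ie, ln) in zip(rec, template))
    body += struct.pack("!HH", template_id, 4 + len(data)) + data
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain) + body


def decode_message(msg, templates=None):
    """Collector side: cache templates, decode data sets through them; unknown sets are skipped."""
    templates = {} if templates is None else templates
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16
    while off < length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        pos, end = off + 4, off + set_len
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:                        # one or more template records
                tid, count = struct.unpack_from("!HH", msg, pos)
                templates[tid] = [struct.unpack_from("!HH", msg, pos + 4 + 4 * i) for i in range(count)]
                pos += 4 + 4 * count
        elif set_id in templates:                        # data set: fixed-length records
            fields = templates[set_id]
            while pos + sum(ln for _ie, ln in fields) <= end:
                rec = {}
                for ie, ln in fields:
                    rec[ie] = int.from_bytes(msg[pos:pos + ln], "big")
                    pos += ln
                records.append(rec)
        off = end
    return templates, records


# Constructed sample: 10.20.30.40:51234 translated to 203.0.113.7:1025, TCP, create event
SAMPLE_RECORD = [int(ipaddress.IPv4Address("10.20.30.40")), 51234,
                 int(ipaddress.IPv4Address("203.0.113.7")), 1025, 6, 1]

if __name__ == "__main__":
    cache = {}
    _, early = decode_message(encode_message([SAMPLE_RECORD], include_template=False), cache)
    _, late = decode_message(encode_message([SAMPLE_RECORD]), cache)
    print("records decoded before template:", len(early), "after:", len(late), late[0])
```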

Creating a publisher

A publisher specifies where the BIG-IP® system sends log messages for IPFIX logs.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers.
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. Use the Log Destinations area to select an existing IPFIX destination (perhaps along with other destinations for your logs): click any destination name in the Available list, and move it to the Selected list.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db key to false. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the logpublisher.atomic db key to false will not work to allow the logs to be written to local-syslog. The logpublisher.atomic db key has no effect on local-syslog.
  5. Click Finished.

Creating an LSN logging profile

You can create an LSN logging profile to allow you to configure logging options for various LSN events that apply to IPFIX logging destinations.
Note: For configuring IPFIX logging of CGNAT processes on the BIG-IP® system, these steps are optional.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > LSN.
    The LSN profile list screen opens.
  2. Click Create.
    The New LSN Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. Select the Custom check box for the Log Settings area.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting                 Description
    Start Outbound Session  Generates event log entries at the start of a translation event for an LSN client.
    End Outbound Session    Generates event log entries at the end of a translation event for an LSN client.
    Start Inbound Session   Generates event log entries at the start of an incoming connection event for a translated endpoint.
    End Inbound Session     Generates event log entries at the end of an incoming connection event for a translated endpoint.
    Quota Exceeded          Generates event log entries when an LSN client exceeds allocated resources.
    Errors                  Generates event log entries when LSN translation errors occur.
  7. Click Finished.

Configuring an LSN pool

You can associate an LSN pool with a log publisher and logging profile that the BIG-IP® system uses to send log messages to a specified destination.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools > LSN Pool List.
    The LSN Pool List screen opens.
  2. Select an LSN pool from the list.
    The configuration screen for the pool opens.
  3. From the Log Publisher list, select the log publisher that the BIG-IP system uses to send log messages to a specified destination.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db key to false. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the logpublisher.atomic db key to false will not work to allow the logs to be written to local-syslog. The logpublisher.atomic db key has no effect on local-syslog.
  4. Optional: From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
  5. Click Finished.
You now have an LSN pool for which the BIG-IP system logs messages using the specified logging profile.