Manual Chapter : IPFIX Templates for AFM Events

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.0.1, 14.0.0
Manual Chapter

IPFIX Templates for AFM Events

Overview: IPFIX Templates for AFM events

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and Templates used to log the F5® Application Firewall Manager™ (AFM™) events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the acceptance of a network packet.

About IPFIX Information Elements for AFM events

Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Advanced Firewall Manager(AFM) event.

IANA-defined IPFIX information elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.

Information Element (IE) ID Size (Bytes)
destinationIPv4Address 12 4
destinationIPv6Address 28 16
destinationTransportPort 11 2
ingressVRFID 234 4
observationTimeMilliseconds 323 8
sourceIPv4Address 8 4
sourceIPv6Address 27 16
sourceTransportPort 7 2

IPFIX enterprise information elements

IPFIX provides for enterprises to define their own information elements (IEs). F5 currently uses the following non-standard IEs for AFM DNS events:

Information Element (IE) ID Size (Bytes)
action 12276 - 39 Variable
attackEvent 12276 - 41 Variable
attackId 12276 - 20 4
attackName 12276 - 21 Variable
bigipHostName 12276 - 10 Variable
bigipMgmtIPv4Address 12276 - 5 4
bigipMgmtIPv6Address 12276 - 6 16
contextName 12276 - 9 Variable
deviceProduct 12276 - 12 Variable
deviceVendor 12276 - 11 Variable
deviceVersion 12276 - 13 Variable
dnsQueryType 12276 - 8 Variable
errdefsMsgNo 12276 - 4 4
flowId 12276 - 3 8
ipfixMsgNo 12276 - 16 4
messageSeverity 12276 - 1 1
msgName 12276 - 14 Variable
packetsDropped 12276 - 23 4
packetsReceived 12276 - 22 4
partitionName 12276 - 2 Variable
queryName 12276 - 7 Variable
vlanName 12276 - 15 Variable
Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

About individual IPFIX Templates for each AFM DNS event

This section enumerates the IPFIX templates used by F5 to publish AFM DNS Events.

Network accept or deny

This IPFIX template is used whenever a network packet is accepted or denied by an AFM firewall.

Information Element (IE) ID Size (Bytes) Notes
aclPolicyName 12276 - 26 Variable This IE is omitted for NetFlow v9.
aclPolicyType 12276 - 25 Variable This IE is omitted for NetFlow v9.
aclRuleName 12276 - 38 Variable This IE is omitted for NetFlow v9.
action 12276 - 39 Variable This IE is omitted for NetFlow v9.
bigipHostName 12276 - 10 Variable This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address 12276 - 5 4  
bigipMgmtIPv6Address 12276 - 6 16  
contextName 12276 - 9 Variable This IE is omitted for NetFlow v9.
contextType 12276 - 24 Variable This IE is omitted for NetFlow v9.
observationTimeMilliseconds 323 8  
destinationFqdn 12276 - 99 Variable This IE is omitted for NetFlow v9.
destinationGeo 12276 - 43 Variable This IE is omitted for NetFlow v9.
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
deviceProduct 12276 - 12 Variable This IE is omitted for NetFlow v9.
deviceVendor 12276 - 11 Variable This IE is omitted for NetFlow v9.
deviceVersion 12276 - 13 Variable This IE is omitted for NetFlow v9.
dropReason 12276 - 40 Variable This IE is omitted for NetFlow v9.
msgName 12276 - 14 Variable This IE is omitted for NetFlow v9.
errdefsMsgNo 12276 - 4 4  
flowId 12276 - 3 8  
ipfixMsgNo 12276 - 16 4  
protocolIdentifier 4 1  
messageSeverity 12276 - 1 1  
partitionName 12276 - 2 Variable This IE is omitted for NetFlow v9.
ingressVRFID 234 4  
saTransPool 12276 - 37 Variable This IE is omitted for NetFlow v9.
saTransType 12276 - 36 Variable This IE is omitted for NetFlow v9.
sourceFqdn 12276 - 98 Variable This IE is omitted for NetFlow v9.
sourceGeo 12276 - 44 Variable This IE is omitted for NetFlow v9.
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
sourceUser 12276 - 93 Variable This IE is omitted for NetFlow v9.
transDestinationIPv4Address 12276 - 31 4  
transDestinationIPv6Address 12276 - 32 16  
transDestinationPort 12276 - 33 2  
transIpProtocol 12276 - 27 1  
transRouteDomain 12276 - 35 4  
transSourceIPv4Address 12276 - 28 4  
transSourceIPv6Address 12276 - 29 16  
transSourcePort 12276 - 30 2  
transVlanName 12276 - 34 Variable This IE is omitted for NetFlow v9.
vlanName 12276 - 15 Variable This IE is omitted for NetFlow v9.

DoS device

Information Element (IE) ID Size (Bytes) Notes
action 12276 - 39 Variable This IE is omitted for NetFlow v9.
bigipHostName 12276 - 10 Variable This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address 12276 - 5 4  
bigipMgmtIPv6Address 12276 - 6 16  
contextName 12276 - 9 Variable This IE is omitted for NetFlow v9.
observationTimeMilliseconds 323 8  
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
deviceProduct 12276 - 12 Variable This IE is omitted for NetFlow v9.
deviceVendor 12276 - 11 Variable This IE is omitted for NetFlow v9.
deviceVersion 12276 - 13 Variable This IE is omitted for NetFlow v9.
dosAttackEvent 12276 - 41 Variable This IE is omitted for NetFlow v9.
dosAttackId 12276 - 20 4  
dosAttackName 12276 - 21 Variable This IE is omitted for NetFlow v9.
dosPacketsDropped 12276 - 23 4  
dosPacketsReceived 12276 - 22 4  
msgName 12276 - 14 Variable This IE is omitted for NetFlow v9.
errdefsMsgNo 12276 - 4 4  
flowId 12276 - 3 8  
ipfixMsgNo 12276 - 16 4  
messageSeverity 12276 - 1 1  
partitionName 12276 - 2 Variable This IE is omitted for NetFlow v9.
ingressVRFID 234 4  
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
vlanName 12276 - 15 Variable This IE is omitted for NetFlow v9.

IP intelligence

Information Element (IE) ID Size (Bytes) Notes
action 12276 - 39 Variable This IE is omitted for NetFlow v9.
attackType 12276 - 46 Variable This IE is omitted for NetFlow v9.
bigipHostName 12276 - 10 Variable This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address 12276 - 5 4  
bigipMgmtIPv6Address 12276 - 6 16  
contextName 12276 - 9 Variable This IE is omitted for NetFlow v9.
contextType 12276 - 24 Variable This IE is omitted for NetFlow v9.
observationTimeMilliseconds 323 8  
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
deviceProduct 12276 - 12 Variable This IE is omitted for NetFlow v9.
deviceVendor 12276 - 11 Variable This IE is omitted for NetFlow v9.
deviceVersion 12276 - 13 Variable This IE is omitted for NetFlow v9.
msgName 12276 - 14 Variable This IE is omitted for NetFlow v9.
errdefsMsgNo 12276 - 4 4  
flowId 12276 - 3 8  
ipfixMsgNo 12276 - 16 4  
ipintelligencePolicyName 12276 - 45 Variable This IE is omitted for NetFlow v9.
ipintelligenceThreatName 12276 - 42 Variable This IE is omitted for NetFlow v9.
protocolIdentifier 4 1  
messageSeverity 12276 - 1 1  
partitionName 12276 - 2 Variable This IE is omitted for NetFlow v9.
ingressVRFID 234 4  
saTransPool 12276 - 37 Variable This IE is omitted for NetFlow v9.
saTransType 12276 - 36 Variable This IE is omitted for NetFlow v9.
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
transDestinationIPv4Address 12276 - 31 4  
transDestinationIPv6Address 12276 - 32 16  
transDestinationPort 12276 - 33 2  
transIpProtocol 12276 - 27 1  
transRouteDomain 12276 - 35 4  
transSourceIPv4Address 12276 - 28 4  
transSourceIPv6Address 12276 - 29 16  
transSourcePort 12276 - 30 2  
transVlanName 12276 - 34 Variable This IE is omitted for NetFlow v9.
vlanName 12276 - 15 Variable This IE is omitted for NetFlow v9.

Log Throttle

Information Element (IE) ID Size (Bytes) Notes
bigipHostName 12276 - 10 Variable This IE is omitted for NetFlow v9.
bigipMgmtIPv4Address 12276 - 5 4  
bigipMgmtIPv6Address 12276 - 6 16  
observationTimeMilliseconds 323 8  
deviceProduct 12276 - 12 Variable This IE is omitted for NetFlow v9.
deviceVendor 12276 - 11 Variable This IE is omitted for NetFlow v9.
deviceVersion 12276 - 13 Variable This IE is omitted for NetFlow v9.
msgName 12276 - 14 Variable This IE is omitted for NetFlow v9.
errdefsMsgNo 12276 - 4 4  
ipfixMsgNo 12276 - 16 4  
messageSeverity 12276 - 1 1  
contextType 12276 - 24 Variable This IE is omitted for NetFlow v9.
contextName 12276 - 9 Variable This IE is omitted for NetFlow v9.
logprofileName 12276 - 95 Variable This IE is omitted for NetFlow v9.
logMsgName 12276 - 97 Variable This IE is omitted for NetFlow v9.
logMsgDrops 12276 - 96 4