Applies To:

Show Versions Show Versions

Manual Chapter: IPFIX Templates for PEM Events
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

IPFIX Templates for PEM Events

Overview: IPFIX templates for PEM events

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX Information Elements (IEs) and templates used to log F5® Policy Enforcement Manager™ (PEM™) events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the acceptance of a network packet. In PEM, the IPFIX publisher delivers PEM records at the session, flow, and transaction level.

About IPFIX Information Elements for PEM events

Information Elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single Policy Enforcement Manager(PEM) event.

IANA-defined IPFIX information elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier. The F5 AFM DNS IPFIX implementation uses a subset of these IEs to publish AFM DNS events. This subset is summarized in the table.

Information Element (IE) ID Size (Bytes)
destinationIPv4Address 12 4
destinationIPv6Address 28 16
destinationTransportPort 11 2
ingressVRFID 234 4
observationTimeMilliseconds 323 8
sourceIPv4Address 8 4
sourceIPv6Address 27 16
sourceTransportPort 7 2

IPFIX enterprise information elements

IPFIX provides for enterprises to define their own information elements (IEs). F5 currently uses the following non-standard IEs for AFM DNS events:

Information Element (IE) ID Size (Bytes)
action 12276 - 39 Variable
attackEvent 12276 - 41 Variable
attackId 12276 - 20 4
attackName 12276 - 21 Variable
bigipHostName 12276 - 10 Variable
bigipMgmtIPv4Address 12276 - 5 4
bigipMgmtIPv6Address 12276 - 6 16
contextName 12276 - 9 Variable
deviceProduct 12276 - 12 Variable
deviceVendor 12276 - 11 Variable
deviceVersion 12276 - 13 Variable
dnsQueryType 12276 - 8 Variable
errdefsMsgNo 12276 - 4 4
flowId 12276 - 3 8
ipfixMsgNo 12276 - 16 4
messageSeverity 12276 - 1 1
msgName 12276 - 14 Variable
packetsDropped 12276 - 23 4
packetsReceived 12276 - 22 4
partitionName 12276 - 2 Variable
queryName 12276 - 7 Variable
vlanName 12276 - 15 Variable
Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

IPFIX Templates for PEM Events

Session logs

This IPFIX template is used for session records used for HSL reporting.

Information Element (IE) ID Size (Bytes) Notes
reportId 12276 - 55 4  
observationTimeSeconds 12276 - 90 8  
timestampMsec 12276 - 91 2  
recordType 12276 - 54 1  
subscriberId 12276 - 71 Variable This IE is omitted for NetFlow v9.
subscriberIdType 12276 - 72 Variable This IE is omitted for NetFlow v9.
3gppParameters 12276 - 57 Variable This IE is omitted for NetFlow v9.
applicationCategoryId 12276 - 48 2  
lastRecordSent 12276 - 63 8  
uplinkVolume 12276 - 89 8  
downlinkVolume 12276 - 88 8  
concurrentFlows 12276 - 59 2  
newFlows 12276 - 64 2  
terminatedFlows 12276 - 69 2  
totalTransactions 12276 - 73 2  
successfulTransactions 12276 - 68 4  
durationSec 12276 - 60 2  
recordReason 12276 - 66 1  
reportVersion 12276 - 56 Variable This IE is omitted for NetFlow v9.

Flow logs

This IPFIX template is used for flow records used for HSL reporting.

Information Element (IE) ID Size (Bytes) Notes
reportId 12276 - 55 4  
observationTimeSeconds 12276 - 90 8  
timestampMsec 12276 - 91 2  
recordType 12276 - 54 1  
subscriberId 12276 - 71 Variable This IE is omitted for NetFlow v9.
subscriberIdType 12276 - 72 Variable This IE is omitted for NetFlow v9.
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
protocolIdentifier 4 1  
applicationCategoryId 12276 - 48 2  
urlCategoryId 12276 - 87 2  
flowStartSeconds 12276 - 51 8  
flowStartMilliSeconds 12276 - 50 2  
flowStopSeconds 12276 - 53 8  
flowStopMilliSeconds 12276 - 52 2  
totalTransactions 12276 - 73 2  
uplinkVolume 12276 - 89 8  
downlinkVolume 12276 - 88 8  
reportVersion 12276 - 56 Variable This IE is omitted for NetFlow v9.
ingressVRFID 234 4  
vlanId 12276 - 92 2  

Transaction logs

This IPFIX template is used for transactional records used for HSL reporting.

Information Element (IE) ID Size (Bytes) Notes
reportId 12276 - 55 4  
recordType 12276 - 54 1  
reportVersion 12276 - 56 Variable This IE is omitted for NetFlow v9.
transactionNumber 12276 - 81 2  
subscriberId 12276 - 71 Variable This IE is omitted for NetFlow v9.
subscriberIdType 12276 - 72 Variable This IE is omitted for NetFlow v9.
sourceIPv4Address 8 4  
sourceIPv6Address 27 16  
sourceTransportPort 7 2  
destinationIPv4Address 12 4  
destinationIPv6Address 28 16  
destinationTransportPort 11 2  
protocolIdentifier 4 1  
ingressVRFID 234 4  
vlanId 12276 - 92 2  
applicationCategoryId 12276 - 48 2  
urlCategoryId 12276 - 87 2  
classification 12276 - 49 Variable This IE is omitted for NetFlow v9.
transactionStartSeconds 12276 - 84 8  
transactionStartMilliSeconds 12276 - 83 2  
transactionStopSeconds 12276 - 86 8  
transactionStopMilliSeconds 12276 - 85 2  
uplinkVolume 12276 - 89 8  
downlinkVolume 12276 - 88 8  
skippedTransactions 12276 - 82 2  
httpResponseCode 12276 - 76 2  
httpHostnameTruncated 12276 - 75 1  
httpHostname 12276 - 74 Variable This IE is omitted for NetFlow v9.
httpUserAgentTruncated 12276 - 80 1  
httpUserAgent 12276 - 79 Variable This IE is omitted for NetFlow v9.
httpUrlTruncated 12276 - 78 1  
httpUrl 12276 - 77 Variable This IE is omitted for NetFlow v9.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.

Additional Comments (optional)