At the beginning of the year Dale wrote a blog on F5 Networks IPFIX Support. Today, I want to follow up on that post by explaining F5 IPFIX Configuration and configuring IPFIX logging for SIP DoS.

f5 IPFIX configuration

These are the steps required to configure IPFIX logging of SIP DoS events on the BIG-IP system (specifically BIG-IP Advanced Firewall Manager (AFM 11.6.0)). To learn which elements are supported visit the IPFIX Templates for AFM SIP Events article on F5’s website.

A quick note before you begin: Enabling IPFIX logging impacts BIG-IP system performance.

Assembling a pool of IPFIX collectors

Assembling a pool of IPFIX collectors is the first step in the configuraton. Get together the IP address of the collectors that you wish to include in the pool. Additionally, make sure your collectors are configured to listen to, and receive, log messages from the BIG-IP system.

Follow these steps to create a pool of IPFIX colelctors.

  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each IPFIX collector that you want to include in the pool:
    1. Type the collector’s IP address in the Address field, or select a node address from the Node List.
    2. Type a port number in the Service Port field. By default, IPFIX collectors listen on UDP or TCP port 4739 and Netflow V9 devices listen on port 2055, though the port is configurable at each collector.
    3. Click Add.
  5. Click Finished.

Creating an IPFIX log destination

A log destination of the IPFIX type specifies that log messages are sent to a pool of IPFIX collectors. Use these steps to create a log destination for IPFIX collectors

  1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select IPFIX.
  5. From the Protocol list, select IPFIX or Netflow V9, depending on the type of collectors you have in the pool.
  6. From the Pool Name list, select an LTM® pool of IPFIX collectors.
  7. From the Transport Profile list, select TCPUDP, or any customized profile derived from TCP or UDP.
  8. The Template Retransmit Interval is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the Transport Profile is a UDP profile. An IPFIX template defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.
  9. The Template Delete Delay is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
  10. The Server SSL Profile applies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the Transport Profile is a TCP profile. Choose an SSL profile that is appropriate for the IPFIX collectors’ SSL/TLS configuration. SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
  11. Click Finished.

Creating a publisher

A publisher specifies where the BIG-IP® system sends log messages for IPFIX logs.

  1. On the Main tab, click System > Logs > Configuration > Log Publishers. The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. Use the Log Destinations area to select an existing IPFIX destination (perhaps along with other destinations for your logs): click any destination name in the Available list, and click << to move it to the Selected list.
  5. Click Finished.

Creating a custom DNS DoS Protection Logging profile

Create a custom Logging profile to log DNS DoS Protection events and send the log messages to a specific location.

  1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
  2. Click Create. The New Logging Profile screen opens.
  3. Select the DoS Protection check box.
  4. In the DNS DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log DNS DoS events. You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  5. Click Finished.

Assign this custom DNS DoS Protection Logging profile to a virtual server.

That’s it! You’re done!

Let us know if you need further clarification on setting up IPFIX logging for SIP DoS on your BIG-IP AFM; we’re here to help.


Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.