
F5 Networks IPFIX Support

Looks like F5 Networks IPFIX support will be available soon. If you plan on exporting IPFIX from your F5 hardware, keep in mind that you probably won’t be able to look at the data with most flow collectors on the market. It’s sort of an interesting flow because there is no octetDeltaCount in the flow records that we tested. Nevertheless, the export is proving very useful, and we are excited to see another company joining the community that supports the only IETF flow standard: IPFIX.

F5 IPFIX Template


We started working with early versions of the F5 IPFIX support in mid-2013.

What about sFlow?

I can’t say for sure, but I hope F5 maintains their sFlow support as well. sFlow is a proprietary technology led by InMon, whose technology appears to have been rolled into IPFIX just as NetFlow was. IPFIX allows for real-time packet sampling and the export of SNMP counters. Adoption of IPFIX is growing fast, with over two dozen companies supporting it to date. Two years ago, there were about 4. We believe the growth is because IPFIX is the most scalable flow technology available today and the only official Internet standard.

What about byte counts?

What a vendor chooses to export in IPFIX is vendor specific. IPFIX sets the standard for how flows should be exported, and IANA specifies several hundred elements that are common across all vendors. Similar to SNMP, enterprise (i.e. vendor) specific elements can also be exported. In some IPFIX implementations, vendors (e.g. Cisco and Dell-SonicWALL) allow the consumer to pick which elements they want to export. As more details are requested, the flows get larger and more bandwidth and disk space are consumed. F5 may decide to export octetDeltaCount later, but they are still 100% compliant with IPFIX without exporting bytes. There is nothing in the official IPFIX standard that says a vendor has to export byte counts.

F5 IPFIX Reporting

An example of our F5 Networks IPFIX Reporting is shown above.  We created several other reports and many more can be created for all of the F5 AFM Events.

More on IPFIX

NetFlow and IPFIX are flow or messaging technologies that are nearly identical. IPFIX is the official IETF standard and is considered by some to be NetFlow v10. IPFIX allows for variable-length strings and opened the technology up so that vendors other than Cisco can export unique details about the traffic passing through their hardware.

Flow collectors are able to dynamically read in the templates exported by flow capable hardware and store the flows being sent. Most NetFlow collectors provide reporting on the data and some even provide behavior analysis to help detect cyber threats.
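To make the template and byte-count points above concrete, here is an added example (not code from F5 or from this blog) of how a collector can read an IPFIX template set as laid out in RFC 7011 and check whether a template carries octetDeltaCount before building byte-based reports. The sample message is constructed: template ID 256, enterprise number 3375 (F5's IANA-registered number) and the enterprise element ID 12345 are assumptions for illustration, not values taken from a real F5 export.

```python
import struct

TEMPLATE_SET_ID = 2      # RFC 7011: set ID 2 carries template records
OCTET_DELTA_COUNT = 1    # IANA information element ID for byte counts
VARIABLE_LENGTH = 65535  # RFC 7011 marker for a variable-length field

def parse_templates(msg):
    """Return {template_id: [(enterprise_number, element_id, length), ...]}."""
    if len(msg) < 16:
        raise ValueError("short message")
    version, msg_len = struct.unpack_from("!HH", msg, 0)
    if version != 10 or msg_len != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, off = {}, 16
    while off + 4 <= msg_len:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        end = off + set_len
        if set_len < 4 or end > msg_len:
            raise ValueError("bad set length")
        pos = off + 4
        while set_id == TEMPLATE_SET_ID and pos + 4 <= end:
            tid, count = struct.unpack_from("!HH", msg, pos)
            if tid < 256:            # padding, not a template record
                break
            pos, fields = pos + 4, []
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("truncated template")
                ie, length = struct.unpack_from("!HH", msg, pos)
                pos, pen = pos + 4, 0
                if ie & 0x8000:      # enterprise bit: 4-byte enterprise number follows
                    if pos + 4 > end:
                        raise ValueError("truncated template")
                    (pen,) = struct.unpack_from("!I", msg, pos)
                    pos += 4
                fields.append((pen, ie & 0x7FFF, length))
            templates[tid] = fields
        off = end
    return templates

def has_byte_counts(fields):
    """True only if the IANA octetDeltaCount element is in the template."""
    return any(pen == 0 and ie == OCTET_DELTA_COUNT for pen, ie, _ in fields)

def build_sample(ies=((8, 4), (12, 4), (7, 2), (11, 2), (4, 1))):
    """Constructed message: template 256 with IANA elements plus one enterprise element."""
    body = struct.pack("!HH", 256, len(ies) + 1)
    body += b"".join(struct.pack("!HH", ie, ln) for ie, ln in ies)
    body += struct.pack("!HHI", 0x8000 | 12345, VARIABLE_LENGTH, 3375)  # made-up element ID
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 0) + tset
```

A collector that gates its byte-based reports on `has_byte_counts()` can still store and report on a template like this one through its other elements instead of showing empty traffic graphs.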

About F5 Networks

F5 Networks, Inc. is a provider of Application Delivery Networking (ADN) technology that optimizes the delivery of network-based applications and the security, performance, and availability of servers, data storage devices, and other network resources. The technology is normally managed by system administrators and engineers. F5 is headquartered in Seattle, Washington and has development, manufacturing, and sales/marketing offices worldwide. F5 originally manufactured and sold some of the industry’s first load balancing products.

July 2016 Update: We have added several new reports this summer. Reports include details on their new F5 IPFIX elements (e.g. DoS Attack, Drop Reason, Message Severity, etc.). Details on how to export these elements can be found here. Reach out to our team for details on the new reports.