Barracuda CloudGen Firewall

Reporting of Network Flow Information with IPFIX

On the Barracuda CloudGen Firewall, you can stream audit and reporting information to multiple external collectors based on the IPFIX protocol. Enable IPFIX, add collectors, and, optionally, enable IPFIX streaming for your HTTP proxy service.

Handling IPFIX Templates

Starting with firmware version 8.0.5 / 8.2.0, IPFIX works completely independently of the audit infrastructure. To use IPFIX, you only need to enable or disable it in the configuration. The audit configuration does not need to be changed in any way and has no effect on IPFIX.

Also, previous IPFIX templates have been updated to newer versions. When updating the firmware to 8.0.5 / 8.2.0, IPFIX will run in 'backward compatibility mode', that is, previous IPFIX template settings remain in their current state and now (8.0.5 / 8.2.0) have names with the prefix *DEPRECATED*. These settings remain activated to preserve the configured behavior and can be updated to their corresponding new names.

It is recommended to change such settings by selecting the corresponding new names. In this example, switch from *DEPRECATED* Uniflow Default to Uniflow Default in the respective menu list in the UI.

If IPFIX is working in backward compatibility mode, the use of former templates is indicated by corresponding messages in the log.

Changes to IPFIX Templates

With firmware 8.0.5 / 8.2.0, several changes have been made to the Information Elements.

For an overview of the current information templates, see the tables below.

Standardized Fields

Some standardized fields (Information Elements) in predefined templates have changed:

  • All templates now include flowStartMilliseconds and flowEndMilliseconds.
  • octetTotalCount and packetTotalCount are now only included in the Extended templates.
  • A new basic template (Uniflow Basic) has been introduced that offers the best compatibility with various collectors.
  • Except in the basic template, firewallEvent is now included in all templates.
  • The systemInitTimeMilliseconds has been added and is included in the Extended templates.

Barracuda Proprietary Fields

Some proprietary fields were replaced with standardized ones and apply to the deprecated templates only:

  • bindIPv4Address has been replaced with postNATSourceIPv4Address
  • connIPv4Address has been replaced with postNATDestinationIPv4Address
  • bindTransportPort has been replaced with postNAPTSourceTransportPort
  • connTransportPort has been replaced with postNAPTDestinationTransportPort
  • auditCounter has been removed without replacement, because similar information can be derived from the IPFIX header
  • timestamp has been removed without replacement, because similar information can be derived from the IPFIX header

Reporting Timestamps

The reporting of timestamps for intermediate flow records has been adapted to improve the compatibility with various collectors. Instead of reporting the flow's overall start and end times, the flow record now includes the start and end times of the corresponding intermediate interval. This change takes effect only when a non-deprecated template is configured.

The reporting timestamps now work as follows:

  • If there is a preceding flow report for a flow, the report's 'end time' is used as the new 'start time'. Otherwise, the slot creation time is used.
  • The timestamp of the last packet that was forwarded through the slot is sent as 'end time'.
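
A collector-side illustration of the interval-based timestamps, added here and not taken from Barracuda's documentation: because each intermediate report starts where the previous one ended, per-flow totals can be rebuilt by chaining reports on flowID, and a start time that does not match the previous end time shows either a missing report or an exporter still sending the overall flow times of a deprecated template. The `stitch` function, the record dictionaries and all sample values are constructed for this example, and records are assumed to be decoded already.

```python
# Constructed sample: already-decoded records from a non-deprecated Default or
# Extended template (the Basic template carries no flowID to chain on).
RECORDS = [
    {"flowID": 7001, "flowStartMilliseconds": 1000, "flowEndMilliseconds": 4000, "octetDeltaCount": 1200},
    {"flowID": 7001, "flowStartMilliseconds": 4000, "flowEndMilliseconds": 9000, "octetDeltaCount": 800},
    {"flowID": 7001, "flowStartMilliseconds": 9000, "flowEndMilliseconds": 9500, "octetDeltaCount": 100},
    {"flowID": 7002, "flowStartMilliseconds": 2000, "flowEndMilliseconds": 5000, "octetDeltaCount": 500},
    {"flowID": 7002, "flowStartMilliseconds": 8000, "flowEndMilliseconds": 9000, "octetDeltaCount": 300},
    {"flowID": 7003, "flowStartMilliseconds": 3000, "flowEndMilliseconds": 6000, "octetDeltaCount": 400},
    {"flowID": 7003, "flowStartMilliseconds": 3000, "flowEndMilliseconds": 9000, "octetDeltaCount": 250},
]


def stitch(records):
    """Chain interval reports per flowID; return totals and timestamp anomalies."""
    flows = {}
    key = lambda r: (r["flowID"], r["flowStartMilliseconds"], r["flowEndMilliseconds"])
    for r in sorted(records, key=key):
        start, end = r["flowStartMilliseconds"], r["flowEndMilliseconds"]
        f = flows.setdefault(r["flowID"], {"start": start, "end": start, "octets": 0,
                                           "reports": 0, "anomalies": []})
        if f["reports"] and start > f["end"]:
            # Interval not covered by any report: a report is missing at the collector.
            f["anomalies"].append(("gap", f["end"], start))
        elif f["reports"] and start < f["end"]:
            # Start time repeats or rewinds: overall flow times, as deprecated templates send.
            f["anomalies"].append(("overlap", f["end"], start))
        f["end"] = max(f["end"], end)
        f["octets"] += r["octetDeltaCount"]
        f["reports"] += 1
    return flows
```

Flows with an empty `anomalies` list have a complete chain of reports, so their summed octetDeltaCount covers the whole span from `start` to `end`.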

Blocked Traffic

Blocked traffic is no longer reported by default for improved compatibility with various collectors. If reporting of blocked traffic is desired and there are no compatibility concerns, it can be re-enabled as follows:

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration.
  2. In the left menu, select Audit and Reporting.
  3. In the left menu, expand Configuration Mode and click Switch to Advanced View.
  4. Click Lock.
  5. In the section IPFIX Export, set Report Blocked or Failed Sessions to yes.
  6. Click Send Changes / Activate.

Configuring IPFIX

To configure audit & reporting with IPFIX, see How to Configure IPFIX.

To create custom information templates, see How to Create Custom IPFIX Templates.

Tables

Basic Template

| ID | Name | Size (octets) | Type |
|---|---|---|---|
| 1 | octetDeltaCount | 8 | unsigned64 |
| 2 | packetDeltaCount | 8 | unsigned64 |
| 4 | protocolIdentifier | 1 | unsigned8 |
| 7 | sourceTransportPort | 2 | unsigned16 |
| 8 | sourceIPv4Address | 4 | ipv4Address |
| 10 | ingressInterface | 4 | unsigned32 |
| 11 | destinationTransportPort | 4 | unsigned16 |
| 12 | destinationIPv4Address | 4 | ipv4Address |
| 14 | egressInterface | 4 | unsigned32 |
| 152 | flowStartMilliseconds | 8 | dateTimeMilliseconds |
| 153 | flowEndMilliseconds | 8 | dateTimeMilliseconds |

Default Template

| ID | Name | Size (octets) | Type |
|---|---|---|---|
| 1 | octetDeltaCount | 8 | unsigned64 |
| 2 | packetDeltaCount | 8 | unsigned64 |
| 4 | protocolIdentifier | 1 | unsigned8 |
| 7 | sourceTransportPort | 2 | unsigned16 |
| 8 | sourceIPv4Address | 4 | ipv4Address |
| 10 | ingressInterface | 4 | unsigned32 |
| 12 | destinationIPv4Address | 4 | ipv4Address |
| 14 | egressInterface | 4 | unsigned32 |
| 148 | flowID | 8 | unsigned64 |
| 152 | flowStartMilliseconds | 8 | dateTimeMilliseconds |
| 153 | flowEndMilliseconds | 8 | dateTimeMilliseconds |
| 161 | flowDurationMilliseconds | 4 | unsigned32 |
| 233 | firewallEvent | 1 | unsigned8 |

Barracuda Proprietary Information Elements
Private Enterprise Number Barracuda Networks: 10704

| ID | Name | Size (octets) | Type |
|---|---|---|---|
| 2 | cudaLogOperation | 1 | unsigned8 |
| 3 | cudaTrafficType | 1 | unsigned8 |
| 4 | cudaFirewallRule | variable | string |
| 5 | cudaServiceName | variable | string |
| 6 | cudaFirewallReason | variable | string |
| 7 | cudaFirewallReasonText | variable | string |

Extended Template

| ID | Name | Size (octets) | Type |
|---|---|---|---|
| 1 | octetDeltaCount | 8 | unsigned64 |
| 2 | packetDeltaCount | 8 | unsigned64 |
| 4 | protocolIdentifier | 1 | unsigned8 |
| 7 | sourceTransportPort | 2 | unsigned16 |
| 8 | sourceIPv4Address | 4 | ipv4Address |
| 10 | ingressInterface | 4 | unsigned32 |
| 12 | destinationIPv4Address | 4 | ipv4Address |
| 14 | egressInterface | 4 | unsigned32 |
| 21 | flowEndSysUpTime | 4 | unsigned32 |
| 22 | flowStartSysUpTime | 4 | unsigned32 |
| 148 | flowID | 8 | unsigned64 |
| 152 | flowStartMilliseconds | 8 | dateTimeMilliseconds |
| 153 | flowEndMilliseconds | 8 | dateTimeMilliseconds |
| 161 | flowDurationMilliseconds | 4 | unsigned32 |
| 233 | firewallEvent | 1 | unsigned8 |

Barracuda Proprietary Information Elements
Private Enterprise Number Barracuda Networks: 10704

| ID | Name | Size (octets) | Type |
|---|---|---|---|
| 2 | barracudaLogOperation | 1 | unsigned8 |
| 3 | barracudaTrafficType | 1 | unsigned8 |
| 4 | barracudaFirewallRule | variable | string |
| 5 | barracudaServiceName | variable | string |
| 6 | barracudaFirewallReason | variable | string |
| 7 | barracudaFirewallReasonText | variable | string |

Extended Template without Proprietary Barracuda Fields

| ID | Name | Size (octets) | Type |
|---|---|---|---|
| 1 | octetDeltaCount | 8 | unsigned64 |
| 2 | packetDeltaCount | 8 | unsigned64 |
| 4 | protocolIdentifier | 1 | unsigned8 |
| 7 | sourceTransportPort | 2 | unsigned16 |
| 8 | sourceIPv4Address | 4 | ipv4Address |
| 10 | ingressInterface | 4 | unsigned32 |
| 12 | destinationIPv4Address | 4 | ipv4Address |
| 14 | egressInterface | 4 | unsigned32 |
| 21 | flowEndSysUpTime | 4 | unsigned32 |
| 22 | flowStartSysUpTime | 4 | unsigned32 |
| 148 | flowID | 8 | unsigned64 |
| 152 | flowStartMilliseconds | 8 | dateTimeMilliseconds |
| 153 | flowEndMilliseconds | 8 | dateTimeMilliseconds |
| 161 | flowDurationMilliseconds | 4 | unsigned32 |
| 233 | firewallEvent | 1 | unsigned8 |

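Valid Values for the cudaLogOperation Information Field

| ID | Name |
|---|---|
| 0 | Unknown |
| 1 | Allow |
| 2 | LocalAllow |
| 3 | Block |
| 4 | LocalBlock |
| 5 | Remove |
| 6 | LocalRemove |
| 7 | Drop |
| 8 | Terminate |
| 9 | LocalTerminate |
| 10 | Change |
| 11 | Operation |
| 12 | Startup |
| 13 | Configuration |
| 14 | Rule |
| 15 | State |
| 16 | LocalState |
| 17 | Process |
| 18 | AdminAction |
| 19 | Deny |
| 20 | LocalDeny |
| 21 | SecurityEvent |
| 22 | Sync |
| 23 | Fail |
| 24 | LocalFail |
| 25 | ARP |
| 26 | Detect |
| 27 | LocalDetect |
| 28 | IntermediateReport |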

Values for the cudaTrafficType Information Field

| ID | Name |
|---|---|
| 0 | Forwarding |
| 1 | Local In |
| 2 | Local Out |
| 3 | Loopback |
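
To show how the tables above map onto the wire, the following added example (not Barracuda code) decodes an IPFIX template record and one data record, covering the two cases a collector must handle for the proprietary fields: the enterprise bit with Private Enterprise Number 10704, and variable-length strings. It assumes standard IPFIX (RFC 7011) field-specifier and variable-length encoding; the function names, the template ID, the sample bytes and the rule name are constructed, and the sample template carries only a subset of the Default template's fields.

```python
import ipaddress
import struct

PEN = 10704  # Barracuda Networks Private Enterprise Number, from the tables above
NAMES = {(0, 4): "protocolIdentifier", (0, 8): "sourceIPv4Address",
         (0, 12): "destinationIPv4Address", (0, 233): "firewallEvent",
         (PEN, 2): "cudaLogOperation", (PEN, 4): "cudaFirewallRule"}
LOG_OPS = ("Unknown Allow LocalAllow Block LocalBlock Remove LocalRemove Drop Terminate "
           "LocalTerminate Change Operation Startup Configuration Rule State LocalState "
           "Process AdminAction Deny LocalDeny SecurityEvent Sync Fail LocalFail ARP Detect "
           "LocalDetect IntermediateReport").split()  # list index == cudaLogOperation ID

def parse_template(body):
    tid, count = struct.unpack_from("!HH", body, 0)
    off, fields = 4, []
    for _ in range(count):
        ie, length = struct.unpack_from("!HH", body, off)
        off, pen = off + 4, 0
        if ie & 0x8000:  # enterprise bit set: a 4-octet PEN follows the specifier
            (pen,) = struct.unpack_from("!I", body, off)
            off += 4
        fields.append((pen, ie & 0x7FFF, length))
    return tid, fields

def parse_record(buf, fields):
    off, rec = 0, {}
    for pen, ie, length in fields:
        is_string = length == 0xFFFF  # 65535 marks a variable-length field
        if is_string:
            length, off = buf[off], off + 1  # 1-octet length prefix
            if length == 255:  # long form: the real length is in the next 2 octets
                (length,) = struct.unpack_from("!H", buf, off)
                off += 2
        if off + length > len(buf):
            raise ValueError("field runs past the end of the record")
        raw, off = buf[off:off + length], off + length
        name = NAMES.get((pen, ie), f"{pen}/{ie}")
        rec[name] = (raw.decode("utf-8", "replace") if is_string
                     else str(ipaddress.IPv4Address(raw)) if name.endswith("IPv4Address")
                     else int.from_bytes(raw, "big"))
    op = rec.get("cudaLogOperation")
    if op is not None and op < len(LOG_OPS):
        rec["cudaLogOperation"] = LOG_OPS[op]
    return rec

# Constructed sample: template 256 with six fields, and one matching data record.
TEMPLATE = bytes.fromhex("0100 0006 0004 0001 0008 0004 000c 0004 00e9 0001"
                         "8002 0001 000029d0 8004 ffff 000029d0")
RECORD = bytes.fromhex("06 0a000005 c000020a 03 03 0b") + b"BLOCK-GUEST"
```

A collector that ignores the enterprise bit would read element 2 with PEN 10704 as the standard packetDeltaCount, which is why the PEN has to be part of the lookup key.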