How to configure IPFIX on F5 BIG-IP

The following steps are for the F5 BIG-IP load balancer (Ref: Configuring F5 BIG-IP for IPFIX).

1. Create a pool of IPFIX collectors.

On an F5 BIG-IP appliance, create the pool of IPFIX collectors. These are the IP addresses associated with F5 connectors on a Secure Workload Ingest appliance. F5 connectors run in Docker containers on the VM and listen on port 4739 for IPFIX packets.

2. Create a log-destination.

The log destination configuration on an F5 BIG-IP appliance specifies the actual pool of IPFIX collectors that are used.

3. Create a log-publisher.

A log publisher specifies where F5 BIG-IP sends the IPFIX messages. The publisher is bound with a log-destination.

4. Add an F5 and Secure Workload approved iRule.

Secure Workload and F5 developed iRules that export flow records to F5 connectors. These iRules export complete information about a given transaction, including all the endpoints, byte and packet counts, and flow start and end times (in milliseconds). F5 connectors create 4 independent flows and match each flow with its related flow.

5. Add the iRule to the virtual server.

In the iRule settings of a virtual server, add the Secure Workload approved iRule to the virtual server.

The above steps configure IPFIX on the F5 BIG-IP load balancer to export IPFIX protocol packets for traffic going through the appliance. Here is a sample F5 configuration.

Figure 1: Running configuration of IPFIX on F5 BIG-IP load balancer

In the example above, flow records will be published to ipfix-pub-1. ipfix-pub-1 is configured with log-destination ipfix-collector-1 which sends the IPFIX messages to IPFIX pool ipfix-pool-1. ipfix-pool-1 has 10.28.118.6 as one of the IPFIX collectors. The virtual server vip-1 is configured with IPFIX iRule ipfix-rule-1 which specifies the IPFIX template and how the template gets filled and sent.
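
The five steps above as tmsh commands run from the BIG-IP bash prompt, using the object names and collector address from the sample described on this page. This is an added example, not Cisco's or F5's script; the UDP transport profile is an assumption, and the iRule ipfix-rule-1 is assumed to be already loaded from f5-tetration/irules.

```bash
#!/bin/sh
# Added example: steps 1-5 as tmsh calls from the BIG-IP bash prompt.
# Names and the collector address are the ones used in the sample on this page.
COLLECTOR="10.28.118.6"   # F5 connector address on the Ingest appliance
PORT=4739                 # port the F5 connectors listen on
POOL="ipfix-pool-1"
DEST="ipfix-collector-1"
PUB="ipfix-pub-1"
RULE="ipfix-rule-1"       # assumed already loaded from f5-tetration/irules
VIP="vip-1"

# Where tmsh is not installed (a workstation), print the commands for review
# instead of running them.
command -v tmsh >/dev/null 2>&1 || tmsh() { echo "tmsh $*"; }

configure_ipfix() {
    # 1. Pool of IPFIX collectors (the F5 connector endpoints).
    tmsh create ltm pool "$POOL" members add { "$COLLECTOR:$PORT" } || return 1

    # 2. Log destination that sends IPFIX to that pool.
    #    Assumption: UDP transport; use the profile your connector expects.
    tmsh create sys log-config destination ipfix "$DEST" \
        pool-name "$POOL" protocol-version ipfix transport-profile udp || return 1

    # 3. Log publisher bound to the log destination.
    tmsh create sys log-config publisher "$PUB" destinations add { "$DEST" } || return 1

    # 4. The iRule must exist, with its log-publisher set to $PUB.
    tmsh list ltm rule "$RULE" >/dev/null || return 1

    # 5. Attach the iRule to the virtual server. "rules { ... }" replaces the
    #    whole list, so name any iRules already on the virtual server as well.
    tmsh modify ltm virtual "$VIP" rules { "$RULE" } || return 1

    # Persist the running configuration.
    tmsh save sys config
}

configure_ipfix
```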


 

Before using the iRule downloaded from this guide, update the log-publisher to point to the log-publisher configured in the F5 connector where you add the iRule.

F5 has published a GitHub repository, f5-tetration, to help you get started with flow stitching. The iRules for publishing IPFIX records to the F5 connector for various protocol types are available at: f5-tetration/irules.

Visit the site for the latest iRule definitions. In addition, F5 also develops a script to:

  1. Install the correct iRule for the virtual servers.

  2. Add a pool of IPFIX collector endpoints (where F5 connectors listen for IPFIX records).

  3. Configure the log-collector and log-publisher.

  4. Bind the correct iRule to the virtual servers.

This tool minimizes manual configuration and user error while enabling the flow-stitching use case. The script is available at f5-tetration/scripts.