The distributed firewall tracks flows statefully, and each tracked flow passes through a set of state changes. You can use the IPFIX protocol to export data about the status of a flow. The exported events are flow creation, flow denial, flow update, and flow teardown.

Because IPFIX is template-based, an exporter must declare the format of its data before exporting any flow, so that the collector knows how to parse incoming flow records. The format is declared in templates: ordered sets of <type, length> pairs that define the meaning and the length of each field in a record, one after the other.

The following table describes the information elements that are used in the IPFIX templates of the distributed firewall.

Table 1. IPFIX Information Elements
Name Data Type Size (Octet) Description
sourceMacAddress macAddress 6 The IEEE 802 source MAC address field.
destinationMacAddress macAddress 6 The IEEE 802 destination MAC address field.
ethernetType unsigned16 2 The Ethernet type field of an Ethernet frame that identifies the MAC client protocol carried in the payload.
sourceIPv4Address ipv4Address 4 The IPv4 source address in the IP packet header.
destinationIPv4Address ipv4Address 4 The IPv4 destination address in the IP packet header.
sourceIPv6Address ipv6Address 16 The IPv6 source address in the IP packet header.
destinationIPv6Address ipv6Address 16 The IPv6 destination address in the IP packet header.
sourceTransportPort unsigned16 2 The source port identifier in the transport header.
destinationTransportPort unsigned16 2 The destination port identifier in the transport header.
octetDeltaCount unsigned64 8 The number of octets since the previous report (if any) in incoming packets for the flow at the observation point. The number of octets includes IP headers and IP payload.
packetDeltaCount unsigned64 8 The number of incoming packets since the previous report (if any) for the flow at the observation point.
flowId unsigned64 8 A flow identifier that is unique within an observation domain. This information element helps to distinguish between different flows when flow keys, such as IP addresses and port numbers are not reported, or are reported in separate records.
flowStartSeconds dateTimeSeconds 4 The absolute timestamp of the first packet of the flow.
flowEndSeconds dateTimeSeconds 4 The absolute timestamp of the last packet of the flow.
protocolIdentifier unsigned8 1 The value of the protocol number in the IP packet header.
firewallEvent unsigned8 1 Valid values are:
  • 1 - Flow Created
  • 2 - Flow Deleted
  • 3 - Flow Denied
  • 4 - Flow Alert (not used in this implementation)
  • 5 - Flow Update
direction unsigned8 1 Valid values as applied to the filter at the observation point are:
  • 0x00 - ingress flow to VM
  • 0x01 - egress flow from VM
icmpTypeIPv4 unsigned8 1 Type of the IPv4 ICMP message.
icmpCodeIPv4 unsigned8 1 Code of the IPv4 ICMP message.
icmpTypeIPv6 unsigned8 1 Type of the IPv6 ICMP message.
icmpCodeIPv6 unsigned8 1 Code of the IPv6 ICMP message.
ruleId unsigned32 4 Firewall Rule ID - Enterprise specific IE.
vmUuid string 16 VM UUID - Enterprise specific IE. Uniquely identifies the VM (octet array of 16).
vnicIndex unsigned32 4 VNIC Index - Enterprise specific IE. Index of the VNIC for the specified VM.
sessionFlags unsigned8 1 Session Flags - Enterprise specific IE. Valid values are:
  • 0 - unknown
  • 0x1 - established
flowDirection unsigned8 1 Flow Direction - Enterprise specific IE. Valid values are:
  • 0 - unknown
  • 1 - forward
  • 2 - reverse
algControlFlowId unsigned64 8 ALG Control Flow ID - Enterprise specific IE. Valid values are:
  • 0
  • flowId of the ALG control flow
algType unsigned8 1 ALG Type - Enterprise specific IE. Valid values are:
  • 0 - none
  • 1 - FTP
  • 2 - Oracle
  • 3 - SUNRPC
  • 4 - DCERPC
  • 5 - TFTP
algFlowType unsigned8 1 ALG Flow Type - Enterprise specific IE. Valid values are:
  • 0 - none
  • 1 - control flow
  • 2 - data flow
averageLatency unsigned32 4 Average TCP Latency - Enterprise specific IE. Unit is microseconds.
vifUuid octetArray 16 VIF UUID - Enterprise specific IE. Uniquely identifies the VIF (octet array of 16).

The following IPFIX templates for a distributed firewall are supported only for UDP payloads.

UDP IPV4 Template

The fields sent for this template are as follows:
IPFIX_TEMPLATE_FIELD(sourceMacAddress,6)
IPFIX_TEMPLATE_FIELD(destinationMacAddress,6)
IPFIX_TEMPLATE_FIELD(sourceIPv4Address,4)
IPFIX_TEMPLATE_FIELD(destinationIPv4Address,4)
IPFIX_TEMPLATE_FIELD(sourceTransportPort,2)
IPFIX_TEMPLATE_FIELD(destinationTransportPort,2)
IPFIX_TEMPLATE_FIELD(protocolIdentifier,1)
IPFIX_TEMPLATE_FIELD(icmpTypeIPv4,1)
IPFIX_TEMPLATE_FIELD(icmpCodeIPv4,1)
IPFIX_TEMPLATE_FIELD(ethernetType,2)
IPFIX_TEMPLATE_FIELD(flowStartSeconds,4)
IPFIX_TEMPLATE_FIELD(flowEndSeconds,4)
IPFIX_TEMPLATE_FIELD(octetDeltaCount,8)
IPFIX_TEMPLATE_FIELD(packetDeltaCount,8)
IPFIX_TEMPLATE_FIELD(firewallEvent,1)
IPFIX_TEMPLATE_FIELD(direction,1)
IPFIX_TEMPLATE_FIELD(ruleId,4)
IPFIX_TEMPLATE_FIELD(vmUuid,16)
IPFIX_TEMPLATE_FIELD(vnicIndex,4)
IPFIX_TEMPLATE_FIELD(sessionFlags,1)      /* Introduced in 6.4.2 */
IPFIX_TEMPLATE_FIELD(flowDirection,1)     /* Introduced in 6.4.2 */
IPFIX_TEMPLATE_FIELD(flowId,8)            /* Introduced in 6.4.4 */
IPFIX_TEMPLATE_FIELD(algControlFlowId,8)  /* Introduced in 6.4.4 */
IPFIX_TEMPLATE_FIELD(algType,1)           /* Introduced in 6.4.4 */
IPFIX_TEMPLATE_FIELD(algFlowType,1)       /* Introduced in 6.4.4 */
IPFIX_TEMPLATE_FIELD(averageLatency,4)    /* Introduced in 6.4.4 */

UDP IPV6 Template

The fields sent for this template are as follows:
IPFIX_TEMPLATE_FIELD(sourceMacAddress,6)
IPFIX_TEMPLATE_FIELD(destinationMacAddress,6)
IPFIX_TEMPLATE_FIELD(sourceIPv6Address,16)
IPFIX_TEMPLATE_FIELD(destinationIPv6Address,16)
IPFIX_TEMPLATE_FIELD(sourceTransportPort,2)
IPFIX_TEMPLATE_FIELD(destinationTransportPort,2)
IPFIX_TEMPLATE_FIELD(protocolIdentifier,1)
IPFIX_TEMPLATE_FIELD(icmpTypeIPv6,1)
IPFIX_TEMPLATE_FIELD(icmpCodeIPv6,1)
IPFIX_TEMPLATE_FIELD(ethernetType,2)
IPFIX_TEMPLATE_FIELD(flowStartSeconds,4)
IPFIX_TEMPLATE_FIELD(flowEndSeconds,4)
IPFIX_TEMPLATE_FIELD(octetDeltaCount,8)
IPFIX_TEMPLATE_FIELD(packetDeltaCount,8)
IPFIX_TEMPLATE_FIELD(firewallEvent,1)
IPFIX_TEMPLATE_FIELD(direction,1)
IPFIX_TEMPLATE_FIELD(ruleId,4)
IPFIX_TEMPLATE_FIELD(vmUuid,16)
IPFIX_TEMPLATE_FIELD(vnicIndex,4)
IPFIX_TEMPLATE_FIELD(sessionFlags,1)      /* Introduced in 6.4.2 */
IPFIX_TEMPLATE_FIELD(flowDirection,1)     /* Introduced in 6.4.2 */
IPFIX_TEMPLATE_FIELD(flowId,8)            /* Introduced in 6.4.4 */
IPFIX_TEMPLATE_FIELD(algControlFlowId,8)  /* Introduced in 6.4.4 */
IPFIX_TEMPLATE_FIELD(algType,1)           /* Introduced in 6.4.4 */
IPFIX_TEMPLATE_FIELD(algFlowType,1)       /* Introduced in 6.4.4 */
IPFIX_TEMPLATE_FIELD(averageLatency,4)    /* Introduced in 6.4.4 */
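The two template lists above are exactly what a collector needs to slice a data record back into named fields. The following is an added example (not VMware's code) that decodes a distributed-firewall data record from the UDP IPv4 and IPv6 layouts and turns the enumerated values into the labels from Table 1. It assumes the bytes handed to decode_record() are a single data record with the IPFIX message and set headers already stripped, and that the exporter advertised exactly the layout listed above; because this page does not give the element ids of the enterprise-specific IEs, the decoder works from (name, length) only. The version tuples in INTRODUCED_IN are a hypothetical way to model the "Introduced in 6.4.x" notes, and the sample record is constructed, not captured traffic.

```python
"""Decode distributed-firewall IPFIX data records from the template layouts.

Added example, not VMware code. Assumes one data record with IPFIX message/set
headers stripped; element ids of the enterprise-specific IEs are not on the
page, so only (name, length) is used. Sample data below is constructed.
"""
import ipaddress
import uuid

# (name, length) in wire order, copied from the UDP IPV4 Template list.
UDP_IPV4_TEMPLATE = [
    ("sourceMacAddress", 6), ("destinationMacAddress", 6),
    ("sourceIPv4Address", 4), ("destinationIPv4Address", 4),
    ("sourceTransportPort", 2), ("destinationTransportPort", 2),
    ("protocolIdentifier", 1), ("icmpTypeIPv4", 1), ("icmpCodeIPv4", 1),
    ("ethernetType", 2), ("flowStartSeconds", 4), ("flowEndSeconds", 4),
    ("octetDeltaCount", 8), ("packetDeltaCount", 8), ("firewallEvent", 1),
    ("direction", 1), ("ruleId", 4), ("vmUuid", 16), ("vnicIndex", 4),
    ("sessionFlags", 1), ("flowDirection", 1), ("flowId", 8),
    ("algControlFlowId", 8), ("algType", 1), ("algFlowType", 1),
    ("averageLatency", 4),
]
# The IPv6 template differs only in the 16-octet addresses and the ICMP IEs.
UDP_IPV6_TEMPLATE = [
    (name.replace("IPv4", "IPv6"), 16 if name.endswith("IPv4Address") else length)
    for name, length in UDP_IPV4_TEMPLATE
]
# Fields older exporters do not send (hypothetical version tuples modelling
# the "Introduced in ..." comments in the template lists).
INTRODUCED_IN = {
    "sessionFlags": (6, 4, 2), "flowDirection": (6, 4, 2),
    "flowId": (6, 4, 4), "algControlFlowId": (6, 4, 4), "algType": (6, 4, 4),
    "algFlowType": (6, 4, 4), "averageLatency": (6, 4, 4),
}
# Enumerated values from Table 1.
ENUMS = {
    "firewallEvent": {1: "Flow Created", 2: "Flow Deleted", 3: "Flow Denied",
                      4: "Flow Alert", 5: "Flow Update"},
    "direction": {0: "ingress flow to VM", 1: "egress flow from VM"},
    "sessionFlags": {0: "unknown", 1: "established"},
    "flowDirection": {0: "unknown", 1: "forward", 2: "reverse"},
    "algType": {0: "none", 1: "FTP", 2: "Oracle", 3: "SUNRPC", 4: "DCERPC", 5: "TFTP"},
    "algFlowType": {0: "none", 1: "control flow", 2: "data flow"},
}


def template_for_version(template, version):
    """Drop the fields an exporter of the given version does not send yet."""
    return [(n, l) for n, l in template if INTRODUCED_IN.get(n, (0, 0, 0)) <= version]


def template_length(template):
    return sum(length for _, length in template)


def _decode_field(name, raw):
    if name.endswith("MacAddress"):
        return raw.hex(":")
    if name.endswith("Address"):            # ipv4Address / ipv6Address
        return str(ipaddress.ip_address(raw))
    if name == "vmUuid":
        return str(uuid.UUID(bytes=raw))
    value = int.from_bytes(raw, "big")      # unsignedN and dateTimeSeconds
    if name in ENUMS:
        return ENUMS[name].get(value, f"unknown({value})")
    return value


def decode_record(template, data):
    """Decode one data record. A length mismatch is what a collector sees when
    it assumes the 6.4.4 layout but the exporter advertised an older template;
    reject it instead of silently misaligning every following field."""
    expected = template_length(template)
    if len(data) != expected:
        raise ValueError(f"record is {len(data)} octets, template needs {expected}")
    record, offset = {}, 0
    for name, length in template:
        record[name] = _decode_field(name, data[offset:offset + length])
        offset += length
    return record


def encode_record(template, raw_values):
    """Build a record from ints/bytes; used here only to construct sample input."""
    parts = []
    for name, length in template:
        value = raw_values.get(name, 0)
        if isinstance(value, bytes):
            if len(value) != length:
                raise ValueError(f"{name}: need {length} octets, got {len(value)}")
            parts.append(value)
        else:
            parts.append(int(value).to_bytes(length, "big"))
    return b"".join(parts)


def summarize(record):
    """One-line summary of the kind a SIEM rule on denied flows would key on."""
    src = record.get("sourceIPv4Address") or record.get("sourceIPv6Address")
    dst = record.get("destinationIPv4Address") or record.get("destinationIPv6Address")
    return (f'{record["firewallEvent"]} rule={record["ruleId"]} '
            f'{src}:{record["sourceTransportPort"]} -> {dst}:{record["destinationTransportPort"]} '
            f'proto={record["protocolIdentifier"]} {record["direction"]}')


# Constructed sample: a denied inbound TCP/22 attempt against a VM (not real data).
SAMPLE_DENIED_SSH = encode_record(UDP_IPV4_TEMPLATE, {
    "sourceMacAddress": bytes.fromhex("005056aa0001"),
    "destinationMacAddress": bytes.fromhex("005056aa0002"),
    "sourceIPv4Address": ipaddress.IPv4Address("10.0.0.5").packed,
    "destinationIPv4Address": ipaddress.IPv4Address("10.0.1.20").packed,
    "sourceTransportPort": 51514, "destinationTransportPort": 22,
    "protocolIdentifier": 6, "ethernetType": 0x0800,
    "flowStartSeconds": 1700000000, "flowEndSeconds": 1700000000,
    "octetDeltaCount": 60, "packetDeltaCount": 1,
    "firewallEvent": 3, "direction": 0, "ruleId": 1007,
    "vmUuid": uuid.UUID("12345678-1234-5678-1234-567812345678").bytes,
    "flowId": 4242,
})

if __name__ == "__main__":
    print(summarize(decode_record(UDP_IPV4_TEMPLATE, SAMPLE_DENIED_SSH)))
```

The length check matters in practice: the 6.4.2 and 6.4.4 additions are appended at the end of both templates, so a collector that hard-codes the newest layout against an older exporter would not fail loudly but would read octets past the end of the record. Building the field list from the template the exporter actually advertised (here modelled with template_for_version) keeps the offsets honest.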