Application telemetry and F5 AI Data Fabric¶
Overview¶
Your F5 BIG-IP already knows more about your applications than you think.
F5 AI Data Fabric (AIDF) takes the raw telemetry flowing through your BIG-IP and turns it into something actionable. It creates a continuously updated picture of every application workload in your environment. Enhanced with best practices and expert guidance, AIDF helps teams operate applications more effectively.
AIDF automatically discovers and categorizes your application workloads based on real traffic patterns. You no longer need to manually track what is running, where it is running, or how it is behaving. You get a clear, always-current inventory of what is in production—not an outdated record of what should be there. This real-time visibility eliminates one of the biggest challenges in enterprise environments: keeping an accurate record of application deployments and support services.
From visibility to actionable security intelligence¶
Once AIDF understands your application workloads, it adds security scoring to show you where your risks are. Every workload is evaluated against real traffic behavior. This gives you a clear, prioritized view of your security posture across the entire fleet. This is not a theoretical compliance checklist—it is based on your actual network traffic right now.
The result is that your team spends less time auditing configurations and investigating undocumented systems. You spend more time fixing the things that matter. You move from uncertainty to confidence—you can show exactly where your security posture stands.
Before you begin¶
Before you set up AIDF integration, confirm you have the following:
- An F5 Insight account.
- Your Endpoint, Sensor ID, and Token (provided by your F5 account team).
- Administrative access to your BIG-IP device.
Enable AIDF integration¶
To enable AIDF integration, contact your F5 account team to sign up, then complete the following steps:
- Log in to F5 Insight.
- Under Manage, select F5 AIDF.
- Slide the toggle from Disabled to Enabled.
- Enter the Endpoint, Sensor ID, and Token provided by your account team.
To start uploading metrics, configure the iRule to send collected data to AIDF.
Download the telemetry iRule: irule_application_telemetry_using_publisher.tcl
Application telemetry with the iRule¶
The telemetry iRule runs directly on your BIG-IP. It captures detailed metrics for every request flowing through your infrastructure: response times, status codes, throughput, error rates, and more.
Because the iRule operates at the traffic management layer, it gives you direct visibility into how your applications perform. You do not need to deploy agents, modify application code, or ask developers to add monitoring. You are already routing traffic through your BIG-IP—this lets you access the insights your traffic data already provides.
Set up the log destination and publisher¶
To create your log destination and publisher:
- Log in to the BIG-IP Configuration utility.
- Select System > Logs > Configuration > Log Destinations.
- Create a log destination called
f5insight_destinationwith the following settings:- Type: Management Port
- Address:
<F5 Insight IP Address> - Port:
30514 - Protocol: UDP
- Select Finished.
- Under the same configuration tab, select Log Publishers.
- Create a log publisher called
f5insight_publisher. - Move
f5insight_destinationfrom the Available box to the Selected box. - Select Finished.
- Attach the iRule to the virtual servers of your choice.
Important
Confirm the iRule references the publisher as shown below:
# HSL Configuration - USING PUBLISHER
set static::hsl_publisher "/Common/f5insight_publisher"
Note
Using the Traffic Management Microkernel (TMM) network is recommended when high-speed logging (HSL) traffic is expected to exceed 1 Gbps. This approach allows the BIG-IP system to efficiently transmit high-speed logs through the data plane rather than the management interface.
Beginning with BIG-IP version 12.0.0, you can configure HSL to use the management port for sending logs to servers that are accessible only through the management network.
However, there are a few caveats when using the management port that do not apply to TMM interfaces:
- TMM does not use the management interface. Therefore, load balancing across pool members is not supported.
- The management port cannot be used for request logging.
- The management port has limited bandwidth capacity.
For additional details, refer to the KB article.
Data collection disclosure¶
The F5 Insight telemetry iRule collects and transmits the following categories of data from HTTPS transactions processed by your BIG-IP device. Request and response body content is never collected. The data collected is limited to metadata and performance metrics. This data is necessary to provide application visibility, security scoring, and workload analytics.
Device and infrastructure identifiers¶
The hostname of the BIG-IP device, virtual server name, pool name, server and node addresses, node name, and node port. This data maps your infrastructure topology and identifies which resources serve application traffic.
Request metadata¶
HTTP method, host header, request URI (with a sanitized path variant), request size, user agent string, request headers, filtered header names, and request cookie names. No cookie values or authentication credentials are captured unless explicitly present in header names.
Response metadata¶
HTTP status code, response size, content type, server header, X-Powered-By header, response cookie names, and filtered response header names. Response body content is never collected.
Performance and timing metrics¶
Total request duration, time to first byte (TTFB), server-side processing time, SSL handshake duration, TCP round-trip time, node connection time, node queue time, node response time, node total time, and node-level TCP round-trip time. These metrics assess application performance and detect degradation.
Client and network information¶
Client IP address and up to three X-Forwarded-For header values. This data helps you understand traffic distribution and supports security analysis.
TLS and SSL information¶
TLS protocol version, cipher suite, and encryption bit strength. This data is used for security posture scoring and compliance evaluation.
Timestamp¶
A per-request timestamp used for time-series correlation and analytics.
AIDF (optional)¶
If enabled, a subset of telemetry metrics is batched and sent to F5 AI Data Fabric (us.edge.df.f5.com). Transmission occurs every 300 seconds. Data is sent over a TLS-encrypted gRPC connection. The connection authenticates using a sensor ID and token unique to your deployment.
No data is sent to F5 unless this pipeline is explicitly configured and credentials are provisioned. The transmitted data powers cloud-based analytics, security scoring, and application workload intelligence within F5 Insight.
iRule data types and examples¶
| Variable name in iRule | Common language name | Example data |
|---|---|---|
timestamp |
Response timestamp | 2024-01-15T14:32:18.123Z |
method |
HTTP method | GET, POST, PUT, DELETE |
host |
Hostname or domain | www.example.com |
uri |
Full request URI | /api/users?id=123 |
sanitized_path |
Sanitized URL path | /api/users |
status |
HTTP status code | 200, 404, 500 |
req_size |
Request size (bytes) | 1024 |
resp_size |
Response size (bytes) | 5120 |
total_ms |
Total request duration (ms) | 245 |
ttfb_ms |
Time to first byte (ms) | 180 |
server_ms |
Backend server duration (ms) | 150 |
ssl_ms |
SSL and TLS processing time (ms) | 25 |
tcp_rtt_ms |
TCP round-trip time—client (ms) | 15 |
client_ip |
Client IP address | 192.168.1.100 |
xff_1 |
X-Forwarded-For header 1 | 10.0.0.50 |
xff_2 |
X-Forwarded-For header 2 | 172.16.0.10 |
xff_3 |
X-Forwarded-For header 3 | 192.168.5.25 |
vs_name |
Virtual server name | /Common/app_vs |
pool_name |
Server pool name | /Common/web_pool |
server_addr |
Backend server IP and port | 10.10.10.5:8080 |
node_addr |
Node IP address | 10.10.10.5 |
node_port |
Node port number | 8080 |
node_name |
Node name | web-server-01 |
node_connect_ms |
Node connection time (ms) | 5 |
node_queue_ms |
Node queue time (ms) | 10 |
node_response_ms |
Node response time (ms) | 120 |
node_total_ms |
Node total time (ms) | 135 |
node_tcp_rtt |
Node TCP round-trip time (ms) | 8 |
content_type |
Response content type | application/json, text/html |
server_header |
Server software header | nginx/1.18.0, Apache/2.4 |
powered_by |
X-Powered-By header | PHP/7.4, Express |
req_headers |
Request headers | User-Agent: Mozilla/5.0... |
req_headers_filtered |
Filtered request headers | Authorization, Cookie |
req_cookies |
Request cookies | session_id, preferences |
resp_cookies |
Response cookies | JSESSIONID, tracking |
resp_headers_filtered |
Filtered response headers | Set-Cookie |
tls_version |
TLS protocol version | TLSv1.3, TLSv1.2 |
tls_bits |
TLS encryption strength | 256, 128 |