F5 BIG­IP + Cisco Tetration: Application Centric Visibility

Cisco Tetration Analytics is the latest Cisco innovation to provide visibility into everything in the data center in real-time. It is designed to help customers understand the applications running in the Data Centers, help them build policies around that application for the Data Center, and enforce the policy right down to the network or host level. To learn more about Cisco Tetration Analytics, please go to: 



The F5 team has been working closely with the Cisco Tetration team to bring the rich L4-L7 data from BIG-IP into Tetration. We primarily focus on two enhancement areas:

  1. Application Telemetry
  2. Policy Enforcement 


Application Telemetry 


Cisco Tetration uses sensors on switches, hosts to collect flow Data at high speed in the Data Center, the sensors annotates data with host specific information called context information which is send to Tetration Cluster for Analytics. Since most of the deployments will have BIG-IP in the Data Center acting as proxy due to which the flow is split into multiple flows and the context information is lost. BIG-IP integration with Cisco Tetration provides the complete end to end flow visibility for applications running in Data Center. 




With F5 BIG-IP and Cisco Tetration integration, BIG-IP customers can enhance Tetration Analytics visibility by adding iRules to the virtual server:


How do I use Tetration with BIG-IP ?

You need to configure BIG-IP with Publisher log, IPFIX Pool and use TCP or UDP iRules to intercept the application traffic at various events. The IPFIX template on BIG-IP is created using iRules and it is send to the F5 Tetration Sensor which in turn forwards the flow details to the Tetration Cluster. Tetration Cluster can visualize the flow information in the Related flow tab on the Cluster, this helps the Operations folks to troubleshoot in case there is a problem or can visualize the complete flow information even though BIG-IP proxy exists. For more details to configure BIG-IP for flow stitching refer to https://github.com/f5devcentral/f5-tetration 





After F5 BIG-IP IPFIX Collector Appliance is deployed, in the Tetration Flow Search panel, a “Related Flow” option is available:




What is Policy Enforcement ? 

Tetration has the ability to map the application as it is running on the network, it can do workload behavior analysis and look at characteristics of workloads like; Do they run similar process ? Do they open similar ports? What kind of neighbors do they talk to? Are they part of the same service? ...and so on. All of this information is used to create a proper map of the application to create a whitelist policy which can be pushed to BIG-IP through Tetration Cluster. Based on the policy defined in Tetration, the enforcement agent can translate into L4 firewall rules and update F5 BIG-IP AFM (Advanced Firewall Manager) using REST API. The innovation extends the policy enforcement from the host level to L4-L7 ADV device, allowing an administrator to build a truly zero-trust data center model. 




To learn more, visit:

Cisco Tetration F5 BIG-IP Solution Brief 

Published Jul 09, 2019
Version 1.0

Was this article helpful?


  • SWJO's avatar
    Icon for Cirrostratus rankCirrostratus



    You did nice work!


    I have some questions.


    1. F5 BIG-IP IPFIX collector is something new product? or just appliance type?

    2. How does ADC send traffic data to IPFIX collector? using mirror or clone pool?

    3. picture in "application telemetry" client and server send data to cisco tetration, does both unit have to install something?

    or just express both unit`s data is going to tetration?

  • hi swjo,

    please see my comments below

    1.F5 BIG-IP IPFIX collector is something new product? or just appliance type?

    ans: F5 BIG-IP IPFIX collector is not a new product, you can use same existing BIG-IP or BIG-IP VE to send IPFIX traffic to a F5 Tetration Sensor(which is a new IPFIX collector build by Cisco Tetration )

    2.How does ADC send traffic data to IPFIX collector? using mirror or clone pool?

    ans: It uses separate data pool to send the data, you need to create a separate IPFIX Pool which is in the data plane you can find more details using this article

    3.picture in "application telemetry" client and server send data to Cisco tetration, does both unit have to install something?

    ans: Yes typically you will have Tetration Sensor installed on Client and Server which will send more detail information like process running on your system, packet out, security events etc, more details please refer to Cisco Tetration


  • Hi Sanjay Shitole

    I have tried the step-by-step indicated in the article but I have not succeeded.

    I downloaded the iRule found in Github, I associated it with a Virtual Server where I have a web application and it doesn't send data.



    My version of TMOS is

    Will you know if I have to perform any additional process?

    Thank you.


  • Hi Sanjay Shitole

    Yes, my virtual server is TCP and I am using that iRule. Being a web application, I also used the HTTP iRule

    On the other hand, I used the script for the automatic process from my Mac but in none of the 3 cases it worked for me.

    If you have any other suggestions, I would appreciate it.


  • louis's avatar
    Icon for Nimbostratus rankNimbostratus

    May i know the performance impact to enable IPFIX on BigIP? Any reference data or lab data can be shared?