Device-specific Dimensions
Dimensions that are unique to a specific data source, e.g. a particular router model, are covered in the following topics:
- About Device-specific Dimensions
- A10 Thunder CGN Dimensions
- Cisco ASA Dimensions
- Cisco ASA Syslog Dimensions
- IOS XR Dimensions
- Istio Dimensions
- Juniper PFE Syslog Dimensions
- Palo Alto Networks Firewall
- Silver Peak Dimensions
- VXLAN Dimensions
- sFlow Tunnel Decode Dimensions
- FortiGate Dimensions
Notes:
- The categorization of dimensions in the topics below corresponds to the categories by which the dimensions are shown in the Dimension Selector Dialog (part of the ad hoc filter controls in the Filtering Options dialog).
- Except where noted, the dimensions listed in the tables below are available for both filtering and group-by.
- The value type refers to the data type (text, integer, etc.) of the dimension value.
- The column type refers to whether the dimension is literally stored in KDE (native) or derived at query-time from other KDE-stored information (virtual); see KDE Query Efficiency.
- The KDE name(s) given below, which represent the KDE column(s) corresponding to each dimension, may be used in API queries made with the Query SQL Method.
- As indicated by column type, some columns are native (actually stored in the backend) while others are virtual (derived from other information). In general, filtering with dimensions based on native columns will return results faster than filtering with dimensions based on virtual columns.
About Device-specific Dimensions
Device-specific dimensions originate as flow records that are specific to given types of devices, whether physical or virtual, such as Kubernetes containers, Istio mesh, Palo Alto Networks firewalls, or Cisco ASA appliances. These records are ingested into Kentik as Universal Data Records (UDR), allowing flexible allocation of flow fields to the columns of the Kentik Data Engine. The resulting dimensions are used for filtering or group-by like any other fields in Kentik-ingested flow records.
Notes:
- Kentik also stores and uses certain Device-specific Metrics.
- UDR dimensions have no persistent KDE columns.
A10 Thunder CGN Dimensions
These dimensions support the NAT NetFlow template that is provided by A10 Thunder Carrier Grade Networking devices (https://www.a10networks.com/products/thunder-cgn/). For more information on CGN, see What is Carrier Grade NAT?
Dimension name (portal) | Description | Type (value, column) | Direction |
Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. | integer Virtual | Src/Dst |
Post-NAT Address | The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. | string Virtual | Src/Dst |
NAT Event | A NAT Event Type as defined in the IANA registry (see http://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-nat-event-type), such as NAT translation create, NAT translation delete, Threshold Reached, or Threshold Exceeded. | string Native | Non-directional |
Cisco ASA Dimensions
These dimensions are used to filter or group-by on fields in flow records from Cisco Adaptive Security Appliances (ASA), which run Cisco ASA software to deliver enterprise-class firewall capabilities in a variety of form factors including standalone appliances, blades, and virtual appliances. For more context on these dimensions, see the Cisco document ASA NetFlow Implementation Guide.
Note: Syslog from Cisco ASA is ingested into KDE via Kentik's NetFlow Proxy Agent. For further information please contact Customer Support.
Dimension name (portal) | Description | Type (value, column) | Direction |
Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. | integer Virtual | Src/Dst |
Post-NAT Address | The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. | string Virtual | Src/Dst |
Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowID corresponds to the session ID field in Traffic and Threat logs. | integer Virtual | Non-directional |
Firewall Event | Indicates a firewall event. 0 = Ignore (invalid): not used. 1 = Flow created: the NetFlow data record is for a new flow. 2 = Flow deleted: the NetFlow data record is for the end of a flow. 3 = Flow denied: the NetFlow data record indicates a flow that firewall policy denied. 4 = Flow alert: not used. 5 = Flow update: the NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile. | integer Virtual | Non-directional |
Extended Event Code | Provides additional information about an event. 1001 = the flow was denied by an ingress ACL. 1002 = the flow was denied by an egress ACL. 1003 = the flow was denied because connection to the ASA interface was denied, an ICMP packet (v4 or v6) was denied, or for an unspecified reason. 1004 = the flow was denied because the first packet on the TCP connection was not a TCP SYN packet. 2001 or greater = the flow was terminated. | integer Virtual | Non-directional |
AAA Username | The username associated with the ASA instance that generated the flow. | string Virtual | Non-directional |
Ingress ACL | The ID of the ACL that was applied on the input interface and either permitted or denied the flow. | string Virtual | Non-directional |
Egress ACL | The ID of the ACL that was applied on the output interface and either permitted or denied the flow. | string Virtual | Non-directional |
Note: See also Cisco ASA Metrics.
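The following is an added example, not Kentik or Cisco code, showing how the Firewall Event and Extended Event Code values in the table above combine when triaging denied flows by the ACL that made the decision. The record layout and key names (`firewall_event`, `extended_event_code`, `ingress_acl`, `egress_acl`) are assumptions, and the sample records are constructed.

```python
from collections import Counter

# Firewall Event values, as listed in the table above.
FLOW_DENIED = 3
SIMPLE_EVENTS = {1: "created", 2: "deleted", 5: "update"}

# Extended Event Code values for denied flows, as listed in the table above.
DENY_REASONS = {
    1001: "denied by ingress ACL",
    1002: "denied by egress ACL",
    1003: "denied at ASA interface, ICMP denied, or unspecified",
    1004: "first TCP packet was not a SYN",
}


def classify(rec):
    """Return (kind, detail) for one flow record; the dict keys are hypothetical."""
    event = rec.get("firewall_event")
    code = rec.get("extended_event_code", 0)
    if event == FLOW_DENIED:
        return "denied", DENY_REASONS.get(code, f"unrecognised code {code}")
    if code >= 2001:  # 2001 or greater: the flow was terminated
        return "terminated", f"code {code}"
    if event in SIMPLE_EVENTS:
        return SIMPLE_EVENTS[event], ""
    # 0 (ignore) and 4 (alert) are documented as not used.
    return "unexpected", f"firewall event {event}"


def deny_summary(records):
    """Count denied flows per (ACL that made the decision, reason)."""
    counts = Counter()
    for rec in records:
        kind, reason = classify(rec)
        if kind != "denied":
            continue
        code = rec.get("extended_event_code")
        # 1001 points at the ingress ACL, 1002 at the egress ACL.
        acl_key = {1001: "ingress_acl", 1002: "egress_acl"}.get(code)
        acl = rec.get(acl_key, "(missing)") if acl_key else "(not ACL-based)"
        counts[(acl, reason)] += 1
    return counts


# Constructed sample records, not real exports.
SAMPLE = [
    {"firewall_event": 1, "extended_event_code": 0},
    {"firewall_event": 3, "extended_event_code": 1001, "ingress_acl": "outside_in"},
    {"firewall_event": 3, "extended_event_code": 1001, "ingress_acl": "outside_in"},
    {"firewall_event": 3, "extended_event_code": 1002, "egress_acl": "dmz_out"},
    {"firewall_event": 3, "extended_event_code": 1004},
    {"firewall_event": 2, "extended_event_code": 2003},
    {"firewall_event": 4, "extended_event_code": 0},
]

if __name__ == "__main__":
    for key, n in deny_summary(SAMPLE).most_common():
        print(n, *key)
```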
Cisco ASA Syslog Dimensions
These dimensions are used to filter or group-by on KDE fields whose values are extracted at ingest from syslog messages generated by Cisco Adaptive Security Appliances (ASA); see About ASA Syslog Messages. Syslog data may provide additional details that supplement the data available in Cisco ASA NetFlow (see Cisco ASA Dimensions).
Note: Syslog from Cisco ASA is ingested into KDE via Kentik's NetFlow Proxy Agent. For further information please contact Customer Support.
Dimension name (portal) | Description | Type (value, column) | Direction |
Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. Flow ID corresponds to the session ID field in Traffic and Threat logs. | integer Native | Non-directional |
Message | A Cisco ASA Series syslog message. Messages are listed by message ID in Cisco ASA Series Syslog Messages. | string Native | Non-directional |
Severity | The severity level of the message, which varies depending on the cause (see Messages Listed by Severity Level). | integer Native | Non-directional |
Message ID | The Cisco-assigned ID for the message. | integer Native | Non-directional |
IOS XR Dimensions
These dimensions are used to filter or group-by on fields in flow records from Cisco products running the IOS XR operating system. These fields contain IPFIX "entity" values as described in IPFIX Information Elements. For additional information, see the Cisco document Configure NetFlow on IOS XR.
Dimension name (portal) | Description | Type (value, column) | Direction |
Dest ToS | Entity 55: The IPFIX postIpClassOfService value, which is the post-observation value of ToS (Type of Service) field (IPv4) or Traffic Class field (IPv6) in the packet header. | integer Native | Dst only |
Minimum TTL | Entity 52: The minimum value observed for the TTL (time to live) field in the IP header of any packet in this flow. | integer Native | Non-directional |
Maximum TTL | Entity 55: The maximum value observed for the TTL (time to live) field in the IP header of any packet in this flow. | integer Native | Non-directional |
Forwarding Status | Entity 89: The two-bit forwarding status of the flow and associated six-bit reason code or flag. | integer Native | Non-directional |
Istio Dimensions
These dimensions are used to filter or group-by on KDE fields related to telemetry metrics from Istio, which is an open source insight and control layer that enables you to secure, connect, and monitor the applications that make up a distributed microservices architecture for hybrid and multi-cloud deployments. For an overview of Istio telemetry, see the Istio document Policies and Telemetry.
Dimension name (portal) | Description | Type (value, column) | Direction |
Name | Workload instance name. | string Virtual | Src/Dst |
Namespace | Workload instance namespace. | string Virtual | Src/Dst |
Workload Name | Workload name. | string Virtual | Src/Dst |
Workload Namespace | Workload namespace. | string Virtual | Src/Dst |
Container Name | Name of the destination workload instance’s container. | string Virtual | Dst only |
Service Host | Destination host address. | string Virtual | Dst only |
Service Name | Destination service name. | string Virtual | Dst only |
Service Namespace | Destination service namespace. | string Virtual | Dst only |
Request Path | The HTTP URL path including query string. | string Virtual | Non-directional |
Request Method | The HTTP method. | string Virtual | Non-directional |
Request User Agent | The HTTP User-Agent header. | string Virtual | Non-directional |
Response Code | The HTTP status code in the response. | integer Virtual | Non-directional |
Note: See also Istio Metrics.
Juniper PFE Syslog Dimensions
These dimensions represent event-triggered syslog messages from a Juniper switch equipped with a Packet Forwarding Engine (see the Juniper article Informal Guide to Packet Forwarding). If a given switch has multiple PFEs their messages are grouped as if they were from a single PFE. In addition to the dimensions below, the remaining portion of the syslog message may contain information (e.g. MAC address, protocol, IP addresses, and bytes) that is accessible via KDE dimensions that aren't device-specific.
Note: Syslog from Juniper PFE is ingested into KDE via Kentik's NetFlow Proxy Agent. For further information please contact Customer Support.
Dimension name (portal) | Description | Type (value, column) | Direction |
Message | The first 64 chars of the PFE syslog message. | string Native | Non-directional |
Subtype | The subtype of the message, e.g. "FW" for firewall. | string Native | Non-directional |
Interface | The device interface on which the event occurred. | string Native | Non-directional |
Event | The nature of the event, e.g. "D" for dropped packets. | string Native | Non-directional |
Palo Alto Networks Firewall
These dimensions are used to filter or group-by on fields in flow records from Palo Alto Networks firewalls. In addition to the port, IP address, and type of packets, the data identifies the application and includes firewall event information. For more context on these dimensions, see the Palo Alto Networks document NetFlow Templates.
Dimension name (portal) | Description | Type (value, column) | Direction |
Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. | integer Virtual | Src/Dst |
Post-NAT Address | The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. | string Virtual | Src/Dst |
ICMP Type | Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code | integer Virtual | Non-directional |
Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowID corresponds to the session ID field in Traffic and Threat logs. | integer Virtual | Non-directional |
Application ID | The name of an application (up to 32 bytes). | string Virtual | Non-directional |
User ID | A username that User-ID identified. The name can be up to 64 bytes. | string Virtual | Non-directional |
Firewall Event | Indicates a firewall event. 0 = Ignore (invalid): not used. 1 = Flow created: the NetFlow data record is for a new flow. 2 = Flow deleted: the NetFlow data record is for the end of a flow. 3 = Flow denied: the NetFlow data record indicates a flow that firewall policy denied. 4 = Flow alert: not used. 5 = Flow update: the NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile. | integer Virtual | Non-directional |
Direction | The direction of the flow: 0 = ingress, 1 = egress. | integer Virtual | Non-directional |
Silver Peak Dimensions
These dimensions are used to filter or group-by on flow records from Silver Peak appliances running VXOA software (version 8.2.1 or higher), which is described in this Silver Peak white paper. Silver Peak analyzes the actual packets as traffic flows through their appliances, identifies the applications (e.g. SaaS service) with which each packet is associated, and prioritizes routing by applying application-specific rules.
Dimension name (portal) | Description | Type (value, column) | Direction |
Application name | The name of an application as identified by a Silver Peak VXOA appliance. | string UDR | Non-directional |
Business Intent Overlay | The Silver Peak Business Intent Overlay (https://www.silver-peak.com/sites/default/files/UserDocuments/WAN-OP-HTML/content/business_intent_overlays_bio.htm) | UDR | Non-directional |
Application Category | The category grouping of the applications identified by Silver Peak Edge Connect. | UDR | Non-directional |
From Zone | The firewall zone the traffic is coming from. | UDR | Src |
To Zone | The firewall zone the traffic is going to. | UDR | Dst |
Firewall Event | Indicates a firewall event. 0 = Ignore (invalid): not used. 1 = Flow created: the NetFlow data record is for a new flow. 2 = Flow deleted: the NetFlow data record is for the end of a flow. 3 = Flow denied: the NetFlow data record indicates a flow that firewall policy denied. 4 = Flow alert: not used. 5 = Flow update: the NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile. | integer UDR | Non-directional |
Cisco SD-WAN Dimensions
These dimensions are used to filter or group-by on IPFIX fields (see IPFIX Information Elements Exported to the Collector) in cflowd records from Cisco SD-WAN routers. For more information about these devices, refer to the Cisco document Cisco SD-WAN vEdge Routers Data Sheet.
Dimension name (portal) | Description | Type (value, column) | Direction |
Maximum packet length | Length of the largest packet observed for this flow. | integer Native | Non-directional |
Minimum packet length | Length of the smallest packet observed for this flow. | integer Native | Non-directional |
VPN identifier | VEdge VPN identifier. | integer Native | Non-directional |
Field 4322 | Reserved for internal use. | integer Native | Non-directional |
Flow end reason | Reason for the flow termination (see IANA IPFIX Entities). | integer Native | Non-directional |
VXLAN Dimensions
These dimensions are used to filter or group-by on fields from the headers of VXLAN-encapsulated packets on virtual networks in data centers. The dimensions are only available for traffic on devices that report flow using sFlow and whose Type (see Device General Settings) is set to "VXLAN."
Note: For information about usage, see Using VXLAN.
Dimension name (portal) | Description | Type (value, column) | Direction |
VXLAN VNI 0/1 MAC Address | The MAC address of an encapsulated packet inside a virtual network (VXLAN tunnel). | string UDR | Src/Dst |
VXLAN VNI 0/1 IP Address | The IP address of an encapsulated packet inside a virtual network (VXLAN tunnel). | string UDR | Src/Dst |
VXLAN VNI 0/1 Port | The Port of an encapsulated packet inside a virtual network (VXLAN tunnel). | integer UDR | Src/Dst |
IP TTL | The value of the IP TTL (time to live) field in the header of a VXLAN encapsulated packet. | integer UDR | Non-directional |
VXLAN VNI 0/1 | A virtual network identifier (VNI) that identifies a specific virtual network in the data plane. | integer UDR | Non-directional |
VXLAN VNI 0/1 DSCP | A DSCP (differentiated services code point) value from the DS field in the header of a VXLAN encapsulated packet. | integer UDR | Non-directional |
VXLAN VNI 0/1 TCP Flags | TCP flags set in the header of a VXLAN encapsulated packet. | integer UDR | Non-directional |
VXLAN VNI 0/1 IP TTL | The value of the TTL (time to live) field in the IP header of a VXLAN encapsulated packet. | integer UDR | Non-directional |
VXLAN VNI 0/1 Protocol | The protocol of an encapsulated packet inside a virtual network (VXLAN tunnel). | integer UDR | Non-directional |
sFlow Tunnel Decode Dimensions
These dimensions are used to filter or group-by on fields from the headers of VXLAN-encapsulated packets on virtual networks in data centers. The dimensions are only available for traffic on devices that report flow using sFlow and whose Type (see Device General Settings) is set to "sFlow Tunnel Decode."
Note: For information about usage, see Using VXLAN.
Dimension name (portal) | Description | Type (value, column) | Direction |
VXLAN VTEP 0/1 IP Address | The VXLAN tunnel endpoint used to map tenants’ end devices to VXLAN segments and to perform VXLAN encapsulation and decapsulation. | string UDR | Src/Dst |
VXLAN 0/1 VNI | The IP address of an encapsulated packet inside a virtual network (VXLAN tunnel). | integer UDR | Non-directional |
FortiGate Dimensions
These dimensions are used to filter or group-by on fields from devices whose Type is set in Kentik to "Fortinet FortiGate" (see Device General Settings). The dimensions enabled for these devices store various types of information that is specific to the data fields of NetFlow templates supported by FortiOS.
Notes:
- If the device sends flow to Kentik via kproxy, the kproxy version must be 7.39.0 or higher.
- For more information about Fortinet FortiOS NetFlow templates, see NetFlow templates.
Dimension name (portal) | Description | Type (value, column) | Direction |
Post-NAT Address | The IPv4 or IPv6 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the device. Extracted from the following IPFIX fields: 225 (Post-NAT Source IPv4 Address), 281 (Post-NAT Source IPv6 Address), 226 (Post-NAT Destination IPv4 Address), 282 (Post-NAT Destination IPv6 Address). | ip-address Native | Src/Dst |
Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the device. Extracted from the following IPFIX fields: 227 (Post-NAT Source Transport Port), 228 (Post-NAT Destination Transport Port). | integer Native | Src/Dst |
Flow Flags | Extracted from IPFIX field 65. | integer Native | Non-directional |
Forwarding Status | Extracted from IPFIX field 89. For possible values, see IANA specification. | integer/string Native | Non-directional |
Flow End Reason | Extracted from the IPFIX field 136. For possible values, see IANA specification. | integer Native | Non-directional |
Application Name | Extracted from IPFIX field 96. | string Native | Non-directional |
Application Category | Extracted from IPFIX field 372. | string Native | Non-directional |