Dimensions unique to a specific data source, e.g., router model, are covered here.
Note: As of May 1st, 2025, the Query SQL Method has been deprecated and is no longer supported.
About Device-specific Dimensions
Device-specific dimensions originate as flow records that are specific to given types of devices, whether physical or virtual, such as Kubernetes containers, Palo Alto Networks firewalls, or Cisco ASA appliances. These records are ingested into Kentik as Universal Data Records (UDR), allowing flexible allocation of flow fields to the columns of the Kentik Data Engine. The resulting dimensions are used for filter or group-by like any other fields in Kentik-ingested flow records.
Notes:
When a device's type is specified in Kentik as "MPLS Router" (e.g. with the Type setting on the General tab of the Device dialog; see Device General Settings), data collection will be enabled for MPLS Dimensions but not for the device's device-specific dimensions.
UDR dimensions have no persistent KDE columns.
Kentik also stores and uses certain Device-specific Metrics.
A10 Thunder CGN Dimensions
These dimensions support the NAT NetFlow template that is provided by A10 Thunder Carrier Grade Networking devices (https://www.a10networks.com/products/thunder-cgn/). For more information on CGN, see What is Carrier Grade NAT?
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. | integer | Src/Dst |
Post-NAT Address | The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. | string | Src/Dst |
NAT Event | A NAT Event Type as defined in the IANA registry (see http://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-nat-event-type), such as NAT translation create, NAT translation delete, Threshold Reached, or Threshold Exceeded. | string | Non-directional |
Cisco ASA Dimensions
These dimensions are used to filter or group-by on fields in flow records from Cisco Adaptive Security Appliances (ASA), which run Cisco ASA software to deliver enterprise-class firewall capabilities in a variety of form factors including standalone appliances, blades, and virtual appliances. For more context on these dimensions, see the Cisco document ASA NetFlow Implementation Guide.
Note: Syslog from Cisco ASA is ingested into KDE via Kentik's NetFlow Proxy Agent. For further information contact Kentik (see Customer Care).
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. | integer | Src/Dst |
Post-NAT Address | The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. | string | Src/Dst |
Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowID corresponds to the session ID field in Traffic and Threat logs. | integer | Non-directional |
Firewall Event | Indicates a firewall event:
| integer | Non-directional |
Extended Event Code | Provides additional information about an event: | integer | Non-directional |
AAA Username | The username associated with the ASA instance that generated the flow. | string | Non-directional |
Ingress ACL | The ID of the ACL that was applied on the input interface and either permitted or denied the flow. | string | Non-directional |
Egress ACL | The ID of the ACL that was applied on the output interface and either permitted or denied the flow. | string | Non-directional |
Note: See also Cisco ASA Metrics.
Cisco ASA Syslog Dimensions
These dimensions are used to filter or group-by on KDE fields whose values are extracted at ingest from syslog messages generated by Cisco Adaptive Security Appliances (ASA); see About ASA Syslog Messages. Syslog data may provide additional details that supplement the data available in Cisco ASA NetFlow (see Cisco ASA Dimensions).
Note: Syslog from Cisco ASA is ingested into KDE via Kentik's NetFlow Proxy Agent. For further information contact Kentik (see Customer Care).
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. Flow ID corresponds to the session ID field in Traffic and Threat logs. | integer | Non-directional |
Message | A Cisco ASA Series syslog message. Messages are listed by message ID in Cisco ASA Series Syslog Messages. | string | Non-directional |
Severity | The severity level of the message, which varies depending on the cause (see Messages Listed by Severity Level). | integer | Non-directional |
Message ID | The Cisco-assigned ID for the message. | integer | Non-directional |
Cisco IOS XE SD-WAN Dimensions
Kentik supports the added SD-WAN Edge functionality in Cisco’s IOS XE devices. For more information about these devices, refer to the Cisco document Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x.
Dimensions for IOS XE SD-WAN are described in the table below.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Application | Application name, from the field 96. | string | Non-directional |
Application Category | Application category, from proprietary field 12232. | string | Non-directional |
Application Subcategory | Application subcategory, from proprietary field 12233. | string | Non-directional |
Application Group | Application group, from proprietary field 12234. | string | Non-directional |
Application Traffic Class | Application traffic class, from proprietary field 12243. | string | Non-directional |
Application Business Relevance | Application business relevance, from proprietary field 12244. | string | Non-directional |
Flow end reason | This information is extracted from IPFIX field 136. Possible values can be found in the IANA specification: IPFIX Flow End Reason. | integer | Non-directional |
VPN identifier | Cisco IOS XE Catalyst SD-WAN Device VPN identifier. The device uses the enterprise ID for VIP_IANA_ENUM or 41916, and the VPN element ID is 4321. | integer | Non-directional |
Overlay Session ID | A 32-bit identifier for input/output overlay session identifier. From proprietary fields 12432 and 12433. | integer | Src/Dst |
Routing VRF Service | Routing VRF Service, from proprietary field 12434. | integer | Non-directional |
Connection ID | A 64-bit identifier for a connection between client and server. From proprietary field 12441. | integer | Non-directional |
BFD avg latency | Calculation of the Bidirectional Forwarding Detection (BFD) average latency for each tunnel. From proprietary field 45296. | integer | Non-directional |
BFD avg loss | Calculation of the BFD average loss for each tunnel. From proprietary field 45295. | integer | Non-directional |
BFD avg jitter | Calculation of the BFD average jitter for each tunnel. From proprietary field 45297. | integer | Non-directional |
BFD rx cnt | Count of received BFD packets. From proprietary field 45299. | counter | Non-directional |
BFD tx cnt | Count of transmitted BFD packets, from proprietary field 45300. | counter | Non-directional |
BFD rx octets | Count of received BFD octets, from proprietary field 45304. | bytes counter | Non-directional |
BFD tx octets | Count of transmitted BFD octets, from proprietary field 45305. | bytes counter | Non-directional |
Cisco IOS XR Dimensions
These dimensions are used to filter or group-by on fields in flow records from Cisco products running the IOS XR operating system. These fields contain IPFIX "entity" values as described in IPFIX Information Elements. For additional information, see the Cisco document Configure NetFlow on IOS XR.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Dest ToS | Entity 55: The IPFIX postIpClassOfService value, which is the post-observation value of ToS (Type of Service) field (IPv4) or Traffic Class field (IPv6) in the packet header. | integer | Dst only |
Minimum TTL | Entity 52: The minimum value observed for the TTL (time to live) field in the IP header of any packet in this flow. | integer | Non-directional |
Maximum TTL | Entity 55: The maximum value observed for the TTL (time to live) field in the IP header of any packet in this flow. | integer | Non-directional |
Forwarding Status | Entity 89: The two-bit forwarding status of the flow and associated six-bit reason code or flag. | integer | Non-directional |
Cisco nvzFlow Dimensions
Cisco AnyConnect version 4.2, a Cisco VPN client, introduced support for extended visibility into endpoint network communication. This is achieved with the export of network metadata using the IPFIX protocol called Cisco Network Visibility Flow protocol (nvzFlow). The protocol is designed to provide greater network visibility of endpoints in a lightweight manner. The IPFIX protocol is extended with a small set of high-value endpoint context data. This enables IT administrators to have a better understanding of the following vectors:
User: Who is accessing enterprise networks and using applications?
Device: Which device is used for access?
Client application: Which application is used for access?
Location: Which location is access being performed from?
Destination application: Which SaaS application has been accessed?
Kentik dimensions for Cisco nvzFlow are described in the table below.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Unique ID | 20-byte Unique ID that identifies the endpoint. From proprietary field 12332. | string | Non-directional |
Logged In User | This is the logged in user on the device, in the form Authority/Principle. From proprietary field 12333. | string | Non-directional |
Process Account | Authority/Principle of the process associated with the flow. E.g., ACME/JSMITH, <machine>/JSMITH. From proprietary field 12338. | string | Non-directional |
Process Name | Name of the process associated with the flow. E.g., firefox.exe. From proprietary field 12340. | string | Non-directional |
Process Hash | SHA256 hash of the process image on disk associated with the flow. From proprietary field 12341. | string | Non-directional |
Parent Process Account | Authority/Principle of the parent process associated with the flow. E.g., ACME/JSMITH, <machine>/JSMITH. From proprietary field 12339. | string | Non-directional |
Parent Process Name | Name of the parent process associated with the flow. E.g., firefox.exe. From proprietary field 12342. | string | Non-directional |
Parent Process Hash | SHA256 hash of the process image on disk of the parent process associated with the flow. From proprietary field 12341. | string | Non-directional |
DNS Suffix | Per-interface DNS suffix configured on the adapter associated with the flow for the endpoint. From proprietary field 12344. | string | Non-directional |
Destination Hostname | The FQDN (hostname) that resolved to the destination IP on the endpoint. E.g., www.google.com. From proprietary field 12338. | string | Non-directional |
Layer 4 Byte Count in | Total number of incoming bytes on the flow at Layer4 (Transport). Payload only, without L4 headers. From proprietary field 12346. | bytes counter | Non-directional |
Layer 4 Byte Count Out | Total number of outgoing bytes on the flow at Layer4 (Transport). Payload only, without L4 headers. From proprietary field 12347. | bytes counter | Non-directional |
Cisco SD-WAN vEdge Dimensions
These dimensions are used to filter or group-by on IPFIX fields (see IPFIX Information Elements Exported to the Collector) in cflowd records from Cisco SD-WAN routers. For more information about these devices, refer to the Cisco document Cisco SD-WAN vEdge Routers Data Sheet.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Maximum packet length | Length of the largest packet observed for this flow. | integer | Non-directional |
Minimum packet length | Length of the smallest packet observed for this flow. | integer | Non-directional |
VPN identifier | VEdge VPN identifier. | integer | Non-directional |
Field 4322 | Reserved for internal use. | integer | Non-directional |
Flow end reason | Reason for the flow termination (see IANA IPFIX Entities). | integer | Non-directional |
FortiGate Dimensions
These dimensions are used to filter or group-by on fields from devices whose Type is set in Kentik to "Fortinet FortiGate" (see Device General Settings). The dimensions enabled for these devices store various types of information that is specific to the data fields of NetFlow templates supported by FortiOS.
Notes:
If the device sends flow to Kentik via kproxy, the kproxy version must be 7.39.0 or higher.
For more information about Fortinet FortiOS NetFlow templates, see NetFlow templates.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Post-NAT Address | The IPv4 or IPv6 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the device. Extracted from the following IPFIX fields:
| ip-address | Src/Dst |
Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the device. Extracted from the following IPFIX fields:
| integer | Src/Dst |
Flow Flags | Extracted from IPFIX field 65. | integer | Non-directional |
Forwarding Status | Extracted from IPFIX field 89. For possible values, see IANA specification. | Integer/string | Non-directional |
Flow End Reason | Extracted from the IPFIX field 136. For possible values, see IANA specification. | integer | Non-directional |
Application Name | Extracted from IPFIX field 96. | string | Non-directional |
Application Category | Extracted from IPFIX field 372. | string | Non-directional |
Juniper PFE Syslog Dimensions
These dimensions represent event-triggered syslog messages from a Juniper switch equipped with a Packet Forwarding Engine (see the Juniper article Informal Guide to Packet Forwarding). If a given switch has multiple PFEs their messages are grouped as if they were from a single PFE. In addition to the dimensions below, the remaining portion of the syslog message may contain information (e.g. MAC address, protocol, IP addresses, and bytes) that is accessible via KDE dimensions that aren't device-specific.
Note: Syslog from Juniper PFE is ingested into KDE via Kentik's NetFlow Proxy Agent. For further information contact Kentik (see Customer Care).
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Message | The first 64 chars of the PFE syslog message. | string | Non-directional |
Subtype | The subtype of the message, e.g. "FW" for firewall. | string | Non-directional |
Interface | The device interface on which the event occurred. | string | Non-directional |
Event | The nature of the event, e.g. "D" for dropped packets. | string | Non-directional |
Nokia Layer 2 Dimensions
These dimensions are used to filter or group-by on fields in IPFIX flow records from Nokia routers connected to a "Dot1Q" (IEEE 802.1Q) VLAN.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Physical Interface | The router's index for the physical interface where the packets of the flow were sent/received. | integer | Src/Dst |
Dot1q Vlan ID | The value of the 12-bit VLAN Identifier portion of the Tag Control Information field of an Ethernet frame. | integer | Src/Dst |
Dot1q Customer Vlan ID | The value of the Customer VLAN identifier in the Customer VLAN Tag (C-TAG) Tag Control Information (TCI) field. | integer | Src/Dst |
SAP | The value of the Service Access Point (SAP) field derived from the vendor MIB | String | Src/Dst |
Palo Alto Networks Firewall
These dimensions are used to filter or group-by on fields in flow records from Palo Alto Networks firewalls. In addition to the port, IP address, and type of packets, the data identifies the application and includes firewall event information. For more context on these dimensions, see the Palo Alto Networks document NetFlow Templates.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. | integer | Src/Dst |
Post-NAT Address | The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. | string | Src/Dst |
ICMP Type | Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code | integer | Non-directional |
Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowID corresponds to the session ID field in Traffic and Threat logs. | integer | Non-directional |
Application ID | The name of an application (up to 32 bytes). | string | Non-directional |
User ID | A username that User-ID identified. The name can be up to 64 bytes. | string | Non-directional |
Firewall Event | Indicates a firewall event:
| integer | Non-directional |
Direction | The direction of the flow:
| integer | Non-directional |
sFlow Tunnel Decode Dimensions
These dimensions are used to filter or group-by on fields from the headers of VXLAN-encapsulated packets on virtual networks in data centers. The dimensions are on available for traffic on devices that report flow using sFlow and whose Type (see Device General Settings) is set to "sFlow Tunnel Decode."
Note: For information about usage, see Using VXLAN.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
VXLAN VTEP 0/1 IP Address | The VXLAN tunnel endpoint used to map tenants’ end devices to VXLAN segments and to perform VXLAN encapsulation and decapsulation. | string | Src/Dst |
VXLAN 0/1 VNI | The IP address of an encapsulated packet inside a virtual network (VXLAN tunnel). | integer | Non-directional |
Silver Peak Dimensions
These dimensions are used to filter or group-by on flow records from Silver Peak appliances running VXOA software (version 8.2.1 or higher). Silver Peak analyzes the actual packets as traffic flows through their appliances, identifies the applications (e.g. SaaS service) with which each packet is associated, and prioritizes routing by applying application-specific rules.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Application name | The name of an application as identified by a Silver Peak VXOA appliance. | string | Non-directional |
Business Intent Overlay | The Silver Peak Business Intent Overlay (https://www.silver-peak.com/sites/default/files/UserDocuments/WAN-OP-HTML/content/business_intent_overlays_bio.htm) | UDR | Non-directional |
Application Category | The category grouping of the applications identified by Silver Peak Edge Connect | UDR | Non-directional |
From Zone | The firewall zone the traffic is coming from. | UDR | Src |
To Zone | The firewall zone the traffic is going to. | UDR | Dst |
Firewall Event | Indicates a firewall event:
| integer | Non-directional |
VMware SD-WAN Dimensions
VMware SD-WAN Edge devices (formerly known as Velocloud) support flow export via the IPFIX protocol. The VMware SASE Orchestrator allows users to configure NetFlow collectors and filters as network services at the Profile, Edge, and Segment level. Users can configure a maximum of two collectors per Segment and eight collectors per Profile and Edge, with support for a maximum of 16 filters per collector.
An IP flow is typically identified by the five-tuple of source IP, destination IP, source port, destination port, and protocol. In NetFlow records exported by SD-WAN Edge, however, flows with different source ports are aggregated if they share the same source and destination IPs and same destination port.
Kentik dimensions for VMware SD-WAN are described in the table below.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
Biflow Direction | A description of the direction assignment method used to assign the biflow source and destination. This information element may be present in flow data record or applied to all flows exported from an exporting process or observation domain using IPFIX options. IANA field 239. | integer | Non-directional |
Flow ID | An identifier of a Flow that is unique within an Observation Domain. This information element can be used to distinguish between different Flows if Flow Keys such as IP addresses and port numbers are not reported or are reported in separate records. IANA field 148. | string | Non-directional |
Flow end reason | This information is extracted from the IPFIX field 136. Possible values of this field can be found on the IANA’s specification: IPFIX Flow End Reason. | integer Native | Non-directional |
Ingress VRF ID | A unique identifier of the VRF name where the packets of this flow are being received. This identifier is unique per metering process. This maps to the VMware SASE orchestrator. segments. A segment should be visualized and reported as a separated L3 domain within edge. IANA field 234. | string string | Non-directional |
Application Name | Application Name, IANA field 96. | string | Non-directional |
Application Category | An Attribute that provides a first level categorization for each application ID. IANA field 372. | string | Non-directional |
Destination UUI | Destination node UUID. | string | Non-directional |
VC Priority | This identifies the BizPolicy “Priority” classification applied. Unset should monitored to deduce a warning since it would only occur during overflow:
| integer Native | Non-directional |
VC Route Type | This identifies the path type out to internet the flow is taking. Unset should be monitored to deduce a warning since it would only occur during overflow:
| integer Native | Non-directional |
VC Link Policy | This value provides the type of link steering and remediation configured for this application under BizPolicy.
| integer Native | Non-directional |
VC Traffic Type | This identifies the BizPolicy “Service Class” classification applied.
| integer Native | Non-directional |
VC Flow Path | This identifies the type of “path” the flow is taking.
| integer Native | Non-directional |
Business Policy ID | The business policy logical ID that this flow matches. This value is a UUID and must be mapped to a BizPolicy via Orchestrator API. | integer Native | Non-directional |
Next Hop UUID | Next hop UUID for this flow. This will be populated in case of overlay traffic. This value identifies the device that is in the path between source and destination in the SD-WAN overlay network (not underlay). | integer Native | Non-directional |
Post-NAT Address | The IPv4 or IPv6 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the device. This information is extracted from the following IPFIX fields:
| ip-address Native | Src/Dst |
Responder Bytes | The total number of layer 4 bytes in a flow from the responder since the previous report. The responder is the device which replies to the initiator and remains the same for the life of the session. | bytes counter | Non-directional |
Responder Packets | The total number of layer 4 packets in a flow from the responder since the previous report. The responder is the device which replies to the initiator and remains the same for the life of the session. | counter | Non-directional |
Delta Flow Count | The conservative count of original flows contributing to this aggregated flow; may be distributed via any of the methods expressed by the valueDistributedMethod information element. IANA field 3. | counter | Non-directional |
Replicated Packets Rx | Count of replicated packets received for the flow. | gauge | Non-directional |
Replicated Packets Tx | Count of packets replicated for the flow. | gauge | Non-directional |
Lost Packets Rx | Count of packets lost for the flow at the receive. | gauge | Non-directional |
Retransmitted Packets Tx | Count of packets retransmitted for the flow. | gauge | Non-directional |
TCP RTT ms | Maximum RTT observed for a TCP flow. | gauge | Non-directional |
TCP Retransmits | Count of TCP packets retransmitted for the flow. | gauge | Non-directional |
VXLAN Dimensions
These dimensions are used to filter or group-by on fields from the headers of VXLAN-encapsulated packets on virtual networks in data centers. The dimensions are on available for traffic on devices that report flow using sFlow and whose Type (see Device General Settings) is set to "VXLAN."
Note: For information about usage, see Using VXLAN.
Dimension name (portal) | Description | Type: | Direction |
---|---|---|---|
VXLAN VNI 0/1 MAC Address | The MAC address of an encapsulated packet inside a virtual network (VXLAN tunnel). | string | Src/Dst |
VXLAN VNI 0/1 IP Address | The IP address of an encapsulated packet inside a virtual network (VXLAN tunnel). | string | Src/Dst |
VXLAN VNI 0/1 Port | The Port of an encapsulated packet inside a virtual network (VXLAN tunnel). | integer | Src/Dst |
IP TTL | The value of the IP TTL (time to live) field in the header of a VXLAN encapsulated packet. | integer | Non-directional |
VXLAN VNI 0/1 | A virtual network identifier (VNI) that identifies a specific virtual network in the data plane. | integer | Non-directional |
VXLAN VNI 0/1 DSCP | A DSCP (differentiated services code point) value from the DS field in the header of a VXLAN encapsulated packet. | integer | Non-directional |
VXLAN VNI 0/1 TCP Flags | TCP flags set in the header of a VXLAN encapsulated packet. | integer | Non-directional |
VXLAN VNI 0/1 IP TTL | The value of the TTL (time to live) field in the IP header of a VXLAN encapsulated packet. | integer | Non-directional |
VXLAN VNI 0/1 Protocol | The protocol of an encapsulated packet inside a virtual network (VXLAN tunnel). | integer | Non-directional |
© 2014-25 Kentik