Kentik - Network Flow Analytics
More Product Updates

January 2019

Kentik kicked off 2019 with many new features and integrations that make Kentik Detect a true end-to-end insight and analytics platform for every network. Highlights include support for flow data from Palo Alto Networks firewalls, Universal Data Records, VRF Awareness, and the Raw Flow View.

Palo Alto Networks Firewalls

Kentik now supports the full set of fields from the NetFlow Templates that are supported by Palo Alto Networks firewalls. This first phase of our PAN integration adds huge value for Kentik customers who use PAN firewalls, providing single-pane-of-glass network visibility that now includes firewall policies and events. Beyond standard flow-record fields such as IPs, protocols, and interfaces, you’ll also now have visibility into data including user IDs, application names, and more.

You can see this new functionality in Kentik Detect’s Data Explorer. First, make sure that your PAN firewall is included in the devices selected in the Devices pane in the Explorer sidebar (shown at right). Then click in the Group-by Dimensions selector in the Query pane to open the Group-by Dimensions dialog. Scrolling down, you’ll now find (as shown below) a dimension category for Palo Alto Networks Firewall. Available PAN dimensions include:

  • Source Dimensions: Post-NAT Transport Port, Post-NAT Address
  • Destination Dimensions: Post-NAT Transport Port, Post-NAT Address
  • Non-Directional Dimensions: ICMP Type, Flow ID, Application ID, User ID, Firewall Event, Direction

Once you select the dimensions of interest, you can order them as you like and run the query. Moreover, you can combine other data (i.e. Geo) and filter on specific firewall events to answer questions like, “Is this a region-specific problem or a general problem?” The following screenshot, for example, shows a Geo HeatMap chart of traffic filtered by a Firewall Event value of Flow Denied (the filter setting is shown in the overlaid inset).

Bringing PAN firewall events into Kentik Detect flow records empowers enterprise network teams with application visibility and enables additional security use cases, such as:

  • Forensic investigation of current and past threat activity.
  • Real-time verification that firewall policies are not over- or under-blocking applications.
  • Cross-correlation between source countries and firewall events with a map view.

We’ll continue executing on additional phases of integration, aiming for the best user experience (e.g. UI improvement and alerting integration). For more information, please see the Kentik Knowledge Base topic on Palo Alto Networks Firewall dimensions, or contact our Customer Success team.

Universal Data Records

The secret of our speedy integration with Palo Alto Networks firewalls is our new Universal Data Records architecture. With Universal Data Records, we’ve made it even easier to take advantage of the Kentik Data Engine (KDE) data store’s ability to store, unify, and query disparate data types, mapping its flexible schema to an even wider set of traffic sources, and so to bring data integration (i.e. vendor, protocol, etc.) faster to the customers for actionable insights. This approach has many advantages, like storing vendor-specific flow fields, more capacity for Custom Dimensions, and even the ability to store non-flow records that don’t contain standard flow fields like IP addresses. That makes it much faster for us to expand the types of data sources ingested into KDE, enabling visibility into a wider range of customer networks and infrastructure.

Using Palo Alto Networks firewalls as an example, with Universal Data Records we can now accept all of the fields included in PAN NetFlow Templates. While most of those fields are IANA IPFIX standard, we also include two vendor-specific fields, App-ID and User-ID (see below), that we previously couldn’t have ingested or stored.

Flow data that identifies applications and users is extremely valuable, and with Universal Data Records our customers can now take full advantage of this data to get a complete end-to-end picture of network activity.

VRF Awareness, Phase 1

Virtual routing and forwarding (VRF) is a technology that allows multiple routing table instances to co-exist within the same router at the same time. Because Internet service providers (ISPs) often take advantage of VRFs to create separate virtual private networks (VPNs) for customers, the technology is also referred to as VPN routing and forwarding. With VRF support in Kentik Detect, you no longer need to manually map interface names and descriptions to VRF names and IDs (which are hard to read, troubleshoot, and support). Instead, flow data is enriched with VRF identifiers as it’s ingested into the KDE, enabling the use of VRF attributes to filter or segment network traffic in your Kentik queries.

The first phase of our VRF implementation includes support for Cisco L3VPN, Cisco VRF-lite, and Juniper L3VPN. As shown in the screenshot below, there are eight new dimensions associated with VRF support: source and destination VRF Name, VRF Route Distinguisher, VRF Route Target, and VRF Extended Route Distinguisher.

Our new VRF functionality enables multiple use cases:

  • An enterprise network can verify that VRF-lite network partitions are functioning correctly (e.g. to ensure there is no traffic leaking).
  • An infrastructure/network planner can see inbound or outbound traffic at the Provider Edge (PE) segmented by VRFs.
  • A network operator can see all traffic associated with a specific Route Distinguisher (RD) or verify the names of the VRFs that are associated with a specific RD.
  • A network operator can get alerts for changes (e.g. increase/decrease) in traffic volume per customer using VRF IDs to distinguish customers at the PE

The screenshot below shows a Sankey graph and table with all of the details about how VRFs map to interfaces on network devices. With this view, network teams can accelerate troubleshooting and easily answer questions about how traffic maps to VRFs.

As shown below, the new VRF dimensions are also supported in Alert Policies.

As we extend our VRF capabilities going forward we’ll be able to provide an even richer set of insights for analytics and visibility, including deeper integration with per-VRF BGP routing data and Kentik’s existing Ultimate Exit feature. For more information, please see the listing of VRF dimensions in our Knowledge Base, or contact our Customer Success team.

Raw Flow View for Dashboard Panels

As mentioned above, the Kentik Data Engine (KDE) ingests and enriches flow records from routers, switches, and firewalls, as well as flow logs from cloud providers. This unaggregated data on individual flows is the basis for our comprehensive analytics functionality, including charts, graphs, tables, and dashboards. While those views are extremely useful, we’ve also given customers the option to directly view, filter, and export the raw underlying data in the Raw Flow Viewer (Analytics » Raw Flow; see the Raw Flow article in our Knowledge Base). We’ve now extended this functionality with Raw Flow Views for dashboard panels.

A Raw Flow View allows raw flow output to be embedded into a dashboard. Panels based on Raw Flow Views can inherit the devices, filters, and time range specified for the dashboard on which they live. Such panels are particularly useful on dashboards that are linked to Kentik alert policies, providing more traffic detail when investigating an alarm.

You can add a raw flow panel to a dashboard with a few easy steps:

  1. Create or Edit a dashboard. When you click the Edit Mode button, you’ll see Raw Flow View as one of the options available in the Add A Dashboard Panel pane.
  1. Click the Add button in the Raw Flow View card, which will open a configuration window where you can customize your query and get a preview of raw flows.
  1. Click the Add Dashboard Panel button to add the panel to the dashboard.

For further information about the Raw Flow View, please contact our Customer Success team.

We use cookies to deliver our services.
By using our website, you agree to the use of cookies as described in our Privacy Policy.