Kentik - Network Analysis Tool
Overview

Kentik is an advanced network traffic analysis and forensics tool providing deep insight into your network's traffic patterns and bandwidth utilization. The integration with Fortinet firewalls enhances its capabilities by providing visibility into traffic passing through these devices.

Kentik is our partner for network traffic analysis, offering this service to customers based on their contract requirements.

What is Network Traffic Analysis?

Network Traffic Analysis is like watching all the information moving through a computer network. It's about checking and understanding the data that flows in and out to ensure everything runs smoothly and securely. This involves looking at data packets (small chunks of information) to spot anything unusual, like potential security threats or unauthorized access. By doing this, network managers can fix problems before they cause trouble and protect sensitive information.
 
In addition to enhancing security, network traffic analysis helps the network work better. By watching how data moves, managers can discover where things are slowing down and what needs upgrading. It also helps ensure the network meets certain rules and standards, keeping data safe and operations aligned with policies.

Overall, network traffic analysis is essential to keeping networks efficient, secure, and compliant.

What is NetFlow?

NetFlow is a tool developed by Cisco that helps track and analyze the data flow in a network. Think of it like a traffic camera system for a network, keeping track of where data is coming from and going to, how much data is being sent, and which routes it's taking.

NetFlow works in four steps:

  1. Routers or switches capture key details from the packets moving through the network, focusing on the essential fields of each packet.

  2. The device groups packets with matching details into flows. Each flow represents one unique communication between two endpoints.

  3. The device sends the collected flow data to a central system called a NetFlow collector, which stores it for analysis.

  4. Analysis software processes the stored flow data, providing insights into traffic volume, application usage, and potential security threats.

Using NetFlow, network managers can monitor network performance, troubleshoot issues, and enhance security, ensuring everything runs smoothly and efficiently.

NetFlow

NetFlow ingestion with Kentik is like having a super-smart assistant that helps you keep track of all the data moving through your network.

The ingestion pipeline has four stages:

  1. Network devices such as routers and switches capture data about the traffic passing through them. They record where the data is coming from, where it is going, and how much of it there is.

  2. These devices send the collected flow records to Kentik's Proxy. It's like sending a daily report to your assistant.

  3. The Kentik Proxy consolidates the flows and forwards them to the Cloud. It combines data from all your devices to give you a single, clear picture of what's happening in your network.

  4. Kentik analyzes the data and provides useful insights. It can flag a problem, such as unusual traffic that might indicate a security threat, or a bottleneck that is slowing down your network.

By using Kentik for NetFlow ingestion, you can monitor your network’s health, spot and fix problems quickly, and make sure everything is running smoothly and securely.

Setup of Fortinet Firewalls

Setting up NetFlow on a FortiGate firewall involves configuring the firewall to collect and send detailed network traffic data to a designated analysis system, known as a NetFlow collector. This setup allows you to monitor and analyze the flow of data through your network, providing insights into traffic patterns, bandwidth usage, and potential security issues.

As part of this setup, the sampling rate is set. The sampling rate determines how many packets are analyzed out of a total number of packets. For instance, a sampling rate of 1:100 means that one out of every 100 packets is analyzed. Choosing the right sampling rate is a balance between performance and detail. A lower sampling rate (e.g., 1:1000) reduces the processing load on the firewall and the collector, but it might miss some detailed traffic patterns. A higher sampling rate (e.g., 1:10) provides more detailed data but can increase the load on both the firewall and the NetFlow collector. ENA Engineering determines the sampling rate during setup.
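As an added illustration (not Kentik's or Fortinet's code), the following Python script models the two mechanisms described on this page: packets are grouped into flows by the standard NetFlow 5-tuple (source/destination IP, protocol, source/destination port), and a 1:N sampling rate is applied before the counters are scaled back up the way a collector does. The traffic, addresses and ports are constructed for the example; running it shows that 1:100 still estimates the bulk HTTPS flow closely but drops the short DNS and SSH flows entirely, which is the "might miss some detailed traffic patterns" trade-off.

```python
# Added example (not Kentik's or Fortinet's code): a toy NetFlow-style
# aggregator showing flow grouping by 5-tuple and the effect of 1:N sampling.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    size: int

def build_flows(packets):
    """Group packets sharing a 5-tuple into one flow record (packets, bytes)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p.size
    return dict(flows)

def sample(packets, rate):
    """Deterministic 1:rate sampling: the exporter keeps every rate-th packet."""
    return [p for i, p in enumerate(packets) if i % rate == 0]

def estimate(flows, rate):
    """Scale sampled counters back up, as a collector does for sampled flows."""
    return {k: {c: n * rate for c, n in v.items()} for k, v in flows.items()}

# Constructed traffic: one bulk HTTPS transfer plus two short flows.
TRAFFIC = (
    [Packet("10.1.1.20", "203.0.113.5", "tcp", 51000, 443, 1400)] * 950
    + [Packet("10.1.1.20", "10.1.1.2", "udp", 53444, 53, 80)] * 5
    + [Packet("10.1.1.30", "10.1.1.9", "tcp", 52000, 22, 120)] * 3
)

def packets_by_port(rate):
    """Estimated packet count per destination port as seen at sampling rate 1:rate."""
    est = estimate(build_flows(sample(TRAFFIC, rate)), rate)
    return {key[4]: v["packets"] for key, v in est.items()}

if __name__ == "__main__":
    # Actual counts are 950 (443), 5 (53) and 3 (22); watch the small flows vanish.
    for rate in (1, 10, 100, 1000):
        print(f"1:{rate:<5} -> {packets_by_port(rate)}")
```

At 1:10 the five-packet DNS flow is sampled once and over-estimated as 10 packets; at 1:100 and 1:1000 it is not seen at all, while the bulk flow is still estimated within about 5%.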

Access and Roles

To access the Kentik solution, log in to the myENA portal. Once you're in, click the Kentik icon and your credentials will be automatically transferred.

If you do not have access to the Kentik portal, contact CTAC for assistance.

Roles

The roles within the Kentik platform are divided into two categories:

  1. District Level View: Users assigned to a specific district can only view the data associated with that district. Each FortiGate device is linked to a district, and data access between districts is restricted. Additionally, peering between districts has been disabled.

  2. Provider Level View: Users with this role can view all FortiGate devices and their associated traffic across all districts.

District Dashboards

Upon logging into Kentik, you will be directed to your default dashboard. These dashboards are designed to display the most useful information gathered through NetFlow.

Breakdown of District View Dashboard

Top Application Category, Application by Average bits/s

A chart showing the "Top Application Category, Application by Average bits/s" is a visual representation that helps you understand which applications are consuming the most bandwidth on your network.


Dashboard Purpose

  • Bandwidth Management: Helps in identifying which application categories are using the most bandwidth.
  • Performance Monitoring: Monitor and optimize network performance by understanding bandwidth usage.
  • Troubleshooting: Aids in diagnosing network issues by pinpointing bandwidth-heavy applications.

By analyzing this chart, network administrators can make informed decisions about traffic management, prioritization, and resource allocation.

Top 10 Destination ASNs

A chart showing the top 10 destination ASNs. An Autonomous System Number (ASN) is a unique identifier assigned to an autonomous system (AS), which is a collection of IP networks and routers under the control of a single organization that presents a common routing policy to the internet.

Dashboard Purpose

  • Traffic Analysis: Identifies the top destination networks that are receiving the most traffic from your network.
  • Network Management: Helps you understand where most of the traffic is going, which is crucial for optimizing network performance and capacity planning.
  • Security Monitoring: Detects unusual traffic patterns or potential security issues by monitoring which ASNs are receiving high volumes of traffic.

Top Source and Destination Countries

Through this chart, network administrators can gain insights into the geographical distribution of their network traffic, enabling them to make informed decisions about network management, optimization, and security.


Dashboard Purpose

  • Traffic Analysis: Identifies the top countries involved in sending and receiving traffic to and from your network.
  • Network Management: Helps network administrators understand global traffic distribution, which is crucial for optimizing international network performance and capacity planning.
  • Security Monitoring: Detects unusual or suspicious traffic patterns by monitoring traffic volumes to and from different countries, aiding in the identification of potential security threats.

Top District IPs Consuming Data

The purpose of this list of IP addresses is to highlight the top 10 IPs consuming the most data within a district.

Top Destination Port and Protocol

A pie chart showing destination port and protocol. Each segment is labeled with the corresponding destination port number and protocol (e.g., Port 80 - HTTP, Port 443 - HTTPS).

Traffic volume labels show the percentage of total traffic or the actual traffic volume (e.g., in gigabytes or terabytes) for each port and protocol combination.


Dashboard Purpose

Provides a visual representation of how network traffic is distributed across different destination ports and protocols.

  • Network Management: Helps network administrators identify which ports and protocols are most heavily used, aiding in capacity planning and traffic optimization.
  • Security Monitoring: Highlights potentially vulnerable or suspicious ports and protocols that may require additional security measures or monitoring.

By examining this pie chart, network administrators can quickly understand the distribution of traffic across various destination ports and protocols, allowing them to make informed decisions about network management and security.

Top Source Port and Protocol

A pie chart showing source port and protocol. Each segment is labeled with the corresponding source port number and protocol (e.g., Port 80 - HTTP, Port 443 - HTTPS).

Traffic volume labels show the percentage of total traffic or the actual traffic volume (e.g., in gigabytes or terabytes) for each port and protocol combination.

Dashboard Purpose

Provides a visual representation of how network traffic is distributed across different source ports and protocols.

  • Network Management: Helps identify which ports and protocols are most heavily used, aiding in capacity planning and traffic optimization.
  • Security Monitoring: Highlights potentially vulnerable or suspicious ports and protocols that may require additional security measures or monitoring.

Top Traffic Categories

This chart provides a general categorization of network traffic, offering a high-level overview of how data is being utilized across different categories within the network. By breaking down the traffic into distinct categories, such as web browsing, streaming media, social media, email, file transfers, and other applications, the chart helps to visualize and understand the distribution and usage patterns of network resources.

Changing Dashboard Time Intervals

To change the timeframe of the data displayed in any dashboard, simply click on the Query button.

Within the slide-out menu, you can adjust the dashboard's time interval and choose time comparison options. Don't forget to click Apply!

Additional Dashboards

The Kentik solution provides additional metrics and dashboards for both District level users and Providers. To navigate, simply click on the ENA logo in the upper left-hand corner.
