Path Analysis

Updated
March 26, 2024

Through network access modeling, NP-View analyzes all possible connectivity paths in a network based on the firewall, router, and switch configuration files imported. The results are presented in:

  • the Connectivity Paths table,
  • the Compare Path History,
  • the Connectivity Matrix for each device, and
  • the Inbound Connectivity and Outbound Connectivity sections of the info panel for hosts, gateways, and networks.

Path analysis is only available in custom views that have been manually created using the “Manage Views” menu. The default Home view, in which only devices are shown (no networks, no endpoints), does not include a path analysis.

NP-View provides two options for analysis: Internal and Internal + External. Internal analysis computes paths for all the devices and endpoints within the view. Internal + External analysis includes the devices and endpoints within the view and adds the external endpoints that are listed as unmapped.

By default, new views are created using Internal analysis. To include external hosts, select Internal + External from the dropdown.

Please note that Internal + External analysis takes more time to complete and returns a larger number of paths.

Why are there zero paths identified after analysis?

In some workspaces, customers see zero paths after analysis. To understand why, each ‘allow’ rule must be investigated. In the cases examined, there were several different reasons for not seeing any paths. Some of these reasons are:

  1. The IP addresses of the firewall’s interfaces and of the access rules’ sources and destinations do not overlap. The firewall’s interface addresses are in 124.x.y.z IP ranges, but the source and destination objects of the access rules are in 10.x.y.z IP ranges. Traffic matching those rules is therefore dropped at the ingress of the firewall before any rule can create a path. This can be caused by (1) an incorrect config export, (2) incorrect sanitization, or (3) an incomplete config.
  2. A zone contains two interfaces (tunnel.1 and tunnel.3), and the intrazone paths are expected to show up (due to the default intrazone allow as well as specifically defined access rules). However, those tunnels terminate on gateways that are connected via layer-2 links in the config, and the layer-3 path computation does not include those cases.
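The first cause above can be checked directly from the exported config before re-running the analysis. The following is an added example (not NP-View code): given the interface addresses, static routes, and allow rules of a firewall, it flags every allow rule whose source or destination object does not overlap any address space the firewall can reach. The interface names, addresses, and rules are constructed to reproduce the 124.x vs. 10.x mismatch described in the text.

```python
import ipaddress

# Constructed sample config (not from a real device): the interfaces sit in 124.x
# while two allow rules reference 10.x objects, the mismatch the text describes.
INTERFACES = {
    "ethernet1/1": "124.10.1.1/24",
    "ethernet1/2": "124.10.2.1/24",
}
STATIC_ROUTES = [
    "124.20.0.0/16",  # assumed reachable via a next hop on ethernet1/2
]
ALLOW_RULES = [
    {"name": "app-to-db",  "src": "10.1.0.0/16",   "dst": "10.2.0.0/16"},
    {"name": "mgmt-ssh",   "src": "124.10.1.0/24", "dst": "124.20.5.10/32"},
    {"name": "partner-in", "src": "10.9.0.0/16",   "dst": "124.10.2.50/32"},
]


def reachable_prefixes(interfaces, static_routes):
    """Address space the firewall can forward to or receive from:
    the connected subnets of its interfaces plus its static routes."""
    prefixes = [ipaddress.ip_interface(a).network for a in interfaces.values()]
    prefixes += [ipaddress.ip_network(r) for r in static_routes]
    return prefixes


def _overlaps_any(prefix, prefixes):
    return any(prefix.overlaps(p) for p in prefixes)


def dead_rules(interfaces, static_routes, rules):
    """Return (rule name, [problem sides]) for every allow rule that cannot
    produce a path because its source and/or destination object does not
    overlap any reachable prefix. Rules whose objects overlap are skipped."""
    reach = reachable_prefixes(interfaces, static_routes)
    dead = []
    for rule in rules:
        src = ipaddress.ip_network(rule["src"], strict=False)
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        problems = []
        if not _overlaps_any(src, reach):
            problems.append("source")
        if not _overlaps_any(dst, reach):
            problems.append("destination")
        if problems:
            dead.append((rule["name"], problems))
    return dead


if __name__ == "__main__":
    for name, problems in dead_rules(INTERFACES, STATIC_ROUTES, ALLOW_RULES):
        print(f"{name}: {' and '.join(problems)} outside every interface "
              f"subnet and static route")
```

With the constructed config, `app-to-db` is flagged on both sides and `partner-in` on its source, while `mgmt-ssh` passes because its objects fall inside a connected subnet and a static route. Note that a default route (0.0.0.0/0) in the route list makes every prefix reachable and silences the check, which is why an exported config with sanitized interface addresses but an intact default route can still show zero paths for a different reason (see the default gateway discussion below).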

Why are there paths with no rule sequences?

In some situations, the path sequence field is not populated because the access is implied by a tunnel or a security level rather than by an explicit rule. In these cases, the path sequence field shows the text: ‘Access implied by tunnel or security level’.

Why does Path Analysis not create paths for firewalls where there are two defined default static routes?

We use default gateways to route traffic to and from external addresses. In this context, we handle multiple default gateways differently depending on whether the paths are inbound or outbound.

For inbound paths, i.e., from external sources to the internal network, we process all default gateways. We process traffic through every default gateway and generate all paths as the access rules allow.

For outbound paths, i.e., from the internal network to external destinations, we select only one default gateway. We have implemented a set of rules grounded in routing principles that prioritize one route over the others. However, if those rules find no clear winner, we break the tie by picking the route through the interface whose name appears first in alphabetical order. In any case, we end up picking one default route and generating a warning message.
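The following is an added example (not NP-View code) that shows the inbound/outbound asymmetry described above on a constructed routing table with two default routes. The prioritization rules NP-View applies are not spelled out on this page; the example assumes the usual ones (lower administrative distance, then lower metric) and falls back to the alphabetical interface-name tie-break the text does describe. The route entries, interface names, and next hops are constructed.

```python
# Constructed routing table (not from a real device): two default routes with
# identical preference, so the alphabetical tie-break applies.
ROUTES = [
    {"prefix": "0.0.0.0/0",     "next_hop": "203.0.113.1",  "interface": "ethernet1/3", "distance": 10, "metric": 10},
    {"prefix": "0.0.0.0/0",     "next_hop": "198.51.100.1", "interface": "ethernet1/2", "distance": 10, "metric": 10},
    {"prefix": "10.20.0.0/16",  "next_hop": "10.1.1.254",   "interface": "ethernet1/1", "distance": 10, "metric": 10},
]

DEFAULT = "0.0.0.0/0"


def default_routes(routes):
    """All default routes in the table. Inbound analysis processes every one
    of them, so this is also the inbound candidate set."""
    return [r for r in routes if r["prefix"] == DEFAULT]


def _preference(route):
    # Assumed prioritization: lower administrative distance wins, then lower
    # metric. These are assumptions, not a statement of NP-View's exact rules.
    return (route["distance"], route["metric"])


def select_outbound_default(routes):
    """Pick the single default route used for outbound paths.

    Returns (chosen_route, warning). warning is None when there is at most one
    default route; otherwise it explains how the choice was made.
    """
    candidates = default_routes(routes)
    if not candidates:
        return None, None
    if len(candidates) == 1:
        return candidates[0], None

    best_pref = min(_preference(r) for r in candidates)
    tied = [r for r in candidates if _preference(r) == best_pref]
    if len(tied) == 1:
        chosen = tied[0]
        how = "lower administrative distance/metric"
    else:
        # No clear winner: tie-break on the interface name, alphabetical order.
        chosen = min(tied, key=lambda r: r["interface"])
        how = "interface name (alphabetical tie-break)"

    warning = (f"{len(candidates)} default routes found; outbound paths use "
               f"{chosen['interface']} via {chosen['next_hop']}, selected by {how}")
    return chosen, warning


if __name__ == "__main__":
    print("inbound default gateways:",
          [r["interface"] for r in default_routes(ROUTES)])
    chosen, warning = select_outbound_default(ROUTES)
    print("outbound default gateway:", chosen["interface"])
    if warning:
        print("WARNING:", warning)
```

Running it on the constructed table lists both ethernet1/2 and ethernet1/3 as inbound gateways but selects only ethernet1/2 for outbound traffic, with a warning naming the tie-break. Lowering the distance of the ethernet1/3 route makes it the outbound choice without a tie-break, which is the case to check first when the outbound paths through a firewall do not match expectations.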