Path Analysis
Note: the External Path Analysis is available starting with NP-View version 4.2.0
Through network access modeling, NP-View analyzes all possible connectivity paths in a network based on the imported firewall, router, and switch configuration files. The results are presented in:
- the Connectivity Paths table,
- the Compare Path History,
- the Connectivity Matrix for each device, and
- the Inbound Connectivity and Outbound Connectivity sections of the info panel for hosts, gateways, and networks.
Path analysis is only available in custom views that have been manually created using the “Manage Views” menu. The default Home view, in which only devices are shown (no networks, no end points), does not include a path analysis.
NP-View provides two options for analysis: Standard and External. Standard analysis computes paths for all the devices and end points within the view. External analysis includes not only the devices and end points within the view but also the external end points that are listed as unmapped.
By default, newly created views include the standard analysis. To include external hosts, select the checkbox “Include external (unmapped) hosts in path analysis” at the bottom of the Create New View form. Please note that the external path analysis will likely take more time to complete and will return a larger number of paths.
Why are there zero paths identified after analysis?
In some workspaces customers are seeing zero paths after analysis. To understand why, each ‘allow’ rule must be investigated. In these cases, we found various reasons for not seeing any paths. Some of these reasons are:
- The IP addresses of the firewall’s interfaces and of the access rules’ sources and destinations do not overlap. The firewall’s interface addresses are in 124.x.y.z ranges, while the source and destination objects of the access rules are in 10.x.y.z ranges, so the traffic is dropped at the ingress of the firewall. This can be caused by (1) an incorrect config export, (2) incorrect sanitization, or (3) an incomplete config.
- A zone contains two interfaces (tunnel.1 and tunnel.3), and intrazone paths are expected to show up (because of the default allow as well as specifically defined access rules). However, those tunnels terminate on gateways that are connected via layer-2 links in the config, and the layer-3 path processing does not include those cases.
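The first reason above (interface addresses and rule objects that never overlap) can be caught before a config is imported. The following is an added example, not NP-View code and not tied to any vendor's config syntax: it takes the firewall's interface addresses and its access rules as plain Python data, builds the set of prefixes the device can actually forward to (directly connected subnets plus any static routes), and reports every allow rule whose source or destination lies entirely outside that set. The interface names, rule names and addresses are constructed to mirror the 124.x.y.z / 10.x.y.z mismatch described above; the simple "connected subnets plus routes" reachability model is an assumption of the example.

```python
from ipaddress import ip_interface, ip_network

# Constructed sample data (not taken from any real NP-View workspace) modelled on
# the situation described above: the firewall's interfaces sit in 124.x.y.z
# ranges while every access rule's source and destination objects are in 10.x.y.z.
INTERFACES = {
    "ethernet1/1": "124.10.1.1/24",
    "ethernet1/2": "124.10.2.1/24",
}
ACCESS_RULES = [
    {"name": "allow-web", "src": "10.1.0.0/16", "dst": "10.2.0.10/32", "action": "allow"},
    {"name": "allow-db", "src": "10.2.0.0/24", "dst": "10.3.0.0/24", "action": "allow"},
    {"name": "deny-all", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "deny"},
]
# Static route prefixes the firewall knows about; empty in the broken export.
ROUTES = []


def reachable_prefixes(interfaces, routes):
    """Prefixes the firewall can forward to: the directly connected interface
    subnets plus any statically routed prefixes (assumed model, see lead-in)."""
    connected = [ip_interface(addr).network for addr in interfaces.values()]
    routed = [ip_network(p, strict=False) for p in routes]
    return connected + routed


def endpoint_is_reachable(prefix, reachable):
    """True if a rule object's prefix overlaps at least one reachable prefix."""
    net = ip_network(prefix, strict=False)
    return any(net.overlaps(r) for r in reachable)


def unreachable_allow_rules(interfaces, rules, routes=()):
    """Names of allow rules whose source or destination falls outside everything
    the firewall can reach. A path needs both an ingress and an egress, so such
    a rule can never match traffic that actually traverses the device and will
    produce no paths in the analysis."""
    reachable = reachable_prefixes(interfaces, routes)
    return [
        r["name"]
        for r in rules
        if r["action"] == "allow"
        and not (
            endpoint_is_reachable(r["src"], reachable)
            and endpoint_is_reachable(r["dst"], reachable)
        )
    ]


if __name__ == "__main__":
    for name in unreachable_allow_rules(INTERFACES, ACCESS_RULES, ROUTES):
        print(f"allow rule {name!r}: no interface or route covers its endpoints")
    # Once a route toward the 10.0.0.0/8 space is present, the same rules become
    # reachable and the check reports nothing.
    print(unreachable_allow_rules(INTERFACES, ACCESS_RULES, ["10.0.0.0/8"]))
```

Running the check on the sample data flags both allow rules, which is exactly the "zero paths" symptom: every allow rule is dead because no interface or route covers its endpoints. If the same config is fed in with a route to 10.0.0.0/8, nothing is flagged, which points the investigation at the export or sanitization step rather than at the rules themselves.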
Why are there paths with no rule sequences?
Typically, those paths enter a firewall through a tunnel (so no access rule is required) and exit using a route. Since the path table only shows access rules, the rule sequence for such a path is empty.