Access Path Analysis

Using SIP’s behavior analysis framework, the Access Path Analysis (APA) feature allows you to track the flow of a packet through your network configurations. You can view the routes, interfaces, firewall and NAT rules that a packet encounters while traversing your network. This powerful analysis tool can help you find where rules are blocking access along a given path, identify where route configurations prevent specific path access, analyze how traffic is able to travel from deep within your network to the outside world, or find vulnerability points.

Devices with level 4 support work best with network APA; devices without level 4 support fall back to basic zone behavior. Basic zone behavior adjusts itself to whatever is defined on the device, using the most expressive configuration available: routing tables first, then policies. If no policies are defined, the device generally acts like a router. If it is marked as a router but has policies, it does not apply an implicit drop when no rule matches.
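The fallback described above is easiest to see as a decision procedure. The following is an added illustration, not SIP or FireMon code: it models a device by its routing table and an ordered rule list, applies the stated order (route lookup first, then policies), and encodes the router exception (no implicit drop when no rule matches). The data shapes, the "router"/"firewall" role labels, and the sample devices and packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    proto: str                  # "tcp", "udp", "icmp", "icmpv6" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        return (_in(self.src, pkt["src"]) and _in(self.dst, pkt["dst"])
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


def _in(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class Device:
    name: str
    role: str                    # "router" or "firewall" (assumed labels, not SIP terminology)
    routes: dict                 # CIDR -> egress interface
    rules: list = field(default_factory=list)


def lookup_route(device, dst_ip):
    """Longest-prefix match over the routing table; None when nothing covers the destination."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, iface in device.routes.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def evaluate(device, pkt):
    """Basic zone behaviour: routing table first, then policies, with the router exception."""
    egress = lookup_route(device, pkt["dst"])
    if egress is None:
        return "drop", f"{device.name}: no route to {pkt['dst']}"
    if not device.rules:
        # No policies defined: the device simply acts like a router.
        return "forward", f"{device.name}: no policies, acts as router via {egress}"
    for idx, rule in enumerate(device.rules):
        if rule.matches(pkt):
            verdict = "forward" if rule.action == "allow" else "drop"
            return verdict, f"{device.name}: rule {idx} ({rule.action}) matched"
    if device.role == "router":
        # Marked as a router but carrying policies: no implicit drop on no-match.
        return "forward", f"{device.name}: no rule matched, router has no implicit drop, via {egress}"
    return "drop", f"{device.name}: no rule matched, implicit drop"


def trace(path, pkt):
    """Walk the packet through the devices in order and stop at the first drop."""
    hops = []
    for dev in path:
        verdict, why = evaluate(dev, pkt)
        hops.append(why)
        if verdict == "drop":
            return "blocked", hops
    return "reachable", hops


# Constructed sample topology: a firewall in front of a router that still carries one policy.
CORE_FW = Device("core-fw", "firewall",
                 {"10.0.0.0/8": "inside", "0.0.0.0/0": "outside"},
                 [Rule("allow", "10.1.0.0/16", "any", "tcp", 443)])
EDGE_RTR = Device("edge-rtr", "router",
                  {"0.0.0.0/0": "eth0", "10.0.0.0/8": "eth1"},
                  [Rule("deny", "any", "any", "tcp", 23)])

PKT_HTTPS = {"src": "10.1.4.20", "dst": "198.51.100.7", "proto": "tcp", "dport": 443}
PKT_SSH = {"src": "10.1.4.20", "dst": "198.51.100.7", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for pkt in (PKT_HTTPS, PKT_SSH):
        result, hops = trace([CORE_FW, EDGE_RTR], pkt)
        print(result, "->", " | ".join(hops))
```

Running the two sample packets shows the contrast the text draws: HTTPS is allowed by the firewall rule and then forwarded by the router even though no router rule matches, while SSH is dropped at the firewall by the implicit drop before the router is ever consulted.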

Permission Requirements

A user will need to be a member of a user group with the following minimum permissions granted:

  • Plugins - Write access

  • Modules: Security Manager and Risk Analyzer

  • Device Group: All Devices or specific device groups - Write and Risk access

Criteria needed to run APA:

  • Source uses a single IP address, CIDR format, or ANY
  • Destination uses a single IP address, CIDR format, or ANY
  • Protocol options include TCP, UDP, ICMP, ICMPv6
  • Source Port is an optional field and only used for devices that utilize it
  • Destination Port
  • Starting Network Segment (at the network All Devices level) is selected after inputting the above data. Network segments are suggested by inspecting the interfaces and supplemental addresses, and determining if the space contains the specified source.
  • Inbound Interface (at the device level) is selected after inputting the above data. Inbound interfaces must be active, assigned to the device, and have valid routes that reference the interfaces.

Source and Destination cannot both be 'ANY'. The system restricts both the Source and Destination fields to a single subnet only.

Ambiguous Paths

Ambiguities are identified when more than one device could potentially handle access from a single network segment.

Reason for an ambiguity:

  • Destination is too broad

Resolve an ambiguity:

  • Add a network segment route to the network segment
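The input criteria, the starting-segment suggestion, and the ambiguity check above all reduce to address-space containment, so one worked example serves both sections. This is an added example and not SIP or FireMon code: it validates a set of APA criteria (single IP, CIDR or ANY; not both ANY; one subnet each; supported protocols), suggests starting segments whose interface or supplemental address space contains the source, and reports an ambiguity when more than one device sits on the chosen segment and no segment route decides the destination. The `Segment` data model, the longest-prefix rule for segment routes, the requirement of a destination port for TCP/UDP, and the sample segments are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field

PROTOCOLS = {"tcp", "udp", "icmp", "icmpv6"}


@dataclass
class Segment:
    """Assumed model: an address space shared by the interfaces of one or more devices."""
    name: str
    spaces: list                 # CIDRs of interface and supplemental addresses
    devices: list                # devices with an interface on this segment
    routes: dict = field(default_factory=dict)  # segment routes: CIDR -> device handling it


def parse_endpoint(text):
    """'ANY' -> None; a single IP becomes a /32 or /128 network; a CIDR is one subnet."""
    if text.strip().upper() == "ANY":
        return None
    return ipaddress.ip_network(text.strip(), strict=False)


def validate_criteria(src, dst, proto, dport=None, sport=None):
    """Return a list of criteria violations (empty when the inputs are acceptable)."""
    errors = []
    for label, value in (("source", src), ("destination", dst)):
        try:
            parse_endpoint(value)
        except ValueError:
            errors.append(f"{label} {value!r} is not a single IP address, CIDR or ANY")
    if src.strip().upper() == "ANY" and dst.strip().upper() == "ANY":
        errors.append("Source and Destination cannot both be ANY")
    if proto.lower() not in PROTOCOLS:
        errors.append(f"protocol {proto!r} is not one of {sorted(PROTOCOLS)}")
    for label, port in (("destination", dport), ("source", sport)):
        if port is not None and not 0 <= port <= 65535:
            errors.append(f"{label} port {port} is out of range")
    if proto.lower() in {"tcp", "udp"} and dport is None:
        errors.append("destination port is required for TCP/UDP")  # assumed requirement
    return errors


def _contains(space_cidr, net):
    space = ipaddress.ip_network(space_cidr, strict=False)
    return space.version == net.version and net.subnet_of(space)


def suggest_segments(segments, src):
    """Segments whose interface/supplemental address space contains the whole source."""
    src_net = parse_endpoint(src)
    if src_net is None:
        return list(segments)  # ANY source: every segment is a candidate (assumption)
    return [s for s in segments if any(_contains(sp, src_net) for sp in s.spaces)]


def next_device(segment, dst):
    """Pick the device that carries dst off the segment; (None, reason) when ambiguous."""
    dst_net = parse_endpoint(dst)
    if dst_net is not None:
        best = None
        for cidr, dev in segment.routes.items():  # longest-prefix segment route wins
            route = ipaddress.ip_network(cidr, strict=False)
            if _contains(cidr, dst_net) and (best is None or route.prefixlen > best[0].prefixlen):
                best = (route, dev)
        if best is not None:
            return best[1], None
    if len(segment.devices) == 1:
        return segment.devices[0], None
    if dst_net is None:
        return None, "destination ANY is too broad; add a network segment route"
    return None, (f"{len(segment.devices)} devices could handle {dst} "
                  f"({', '.join(segment.devices)}); add a network segment route")


# Constructed sample segments: a single-device DMZ and a dual-router core.
SEGMENTS = [
    Segment("DMZ", ["192.0.2.0/24"], ["fw-edge"]),
    Segment("Core", ["10.1.0.0/16", "10.1.255.0/24"], ["core-rtr-a", "core-rtr-b"],
            routes={"10.2.0.0/16": "core-rtr-b"}),
]

if __name__ == "__main__":
    print(validate_criteria("ANY", "ANY", "tcp", 443))
    for seg in suggest_segments(SEGMENTS, "10.1.4.20"):
        print(seg.name, next_device(seg, "198.51.100.7"))
```

The core segment illustrates the resolution the text describes: a destination covered by the segment route resolves to one device, while a destination outside every segment route (or ANY) leaves two candidate devices and is reported as ambiguous until a route is added.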