Manage the firewall change process and reduce the time it takes to complete the change cycle. The Change Advisor runs a virtual packet test to pre-determine redundant change requests or isolate blocking rules. This behavioral analysis ensures that network engineers need only attend to requests that are legitimately required.
With SolarWinds' newest release, network access teams can cut down the number of change requests that are processed.
A simulated model of network access (derived purely from configuration data) provides application engineers the ability to ask if existing policies already cover the change. The web-based UI enables the question to be asked while preventing access to sensitive configuration data directly. Firewall engineers with authorized access can use the tool to determine the optimal places to implement rule changes.
Making changes to network device configurations can be difficult to accomplish. Network change requests typically specify a source IP address, a destination IP address, and a service to allow. In networks of any reasonable size, it is quite likely that the specified packet will traverse multiple network devices along its path from source to destination. Identifying the path and knowing which devices will need to be touched along the path requires significant knowledge of and experience with the network in question. Using traditional tools like ping or traceroute, the network engineer would only be able to identify the first device along the path that is blocking the packet. The engineer would then have to identify the change required in that device, then continue pinging or tracerouting to the next blocking device, and so on. This can be a very time-consuming and potentially error-prone process.
SolarWinds' Change Advisor automates the change process, taking advantage of SolarWinds' core technology for understanding how packets would traverse the network, based on connectivity, routing and the firewall devices involved in the change request. An application engineer initiates a change request by entering the parameters of the request into a web form. Change Advisor issues a packet tracer query based on the parameters from the change request to determine the path the requested packet would take through the network and to identify the firewalls and routers involved.
The virtual packet tracer determines when:
- A routable path is found and all devices along the path allow the packet to reach its intended destination.
- A routable path is found that ends in the packet destination, but one or more devices' ACL or NAT rules block the packet at some point along the path.
- There is no routable path for the packet to the destination because of a routing conflict, no default route in a device along the path, routing to a disabled interface, or a routing loop.
- There is no routable path for the packet to the destination because of a missing gateway.
When presented to the network engineer, this analysis shows precisely where in the network the packet will travel, which devices along the path will need to be modified to allow the requested service, and even which rules in those devices need to be changed.
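The following is an added illustration of the idea, not SolarWinds code or the product's algorithm: a minimal offline trace over configuration data that classifies a request into the outcomes listed above and, unlike ping or traceroute, keeps walking past the first blocking device so every device needing a change is reported. The topology, device names, rule format and outcome labels are constructed assumptions, and NAT and disabled interfaces are left out.

```python
import ipaddress

# Constructed topology, not a real network. A route's next hop is a device name,
# "direct" (destination is attached), or a gateway that has no known config.
# ACL rules are (action, src_net, dst_net, port); port None matches any port.
ANY = "0.0.0.0/0"
DEVICES = {
    "fw-edge": {"routes": [("10.2.0.0/16", "rtr-core")],
                "acl": [("permit", "10.1.0.0/16", "10.2.0.0/16", 443)]},
    "rtr-core": {"routes": [("10.2.5.0/24", "fw-dc"), ("10.2.9.0/24", "gw-absent")],
                 "acl": [("permit", ANY, ANY, None)]},
    "fw-dc": {"routes": [("10.2.5.0/24", "direct")],
              "acl": [("deny", "10.1.0.0/16", "10.2.5.0/24", 22),
                      ("permit", "10.1.0.0/16", "10.2.5.0/24", 443)]},
}

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def next_hop(routes, dst):
    """Longest-prefix match; None when the device has no route to dst."""
    hits = [(ipaddress.ip_network(net).prefixlen, hop) for net, hop in routes if in_net(dst, net)]
    return max(hits)[1] if hits else None

def first_match(acl, src, dst, port):
    """First matching rule wins; None means the implicit deny applies."""
    for rule in acl:
        _, s, d, p = rule
        if in_net(src, s) and in_net(dst, d) and p in (None, port):
            return rule
    return None

def trace(start, src, dst, port):
    """Return (outcome, path, blockers) for one requested flow."""
    path, blockers, device = [], [], start
    while True:
        if device not in DEVICES:
            return "missing-gateway", path, blockers
        if device in path:                      # routing loop
            return "no-route", path, blockers
        path.append(device)
        rule = first_match(DEVICES[device]["acl"], src, dst, port)
        if rule is None or rule[0] == "deny":
            blockers.append((device, rule))     # record it and keep walking the path
        hop = next_hop(DEVICES[device]["routes"], dst)
        if hop is None:
            return "no-route", path, blockers
        if hop == "direct":
            return ("blocked" if blockers else "allowed"), path, blockers
        device = hop
```

An "allowed" result corresponds to a redundant change request; a "blocked" result lists each device and the matching rule (or None for an implicit deny) that would have to change.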
See how the Change Modeling tool is used to further design and verify changes on firewalls and routers prior to deployment out to the network.
