


The next time applications or network sources break or are not available, use Athena's Configuration Debugger tool to quickly determine whether the firewall is responsible and then trace the exact cause in the rulebase. The debugger examines the entire configuration in minutes, and using "virtual" packets, presents results interactively so that you can conveniently explore the rule and object relationships to isolate the specific location for fixes.

Discover why so many network engineers find Athena's Firewall Configuration Debugger to be the most comprehensive and easy to use.

The Configuration Debugger Tool is engineer-friendly functionality for troubleshooting the most complicated features inherent to Cisco, Check Point and NetScreen firewalls. The tool simulates the behavior of the firewall so that you can ask what-if questions to learn how the firewall is configured to allow or block traffic flows to reachable hosts or subnets.

Troubleshooting service availability issues requires a complete examination of the configuration and an accurate mapping of how policies relate to the structural and order dependencies between all of the ACLs, NATs and Routes. Athena offers the only tool to make these rule relationships explicitly clear, so that technical engineers can pinpoint the areas in the configuration where fixes are needed to resolve blocked services.

Example issues that you can resolve using the debugger are:

  • There is a disruption of service availability because of some changes
  • An application engineer made a change and complains that the problem is in the firewall, and you want to show that it is not
  • There is a security event, and you want to know the rules to close the security exposure
  • You are planning a server migration and want to avoid causing any service disruptions by making the wrong changes
  • You have a Cisco firewall with hundreds of NAT rules and you are trying to debug them

Users can specify the traffic they are trying to debug using a single IP address or a subnet. The Debugger performs a reachability analysis using the routing rules and address translations to automatically determine the ingress or egress access lists or zone-to-zone policies, and then evaluates how they act on the user's input. The results are organized by the rules as well as by the packets that they allow or deny. The Debugger also takes into account any settings or implied rules that affect the resulting traffic flows.
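The sketch below is an added example, not Athena's code: it shows the general idea of offline "virtual packet" analysis, using a route lookup to pick the ingress and egress ACLs and then first-match evaluation to report which rule decides the flow. The interface names, routes and rules are constructed sample data; NAT and vendor-specific implied rules are not modelled.

```python
import ipaddress

# Constructed sample config (not from a real device): routes, then ordered ACLs.
ROUTES = [("10.1.0.0/16", "inside"), ("192.0.2.0/24", "dmz"), ("0.0.0.0/0", "outside")]
ACLS = {  # (interface, direction) -> rules as (action, src, dst, proto, port)
    ("inside", "in"): [
        ("deny", "10.1.5.0/24", "192.0.2.0/24", "tcp", 443),
        ("permit", "10.1.0.0/16", "192.0.2.0/24", "tcp", 443),
    ],
    ("dmz", "out"): [("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443)],
}

def route(ip):
    """Longest-prefix match: interface through which ip is reached."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(n), ifc) for n, ifc in ROUTES]
    return max((n.prefixlen, ifc) for n, ifc in nets if addr in n)[1]

def check(key, pkt):
    """First-match ACL evaluation; returns (action, rule number or marker)."""
    rules = ACLS.get(key)
    if rules is None:
        return "permit", None          # assumption: no ACL bound means pass
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for num, (action, s, d, proto, port) in enumerate(rules, 1):
        if (src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                and (proto, port) == (pkt["proto"], pkt["port"])):
            return action, num
    return "deny", "implicit"          # implicit deny closes every ACL

def trace(pkt):
    """Walk a virtual packet through ingress then egress ACLs."""
    steps = []
    for key in ((route(pkt["src"]), "in"), (route(pkt["dst"]), "out")):
        action, rule = check(key, pkt)
        steps.append((key, action, rule))
        if action == "deny":
            return "deny", steps
    return "permit", steps

if __name__ == "__main__":
    for src, dst in [("10.1.2.3", "192.0.2.10"), ("10.1.5.7", "192.0.2.10"),
                     ("10.1.2.3", "192.0.2.20")]:
        print(src, dst, trace({"src": src, "dst": dst, "proto": "tcp", "port": 443}))
```

The third sample flow passes the ingress ACL and is dropped by the implicit deny on the egress ACL, the kind of order dependency that is easy to miss when reading a rulebase by eye.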

Advanced Change Analysis

The Debugger also provides advanced comparison capabilities where it links each rule and object change to its impact on added or deleted traffic flows. This lets you identify which specific changes are responsible for a service disruption.

More Key Features:

  • Totally offline analysis that does not require you to enable logging on rules or inject packets to understand the firewall's behavior
  • For Cisco and Juniper NetScreen firewalls, see all the CLI commands that allow or deny the input traffic
  • Takes minutes to completely troubleshoot service availability problems found in the firewall
  • Interactive drill-down capability facilitates complete exploration of all rule and object hierarchies


FirePAC is available in a variety of solution-based licensable components.

Pick the options that are best for your needs as an easy way to get started, or buy the platform for an unbeatable value.

Firewall Browser Users

The Configuration Debugger solution is available as an upgrade option from the Free Firewall Browser.