This section explains how to run traffic simulation queries and routing queries.
Overview
Once AFA has analyzed a device, group, or matrix, you can issue your own traffic simulation query to be tested against the policy. When running a traffic simulation query on a group or matrix, AFA finds the devices in the path of the traffic, using the graphic network map, and queries all these devices. If traffic is blocked by the device, you can determine which rules block it. This provides you with a powerful help desk support functionality. Furthermore, using the traffic simulation query feature allows users to determine whether the devices are protecting the organization's networks against traffic from a new exploit, or which device is letting a particular type of traffic through.
NAT is fully supported for traffic simulation queries on groups of devices. When finding the devices in the path of the traffic for a group, AFA supports both NAT and Proxy ARP. AFA predicts the devices in the path and then validates the prediction with the query information. When the query information matches the path, the source and destination values for all relevant devices in the path are updated. When only part of the traffic is translated, the downstream devices are queried for both the pre- and post-NAT values. This produces an accurate query, where no relevant traffic is ignored.
If you want to run a traffic simulation query, but you only know post-NAT values, you can look up the pre-NAT values with which to run the query. For details, see Find NAT values.
AFA additionally provides the option to run a routing query to determine the devices in the path, without policy simulation. Note that routing queries ignore NAT. For details, see Run a routing query.
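The overview above states what a traffic simulation query means, not how one is evaluated. The following Python model is an added illustration, not AFA code and a simplification of the product: it evaluates a source/destination/service query against first-match rulebases along a device path, applying the Negate semantics described later in this section (the union of all specified values is negated) and the partial-NAT behaviour described above (downstream devices see both the pre- and post-NAT values). Every device name, rule, address and the "Not reached" label is constructed for the example.

```python
from dataclasses import dataclass
from functools import reduce
from ipaddress import IPv4Address, IPv4Network as Net, summarize_address_range

def to_nets(values):
    """Expand query values (single IPs, CIDRs, 'lo-hi' ranges) into CIDR networks."""
    nets = []
    for lo, _, hi in (v.replace(" ", "").partition("-") for v in values):
        nets += (summarize_address_range(IPv4Address(lo), IPv4Address(hi)) if hi  # range
                 else [Net(lo, strict=False)])                                    # IP or CIDR
    return nets

def exclude(nets, hole):
    """Remove 'hole' from a list of CIDRs (two CIDRs either nest or are disjoint)."""
    return [piece for n in nets if not n.subnet_of(hole)
            for piece in (n.address_exclude(hole) if hole.subnet_of(n) else [n])]

def negate(values):
    """Negate check box semantics: the union of all given values is excluded from 0.0.0.0/0."""
    return reduce(exclude, to_nets(values), [Net("0.0.0.0/0")])

@dataclass
class Device:
    name: str
    rules: list            # (src_net, dst_net, service, action) in order; first match wins
    dst_nat: tuple = None  # (matched_dst, translated_dst), or None if the device does no NAT

def simulate(device, atoms):
    """Classify each (src, dst, service) atom as Allowed or Blocked by one device's rulebase."""
    verdict, work = {"Allowed": [], "Blocked": []}, list(atoms)
    while work:
        s, d, p = work.pop()
        for rs, rd, rp, action in device.rules:
            if p != rp or not (s.overlaps(rs) and d.overlaps(rd)):
                continue
            if s.subnet_of(rs) and d.subnet_of(rd):
                verdict[action].append((s, d, p))
            else:  # the rule covers only part of the atom: split it and re-evaluate the pieces
                ss = [rs] + list(s.address_exclude(rs)) if not s.subnet_of(rs) else [s]
                ds = [rd] + list(d.address_exclude(rd)) if not d.subnet_of(rd) else [d]
                work.extend((a, b, p) for a in ss for b in ds)
            break
        else:
            verdict["Blocked"].append((s, d, p))  # no rule matched: implicit deny
    return verdict

def apply_nat(device, atoms):
    """Destination NAT: translated traffic continues post-NAT, the untranslated rest pre-NAT."""
    if device.dst_nat is None:
        return list(atoms)
    match, xlat = device.dst_nat
    out = []
    for s, d, p in atoms:
        if d.overlaps(match):
            out.append((s, xlat, p))
            out.extend((s, rest, p) for rest in exclude([d], match))
        else:
            out.append((s, d, p))
    return out

def status(verdict):
    """Per-device result as the query page reports it."""
    return ("Allowed" if not verdict["Blocked"] else
            "Blocked" if not verdict["Allowed"] else "Partially Allowed")

def group_query(path, src, dst, service):
    """Query each device on the path in order; a device only sees what upstream let through."""
    atoms, report = [(s, d, service) for s in src for d in dst], {}
    for dev in path:
        verdict = simulate(dev, atoms)
        report[dev.name] = status(verdict) if atoms else "Not reached"  # constructed label
        atoms = apply_nat(dev, verdict["Allowed"])
    return report

# Constructed sample path: a perimeter firewall DNATs one public IP to an internal host, and the
# internal firewall behind it only knows the post-NAT address.
PERIMETER = Device("perimeter-fw", [(Net("0.0.0.0/0"), Net("203.0.113.8/29"), "tcp/443", "Allowed")],
                   dst_nat=(Net("203.0.113.10/32"), Net("10.0.0.10/32")))
INTERNAL = Device("internal-fw", [(Net("0.0.0.0/0"), Net("10.0.0.10/32"), "tcp/443", "Allowed")])
EXTERNAL = negate(["10.0.0.0/8"])  # Negate on the source field: every IP outside 10.0.0.0/8
```

Running group_query([PERIMETER, INTERNAL], EXTERNAL, to_nets(["203.0.113.8/29"]), "tcp/443") reports the perimeter as Allowed and the internal firewall as Partially Allowed, because only the one translated address in the /29 is known downstream.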
Run traffic simulation queries
Tip: To enable Traffic Simulation Query for an L2 device
AFA enables you to run a traffic simulation query on an individual device's current or past policy.
Do the following:
Verify your permissions. To run a successful query, you must have access to all the firewalls that are relevant for your query results path. Queries will fail if the query goes through a non-permitted device.
Users with permissions to view an entire group can run queries on the group. If you do not have permission to view a group of devices, or the ALL_FIREWALLS group, we recommend that you perform single-device queries on the devices you have permissions to view. For more details, see Run traffic simulation queries on groups.
You can run a query on the policy data that is available from the device's latest report or from an earlier report, as follows:
Run a query based on a device's latest report's policy data
Select the device in the devices tree. The device Overview tab displays. Continue with step 3.
Run a query based on an earlier report's policy data
Select the device in the devices tree. Click the device's Reports tab.
On the reports tab, select the checkbox of the report you want to query, and continue with step 3.
Click Traffic Simulation Query.
The Traffic Simulation Query page is displayed.
To load a saved query, select the desired query in the Select Saved Query drop-down list.
The fields are populated with the saved query's data.
Note: You can run a query for the source/destination that you specify, or the negation of the source/destination that you specify (all IPs other than the source/destination that you specify).
Do the following:
Click at the right of the desired field (Source or Destination).
The Select Source or Select Destination dialog box is displayed.
Specify the desired source or destination.
You can select an individual IP address or multiple IP addresses, a range of IP addresses, CIDRs, FQDNs, or host groups (the host group must be defined on the device). If you wish to select a host group, you can search the defined names alphabetically, or by using the search filter.
To negate the source and/or destination that you specified, select the Negate check box to the right of the desired field.
Note: The negation of the specified source/destination means all IPs other than the source/destination that you specified. If you specified multiple IP addresses, IP address ranges, and/or host groups, the union of these values is negated.
[Optional] For brands that support applications, specify an application by doing one or more of the following:
You can filter the information displayed in the list by application name: type the desired application name in the Filter by Name field, and then click Filter.
Note: To clear the filter, click Reset.
Select the required application.
Click Save.
You can specify multiple applications, by repeating this step.
To open a FireFlow change request to allow the blocked traffic or block the allowed traffic, do the following:
Click .
If the result of the query is Blocked, the change request will open the traffic. If the result of the query is Allowed, the change request will block the traffic. If the result of the query is Partially Allowed, you are prompted to choose whether to allow or block the traffic.
If the result of the query is Partially Allowed, select whether to block or allow the traffic.
Click OK.
The change request is opened. Once the change request is successfully created, a link to the change request appears.
To export the query results to PDF, click in the top-right corner of the report. A new window opens with the results to export. For more details, see Export AFA screens to PDF.
To export to CSV format, click in the top-right corner of the report. Follow your browser prompts to open or save the CSV file.
Note: The IP addresses resolved from FQDNs are shown in the TSQ results for group TSQs only.
When running traffic simulation queries on device groups, AFA finds the devices in the path of the query by simulating routing and NAT across the entire network. AFA then simulates the policy on each relevant device to determine if it blocks or allows the traffic that reaches it.
AFA uses the graphic network map when querying groups; therefore, it is important to ensure that the map is correct. For details, see AFA's graphic network map.
To run a traffic simulation query on a group:
Verify your permissions. To run a successful query, you must have access to all the firewalls that are relevant for your query results path. Queries will fail if the query goes through a non-permitted device.
Users with permissions to view an entire group can run queries on the group. If you do not have permission to view a group of devices, or the ALL_FIREWALLS group, we recommend that you perform single-device queries on the devices you have permissions to view. For more details, see Run traffic simulation queries.
Note: You can run a query for the source/destination that you specify, or the negation of the source/destination that you specify (all IPs other than the source/destination that you specify).
Do the following:
Click at the right of the desired field (Source or Destination).
The Select source or Select destination dialog is displayed.
Specify the desired source or destination.
You can select either an individual IP address, a range of IP addresses, a CIDR, an FQDN or a host group. (The host group must be defined on the device.) If you wish to select a host group, you can search the defined names alphabetically, or by using the search filter.
Click OK.
You can specify multiple sources/destinations, by repeating this step.
(Optional) In the Query title field, type a name for the query.
(Optional) To specify that query results should be grouped by policy, and only one device should be displayed per policy, select the Group by Policy check box.
This option is only available if grouping query results by policy is enabled in the system. For more details, see Configure group traffic query results.
To open a FireFlow change request to allow the blocked traffic or block the allowed traffic, do the following:
Click .
If the result of the query is Blocked, the change request will open the traffic. If the result of the query is Allowed, the change request will block the traffic. If the result of the query is Partially Allowed, you are prompted to choose whether to allow or block the traffic.
If the result of the query is Partially Allowed, select whether to block or allow the traffic.
Click OK.
The change request is opened. Once the change request is successfully created, a link to the change request appears.
Specify the source and destination, by doing one or more of the following:
Note: For Cisco ACI, when you specify TSQ source and destination, either use the EPG name, any host IP that is currently part of the EPG, or the first IP in the subnet.
Note: You can run a query for the source/destination that you specify, or the negation of the source/destination that you specify (all IPs other than the source/destination that you specify).
To specify a source/destination that is already defined in AFA:
Click at the right of the desired field (Source or Destination).
The Select source or Select destination dialog is displayed.
Specify the desired source or destination.
You can select either an individual IP address, a range of IP addresses, a CIDR, an FQDN or a host group. (The host group must be defined on the device.) If you wish to select a host group, you can search the defined names alphabetically, or by using the search filter.
Click OK.
You can specify multiple sources/destinations, by repeating this step.
To specify a source/destination that is not defined in AFA, type an IP address, IP address range, CIDR, FQDN or host group name in the relevant field (Source or Destination) and then press <Enter>.
You can specify multiple sources/destinations.
To negate the source/destination that you specified, select the Negate check box to the right of the desired field.
If you specified multiple IP addresses, IP address ranges, and/or host groups, the union of these values is negated.
Specify the service, by doing one or more of the following:
To specify a service that is already defined in AFA:
Click at the right of the Service field.
The Select Service dialog appears.
You can filter the information displayed in the list, by doing one of the following:
To filter the information displayed in the list by service name, type the desired service name in the Filter by Name field, then click Filter.
To filter the information displayed in the list by service definition, type the desired service definition in the Definitions field, then click Filter.
To clear the filter, click Reset.
Select the desired service(s).
Click OK.
To specify a service that is not defined in AFA, in the Service field, type the desired service's definition and then press <Enter>.
You can query multiple services.
(Optional) In the Query title field, type a name for the query.
After running a traffic simulation query, AFA presents detailed information about the devices found in the traffic path based on the policy protecting the network. Query results depend on the type of simulation:
The top of the page lists the following traffic simulation query details:
Status of the request (Allowed, Partially Allowed, or Blocked)
Day and time when the query was performed
Query parameters of the request
Note: When a query has more than three values in a single field, click to see all the values.
The Device Details area displays the details for the queried device.
To view details for a specific device, click the arrow located to the left of its name.
The fields that appear for each rule depend on the device brand. If AppViz is licensed, fields from AppViz appear, indicating business information such as which rules are included as flows in which applications. For details listed in a table, you can sort and filter table data by clicking on table headers and/or typing in the search bar.
The top of the page lists the following traffic simulation query details:
Status of the request (Allowed, Partially Allowed, or Blocked)
Day and time when the query was performed
Query parameters of the request
Note: When a query has more than three values in a single field, click to see all the values.
Query results display on the map with the devices listed to the left.
Map navigation
Do any of the following to zoom in or out or pan across the map:
Zoom in or out
Click or on the zoom bar.
Press + or - until you reach the desired zoom level.
Scroll up or down.
Drag the line on the zoom bar up or down.
Resize to fit
To resize the graphic network map to fit the screen, click .
Pan across the screen
On the direction control button, click the arrow pointing in the direction you want to pan.
If the cursor is not in Pan mode, switch by clicking . Then, click the map and drag it in the desired direction.
Note: You can increase the amount of screen space available to view the map:
Click to view the map in full screen mode
Click to minimize the device list
The device list contains the following information:
Total number of devices found matching the query results.
An option to sort devices according to Status (default) or to Path.
When sorted by Status, each group displays the total number of devices found within that status level (Blocking, Partially Allowing, Allowing or Relevant).
When sorted by Path, devices appear according to relevant traffic paths. Each device in the path appears sequentially, from source to destination.
A colored dot to the left of each device indicates whether traffic is allowed (green), blocked (red), partially allowed through the device (yellow), or relevant (grey).
Note: Depending on the active tab (Map or Details), click on a device in the list to:
Shift the map's focus to that device (Map tab)
View the details of the query relative to the selected device (Details tab)
Review additional information about the query results using the Map and Details tabs.
Map tab (default): In the graphic network map, path lines show the relationship between the entities. A colored box around each device in the map indicates whether traffic is allowed (green), blocked (red), partially allowed through the device (yellow), or relevant (grey).
Note: Right click on a device in the map to see available selections for the device type:
Connectivity Diagram: A list of the interfaces of the selected device and their associated IPs.
Latest Report: Opens the latest report for the selected device. For more details see Device report pages.
Routing Information: Shows the current URT file with details about the interfaces, routing information, and VPN information when available.
Note: When the path of the query intersects an IP address in a host-based device, the device is represented in the results map. For VMware NSX or Cisco ACI, the device and relevant IP address is always represented by a single icon. For AWS and Azure, the individual internal elements (such as VPC / VNet routers) may additionally appear in the map.
In the map, the sources are marked with a green flag , and destinations are marked with a checkered flag . The path between each source and destination is marked in blue. You can zoom in, zoom out, resize the graphic network map to fit the screen, and pan the view. For details, see AFA's graphic network map.
Devices that perform NAT are marked on the map with a NAT icon. Hovering over a NAT device displays the translation information for source and destination. Additionally, a table of applied NAT rules is displayed. If NAT is performed before traffic reaches a device, the results specify that the source and/or destination was modified before reaching the device.
Details tab: View detailed information about a selected device in the device list.
For details listed in a table, you can sort and filter table data by clicking on table headers and/or typing in the search bar.
Fields that appear for each rule depend on the device brand. If AppViz is licensed, fields from AppViz appear, indicating business information such as which rules are included as flows in which applications. For details listed in a table, you can sort and filter table data by clicking on table headers and/or typing in the search bar.
If NAT is performed by the device, the NAT rules appear in tooltips in the map. For Check Point and Cisco ASA devices which perform NAT, a table of applied NAT rules appears below the map.
Device Details
The Device Details area displays the details for each device found in the query. For additional information see Details Tab.
To view details for a specific device, click the arrow located to the left of its name. Click +Expand and –Collapse to show/hide details for all of the devices appearing on the page.
For details listed in a table, you can sort and filter table data by clicking on table headers and/or typing in the search bar.
Note: If you ran the query from the Groups tab, the query result is also stored and attached to the report. To view it later, go to the Policy page in the report. If you specified a query title, then this title will be shown in the Policy page. Otherwise a default title is selected.
Note: If you ran the query from the Matrices tab, the query result also is stored and attached to the report. To view it later, go to the Policy page in the report. If you specified a query title, then this title will be shown in the Policy page. Otherwise a default title is selected.
Some traffic simulation queries are repeated often. AFA allows saving the source, destination, service and title values of such queries, and then reloading them when they are needed again. The saved queries are kept for each user individually, for maximum customization. Saved queries can be used for both single device queries and group queries.
To save a traffic simulation query:
Fill in the query form.
Click Save to save the query, or click the down arrow on the Save button and then click Save as to save the query under a different name.
If you clicked Save, the query is saved. If you clicked Save as, the Save Query As dialog appears.
Type a Query Name and a Description.
Click Save.
The query is saved.
Delete saved traffic simulation queries
To delete a saved traffic simulation query:
Access the query form.
In the Select Saved queries list, select the desired query.
Click Delete query. A deletion confirmation box appears.
Click Delete. The query is deleted.
Find NAT values
AFA provides the ability to look up all the potential translations to and/or from an IP address. This is particularly useful if you want to run a traffic simulation query, but you only know a post-NAT value. You can look up the pre-NAT value(s) with which to run the query.
Note: The results of this search include all possible translations across all NAT rules and configurations.
In the Type a single IP field, type a single IP address.
Using the IP address can be check boxes, indicate whether the IP address can be a Pre-NAT value, a Post-NAT value, or both.
Using the Discover NAT address in check boxes, indicate whether the IP address can be a Source, Destination, or both.
Click Discover. The results appear.
The results indicate the device name, the potential pre- and post-NAT values, and whether the NAT is static or dynamic.
Run a routing query
Run a routing query to see the devices in the path of a route without policy simulation.
Note: When running a routing query, NAT is ignored.
Note: Traffic simulation queries include policy simulation and take NAT into account. Consequently, they produce a more accurate path when NAT is involved (especially for a group of devices). For details, see Run traffic simulation queries.
In the Source field, type the relevant IP address or CIDR.
Note: IP ranges are not a supported format for this field.
In the Destination field, type the relevant IP address or CIDR.
Note: IP ranges are not a supported format for this field.
Click Run Simulation.
The results appear in a new window. The path of the traffic is highlighted in blue on the graphic network map. When hovering over the route, all devices in the path display a tooltip that states "Traffic is routed through this device".
Supported network object names
If your network includes object names not supported by ASMS, your traffic simulation query may return incorrect results.
Use the following regular expression to verify that all of your network object names are supported: