Given the nature of today’s dynamic networks, it should be no surprise that firewall administrators have their hands full trying to keep their networks secure while also maintaining the highest levels of performance and uptime. So, when something goes wrong, time is of the essence to get it fixed!
Fortunately, there’s a tool for that. It’s called Packet Tracer and it's part of SolarWinds Firewall Security Manager (FSM). Packet Tracer gives you visibility into how firewall rules and routing tables control traffic across your network. The two main use cases for Packet Tracer are:
- Testing – Test configuration changes without actually implementing them in your production environment.
- Troubleshooting – Identify all devices and the device policies along the network path to see why a packet cannot reach its destination.
How Does Packet Tracer Work?
Packet Tracer utilizes a two-step approach to tracing the path of a packet. First, it finds all routable paths to the packet destination, taking into account NATing along the path. Next, on a routable path it evaluates the ACL on each device along the path to check if the device allows or drops the packet.
Packet Tracer uses virtual packets to determine reachability so you can test changes beforehand without touching (or bringing down) the production environment, as well as quickly troubleshoot traffic flow issues by identifying all devices and rules that act upon a specific packet.
Simply input a source IP address, a destination IP address, and a service (protocol and destination port number) and click Run.
Once the virtual packet is successfully traced through the network (no actual packet is being injected in the network), a Packet Tracer Report is generated. This report provides a summary of the results obtained from the trace and the path details.
The Trace Results Detail is a detailed description of a path. It contains the following data:
- A description of the path
- The entering device and entering interface of the packet
- The real destination IP address (which may be different from the packet destination IP address, due to NATing)
- The trace result for the path
- The trace results by device, which shows the effect of each device along the path on the packet.
Path Description: Paths are labeled path1, path2, etc. The path description lists the sequence of devices along the path using the following format: Source network name-> entering interface-> device name-> exiting interface-> network name, etc.
The Trace Result for the path identifies one of the following four possible outcomes:
- A routable path is found and all devices along the path allow the packet to reach its intended destination network.
- A routable path is found that ends in the packet destination, but one or more devices' ACL or NAT rules block the packet at some point along the path.
- There is no routable path for the packet to the destination because of:
- a routing conflict
- no default route in a device along the path
- routing to a disabled interface
- a routing loop
- There is no routable path for the packet to the destination because of a missing gateway.
In the Trace Results by Device section, the rows of the table are ordered by the sequence of devices along the path traced. The last column, Trace Result, shows the action (allow or deny) of the devices' ACL, NAT, and route rules on the packet passing through the device. Hyperlinks to devices in the Path Details worksheet show details of individual rules that impact the packet flow.
The Benefits of Packet Tracer
In short, the Packet Tracer feature in SolarWinds Firewall Security Manager helps you understand how your network processes traffic. You get critical insight into how firewall rules and routing tables affect traffic flow. The end result is significantly reduced configuration errors and troubleshooting time.
Experience the power of Packet Tracer for yourself by downloading a free, fully-functional trial of SolarWinds Firewall Security Manager (FSM).