One of the greatest strengths of using a digital twin is being able to separate the routing and firewall behavior of a particular traffic flow.
For example, suppose we have a web application that is not functioning properly because traffic from the Internet cannot reach a public virtual IP that is mapped to a private IP on a top-of-rack switch on port 80.

We enter this path search in the Forward Network Search bar.
We can see immediately that the traffic is being blocked on an edge firewall (atl-edge-fw01). However, we don’t know what would happen to the traffic if it is permitted through this firewall and continues along its path.
- Are all the routing protocols properly configured to deliver the traffic to its destination?
- Is there another firewall in the path that would block the traffic?
We can answer these questions by using permit-all mode.

By enabling permit-all mode, we pose the hypothetical question “what happens to the traffic if it is permitted through all the security rules in the path?” We are able to do this in our digital twin without making changes to the actual network.
In permit-all mode, we can see that the traffic does route all the way to its destination on the top-of-rack switch.
Furthermore, we can see that traffic is also blocked by another firewall further down the path, and we highlight all security rules that apply to the traffic.
With this knowledge in hand, we know that there is not a routing configuration issue, but that two firewalls must be reconfigured to permit the traffic.
Without a digital twin, it may require multiple changes and tests to determine the issue.
Permit-all saves time and provides clarity in path analysis unique to a digital twin.
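
The difference between the two search modes can be sketched with a small path model. This is an added example, not Forward Networks' code or API: it keeps walking the route after a deny and collects every blocking rule. Every device name except atl-edge-fw01, the rule names and the addresses (documentation range 203.0.113.0/24) are constructed, and the virtual-IP-to-private-IP translation is left out.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str            # "permit" or "deny"
    dst: str               # destination prefix the rule matches
    port: Optional[int]    # None matches any port

@dataclass
class Hop:
    routes: dict                                # prefix -> next hop name, or "local"
    rules: list = field(default_factory=list)   # empty = device does no filtering

def trace(hops, start, dst, port, permit_all=False):
    """Return (outcome, [(device, rule) for every deny rule that matched])."""
    addr, blocked, current, seen = ip_address(dst), [], start, set()
    while current not in seen:
        seen.add(current)
        hop = hops[current]
        # Security decision: first matching rule wins.
        hit = next((r for r in hop.rules
                    if addr in ip_network(r.dst) and r.port in (None, port)), None)
        if hit and hit.action == "deny":
            blocked.append((current, hit.name))
            if not permit_all:          # normal search ends at the first deny
                return f"dropped at {current}", blocked
        # Routing decision: longest-prefix match, evaluated independently of the rules.
        matches = [p for p in hop.routes if addr in ip_network(p)]
        if not matches:
            return f"no route at {current}", blocked
        nxt = hop.routes[max(matches, key=lambda p: ip_network(p).prefixlen)]
        if nxt == "local":
            return f"delivered at {current}", blocked
        current = nxt
    return f"routing loop at {current}", blocked

# Constructed topology: only atl-edge-fw01 is named on the page.
PATH = {
    "atl-edge-fw01": Hop({"0.0.0.0/0": "atl-core-rtr01"},
                         [Rule("deny-inbound-web", "deny", "203.0.113.0/24", 80)]),
    "atl-core-rtr01": Hop({"203.0.113.0/24": "atl-dc-fw01"}),
    "atl-dc-fw01": Hop({"203.0.113.0/24": "atl-tor-sw01"},
                       [Rule("default-deny", "deny", "0.0.0.0/0", None)]),
    "atl-tor-sw01": Hop({"203.0.113.10/32": "local"}),
}

if __name__ == "__main__":
    for mode in (False, True):
        print("permit_all =", mode, "->", trace(PATH, "atl-edge-fw01", "203.0.113.10", 80, mode))
```

A "no route" or "routing loop" outcome in permit-all mode would point to a routing problem rather than a firewall problem, which is the distinction the mode is meant to expose.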



