
Permit-all behavior in path search results: GUI vs API

  • 4 June 2024
  • 0 replies
  • 20 views

There is a difference in default behavior for path search results in the GUI vs the API.

For example, consider this path search:

f(10.100.0.101)(ipv4_dst.190.37.14.120)(tp_dst.80)

Notice that in the GUI, the path is shown as blocked on atl-edge-fw01.

In the API, however, the same search yields a result showing ALL the hops in the path as if the traffic were permitted through all the firewalls. In other words, the path search above entered in the API is similar to the output in the GUI for the search:

f(10.100.0.101)(ipv4_dst.190.37.14.120)(tp_dst.80)m(permit_all)

Notice that the forwardingOutcome is DELIVERED, while the securityOutcome is DENIED. This indicates that, if the traffic were permitted through all the firewalls in the path, the packet would be delivered to the destination. Any automation that consumes API path-search results should therefore check securityOutcome rather than forwardingOutcome alone before concluding that traffic is permitted.

There are two firewalls in the path that have a behavior of "ACL_DENY":

{
"srcIpLocationType": "INTERFACE_ATTACHED_SUBNET",
"dstIpLocationType": "DNAT",
"info": {
"paths": [
{
"forwardingOutcome": "DELIVERED",
"securityOutcome": "DENIED",
"hops": [
{
"deviceName": "atl-internet",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/0",
"egressInterface": "ge-0/0/2",
"behaviors": [
"L3"
]
},
{
"deviceName": "atl-isp-edge02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/2",
"egressInterface": "ge-0/0/7",
"behaviors": [
"L3",
"L2"
]
},
{
"deviceName": "atl-isp-edge01",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/7",
"egressInterface": "ge-0/0/3",
"behaviors": [
"L2"
]
},
{
"deviceName": "atl-edge-fw01",
"deviceType": "FIREWALL",
"ingressInterface": "gi0/1",
"egressInterface": "gi0/1",
"behaviors": [
"NAT",
"ACL_DENY",
"L3"
]
},
{
"deviceName": "atl-isp-edge01",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/3",
"egressInterface": "ge-0/0/7",
"behaviors": [
"L2"
]
},
{
"deviceName": "atl-isp-edge02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/7",
"egressInterface": "ge-0/0/6",
"behaviors": [
"L3"
]
},
{
"deviceName": "atl-ce02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/11",
"egressInterface": "ge-0/0/4",
"behaviors": [
"L3"
]
},
{
"deviceName": "atl-te-fw01",
"deviceType": "FIREWALL",
"ingressInterface": "ethernet1/2",
"egressInterface": "ethernet1/2",
"behaviors": [
"L3",
"ACL_DENY"
]
},
{
"deviceName": "atl-ce02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/4",
"egressInterface": "ge-0/0/7",
"behaviors": [
"L3"
]
},
{
"deviceName": "atl-app-lb01",
"deviceType": "LOADBALANCER",
"ingressInterface": "1.1",
"egressInterface": "1.1",
"behaviors": [
"NAT",
"L3",
"L2"
]
},
{
"deviceName": "atl-ce02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/7",
"egressInterface": "ae0",
"behaviors": [
"L3"
]
},
{
"deviceName": "atl-dc01-spine01",
"deviceType": "ROUTER",
"ingressInterface": "po11",
"egressInterface": "et5",
"behaviors": [
"L3"
]
},
{
"deviceName": "atl-dc01-acc05",
"deviceType": "ROUTER",
"ingressInterface": "et3",
"egressInterface": "et10",
"behaviors": [
"L3",
"L2"
]
},
{
"deviceName": "ESXi-1_vSwitch14",
"deviceType": "HYPERVISOR",
"ingressInterface": "vmnic4",
"egressInterface": "dsl01_nic1",
"behaviors": [
"L2"
]
}
]
}
],
"totalHits": {
"value": 64,
"type": "EXACT"
}
},
"returnPathInfo": {
"paths": [],
"totalHits": {
"value": 0,
"type": "LOWER_BOUND"
}
},
"timedOut": false,
"queryUrl": "*redacted*"
}

If you want to see in greater detail which security rule is blocking the traffic on each firewall, you can enable the includeNetworkFunctions flag in the API request.

Notice the more detailed output of the path search in the API with this flag enabled:

{
"srcIpLocationType": "INTERFACE_ATTACHED_SUBNET",
"dstIpLocationType": "DNAT",
"info": {
"paths": [
{
"forwardingOutcome": "DELIVERED",
"securityOutcome": "DENIED",
"hops": [
{
"deviceName": "atl-internet",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/0",
"egressInterface": "ge-0/0/2",
"behaviors": [
"L3"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ge-0/0/0"
},
"l3": {
"interfaceName": "ge-0/0/0"
}
},
"egress": {
"l2": {
"interfaceName": "ge-0/0/2"
},
"l3": {
"interfaceName": "ge-0/0/2"
}
}
}
},
{
"deviceName": "atl-isp-edge02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/2",
"egressInterface": "ge-0/0/7",
"behaviors": [
"L3",
"L2"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ge-0/0/2"
},
"l3": {
"interfaceName": "ge-0/0/2",
"vrf": "INTERNET-OUT"
}
},
"egress": {
"l2": {
"interfaceName": "ge-0/0/7"
},
"l3": {
"interfaceName": "irb.107",
"vrf": "INTERNET-OUT"
}
}
}
},
{
"deviceName": "atl-isp-edge01",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/7",
"egressInterface": "ge-0/0/3",
"behaviors": [
"L2"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ge-0/0/7"
}
},
"egress": {
"l2": {
"interfaceName": "ge-0/0/3"
}
}
}
},
{
"deviceName": "atl-edge-fw01",
"deviceType": "FIREWALL",
"ingressInterface": "gi0/1",
"egressInterface": "gi0/1",
"behaviors": [
"NAT",
"ACL_DENY",
"L3"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "gi0/1"
},
"l3": {
"interfaceName": "gi0/1.107"
}
},
"egress": {
"l2": {
"interfaceName": "gi0/1"
},
"l3": {
"interfaceName": "gi0/1.108"
}
},
"acl": [
{
"name": "out_inside",
"context": "INPUT",
"action": "DENY"
},
{
"name": "inside_different-security-level",
"context": "OUTPUT",
"action": "DENY"
}
]
}
},
{
"deviceName": "atl-isp-edge01",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/3",
"egressInterface": "ge-0/0/7",
"behaviors": [
"L2"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ge-0/0/3"
}
},
"egress": {
"l2": {
"interfaceName": "ge-0/0/7"
}
}
}
},
{
"deviceName": "atl-isp-edge02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/7",
"egressInterface": "ge-0/0/6",
"behaviors": [
"L3"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ge-0/0/7"
},
"l3": {
"interfaceName": "irb.108",
"vrf": "INTERNET-IN"
}
},
"egress": {
"l2": {
"interfaceName": "ge-0/0/6"
},
"l3": {
"interfaceName": "ge-0/0/6.108",
"vrf": "INTERNET-IN"
}
}
}
},
{
"deviceName": "atl-ce02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/11",
"egressInterface": "ge-0/0/4",
"behaviors": [
"L3"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ge-0/0/11"
},
"l3": {
"interfaceName": "ge-0/0/11.108",
"vrf": "INTERNET-IN"
}
},
"egress": {
"l2": {
"interfaceName": "ge-0/0/4"
},
"l3": {
"interfaceName": "ge-0/0/4.108",
"vrf": "INTERNET-IN"
}
}
}
},
{
"deviceName": "atl-te-fw01",
"deviceType": "FIREWALL",
"ingressInterface": "ethernet1/2",
"egressInterface": "ethernet1/2",
"behaviors": [
"L3",
"ACL_DENY"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ethernet1/2"
},
"l3": {
"interfaceName": "ethernet1/2.108"
}
},
"egress": {
"l2": {
"interfaceName": "ethernet1/2"
},
"l3": {
"interfaceName": "ethernet1/2.101"
}
},
"acl": [
{
"name": "to_app3-web-vip-default-deny",
"context": "OUTPUT",
"action": "DENY"
}
]
}
},
{
"deviceName": "atl-ce02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/4",
"egressInterface": "ge-0/0/7",
"behaviors": [
"L3"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ge-0/0/4"
},
"l3": {
"interfaceName": "ge-0/0/4.101",
"vrf": "ECOMM-1-PROD"
}
},
"egress": {
"l2": {
"interfaceName": "ge-0/0/7"
},
"l3": {
"interfaceName": "ge-0/0/7.101",
"vrf": "ECOMM-1-PROD"
}
}
}
},
{
"deviceName": "atl-app-lb01",
"deviceType": "LOADBALANCER",
"ingressInterface": "1.1",
"egressInterface": "1.1",
"behaviors": [
"NAT",
"L3",
"L2"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "1.1"
},
"l3": {
"interfaceName": "/Common/vlan101",
"vrf": "1"
}
},
"egress": {
"l2": {
"interfaceName": "1.1"
},
"l3": {
"interfaceName": "/Common/vlan101",
"vrf": "1"
}
}
}
},
{
"deviceName": "atl-ce02",
"deviceType": "ROUTER",
"ingressInterface": "ge-0/0/7",
"egressInterface": "ae0",
"behaviors": [
"L3"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "ge-0/0/7"
},
"l3": {
"interfaceName": "ge-0/0/7.101",
"vrf": "ECOMM-1-PROD"
}
},
"egress": {
"l2": {
"interfaceName": "ae0"
},
"l3": {
"interfaceName": "ae0.101",
"vrf": "ECOMM-1-PROD"
}
}
}
},
{
"deviceName": "atl-dc01-spine01",
"deviceType": "ROUTER",
"ingressInterface": "po11",
"egressInterface": "et5",
"behaviors": [
"L3"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "po11"
},
"l3": {
"interfaceName": "po11.101",
"vrf": "ECOMM-1-PROD"
}
},
"egress": {
"l2": {
"interfaceName": "et5"
},
"l3": {
"interfaceName": "et5.101",
"vrf": "ECOMM-1-PROD"
}
}
}
},
{
"deviceName": "atl-dc01-acc05",
"deviceType": "ROUTER",
"ingressInterface": "et3",
"egressInterface": "et10",
"behaviors": [
"L3",
"L2"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "et3"
},
"l3": {
"interfaceName": "et3.101",
"vrf": "ECOMM-1-PROD"
}
},
"egress": {
"l2": {
"interfaceName": "et10"
},
"l3": {
"interfaceName": "vlan251",
"vrf": "ECOMM-1-PROD"
}
}
}
},
{
"deviceName": "ESXi-1_vSwitch14",
"deviceType": "HYPERVISOR",
"ingressInterface": "vmnic4",
"egressInterface": "dsl01_nic1",
"behaviors": [
"L2"
],
"networkFunctions": {
"ingress": {
"l2": {
"interfaceName": "vmnic4"
}
},
"egress": {
"l2": {
"interfaceName": "dsl01_nic1"
}
}
}
}
]
}
],
"totalHits": {
"value": 64,
"type": "EXACT"
}
},
"returnPathInfo": {
"paths": [],
"totalHits": {
"value": 0,
"type": "LOWER_BOUND"
}
},
"timedOut": false,
"queryUrl": "*redacted*"
}
