Network Path Analysis and Troubleshooting
Visualize and analyze end-to-end network paths in real time to detect misconfigurations, resolve connectivity issues, and validate policy enforcement across hybrid environments.
When connectivity breaks down, you need to see exactly how traffic moves through the network and where it is routed, filtered, or blocked. Use Network Path Analysis and Troubleshooting to apply the topology and visibility you built in Network Mapping and Visualization to a specific traffic flow.
Network Path Analysis and Troubleshooting guides you through using SecureTrack to:
- Resolve connectivity and enforcement issues with precise traffic path visibility.
- Analyze traffic flows across routing and policy enforcement points in real time.
- Accelerate troubleshooting with real-time end-to-end path validation.
Why this matters
- Reduce the time spent isolating connectivity and enforcement issues.
- Identify where traffic is routed, filtered, or blocked across the network path.
- Improve operational efficiency with precise end-to-end traffic path visibility.
- Support faster validation of network behavior across on-premises, cloud, and hybrid environments.
Who this is for
- Network engineers responsible for maintaining and updating network topology.
- System administrators responsible for maintaining device visibility and continuous sync health.
- Cloud engineers validating hybrid network representation.
Key capabilities
Network Path Analysis and Troubleshooting leverages key features in SecureTrack:
- Map to visualize network elements and run path analysis
- Reports to track changes
- TufinMate for IT to troubleshoot connectivity
Prerequisites
- Successful completion of Network Mapping and Visualization
- Map with up-to-date topology data
Step 1: Perform Path Analysis
Start by collecting a representative set of access queries that you can analyze in TOS to validate network paths.
Use SecureTrack's Map to visualize your network environment and run path analysis.
Collect sample access queries
Collect access queries from different geographical regions, zones, or data centers in your organization. Use queries that represent actual traffic scenarios in production environments.
Run path analysis for queries
Analyze how TOS derives the network path for each query. Run each query individually to see how routing, NAT, and firewall policy logic contribute to the derived result.
- In Map, click Path Analysis and enter the details of the query.
- For a more detailed result, in Path Analysis, select Trace Mode to trace the route the traffic takes from source to destination.
See:
Step 2: Troubleshoot path analysis results
If the path analysis result does not match the expected network behavior, troubleshoot the issue based on the type of problem: inaccurate paths or incomplete paths.
Troubleshoot inaccurate paths
Use this process when the path does not reflect the actual network flow.
- Hop-by-hop validation: When dynamic data is enabled, trace each hop in the path from source to destination to confirm that the ingress and egress interfaces at each device match the actual traffic flow.
- If the issue is caused by stale or incomplete topology data, correct it in Step 5: Validate topology data for path analysis in Network Mapping and Visualization.
- Repeat the validation until the path is accurate and reflects the actual network flow.
See Trace path route.
Resolve incomplete paths
Use this process when the rendered path is incomplete, containing greyed-out devices or missing segments.
- Identify broken hops: Review the path and identify the broken or greyed-out hop.
- After correcting the topology data, rerun the path query.
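
The Step 2 triage above, as an added Python example that is not part of the Tufin documentation or product: it compares a modeled path with the hops observed on the live network and reports the first hop that is incomplete or inaccurate. The `Hop` record, the device names, and the interface names are constructed for illustration and are not a TOS export format.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Hop:
    # Hypothetical record; None means the model has no interface data
    # for this device (a greyed-out hop in the rendered path).
    device: str
    ingress: Optional[str]
    egress: Optional[str]

def check_path(modeled: List[Hop], observed: List[Hop]) -> Tuple[str, Optional[int], str]:
    """Return (verdict, index of first problem hop, detail)."""
    # Incomplete path: a hop whose topology data is missing must be fixed
    # first, because every later hop in the model depends on it.
    for i, hop in enumerate(modeled):
        if hop.ingress is None or hop.egress is None:
            return ("incomplete", i, f"{hop.device}: missing topology data")
    # Inaccurate path: hop-by-hop comparison of device and interfaces.
    for i, (m, o) in enumerate(zip(modeled, observed)):
        if m.device != o.device:
            return ("inaccurate", i, f"model shows {m.device}, traffic uses {o.device}")
        if (m.ingress, m.egress) != (o.ingress, o.egress):
            return ("inaccurate", i,
                    f"{m.device}: model {m.ingress}->{m.egress}, "
                    f"actual {o.ingress}->{o.egress}")
    if len(modeled) != len(observed):
        return ("inaccurate", min(len(modeled), len(observed)), "hop count differs")
    return ("accurate", None, "")

# Constructed sample data: hops confirmed on the live network.
OBSERVED = [
    Hop("core-rtr", "ge-0/0/1", "ge-0/0/2"),
    Hop("dc-fw", "eth1", "eth2"),
    Hop("cloud-gw", "eth0", "eth1"),
]
# Constructed model with a stale egress interface on the firewall.
MODELED_STALE = [OBSERVED[0], Hop("dc-fw", "eth1", "eth3"), OBSERVED[2]]
# Constructed model in which the firewall hop has no interface data.
MODELED_BROKEN = [OBSERVED[0], Hop("dc-fw", None, None), OBSERVED[2]]

if __name__ == "__main__":
    for name, model in [("stale", MODELED_STALE), ("broken", MODELED_BROKEN)]:
        print(name, check_path(model, OBSERVED))
```
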
See:
Step 3: Add generic NAT information
If a device in your topology does not support NAT modeling, use Generic NAT functionality to manually insert required NAT details into the path logic.
First, check SecureTrack Features by Vendor to see if your device supports NAT modeling. Generic NAT is supported only for devices that are modeled in TOS as Generic Devices.
- Add the NAT rules to a CSV file to import into TOS.
Step 4: Generate change reports
If the network path appears to be correct, but the access result (Allow/Deny) does not align with expectations—particularly after implementing a new access rule—change tracking reports can help identify potential discrepancies.
Change tracking reports are especially useful for troubleshooting access failures due to recent configuration changes:
New Revision Report
Highlights the latest changes to network or firewall configurations that may have impacted access.
Advanced Change Report
Detailed policy changes for selected devices.
See:
Step 5: Use TufinMate for IT
TufinMate is a Security Copilot plugin that pulls information from the Tufin Orchestration Suite (TOS), and returns details such as permitted network access paths, firewall rule compliance, rule permissiveness, and last hit data—so analysts can quickly understand how traffic is allowed to traverse the network.
TufinMate for IT provides self-service access to connectivity troubleshooting, topology insights, and access requests through Microsoft Teams.
See TufinMate for IT.