Network Path Analysis and Troubleshooting

Visualize and analyze end-to-end network paths in real time to detect misconfigurations, resolve connectivity issues, and validate policy enforcement across hybrid environments.

When connectivity breaks down, you need to see exactly how traffic moves through the network and where it is routed, filtered, or blocked.

Network Path Analysis and Troubleshooting guides you through using SecureTrack to:

  • Resolve connectivity and enforcement issues with precise traffic path visibility.

  • Analyze traffic flows across routing and policy enforcement points in real time.

  • Accelerate troubleshooting with real-time end-to-end path validation.

Why this matters
  • Reduce the time spent isolating connectivity and enforcement issues.

  • Identify where traffic is routed, filtered, or blocked across the network path.

  • Improve operational efficiency with precise end-to-end traffic path visibility.

  • Support faster validation of network behavior across on-premises, cloud, and hybrid environments.

Who this is for
  • Network engineers responsible for maintaining and updating network topology

  • System administrators responsible for maintaining device visibility and continuous sync health

  • Cloud engineers validating hybrid network representation.

Key capabilities

Network Path Analysis and Troubleshooting leverages key features in SecureTrack:

Prerequisites

Step 1: Perform Path Analysis

Start by collecting a representative set of access queries that you can analyze in TOS to validate network paths.

Use SecureTrack's Map to visualize your network environment and run path analysis.

Collect sample access queries

Collect access queries from different geographical regions, zones, or data centers in your organization. Use queries that represent actual traffic scenarios in production environments.

Run path analysis for queries

Analyze how TOS derives the network path for each query. Run each query individually to see how routing, NAT, and firewall policy logic contribute to the derived result.

  • In Map, click Path Analysis and enter the details of the query.

  • For a more detailed result, in Path Analysis, select Trace Mode to trace the route the traffic takes from source to destination.

See:

Run a path query

Manage path queries

Path Analysis

Step 2: Troubleshoot path analysis results

If the path analysis result does not match the expected network behavior, troubleshoot the issue based on the type of problem: inaccurate paths or incomplete paths.

For the detailed topology correction procedures used in this step, see the relevant tasks in Network Mapping and Visualization, then rerun the path query.

Troubleshoot inaccurate paths

Use this process when the path does not reflect the actual network flow.

  1. Dynamic data: Verify that Dynamic data is enabled for the device and that the most recent data was successfully retrieved.

    1. Identify if Dynamic data is enabled: In Map, click the device and expand the Info tab. Check if Dynamic data displays Enable.

    2. If not enabled, go to Monitoring > Manage Devices, and edit the device configuration to select the option.

  2. Hop-by-hop validation: When dynamic data is enabled, trace each hop in the path from source to destination to confirm that the ingress and egress interfaces at each device match the actual traffic flow.

  3. Repeat steps 1 and 2 until the path is accurate and reflects the actual network flow.

  4. Handle Layer 2 scenarios: If a missing firewall or hop is a Layer 2 device, gather the connected Layer 3 information and complete the Layer 2 segmentation in the topology.
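
The hop-by-hop check in step 2 can be cross-checked offline against routing tables pulled from the devices themselves. The following is an added example, not Tufin code and not a TOS export format: it runs a longest-prefix match for the destination on each hop and reports every hop whose egress interface in the rendered path disagrees with the device's own routing table. The device names, interface names, prefixes, and data layout are constructed for illustration, and only egress interfaces are checked.

```python
import ipaddress

# Constructed sample data (hypothetical layout, not a TOS export):
# per-device routing tables as (prefix, egress interface) pairs.
ROUTES = {
    "fw-edge": [("0.0.0.0/0", "eth0"), ("10.0.0.0/8", "eth1"),
                ("10.20.0.0/16", "eth2")],
    "rtr-core": [("10.20.30.0/24", "ge-0/0/1"), ("10.20.0.0/16", "ge-0/0/2")],
    "fw-dc": [("10.20.30.0/24", "port3")],
}

# Path as shown by path analysis, transcribed by hand:
# (device, ingress interface, egress interface). Constructed values.
DERIVED_PATH = [
    ("fw-edge", "eth0", "eth2"),
    ("rtr-core", "ge-0/0/0", "ge-0/0/2"),
    ("fw-dc", "port1", "port3"),
]

def best_route(routes, dst):
    """Longest-prefix match: return (network, interface), or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def validate_path(path, routes, dst):
    """Return (hop number, device, reason) for each hop that fails the check."""
    findings = []
    for hop, (device, _ingress, egress) in enumerate(path, start=1):
        table = routes.get(device)
        if table is None:
            findings.append((hop, device, "no routing data"))
            continue
        match = best_route(table, dst)
        if match is None:
            findings.append((hop, device, "no route to destination"))
        elif match[1] != egress:
            findings.append((hop, device,
                             f"expected egress {match[1]} via {match[0]}, "
                             f"path shows {egress}"))
    return findings

if __name__ == "__main__":
    for finding in validate_path(DERIVED_PATH, ROUTES, "10.20.30.40"):
        print(finding)
```

A finding on a hop points to the device whose dynamic data or topology entry to review before rerunning the path query.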

See:

Topology intelligence

Trace path route

Transparent firewalls

Resolve incomplete paths

Use this process when the rendered path is incomplete, containing greyed-out devices or missing segments.

  • Identify broken hops: Review the path and identify the broken or greyed-out hop. Check whether Dynamic data is enabled and current.

  • Analyze device configuration: Drill down into the affected device and verify its routing and interface data. If needed, repeat the check on the previous hop.

  • Link unmonitored clouds: Look for missing cloud joins or unmodeled segments.

    Add the required connections using Join Cloud for external providers or Generic Device for SD-WAN or unmanaged devices.

  • VPN gaps: If the path includes a VPN, gather the VPN peer information and model the tunnel by using Generic VPN settings.

See:

Show routes for monitored devices

Show interfaces for monitored devices

Investigate incomplete paths

Investigate partial paths

Join Clouds

Generic route-Based VPN connections

Step 3: Resolve HA device issues

Your network paths can include HA (High Availability) devices with sync interfaces that do not participate in actual traffic, or devices with multiple interfaces that share the same IP address. When included in path analysis, such devices generate false path links. Separate these passive interfaces so the path reflects only active interfaces.

  • Use Split Networks to separate these interfaces and avoid false path links.

See Joining or splitting subnets.

Step 4: Add generic NAT information

If a device in your topology does not support NAT modeling, use Generic NAT functionality to manually insert required NAT details into the path logic.

First, check SecureTrack Features by Vendor to see whether your device supports NAT modeling. Generic NAT is supported only for devices that are modeled in TOS as Generic Devices.

  • Add the NAT rules to a CSV file to import into TOS.

See Generic NAT Information.

Step 5: Generate change reports

If the network path appears to be correct, but the access result (Allow/Deny) does not align with expectations—particularly after implementing a new access rule—change tracking reports can help identify potential discrepancies.

Change tracking reports are especially useful for troubleshooting access failures due to recent configuration changes:

New Revision Report

Highlights the latest changes to network or firewall configurations that may have impacted access.

Advanced Change Report

Detailed policy changes for selected devices.

See:

New Revision Report

Advanced Change Report

Step 6: Use TufinMate for IT

TufinMate is a Security Copilot plugin that pulls information from the Tufin Orchestration Suite (TOS), and returns details such as permitted network access paths, firewall rule compliance, rule permissiveness, and last hit data—so analysts can quickly understand how traffic is allowed to traverse the network.

TufinMate for IT provides self-service access to connectivity troubleshooting, topology insights, and access requests through Microsoft Teams.

See TufinMate for IT.