Patents by Inventor Kartik Mohanram

Kartik Mohanram has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240348654
    Abstract: Security policy analysis is disclosed. Configuration information, including at least one existing policy, is received. The received configuration information is used to build a model, including by normalizing the policy. The model is used to analyze the existing policy. A result of the policy analysis is provided as output.
    Type: Application
    Filed: January 31, 2024
    Publication date: October 17, 2024
    Inventors: Navneet Yadav, Kartik Mohanram, Nilesh Maheshwari, Kesava Srinivas Vunnava, Nishit Paresh Kothari, Thirumal Reddy Mavillapally
  • Publication number: 20240348627
    Abstract: Techniques for an Application Access Analyzer are disclosed. In some embodiments, a system/process/computer program product for an Application Access Analyzer includes monitoring access to an application over a network; automatically determining a root cause of an issue (e.g., an anomaly in network connectivity, performance degradation, and/or a permission denial and/or policy blocking) associated with the access to the application over the network for a user (e.g., or a group of users) using an application access analyzer; and performing an action in response to determining the root cause of the issue associated with the access to the application over the network.
    Type: Application
    Filed: January 31, 2024
    Publication date: October 17, 2024
    Inventors: Sameer D. Merchant, Iqrar Jabbar Patel, Dinesh Ranjit, Rajesh Bhagwat, Shivangi Indradeo Sharma, Kartik Mohanram, Navneet Yadav
  • Publication number: 20240348653
    Abstract: Security policy analysis is disclosed. Configuration information, including at least one policy, is received. The received configuration information is used to build a model, including by normalizing the policy. The policy is used to perform a policy analysis, including by performing a pre-change analysis associated with a proposed policy change. A result of the policy analysis is provided as output.
    Type: Application
    Filed: January 31, 2024
    Publication date: October 17, 2024
    Inventors: Navneet Yadav, Kartik Mohanram, Nilesh Maheshwari, Kesava Srinivas Vunnava, Nishit Paresh Kothari, Thirumal Reddy Mavillapally
  • Publication number: 20240348664
    Abstract: Security policy analysis is disclosed. Configuration information, including at least one policy, associated with a live production security appliance, is received. The received configuration information is used to instantiate the policy in a sandbox environment. The sandbox environment is used to evaluate a proposed change to the configuration information, including by building a model using the received configuration information.
    Type: Application
    Filed: January 31, 2024
    Publication date: October 17, 2024
    Inventors: Kartik Mohanram, Navneet Yadav
  • Publication number: 20240146774
    Abstract: In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.
    Type: Application
    Filed: October 26, 2023
    Publication date: May 2, 2024
    Inventors: Advait Dixit, Navneet Yadav, Navjyoti Sharma, Ramana Rao Kompella, Kartik Mohanram
  • Patent number: 11888603
    Abstract: In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.
    Type: Grant
    Filed: January 25, 2021
    Date of Patent: January 30, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Advait Dixit, Navneet Yadav, Navjyoti Sharma, Ramana Rao Kompella, Kartik Mohanram
  • Publication number: 20230236912
    Abstract: Systems, methods, and computer-readable media for fault code aggregation across application-centric dimensions. In an example embodiment, a system obtains respective fault codes corresponding to one or more network devices in a network and maps the one or more network devices and/or the respective fault codes to respective logical policy entities defined in a logical policy model of the network, to yield fault code mappings. The system aggregates the one or more of the fault code mappings along respective logical policy dimensions in the network to yield an aggregation of fault codes across respective logical policy dimensions and, based on the aggregation, presents, for each of the respective logical policy dimensions, one or more hardware-level errors along the respective logical policy dimension.
    Type: Application
    Filed: March 7, 2023
    Publication date: July 27, 2023
    Inventors: John Thomas Monk, Kartik Mohanram, Ramana Rao Kompella, Sundar Iyer
  • Patent number: 11645131
    Abstract: Systems, methods, and computer-readable media for fault code aggregation across application-centric dimensions. In an example embodiment, a system obtains respective fault codes corresponding to one or more network devices in a network and maps the one or more network devices and/or the respective fault codes to respective logical policy entities defined in a logical policy model of the network, to yield fault code mappings. The system aggregates the one or more of the fault code mappings along respective logical policy dimensions in the network to yield an aggregation of fault codes across respective logical policy dimensions and, based on the aggregation, presents, for each of the respective logical policy dimensions, one or more hardware-level errors along the respective logical policy dimension.
    Type: Grant
    Filed: July 28, 2017
    Date of Patent: May 9, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: John Thomas Monk, Kartik Mohanram, Ramana Rao Kompella, Sundar Iyer
  • Patent number: 11563645
    Abstract: Systems, methods, and computer-readable media for receiving one or more models of network intents, comprising a plurality of contracts between providers and consumers, each contract containing entries with priority values. Each contract is flattened into a listing of rules and a new priority value is calculated. The listing of rules encodes the implementation of the contract between the providers and the consumers. Each entry is iterated over and added to a listing of entries if it is not already present. For each rule, the one or more entries associated with the contract from which the rule was flattened are identified, and for each given entry a flat rule comprising the combination of the rule and the entry is generated, wherein a flattened priority is calculated based at least in part on the priority value of the given entry and the priority value of the rule.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: January 24, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Advait Dixit, Ramana Rao Kompella, Kartik Mohanram, Sundar Iyer, Shadab Nazar, Chandra Nagarajan
  • Patent number: 11303531
    Abstract: Systems, methods, and computer-readable media for generating counterexamples for equivalence failures between models of network intents. A listing of conflict rules corresponding to an equivalence failure between at least first and second models of network intents describing the operation and communication of network devices in a network is obtained. A logical exclusive disjunction between first conflict rules from the first model and corresponding second conflict rules from the second model is calculated. One or more counterexamples corresponding to the equivalence failure are generated based at least in part on the logical exclusive disjunction, such that a given counterexample comprises network and packet conditions that cause the first conflict rules to trigger a first action and cause the second conflict rules to trigger a second action that is different from the first action. Hot fields that are more likely to be associated with the equivalence failure are identified in the counterexample.
    Type: Grant
    Filed: March 2, 2020
    Date of Patent: April 12, 2022
    Assignee: CISCO TECHNOLOGIES, INC.
    Inventor: Kartik Mohanram
  • Patent number: 11218508
    Abstract: Systems, methods, and computer-readable media for assurance of rules in a network. An example method can include creating a compliance requirement including a first endpoint group (EPG) selector, a second EPG selector, a traffic selector, and a communication operator, the first and second EPG selectors representing sets of EPGs and the communication operator defining a communication condition for traffic associated with the first and second EPG selectors and the traffic selector. The method can include creating, for each distinct pair of EPGs, a first respective data structure representing the distinct pair of EPGs, the communication operator, and the traffic selector; creating a second respective data structure representing a logical model of the network; determining whether the first respective data structure is contained in the second respective data structure to yield a containment check; and determining whether policies on the network comply with the compliance requirement based on the containment check.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: January 4, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Advait Dixit, Navneet Yadav, Navjyoti Sharma, Ramana Rao Kompella, Kartik Mohanram
  • Patent number: 11178009
    Abstract: Systems, methods, and computer-readable media for static network policy analysis for a network. In one example, a system obtains a logical model based on configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of respective configurations of objects in the software-defined network, the objects including one or more endpoint groups, bridge domains, contexts, or tenants. The system defines rules representing respective conditions of the objects according to a specification corresponding to the software-defined network, and determines whether the respective configuration of each of the objects in the logical model violates one or more of the rules associated with that object. When the respective configuration of an object in the logical model violates one or more of the rules, the system detects an error in the respective configuration associated with that object.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: November 16, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Kartik Mohanram, Chandra Nagarajan, Sundar Iyer, Shadab Nazar, Ramana Rao Kompella
  • Patent number: 11044273
    Abstract: Systems, methods, and computer-readable media for configuring and verifying compliance requirements in a network.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: June 22, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Advait Dixit, Navneet Yadav, Navjyoti Sharma, Ramana Rao Kompella, Kartik Mohanram
  • Publication number: 20210152607
    Abstract: In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.
    Type: Application
    Filed: January 25, 2021
    Publication date: May 20, 2021
    Inventors: Advait Dixit, Navneet Yadav, Navjyoti Sharma, Ramana Rao Kompella, Kartik Mohanram
  • Publication number: 20210144069
    Abstract: Systems, methods, and computer-readable media for receiving one or more models of network intents, comprising a plurality of contracts between providers and consumers, each contract containing entries with priority values. Each contract is flattened into a listing of rules and a new priority value is calculated. The listing of rules encodes the implementation of the contract between the providers and the consumers. Each entry is iterated over and added to a listing of entries if it is not already present. For each rule, the one or more entries associated with the contract from which the rule was flattened are identified, and for each given entry a flat rule comprising the combination of the rule and the entry is generated, wherein a flattened priority is calculated based at least in part on the priority value of the given entry and the priority value of the rule.
    Type: Application
    Filed: January 20, 2021
    Publication date: May 13, 2021
    Inventors: Advait Dixit, Ramana Rao Kompella, Kartik Mohanram, Sundar Iyer, Shadab Nazar, Chandra Nagarajan
  • Patent number: 10951477
    Abstract: Systems, methods, and computer-readable media for identifying conflict rules between models of network intents. A first and second model of network intents are obtained, the models describing the operation and communication between one or more network devices in a network. A logical exclusive disjunction between the first and second models is calculated over the space of possible packet conditions and network actions defined by models, without enumerating all possible packet conditions and network actions. It is detected whether the models are in conflict with respect to at least a first network device. If the models are in conflict, it is determined whether a given rule of a plurality of rules associated with the first model is a conflict rule. The determining comprises calculating the intersection between the given rule and the logical exclusive disjunction, wherein the given rule is a conflict rule if the calculated intersection is non-zero.
    Type: Grant
    Filed: October 7, 2019
    Date of Patent: March 16, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: Kartik Mohanram
  • Patent number: 10911495
    Abstract: In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: February 2, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Advait Dixit, Navneet Yadav, Navjyoti Sharma, Ramana Rao Kompella, Kartik Mohanram
  • Patent number: 10904101
    Abstract: Systems, methods, and computer-readable media for receiving one or more models of network intents, comprising a plurality of contracts between providers and consumers, each contract containing entries with priority values. Each contract is flattened into a listing of rules and a new priority value is calculated. The listing of rules encodes the implementation of the contract between the providers and the consumers. Each entry is iterated over and added to a listing of entries if it is not already present. For each rule, the one or more entries associated with the contract from which the rule was flattened are identified, and for each given entry a flat rule comprising the combination of the rule and the entry is generated, wherein a flattened priority is calculated based at least in part on the priority value of the given entry and the priority value of the rule.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: January 26, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Advait Dixit, Ramana Rao Kompella, Kartik Mohanram, Sundar Iyer, Shadab Nazar, Chandra Nagarajan
  • Patent number: 10826788
    Abstract: Systems, methods, and computer-readable media for assurance of quality-of-service configurations in a network. In some examples, a system obtains a logical model of a software-defined network, the logical model including rules specified for the software-defined network, the logical model being based on a schema defining manageable objects and object properties for the software-defined network. The system also obtains, for each node in the software-defined network, a respective hardware model, the respective hardware model including rules rendered at the node based on a respective node-specific representation of the logical model. Based on the logical model and the respective hardware model, the system can perform an equivalency check between the rules in the logical model and the rules in the respective hardware model to determine whether the logical model and the respective hardware model contain configuration inconsistencies.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: November 3, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Chandra Nagarajan, Kartik Mohanram, Ramana Rao Kompella, Divjyot Sethi, Sundar Iyer
  • Publication number: 20200204453
    Abstract: Systems, methods, and computer-readable media for generating counterexamples for equivalence failures between models of network intents. A listing of conflict rules corresponding to an equivalence failure between at least first and second models of network intents describing the operation and communication of network devices in a network is obtained. A logical exclusive disjunction between first conflict rules from the first model and corresponding second conflict rules from the second model is calculated. One or more counterexamples corresponding to the equivalence failure are generated based at least in part on the logical exclusive disjunction, such that a given counterexample comprises network and packet conditions that cause the first conflict rules to trigger a first action and cause the second conflict rules to trigger a second action that is different from the first action. Hot fields that are more likely to be associated with the equivalence failure are identified in the counterexample.
    Type: Application
    Filed: March 2, 2020
    Publication date: June 25, 2020
    Inventor: Kartik Mohanram