
Intent Verification

Intent Verification provides the ability to define the policy and behavior of Verifications that cover security, reachability, fault tolerance, and compliance. Forward Networks Verification capabilities help network operators prevent regressions and confirm that the desired end-to-end behavior holds as the network evolves.


Types of Verifications

There are three types of network policies that can be defined. The Forward Platform refers to these as Intent Verifications. An Intent Verification can encompass a verification of end-to-end network behavior or configuration properties across a network.

Existence

Verifies that the network allows at least one possible path between source and destination. The "and back" option can be used for round-trip verification. This type of Intent Verification succeeds when at least one possible path is found.

Isolation

Verifies that the network allows no possible paths between the source and destination. This type of Intent Verification succeeds only when no paths that match the query are found.

Reachability

Verifies connectivity for all the possible combinations of sources and destination addresses (explicitly or implicitly) defined in the clauses of the path query. This type of Intent Verification succeeds only when all the combinations of paths are present in the network.
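
The pass/fail rules of the three types can be compared side by side on a small model. The following is an added example, not Forward Platform code or its API: the topology, node names and port rules are constructed for illustration, and path search is reduced to a breadth-first walk over links that forward a given TCP port.

```python
from collections import deque
from itertools import product

# Constructed toy topology (hypothetical names). Each directed link lists the
# TCP destination ports it forwards; None means any port is forwarded.
LINKS = {
    ("users", "core"): None,
    ("core", "fw"): None,
    ("internet", "fw"): None,
    ("fw", "web"): {443},
    ("web", "fw-int"): None,
    ("fw-int", "db"): {5432},
}

def path_exists(src, dst, port, links=LINKS):
    """Return True if some chain of links forwards `port` from src to dst."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for (a, b), ports in links.items():
            if a == node and b not in seen and (ports is None or port in ports):
                seen.add(b)
                queue.append(b)
    return False

def verify(kind, sources, dests, port, links=LINKS):
    """Evaluate one verification over every source/destination combination."""
    found = [path_exists(s, d, port, links) for s, d in product(sources, dests)]
    if kind == "existence":     # succeeds when at least one path is found
        return any(found)
    if kind == "isolation":     # succeeds only when no path is found
        return not any(found)
    if kind == "reachability":  # succeeds only when every combination has a path
        return all(found)
    raise ValueError(f"unknown verification type: {kind}")

if __name__ == "__main__":
    query = (["users", "internet"], ["web", "db"], 443)
    for kind in ("existence", "isolation", "reachability"):
        print(kind, verify(kind, *query))
    # Isolation as a regression guard: web must not reach db on a blocked port.
    print("web->db:22 isolated", verify("isolation", ["web"], ["db"], 22))
```

The same query passes as Existence and fails as Reachability because only some source/destination pairs have a path, which is why the choice of type matters as much as the query itself.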

Examples of Useful Policies

Every network requires a different set of Intent Verifications to represent the desired policy. We suggest talking to key stakeholders in the security, applications, and network architecture/engineering teams to find the most critical policy goals for the network. We suggest getting started by identifying mission-critical application traffic flows that should always be enabled.

Examples of Existence Verifications include:

  • Traffic from user subnets to mission-critical servers with the appropriate TCP/UDP port defined.
  • Front-end web servers can talk to back-end servers only on specific ports, and are isolated otherwise.
  • Servers in one data center can do backups to a backup server or can do replication to servers in another DC.

Next, we suggest defining isolation policies to represent any traffic that should always be blocked. Existing firewall policies can be an excellent source of potential Intent Verifications.

Examples of Isolation Verifications include:

  • Front-end web servers cannot talk to back-end servers on blocked ports.
  • Traffic from the internet should not be able to directly reach internal servers.

Finally, we suggest going through the list of Predefined Verifications and identifying those that apply to your network.

Creating New Intent Verifications

There are two ways to turn policies into Intent Verifications.

Forward GUI

We recommend getting started with the Forward Networks GUI, which helps you quickly define valid Intent Verifications through an intuitive wizard-based process.

You can create your first Intent Verification by navigating to the Intent page in the Verify application. The Intent page provides some common use cases for Intent Verifications.

To create a new Verification, select Create First Intent Verification to start the wizard. Alternatively, selecting New Verification will trigger the same action.


The wizard provides an explanation of the different Intent Verification types. The process is similar for all Intent Verifications. The following example shows how to create an Existence Intent Verification.

  1. Select Existence and select Next to continue.


  2. Define your Existence Intent by creating a search query as you would do in a Path Analysis query. Select Next to continue.


  3. Provide a Verification Name, desired Intent, one or more optional Tags and set the Priority level. The Active toggle button provides an option to enable or disable the Intent Verification. By default, the Verification is enabled. Select Create Intent to complete the process. If the Verification was enabled, the Forward Platform will immediately process it.


Forward REST APIs

Alternatively, you can use the Forward REST APIs to automate the creation and deletion of Intent Verifications, using a JSON data format.

Forward Enterprise provides interactive documentation to understand and test API calls, as well as Python bindings to automate API usage. Please check the Checks REST API docs for examples of JSON content for the API calls.


Editing Existing Intent Verifications

To edit an existing Verification, locate it within the list of available Verifications and select the Edit icon.

Selecting the Additional Options Menu icon displays the following options:

  • Copy query to clipboard - Copy the Verification's query to the clipboard
  • Move to - Move Verification to a different directory
  • Delete - Delete the selected Verification


To edit multiple Verifications at once, mark the checkboxes of each selected Verification in the list. Doing so will enable the following actions:

  • Delete - Delete all selected Verifications
  • Move to - Move all selected Verifications to a different directory.
  • Change Priority to - Edit the priority levels of all selected Verifications to low, medium, or high.


Creating a Verification Directory

Intent Verifications can be moved into separate directories to help with organizing and grouping large numbers of Verifications. To create a new directory, select New Directory in the Intent Verification page, enter a name for the directory and select Save. The new directory should now be visible under the All Verifications directory.


Editing a Verification Directory

To view additional options for editing a directory, hover the mouse cursor over the name of the directory you want to edit to reveal the Additional Options Menu icon.


Selecting the Additional Options Menu icon provides the following additional options:

  • Rename - Edit the name of the directory.
  • New Verification - Create a new Verification within the selected directory
  • New Directory - Create a new directory within the selected directory
  • Move to - Move selected directory to another location
  • Delete directory - Delete the selected directory. All Verifications within the deleted directory will be moved to the parent directory.

Downloading a Report

To download the latest Intent Verification report, select the Additional Options Menu icon and click Download Report.


The report is provided in the form of a spreadsheet and will only include the Verifications displayed in the table, within the currently selected directory. Each row will provide information on the following properties:

  • ID
  • Type
  • Priority
  • Name
  • Check
  • Result
  • Run time, ms
  • Notes
