Net-Script is the only platform that traces paths through NAT, analyzes every firewall, and provisions policies — simultaneously across Cisco, Palo Alto, FortiGate, Juniper, and more.
Security engineers waste hours chasing blocked traffic, manually writing ACLs, and losing sight of policies across sprawling multi-vendor networks.
You know traffic is failing, but not which firewall is blocking it, which ACL, or which NAT translation is breaking the flow.
Pushing the same ACL rules to 15 different firewalls takes hours and introduces errors. Different syntax for every vendor makes it even worse.
Your path tracing tools break at NAT boundaries. You can't see what happens to traffic after a source or destination IP gets translated.
Net-Script gives you a complete end-to-end workflow: discover paths, analyze policies, fix issues, and verify — all in one platform, across every vendor.
Net-Script's PathFinder uses advanced BFS graph algorithms to trace the exact route traffic takes through your network — including across NAT boundaries where other tools go blind.
Dead ends are no longer dead ends. If a requested path is unreachable, the engine scans the multi-vendor routing tables to instantly find every alternate path from the source or destination that *is* currently working.
The Traffic Analyzer evaluates every firewall and ACL in the path, giving you a per-hop verdict — allow or deny — with the exact rule that matched. No more log diving.
Net-Script's Policy Provisioning engine generates and deploys vendor-specific security rules to every firewall in the path simultaneously — with previews before you push.
Every automated action belongs to a proper Change Request state machine. Bidirectionally sync with ServiceNow/Jira, calculate pre-provisioning Risk Scores based on source breadth and port sensitivity, and automate safe deployments.
Submit multiple sources, destinations, and ports in a single Connectivity Request. The platform automatically traces every path, analyzes every firewall, generates consolidated policies, and provisions fixes — all through one unified approval workflow.
The only enterprise cybersecurity platform with a 100% local, air-gapped AI powered by Ollama and Llama 3. Ask complex networking queries without leaking your data to public APIs.
Other tools stop at NAT boundaries. Net-Script translates IPs at each hop, evaluates policies with the correct pre/post-NAT addresses per vendor, and traces the complete path — no matter how complex.
Tracks source IP translations as traffic exits through NAT devices
Follows destination IP translations for inbound traffic to servers
Handles simultaneous source + destination translation in one rule
PAT/overload support — stores port data for full NAT visibility
Beyond simple scripts, Net-Script natively handles advanced enterprise routing protocols, high-availability clusters, and telemetry data tracking layers.
Dynamically resolves Active/Standby states for gateways and automatically overrides physical MAC addresses with Virtual MACs during path calculations.
Vendor-agnostic High Availability state tracking. The engine checks active/passive cluster states across Cisco, FortiGate, and Palo Alto before taking action.
Centralized monitoring dashboard securely tracking configuration ingestion health, parsed dataset readiness, and real-time topology ingestion metrics.
Deep support for advanced provider architectures. Calculates end-to-end paths across complex multi-VRF environments and nested MPLS label networks.
Traditional scripts completely break on NAT. Our engine seamlessly maps both Source and Destination translations (including PAT/Overload) directly during traffic calculations.
Native protocol handling that respects PBR next-hop overrides instead of blindly following standard routing tables. Fully supported across 7 routing and firewall vendors.
Net-Script connects natively to each vendor using the right protocol — SSH, REST API, XML API, NETCONF, or FMC API — with no additional adapters required.
SSHSSHFMC APISSHXML APIREST APINETCONF / PyEZA complete end-to-end workflow — from discovering your network to verifying that traffic flows correctly after policy changes.
Net-Script performs a multi-stage connection validation — scanning network reachability, executing protocol/port checks (SSH/API/NETCONF), and dynamically authenticating credentials to ensure 100% device readiness before pushing automation.
Net-Script securely interrogates each device to pull interfaces, routing tables, ACLs, and NAT rules. The real-time Data Statistics dashboard proves exactly what was successfully ingested.
Enter source/destination IPs to run BFS graph algorithms tracing the route — including NAT translations. We additionally support automated routing fixes via static routing configs across all vendors. When routing issues are discovered, the engine proposes topology-aware or subnet-aware fixes with L3 relationship control (modifying the proposed next-hop IP and egress interface).
10.0.1.5 → 192.168.50.10The Traffic Analyzer evaluates every firewall in the discovered path, expanding ACLs and object-groups, applying NAT-aware IP lookups, and returning a per-hop verdict.
With one click, Net-Script generates and deploys the correct vendor-specific rule to every blocking firewall — using the right pre/post-NAT IPs for each device position.
Re-run PathFinder and Traffic Analyzer to confirm that all firewalls now show ALLOW and traffic flows successfully. Full audit trail recorded.
Don't just discover routing blackholes—heal them. The platform mathematically computes zero-risk fixes using Destination-Aware Sibling Subnet validation and deploys them with automatic rollback guarantees.
When PathFinder hits a dead-end, it scans the destination device's sibling subnets to perfectly deduce the missing next-hop and interface.
No blind executions. The engine presents the exact CLI commands, confirms a Low-Risk assessment, and locks in a pre-execution rollback config.
The fix is deployed fully-threaded. The platform immediately re-runs Traffic Analysis to guarantee a 100% verified resolution.
Scaling from 10 to 10,000 devices is effortless. Organize firewalls, switches, and routers into logical Device Groups. Perform bulk actions across your entire infrastructure instance inside the clean UI.
ASA-HA) for instant filtering.
Net-Script is completely state-aware. It tracks thousands of metrics on every collection cycle to dynamically establish baselines. If a switch loses 60% of its routes or an interface drops, the engine immediately halts and flags the anomaly.
Data successfully collected. All routes, interfaces, and VRFs successfully baselined as healthy.
During the next collection cycle, Net-Script detected a critical -63% drop in active routes.
Because networks are inherently unstable, Net-Script is fully fault-tolerant. We track deep ingestion metrics over time and seamlessly fall back to "last-known-good" configurations if a device goes offline.
If a router crashes or becomes unreachable during collection, the platform doesn’t blind the automation engine. It safely caches the last known healthy state, flags it as Stale, and ensures uninterrupted Path Analysis algorithms against the last known topology.
Every single connection, packet, and baseline ingestion is graphed historically. Instantly view exactly which devices have reliable connectivity and which suffer from SSH/API timeouts via deep sparkline success rates and per-run logs.
Ensure compliance and rapid rollback. Treat your infrastructure like code with deep configuration diffing, automatic state backups, and certified exact-match validation to detect configuration drift instantly.
Safely store thousands of historical configurations. Perform ad-hoc bulk backups or rely on scheduled collections to ensure you are never caught without a fallback state.
Keep your firewalls lean and compliant. The engine automatically evaluates rules against 34 distinct compliance and security metrics, while managing the entire PCI-DSS expiration and recertification lifecycle.
Scans policies to identify fully shadowed rules, redundant overlaps, overly permissive "Any-Any" rules, and performance-draining definitions.
Enforces SOX and PCI-DSS compliance by auto-generating recertification tasks the moment rules approach their expiration dates.
Instantly locates any IP or Server across all managed firewalls, generates a targeted removal plan, and safely purges dead access.
Keep your disaster recovery site in perfect sync. Net-Script automatically replicates provisioned policies from your primary datacenter to DR firewalls — with intelligent translation mapping and continuous parity monitoring.
When a policy is provisioned on a DC firewall, Net-Script detects the DR pair, applies translation maps, and auto-provisions the equivalent rule on DR — zero manual effort.
Continuously measures how aligned DC and DR policies are with a 0–100% parity score. Scheduled checks with email alerting when parity drops below threshold.
Maps DC-specific object names and IP addresses to DR equivalents. Policies are translated before comparison and replication — network-aware, not just copy-paste.
Exclude specific policies from comparison and replication using exact match or glob patterns. Visual editor with instant preview for fine-grained exception control.
Detect unauthorized firewall changes instantly. Net-Script snapshots your known-good policy state, then automatically compares every collection cycle — flagging added, removed, or modified rules with severity-based classification.
After every device collection, post-collection hooks automatically compare current policies against baselines. Zero manual effort — drift is surfaced immediately.
Changes classified as Info (metadata), Warning (rule additions), or Critical (new allow-any rules, action changes). Compliance score calculated per device.
After successful policy provisioning, baselines are automatically updated to include the new rules. Ensures provisioned changes become the new "known-good" state.
Detects policy desync between HA firewall members. Cross-member comparison with worst-score aggregation ensures no HA peer falls out of compliance.
Beyond automation, Net-Script provides the governance controls, scheduling safeguards, naming standards, and audit trail that enterprises demand for production deployments.
Four hierarchical roles — Viewer, Operator, Approver, Admin — with per-endpoint enforcement, segregation of duties, and a role-aware UI that hides unauthorized actions.
Schedule one-time or recurring change windows with three enforcement modes (Warn, Soft, Strict). Block provisioning outside approved times with auto-generated announcements.
Centralized system event log capturing every collection, provisioning, DR sync, and drift event. Filter by category, severity, and time range with full JSON detail views.
Intelligent 3-stage engine that prevents policy sprawl by merging new rules into existing policies. Combined with customizable naming templates for all provisioned objects.
Save successful bulk provisioning jobs as reusable templates. One-click apply with override support, category tags, and visibility control for team-wide sharing.
All device and ITSM credentials encrypted at rest with Fernet AES-128. Credentials never exposed via API — same enterprise-grade encryption for ITSM tokens and device passwords.
Stop staring at CLI outputs. Net-Script builds a fully interactive D3 graph of your entire network, featuring animated path traces, HA group bubbles, and live hit-count heatmaps overlaid directly onto links.
Move beyond static topologies. Net-Script automatically surveys your dynamic routing environments, directly mapping OSPF, BGP, and EIGRP neighbor adjacencies into interactive routing domains.
Instantly visualize eBGP and iBGP neighbor states, ASN mappings, and route reflector clusters across your enterprise and WAN edges.
See your exact OSPF Area 0 backbones and stub areas. The engine identifies DR/BDR roles and highlights broken adjacencies in real time.
Easily track EIGRP neighbors, K-value mismatches, and AS boundaries, keeping your internal routing topology perfectly verified.
A unified routing map whether you use Cisco IOS/XR, Palo Alto, FortiGate, or Juniper SRX. Protocol data is normalized into a vendor-agnostic graph.
Stop spending hours tracing connectivity problems manually. Net-Script traces paths, identifies blockers, and generates the fix — in seconds, not hours.
Know exactly which firewall is blocking traffic, which rule is responsible, and what the correct fix is — without digging through logs across 10 different management consoles.
Reduce human error in policy changes. Get audit-ready change history. Deploy consistent security policies across all vendors with a single workflow.
Three-tier architecture, fully containerized. Deploy on-premise, on any cloud, or in your lab.
Our engineering roadmap is aggressively moving beyond static automation towards fully dynamic, traffic-aware simulation environments.
Simulate proposed rule changes against historical traffic to guarantee zero downtime before an engineer ever touches the "Provision" button.
Native integration with NetFlow/sFlow collectors to actively correlate live traffic against provisioned firewall rules, perfectly identifying unused legacy policies.
Complete tenant isolation and domain mapping across devices, policies, and users, tailored for MSSPs and large federated organizations.
Join the teams using Net-Script to trace paths, analyze policies, and provision controls — across every vendor in their network.
Net-Script was created to solve real problems in real multi-vendor enterprise networks. Every feature was built and validated in a live lab environment with actual Cisco, Palo Alto, FortiGate, and Juniper hardware.
The platform is built with a strict zero-regression policy — every code change is validated against 1,500+ automated tests before release.