# Invariant

## Docs

- [User Rules](AccessPolicy): Structure
- [Access-Minimization](Advanced-Cookbooks/Access-Minimization):
- [Detect-Inconsistent-Flows](Advanced-Cookbooks/Detect-Inconsistent-Flows):
- [Root-Cause-Analysis](Advanced-Cookbooks/Root-Cause-Analysis):
- [Vulnerability-Search](Advanced-Cookbooks/Vulnerability-Search):
- [Assisted-Rule-Coding](AI-LLM-Cookbooks/Assisted-Rule-Coding):
- [Invariant-In-Context](AI-LLM-Cookbooks/Invariant-In-Context):
- [Invariant-MCP-Tool](AI-LLM-Cookbooks/Invariant-MCP-Tool):
- [CLI](API/CLI):
- [Data-File-Reference-Placeholder](API/Data-File-Reference-Placeholder):
- [Overview](API/Overview):
- [PySDK](API/PySDK):
- [REST-API-Placeholder](API/REST-API-Placeholder):
- [REST API Introduction](APIOverview): Invariant offers several options for programmatic access and automation. All of the methods below allow you to control Invariant in an automated fashion, but we generally recommend using the CLI or the PySDK for most automation tasks:
- [Batfish-Resources](Appendix/Batfish-Resources):
- [Cheat-Sheets](Appendix/Cheat-Sheets):
- [Supported-Vendors](Appendix/Supported-Vendors):
- [Thank-You](Appendix/Thank-You):
- [Ingesting-Live-Snapshots](Automation-Cookbooks/Ingesting-Live-Snapshots):
- [Issue-Scanning](Automation-Cookbooks/Issue-Scanning):
- [Jenkins](Automation-Cookbooks/Jenkins):
- [Pass-Fail-Automation](Automation-Cookbooks/Pass-Fail-Automation):
- [Snapshot-Archival](Automation-Cookbooks/Snapshot-Archival):
- [API Token Management](Configuration/api_tokens): Learn how to create and delete API Tokens for programmatic access to Invariant Technology features and data.
- [GitHub Repositories Integration](Configuration/github): Learn how to connect GitHub repositories to Invariant Technology for automatic snapshot uploads and manage existing connections.
- [Configuring an Identity Provider (OIDC)](Configuration/Identity-Provider): Learn how to integrate an OpenID Connect (OIDC) Identity Provider with Invariant Technology to enable single sign-on (SSO) for your workspace users.
- [Monitor Targets for GitHub Repositories](Configuration/monitor_targets): Configure Monitor Targets to watch specific paths within your connected GitHub repositories and link them to Invariant Networks for automatic snapshot updates.
- [Network Management](Configuration/networks): Learn how to create, edit, and delete Networks in Invariant Technology. Networks are containers for snapshots of your actual network configurations.
- [Notification Group Management](Configuration/notification_groups): Configure Notification Groups in Invariant Technology to send email alerts for events on specific Networks to designated subscribers.
- [Workspace Security Settings](Configuration/security): Understand and configure security settings for your Invariant Technology workspace, including default login methods and collaboration policies for domain-managed users and external collaborators.
- [User Management](Configuration/users): Instructions for inviting new users to Invariant Technology and deleting existing user accounts.
- [Guide: critical-flow rules](Connectivity-Validation/Guide-Critical-Flow): Critical-flow rules in Invariant are designed to assert that specific, essential network traffic must always be successfully delivered. Unlike simply checking for a single path, Invariant exhaustively analyzes your network's digital twin to find any scenario—be it routing configurations, ACLs, or firewall policies—that could prevent this critical traffic from reaching its destination. This provides a strong guarantee for the reachability of your vital services.
- [Connectivity Validation Overview](Connectivity-Validation/Overview): Invariant empowers network and security teams to proactively validate network connectivity and enforce security policies using a powerful rule-based system within a digital twin environment. This ensures that critical services remain accessible and security postures are maintained, whether monitoring a live network or testing changes before deployment.
- [Jenkins Automation Demo](Get-Started/Automation): In This Demo
- [llms.txt](Get-Started/LLMs): The Invariant documentation is available in the following LLM-friendly formats:
- [Preflight Analysis Tutorial](Get-Started/Preflight-Analysis-Tutorial): In this article:
- [Quick Start](Get-Started/quick-start): CLI Installation
- [Tutorial](Get-Started/Tutorial): In this tutorial, you'll learn how to use Invariant to analyze a network snapshot and evaluate access policy rules. You will start with a skeleton snapshot that is ready for upload but contains errors. You will start by identifying and fixing these errors in the snapshot. Once the snapshot is error-free, you will then proceed to build access policies based on the corrected snapshot.
- [Build a Zero Trust deployment backlog using Invariant](Guides/Advanced-Use-Cases/Zero-Trust/build-a-zero-trust-deployment-backlog-using-invariant): Use unenforced deny-others rules in Invariant to identify existing traffic flows for Zero Trust policy creation.
- [Add a Notification Group to Invariant](Guides/Alerting-and-Notifications/add-a-notification-group-to-invariant): Notification Groups define recipients for alerts when violations occur in monitored networks.
- [Configure Live Network Alerts](Guides/Alerting-and-Notifications/send-live-network-alerts-from-invariant): Invariant automatically generates alerts when an uploaded snapshot has rule violations.
- [Authenticate using an API Token to Invariant](Guides/Automation-and-API/API-Tokens/authenticate-using-an-api-token-to-invariant): Generate an API token from the Invariant Web UI under Settings -> API Tokens. See Create an API token.
- [Create an API Token](Guides/Automation-and-API/API-Tokens/create-an-api-token): API Tokens are long-lived refresh tokens used for authenticating the Invariant CLI, SDK, or direct API calls for automation.
- [Revoke an API Token](Guides/Automation-and-API/API-Tokens/revoke-an-api-token): Revoking an API Token instantly and permanently invalidates it, preventing any further authentication using that token.
- [Configure a placeholder ISP](Guides/Core-Invariant-Tasks/Network-Modeling/configure-a-placeholder-isp): To test egress policies or default routes accurately, you may need to model external connectivity like the Internet or a private backbone. Create a JSON file at batfish/isp_config.json within your snapshot directory.
- [Reference well-known networks and services in Invariant](Guides/Core-Invariant-Tasks/Rule-Authoring/reference-wellknown-networks-and-services-in-invariant): Invariant includes built-in definitions for common IP networks (like RFC1918) and IANA well-known services (like HTTP, SSH) for convenience.
- [Use IP network and service names from Aerleon](Guides/Core-Invariant-Tasks/Rule-Authoring/use-ip-network-and-service-names-from-aerleon): Invariant natively supports network and service definition files in the Aerleon format.
- [Use IP network and service names from Capirca](Guides/Core-Invariant-Tasks/Rule-Authoring/use-ip-network-and-service-names-from-capirca): Invariant natively supports network and service definition files in the Capirca format.
- [List network snapshots using the CLI](Guides/Core-Invariant-Tasks/Snapshots/list-network-snapshots-using-the-cli): Use the invariant snapshots command to list prior snapshot analysis results for your networks.
- [List network snapshots using the UI](Guides/Core-Invariant-Tasks/Snapshots/list-network-snapshots-using-the-ui): To view network snapshots within the Invariant web interface:
- [Add a Network to Invariant](Guides/Getting-Started/add-a-network-to-invariant): Invariant Networks organize snapshots for different environments or network segments.
- [Install the Invariant CLI from source](Guides/Getting-Started/install-the-invariant-cli-from-source): Install the Invariant CLI directly from the source code repository using git and Poetry.
- [Install the Invariant CLI using pip](Guides/Getting-Started/install-the-invariant-cli-using-pip): Install the Invariant CLI using pip, the Python package installer.
- [Log in using the CLI](Guides/Getting-Started/log-in-to-invariant-using-the-cli): Use the invariant login command to authenticate the Invariant CLI with your Invariant account.
- [Package and upload a network snapshot](Guides/Getting-Started/package-and-upload-a-network-snapshot): Create the following directory structure to represent a network snapshot.
- [Detect simulated BGP changes using Invariant](Guides/Network-Validation-and-Analysis/Change-Detection/detect-simulated-bgp-changes-using-invariant): To detect changes in simulated BGP sessions between two network snapshots, fetch the bgp_session_status report for each snapshot and compare them.
- [Detect simulated IPSec tunnel changes using Invariant](Guides/Network-Validation-and-Analysis/Change-Detection/detect-simulated-ipsec-tunnel-changes-using-invariant): To detect changes in simulated IPSec tunnels between two network snapshots, fetch the ipsec_edges report for each snapshot and compare them.
- [Detect simulated OSPF changes using Invariant](Guides/Network-Validation-and-Analysis/Change-Detection/detect-simulated-ospf-changes-using-invariant): To detect changes in simulated OSPF sessions between two network snapshots, fetch the ospf_session_compatibility report for each snapshot and compare them.
- [Detect simulated route table changes using Invariant](Guides/Network-Validation-and-Analysis/Change-Detection/detect-simulated-route-table-changes-using-invariant): To detect changes in simulated route tables between two network snapshots, fetch the routes report for each snapshot and compare them.
- [Detect simulated VLAN changes using Invariant](Guides/Network-Validation-and-Analysis/Change-Detection/detect-simulated-vlan-changes-using-invariant): To detect changes in VLAN configurations between two network snapshots, fetch the vlan_properties report for each snapshot and compare them.
- [Access pass-fail validation outcome for a network snapshot](Guides/Network-Validation-and-Analysis/General-Validation/access-passfail-validation-outcome-for-a-network-snapshot): To quickly determine if a network snapshot passed all configured rules after analysis, use the invariant run command with the --condensed flag.
- [Access pass-fail validation outcome for a specific rule](Guides/Network-Validation-and-Analysis/General-Validation/access-passfail-validation-outcome-for-a-specific-rule): To check the pass/fail status of a specific access policy or critical flow rule after running invariant run, examine the relevant ok or violations report files using invariant show --json.
- [Validate ACL behavior using Invariant](Guides/Network-Validation-and-Analysis/Specific-Validations/validate-acl-behavior-using-invariant): Use Invariant Access Policy rules to verify network access control list (ACL) behavior.
- [Validate VLAN segmentation using Invariant](Guides/Network-Validation-and-Analysis/Specific-Validations/validate-vlan-segmentation-using-invariant): Use Invariant Access Policy rules to ensure proper network segmentation between VLANs.
- [Validate zone-to-zone connectivity using Invariant](Guides/Network-Validation-and-Analysis/Specific-Validations/validate-zone-to-zone-connectivity-using-invariant): Use Invariant Access Policy rules to verify required and deny disallowed traffic flows between security zones (like PCI CDE, corporate networks, and VPN ingress points).
- [Identify when an issue was first introduced using Invariant](Guides/Network-Validation-and-Analysis/Troubleshooting/identify-when-an-issue-was-first-introduced): Use Invariant historical snapshots and reports to pinpoint when a network configuration change caused an issue, like a critical flow violation due to an interface shutdown.
- [Invariant](Introduction): Invariant is a network analysis platform which can validate network configurations against user-provided rules within a fast, highly scalable, cross-vendor digital twin. Its primary function is to identify network and access control issues - connectivity loss and unwanted security gaps - preventing issues with a wide variety of root causes. It can also receive scheduled scans of the live network and generate incident alerts with attached virtual traceroutes and virtual route table diffs demonstrating the issue. As a secondary function, ad-hoc rules can be tested against the digital twin, allowing Invariant to function as a powerful security research tool, or permitting instant yes/no connectivity tests and virtual traceroutes. It also supports AWS.
- [Model-Fine-Tuning](Model-Fine-Tuning):
- [Map Screen](Network-Snapshots/Map-Screen): Invariant generates a visual network map for all uploaded network snapshots. The generated network map includes all on-prem devices, cloud network devices, and hosts. It includes any artificial additions to the network snapshot such as ISPs (see section Model Fine-Tuning).
- [Model Data Files](Network-Snapshots/Model-Network-Info): Invariant loads your network snapshot into a network simulation environment which simulates protocols like IPSec, BGP, OSPF, and others, and generates simulated route tables for all devices and VRFs. Invariant makes all aspects of this simulated network available to you through data files.
- [Network Snapshots Overview](Network-Snapshots/Overview): A Network Snapshot in Invariant is a digital twin of your network, enabling offline analysis and validation. It's constructed by Invariant using your device configuration files and other supplemental data, with Batfish as the core network modeling engine.
- [History](Network-Snapshots/Snapshot-History): Invariant keeps a history of analysis results for uploaded snapshots. The snapshot history is most useful when snapshots are organized into well-named networks - see Best Practices.
- [Access Policy](Reference/Access_Policy): An access policy does the following.
- [Create integration](Reference/API/create-integration-organization-name-api-v-1-integrations-post): Create integration
- [Create Repository Monitor](Reference/API/create-monitor-targets-organization-name-api-v-1-monitor-targets-post): Create Repository Monitor
- [Create Network](Reference/API/create-network-organization-name-api-v-1-networks-post): Create Network
- [Create Notification Group](Reference/API/create-notification-group-organization-name-api-v-1-notification-groups-post): Create Notification Group
- [Create Security Integration](Reference/API/create-security-integration-organization-name-api-v-1-security-integrations-post): Create a new security integration. This is used to create an OIDC integration.
- [Generate API Token](Reference/API/create-token-organization-name-api-v-1-tokens-post): Generate a long-lived, revokable refresh token (API token).
- [Create or invite user](Reference/API/create-user-organization-name-api-v-1-members-post): Create or invite a user in the organization.
Creating a user creates a 'managed user', a whole user account managed by this organization. An invited user is not managed by this organization. You can disallow outside user invitations in the security settings.
- [Delete Repository Monitors](Reference/API/delete-monitor-target-organization-name-api-v-1-monitor-targets-monitor-target-uuid-delete): Delete a repository monitor.
- [Delete Network](Reference/API/delete-network-organization-name-api-v-1-networks-network-uuid-delete): Delete Network
- [Delete Notification Group](Reference/API/delete-notification-group-organization-name-api-v-1-notification-groups-notification-group-uuid-delete): Delete Notification Group
- [Delete security integration](Reference/API/delete-security-integration-organization-name-api-v-1-security-integrations-integration-uuid-delete): Delete security integration
- [Revoke API token](Reference/API/delete-token-organization-name-api-v-1-token-token-uuid-delete): Revoke an API token and immediately invalidate all access tokens associated with it.
- [Get data file](Reference/API/get-report-organization-name-api-v-1-reports-report-id-get): Fetches a data file as Apache Arrow (feather). Use the 'Get report details' endpoint for a listing of constituent data files.
- [Get report details](Reference/API/get-report-summary-organization-name-api-v-1-reports-report-id-summary-get): Returns a summary of the report. Includes a listing of all data files and their row counts.
- [Get report detail (json or text)](Reference/API/get-report-summary-text-summary-organization-name-api-v-1-reports-report-id-summary-text-get): Returns a user-facing textual or JSON summary of the report. This is what users see when calling 'invariant show' in the CLI.
- [Get data file (json or text)](Reference/API/get-report-text-summary-organization-name-api-v-1-reports-report-id-text-get): Returns a user-facing textual or JSON summary of a report file.
- [Invariant Instance](Reference/API/invariant-instance):
- [List integrations](Reference/API/list-integrations-organization-name-api-v-1-integrations-get): List integrations
- [List Repository Monitors](Reference/API/list-monitor-targets-organization-name-api-v-1-monitor-targets-get): List Repository Monitors
- [List Networks](Reference/API/list-networks-organization-name-api-v-1-networks-get): List Networks
- [List Notification Groups](Reference/API/list-notification-groups-organization-name-api-v-1-notification-groups-get): List Notification Groups
- [List users](Reference/API/list-organization-members-organization-name-api-v-1-members-get): List all members of the organization. This includes both managed users and invited users.
- [List in-progress evaluation tasks](Reference/API/list-report-tasks-organization-name-api-v-1-reports-in-progress-get): List in-progress snapshot evaluation tasks.
- [List reports](Reference/API/list-reports-organization-name-api-v-1-reports-get): Reports are the results of evaluating a snapshot or testing a rule. This API lists reports. Each report contains a summary listing the result files for this report, plus an extras section condensing that information into user-friendly key-value properties.
- [List connected repositories](Reference/API/list-repositories-organization-name-api-v-1-repositories-get): List connected repositories
- [List security settings](Reference/API/list-security-settings-organization-name-api-v-1-security-settings-get): List security settings
- [List API Tokens](Reference/API/list-tokens-organization-name-api-v-1-tokens-get): List API Tokens
- [Log out](Reference/API/logout-organization-name-api-v-1-logout-post): Immediately terminate the current session. This invalidates the access token and cookie. API tokens are not affected.
- [Modify Repository Monitors](Reference/API/modify-monitor-target-organization-name-api-v-1-monitor-targets-monitor-target-uuid-post): Modify a repository monitor.
- [Modify Network](Reference/API/modify-network-organization-name-api-v-1-networks-network-uuid-post): Modify Network
- [Modify Notification Group](Reference/API/modify-notification-group-organization-name-api-v-1-notification-groups-notification-group-uuid-post): Modify Notification Group
- [Modify security integration](Reference/API/modify-security-integration-organization-name-api-v-1-security-integrations-integration-uuid-post): Modify a security integration. This is used to modify an OIDC integration.
- [Refresh integration](Reference/API/refresh-integration-organization-name-api-v-1-integrations-integration-uuid-refresh-post): Refresh integration
- [Get access token](Reference/API/refresh-organization-name-api-v-1-refresh-post): Get or refresh access token from refresh token (cookie or API Token).
- [Re-invite user](Reference/API/reissue-invitation-organization-name-api-v-1-members-user-uuid-re-invite-post): Re-invite a user to join the organization. This will send an email to the user with a link to join.
- [Re-issue managed user setup link](Reference/API/reissue-setup-link-organization-name-api-v-1-members-user-uuid-reissue-setup-link-post): Re-issue a managed member setup link. This will send an email to the user with a link to create their account.
- [Remove user](Reference/API/remove-organization-member-organization-name-api-v-1-members-user-uuid-delete): Remove a user from the organization. If the user is managed by this organization, the user account is deleted.
- [Modify a user](Reference/API/update-organization-member-organization-name-api-v-1-members-user-uuid-post): Modify user permissions and other settings.
- [Modify security policy](Reference/API/update-security-policy-organization-name-api-v-1-security-settings-post): Modify organization-level security settings.
Possible settings include whether external users can be invited into this organization, whether certain login methods are permitted by default, and whether users managed by this organization are permitted to participate in outside organizations.
- [Upload a snapshot](Reference/API/upload-snapshot-organization-name-api-v-1-uploadsnapshot-post): Create a snapshot by direct upload. This triggers snapshot evaluation and rule processing.
- [Check snapshot evaluation status](Reference/API/upload-snapshot-status-organization-name-api-v-1-uploadsnapshot-status-get): Check on the status of an in-progress snapshot evaluation task.
- [CLI](Reference/CLI): Installing the CLI
- [critical_flows_details](Reference/Output/AccessPolicy/critical_flows_details): Detailed results for all critical flow rule tests. Includes virtual traceroutes where appropriate for both passing and failing rules.
- [critical_flows_logs](Reference/Output/AccessPolicy/critical_flows_logs): Processing summary for each critical flow rule. Rules not evaluated due to errors can be found here.
- [critical_flows_ok](Reference/Output/AccessPolicy/critical_flows_ok): Passing critical flow rules.
- [critical_flows_skipped](Reference/Output/AccessPolicy/critical_flows_skipped): Invalid critical flow rules. Invariant could not evaluate these rules because some correction is needed.
- [critical_flows_violations](Reference/Output/AccessPolicy/critical_flows_violations): Failing critical flow rules. Excludes rules flagged with enforce = False - see critical_flows_violations_unenforced.
- [critical_flows_violations_unenforced](Reference/Output/AccessPolicy/critical_flows_violations_unenforced): Failing critical flow rules flagged with enforce = False.
- [policy_details](Reference/Output/AccessPolicy/policy_details): Detailed results for all access control rule tests. Includes virtual traceroutes where appropriate for both passing and failing rules.
- [policy_logs](Reference/Output/AccessPolicy/policy_logs): Processing summary for each access control rule. Rules not evaluated due to errors can be found here.
- [policy_ok](Reference/Output/AccessPolicy/policy_ok): Passing access control rules.
- [policy_skipped](Reference/Output/AccessPolicy/policy_skipped): Invalid access control rules. Invariant could not evaluate these rules because some correction is needed.
- [policy_violations](Reference/Output/AccessPolicy/policy_violations): Failing access control rules. Excludes rules flagged with enforce = False - see policy_violations_unenforced.
- [policy_violations_unenforced](Reference/Output/AccessPolicy/policy_violations_unenforced): Failing access control rules flagged with enforce = False.
- [bgp_edges](Reference/Output/BGP/bgp_edges): All BGP edges in the network.
- [bgp_peer_config](Reference/Output/BGP/bgp_peer_config): Configuration settings for each configured BGP peering on each node in the network.
- [bgp_process_config](Reference/Output/BGP/bgp_process_config): Configuration settings for each BGP process on each node and VRF in the network.
- [bgp_ribs](Reference/Output/BGP/bgp_ribs): Shows BGP routes for specified VRF and node(s).
- [bgp_session_compatibility](Reference/Output/BGP/bgp_session_compatibility): Checks the settings of each configured BGP peering and reports any issue with those settings locally or incompatibility with its remote counterparts.
- [bgp_session_status](Reference/Output/BGP/bgp_session_status): Checks whether configured BGP peerings can be established.
- [errors](Reference/Output/Errors/errors): Errors encountered during Invariant analysis.
- [loopback_multipath](Reference/Output/InconsistentTraffic/loopback_multipath): Flows between loopbacks that are treated differently (i.e., dropped versus forwarded) by different paths in the presence of multipath routing.
- [subnet_multipath](Reference/Output/InconsistentTraffic/subnet_multipath): Flows between subnets that are treated differently (i.e., dropped versus forwarded) by different paths in the network and returns example flows.
- [defined_structures](Reference/Output/ModelCreation/defined_structures): Structures defined in the network.
- [file_parse_status](Reference/Output/ModelCreation/file_parse_status): Each file's parse status: pass, fail, or partial.
- [ignored_lines](Reference/Output/ModelCreation/ignored_lines): Lines parsed but ignored by the model. This can be due to lack of support in the model, syntax errors, or other possibilities.
- [parse_warnings](Reference/Output/ModelCreation/parse_warnings): Warnings such as failure to recognize certain lines and lack of support for certain features.
- [referenced_structures](Reference/Output/ModelCreation/referenced_structures): References in configuration files to vendor-specific structures.
- [unconnected_nodes](Reference/Output/ModelCreation/unconnected_nodes): Nodes that have been created but are not connected to the network.
- [undefined_references](Reference/Output/ModelCreation/undefined_references): Finds configurations that have references to named structures (e.g., ACLs) that are not defined.
- [unused_structures](Reference/Output/ModelCreation/unused_structures): Structures such as ACLs, routemaps, etc. that are defined but not used.
- [hsrp_properties](Reference/Output/NetworkInformation/hsrp_properties): Information about HSRP Groups within the network.
- [interfaces](Reference/Output/NetworkInformation/interfaces): Interface settings across the network.
- [ip_owners](Reference/Output/NetworkInformation/ip_owners): For each node, lists the mapping from IPs to corresponding interfaces and VRFs.
- [mlag_properties](Reference/Output/NetworkInformation/mlag_properties): Information about each MLAG domain within the network.
- [named_structures](Reference/Output/NetworkInformation/named_structures): Structures defined in the configurations, represented in a vendor-independent JSON format.
- [nodes](Reference/Output/NetworkInformation/nodes): Global configuration settings for all nodes. Specific configurations for interfaces, protocols, etc. are available in other outputs.
- [routes](Reference/Output/NetworkInformation/routes): Shows routes for specified RIB, VRF, and nodes.
- [vlan_properties](Reference/Output/NetworkInformation/vlan_properties): VLAN properties configured on the network.
- [vrrp_properties](Reference/Output/NetworkInformation/vrrp_properties): Information about VRRP groups on the network.
- [ospf_area_config](Reference/Output/OSPF/ospf_area_config): Important properties for all OSPF processes running across the network.
- [ospf_interface_config](Reference/Output/OSPF/ospf_interface_config): Interface level OSPF configuration details for the interfaces in the network which run OSPF.
- [ospf_process_config](Reference/Output/OSPF/ospf_process_config): Important properties for all OSPF processes running across the network.
- [ospf_session_compatibility](Reference/Output/OSPF/ospf_session_compatibility): OSPF sessions in the network. A session is compatible if the interfaces involved are not shut down and do run OSPF, are not OSPF passive and are associated with the same OSPF area.
- [Output Overview](Reference/Output/Output): Invariant creates a set of reports for each network snapshot it analyzes. These files can be accessed using the invariant show command. By default, the show command displays the file as an interactive table, but it can also output the file as TSV or JSON.
- [probes](Reference/Output/Probes/probes): Probes are quick connectivity tests used for troubleshooting the model.
- [edges](Reference/Output/Topology/edges): Lists network adjacencies of different types (e.g., Layer 3, BGP, OSPF) in the form of edges.
- [layer_1_edges](Reference/Output/Topology/layer_1_edges): Lists Layer 1 edges after potentially normalizing node and interface names.
- [layer_3_edges](Reference/Output/Topology/layer_3_edges): All Layer 3 edges in the network.
- [Settings](Reference/Settings): Network
- [Snapshots](Reference/Snapshots): Packaging your snapshot
- [Supported Platforms](Reference/SupportedPlatforms): Invariant supports all platforms supported by Batfish. A listing of those platforms is provided in the following table. Please refer to the following pages on the Batfish documentation for additional information:
- [Rule-Language](Rule-Language):
- [Guide: deny rules](Security-Validation/Guide-Deny): Invariant deny rules are a powerful tool for enforcing your network security policy. They allow you to assert that specific types of traffic should never be successfully delivered between defined source and destination networks or locations.
- [Guide: deny-others rules](Security-Validation/Guide-Deny-Others): The deny-others rule is one of Invariant's most powerful tools for enforcing network segmentation and Zero Trust principles. It allows you to define a broad scope of traffic that should be denied by default, with specific, explicitly permitted exceptions. This guide will walk you through understanding, writing, and troubleshooting deny-others rules.
- [Security Validation Overview](Security-Validation/Overview): Invariant empowers network and security teams to rigorously validate their network configurations against defined security policies. With Invariant you can identify potential security misconfigurations, ensure compliance, and investigate network behavior without impacting the live environment. This overview explores how Invariant facilitates security validation through its rule evaluation models, various enforcement strategies, and its utility in compliance and research.
- [Understanding the User Invitation Process](User-Management/invitation): Explore how user invitations work in Invariant Technology, from initiation by an administrator to acceptance and account activation by the invited user.
- [The Role of OIDC in User Authentication](User-Management/oidc): Explore how OpenID Connect (OIDC) enhances user authentication in Invariant Technology through Single Sign-On (SSO) and centralized identity management.
- [Overview: Identity and Access in Invariant](User-Management/overview): Understand the fundamental concepts of user identity and access within Invariant Technology, including managed users and external collaborators.
- [Impact of Workspace Security Policies on Users](User-Management/security_policies): Understand how Invariant Technology's workspace security policies, such as login settings and collaborator permissions, affect user access and collaboration.