Got questions, feedback, or feature requests? Join our community on Slack!

Pybatfish is a Python client for Batfish.

Batfish is a network validation tool that provides correctness guarantees for security, reliability, and compliance by analyzing the configuration of network devices. It builds complete models of network behavior from device configurations and finds violations of network policies (built-in, user-defined, and best-practices).

A primary use case for Batfish is to validate configuration changes before deployment (though it can be used to validate deployed configurations as well). Pre-deployment validation is a critical gap in existing network automation workflows. By Batfish in automation workflows, network engineers can close this gap and ensure that only correct changes are deployed.

Batfish does NOT require direct access to network devices. The core analysis requires only the configuration of network devices. This analysis may be enhanced using additional information from the network such as:

• BGP routes received from external peers
• Topology information represented by LLDP/CDP

See www.batfish.org for technical information on how it works.

The Batfish YouTube channel (which you can subscribe to for new content) illustrates many types of checks. These checks span a range of network behaviors and device configuration attributes.

• Flag undefined-but-referenced or defined-but-unreferenced structures (e.g., ACLs, route maps)
• Configuration settings for MTUs, AAA, NTP, logging, etc. match templates
• Devices can only be accessed using SSHv2 and password is not null

• End-to-end reachability is not impacted for any flow after any single-link or single-device failure
• Certain services (e.g., DNS) are globally reachable

• Sensitive services can be reached only from specific subnets or devices
• Paths between endpoints are as expected (e.g., traverse a firewall, have at least 2 way ECMP, etc...)

• End-to-end reachability is identical across the current and a planned configuration
• Planned ACL or firewall changes are provably correct and causes no collateral damage for other traffic
• Two configurations, potentially from different vendors, are functionally equivalent

Follow the instructions listed in the batfish github repository

Complete documentation of pybatfish APIs is here.