#!/usr/bin/env python3
"""
ResolutionFlow Decision Trees - Batch 4: Additional Networking

Three additional networking troubleshooting trees for MSP engineers.
Imported by seed_trees_v2.py for seeding.

Trees:
1. Bandwidth / Slow Internet
2. Wireless Connectivity Problems
3. Firewall Blocking Issues
"""
from typing import Any
# =============================================================================
# Tree 1: Bandwidth / Slow Internet
# =============================================================================
def get_bandwidth_slow_internet_tree() -> dict[str, Any]:
    """Build the seed definition of the "Bandwidth / Slow Internet" tree.

    Returns a fresh dict on every call with the keys ``name``,
    ``description``, ``category`` and ``tree_structure``. The tree is made
    of three node shapes:

    * decision: ``id``, ``type``, ``question``, ``help_text``, ``options``,
      ``children``
    * action:   ``id``, ``type``, ``title``, ``description``, ``next_node_id``
    * solution: ``id``, ``type``, ``title``, ``description``

    Notes for whoever consumes this data:

    * Several ``next_node_id`` values point at nodes nested under a
      different decision node (``intermittent_result`` links to
      ``fix_bandwidth_hog``, ``fix_isp_issue`` and
      ``solution_upgrade_circuit``), so ids have to be resolved across the
      whole tree rather than among a node's own children.
    * ``lan_ok`` leads to ``check_wan_isp`` and ``wan_ok`` leads back to
      ``check_lan_saturation``, so a walk can cycle between those two checks.
    * The ``description`` strings are Markdown runbook text, including
      fenced command snippets.
    """

    # Small constructors so every node of one kind gets the same key order.
    def option(option_id: str, label: str, target: str) -> dict[str, Any]:
        return {"id": option_id, "label": label, "next_node_id": target}

    def action(node_id: str, title: str, description: str, target: str) -> dict[str, Any]:
        return {
            "id": node_id,
            "type": "action",
            "title": title,
            "description": description,
            "next_node_id": target,
        }

    def solution(node_id: str, title: str, description: str) -> dict[str, Any]:
        return {
            "id": node_id,
            "type": "solution",
            "title": title,
            "description": description,
        }

    def decision(
        node_id: str,
        question: str,
        help_text: str,
        options: list[dict[str, Any]],
        children: list[dict[str, Any]],
    ) -> dict[str, Any]:
        return {
            "id": node_id,
            "type": "decision",
            "question": question,
            "help_text": help_text,
            "options": options,
            "children": children,
        }

    # ------------------------------------------------------------------
    # Branch 1: a single user / device is slow
    # ------------------------------------------------------------------
    single_device_check = action(
        "check_single_device",
        "Diagnose Single Device Slow Internet",
        "Only one user is affected — likely a local device or connection issue.\n\n**Step 1: Speed test on the affected device**\nhttps://www.speedtest.net — note download, upload, jitter, and latency.\n\n**Step 2: Compare to another device on the same network**\nRun a speed test from another computer nearby. If the other device is fast, the issue is device-specific.\n\n**Step 3: Check connection type**\n- Wi-Fi or Ethernet? If Wi-Fi, try Ethernet to rule it out.\n- What speed does the NIC show?\n```\n# Check link speed:\nGet-NetAdapter | Select Name, LinkSpeed, Status\n```\n\n**Step 4: Check for bandwidth hogs on the device**\n- Task Manager > Performance > Open Resource Monitor > Network tab\n- Look for processes with high network usage (OneDrive sync, Windows Update, cloud backup, etc.)\n\n**Step 5: Check NIC driver**\n- Device Manager > Network adapters > check for warnings\n- Update or reinstall the NIC driver",
        "single_device_result",
    )

    single_device_fixes = [
        action(
            "fix_single_wifi",
            "Fix Single Device Wi-Fi Performance",
            "Ethernet is fast but Wi-Fi is slow on this device.\n\n**Check Wi-Fi signal strength:**\n```\nnetsh wlan show interfaces\n```\nLook at 'Signal' percentage — below 70% is problematic.\n\n**Check Wi-Fi band:**\n- 2.4GHz = longer range but slower and more congested\n- 5GHz = faster but shorter range\n- Force 5GHz: Network adapter properties > Advanced > Preferred Band\n\n**Try these fixes:**\n1. Move closer to the access point\n2. Forget and reconnect to the network\n3. Reset the Wi-Fi adapter:\n```\nnetsh winsock reset\nnetsh int ip reset\nipconfig /flushdns\n```\n4. Update or reinstall the wireless driver\n5. Check for interference (Bluetooth, USB 3.0 devices near the antenna)\n\n**If the laptop has an old/cheap Wi-Fi adapter:** An external USB Wi-Fi adapter (Wi-Fi 6) can be a quick fix.",
            "solution_single_wifi",
        ),
        solution(
            "solution_single_wifi",
            "Resolved: Single Device Wi-Fi Issue",
            "Wi-Fi performance improved on the affected device.\n\n**Ticket Notes:** User experiencing slow internet. Isolated to Wi-Fi on their device — Ethernet was full speed. Resolved by [switching to 5GHz / moving closer to AP / updating driver / resetting adapter].\n\n**If recurring:** Consider a USB Wi-Fi 6 adapter or relocating the user closer to an AP.",
        ),
        action(
            "fix_bandwidth_hog",
            "Address Bandwidth Hog Process",
            "A process on the device is consuming excessive bandwidth.\n\n**Common offenders:**\n- **OneDrive/SharePoint sync** — large initial sync or many changes\n- **Windows Update** — downloading feature updates (can be several GB)\n- **Cloud backup** (Veeam agent, Carbonite, etc.)\n- **Browser tabs** — streaming video, large downloads\n- **Antivirus** — cloud scanning or definition updates\n- **Teams/Zoom** — video call running in background\n\n**Fixes:**\n- OneDrive: Pause sync or set upload bandwidth limit (OneDrive > Settings > Network)\n- Windows Update: Pause for 7 days if it's disrupting work\n- Cloud backup: Schedule outside business hours\n- Browser: Close unnecessary tabs, check for extensions consuming bandwidth\n\n**Long-term:** Implement QoS or traffic shaping at the firewall to protect critical traffic from bulk transfers.",
            "solution_bandwidth_hog",
        ),
        solution(
            "solution_bandwidth_hog",
            "Resolved: Bandwidth Hog Identified",
            "Bandwidth restored after addressing the high-usage process.\n\n**Ticket Notes:** Slow internet on user's device caused by [process name] consuming bandwidth. [Paused sync / rescheduled backup / closed streaming tab / paused Windows Update].\n\n**Prevention:** Configure OneDrive bandwidth limits org-wide via Group Policy. Schedule backups and updates outside business hours.",
        ),
        action(
            "fix_nic_issue",
            "Fix NIC / Cable Issue",
            "Network adapter showing slow link speed or errors.\n\n**Check link speed:**\n```\nGet-NetAdapter | Select Name, LinkSpeed, Status, MediaConnectionState\n```\nExpected: 1 Gbps for Ethernet. If showing 100 Mbps or 10 Mbps — cable or port issue.\n\n**Check for errors:**\n```\nGet-NetAdapterStatistics | Select Name, ReceivedErrors, OutboundErrors, ReceivedDiscards\n```\n\n**Common causes of slow link speed:**\n- Bad Ethernet cable (bent pins, damaged cable) — try a different cable\n- Plugged into a 100Mbps switch port — check the switch\n- NIC auto-negotiation failing — try setting speed manually\n- USB docking station — many docks have 100Mbps NICs\n\n**Fix:**\n1. Try a different Ethernet cable\n2. Try a different switch port\n3. Check dock specs if using a docking station\n4. Update NIC driver\n5. If NIC is failing: replace or use a USB Ethernet adapter",
            "solution_nic_fixed",
        ),
        solution(
            "solution_nic_fixed",
            "Resolved: NIC / Cable Issue",
            "Network speed restored after fixing the NIC or cable.\n\n**Ticket Notes:** Slow internet caused by [bad cable / 100Mbps dock NIC / NIC errors / wrong switch port]. Resolved by [replacing cable / using direct Ethernet / updating driver / swapping to gigabit port].\n\n**Check:** Confirm link speed is now 1 Gbps with `Get-NetAdapter`.",
        ),
    ]

    single_device_outcome = decision(
        "single_device_result",
        "What did the single-device check reveal?",
        "Compare speed test results and device checks",
        options=[
            option("wifi_issue", "Wi-Fi is the problem — Ethernet is fast", "fix_single_wifi"),
            option("hog_found", "Found a bandwidth hog process", "fix_bandwidth_hog"),
            option("nic_issue", "NIC showing errors or slow link speed", "fix_nic_issue"),
            option("device_ok", "Device seems fine — issue may be network-wide", "check_lan_saturation"),
        ],
        children=single_device_fixes,
    )

    # ------------------------------------------------------------------
    # Branch 2: several users at one location are slow (LAN)
    # ------------------------------------------------------------------
    lan_check = action(
        "check_lan_saturation",
        "Check LAN for Saturation or Bottleneck",
        "Multiple users are slow — check if the internal network is the bottleneck.\n\n**Step 1: Speed test at the firewall/router level**\nIf possible, run a speed test from a device directly connected to the firewall. This eliminates LAN issues.\n- If speed is fine at the firewall: LAN bottleneck\n- If speed is slow at the firewall: WAN/ISP issue\n\n**Step 2: Check switch utilization**\n- Log into managed switches and check port utilization\n- Look for ports at 90%+ utilization\n- Check for CRC errors or packet drops on uplink ports\n\n**Step 3: Check for a single device saturating the LAN**\n- Is someone downloading a large file?\n- Is a server doing a backup over the LAN during business hours?\n- Is a NAS replicating?\n\n**Step 4: Check uplinks between switches**\n- Are inter-switch uplinks gigabit or 10G? If only 1G and lots of traffic, they may be saturated.\n\n**Step 5: Look for broadcast storms**\n- High CPU on switches can indicate a loop or broadcast storm\n- Check spanning tree status",
        "lan_result",
    )

    lan_fixes = [
        # NOTE(review): this node names a malware-infected device as a
        # possible cause and its guidance ends at "isolate the device
        # immediately and scan". Nothing in this tree hands the ticket to a
        # security-incident path or asks the engineer to record what was
        # observed before remediation; confirm a separate escalation tree
        # covers that case.
        action(
            "fix_lan_hog",
            "Address Device Saturating the LAN",
            "A single device is consuming most of the LAN bandwidth.\n\n**Identify the device:** Check switch port utilization or use a network monitoring tool (PRTG, Auvik, Datto RMM, etc.).\n\n**Common culprits:**\n- Server backup running during business hours\n- NAS replication job\n- Large file copy between servers\n- User downloading/uploading huge files\n- Malware-infected device generating traffic\n\n**Immediate fix:** Rate-limit or pause the offending activity.\n\n**Long-term fixes:**\n- Schedule backups outside business hours\n- Implement QoS on the firewall to prioritize business traffic\n- Segment the network (put backup traffic on its own VLAN)\n- If malware: isolate the device immediately and scan",
            "solution_lan_hog",
        ),
        solution(
            "solution_lan_hog",
            "Resolved: LAN Bandwidth Hog",
            "LAN performance restored after addressing the high-traffic device.\n\n**Ticket Notes:** Network slowdown caused by [device/server] consuming excessive LAN bandwidth due to [backup / replication / file transfer / malware]. Resolved by [pausing job / rescheduling / isolating device].\n\n**Recommendations:**\n- Schedule bulk transfers outside 8AM-6PM\n- Implement QoS policies\n- Consider network segmentation (backup VLAN)",
        ),
        action(
            "fix_uplink",
            "Fix Saturated Switch Uplink",
            "The uplink between switches (or switch to firewall) is maxed out.\n\n**Check the uplink:**\n- What speed is it? (1G, 10G?)\n- Is it a single link or LAG (link aggregation)?\n\n**Fixes:**\n- **Upgrade the uplink** to 10G if switches support it\n- **Add a second uplink** and configure Link Aggregation (LACP)\n- **Move heavy-traffic devices** to the switch closest to the firewall\n- **Implement VLANs** to keep local traffic local (e.g., printer traffic shouldn't cross uplinks)\n\n**If the firewall uplink is saturated:**\nThe internet connection itself may be too small for the number of users. See the WAN/ISP troubleshooting path.",
            "solution_uplink",
        ),
        solution(
            "solution_uplink",
            "Resolved: Switch Uplink Upgraded",
            "Uplink bottleneck resolved.\n\n**Ticket Notes:** Network slowdown caused by saturated switch uplink (was [speed]). Resolved by [upgrading to 10G / adding LACP / restructuring traffic flow].\n\n**Prevention:** Monitor uplink utilization with network monitoring tools. Set alerts at 70% sustained utilization.",
        ),
        action(
            "fix_switch_issue",
            "Fix Switch / Spanning Tree Issue",
            "Switch is showing errors, high CPU, or possible network loop.\n\n**Check for a network loop:**\n- Unmanaged switches or user-plugged patch cables are common loop sources\n- High CPU + broadcast storm symptoms: everything slows, then briefly recovers, then slows again\n- On managed switches: check spanning tree status for 'blocking' ports\n\n**Check for CRC errors:**\n- Log into managed switch\n- Show interface counters for CRC errors, runts, giants\n- Errors usually indicate bad cables, bad SFPs, or failing ports\n\n**Fix:**\n- Loop: Find and remove the offending cable/switch. Enable spanning tree (BPDU guard, loop protection)\n- CRC errors: Replace the cable or SFP on the erroring port\n- High CPU: Check for broadcast storms, ARP floods, or multicast issues\n\n**If unmanaged switches are present:** Replace with managed switches. Unmanaged switches are a major risk for loops.",
            "solution_switch_fixed",
        ),
        solution(
            "solution_switch_fixed",
            "Resolved: Switch / Network Issue",
            "Network performance restored after fixing the switch issue.\n\n**Ticket Notes:** Network slowdown caused by [loop / CRC errors / spanning tree issue / broadcast storm]. Resolved by [removing loop / replacing cable / enabling BPDU guard / replacing unmanaged switch].\n\n**Prevention:**\n- Enable BPDU guard and loop protection on all managed switches\n- Replace unmanaged switches with managed\n- Label all patch cables to prevent accidental loops",
        ),
    ]

    lan_outcome = decision(
        "lan_result",
        "Where is the LAN bottleneck?",
        "Based on speed tests and switch checks",
        options=[
            option("device_saturating", "One device is saturating the network", "fix_lan_hog"),
            option("uplink_saturated", "Switch uplink is saturated", "fix_uplink"),
            option("switch_issue", "Switch errors / spanning tree / loop", "fix_switch_issue"),
            option("lan_ok", "LAN is fine — issue is WAN/ISP", "check_wan_isp"),
        ],
        children=lan_fixes,
    )

    # ------------------------------------------------------------------
    # Branch 3: everyone at the site is slow (WAN / ISP / firewall)
    # ------------------------------------------------------------------
    wan_check = action(
        "check_wan_isp",
        "Check WAN / ISP Connection",
        "Everyone is slow — likely a WAN or ISP issue.\n\n**Step 1: Speed test from the firewall or a directly-connected device**\nCompare results to the contracted ISP speed.\n\n**Step 2: Check the ISP circuit**\n- Is the modem/ONT showing link lights?\n- Any errors on the WAN interface of the firewall?\n- Check firewall WAN interface stats for errors, drops, CRC\n\n**Step 3: Check if the ISP is having an outage**\n- https://downdetector.com — search for the ISP\n- Check ISP's status page\n- Call the ISP NOC\n\n**Step 4: Run a traceroute**\n```\ntracert 8.8.8.8\n```\nLook for high latency or timeouts at specific hops. If the first hop (firewall) is slow, it's internal. If later hops are slow, it's ISP.\n\n**Step 5: Check firewall throughput**\n- Is UTM/IPS/content filtering maxing out the firewall CPU?\n- Some firewalls slow down significantly with all security features enabled\n- Check firewall CPU and memory utilization",
        "wan_result",
    )

    wan_fixes = [
        # NOTE(review): the "document before calling" list includes a test
        # from a device plugged straight into the modem, i.e. with the
        # firewall bypassed. The text does not say to restore the normal path
        # afterwards or to limit what is connected that way.
        action(
            "fix_isp_issue",
            "Address ISP Performance Issue",
            "Speed is significantly below the contracted rate.\n\n**Document before calling the ISP:**\n- Speed test results (multiple tests, different times)\n- Traceroute showing where the slowdown is\n- WAN interface stats from the firewall\n- Test from a device directly connected to the modem (bypass firewall) to rule out internal issues\n\n**Call the ISP:**\n- Reference your circuit ID / account number\n- Report the speed discrepancy\n- Ask them to check for errors on their side, check the modem/ONT signal levels\n- Request a tech dispatch if they can't resolve remotely\n\n**If the ISP says everything looks fine on their end:**\n- Ask for the modem/ONT signal levels (SNR, attenuation)\n- Power cycle the modem/ONT\n- Check for damaged cabling from the demarc to the modem",
            "solution_isp_issue",
        ),
        solution(
            "solution_isp_issue",
            "ISP Issue Reported",
            "ISP performance issue identified and reported.\n\n**Ticket Notes:** Internet speed at [X] Mbps, contracted for [Y] Mbps. Tested from device directly connected to modem to rule out internal issues. ISP ticket opened: [ISP ticket #]. [ISP is dispatching tech / ISP found issue on their side / awaiting ISP response].\n\n**Follow-up:** Retest after ISP resolves. If this is a recurring issue, consider a secondary ISP for failover.",
        ),
        # NOTE(review): the "Quick fixes" in this node trade inspection
        # coverage for throughput: lower IPS/UTM logging verbosity, SSL deep
        # inspection off, UTM exclusions for "trusted" traffic. The matching
        # solution node records which control was changed in the ticket
        # notes, but neither node asks for client or security sign-off, a
        # scope for the exclusions, or a plan to re-enable the control once
        # the firewall is right-sized.
        action(
            "fix_firewall_bottleneck",
            "Address Firewall Throughput Bottleneck",
            "The firewall is limiting throughput — CPU is high or UTM features are reducing speed.\n\n**Check firewall CPU and memory:**\nLog into the firewall admin console and check dashboard/system status.\n\n**Common causes:**\n- UTM features (IPS, content filtering, SSL inspection) consuming too much CPU\n- Firewall hardware is undersized for the number of users/throughput\n- Firmware is outdated (newer firmware often has performance improvements)\n- Too many VPN tunnels or NAT sessions\n\n**Quick fixes:**\n- Reduce IPS/UTM logging verbosity\n- Disable SSL deep inspection if not strictly required (major CPU saver)\n- Exclude trusted traffic from UTM scanning (M365, known-good sites)\n- Update firmware\n\n**Long-term:** If the firewall is simply too small, it needs to be right-sized. Check the vendor's throughput specs with UTM enabled (not just raw firewall throughput).",
            "solution_firewall_bottleneck",
        ),
        solution(
            "solution_firewall_bottleneck",
            "Resolved: Firewall Throughput Issue",
            "Internet speed improved after addressing firewall bottleneck.\n\n**Ticket Notes:** Internet slow for all users. Firewall CPU at [X]% with UTM enabled. Resolved by [disabling SSL inspection / excluding M365 from UTM / updating firmware / reducing logging]. Speed improved from [X] to [Y] Mbps.\n\n**If firewall is undersized:** Recommend hardware upgrade. Always check vendor specs for 'threat inspection throughput' not just 'firewall throughput' — they can be 5-10x different.",
        ),
        solution(
            "solution_upgrade_circuit",
            "Recommendation: Upgrade Internet Circuit",
            "The internet connection is performing at contracted speed but is insufficient for the site.\n\n**Ticket Notes:** Internet speed matches contracted [X] Mbps but is insufficient for [Y] users at this site. Average utilization during business hours: [Z]%.\n\n**Recommendations:**\n- Current bandwidth per user: [X/Y] Mbps — industry recommendation is 25-50 Mbps per user minimum for cloud-heavy environments\n- Upgrade circuit to [recommended speed]\n- Consider adding a secondary ISP for failover and load balancing\n- In the meantime: Implement QoS to prioritize critical applications (VoIP, video conferencing) over bulk traffic\n\n**Escalate to:** Client decision-maker for circuit upgrade approval.",
        ),
    ]

    wan_outcome = decision(
        "wan_result",
        "What did the WAN/ISP check reveal?",
        "Compare speed tests to contracted speeds and check firewall stats",
        options=[
            option("isp_issue", "ISP speed is well below contracted rate", "fix_isp_issue"),
            option("firewall_bottleneck", "Firewall is the bottleneck (high CPU / UTM)", "fix_firewall_bottleneck"),
            option("circuit_too_small", "Speed matches contract but is too slow for the site", "solution_upgrade_circuit"),
            option("wan_ok", "WAN speed is fine — issue is elsewhere", "check_lan_saturation"),
        ],
        children=wan_fixes,
    )

    # ------------------------------------------------------------------
    # Branch 4: slowdowns that come and go
    # ------------------------------------------------------------------
    intermittent_check = action(
        "check_intermittent",
        "Diagnose Intermittent Slowdowns",
        "Internet speed comes and goes — hard to catch in the moment.\n\n**Step 1: Establish a baseline with continuous monitoring**\n- Set up a continuous ping to 8.8.8.8 and log results:\n```\nping -t 8.8.8.8 > C:\\Temp\\ping_log.txt\n```\n- Use a free monitoring tool: PRTG (100 sensors free) or PingPlotter\n- Let it run for 24-48 hours to catch the pattern\n\n**Step 2: Identify the pattern**\n- Same time every day? → Scheduled job (backup, updates, AV scan)\n- Random but frequent? → ISP instability, bad cable, or overheating equipment\n- Only during heavy usage? → Bandwidth is insufficient for peak demand\n\n**Step 3: Check for scheduled jobs**\n- What time do backups run?\n- When does Windows Update check/install?\n- When does AV push definitions?\n- When do cloud sync tools run full scans?\n\n**Step 4: Check hardware health**\n- Is the modem, switch, or firewall overheating? (check in a hot server room?)\n- Overheating equipment can throttle or restart intermittently",
        "intermittent_result",
    )

    # Three of the four options below jump to nodes that live under the
    # single-device and WAN branches; only the hardware outcome is local.
    intermittent_outcome = decision(
        "intermittent_result",
        "Did you identify the pattern?",
        "Review monitoring data and scheduled tasks",
        options=[
            option("scheduled_job", "Coincides with a scheduled job (backup, updates)", "fix_bandwidth_hog"),
            option("isp_instability", "ISP connection is dropping/degrading intermittently", "fix_isp_issue"),
            option("hardware_issue", "Equipment overheating or failing", "solution_hardware_issue"),
            option("peak_usage", "Happens during peak usage times", "solution_upgrade_circuit"),
        ],
        children=[
            solution(
                "solution_hardware_issue",
                "Resolved: Network Hardware Issue",
                "Intermittent slowdowns caused by failing or overheating network equipment.\n\n**Ticket Notes:** Intermittent internet slowdowns traced to [modem / switch / firewall] [overheating / failing]. [Moved equipment / improved cooling / replaced device].\n\n**Prevention:**\n- Ensure network equipment has adequate ventilation\n- Monitor equipment temperatures (SNMP sensors)\n- Replace aging equipment proactively (switches, firewalls have ~7-10 year lifespans)\n- Keep firmware updated",
            ),
        ],
    )

    # ------------------------------------------------------------------
    # Root: scope the problem, then hand off to one of the four branches
    # ------------------------------------------------------------------
    root = decision(
        "root",
        "How many users are affected by the slow internet?",
        "Scope determines whether this is a single-device issue, LAN problem, or ISP/WAN issue.",
        options=[
            option("one_user", "Just one user / one device", "check_single_device"),
            option("several_users", "Several users at the same location", "check_lan_saturation"),
            option("everyone", "Everyone at the site is slow", "check_wan_isp"),
            option("intermittent", "Intermittent — comes and goes throughout the day", "check_intermittent"),
        ],
        children=[
            single_device_check,
            single_device_outcome,
            lan_check,
            lan_outcome,
            wan_check,
            wan_outcome,
            intermittent_check,
            intermittent_outcome,
        ],
    )

    return {
        "name": "Bandwidth / Slow Internet",
        "description": "Diagnose and resolve slow internet or bandwidth issues at client sites. Covers ISP problems, LAN saturation, QoS misconfiguration, bandwidth hogs, and speed test analysis for MSP-managed environments.",
        "category": "Networking",
        "tree_structure": root,
    }
# =============================================================================
# Tree 2: Wireless Connectivity Problems
# =============================================================================
def get_wireless_connectivity_tree() -> dict[str, Any]:
|
|
"""Wireless Connectivity Problems - Networking tree."""
|
|
return {
|
|
"name": "Wireless Connectivity Problems",
|
|
"description": "Troubleshoot Wi-Fi connectivity issues including connection failures, frequent disconnects, slow wireless speeds, roaming problems, and SSID visibility. Covers both single-AP and enterprise wireless environments.",
|
|
"category": "Networking",
|
|
"tree_structure": {
|
|
"id": "root",
|
|
"type": "decision",
|
|
"question": "What is the wireless issue?",
|
|
"help_text": "Identify the specific Wi-Fi problem to narrow down the cause.",
|
|
"options": [
|
|
{"id": "cant_connect", "label": "Can't connect to Wi-Fi at all", "next_node_id": "check_cant_connect"},
|
|
{"id": "keeps_dropping", "label": "Connects but keeps disconnecting", "next_node_id": "check_drops"},
|
|
{"id": "slow_wifi", "label": "Connected but Wi-Fi is very slow", "next_node_id": "check_slow_wifi"},
|
|
{"id": "no_ssid", "label": "Wi-Fi network (SSID) not showing up", "next_node_id": "check_ssid_missing"},
|
|
{"id": "roaming_issues", "label": "Drops when moving between areas / floors", "next_node_id": "check_roaming"}
|
|
],
|
|
"children": [
|
|
{
|
|
"id": "check_cant_connect",
|
|
"type": "action",
|
|
"title": "Diagnose Wi-Fi Connection Failure",
|
|
"description": "User can't connect to the wireless network.\n\n**Step 1: Check the basics**\n- Is Wi-Fi turned on? (check hardware switch, Fn key, airplane mode)\n- Is the correct SSID selected?\n- Is the password correct? (most common issue)\n\n**Step 2: Check if other devices can connect**\n- If no devices can connect: AP or RADIUS issue\n- If only this device fails: device-specific problem\n\n**Step 3: Check the Wi-Fi adapter**\n```\nnetsh wlan show interfaces\nnetsh wlan show drivers\n```\nLook for: Radio state (on/off), supported modes, driver version.\n\n**Step 4: Forget and reconnect**\n1. Settings > Network & Internet > Wi-Fi > Manage known networks\n2. Select the network > Forget\n3. Reconnect and enter the password\n\n**Step 5: For enterprise WPA2-Enterprise / 802.1X:**\n- Is the user's certificate valid?\n- Is the RADIUS server reachable and responding?\n- Check the RADIUS server logs for rejection reasons",
|
|
"next_node_id": "cant_connect_result"
|
|
},
|
|
{
|
|
"id": "cant_connect_result",
|
|
"type": "decision",
|
|
"question": "What's preventing the connection?",
|
|
"help_text": "Based on the checks above",
|
|
"options": [
|
|
{"id": "wrong_password", "label": "Wrong password / credential issue", "next_node_id": "solution_wifi_password"},
|
|
{"id": "adapter_issue", "label": "Wi-Fi adapter disabled or driver issue", "next_node_id": "fix_wifi_adapter"},
|
|
{"id": "radius_issue", "label": "802.1X / RADIUS authentication failing", "next_node_id": "fix_radius_auth"},
|
|
{"id": "ap_issue", "label": "No devices can connect — AP issue", "next_node_id": "fix_ap_issue"}
|
|
],
|
|
"children": [
|
|
{
|
|
"id": "solution_wifi_password",
|
|
"type": "solution",
|
|
"title": "Resolved: Wi-Fi Password/Credential Issue",
|
|
"description": "User connected after fixing credentials.\n\n**Ticket Notes:** Wi-Fi connection failed due to [wrong password / expired credentials / incorrect profile]. Forgot the network, reconnected with correct credentials.\n\n**If WPA2-Enterprise:** Ensure the user's certificate hasn't expired and their domain credentials are current."
|
|
},
|
|
{
|
|
"id": "fix_wifi_adapter",
|
|
"type": "action",
|
|
"title": "Fix Wi-Fi Adapter Issue",
|
|
"description": "Wi-Fi adapter is disabled, missing, or has a driver problem.\n\n**Re-enable the adapter:**\n```\n# Check adapter status\nGet-NetAdapter -Name \"Wi-Fi\" | Select Status\n\n# Enable if disabled\nEnable-NetAdapter -Name \"Wi-Fi\"\n```\n\n**Check Device Manager:**\n- Right-click Start > Device Manager > Network adapters\n- Look for the wireless adapter — yellow warning icon means driver issue\n- Right-click > Update driver > Search automatically\n- If no wireless adapter listed: check if it's disabled in BIOS/UEFI\n\n**Reset the adapter stack:**\n```\nnetsh winsock reset\nnetsh int ip reset\nipconfig /flushdns\nipconfig /release\nipconfig /renew\n```\nRestart the computer after running these.\n\n**If driver update doesn't help:** Download the latest driver from the laptop manufacturer's website (not Windows Update).",
|
|
"next_node_id": "solution_adapter_fixed"
|
|
},
|
|
{
|
|
"id": "solution_adapter_fixed",
|
|
"type": "solution",
|
|
"title": "Resolved: Wi-Fi Adapter Fixed",
|
|
"description": "Wi-Fi adapter restored and connecting.\n\n**Ticket Notes:** Wi-Fi not connecting. Adapter was [disabled / driver corrupted / missing from Device Manager]. Resolved by [re-enabling / updating driver from manufacturer / resetting network stack].\n\n**If BIOS-disabled:** Document that the wireless was disabled in BIOS settings and re-enabled."
|
|
},
|
|
{
|
|
"id": "fix_radius_auth",
|
|
"type": "action",
|
|
"title": "Fix RADIUS / 802.1X Authentication",
|
|
"description": "Enterprise Wi-Fi authentication is failing.\n\n**Check the RADIUS server (NPS):**\n1. Event Viewer on the NPS server > Custom Views > Server Roles > Network Policy and Access Services\n2. Look for reject events — they show the reason code\n\n**Common RADIUS failures:**\n- **Certificate expired** on the user, computer, or RADIUS server\n- **User not in the allowed group** specified in the NPS policy\n- **Computer not domain-joined** (if policy requires domain membership)\n- **NPS policy mismatch** (wrong auth type, encryption settings)\n- **RADIUS shared secret mismatch** between AP and NPS server\n\n**Quick fixes:**\n1. Verify the user is in the correct security group\n2. Check certificate expiration dates\n3. Delete the Wi-Fi profile on the client and re-create it\n4. If using GPO-deployed Wi-Fi profiles: run `gpupdate /force`\n\n**Test with a known-working account** to isolate whether it's user-specific or systemic.",
|
|
"next_node_id": "solution_radius_fixed"
|
|
},
|
|
{
|
|
"id": "solution_radius_fixed",
|
|
"type": "solution",
|
|
"title": "Resolved: RADIUS Authentication Fixed",
|
|
"description": "802.1X/RADIUS authentication restored.\n\n**Ticket Notes:** Wi-Fi 802.1X authentication failing. NPS logs showed: [reason]. Resolved by [adding user to group / renewing certificate / fixing NPS policy / correcting shared secret].\n\n**If certificate-related:** Check expiration dates for:\n- NPS server certificate\n- Root CA certificate distributed to clients\n- User/computer certificates"
|
|
},
|
|
{
|
|
"id": "fix_ap_issue",
|
|
"type": "action",
|
|
"title": "Troubleshoot Access Point",
|
|
"description": "No devices can connect — the AP itself may be the problem.\n\n**Step 1: Check AP status**\n- Is the AP powered on? (check LED indicators)\n- Is the AP reachable on the network? (ping its management IP)\n- Log into the wireless controller or AP management console\n\n**Step 2: Check for common AP issues:**\n- **Power cycle the AP** — many issues resolve with a reboot\n- **PoE power** — is the switch providing enough power? (check PoE budget)\n- **DHCP pool exhausted** — clients can't get an IP (check DHCP scope)\n- **Channel congestion** — AP is on a congested channel\n- **Firmware** — is the AP firmware up to date?\n\n**Step 3: If managed by a controller:**\n- Check controller for AP status and alerts\n- Check if the AP has lost its connection to the controller\n- Is the AP's VLAN trunk configured correctly on the switch?\n\n**Step 4: Try a different AP** — swap with a known-good AP to isolate hardware failure.",
|
|
"next_node_id": "solution_ap_fixed"
|
|
},
|
|
{
|
|
"id": "solution_ap_fixed",
|
|
"type": "solution",
|
|
"title": "Resolved: Access Point Issue",
|
|
"description": "Wi-Fi connectivity restored after fixing the AP.\n\n**Ticket Notes:** No devices could connect to [SSID]. AP at [location] was [unresponsive / PoE issue / firmware crash / controller disconnect]. Resolved by [power cycle / fixing PoE / updating firmware / re-adopting to controller].\n\n**If AP hardware failure:** Replace the unit and configure the replacement."
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "check_drops",
|
|
"type": "action",
|
|
"title": "Diagnose Frequent Wi-Fi Disconnections",
|
|
"description": "User connects but keeps getting disconnected.\n\n**Step 1: Check event logs for disconnect reasons**\n```\nGet-WinEvent -LogName 'Microsoft-Windows-WLAN-AutoConfig/Operational' -MaxEvents 20 | Select TimeCreated, Message\n```\n\n**Step 2: Check signal strength during a dropout**\n```\nnetsh wlan show interfaces\n```\nSignal below 50% = likely cause of drops.\n\n**Step 3: Common causes:**\n- **Weak signal** — user is too far from the AP\n- **Interference** — microwaves, Bluetooth, cordless phones on 2.4GHz\n- **Driver power management** — Windows is turning off Wi-Fi to save power\n- **AP overloaded** — too many clients on one AP (usually 30+ causes issues)\n- **DHCP lease issues** — very short lease time causing re-auth\n- **DFS channel change** — radar detection causes AP to switch channels, dropping clients\n\n**Step 4: Disable Wi-Fi power saving**\nDevice Manager > Network adapter > Properties > Power Management > Uncheck \"Allow the computer to turn off this device to save power\"\n\nAlso: Adapter properties > Advanced > Power Save Mode > set to Maximum Performance",
"next_node_id": "drops_result"
},
{
"id": "drops_result",
"type": "decision",
"question": "What's causing the disconnections?",
"help_text": "Based on signal strength, event logs, and environment checks",
"options": [
{"id": "weak_signal", "label": "Weak signal — too far from AP", "next_node_id": "solution_weak_signal"},
{"id": "power_mgmt", "label": "Power management turning off Wi-Fi", "next_node_id": "solution_power_mgmt"},
{"id": "interference", "label": "Interference on the channel", "next_node_id": "fix_interference"},
{"id": "ap_overloaded", "label": "AP is overloaded with too many clients", "next_node_id": "solution_ap_overloaded"}
],
"children": [
{
"id": "solution_weak_signal",
"type": "solution",
"title": "Resolved: Weak Wi-Fi Signal",
"description": "Disconnections caused by weak signal in the user's area.\n\n**Ticket Notes:** Wi-Fi disconnecting due to weak signal ([X]% signal strength). User is [location], too far from nearest AP at [AP location].\n\n**Fixes applied:** [Moved user / added AP / replaced AP with higher-power model / switched to 2.4GHz for better range].\n\n**If additional coverage is needed:** Recommend a site survey to identify optimal AP placement."
},
{
"id": "solution_power_mgmt",
"type": "solution",
"title": "Resolved: Wi-Fi Power Management Disabled",
"description": "Disconnections stopped after disabling Wi-Fi power management.\n\n**Ticket Notes:** Wi-Fi disconnecting intermittently. Windows power management was turning off the wireless adapter. Disabled in Device Manager and set adapter to Maximum Performance.\n\n**To deploy org-wide:** Use Group Policy:\nComputer Config > Admin Templates > System > Power Management > set wireless adapter to Maximum Performance on AC power."
},
{
"id": "fix_interference",
"type": "action",
"title": "Address Wi-Fi Channel Interference",
"description": "Wi-Fi channel is congested or has interference.\n\n**Step 1: Scan for competing networks**\nUse a Wi-Fi analyzer app (e.g., WiFi Analyzer for Android, or inSSIDer for Windows).\n- How many SSIDs are on the same channel?\n- Are neighboring businesses on overlapping channels?\n\n**Step 2: Choose the best channel**\n- **2.4GHz:** Only use channels 1, 6, or 11 (non-overlapping). Pick the least crowded.\n- **5GHz:** More channels available — switch to a less crowded one. Avoid DFS channels if radar is an issue.\n\n**Step 3: Change the channel on the AP**\n- Log into the AP or wireless controller\n- Set the radio to the selected channel (disable auto if it keeps picking a bad one)\n\n**Step 4: Check for non-Wi-Fi interference**\n- Microwaves (2.4GHz interference)\n- Bluetooth devices\n- Cordless phones\n- USB 3.0 hubs (known to cause 2.4GHz interference)",
"next_node_id": "solution_interference_fixed"
},
{
"id": "solution_interference_fixed",
"type": "solution",
"title": "Resolved: Wi-Fi Interference",
"description": "Wi-Fi stability improved after addressing channel interference.\n\n**Ticket Notes:** Wi-Fi disconnections caused by channel interference. Changed [AP name] from channel [X] to channel [Y] on [2.4/5]GHz band. Also [removed interference source / moved microwave / switched clients to 5GHz].\n\n**Best practice:** For enterprise environments, use a wireless controller with automatic channel management. For small sites, manually set non-overlapping channels."
},
{
"id": "solution_ap_overloaded",
"type": "solution",
"title": "Resolved: AP Overloaded — Too Many Clients",
"description": "AP had too many connected clients causing instability.\n\n**Ticket Notes:** AP at [location] had [X] connected clients. Performance degrades above ~25-30 clients per AP. [Added additional AP / load balanced clients / configured band steering to push clients to 5GHz].\n\n**Recommendations:**\n- Deploy additional APs to distribute the client load\n- Enable band steering to push dual-band devices to 5GHz\n- Consider client load balancing on the wireless controller\n- Target 15-25 clients per AP for reliable performance"
}
]
},
{
"id": "check_slow_wifi",
"type": "action",
"title": "Diagnose Slow Wi-Fi Speeds",
"description": "User is connected but Wi-Fi is very slow.\n\n**Step 1: Check connection speed and signal**\n```\nnetsh wlan show interfaces\n```\nLook at: Receive/Transmit rate, Signal, Radio type, Channel\n\n**Step 2: Speed test on Wi-Fi vs Ethernet**\nRun speedtest.net on Wi-Fi, then on Ethernet. This shows how much the Wi-Fi is limiting speed.\n\n**Step 3: Check which band/standard the client is on**\n- 802.11n on 2.4GHz = max ~70Mbps real-world\n- 802.11ac on 5GHz = max ~400Mbps real-world\n- 802.11ax (Wi-Fi 6) on 5GHz = max ~600Mbps+ real-world\n\n**If connected at low rates (e.g., 54Mbps, 72Mbps):**\n- Client may be forcing an older standard\n- Adapter > Properties > Advanced > Wireless Mode > enable all standards\n- Or the AP is configured for legacy compatibility mode (slows everyone down)\n\n**Step 4: Check AP client count**\nMany clients on one AP = everyone gets slower. Over 25 clients is a concern.",
"next_node_id": "slow_wifi_result"
},
{
"id": "slow_wifi_result",
"type": "decision",
"question": "What's causing slow Wi-Fi?",
"help_text": "Compare Wi-Fi speed to Ethernet and check connection parameters",
"options": [
{"id": "old_standard", "label": "Client connected on old/slow standard (11n, 11g)", "next_node_id": "solution_upgrade_wifi_standard"},
{"id": "poor_signal", "label": "Signal is weak — degrading speed", "next_node_id": "solution_weak_signal"},
{"id": "congested_channel", "label": "Channel is congested", "next_node_id": "fix_interference"},
{"id": "too_many_clients", "label": "Too many clients on the AP", "next_node_id": "solution_ap_overloaded"}
],
"children": [
{
"id": "solution_upgrade_wifi_standard",
"type": "solution",
"title": "Resolved: Wi-Fi Standard Upgrade Needed",
"description": "Client is connecting on an older, slower Wi-Fi standard.\n\n**Ticket Notes:** User's Wi-Fi slow due to connection on [802.11n/g] instead of [802.11ac/ax]. [Updated adapter settings / replaced adapter / switched to 5GHz band].\n\n**If the AP only supports 802.11n:** Recommend upgrading to Wi-Fi 5 (802.11ac) or Wi-Fi 6 (802.11ax) APs.\n**If the client only supports 802.11n:** A USB Wi-Fi 6 adapter is an inexpensive upgrade."
}
]
},
{
"id": "check_ssid_missing",
"type": "action",
"title": "Troubleshoot Missing SSID",
"description": "The Wi-Fi network name isn't appearing in the available networks list.\n\n**Step 1: Can other devices see the SSID?**\n- If no devices see it: AP issue or SSID is disabled\n- If only this device can't see it: client-side issue\n\n**Step 2: Check if SSID is hidden**\n- Some networks are configured as hidden (SSID broadcast disabled)\n- To connect to a hidden SSID: Network & Internet > Wi-Fi > Add a network > enter the SSID manually\n\n**Step 3: Check if the correct band is supported**\n- If the SSID is only on 5GHz and the client only has 2.4GHz, it won't appear\n- Check: `netsh wlan show drivers` — look for 'Supported bands'\n\n**Step 4: Check the AP**\n- Is the SSID still configured and enabled on the AP/controller?\n- Is the AP's radio turned on?\n- Did someone accidentally delete or disable the SSID?\n\n**Step 5: Scan for networks**\n```\nnetsh wlan show networks mode=bssid\n```\nThis shows all detected networks with their channel and signal strength.",
"next_node_id": "ssid_result"
},
{
"id": "ssid_result",
"type": "decision",
"question": "Why is the SSID not visible?",
"help_text": "Based on the checks above",
"options": [
{"id": "hidden", "label": "SSID is hidden — need to connect manually", "next_node_id": "solution_hidden_ssid"},
{"id": "band_mismatch", "label": "SSID is on 5GHz, client only has 2.4GHz", "next_node_id": "solution_band_mismatch"},
{"id": "ap_ssid_down", "label": "SSID was disabled or AP radio is off", "next_node_id": "fix_ap_issue"},
{"id": "client_driver", "label": "Client Wi-Fi driver issue — can't scan", "next_node_id": "fix_wifi_adapter"}
],
"children": [
{
"id": "solution_hidden_ssid",
"type": "solution",
"title": "Resolved: Connected to Hidden SSID",
"description": "Network was configured as a hidden SSID. Connected manually.\n\n**Ticket Notes:** Wi-Fi SSID [name] not appearing because SSID broadcast is disabled. Connected manually by adding the network profile.\n\n**Note:** Hidden SSIDs are not more secure — they actually cause the client to broadcast the SSID name while probing. Consider enabling SSID broadcast and using proper WPA2/3 Enterprise for security."
},
{
"id": "solution_band_mismatch",
"type": "solution",
"title": "Resolved: Band Mismatch",
"description": "Client doesn't support the frequency band the SSID is on.\n\n**Ticket Notes:** SSID [name] is configured on 5GHz only. User's device only supports 2.4GHz. [Added 2.4GHz SSID / provided USB dual-band adapter / user connected to alternate SSID].\n\n**Recommendation:** Most enterprise environments should have both 2.4GHz and 5GHz SSIDs available, or a single SSID on both bands with band steering."
}
]
},
{
"id": "check_roaming",
"type": "action",
"title": "Troubleshoot Wi-Fi Roaming Issues",
"description": "User drops connection when moving between APs (different floors, areas).\n\n**What should happen:** Client seamlessly roams from one AP to the next without disconnecting.\n\n**Step 1: Check roaming configuration**\n- Are all APs on the same SSID and security settings? (Must match exactly)\n- Are all APs on the same VLAN? (Or is there L3 roaming configured?)\n- Is fast roaming enabled? (802.11r, OKC, or PMKSA caching)\n\n**Step 2: Check AP overlap**\n- Adjacent APs should have 15-20% signal overlap\n- If there's a dead zone between APs, the client drops before finding the next AP\n- Use a Wi-Fi survey tool to check coverage\n\n**Step 3: Check client-side roaming aggressiveness**\n- Adapter > Properties > Advanced > Roaming Aggressiveness\n- Set to 'Medium' or 'High' — low aggressiveness means the client clings to a weak AP too long\n\n**Step 4: Check for 'sticky client' behavior**\n- Client stays connected to a distant AP instead of roaming to a closer one\n- Fix: Enable minimum RSSI on the AP (disconnect clients below -75dBm threshold)\n- Enable band steering and fast roaming on the controller",
"next_node_id": "roaming_result"
},
{
"id": "roaming_result",
"type": "decision",
"question": "What's causing the roaming issue?",
"help_text": "Based on coverage analysis and configuration checks",
"options": [
{"id": "dead_zone", "label": "Dead zone between APs — no overlap", "next_node_id": "solution_dead_zone"},
{"id": "sticky_client", "label": "Client is sticky — won't roam", "next_node_id": "solution_sticky_client"},
{"id": "config_mismatch", "label": "SSID or security mismatch between APs", "next_node_id": "solution_ssid_mismatch"},
{"id": "no_fast_roaming", "label": "Fast roaming (802.11r) not enabled", "next_node_id": "solution_fast_roaming"}
],
"children": [
{
"id": "solution_dead_zone",
"type": "solution",
"title": "Resolved: Wi-Fi Dead Zone",
"description": "Coverage gap between APs causing disconnections.\n\n**Ticket Notes:** Wi-Fi drops when user moves between [area A] and [area B]. Coverage survey confirmed dead zone. [Repositioned AP / added additional AP / increased AP transmit power].\n\n**Recommendation:** Conduct a professional Wi-Fi site survey to identify all dead zones. APs should have 15-20% signal overlap at -67dBm or better for seamless roaming."
},
{
"id": "solution_sticky_client",
"type": "solution",
"title": "Resolved: Sticky Client Issue",
"description": "Client was holding onto a distant AP instead of roaming.\n\n**Ticket Notes:** User's device staying connected to distant AP ([AP name], signal [X]dBm) instead of roaming to closer AP. Resolved by [increasing roaming aggressiveness on client / enabling minimum RSSI on AP / configuring band steering].\n\n**AP-side fixes:**\n- Set minimum RSSI threshold to -75dBm (disconnect weak clients)\n- Enable client load balancing on the controller"
},
{
"id": "solution_ssid_mismatch",
"type": "solution",
"title": "Resolved: SSID/Security Mismatch",
"description": "APs had different SSID or security configurations preventing roaming.\n\n**Ticket Notes:** Roaming failure between APs. [AP at location A] and [AP at location B] had mismatched [SSID / security type / VLAN / WPA settings]. Corrected to match across all APs.\n\n**Prevention:** Use a wireless controller to manage all APs centrally — this prevents configuration drift."
},
{
"id": "solution_fast_roaming",
"type": "solution",
"title": "Resolved: Fast Roaming Enabled",
"description": "Enabled fast roaming protocols to speed up transitions between APs.\n\n**Ticket Notes:** Wi-Fi drops during roaming due to slow re-authentication. Enabled [802.11r (Fast BSS Transition) / OKC (Opportunistic Key Caching) / PMKSA caching] on the wireless controller.\n\n**Note:** 802.11r can cause issues with some older devices. Test before deploying broadly. OKC is usually a safer first option.\n\n**Result:** Roaming transitions now take <50ms instead of 1-3 seconds."
}
]
}
]
}
}
# =============================================================================
# Tree 3: Firewall Blocking Issues
# =============================================================================
def get_firewall_blocking_tree() -> dict[str, Any]:
"""Firewall Blocking Issues - Networking tree."""
return {
"name": "Firewall Blocking Issues",
"description": "Troubleshoot firewall-related blocking of applications, websites, ports, and services. Covers both Windows Firewall and network firewalls (UTM/NGFW). Includes common port requirements, rule creation, and log analysis.",
"category": "Networking",
"tree_structure": {
"id": "root",
"type": "decision",
"question": "What is being blocked?",
"help_text": "Identify what the user can't access or what application isn't working.",
"options": [
{"id": "website", "label": "A specific website or web application", "next_node_id": "check_website_block"},
{"id": "application", "label": "A desktop application can't connect", "next_node_id": "check_app_block"},
{"id": "port_service", "label": "A specific port or service is blocked", "next_node_id": "check_port_block"},
{"id": "vpn_blocked", "label": "VPN can't connect through the firewall", "next_node_id": "check_vpn_block"},
{"id": "not_sure", "label": "Something isn't working but not sure if it's the firewall", "next_node_id": "diagnose_firewall_vs_other"}
],
"children": [
{
"id": "check_website_block",
"type": "action",
"title": "Diagnose Website/URL Blocking",
"description": "User can't access a specific website.\n\n**Step 1: Verify the block**\n- Can other users at the same site access it?\n- Can the user access it from their phone (on cellular, not Wi-Fi)?\n- What error message do they see? (timeout, block page, SSL error, etc.)\n\n**Step 2: Check for a firewall block page**\n- Many UTM firewalls show a branded block page (SonicWall, Fortinet, Sophos, etc.)\n- The block page usually tells you the category (e.g., 'Social Media', 'Uncategorized', 'Security Risk')\n- This confirms it's the firewall content filter\n\n**Step 3: Check the firewall content filter logs**\n- Log into the firewall admin console\n- Check the web filter or content filter log\n- Search for the URL/domain\n- Note the category and policy that blocked it\n\n**Step 4: Check SSL/TLS inspection**\n- If SSL inspection is enabled, it may be causing certificate errors on some sites\n- Some sites use certificate pinning and break with SSL inspection\n- Check if excluding the site from SSL inspection fixes it",
"next_node_id": "website_block_cause"
},
{
"id": "website_block_cause",
"type": "decision",
"question": "Why is the website blocked?",
"help_text": "Based on the block page and firewall logs",
"options": [
{"id": "content_filter", "label": "Content filter category block (intended)", "next_node_id": "fix_content_filter"},
{"id": "wrong_category", "label": "Website is miscategorized by the filter", "next_node_id": "fix_miscategorized"},
{"id": "ssl_inspection", "label": "SSL inspection causing certificate errors", "next_node_id": "fix_ssl_inspection"},
{"id": "dns_filter", "label": "DNS-level filtering (DNS Security, Umbrella, etc.)", "next_node_id": "fix_dns_filter"}
],
"children": [
{
"id": "fix_content_filter",
"type": "action",
"title": "Handle Content Filter Block",
"description": "Website is blocked by the content filter policy — this is working as designed.\n\n**If the user needs access for work:**\n1. Verify the business justification\n2. Get approval from the client's manager or IT decision-maker\n3. Options to allow access:\n\n**Option A: Allow the specific URL/domain** (recommended)\n- Firewall > Content Filter > Allow List\n- Add just the specific domain (not the entire category)\n\n**Option B: Allow for specific user/group only**\n- If the firewall supports user-based policies (most NGFWs do)\n- Create a policy for the user/group that allows the category\n\n**Option C: Allow the category** (least recommended)\n- Unblocking an entire category opens it for everyone\n- Only do this if the policy needs to change org-wide\n\n**Document:** Who approved the exception and the business justification.",
"next_node_id": "solution_content_filter"
},
{
"id": "solution_content_filter",
"type": "solution",
"title": "Resolved: Content Filter Exception Added",
"description": "Website access granted via content filter exception.\n\n**Ticket Notes:** [URL] blocked by content filter (category: [category]). Business justification: [reason]. Approved by: [approver]. Added domain to [allow list / user-specific policy]. Access confirmed.\n\n**Important:** Document all exceptions for compliance and audit purposes. Review exceptions periodically."
},
{
"id": "fix_miscategorized",
"type": "action",
"title": "Fix Miscategorized Website",
"description": "The website is in the wrong content filter category.\n\n**Immediate fix:** Add the domain to the allow list so the user can work.\n\n**Submit a recategorization request:**\n- Most firewall vendors let you request a category change:\n - **Fortinet:** https://www.fortiguard.com/faq/wfrating\n - **SonicWall:** https://cfssupport.sonicwall.com/\n - **Sophos:** Submit through Sophos Central\n - **Palo Alto:** https://urlfiltering.paloaltonetworks.com/\n - **Cisco/OpenDNS:** https://community.opendns.com/domaintagging/\n\n- Recategorization usually takes 1-3 business days\n\n**After recategorization:** You can remove the manual allow list entry once the category is corrected.",
"next_node_id": "solution_recategorized"
},
{
"id": "solution_recategorized",
"type": "solution",
"title": "Resolved: Website Recategorization Submitted",
"description": "Website miscategorized — added to allow list and submitted recategorization.\n\n**Ticket Notes:** [URL] miscategorized as [wrong category] instead of [correct category]. Added to allow list for immediate access. Recategorization request submitted to [vendor]. Will remove allow list entry once category is corrected.\n\n**Follow-up:** Check categorization in 3-5 business days."
},
{
"id": "fix_ssl_inspection",
"type": "action",
"title": "Fix SSL Inspection Certificate Issues",
"description": "SSL deep inspection is causing certificate errors on certain sites.\n\n**Why this happens:** The firewall intercepts HTTPS, re-signs the certificate with its own CA. Sites that use certificate pinning (banking, government, some apps) will reject the firewall's certificate.\n\n**Fix: Exclude the site from SSL inspection**\n1. Firewall > SSL Inspection policy\n2. Add the domain to the SSL inspection bypass/exclusion list\n\n**Common sites that need SSL inspection bypass:**\n- Banking and financial sites\n- Government sites\n- Microsoft 365 (Microsoft recommends bypassing)\n- Video conferencing (Teams, Zoom, WebEx)\n- Healthcare portals\n\n**If the issue is that the firewall's CA cert isn't trusted:**\n- Deploy the firewall's root CA certificate to all domain computers via GPO\n- Non-domain devices will show certificate warnings unless the CA is manually trusted",
"next_node_id": "solution_ssl_fixed"
},
{
"id": "solution_ssl_fixed",
"type": "solution",
"title": "Resolved: SSL Inspection Bypass Added",
"description": "Certificate errors resolved by excluding the site from SSL inspection.\n\n**Ticket Notes:** [URL] showing certificate errors due to SSL deep inspection. Added to SSL inspection bypass list. Site now loads correctly.\n\n**If CA deployment is needed:** Deploy firewall root CA to all endpoints via GPO:\nComputer Config > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities"
},
{
"id": "fix_dns_filter",
"type": "action",
"title": "Fix DNS-Level Filtering Block",
"description": "Website is blocked at the DNS level (Cisco Umbrella, DNSFilter, Cloudflare Gateway, etc.).\n\n**How to identify DNS filtering:**\n- User gets a block page but it's from the DNS service, not the firewall\n- `nslookup` for the domain returns the DNS filter's block IP instead of the real IP\n```\nnslookup blocked-site.com\n```\n\n**To fix:**\n1. Log into the DNS filtering console (Umbrella, DNSFilter, etc.)\n2. Check the logs for the blocked domain\n3. Add to the allow list if it should be permitted\n\n**If you can't access the DNS filter console:** The DNS filter may be managed by a different team or MSP. Escalate.\n\n**Quick test:** Temporarily change the client's DNS to 8.8.8.8 to bypass DNS filtering and confirm the site works. (Change it back afterward!)",
"next_node_id": "solution_dns_filter"
},
{
"id": "solution_dns_filter",
"type": "solution",
"title": "Resolved: DNS Filter Exception Added",
"description": "Website unblocked in DNS filtering service.\n\n**Ticket Notes:** [URL] blocked by [DNS filter service]. Added to allow list in [service name]. Access confirmed.\n\n**Note:** DNS filtering and firewall content filtering are separate layers. A site may need to be allowed in both if the org uses both."
}
]
},
{
"id": "check_app_block",
"type": "action",
"title": "Diagnose Application Connection Block",
"description": "A desktop application can't connect to its server or service.\n\n**Step 1: Identify what the app needs**\n- What server/IP does it connect to?\n- What port(s) does it use?\n- Check the vendor's documentation for required ports and IPs\n\n**Step 2: Test connectivity**\n```\n# Test if the port is reachable\nTest-NetConnection -ComputerName server.example.com -Port 443\nTest-NetConnection -ComputerName server.example.com -Port 8080\n\n# Check if Windows Firewall is blocking\nGet-NetFirewallRule | Where-Object {$_.DisplayName -like '*AppName*'} | Select DisplayName, Enabled, Direction, Action\n```\n\n**Step 3: Check Windows Firewall first**\n- Windows Defender Firewall may be blocking the app independently from the network firewall\n- Check: Control Panel > Windows Defender Firewall > Allow an app\n- Temporarily disable Windows Firewall to test (re-enable immediately after)\n\n**Step 4: Check network firewall logs**\n- Search for the source IP (user's computer) in the firewall deny logs\n- Look at what destination IP and port is being blocked",
"next_node_id": "app_block_source"
},
{
"id": "app_block_source",
"type": "decision",
"question": "What is blocking the application?",
"help_text": "Based on connectivity tests and firewall log analysis",
"options": [
{"id": "windows_fw", "label": "Windows Firewall is blocking it", "next_node_id": "fix_windows_firewall"},
{"id": "network_fw", "label": "Network firewall is blocking the port/IP", "next_node_id": "fix_network_firewall_rule"},
{"id": "both", "label": "Both firewalls need rules", "next_node_id": "fix_windows_firewall"},
{"id": "not_firewall", "label": "Connectivity works — issue isn't firewall", "next_node_id": "solution_not_firewall"}
],
"children": [
{
"id": "fix_windows_firewall",
"type": "action",
"title": "Create Windows Firewall Rule",
"description": "Windows Firewall is blocking the application.\n\n**Option 1: Allow the app through Windows Firewall**\n1. Control Panel > Windows Defender Firewall > Allow an app\n2. Click 'Change settings' > 'Allow another app'\n3. Browse to the application's .exe file\n4. Check Private and/or Domain as appropriate\n\n**Option 2: Create a port-based rule**\n```\n# Allow inbound on specific port\nNew-NetFirewallRule -DisplayName 'Allow MyApp' -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow\n\n# Allow outbound on specific port\nNew-NetFirewallRule -DisplayName 'Allow MyApp Outbound' -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow\n```\n\n**Option 3: Deploy via Group Policy (for org-wide apps)**\nComputer Config > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound/Outbound Rules\n\n**After adding the rule:** Test the application. If it still doesn't work, also check the network firewall.",
"next_node_id": "windows_fw_result"
},
{
"id": "windows_fw_result",
"type": "decision",
"question": "Did the Windows Firewall rule fix it?",
"help_text": "Test the application after adding the rule",
"options": [
{"id": "yes", "label": "Yes, application works now", "next_node_id": "solution_windows_fw"},
{"id": "no", "label": "No, still blocked — network firewall too", "next_node_id": "fix_network_firewall_rule"}
],
"children": [
{
"id": "solution_windows_fw",
"type": "solution",
"title": "Resolved: Windows Firewall Rule Added",
"description": "Application connectivity restored after adding Windows Firewall rule.\n\n**Ticket Notes:** [Application] blocked by Windows Defender Firewall. Created [inbound/outbound] rule for [app/port]. Application confirmed working.\n\n**If this needs to be deployed org-wide:** Create the rule via Group Policy to push to all domain computers."
}
]
},
{
"id": "fix_network_firewall_rule",
"type": "action",
"title": "Create Network Firewall Rule",
"description": "The network firewall needs a rule to allow the application's traffic.\n\n**Step 1: Gather the requirements**\n- Source: User's subnet or specific IP\n- Destination: Application server IP or FQDN\n- Port(s): TCP/UDP port numbers the app uses\n- Protocol: TCP, UDP, or both\n\n**Step 2: Check vendor documentation**\nAlways check the app vendor's docs for the complete list of required ports and IPs. Common apps:\n- RDP: TCP 3389\n- SQL Server: TCP 1433\n- HTTPS: TCP 443\n- SSH: TCP 22\n- FTP: TCP 20-21, passive ports\n- SIP/VoIP: UDP 5060-5061, RTP 10000-20000\n\n**Step 3: Create the rule**\nLog into the firewall and create an allow rule with the specific source, destination, ports, and protocol.\n\n**Step 4: Test and verify**\n```\nTest-NetConnection -ComputerName destination -Port port_number\n```\n\n**Best practice:** Use the most specific rule possible (exact IPs and ports). Avoid broad 'allow all' rules.",
"next_node_id": "solution_network_fw_rule"
},
{
"id": "solution_network_fw_rule",
"type": "solution",
"title": "Resolved: Network Firewall Rule Created",
"description": "Application connectivity restored after creating firewall rule.\n\n**Ticket Notes:** [Application] blocked by network firewall. Created rule: Source [IP/subnet] → Destination [IP/FQDN] Port [ports] [TCP/UDP]. Application confirmed working.\n\n**Documentation:** Record the rule in the client's firewall change log with business justification and approval."
},
{
"id": "solution_not_firewall",
"type": "solution",
"title": "Not a Firewall Issue",
"description": "Connectivity test succeeded — the firewall is not blocking the traffic.\n\n**Ticket Notes:** Application [name] not connecting. Firewall ruled out — port test to [destination:port] succeeds. Issue is likely:\n- Application configuration (wrong server address, credentials)\n- Server-side issue (service down, certificate expired)\n- DNS resolution (app resolving to wrong IP)\n- Application-level authentication failure\n\n**Next steps:** Troubleshoot at the application level."
}
]
},
{
"id": "check_port_block",
"type": "action",
"title": "Test and Fix Specific Port Block",
"description": "A specific port or service needs to be opened.\n\n**Step 1: Confirm the port is actually blocked**\n```\n# Test TCP port\nTest-NetConnection -ComputerName target_ip -Port port_number\n\n# If the above isn't available, use telnet:\ntelnet target_ip port_number\n\n# Check what's listening locally\nnetstat -an | findstr :port_number\n```\n\n**Step 2: Determine WHERE the block is**\n1. Test from the server itself (is the service even listening?)\n2. Test from the same subnet (is it a Windows Firewall issue?)\n3. Test from a different subnet (is it the network firewall?)\n4. Test from outside the network (is it the edge firewall?)\n\n**Step 3: Common port requirements by service**\n- HTTP/HTTPS: 80, 443\n- RDP: 3389\n- SSH: 22\n- DNS: 53 (TCP+UDP)\n- SMTP: 25, 587\n- IMAP: 143, 993\n- FTP: 20-21 + passive range\n- SMB: 445\n- SQL: 1433\n- MySQL: 3306\n- PostgreSQL: 5432",
"next_node_id": "app_block_source"
},
{
"id": "check_vpn_block",
"type": "action",
"title": "Troubleshoot VPN Blocked by Firewall",
"description": "VPN connection can't establish through the firewall.\n\n**Identify the VPN type and required ports:**\n\n**IPSec VPN:**\n- UDP 500 (IKE)\n- UDP 4500 (NAT Traversal)\n- Protocol 50 (ESP) — note: this is an IP protocol, not a port\n\n**SSL VPN / OpenVPN:**\n- TCP or UDP 443 (most common)\n- Or custom port (check VPN server config)\n\n**WireGuard:**\n- UDP 51820 (default)\n\n**L2TP/IPSec:**\n- UDP 500, UDP 4500, UDP 1701, Protocol 50\n\n**PPTP (legacy, avoid):**\n- TCP 1723, Protocol 47 (GRE)\n\n**Step 1: Check which ports are needed** based on the VPN type above.\n\n**Step 2: Test if the port is reachable**\n```\nTest-NetConnection -ComputerName vpn_server -Port 443\n```\n\n**Step 3: Check both directions**\n- Outbound: Is the user's firewall allowing outbound VPN traffic?\n- Inbound: Is the VPN server's firewall allowing inbound connections?\n- NAT: Is port forwarding configured correctly for the VPN server?\n\n**Step 4: Check for ISP blocking**\nSome ISPs and hotel/public Wi-Fi block VPN protocols. Try port 443 (usually open everywhere).",
"next_node_id": "vpn_block_result"
},
{
"id": "vpn_block_result",
"type": "decision",
"question": "Where is the VPN being blocked?",
"help_text": "Based on port tests and firewall log analysis",
"options": [
{"id": "outbound_fw", "label": "User's network firewall blocking outbound VPN", "next_node_id": "fix_network_firewall_rule"},
{"id": "inbound_fw", "label": "VPN server firewall blocking inbound", "next_node_id": "fix_vpn_inbound"},
{"id": "nat_issue", "label": "NAT or port forwarding not configured", "next_node_id": "fix_vpn_nat"},
{"id": "isp_block", "label": "ISP or public Wi-Fi blocking VPN protocols", "next_node_id": "solution_isp_vpn_block"}
],
"children": [
{
"id": "fix_vpn_inbound",
"type": "action",
"title": "Fix VPN Server Inbound Firewall",
"description": "The firewall in front of the VPN server is blocking incoming VPN connections.\n\n**Create the inbound rule:**\nBased on VPN type, allow the required ports/protocols inbound to the VPN server's internal IP. Limit the rule to that destination and those ports only; for a site-to-site tunnel with a known peer, also restrict the source to the peer's public IP.\n\n**For IPSec:** Allow UDP 500, UDP 4500, and IP Protocol 50 to the VPN server.\n\n**For SSL VPN:** Allow TCP 443 (or the custom port) to the VPN server.\n\n**Check NAT:** If the VPN server is behind NAT, port forwarding must be configured (see NAT fix).\n\n**After creating the rule:** Test the VPN connection from outside the network.",
"next_node_id": "solution_vpn_inbound"
},
{
"id": "solution_vpn_inbound",
"type": "solution",
"title": "Resolved: VPN Server Firewall Rule Added",
"description": "VPN connections now working after adding inbound firewall rule.\n\n**Ticket Notes:** VPN connections blocked by firewall in front of VPN server. Created inbound rules for [ports/protocols] to [VPN server IP]. VPN confirmed working from external network."
},
{
"id": "fix_vpn_nat",
"type": "action",
"title": "Fix VPN NAT / Port Forwarding",
"description": "VPN server is behind NAT and port forwarding isn't configured.\n\n**Configure port forwarding:**\n1. Log into the edge firewall/router\n2. Create port forwarding rules:\n - External port → Internal VPN server IP : Internal port\n\n**For IPSec behind NAT:**\n- Forward UDP 500 and UDP 4500 to the VPN server\n- NAT-Traversal (NAT-T) must be enabled on both ends\n- Note: Multiple IPSec VPNs behind the same NAT can cause issues\n\n**For SSL VPN behind NAT:**\n- Forward TCP 443 to the VPN server\n- If port 443 is already used by something else, use a different port and update the VPN client config\n\n**Important:** Only ONE device can receive forwarded traffic for a given port on the same public IP. If 443 is forwarded to a web server, the SSL VPN needs a different port. Forward only the VPN ports listed above — do not put the VPN server in a DMZ-host or forward-all rule to get it working.",
"next_node_id": "solution_vpn_nat"
},
{
"id": "solution_vpn_nat",
"type": "solution",
"title": "Resolved: VPN Port Forwarding Configured",
"description": "VPN connectivity restored after configuring NAT/port forwarding.\n\n**Ticket Notes:** VPN server behind NAT at [public IP]. Configured port forwarding: [external port] → [internal IP:port]. VPN confirmed working.\n\n**Document:** Record the port forwarding rule in the client's network documentation."
},
{
"id": "solution_isp_vpn_block",
"type": "solution",
"title": "ISP or Public Wi-Fi Blocking VPN",
"description": "The user's ISP or public Wi-Fi is blocking VPN protocols.\n\n**Ticket Notes:** VPN blocked by [ISP / hotel Wi-Fi / public network]. Standard VPN ports are filtered.\n\n**Workarounds:**\n1. Switch VPN to port 443 (TCP) — almost never blocked because it looks like HTTPS\n2. Use SSL VPN instead of IPSec if available\n3. Use a mobile hotspot instead of the public Wi-Fi\n4. Some VPN clients support stealth/obfuscation modes\n\n**If the VPN server supports it:** Configure an alternative listener on TCP 443 for users in restrictive networks."
}
]
},
{
"id": "diagnose_firewall_vs_other",
"type": "action",
"title": "Determine If the Firewall Is the Problem",
"description": "Not sure if the firewall is causing the issue. Let's find out.\n\n**Quick test: Is it the firewall?**\n\n**Test 1: Check firewall deny logs**\nSearch the firewall's deny/drop log for the user's IP address in the last hour. If you see blocked traffic, the firewall is involved.\n\n**Test 2: Test from inside vs outside the firewall**\n- Can the user reach the resource from the same subnet? (bypasses the firewall)\n- If it works from the same subnet, the firewall is likely involved\n\n**Test 3: Temporarily create a broad allow rule** (for testing ONLY)\n- Allow all traffic from the user's IP to the destination\n- Enable logging on the temporary rule so its hits show which port/protocol the application actually uses\n- If it works: firewall is the issue — now narrow down which specific port/protocol is needed\n- **Remove the broad rule immediately after testing**\n\n**Test 4: Check Windows Firewall too**\nOnly do this while the device is on the trusted office network, never on public or guest Wi-Fi.\n```\n# Temporarily disable Windows Firewall to test\nSet-NetFirewallProfile -Profile Domain,Public,Private -Enabled False\n# TEST NOW — then immediately re-enable:\nSet-NetFirewallProfile -Profile Domain,Public,Private -Enabled True\n# Confirm all profiles are enabled again:\nGet-NetFirewallProfile | Select Name, Enabled\n```\n\n**If none of these point to the firewall:** The issue is likely DNS, application configuration, server-side, or authentication.",
"next_node_id": "firewall_diagnosis_result"
},
{
"id": "firewall_diagnosis_result",
"type": "decision",
"question": "Is the firewall causing the problem?",
"help_text": "Based on the tests above",
"options": [
{"id": "windows_fw", "label": "Yes — Windows Firewall is blocking", "next_node_id": "fix_windows_firewall"},
{"id": "network_fw", "label": "Yes — Network firewall is blocking", "next_node_id": "check_app_block"},
{"id": "not_fw", "label": "No — Firewall isn't the issue", "next_node_id": "solution_not_firewall"}
]
}
]
}
}