IP Fabric v6.9
IP Fabric Upgrade From Version 6.6.3 (or 6.7.6)
Due to an issue identified within the System Administration UI, upgrading IP Fabric from version 6.6.3 (or 6.7.6) over the internet will fail with the error 'Validation failed - Field pathName: "pathName" is required'. The issue has been addressed in version 6.7.7 (or newer). If you are running any IP Fabric versions from 6.6.3 to 6.7.6, please upgrade to 6.7.7 or newer manually with an update file from https://releases.ipfabric.io/updates/.
Upgrade Version Policy
We support the following upgrade paths:
- The latest version in the previous major line → any version in the current major line (for example, 5.0.2 → 6.1.3).
- Any version in the current major line → any newer version in the current major line (for example, 6.0.1 → 6.2.3).
- The latest version in the current major line → any version in the next major line (for example, 6.2.5 → 7.1.3).
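The three rules above, combined with the manual-upgrade notices on this page (versions 6.6.3 to 6.7.6, and 6.9.4 and 6.9.6), as an added example that is not IP Fabric's own code. The LATEST map is constructed from the example versions in the list, and plan_upgrade and its helpers are hypothetical names.

```python
# Added example (not IP Fabric code). LATEST is constructed from the example
# versions in the list above; a real check needs the actual latest releases.
LATEST = {5: "5.0.2", 6: "6.2.5"}

# From this page: online upgrade fails from 6.6.3..6.7.6 and from 6.9.4 / 6.9.6.
MANUAL_RANGE = ((6, 6, 3), (6, 7, 6))
MANUAL_EXACT = {(6, 9, 4), (6, 9, 6)}


def parse(version):
    """'6.9.7' -> (6, 9, 7); rejects anything that is not major.minor.patch."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {version!r}")
    return tuple(int(p) for p in parts)


def is_supported(current, target, latest=LATEST):
    """Apply the three upgrade-path rules to a current -> target pair."""
    cur, tgt = parse(current), parse(target)
    if tgt[0] == cur[0]:
        return tgt > cur  # same major line: target must be newer
    if tgt[0] == cur[0] + 1:
        # crossing one major line is allowed only from the latest of the older line
        return cur[0] in latest and parse(latest[cur[0]]) == cur
    return False  # downgrade across lines, or a skipped major line


def needs_manual(current):
    """True when this page says the online upgrade from `current` is broken."""
    cur = parse(current)
    return MANUAL_RANGE[0] <= cur <= MANUAL_RANGE[1] or cur in MANUAL_EXACT


def plan_upgrade(current, target, latest=LATEST):
    """Return 'unsupported', 'manual' (update file) or 'online'."""
    if not is_supported(current, target, latest):
        return "unsupported"
    return "manual" if needs_manual(current) else "online"
```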
Clearing Browser Cache
After upgrading IP Fabric to a newer version, you should see the "Your application has been updated and must be refreshed" dialog in the main GUI.
It is usually sufficient to just click the Refresh button.
However, in case of issues with the main GUI or if you did not see the mentioned dialog, please force refresh your browser cache.
The key combination for doing this depends on your operating system. In your browser window with your IP Fabric appliance’s URL open, use one of the following key combinations:
- Windows: Ctrl+F5
- macOS: Command+Shift+R
- Linux: Ctrl+F5
This will only affect the browser cache for the IP Fabric appliance.
Upgrade Notices
- During the update process, locked snapshots will be unloaded together with other snapshots, and their locks will be preserved. Therefore, such snapshots won’t be deleted by snapshot retention.
- The upgrade to version 6.9 may break custom SSO integrations and will require a change to the /etc/ipf-dex.yaml file. Since the 6.3.2 release, we are omitting the minor API version for SSO configuration, and only the major version will need to be changed with the next major IP Fabric version. Simply replace the vX.Y string in this file with v6 and then run systemctl restart ipf-dex.

      staticClients:
        - id: ipfabric
          redirectURIs:
            - "https://demo1.eu.ipfabric.io/api/v6/auth/external/azure"

For more information, please refer to the SSO documentation. If you would like assistance, please contact your Solution Architect.
v6.9.7 (August 8th, 2024; GA)
Security Fixes
Opengear Enable Passwords
The issue with enable passwords being logged in plaintext in the CLI log while discovering Opengear devices with the Neighbors task enabled has been fixed. For details and remediation, please see NIM-13396: Opengear – Prevent sudo Password From Being Logged in our Security Bulletin.
Authentication Tokens
accessToken and refreshToken have been removed from the response body of all endpoints (/auth/login, /auth/token, and /auth/token/swap) as a security enhancement to protect against XSS attacks. If you use this authentication method in your scripts, please update them to use the Set-Cookie headers. For more details, see Token API.
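One way to make that script change, as an added example that is not IP Fabric's code: it reads the tokens from the Set-Cookie headers and falls back to the JSON body for an appliance that has not been upgraded yet. The cookie names, cookie attributes and sample responses are assumptions constructed for illustration; the Token API documentation is the reference for the real ones.

```python
import json
from http.cookies import SimpleCookie

# Assumption: the cookies carry the same names as the removed body fields.
TOKEN_NAMES = ("accessToken", "refreshToken")

# Constructed sample responses; token values and cookie attributes are made up.
NEW_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "accessToken=constructed.access.jwt; Path=/api; HttpOnly; Secure"),
    ("Set-Cookie", "refreshToken=constructed-refresh; Path=/api; HttpOnly; Secure"),
]
NEW_BODY = "{}"
OLD_HEADERS = [("Content-Type", "application/json")]
OLD_BODY = '{"accessToken": "old.access.jwt", "refreshToken": "old-refresh"}'


def _jar(headers):
    """Parse every Set-Cookie header of a response into one cookie jar."""
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar.load(value)
    return jar


def extract_tokens(headers, body):
    """Return (tokens, source): Set-Cookie first, JSON body as legacy fallback."""
    jar = _jar(headers)
    tokens = {n: jar[n].value for n in TOKEN_NAMES if n in jar}
    if tokens:
        return tokens, "set-cookie"
    data = json.loads(body or "{}")
    tokens = {n: data[n] for n in TOKEN_NAMES if n in data}
    return tokens, ("body" if tokens else "none")


def http_only(headers):
    """Token cookies flagged HttpOnly, which page JavaScript cannot read."""
    jar = _jar(headers)
    return sorted(n for n in TOKEN_NAMES if n in jar and jar[n]["httponly"])


def cookie_header(tokens):
    """Cookie header value for later API calls made by the script."""
    return "; ".join(f"{n}={tokens[n]}" for n in TOKEN_NAMES if n in tokens)
```

A script built on the requests library gets the same effect by making all calls through one Session object, which stores and resends the cookies on its own.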
Network Discovery
Vendor Support and Improvements
- Versa – LLDP support was added.
- Stormshield (SN) – Support for filter (firewall) rules was added.
- Brocade (FastIron) – NTP support was added.
- Fortinet FortiGate – SD-WAN support was added. For more details, see Fortinet SD-WAN Known Issues.
- Citrix NetScaler ADC
- Discovery has been permanently added to the product, so the feature flag is no longer needed.
- Data collection for each ADC partition (routing, L3 interfaces, PBR, ARP, and virtual servers) was added.
- Overloaded server detection for HTTP/HTTPS-based Vendor APIs was improved.
Performance Improvements
Post-Discovery Calculations
The following improvements were made in post-discovery calculations:
- Memory optimizations when saving STP edges.
- Increased speed of VLAN-related database queries.
Configuration Management
The speed of Configuration Management processing was improved by increasing the number of devices being processed by a single syslogWorker. The default number of CLI connections was increased from 10 to 80. If you need to lower the default value, please contact our Support team.
Frontend
Simplified Vendor API Credential Management
- In this release, we have streamlined the process for managing Vendor API credentials. When editing Vendor API settings, you no longer need to re-enter credentials each time.
Settings
Advanced CLI
- The Authentication failure field (how many times to retry a connection when it fails on authentication) now has an increased maximum value of 5 (previously 2). The default value remains 0.
- New timeout settings have been added:
  - Network device authentication timeout
    - How many seconds to wait for the login prompt to appear.
    - The default value is 300 seconds.
  - Command response timeout
    - How many minutes to wait for a device to finish sending the response to a command.
    - The default value is 180 minutes.
Device Credentials
In global (Settings → Discovery & Snapshots → Discovery Settings → Device Credentials) and per-snapshot (Discovery Snapshot → (specific snapshot) → Settings → Device Credentials) settings, usernames and passwords now accept only ASCII printable characters. Validation has been added to the credentials input.
Technology Tables
Device Data in JSON
Device data can now be downloaded in JSON format. This is the device data processed (parsed) by IP Fabric from the CLI logs, which is used when devices are added to IP Fabric during snapshot discovery or load.
Device Discovery Duration
Start and end timestamps of individual device discovery have been added, and these data are shown in new columns of the Device Inventory table (in Inventory → Devices).
Technology → SDWAN → Versa
The Technology → SDWAN section of the GUI was previously dedicated to Versa SDWAN information only. In upcoming releases, this section will be enriched by data from other SDWAN vendors. For this reason, a separate page for Versa has been created.
Path Lookup
Topology Improvements
- Neighbor calculation in STP over ACI scenarios has been improved.
- Fixed host-to-gateway simulation for wireless hosts connected to an AP.
- More realistic handling of VRF leaks in BGP routes.
- Fixed inconsistency in the graph comparison feature, where the same topology graph edges across two snapshots could be falsely reported as changed.
Security and ACI Improvements
- Rules received via API were not ordered correctly; they are now properly ordered by IP Fabric.
- Implicit and default rules can have the same priority and match the same traffic; implicit rules are now evaluated as the last ones.
- More accurate security evaluation for tunnels using zone firewalls.
- Improved security evaluation on spines where no endpoints are connected, and on leafs where no information about the endpoint’s group is present.
- Improved handling of source and destination groups in ACI ACL rules.
- Improved handling of VXLAN network identifiers (VNIs) in output security evaluation.
Appliance OS-Level Improvements
- The nimpee-net-config command for the First Boot Wizard has been changed to ipf-cli-config. Additionally, the First Boot Wizard is now referred to as IPF CLI Config.
- Jumphost services have been renamed from jumphost@<ID>.service to ipf-jumphost@<ID>.service (with the addition of the ipf- prefix).
Other Changes
- System Maintenance has been enhanced to remove snapshot data from the database that is no longer loaded in the IP Fabric appliance. Previously, this data could occasionally remain in the database, leading to increased memory resource requirements.
Experimental Features
These are newly added features that need to be explicitly enabled in service files. If you are interested in trying them out, please contact our Support or Solution Architect team, and we will gladly assist you with enabling these features.
VeloCloud
- Basic device info support has been added as a Proof of Concept (PoC) and needs to be enabled manually via a feature flag (ENABLE_DISCOVERY_DEVICES_VELOCLOUD).
- This section provides a detailed description of the VeloCloud setup.
Known Issues
Fortinet NAT44 and Zone Firewall Cause Discovery Issues in Version 6.9.x
Temporarily disabling both NAT44 and Zone firewall discovery tasks for the fortigate Family (in Settings → Discovery & Snapshots → Discovery Settings → Disabled Discovery Tasks) is the recommended hotfix until this issue is resolved in one of the upcoming releases.
Failing Upgrade to Version 6.9.4
A bug was identified on IP Fabric appliances with initial deployment versions 4.3.x or earlier. During the upgrade process to version 6.9.4, the installation of the ipf-ethx package fails, causing the entire upgrade process to stop.
This issue was fixed in the 6.9.6 release.
Bug Affecting Online Upgrade in Versions 6.9.4 and 6.9.6
A critical bug was identified in the 6.9.4 and 6.9.6 releases, impacting the online upgrade process to a next release. As a result, only manual upgrades are possible for the affected versions. Versions 6.8.x and earlier remain unaffected by this issue.
This issue was fixed in the 6.9.7 release.
Failing Upgrade to 6.9.x in Azure Environment
We have identified an issue with upgrading IP Fabric in the Azure environment from any older versions to 6.9.x. The upgrade process becomes stuck at installing the waagent package, which blocks the upgrade of all ipf- packages that now depend on it.
The issue arises because 6.9.x attempts to install waagent, but this package is native to Azure and is already installed by default on any Linux VMs in Azure.
To resolve the issue, follow these steps:
- Connect to the Azure instance via SSH as the osadmin user and run the following commands:

      sudo su -
      dpkg -l | grep -e '||/ Name' -e 'ipf-' # Check the status of the ipf- packages and their versions
      cp -p /var/lib/waagent/ovf-env.xml /root/
      systemctl stop walinuxagent.service
      rm -Rf /var/lib/waagent/
      apt install waagent # The command will appear stuck, but please let it run

- Open another SSH session to the Azure instance in a different window, log in as osadmin, and run the following commands:

      sudo su -
      cp -p /root/ovf-env.xml /var/lib/waagent/

- Once the apt install waagent command finishes, reboot the Azure instance by running the following command in any of the SSH sessions:

      reboot

- After the Azure instance fully reboots, connect to it again via SSH as osadmin and re-check the status of the ipf- packages and their versions with the following command:

      dpkg -l | grep -e '||/ Name' -e 'ipf-'

  In the first column of the command output, you should see only ii. In the third column, you should see 6.9.x+y, except for the following ipf- packages, which have different versioning schemes:
  - ipf-checker
  - ipf-cli-config
  - ipf-dex
  - ipf-ethx
  - ipf-jumphost
  - ipf-techsupport-exporter

If you are unsure how to proceed or encounter any issues, please contact our Support team.