IP Fabric v7.2

Upgrade Version Policy

We support the following upgrade paths:

The latest version in the previous major line → any version in the current major line (for example, 6.10.7 → 7.2.17).
Any version in the current major line → any newer version in the current major line (for example, 7.0.15 → 7.2.17).

Clearing Browser Cache

After upgrading IP Fabric to a newer version, you should see the Your application has been updated and must be refreshed dialog in the main GUI.

It is usually sufficient to just click the Refresh button.

However, in case of issues with the main GUI or if you did not see the mentioned dialog, please force refresh your browser cache.

The key combination for doing this depends on your operating system. In your browser window with your IP Fabric appliance’s URL open, use one of the following key combinations:

Windows: Ctrl + F5
macOS: Command + Shift + R
Linux: Ctrl + F5

This will only affect the browser cache for the IP Fabric appliance.

v7.2.17 (June 9^th, 2025; GA)

SHA256 (ipfabric-update-7-2-17+0.tar.zst.sig) = 3a3b9c0ecab5603297e35db98fd180d7a35c9e5327be02e68501517ee372354e
MD5 (ipfabric-update-7-2-17+0.tar.zst.sig) = ddb4f8009f23bae7b1c1be55f921ab9e
SHA256 (ipfabric-7-2-17+0.qcow2) = 6249b2a155176d55b1d2805256ca975c2884feca4968404be54869a26049bf21
MD5 (ipfabric-7-2-17+0.qcow2) = 00f4923c04cb735312c41c4a13fc588d
SHA256 (ipfabric-7-2-17+0.vmdk) = fb0cbb4be5d100660a7af201477b891cb6a4d704f108d085922b6cfe14edac95
MD5 (ipfabric-7-2-17+0.vmdk) = 6aa0415042cf128f62461ee79261b6ac
SHA256 (ipfabric-7-2-17+0.vhdx.zst) = f3ea8509b6d7b0b55a5e9d25f936dc6a5822fe761739170ee404809a78ffbd89
MD5 (ipfabric-7-2-17+0.vhdx.zst) = 4d6b8fa3e47e70aaf36d21e9f680670c
SHA256 (unsupported-ESXi6.7U2-ipfabric-7-2-17+0.ova) = 842c90a08c62dd4b46902b4d7753bb71f2678d7f4c0f0055b53656fccea3bc14
MD5 (unsupported-ESXi6.7U2-ipfabric-7-2-17+0.ova) = 1406790ec4f1cc2f1e694465d91927e9
SHA256 (unsupported-ESXi7.0-ipfabric-7-2-17+0.ova) = 789b11f70248a9a378a0866de72eb4c2c28c58684b48229b5159fc4c77ba9f6d
MD5 (unsupported-ESXi7.0-ipfabric-7-2-17+0.ova) = f01491bf442d304105a9c9e13a26f2cd
SHA256 (ESXi8.0-ipfabric-7-2-17+0.ova) = 25da28f1a6320f5c7a121ce517835407447eac5e15bc103ecb5c3143f2b93e30
MD5 (ESXi8.0-ipfabric-7-2-17+0.ova) = a90c335120c91b98a77c0e61f7bfa0e5

Fixes

Something went wrong Error

After an upgrade a Something went wrong error when accessing the IP Fabric GUI after upgrading was shown. This issue was resolved in the 7.2.17 release but may still occur in rare situations. Clear the browser cache to resolve this issue.

Known Issues

License or Database Errors After Upgrade

If the IP Fabric GUI redirects to the status page after an upgrade and displays errors such as License Error, ArangoDB Disconnected, or Failed to load initial app data, this may indicate an issue with the ArangoDB configuration.

To diagnose the issue:

Log in to the IP Fabric appliance via CLI and switch to the root user using sudo -i.

Check if ArangoDB is listening on port 8529 via IPv6 (expected for IP Fabric 7.2):

root@IPF:~# lsof -i | grep 8529 | grep LISTEN  
arangod      952    arangodb   26u  IPv6   19501      0t0  TCP *:8529 (LISTEN)

If ArangoDB is bound to IPv4 instead, this likely causes the error:

root@IPF:~# lsof -i | grep 8529 | grep LISTEN  
arangod     874 arangodb   26u  IPv4  20599      0t0  TCP *:8529 (LISTEN)

Verify the arangod.conf file in /etc/arangodb3 is a symbolic link to arangod.conf.ipf. The directory should show:

root@IPF:~# cd /etc/arangodb3  
root@IPF:/etc/arangodb3# ls -lsa | grep arangod.conf  
0 lrwxrwxrwx   1 root root    16 Nov 27  2023 arangod.conf -> arangod.conf.ipf  
4 -rw-r--r--   1 root root  1687 Feb 11 12:07 arangod.conf.ipf  
4 -rw-r--r--   1 root root  1696 Nov 27  2023 arangod.conf.ipf-orig

If the symlink is missing (i.e., arangod.conf is a regular file):

Run these commands to restore the symlink:

cd /etc/arangodb3/  
mv arangod.conf arangod.conf.bkp  
ln -s arangod.conf.ipf arangod.conf  
systemctl restart arangodb3

Confirm the symlink exists and ArangoDB uses IPv6:

root@IPF:/etc/arangodb3# ls -lsa | grep arangod.conf  
0 lrwxrwxrwx   1 root root    16 May 27 09:30 arangod.conf -> arangod.conf.ipf  
4 -rw-r--r--   1 root root  1697 May 27 09:22 arangod.conf.bkp  
4 -rw-r--r--   1 root root  1693 Jan 22  2021 arangod.conf.dpkg-old  
4 -rw-r--r--   1 root root  1687 Apr 23 13:42 arangod.conf.ipf  
4 -rw-r--r--   1 root root  1696 Mar  4 10:44 arangod.conf.ipf-orig  

root@IPF:~# lsof -i | grep 8529 | grep LISTEN  
arangod    876 arangodb   26u  IPv6  17979      0t0  TCP *:8529 (LISTEN)

After these steps, the GUI should function correctly.

BGP Communities Filtering Issues

The new BGP communities filtering feature during discovery correctly passes tags to settings only in automatic snapshots. However:

Manual snapshot triggers fail to activate this feature
Even when tags are passed correctly, filters aren’t applied during Cisco IOS-XR discovery
Any modifications to these sections:
- Configuration Management
- Snapshot Retention
- System → SNMP
- System → Backup & Maintenance
remove the BGP communities filter from Discovery Settings

These issues are scheduled for resolution in an upcoming patch release.

Configuration Management Process Fails to Close SSH Sessions

On HPE arubasw family devices, the Configuration Management process sometimes fails to terminate SSH connections properly. This occurs when a login banner isn’t detected, causing SSH sessions to remain open indefinitely.

To verify if this is happening, access your IP Fabric appliance’s command line interface and execute the following when the Configuration Management process is not running:

netstat -tnpa | grep 'ESTABLISHED' | grep syslogWorkerBu | grep :22

If you see persistent SSH connections, the output will display multiple active sessions like this:

root@ipfabric:~# netstat -tnpa | grep 'ESTABLISHED' | grep syslogWorkerBu | grep :22
tcp        0      0 10.0.192.108:52784      10.20.94.22:22          ESTABLISHED 624/syslogWorkerBui
tcp        0      0 10.0.192.108:22184      10.20.88.20:22          ESTABLISHED 624/syslogWorkerBui
tcp        0      0 10.0.192.108:27698      10.20.130.21:22         ESTABLISHED 624/syslogWorkerBui
tcp        0      0 10.0.192.108:30666      10.20.94.24:22          ESTABLISHED 624/syslogWorkerBui

To resolve this, restart the Configuration Management service with command:

systemctl restart ipf-discovery-syslogworker.service

v7.2.13 (May 21^st, 2025; GA)

v7.2.5 (March 17^th, 2025; EA)

API Endpoints Deprecation

The below API endpoints have been marked as deprecated and the intention is to remove them in version 7.5.

/tables/networks/gatewayRedundancy
/tables/networks/networks

System Administration UI Removal

The System Administration UI on port 8443 has been deprecated in version 7.0 and is no longer accessible. All its functionalities have been replaced by an alternative:

RBAC Fixes

After reviewing our built-in RBAC policies, we have made the following changes. This is to ensure that the policies are more consistent with the intended use cases. If your roles require access to these endpoints, please create a custom RBAC policy and assign it to the required role(s).

These policies have been removed from the built-in others (ID of read) and moved to settings:

POST /os/generate-nimpee-cert: Generate IP Fabric certificate
POST /os/upload-nimpee-cert: Upload certificate to platform
POST /os/maintenance: Trigger platform maintenance
POST /os/snapshots-retention: Trigger snapshot retention
POST /os/techsupport: Generate techsupport file
POST /os/clean-db: Clean system database
POST /jobs/{key}/cancel: Cancel specific job
POST /jobs/{key}/force-stop: Force stop running system job
POST /jobs/{key}/stop: Stop running system job
GET /jobs/{key}/download: Return result of system job
- With the introduction of the new Configuration Import/Export users without settings policies are able to download and view all settings.
- Our team is working on a feature to provide RBAC based on the type of file (configuration, snapshot, techsupport). This will be available in a future release.

System upgrade improvements

The upgrade UI has switched from basic HTTP authentication to cookie/session-based authentication.
Downloading a remote upgrade package via the UI now displays download progress, which is also logged in the systemd journal.
Improved timeout management provides better handling on systems with slow disk I/O or during network interruptions.

Layout Optimization for Large Circular Graphs

Circular graphs with over 100 nodes experienced slow rendering and oversized layouts due to complex line-crossing minimization calculations. This also impacted snapshot discovery/loading performance due to prolonged node position caching.

For graphs exceeding 100 nodes, we now automatically apply the universal layout instead of the circular layout. This ensures:

Faster rendering (reduced layout computation time)
Improved readability of large graphs
Optimized snapshot performance (quicker node position caching)

The layout type change (circular → universal) is not yet reflected in API responses or the UI. This visibility will be added in an upcoming release.

New Features

Configuration Import/Export

We have developed a new feature that allows you to import and export configurations of the IP Fabric application across multiple IP Fabric instances. More details can be found on the Configuration Import/Export page.

Azure Network Load Balancers (NLB) support

Data collection and end-to-end path lookup via NLB nodes are supported. However, path lookup via Azure private links is not supported yet.

Do not forget to update IAM policy

To collect Azure Network Load Balancers, the corresponding IAM policy must be updated. You can download the new policy here.

Enhanced BGP Community Controls for Optimized Discovery

Introduced per-device, per-protocol (IPv4/IPv6), and per-VRF BGP community configurations to limit downloaded routes during discovery.
This feature prioritizes community-based filtering over global thresholds, ensuring precise data collection while reducing processing time. Ideal for large-scale networks with extensive BGP tables. For more information see Routing

Connections between IPsec & VXLAN tunnel endpoints now visible in path-lookup

For easier identification of where IPsec and VXLAN tunnels start and end, especially when traversing multiple devices, direct links between tunnel endpoints are now visible in path lookups. More details can be found in IPsec & VXLAN tunnel endpoints.

BGP Route Collection Enhancement

We have introduced filtered BGP route collection support, allowing network administrators to explicitly define which networks to collect. This enables focused BGP route analysis while optimizing system resources across Cisco IOS/IOS-XE, IOS-XR, NX-OS, Juniper JunOS and Arista EOS platforms.

For detailed information about the new API endpoints and configuration options, see BGP Route Collection API.

Improvements

GUI

We have updated default tabs settings for consoleServer devices in Device Explorer: added Serial Ports, removed QoS, MAC and Port Channel. This resets previous tab settings for this device type.
Edges in topology graphs now support multiple labels, which can be displayed either inline or on separate lines. These settings are customizable in the Visualization Setup panel of the Network Viewer, allowing configuration for each protocol or group type individually.
Additional columns were added to Inventory → Interfaces table, all hidden by default:
- Clearing Type
- Clearing Value
- Last Input Type
- Last Input Value
- Last Output Type
- Last Output Value
An additional column was added to the Inventory → Devices table and is hidden by default:
- Credentials Notes
Global filter now allows for selecting all possible values of given attribute using the Select all option.

Advanced Filters

Device Attribute-Based Advanced Filters now supports Attributes as a device property.

This allows you to:
- Filter data using predefined Attributes, such as siteName.
- Use custom Attributes for more specific filtering.

For a complete list of properties and supported tables, refer to Technology Tables – Device-Based Advanced Filters.

Discovery Settings

Saving discovery settings with missing or expired credentials is now allowed. Users can decide whether the missing data is important for running the discovery or can add the data later. Clear messages and dialogs will inform users of any potential issues.

Network Discovery

New Capabilities – Cisco (FTD), Fortinet (FortiGate), PaloAlto (PAN-OS)
- Support for URL filtering has been added.
- In Path Lookup under Advanced Packet Options, new search fields are now available:
  - Site category: Matches the name of a URL filter category. Works for both built-in and custom categories. The field accepts regex if multiple categories are needed in the result.
  - URL / DOMAIN: Matches a specific URL against applicable security rules.

New Capabilities – PaloAlto (PAN-OS)
- Support for URL-type objects of External Dynamic List has been added.

New Capabilities – Fortinet (FortiGate)
- Support for URL-type objects of External Resource has been added.

Vendor Support and Improvements

Added Silver Peak API key authentication support.
Added IPv6 BGP neighbors support for Arista (EOS), Cisco (IOS, IOS-XE, NX-OS), FS (FSOS), PaloAlto (PAN-OS).
Added support for IPv6 BGP Route limit - see documentation
- Arista: EOS
- Cisco: NX-OS, IOS, IOS-XE, IOS-XR, Viptela
- Juniper: JunOS
- Nokia: TiMOS
Added URL filtering support in firewall rules for Cisco (FTD), Fortinet (FortiGate), PaloAlto (PAN-OS).
Added support for SR-MPLS TE with BGP On-Demand Next Hop (ODN) functionality for Cisco (IOS-XR).
Added threat feeds support for FortiGate firewalls (IP lists only).
The HP vendor has been renamed to HPE.
The bookmark Detail for all AWS devices has changed. The differences are:
- The Family column value is now empty (previously was set to ec2)
- The Version column value is now empty (previously was set to 2016-11-15)
Added support for Nokia TiMOS version 23 and above

Technology Tables

Unmanaged Neighbors Detail – Fixed an issue in the Technology → Interfaces → Connectivity matrix → Unmanaged Neighbors Detail table where Intent Verification rules could incorrectly highlight rows for specific datasets. Unique row IDs have been enforced to resolve the inconsistency.
Important

If Intent Verification rules were configured for this table, you may need to trigger their recalculation. To do this, you can either:
- In local settings of the relevant snapshot(s), toggle “Compute Intent Verification” off, save settings, then toggle the rule back on; or
- Manually unload and reload the relevant snapshot(s)

Site separation

Devices now automatically inherit their site name from connected peers via CDP/LLDP, STP topology neighbors, or devices in the same L3 network, in order of priority, when rule Try to assign devices without sites based on device neighborship is enabled.

Experimental Features

Newly added features which need to be explicitly enabled in service files. You can enable these yourself using our feature documentation or if you are not comfortable self-enabling these features or need further clarification, contact our Support or Solution Architect team. We will gladly help you.

Configuration Management Optimizations

To accelerate device configuration retrieval, you can try to enable different Git performance optimizations for configuration management.