
IP Fabric v7.0

Upgrade Version Policy

We support the following upgrade paths:

  • The latest version in the previous major line → any version in the current major line (for example, 5.0.2 → 6.1.3).
  • Any version in the current major line → any newer version in the current major line (for example, 6.0.1 → 6.2.3).
  • The latest version in the current major line → any version in the next major line (for example, 6.2.5 → 7.1.3).

Clearing Browser Cache

After upgrading IP Fabric to a newer version, you should see the "Your application has been updated and must be refreshed" dialog in the main GUI.

It is usually sufficient to just click the Refresh button.

However, in case of issues with the main GUI or if you did not see the mentioned dialog, please force refresh your browser cache.

The key combination for doing this depends on your operating system. In your browser window with your IP Fabric appliance’s URL open, use one of the following key combinations:

  • Windows: Ctrl + F5
  • macOS: Command + Shift + R
  • Linux: Ctrl + F5

This will only affect the browser cache for the IP Fabric appliance.

v7.0.8 (December 13th, 2024; EA)

New Features

  • AWS Network Load Balancers support – data collection & E2E path lookup via NLB nodes for all listener types. Path lookup via AWS private link is not supported yet.

    Don’t forget to update IAM policy

    To collect AWS Network Load Balancers, the respective IAM policy has to be updated. You can download the new policy here. The only difference from the previous policy is a new statement allowing all Describe* API endpoints in the elasticloadbalancing service:

    {
      "Sid": "IPFabricElasticLoadBalancing",
      "Effect": "Allow",
      "Action": [
          "elasticloadbalancing:Describe*"
      ],
      "Resource": "*"
    }
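
An added example, not part of IP Fabric's policy or tooling: a least-privilege check that a policy document grants the new elasticloadbalancing:Describe* read access and no write access in that service. The sample policies are constructed, the probe action names are real Elastic Load Balancing API operations chosen for illustration, and Resource, Condition and NotAction are not evaluated.

```python
from fnmatch import fnmatchcase

# Real ELB read operations used as probes for the Describe* grant.
REQUIRED = ["elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth"]
# Real ELB write operations a read-only collector should never hold.
FORBIDDEN = ["elasticloadbalancing:CreateLoadBalancer",
             "elasticloadbalancing:ModifyListener",
             "elasticloadbalancing:DeleteLoadBalancer"]

def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    """True if any Action pattern covers the action (IAM actions are case-insensitive)."""
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def is_allowed(policy, action):
    """An explicit Deny wins; otherwise at least one Allow must match."""
    statements = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in statements)

def audit(policy):
    """Return (required read actions not granted, write actions that are granted)."""
    missing = [a for a in REQUIRED if not is_allowed(policy, a)]
    excess = [a for a in FORBIDDEN if is_allowed(policy, a)]
    return missing, excess

# Constructed policies: GOOD carries the statement shown above, OLD lacks it,
# BROAD grants the whole service instead of Describe* only.
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IPFabricElasticLoadBalancing", "Effect": "Allow",
     "Action": ["elasticloadbalancing:Describe*"], "Resource": "*"}]}
OLD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("OLD", OLD), ("BROAD", BROAD)):
        missing, excess = audit(policy)
        print(name, "missing:", missing, "excess:", excess)
```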
    

v7.0.7 (December 5th, 2024; EA)

Post-Upgrade Notices

If you are using custom Role-Based Access Control (RBAC) to restrict access to certain IP Fabric elements based on role, ensure that users have the appropriate permissions for new tables and capabilities. After the upgrade, please run the script found in the Python SDK: Managed RBAC Configuration (managed_rbac.py).

Upgrade to 7.0 will break custom SSO integrations and will require a change to the /etc/ipf-dex.yaml file. Simply replace the versioned redirectURIs with api/oauth2/external/<SSO_PROVIDER_NAME> and then run systemctl restart ipf-dex.

staticClients:
  - id: ipfabric
    redirectURIs:
      - "https://<YOUR_IPF_INSTANCE_URL>/api/oauth2/external/<SSO_PROVIDER_NAME>"

For more information, please refer to the SSO documentation. If you would like assistance, please contact your Solution Architect or Support Team.

New Features

Extensions (Engineering Preview)

In the 7.0 release, we’re introducing Extensions, a new feature that allows users to add tailored functionality to their IP Fabric instance. Extensions can:

  • Generate custom reports (e.g., DORA)
  • Transform data in real-time (custom tables)
  • Enrich your data through external source integration (CVE information for devices)
  • Implement business-specific processing logic (global search)
  • and much more…

Extensions are managed and accessed through the standard IP Fabric UI under Extensions in the main menu.

Feature activation

Starting with version 7.0, Extensions can be enabled with the ENABLE_EXTENSIONS=true feature flag in the global /etc/default/ipf-appliance-local file.

Flexible deployment options

Extensions support two streamlined deployment methods:

  • Source Code Deployment: Submit your source code and Dockerfile in a ZIP archive for automated building and deployment
  • Pre-built Container Deployment: Upload your pre-built Docker image (a container image created with the docker save command; the file must have a .tar extension) for immediate execution

Technical Specifications

  • Extensions run as containers alongside your main application
  • Each extension has to listen on port 80/tcp for incoming traffic
  • Standard communication flows:
    • Container → Host: Port 443 (for API requests)
    • Host → Container: Port 80 (for extension UI)
  • Full external network access support for integration with third-party services

Storage Considerations

Please note that Extensions utilize temporary storage in the /tmp folder for:

  • Uploaded source code archives
  • Docker image files

These artifacts are automatically cleaned up according to your system’s temporary storage management policies.

Access Control and Permissions

Extensions are governed by a set of atomic permissions that can be assigned through security policies. By default, administrative accounts have full access to all Extensions functionality.

Manageable permissions include:

  • Viewing Extensions dashboard
    • GET: /extensions
  • Viewing Extension details
    • GET: /extensions/{extensionId}
  • Registering new Extensions
    • POST: /extensions/docker-image
    • POST: /extensions/docker-zip
  • Starting/Stopping Extensions
    • POST: /extensions/{extensionId}/start
    • POST: /extensions/{extensionId}/stop
  • Un-registering Extensions
    • DELETE: /extensions/{extensionId}
  • View Extension logs
    • GET: /extensions/{extensionId}/logs
  • Download Extension logs
    • GET: /extensions/{extensionId}/logs/download

Each operation requires its specific permission, and unauthorized actions are prevented both at UI level (hidden buttons) and API level (403 Forbidden responses).

GUI

  • Early Snapshot-Data Availability – The GUI now shows available data (tables and diagrams) for snapshots that are still in progress or in an error state.

    Important

    Since this data is displayed while still being processed, it may be incomplete.

  • Discovery force stop – A new Force Stop button has been added next to the Stop button for immediate discovery termination.

    • API endpoint /jobs/{key}/force-stop

      If You Choose to Force Stop Discovery

      The snapshot data may be inconsistent and unusable.

      To ensure UI access is maintained after a discovery Force Stop, any system jobs scheduled to start afterward will be cancelled.

  • Pinnable Pages in the Technology Tables – Each page in the Technology Tables can be pinned to the main menu under the Technology section, see Pin Pages to the Main Menu for Quick Access.
  • Dashboard with Multiple Views – You can now create multiple views on your Dashboard fitting your needs. Just add a new tab panel, give it a name and select desired widgets.
  • IPv4 Managed IP Summary table – A new table providing an overview of sites and all their IPv4 subnets. For each subnet, it provides information about its gateways, the count of users, and the total counts of different VLAN IDs and VRF names. This new table is going to replace two existing technology tables – Managed Networks and Gateway redundancy – which are now deprecated and will be removed in the next major IPF release. Unlike the existing tables, the new table provides information about all subnets regardless of the devices where they are configured.

For more information, please refer to the IPv4 Managed IP Summary table documentation.

Cloud

  • New Cloud Tables – New public-cloud tables provide more information for AWS, Azure, and Google Cloud Platform (GCP):

    • AWS
      • /tables/cloud/vendors/aws/inventory
    • Azure
      • /tables/cloud/vendors/azure/inventory
    • GCP
      • /tables/cloud/vendors/gcp/inventory
    • Silverpeak
      • /tables/sdwan/silverpeak/overlay
      • /tables/sdwan/silverpeak/underlay
    • Viptela
      • /tables/sdwan/viptela/bfd-sessions
      • /tables/sdwan/viptela/bfd-summary
      • /tables/sdwan/viptela/control-connections
    • General Public Cloud Tables
      • /tables/cloud/nodes/inventory
      • /tables/cloud/nodes/tags
  • AWS Direct Connect Transit VIF support – Routing via Transit Virtual Interfaces over dedicated/hosted connections is now supported in E2E path lookup. To enable this, the new task “BGP Advertised Routes” must be activated on the on-prem routers where AWS Direct Connect connections terminate. More information can be found in the Dynamic Routing section.

SD-WAN

  • New Capabilities – Cisco Viptela – New tables collect Bi-directional Forwarding Detection (BFD) and control plane connection data.

    • BFD Sessions Table – Contains IP addresses, Site IDs, encapsulation type, source and destination IP addresses and ports, interface information, and uptime status.
    • Control Connections Table – Contains peer type and protocol, Site ID, peer private/public IP and port, and uptime status.
    • BFD Summarization Table – Displays the number of total sessions, active sessions, sessions flapping, and the maximum sessions allowed.
  • New Capabilities – Silverpeak – New tables show overlay and underlay information:

    • Overlay Table – Contains SD-WAN bonded tunnel information with status and uptime.
    • Underlay Table – Contains IPsec tunnels that map to discrete transports.
  • New Capabilities – Versa Networks – Configuration backup support has been added for devices when network discovery is running in combined/hybrid (CLI+API) mode.

Network Discovery

  • New Capabilities – Check Point – The ability to collect Enforcement Point data using a new extended command, allowing access to expert mode when explicitly defined. See Checkpoint Known Issues.
  • New Capabilities – Palo Alto – The ability to collect LSVPN (Large Scale VPN) endpoint information. New tables:

    • Gateways - list of discovered LSVPN Gateways and their settings
      • /tables/security/lsvpn/gateways
    • Satellites - list of all connected satellites and their settings
      • /tables/security/lsvpn/satellites
  • New Capabilities – Stormshield:

    • Support for collecting NAT rules has been added.
    • Stormshield devices are now discovered automatically by default.
  • New Vendor – Google Cloud Platform:

  • Duplicate IP Discovery – The ability to discover duplicate IP addresses in the same network can now be allowed explicitly in the GUI.

    Important

    If you previously configured SUBNETS_TO_ALLOW_PROCESSING_DUPLICIT_IP in the tasker service, you will need to manually set the subnets again in the GUI.

  • Pagination on actrlRule API endpoint – The Cisco APIC actrlRule API endpoint has a default paging size of 50,000 records (previously, the lack of a paging limit led to slow or unsuccessful data collection). The page size can be adjusted using the ACI_ACTRLRULE_PAGESIZE configuration flag. Please contact our Support team if you need to lower the default value.

Diagrams

  • Added Media to xDP line cap labels – you can now configure diagrams to show Media information as a line cap label for xDP links.
  • Visio Export – An “Export to VSDX” button has been added to the Diagrams toolbar. This feature allows diagrams to be exported as .vsdx files, which can be opened in Visio.

    NOT Supported

    • Export of Intent checks in diagrams (colorful nodes are not supported).
    • Export of temporarily visible hidden nodes in “Show Hidden Nodes” mode.
    • Export of group boundaries.

Interactive API Documentation

  • Explore and Test Workflows Directly From the API Documentation – Interactive API documentation (powered by RapiDoc) allows you to see predefined schemas and make requests directly from your web browser. You can find it at https://<host>/api/rapidoc.

Dynamic Routing

  • New BGP Table – Advertised Routes – A new table in Technology → Routing → BGP has been added to provide more information about BGP routes being advertised to neighbors.

    BGP Advertised Routes task

    The data collected for this table can be substantial, so the task BGP Advertised Routes is disabled by default.

    This table will only populate if the related collector task is explicitly enabled.

    To enable it, delete the BGP Advertised Routes rule from the list under Settings → Discovery & Snapshots → Discovery Settings → Disabled Discovery Tasks.

Support for Future Functionality

  • Docker Container Support – Docker runtime has been added to the appliance for future accelerated extensibility.
  • New Database Added – PostgreSQL 15 has been added to the appliance for future scalability and performance improvements.
  • Add External Services to Appliance – A new script, /opt/ipf-debian-repositories/bin/ipf-debian-repositories.sh, can be used to re-enable official Debian repositories.

Improvements

  • Device-Based Advanced Filters – Filter tables based on device properties such as Vendor, Family, Model, and Version.
  • Server Overload Detection – We’ve enhanced the overload detection for all HTTP-based vendor API clients. Now, if an overloaded server message is received, the system pauses for a specified duration before retrying.
  • Site Separation Automatic Site Name Identification – Enhanced the option to build advanced Site Name values using RegEx template strings. See Site Separation.
  • Format Change for Techsupport Files – Techsupport files are now compressed with zstd (instead of gzip) for improved speed and compression ratio.
  • Unnecessary Tables Have Been Removed:

    • Technology → Interfaces → Average Rates → Data
    • Technology → Interfaces → Average Rates → Errors
    • Technology → Interfaces → Average Rates → Drops
  • Renamed Initial Configuration Command
    • This is a reminder that in the previous 6.9.x release, nimpee-net-config was renamed to ipf-cli-config to align with the current product name.
      • This change remains valid for 7.0.x and newer versions.

API Changes

Several API endpoints have been updated or removed in this major release. This could result in breaking your automation and system workflows. Please consult your Operations or DevOps team to double-check if you use these endpoints.

Replaced Endpoints

  • /tables/sdwan/links → /tables/sdwan/versa/links
  • /tables/sdwan/sites → /tables/sdwan/versa/sites
  • /tables/load-balancing/f5-partitions → /tables/load-balancing/partitions
  • /tables/mpls/l2vpn/curcit-cross-connect → /tables/mpls/l2vpn/circuit-cross-connect
  • /tables/cloud/virtual-machines-interfaces → /tables/cloud/endpoints/virtual-machines-interfaces
  • /tables/cloud/virtual-machines → /tables/cloud/endpoints/virtual-machines
  • /tables/management/osver-consistency replaced with the following:

    • /tables/inventory/os-version-consistency/platforms
    • /tables/inventory/os-version-consistency/models
  • The API version is no longer part of the token endpoint, making the following path inaccessible:

    • <API_VERSION>/auth/token
    • Please use /auth/token instead.
  • /licenses/validity was updated because it does not need authentication and previously exposed the maximum number of devices, which can be considered sensitive information.

    • The same information can now be retrieved at /licenses/info, which requires authentication.
    • The /licenses/validity endpoint no longer contains the devices field.

Removed Endpoints

  • /tables/networks/domain
  • /tables/spanning-tree/radius
  • /tables/spanning-tree/topology
  • /tables/addresing/path-lookup-sources
  • /tables/attributes/summary
  • /tables/interfaces/transfer-rates/*
  • /tables/interfaces/errors/*
    • except /tables/interfaces/errors/disabled
  • /tables/interfaces/drops/*
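
An added example, not IP Fabric code: a scanner that reports where automation scripts still reference the replaced and removed endpoints listed above, including the versioned token path. The sample script is constructed, and the v6.9-style form used for <API_VERSION> is an assumption.

```python
import re

# Old path -> replacement(s), copied from the "Replaced Endpoints" list.
REPLACED = {
    "/tables/sdwan/links": ["/tables/sdwan/versa/links"],
    "/tables/sdwan/sites": ["/tables/sdwan/versa/sites"],
    "/tables/load-balancing/f5-partitions": ["/tables/load-balancing/partitions"],
    "/tables/mpls/l2vpn/curcit-cross-connect":
        ["/tables/mpls/l2vpn/circuit-cross-connect"],
    "/tables/cloud/virtual-machines-interfaces":
        ["/tables/cloud/endpoints/virtual-machines-interfaces"],
    "/tables/cloud/virtual-machines": ["/tables/cloud/endpoints/virtual-machines"],
    "/tables/management/osver-consistency": [
        "/tables/inventory/os-version-consistency/platforms",
        "/tables/inventory/os-version-consistency/models"],
}
# Exact paths and wildcard prefixes, copied from the "Removed Endpoints" list.
REMOVED = {"/tables/networks/domain", "/tables/spanning-tree/radius",
           "/tables/spanning-tree/topology",
           "/tables/addresing/path-lookup-sources", "/tables/attributes/summary"}
REMOVED_PREFIXES = ("/tables/interfaces/transfer-rates/",
                    "/tables/interfaces/errors/", "/tables/interfaces/drops/")
STILL_VALID = {"/tables/interfaces/errors/disabled"}

# Whole path tokens are compared, so .../virtual-machines never matches
# inside .../virtual-machines-interfaces or inside its own replacement.
PATH_RE = re.compile(r"/tables/[\w\-/]+")
# Assumption: <API_VERSION> looks like v6.9 or v7.
VERSIONED_TOKEN_RE = re.compile(r"/v\d+(?:\.\d+)*/auth/token")

def scan(text):
    """Return (line_no, old_path, advice) for each endpoint affected by 7.0."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in PATH_RE.finditer(line):
            path = m.group().rstrip("/")
            if path in REPLACED:
                findings.append((no, path, "replaced by " + ", ".join(REPLACED[path])))
            elif path in REMOVED or (path.startswith(REMOVED_PREFIXES)
                                     and path not in STILL_VALID):
                findings.append((no, path, "removed in 7.0"))
        for m in VERSIONED_TOKEN_RE.finditer(line):
            findings.append((no, m.group(), "use /auth/token"))
    return findings

# Constructed sample of an automation script (hypothetical post() helper).
SAMPLE = """\
token = post('/api/v6.9/auth/token', creds)
links = post('/tables/sdwan/links', query)
vms = post('/tables/cloud/virtual-machines', query)
nics = post('/tables/cloud/endpoints/virtual-machines-interfaces', query)
errs = post('/tables/interfaces/errors/bidirectional', query)
off = post('/tables/interfaces/errors/disabled', query)
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("line %d: %s -> %s" % finding)
```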

Added Endpoint

Along with the other new features and tables mentioned in this release note, the following new endpoints have also been added:

  • /settings/networks/exclude: Append discovery networks settings exclude list
  • /tables/addressing/ipv4-managed-ip-summary: Provides data for a new IPv4 Managed IP Summary table
  • /tables/security/lsvpn/gateways: List of discovered LSVPN Gateways and their settings
  • /tables/security/lsvpn/satellites: List of all connected satellites and their settings

Replaced Endpoint Properties

  • NTP Synchronization Status – Some vendors report reachable status along with synchronization status, leading to incorrectly marking some sources as not reachable.
    • The following columns have been renamed to more accurately reflect their property:
      • /tables/management/ntp/summary: reachableSources → synchronizedSources
      • /tables/management/ntp/sources: reachable → sync

Removed Endpoint Properties

  • /tables/networks/policies/routing/interfaces: status
  • /tables/inventory/devices: mac

Frontend URL Changes

Removed Alias f in URLs

  • Support for f as an alias for filters in table URLs has been dropped.

    Removed URL

    https://<IPF_IP_or_FQDN>/inventory/os-versions?options={"f":{"and":[{"version":["eq","15.5(2)T"]},{"platform":["eq","i86bi_linux"]}]}}

    Still Supported URL

    https://<IPF_IP_or_FQDN>/inventory/os-versions?options={"filters":{"and":[{"version":["eq","15.5(2)T"]},{"platform":["eq","i86bi_linux"]}]}}

Moved table URLs

  • Managed IPv4 table was moved from /technology/addressing/managed-ip to /technology/addressing/managed-ip/ipv4.

System Administration UI Deprecation

System administration UI on port 8443 will be removed in the near future. In version 7.0, we are introducing replacements for its functionality.

Intent Rules

New Rules

  • Technology → Management → Banner → Summary: Device Banner
    • Green – Devices with either a MOTD or Login Banner configured.
    • Yellow – Devices with no MOTD and no Login Banners configured.
  • Technology → Management → Banner → Banners: Banner Text
    • Green – Banner contains message on authorized use, monitoring, and penalties.
    • Yellow – Banner does not contain message on authorized use, monitoring, and penalties.

Updated Rules

  • Technology → Management → NTP → Summary: NTP Synchronized Sources
    • Updated descriptions from “reachable” to “synchronized”.
    • Corrected calculations of Success (green) rule causing an internal error.
  • Technology → Management → NTP → Sources:
    • NTP Stratum Level: Updated Error (red) rule from stratum==16 to stratum>=16.
    • NTP Time Offset:
      • Corrected calculation of Success (green) to only report if offset is not empty.
      • Corrected calculation of Info (blue) to use correct offset column.
    • NTP Network Round-Trip Time:
      • Corrected calculation of Success (green) to only report if delay is not empty.
  • Technology → Management → SNMP → Communities:
    • SNMP Community Name: Corrected to match the name with a case-insensitive equality comparison.
  • Technology → Environment → Power Supplies:
    • Power-Supply State:
      • Updated State so not present is informational (blue) rather than error (red).
      • Added alarm and power loss to the error State.

Fixes

  • RP Mappings Groups – Ensured the ID of each individual row is unique, resolving a potential issue where Intent Verification rules might have incorrectly highlighted rows for certain datasets in the Technology → Multicast → RP → RP Mappings groups table.

    Important

    If Intent Verification rules were configured for this table, you may need to manually unload and reload specific snapshots to ensure proper functionality.

  • NSX-T Rate Limiter – Fixed a bug where, in rare cases, NSX-T discovery issues occurred due to the NSX-T server becoming overloaded.
  • Juniper Mist API limitations – The Juniper Mist API client now uses a specific wait time from the controller’s overloaded response, preventing session termination when the default 5000 calls per hour limit is reached.

Beta Features

If you’re interested in trying our new beta features, please contact your Customer Success Manager for assistance with enabling these features.

  • VeloCloud Discovery Enhancements

    • Enhanced VeloCloud discovery with basic networking support, including:
      • IPv4
      • IPv6
      • ARP
      • neighborDiscovery
      • fhrp
      • l2Interfaces
      • l3Interfaces
      • MAC
      • neighbors
      • portChannel
      • routingTable
      • stp
      • vlan
    • New VeloCloud Overlay Table: /tables/sdwan/velocloud/overlay
  • Opengear Discovery
    • Additional Opengear console servers can be discovered:
      • ACM700x
      • CM71xx
      • CM81xx
      • OM12xx
      • OM22xx