IP Fabric v7.11
Upgrade Version Policy
We support the following upgrade paths:
- The latest version in the previous major line → any version in the current major line (for example: 6.10.7 → 7.3.25).
- Any version in the current major line → any newer version in the current major line (for example: 7.0.15 → 7.3.25).
- An upgrade to 7.5 can only be performed from version 7.3.25 or newer.
- An upgrade to 7.11 can only be performed from version 7.5.14 or newer.
Clearing Browser Cache
After upgrading IP Fabric to a newer version, you should see the "Your application has been updated and must be refreshed" dialog in the main GUI.
It is usually sufficient to just click the Refresh button.
However, in case of issues with the main GUI or if you did not see the mentioned dialog, please force refresh your browser cache.
The key combination for doing this depends on your operating system. In your browser window with your IP Fabric appliance’s URL open, use one of the following key combinations:
- Windows: Ctrl+F5
- macOS: Command+Shift+R
- Linux: Ctrl+F5
This will only affect the browser cache for the IP Fabric appliance.
Known Issues
Maximum Number of Parallel Sessions Setting in GUI Is Not Enforced
The Maximum number of parallel sessions value configured in the GUI is not propagated to discovery workers, so discovery runs in unlimited mode regardless of the configured value.
A workaround is available through worker settings, but it requires manual changes to service files with Support assistance. Customers who need this limit enforced should contact Support.
Fix delivered in version 7.11.5.
Support Status Page Endpoint Error
When a policy excludes the GET /support/status endpoint in API scope, the Support Status page may intermittently switch between loading correctly and showing a 403 Failed to load data error.
Workaround: Include GET /support/status in the policy. This allows access to hardware information while still restricting actions such as service restarts.
Wrong Elapsed Time When Loading a Snapshot
When loading a previously unloaded snapshot, the displayed elapsed time may appear unexpectedly high. This is a display issue only and does not affect data integrity.
v7.11.7 (May 12th, 2026; GA)
Improvements
- Improved Azure Path Lookup handling.
- Optimized the Connectivity Report query, reducing load time by about 6 seconds.
Bug Fixes
- Resolved AWS Discovery errors: Cannot read properties of undefined (reading 'send') and ABRequestFailed.
- Applied critical Azure Discovery fixes:
  - Resolved global peering route handling.
  - Fixed cross-subscription prefix resolution.
  - Resolved validation errors across several Azure services.
v7.11.5 (May 5th, 2026; GA)
Improvements
- Discovery follows the maximum number of parallel SSH sessions set in the settings.
- Optimized the PostgreSQL queries setCliJobsAsFoundNotInSubnets and getSwitchToAp, which prolonged discovery time.
- Improved scanner performance by excluding local routes and routes from the exclude list during scanning.
- Improved handling for Vendor API discovery: when a connect ETIMEDOUT error occurs, the system sends the request again.
- When rediscovery of a device occurs, it respects snapshot settings.
- Improvements of Azure and GCP discovery.
Bug Fixes
- Fixed duplicated Path Inspector path options occurring on port-channels.
- Corrected Palo Alto security policy evaluation where self-originated traffic was incorrectly matched against Security Policy rules.
- Cisco ACI fixes:
  - Corrected ACI Security Evaluation to prevent unexpected deny results for allowed traffic in E2E Path Lookup.
  - Fixed E2E Path Lookup security evaluation to use the correct VNI for Cisco ACI environments.
- Updated MikroTik OSPF parsing to allow routerId to be a string instead of strictly validating it as an IP address.
- Corrected Fortinet FortiGate NAT44 parsing so rules disabled with “set status disable” are no longer shown as “Active - Yes” in the NAT44 table.
- Fixed Cisco IOS-XE syslog parsing on C9300-48U (cat9300) devices so “logging host FQDN ipv4” entries display the actual FQDN instead of “FQDN” as the host.
v7.11.3 (April 22nd, 2026; GA)
New Features
MCP Server – AI Assistant Integration
The new MCP Server enables seamless integration between IP Fabric and AI assistants (such as GitHub Copilot and Claude Desktop) via the Model Context Protocol (MCP). It allows AI assistants to query network data, analyze paths, and assess network health — see the full documentation to learn about its capabilities. The MCP Server is built into the IP Fabric appliance and can be enabled in Settings → Integration → MCP Server.
Cloud Load Balancers – SSL Certificate Visibility
IP Fabric now provides visibility into managed SSL/TLS certificates associated with supported cloud load balancers. Certificates are collected and displayed in a dedicated table at Technology → Security → SSL Certificates, with direct access from related load-balancing tables.
Supported platforms:
- Azure — Application Gateway (L7 regional load balancer)
- AWS — Application Load Balancer, Network Load Balancer
This helps security and network teams inventory certificates, identify expiring or expired certificates, and improve their overall security posture.
Do Not Forget to Update Cloud IAM Policies
To collect SSL/TLS certificate information for cloud load balancers, the required IAM policies must be updated on both supported platforms.
Azure: If Azure Key Vault access is configured with role-based access control, update the Azure IAM policy to grant the permissions required to collect certificate data.
Download the updated policy here.
AWS: If you are using AWS API discovery, update your IAM policy to include AWS Certificate Manager (ACM) permissions so IP Fabric can retrieve SSL/TLS certificate details associated with load balancers and other AWS services.
- Users of the Simplified policy must update to: IAM-policy-IPF_simplified_7.11_or_newer.json
- Users of a previous Granular policy version must update to: IAM-policy-IPF_7.11-full.json
For more details, see AWS API Configuration – Required IAM Policy.
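Before swapping in an updated IAM policy, it helps to see exactly which actions the new file grants that the old one did not. The following is an added example, not IP Fabric's code: it diffs two AWS IAM policy documents and separates newly allowed read-only calls from anything else. The two inline policies are constructed samples, not the contents of the IP Fabric policy files, and the ACM action names in them are assumptions.

```python
import json

READ_ONLY_VERBS = ("list", "describe", "get")

def allowed_actions(policy):
    """Map lower-cased action -> action as written, for Allow statements only.
    IAM action names are case-insensitive; NotAction is not handled here."""
    actions = {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a lone statement may be an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        value = stmt.get("Action", [])
        for action in ([value] if isinstance(value, str) else value):
            actions.setdefault(action.lower(), action)
    return actions

def is_read_only(action):
    """True for service:List*/Describe*/Get*; a bare '*' or 'service:*' is not."""
    if ":" not in action:
        return False
    return action.split(":", 1)[1].lower().startswith(READ_ONLY_VERBS)

def review_delta(old_policy, new_policy):
    """Classify actions that the new policy allows and the old one did not."""
    old, new = allowed_actions(old_policy), allowed_actions(new_policy)
    added = sorted(new[key] for key in new.keys() - old.keys())
    return {"read_only": [a for a in added if is_read_only(a)],
            "needs_review": [a for a in added if not is_read_only(a)]}

# Constructed sample policies, NOT the contents of the IP Fabric policy files.
# The ACM action names are assumed; ExportCertificate is included only to
# show what a flagged entry looks like.
OLD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:DescribeInstances",
   "elasticloadbalancing:DescribeLoadBalancers"], "Resource": "*"}]}""")
NEW_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:describeinstances",
   "elasticloadbalancing:DescribeLoadBalancers",
   "acm:ListCertificates", "acm:DescribeCertificate"], "Resource": "*"},
  {"Effect": "Allow", "Action": "acm:ExportCertificate", "Resource": "*"}]}""")

if __name__ == "__main__":
    print(json.dumps(review_delta(OLD_POLICY, NEW_POLICY), indent=2))
```

The read-only split is a naming heuristic: a Get call can still return sensitive data, so treat that list as lower risk rather than approved. Actions already covered by a wildcard in the old policy are still reported as added, which errs on the side of review.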
Improvements
- Improved the stability and reduced the memory footprint of the syslogWorker (responsible for ingesting data into Configuration Management) and of all remaining discovery workers.
- Improved discovery logging by replacing the logging library for discovery workers. This resolved missing logs and memory leaks due to logging issues.
Path Lookup
- We extended path lookup support to redirect traffic to an Azure VM after transit. The implementation currently supports only a single destination IP address. Support for a destination subnet will be added in the future. For now, traffic to a subnet destination is dropped.
Vendor Support and Improvements
- GCP
  - Added support for classic VPN gateways.
  - Added support for dynamic routes exchanged over VPC Peering.
  New GCP Permission Required
  The compute.networks.listPeeringRoutes permission must be added to your GCP IAM role to enable this feature.
- Azure
  - Added support for ExpressRoute circuits in Virtual WAN.
  - Improved routing for Azure VPN and ExpressRoute gateways (Virtual Hub).
  - Added BGP support for Azure VPN Gateway (Virtual Hub).
  Do Not Forget to Update Azure IAM Policy
  The IAM policy must be updated to grant the necessary permissions for collecting VPN Gateway routes, BGP peer details, and Virtual Hub routing intent information.
  You can download the new policy here.
- AWS
  - Updated IAM policies to include AWS Certificate Manager (ACM) permissions required for SSL/TLS certificate discovery.
- Meraki
  - SD-WAN
    - Added support for Meraki SD-WAN (AutoVPN).
    - SD-WAN connections are now listed in Technology → SD-WAN → Meraki.
    - Meraki SD-WAN links are now shown in both the Network Diagram and Path Lookup.
    - This enhancement improves visibility and troubleshooting of Meraki SD-WAN connectivity in IP Fabric.
  - IPsec
    - Added support for Meraki IPsec tunnels.
    - All configured tunnels are listed in Technology → Security → IPsec.
    - Path Lookup and routing information currently support only statically configured routes for IPsec; BGP is not yet supported.
    - IPsec tunnels are now shown in both the Network Diagram and Path Lookup.
- D-Link
  - Added support for basic discovery of D-Link DGS-1250 family switches. See Feature Matrix for more details.
  - Covered features include:
    - Platform & system: init, device information
    - Configuration
    - Interfaces: Layer 2 interfaces, Layer 3 interfaces, port-channel
    - Network data: ARP, MAC table, LLDP
    - Routing & switching: routing table, STP, VLAN
    - Management: AAA, DNS client, NTP, SNMP, logging
Miscellaneous
- The Feature Flag ENABLE_ACI_SERVICEGRAPHS_ENDPOINTS has been removed, and endpoints related to service graphs are now always downloaded.
Topology Calculation Technical Changes
- Network topology calculation has been relocated from the tasker process to a dedicated topology calculation job running within the API process. This change was implemented for technical and architectural reasons and lays the foundation for upcoming advanced product features.
- Topology calculation logs are now clearly distinguishable from general tasker process logs through the addition of a dedicated label prefix: [topology-calculation].