IP Fabric v7.3

Unreleased Version

This is an upcoming IP Fabric version, which has not been released yet and is not available for download.

Upgrade Version Policy

We support the following upgrade paths:

The latest version in the previous major line → any version in the current major line (for example, 6.10.7 → 7.2.17).
Any version in the current major line → any newer version in the current major line (for example, 7.0.15 → 7.2.17).

Clearing Browser Cache

After upgrading IP Fabric to a newer version, you should see the Your application has been updated and must be refreshed dialog in the main GUI.

It is usually sufficient to just click the Refresh button.

However, in case of issues with the main GUI or if you did not see the mentioned dialog, please force refresh your browser cache.

The key combination for doing this depends on your operating system. In your browser window with your IP Fabric appliance’s URL open, use one of the following key combinations:

Windows: Ctrl + F5
macOS: Command + Shift + R
Linux: Ctrl + F5

This will only affect the browser cache for the IP Fabric appliance.

v7.3.11 (June 12^th, 2025; EA)

SHA256 (ipfabric-update-7-3-11+0.tar.zst.sig) = 54e070dbc5f6e234fc31c4ff60cef8b65f377680f2fb798215e411984c16dc1e
MD5 (ipfabric-update-7-3-11+0.tar.zst.sig) = 381e65722f9116579d51cad92096ff49
SHA256 (ipfabric-7-3-11+0.qcow2) = bcd9f70e6fe6a77e6e7186fb7b8f6293a1a54a177dc60c622ddbf718842378d4
MD5 (ipfabric-7-3-11+0.qcow2) = d892a4ae587df76b310ae0e21bb7f966
SHA256 (ipfabric-7-3-11+0.vmdk) = a9ec4da803c336744a70c693f2da65a849ad6e4254c74660056daac13bd73fcf
MD5 (ipfabric-7-3-11+0.vmdk) = 1952220e753456ae694a83c4d75027f2
SHA256 (ipfabric-7-3-11+0.vhdx.zst) = ab3a565052c7b4f489775c36ad1429d60a981b1d38fa74b5ed17450e75cb3518
MD5 (ipfabric-7-3-11+0.vhdx.zst) = d42bf3b5316fa9ab5481144a028d74ba
SHA256 (unsupported-ESXi6.7U2-ipfabric-7-3-11+0.ova) = 835d9b72e0b170b948e3d6bf28099519aa38d9717e93fac643eafd02891e2f10
MD5 (unsupported-ESXi6.7U2-ipfabric-7-3-11+0.ova) = 95dce75ad50d6215280a736528d14536
SHA256 (unsupported-ESXi7.0-ipfabric-7-3-11+0.ova) = a4c535faa7cc3fc71a105983e9e4230e4885b11e71850663f03398a2b7bf3f66
MD5 (unsupported-ESXi7.0-ipfabric-7-3-11+0.ova) = a2ebbb5e3825593d982ff3297fa6910a
SHA256 (ESXi8.0-ipfabric-7-3-11+0.ova) = f34ea13d960aa6fdcbfeb075d1c4ec933004bd0b45281ba09adc7f1a37d9778a
MD5 (ESXi8.0-ipfabric-7-3-11+0.ova) = d903202c02a38c97f8beb00996f91975

Known Issues

Configuration Management Process Fails to Close SSH Sessions

On HPE arubasw family devices, the Configuration Management process sometimes fails to terminate SSH connections properly. This occurs when a login banner isn’t detected, causing SSH sessions to remain open indefinitely.

To verify if this is happening, access your IP Fabric appliance’s command line interface and execute the following when the Configuration Management process is not running:

netstat -tnpa | grep 'ESTABLISHED' | grep syslogWorkerBu | grep :22

If you see persistent SSH connections, the output will display multiple active sessions like this:

root@ipfabric:~# netstat -tnpa | grep 'ESTABLISHED' | grep syslogWorkerBu | grep :22
tcp        0      0 10.0.192.108:52784      10.20.94.22:22          ESTABLISHED 624/syslogWorkerBui
tcp        0      0 10.0.192.108:22184      10.20.88.20:22          ESTABLISHED 624/syslogWorkerBui
tcp        0      0 10.0.192.108:27698      10.20.130.21:22         ESTABLISHED 624/syslogWorkerBui
tcp        0      0 10.0.192.108:30666      10.20.94.24:22          ESTABLISHED 624/syslogWorkerBui

To resolve this, restart the Configuration Management service with command:

systemctl restart ipf-discovery-syslogworker.service

New Features

IPv6 Discovery Support

Extended network discovery capabilities to support IPv6 networks alongside IPv4, ensuring all existing IPv4 functionality remains unaffected.

Backward Compatibility

Existing IPv4 discovery workflows continue to function as expected.
No changes are required for IPv4-only setups.

API Enhancements

The /settings API now accepts and processes IPv6 addresses in:
- Seed lists
- Include/Exclude/Whitelist networks
- Device credentials
- Custom SSH/Telnet ports
Address-type validation ensures that:
- IPv4 filters apply only to IPv4 addresses
- IPv6 filters apply only to IPv6 addresses

Discovery Configuration Updates

Introduced a new task type: NDPv6, available under Global Discovery Tasks settings.
IPv6 networks can now be discovered using a combination of:
- Seed addresses
- Include/Exclude/Whitelist networks
- Device credentials

Improvements

Technology Tables

New Tables

A new Virtual-wires table has been added under Technology → Interfaces, supporting:

Palo Alto PAN-OS
Cisco Firepower
Fortinet FortiGate / FortiOS
Forcepoint NGFW

New Columns

The following tables have been updated with new columns:

Inventory → Interfaces table:
- Last Status Change
Inventory → Devices table:
- Login IPv4
- Login IPv6
- Switch stack
Technology → Interfaces → Switchport table:
- Virtual Bridge
Technology → Addressing → MAC Table table:
- Virtual Bridge
Management → Discovery History table:
- Login IPv4
- Login IPv6
Management → Changes table:
- Login IPv4
- Login IPv6
Management → Changes → Managed IP table:
- IPv4 Address
- IPv6 Address
Management → Saved config consistency table:
- Login IPv4
- Login IPv6
Technology → Platforms → Cisco VSS → Chassis table:
- Switch Priority
Technology → Management → Telnet access table:
- Login IPv4
- Login IPv6
Technology → Management → Logging → Remote table:
- Host IPv4
- Host IPv6
- Src Address IPv4
- Src Address IPv6
Technology → Management → NTP → Sources table:
- Source IPv4
- Source IPv6
Technology → Management → SNMP → Trap Hosts table:
- Destination Host IPv4
- Destination Host IPv6
- Source IPv4
- Source IPv6
Technology → Security → AAA → Servers table:
- Server IPv4
- Server IPv6
- Source IPv4
- Source IPv6
Discovery Snapshot → Connectivity Report table:
- IPv4
- IPv6

Deprecated Columns

The following columns are now marked as deprecated:

Inventory → Devices → Login IP
Management → Discovery History → Login IP
Management → Changes → Login IP
Management → Changes → Managed IP → IP Address
Management → Saved config consistency → Login IP
Technology → Management → Telnet access → Login IP
Discovery Snapshot → Connectivity Report → IP

Login IP Deprecation

The Login IP (loginIp) column is being deprecated and replaced with loginIpv4 and loginIpv6. Please ensure all scripts, automations, or reports are properly updated to reflect this change.

Deprecated Tables

Removed tables of already deprecated API endpoints:
- Managed Networks
- Gateway Redundancy

IPv4 Managed IP Summary table

As of version 7.0, the Managed Networks and Gateway Redundancy tables have been replaced by the IPv4 Managed IP Summary table.

GUI

IP Input Enhancement:

Search Functionality: Users can perform keyword-based searches within the IP list to quickly locate specific entries.
IP List Management: Users can efficiently manage IP addresses through enhanced multi-selection capabilities. Multiple IPs can be selected via:
- Shift + Left Click to select range.
- Click-and-Drag, similar to text selection in a paragraph.
- Once selected, IP addresses can be copied or removed from the list.

Layout Optimization for Large Circular Graphs

In release 7.2, we added an autonomous optimization switch from circular to universal layout for graphs with more than 100 nodes. This functionality is now fully supported at the API level and is also fully integrated into the UI starting with this release.

Configuration Management

Simplified configuration selection for comparison.
Added a new Compare with previous version button to configuration entries in the table.

Network Discovery

New Device – AWS Application Load Balancer (ALB)
- Initial support for data collection & inventory. The path lookup via ALB is not supported yet.

New Device – Azure ExpressRoute Circuit (ERC)
- Data collection and end-to-end path lookup via ERC is now supported. The path lookup via ERC when deployed in vWAN is not supported yet.

New Device – Azure RouteServer (ARS)
- Initial support for data collection & inventory - end-to-end path lookup via Network Virtual Appliances has been improved.

New Capabilities – Arista
- Support for route-maps has been added.

New Capabilities – CheckPoint, Juniper
- Support for URL filtering has been added.

New Capabilities – PaloAlto (PAN-OS)
- Support for IP and PREDEFINED-IP type objects of External Dynamic List has been added.

New Device – Meraki Cloud-managed Catalyst Switches
- Now discoverable via the Meraki API
- Identification: Firmware prefix CS and Monitoring Version n/a
- Discovery can be disabled via feature flags.

Path Lookup

Using Palo Alto’s External Dynamic List in combination with end-to-end path lookup:
- To investigate a Path Lookup scenario for a specific IP expected to be in the dynamic list, use the Source / Destination IP fields and enter the IP address.
- If the content of the dynamic list is not available, or if you need to find where a specific list is being used, use the Source / Destination Region fields and enter the name of the list as it appears in the configuration.

Vendor Support and Improvements

Interface uptime/downtime is now available for Arista located in the new Last Status Change (lastStatusChange) column in the Inventory > Interfaces table.
Switch priority is now available for Cisco StackWise located in the new Switch Priority (switchPriority) Technology → Platforms → Cisco VSS → Chassis table.
Added IPv6 support for the FortiGate zone firewall task.
Added IPv6 support for FortiGate GRE tunnels.
Added IPv6 support for the Cisco ACI, ASA, IOS, and IOS-XE NTP task.
Added IPv6 support for the Cisco IOS, IOS-XE, and ASA Syslog task.
Added IPv6 support for the Cisco IOS, IOS-XE, and ASA AAA task.
Added IPv6 support for the Cisco IOS, IOS-XE, and ASA SNMP task.
Added IPv6 support for the Cisco ASA Neighbor Discovery task.
Added IPv6 support for Cisco ASA IPv6 routing.
Added IPv6 support for Cisco ASA IPv6 tunnels.
Added IPv6 support for Cisco ASA, IOS, and IOS-XE IPv6 IPsec.
New Switch stack column added in Inventory → Devices to show if switch is considered as stack
Added ARP table support for Meraki L3 switches.
Improved STP support for Meraki switches.

Advanced Filters

Device Attribute-Based Advanced Filters now support Uptime as a device property.
For a complete list of properties and supported tables, refer to Technology Tables – Device-Based Advanced Filters.

Intent Verification Rules

Updated Rules

Minor UI updates to remove the Green Success check from empty columns and to revise field descriptions.:
- Technology > Security > DHCP Snooping
  - DHCP Snooping Enabled VLANs
  - DHCP Snooping Trusted Port
  - DHCP Snooping Dropped Packets
- Inventory > OS Versions > Platforms
  - Devices with Unique Platform changed to Platforms with a Single Deployment
  - Devices with Unique OS changed to OS Versions with a Single Deployment
- Inventory > OS Versions > Models
  - Devices with Unique Model changed to Models with a Single Deployment
- Technology > Management > Port Mirroring > Port Mirroring - Port Mirroring Status
- Technology > MPLS > L2 VPN > Circuit cross-connect
  - CCC state changed to Circuit Cross-Connect State
- Technology > SDWAN > Versa > Sites
  - SDWAN Sites Uptime changed to Versa SDWAN Sites Uptime
Technology > Spanning Tree > STP Inconsistencies > Neighbor ports allowed VLAN mismatch - Trunk Allowed VLAN Mismatch
- Removed Green Success check as this rule is not applicable.
Technology > FHRP > Group state - FHRP Active Group Priority
- Adjusted active FHRP groups to include master for support on Aruba and Arista devices.
Technology > Platforms > Environment > Power Supplies - Power-Supply State
- Adjusted Red Error states to include power supplies with a bad state.
Technology > Platforms > Environment > Fans - Fan Module State
- Adjusted Green Success states to include fan modules that contain an ok - state.
Inventory > Interfaces - Interface Operational State
- Green Success - Default which should match normal states.
- Blue Info - Layer 2 states of unknown (i.e. IP Fabric is unable to discover states on some Meraki devices.)
- Amber Warning - Interfaces with Layer 1 state matching regex up|enabled and Layer 2 state of down without monitoring status reason.
Technology > Addressing > MAC Table > MAC Table - MAC Address Source
- Green Success - Added igmp to the list of acceptable source types.
- Blue Info and Amber Warning have been swapped so static MAC address types report as Info instead of Warning.
- Blue Info - Added svi, permanent, and management to the list of acceptable source types.

New Rules

SDWAN Uptime Verifications:
- Rules:
  - Technology > SDWAN > Silverpeak > Overlay - Silverpeak Overlay Uptime
  - Technology > SDWAN > Viptela > Control Connections - Viptela Control Connections Uptime
  - Technology > SDWAN > VeloCloud > Overlay - VeloCloud Overlay Uptime
- Green Success - 1 year >= uptime >= 1 week
- Blue Info - uptime > 1 year
- Amber Warning - uptime < 1 week
- Red Error - uptime < 1 day
SDWAN Status Verifications:
- Rules:
  - Technology > SDWAN > Silverpeak > Overlay - Silverpeak Overlay Status
  - Technology > SDWAN > Silverpeak > Underlay - Silverpeak Underlay Status
- Green Success - Status that is Up Active or Up Idle
- Blue Info - Status that is Down or other statuses
- Amber Warning - Status that is Up but with IP SLA Disabled or Reduced Functionality
- Red Error - Status that is Down and Misconfigured
Load Balancing Availability Verifications:
- Rules:
  - Technology > Load-balancing > Virtual Servers - Load Balancing Virtual Server Availability
  - Technology > Load-balancing > Virtual Servers - Pool members - Load Balancing Pool Member Availability
- Green Success - Up Availability and Enabled status
- Blue Info - All other statuses.
- Amber Warning - Down Availability and Enabled status
Technology > Management > AAA > Password Strength - Password Strength Enabled
- Green Success - Check is enabled on supported platforms
- Amber Warning - Check is not enabled on supported platforms

Experimental Features

Newly added features which need to be explicitly enabled in service files. You can enable these yourself using our feature documentation or if you are not comfortable self-enabling these features or need further clarification, contact our Support or Solution Architect team. We will gladly help you.

Cisco ACI Service Graphs Improvements

The path lookup capability for Layer 2 (L2) has been added to Cisco ACI Service Graphs.

To collect Service Graph data, the feature flag ENABLE_ACI_SERVICEGRAPHS_ENDPOINTS must be enabled. For more information, see feature flag documentation.

Palo Alto External Dynamic Lists

The ingestion of Palo Alto’s External Dynamic Lists for URL Filtering and IP Lists is currently available as an experimental feature.

To access this functionality, respective feature flags must be enabled. (ENABLE_PALOALTO_EDL_IPLIST and ENABLE_PALOALTO_EDL_URLLIST).

Transparent Firewalls

Initial support for transparent firewalls has been introduced. Since transparent firewalls typically operate at Layer 2 and remain invisible to other network devices, manual link configuration is required to incorporate them into the network model.

To enable this feature, the corresponding feature flag (ENABLE_MANUAL_LINKS) must be activated.

Once enabled, transparent firewalls will appear in the graph topology, and basic path lookup (excluding security policy evaluation) will be supported.

Visualization Setup

In case that you want to edit Manual Link Protocol Settings → Line Cap Label field, it incorrectly permits IP address selection.