Product Updates

The 23.8 release introduces the ability to configure periodic network discoveries. The Forward platform offers different discovery methods: seed-based, neighbor inference, and subnet scan. The system supports the creation of multiple schedulers per network each based on a different discovery method.For more information, visit the Snapshots page.

Synthetic devices are often used as a proxy for environments that are not under the direct management of the user, and as such they cannot be collected from and consequently modeled in Forward. For example, a modeled device at the edge of the network would have one or more interfaces and their sub-interfaces connected to a given synthetic node which represents a Service Provider peering.There have been cases in which the user connects only a subset of sub-interfaces to a synthetic node, leaving the rest of them "orphaned". This incomplete configuration leads to traffic egressing those interfaces and being black-holed by the Forward model.The 23.8 release introduces a new synthetic device called Missing Peer that models such traffic. Unlike other synthetic devices, this new device is not configured by the user but is automatically created by the Forward platform. A config property will allow Org Admins to enable or disable the creation of these synthetic devices. For more information, visit the Missing Peer page.

The 23.6 release introduced Entity Decorators. The 23.7 release adds a set of new improvements and the all-new Path decorators.Improvements:Several improvements have been made to the decorators' configuration to make it more intuitive Decorators are now included in Snapshot import/export Decorations are displayed in decorator name order Placeholders are shown for empty decorations Violations are highlighted for all decorator typesNew Path Decorators: these new decorators allow to augment the Path Analysis at the path, the path device hop, and path device hop ingress/egress interface levels.The image above shows an example of all new path decorators.

Forward is introducing a new user experience for multicast, centered around multicast groups and their sources, receivers, and rendezvous points. This release brings a new multicast group Search.The image below shows an example of a multicast group Search.New multicast improvements will be introduced in upcoming releases.For more information, visit the Multicast Search page.

Cisco Fabricpath deployments can become very complex and considerably increase the Snapshot processing time. Modeling Cisco Fabricpath as point-to-point tunnel links instead of navigating through individual hops in the Fabricpath underlay drastically reduces the processing time.This new Fabricpath modeling is optional. A Forward Admin can enable it by setting Model FP as Tunnels in Settings --> System --> Org preferences --> Experimental features.

The 23.6 release brings additional value to Forward's Vulnerability analysis by enriching it with the addition of the devices' connectivity exposure to the Internet. This addition underlines once again our commitment to bring unique value to security teams. Vulnerability together with exposure tell the full story about a device's risk profile. Forward tells the user which vulnerable devices are Internet exposed, differentiating between devices that carry traffic from the Internet and devices whose interfaces are actually internet exposed, the latter case being the most urgent to remediate. With the 23.6 release, our users can benefit from the additional layer of prioritization when trying to remediate network CVEs.  

To better visualize the Cloud license consumption, the 23.6 release introduces a dedicated page with graphs that visualize the Cloud Credit Hours.  FWD-31221 Azure - Automatically find all subscriptions ahead of collection Before the 23.6 release, to add subscriptions to an Azure cloud setup, the user had to run a script in the Azure powershell which generated a subscriptions JSON file. Then the user had to upload that JSON file in the Azure cloud setup wizard. The shortcoming of this approach is that any time there are any new subscriptions created in the Azure account, the user would have needed to generate a new JSON file and re-upload it. Obviously, this approach is not scalable when there are hundreds of subscriptions in an account that are constantly changing. FWD-31221 introduces the ability to automatically detect and collect from subscriptions without needing the user to manually upload a subscriptions file every time. To learn more about Azure setup, please read its documentation. FWDN-7948 Azure - Support application LoadBalancer backend types FWDN-7741 Azure - Support Layer7 Application Gateway and Firewall

ModelingPrior to this release, Forward would not allow to use IP addresses contained in NAT policies as sources or destinations in a path query. This restriction becomes problematic when our users provide connectivity transport to other networks that they don't directly manage and about whom they have no knowledge of the IP addressing end-to-end. In this case, our users are interested in tracing the traffic up-to and from the NAT translation point. With the release 23.5, this restriction is lifted allowing for the use case describe above to be supported by Forward. Cisco​FWD-29707 Support for VLAN Mapping in IOS/IOS-XE Brocade​FWD-31027 Brocade ADX load-balancer direct server response

In multi-VRF environments, it is possible that some VRFs in core routers take much longer to collect than other VRFs. The difference in collection time negatively impacts the time-to-value for users operating in these environments. This improvement allows users to specify for which VRFs the required subnets specified in the FIB Collection advanced settings, will always be collected regardless of max number of routes value. The required subnets will only apply to matching VRFs.   

The 23.6 release introduces Entity Decorators, a great new functionality based, yet again, on one of the most loved feature of the Platform: NQE. With Entity Decorators our users can augment other Forward applications with metadata coming from the NQE data model. In this first iteration, our users can augment the device card, the interface card, and the host card; these components are referred to as the "entities". The idea is to link NQE queries results to these entities. These linked NQE queries are referred in this context to as the "decorators". This great new innovation allows the user to customize and enrich the data surfaced by some of Forward applications. In the next release, our users will be able to "decorate" path search results as well.  The following image shows how the decorators were applied to the device card, check out the Device Basic Info section: Our users can leverage Entity Decorators in conjunction with External Sources. By doing so, they can bring into the Forward UI metadata that lives outside the network and enrich their visibility and understanding of the infrastructure even further. A use case for this feature teaming is for example bringing in the end-host vulnerabilities leaving in vulnerability applications off-platform and show them within Forward's host card.

FWD-31079 Usability improvements to the Data Model ExplorerA few usability improvements to the NQE Data Model Explorer made it in the release:FWD-31190 Data Model - Adding the status of device collection and processingThe NQE data model now includes the status of collection and processing for each device. This additional data has been requested by our users to verify the status and completeness of the model. Additionally, it is needed as part of the new Inventory+ experience.FWDN-7967 Data Model - Adding parsing support for device chassis and serial numbersThis improvement enriches the NQE model by bringing in the device's chassis and serial numbers, which now can be easily retrieved and used for custom verification, auditing and hardware inventory.PLAN-2222 ESXi VMs Inventory+ viewThis release adds to the Inventory+ an NQE query showing details about the modeled VMware environment (if present in the collected infrastructure).

This improvement allows the user to create path queries where the from and/or to clauses contain a MAC address of a located host/device. While using a MAC address as host identifier is not common, there is no real reason not to support these kind of legit queries. 

To monitor the health of the cluster and its instances, Forward provides a configurable Dashboard based on Grafana available at https://<PRIMARY_NODE_IP>/monitoring.. The release 23.5 introduces several improvements that aim at providing an easier to consume and to understand dashboard centered around the pods' resources instead of single containers. 

This release introduces the first webhook for the Forward platform. Our users can now subscribe their external applications to receive an event anytime a snapshot has been processed successfully, and it's ready to be used. This is the first of a series of webhooks that will be made available in the following releases. Here an example of the event being sent out:To learn more about webhooks in Forward Enterprise, please read the documentation.

Release 23.4 introduced Inventory+, Forward's new Inventory experience based on fully customizable NQE queries. The new experience unlocks and democratizes access to the network data collected and processed by Forward.As part of this new experience, the release 23.5 introduces an additional component: the ability to run diffs for all NQE queries that are part of Inventory+. The system infers the presence of changes by analysing the NQE query table results, and it's capable of distinguishing between row addition, deletion and modification automatically without user intervention.  

FWD-29407 Host-centric Blast Radius This release changes the Blast Radius feature to use inferred end-hosts as the end targets of the blast calculation. Before this release, the system would calculate the blast radius using target subnets. Our users have expressed their preference for targeting end-hosts. The system preserves the old behavior by allowing the users to toggle between the target end-host and their subnets. To learn more about the Blast Radius feature, please read the documentation. FWD-28291 Integration with Tenable.sc One of the major features coming with release 23.4 is the integration of Forward Enterprise with Tenable.sc. Since Forward Enterprise introduced its security-focused features set, our users have asked us to integrate with host vulnerability platforms to help them: Identify which end-host impacted by critical vulnerabilities can be accessed from the Internet Know which compromised end-hosts can access internal critical infrastructure Augmenting the capabilities of SecOps teams with unmatched network visibility is one of the stated mission of Forward Networks. The integration with Tenable.sc adds to the already supported integration with Rapid7 InsightVM vulnerability. To learn more about the Tenable.sc integration, please read the documentation.

General UITable component improvements - An additional improvement for the table component coming in 23.4 is the counting of the rows in all tables. When filtering the counter will show how many matches are present out of the total number of rows. CollectionAdded sensitive data redaction to all devices -  Sensitive data redaction is now supported across all vendors and platforms supported by Forward Enterprise Modeling​Versa Networks​FWD-28923 Support for Versa SD WANBrocade​FWD-29974 Support for Brocade ADXCisco​FWD-30591 Support for Service graph on ACI

FWD-30080 Limited Read-Only role In this release, we are introducing a new pre-existing user role: Limited Read-Only. Forward Enterprise collects configuration and state files from network devices. Network device configurations contain information at various levels of sensitivity and confidentiality. Our users have expressed the need to expand the usage of Forward within their teams while restricting some users from accessing devices configuration and state files, where they could have access to this sensitive data. The newly introduced Limited Read-only role allows for restricted Read-only access without the ability to see nor download device configuration and state files. This new role also hides any application that could expose those sensitive data (e.g. NQE). To learn more about this new role, visit the RBAC documentation. FWD-30385 Let users with read-only network access view the Sources page This enhancement allows Network Operator and Read-only users to access the Sources page without the ability to make any edits, run connectivity tests, or see credentials and jump server details. The goal with this enhancement is to allow these users to have minimal access to the Sources page while possibly still being able to report connectivity or collection issues to higher privileged users that could take action.

NQE permission controlRelease 23.3 introduces the ability to restrict write access to the NQE library queries. Our users have expressed the desire to protect the queries they and their teams have been working on from accidental or intentional editing by other users. By default, users with an Admin or network operator role have full write access to NQE queries. With this release, our users can define permissions on folders within the NQE Library to control who can edit individual queries and the contents of query folders themselves.Expose hostnames in the data modelThis addition to the NQE data model brings in the network device's hostname. Our users have asked to add that information, so they could write queries that help them in the reconciliation and improved correctness of their CMDBs. New Discovery folder and queries in the Forward libraryThe release 23.3 adds a new Discovery folder to the NQE Forward library, the out-of-box library of NQE checks developed by Forward for its users. Within this new Discovery folder, our users can find two new queries: Uncollected CDP-LLDP neighbors - This query looks within the collected CDP/LLDP files and finds names of devices that have not been included in the Forward modeling, potentially uncovering areas of the network infrastructure that the Network Admin could then add to the Forward inventory for collection Uncollected next hops - This query looks into the collected routing tables to find any IP addresses of next hops that are not on currently collected devices. The goal, like for the previous query, is to help with discovery of devices that are missing from the model.

Release 23.3 introduces several UX improvements to the BGP topology layer, specifically:Inclusion of the synthetic nodes to the BGP topology if they participate to BGP. Ability to selectively display the physical underlying network within the BGP view. Display the first router ID and AS number in the details card. Increase font size of secondary label and align it with parent label.

Collection​ FWD-30054 Prettify JSON output for external sources FWDN-7755 Sensitive data redaction Additional vendors supported in the sensitive data redaction logic, specifically: F5 Bluecoat Riverbed SilverPeak HPE/Aruba Citrix Netscaler Juniper NetScreen Palo Alto Nokia General UI​FWD-30091 Additional improvements to the table UI componentModeling​Nokia​FWDN-7667 Additional support for Nokia 7700 platform This release adds to the initial support for Nokia 7700 platform, specifically: Support for EVPN-VXLAN Epipe Sensitive data filtering Support for IES service Support for VPLS-EVPN over VxLAN Support for multiple vlan tags on switch sub-interfaces Support for secondary address on L3 interface Arista​FWDN-7849 Support 'tap aggregation' modeBrocade​FWD-29975 Initial support for Brocade FastIron platform

The release 23.3 introduces the first iteration of our new Inventory experience representing an important evolution with respect to our current Inventory application. Inventory+ is entirely based on NQE and allows our users to fully customize what they see in the inventory. Inventory+ provides easy access to network data views in different technology areas based on users' preference. Users can add or modify what is shown in the inventory without waiting for Forward to deliver the change. Here is a view of what it looks like: To learn more about this functionality, visit its documentation.

UsabilityFWD-30091 Table component improvements The release 23.2 introduces the first set of improvements to the table component in the UI. This release specifically introduces the following table usability improvements: Sticky row actions column Default min and max widths for flexible columns Resizable columns Processing and Collection​FWD-30280 Throttle vCenter collections Throttling collections from vCenter allows for a safer and more consistent collection. This task limits collection to a single vCenter per collector.Modeling​ FWD-30071 Add sensitive data redaction to all Cisco, Juniper and F5 platform This release introduces a highly requested item from our users, that is the ability to redact sensitive data in device configurations (e.g., password fields, SNMP server names) or replace it with a MD5 hash. To enable the redaction or the replacement with a hash, go to Collection > Collection Settings and look for Sensitive data redaction. FWDN-7753 Support Azure public IP prefix This release introduces support for Azure public IP prefix. A public IP address prefix is a reserved range of public IP addresses in Azure. Public IP prefixes are assigned from a pool of addresses in each Azure region. You create a public IP address prefix in an Azure region and subscription by specifying a name and prefix size. To learn more about this functionality, please visit the Azure documentation. FWDN-7668 Support GCP private service connect Private Service Connect allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations. Release 23.2 introduces support for this GCP feature. To learn more, please visit GCP documentation. FWDN-7750 Support managed firewall rule groups in AWS Managed rule groups are collections of predefined, ready-to-use rules that AWS and AWS Marketplace sellers write and maintain for AWS users. To learn more, please visit the AWS documentation.

FWD-30120 Download NQE reports in XLSX or CSV formats The size of most NQE query results can be handled by Excel workbooks. However, some of our biggest customers are able to create queries that generate reports too large for Excel to handle. For these cases, the system now allows to download the report as a .csv file. FWD-29699 Floating point numbers This enhancement introduces support for floating point numbers. This support also enables extraction of floating point numbers making floating point numbers part of the pattern language. Literals, comparison, arithmetic, conversions, pattern matching now support floating point numbers. FWD-30014 Improved hostname consistency query (Forward Library) This enhancement increases the accuracy of the NQE query (Forward Library) that verify the consistency of hostname to device name. This improvement targets Cisco, Arista and Palo Alto devices.

Topology​FWD-29297 Remove synthetic device editing from location toolbar Release 22.11 had already placed the managing of the synthetic devices at pair with the other collection sources. A new tab was in fact added to the Sources page and from there the user can fully manage these critical objects. This additional enhancement completes the transition by removing the synthetic device editing from the location toolbar.Processing​FWD-29506 Improve duplicate device removal This enhancement improves the order of preference when choosing the winner among what appear to be duplicate devices. The logic to verify that two network devices that are discovered by Forward or added by the users are not the same device is quite complex and takes into account several factors. This enhancement further improves the logic for deduplication by implementing the following preferences: Prefer the device that does not use a jump server Prefer the device referenced to with a hostname rather than an IP address Prefer the device with shorter name Modeling​ FWDN-7613 AWS - Support layer 7 features in AWS application load balancer Learn more on the AWS documentation page. FWDN-912 Nokia - Support for additional features on Nokia devices Support for Nokia 7750 and 7700 family was introduced in the 22.12 release. The 23.1 release adds support for additional functionality like ACL filters and EVPN for MPLS in Epipe service. FWDN-7281 ForcePoint - Initial support for ForcePoint Next Gen Firewalls FWDN-7633 Viptela - vSmart collection The collector now places the state files collected for vSmart into each vEdge snapshot for modeling. FWDN-7663 Privilege mode password association with login credentials This enhancement implements a logic that allows for retries when a privilege mode error occurs. When this happens, the system will now also try the other available credentials, until one of them passes the privilege password discovery part. If none of them passes, then the system reports the failure as a privilege password issue.