Professional Documents
Culture Documents
5 Release Notes
TABLE OF CONTENTS
INTRODUCTION .................................................................................................. 2
About NetMRI 7.0.x ........................................................................................................ 2
7.0.5................................................................................................................. 2
7.0.4................................................................................................................. 2
7.0.3................................................................................................................. 3
7.0.2................................................................................................................. 3
7.0.1................................................................................................................. 3
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 1 of 23
4/14/2016
NEW FEATURES
This section describes new features for the current release.
NetMRI 7.0.5
No new features for this release.
NetMRI 7.0.4
No new features for this release.
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 2 of 23
4/14/2016
As the support for SHA1 certificates is being sunseted at the end of this year, all new certificates are generated
using SHA256. However, customers with existing certificates may want to update their existing ones.
Customers with self-signed certificates can refresh to the more secure setting. From the admin shell, run the
command: configure certificates https then select option 3 (Refresh self-signed certificate).
Customers with external certificates can re-run the Certificate Signing Request process from the admin shell to
generate a new CSR. That CSR will then need to go to the signing authority, and the resulting certificate
installed. Run the command: configure certificates https then selecting option 1 (Generate CSR).
Then follow the CSR process, and install the new certificate using option 2.
Should any issues be encountered in this process, the previous certificates can be restored from an archive file
from the admin shell. Run the command: restore <archive_name> -https_certs to restore the
original certificate.
New Device Functionality
NetMRI 7.0.3 now includes support for IOS-XE systems configured for VRF, and support for FortiGate devices
configured for VDOM.
Additional Information about Device Group Membership Logic
While not strictly new functionality, additional explanation of Device Group Logic is warranted. When evaluating
the group criteria, low-assurance (<20% Assurance) network devices are treated as end hosts and are not
processed at all (not even if the device is listed explicitly by IP address in the group criteria). The exception to
this handling is when the 'include end hosts and low-assurance devices' checkbox is selected. The checkbox was
previously available for both Basic and Extended device groups, but as of 7.0 was removed from Basic device
groups. The previous name of this checkbox was simply 'Include end hosts,' which may have contributed to the
confusion.
NetMRI 7.0.2
No new features for this release.
NetMRI 7.0.1
Blackout Periods
You can define recurring Blackout Periods during which discovery protocols and processes will not run. These
periods can be defined: globally across all networks; on specified discovery ranges; on device groups; or on
individual devices. Blackout periods prevent NetMRI from interacting with specified devices, device groups,
ranges or networks for any discovery or data collection task. A second blackout type, change blackout, restricts
NetMRI from device interaction via the CLI, preventing: logins; scheduled or run-now job executions; Telnet/SSH
proxy; and port control UI features. For information, see Defining Blackout Periods for Discovery Ranges and
Defining Discovery Blackout Periods in the NetMRI Administrators Guide.
Device Groups Enhancements
NetMRI 6.9 introduced two types of device groups: Basic and Extended, and limited the total number of
Extended groups to 50. In NetMRI 7.0.x you can create up to 375 groups, split between a limit of 125 Extended
and 250 Basic device groups. While the hard limit from NetMRI 6.9 has been raised, and scale testing has been
done at this level, there are many factors that impact performance (e.g. total load on the system, complexity
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 3 of 23
4/14/2016
NetMRI 7.0.1 has expanded its external authentication support, and adds external authorization capabilities.
NetMRI adds LDAP to its supported protocols for external authentication.
NetMRI also substantially expands its AAA external server support by enabling administrative authorization
through LDAP, Active Directory, RADIUS and TACACS+ protocols. You can use external AAA services to control
user access to NetMRI features with the same user roles and privileges defined on the local NetMRI system.
NetMRI enables you to add new authentication and authorization servers, and assign remote user groups to
NetMRI user roles and Device Groups. For information, see NetMRI Authentication and Authorization in the
NetMRI Administrators Guide.
There are significant changes to the User API calls necessitated by the external authorization capability.
Customers calling User API functions as part of custom scripts will likely need to rewrite those scripts to use the
newer 3.0 API.
OpenSSL has been upgraded to 1.0.2, which will cause SSL handshaking to be done only using TLS 1.2. Systems
providing AAA over SSL must be able to respond to TLS 1.2. If the AAA servers are older systems that have not
been upgraded to support TLS 1.2 (released in 2008) then SSL will not work.
Network Device Interaction Improvements
NetMRI 7.0.1 enhances the CCS scripting/Job engine to support improved approaches for collecting device
configurations, improved prompt detection and error handling for regular expressions and for general error
detection. Changes in this area allow better definition of device properties to better avoid false-positives on
running-to-saved configuration comparisons, or false changes on running-to-running or saved-to-saved. More of
the definition of the device interaction is stored in the database, resulting in more stream-lined Device Support
Bundles.
Operations Center to Collector Improvements
NetMRI 7.0.1 further improves Operations Center communications between the central OC node and its
Collector appliances. Among the enhancements are: improved delivery of collected configurations and job
execution logs from Collector appliances to the Operations Center; improved stream processing for multiple
simultaneous updates from Collectors to the OC; improved exception handling; and improvements to job
logging.
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 4 of 23
4/14/2016
Existing customers will see the following changes in their NetMRI deployment after an upgrade to Release 7.0.1:
A special setting has been added to Advanced Settings -> Configuration Management -> Config Syslog
Change Filter Username to provide special handling for configuration changes detected based on syslog
events. Up to five comma-separated user names can be defined in that setting. If a syslog event
matches one of those user-names, then it will bypass the configuration difference notifications and
policy triggers that would otherwise be invoked. This can be used in cases where an automated process
with a named automation user takes configuration actions such as bringing ports up and down, or
changing VLANs. In the case of frequent expected activity of this nature, the follow-on reporting of
change events often becomes overwhelming and unnecessary.
The ghosted/greyed out Security Control tab is removed. Customers with existing Security Control
feature licenses will retain their feature set. Documentation on this remains available through Infoblox
Support.
Specific VRF collection state information is added to the Device Viewer -> Settings & Status -> Device
Support -> under both the Data Collection and Device Support tabs.
A Device CLI Audit Log captures NetMRI CLI connections to network devices, including events from
processes such as config collection, credential collection, Job engine (including job approval identity),
and other CLI session connections. This is not exposed in the device viewer, or other readily available
form, but is available to support as a troubleshooting aide. This can be controlled under Advanced
Settings -> Notification with controls for disabling the logging (it is on by default), and the number of
days to retain the logs.
The API has been updated to version 3.0. Backwards compatibility has still been maintained wherever
possible, but there are some areas particularly for user administration that have been changed
significantly in this major release.
The NetMRI systems FQDN can be set within the advanced setting for use in Reports and Notifications.
Generated URLs in those documents will then use the FQDN, rather than IP address. This is useful if the
system is using https, and the certificate is registered only to the name.
Scripts that issue commands to devices can now override the expected response, changing it from the
expected prompt to something else temporarily. This is useful if the command issued results in a followon query, such as Are you sure (y/n)?
Deprecated Features
The following existing features are deprecated. Testing of these features was skipped during release
qualification. The code remains unchanged, but may be removed in a future release. Customer cases resulting
from bugs found in these features will be handled on a case-by-case basis, but in general, will not be acted
upon.
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 5 of 23
4/14/2016
Archive restore from the GUI CLI restore was the primary/recommended, and remains.
TAE Module
Cisco ISR4451 ISR4351, ISR4331Router v15.4(3)S1 (for the 4451) and v15.4(3)S2 for the others
The following devices are newly supported or updated for Release 7.0.4:
Alcatel 7210 SAS-M Switch-Router TiMOS-B-6.0.R6 and 7210 SAS-M24F2XP Switch-Router TiMOS-B-6.0.R6
Cisco IPS4240 IPS 7.1(9)E4 IPS [Telnet collection only due to IPS SSH implementation limits]
The following devices are newly supported or updated for Release 7.0.3:
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 6 of 23
4/14/2016
The following devices are newly supported or updated for Release 7.0.1:
Added CLI Forwarding and SwitchPort collection support for Nexus 7k NX-OS 6.*
Removed Disable paging command from F5 CLI collection, and increased timeout
Updated SwitchPort data collection support for Alcatel Lucent OS6400 and OS6450 models
Updated inventory data collection indicator to supported for Citrix devices except NSMPX-* models
NetMRI provides Config Template and Rollback features, in which the involved devices initiate the file transfer
connections. Due to the adoption of Network Views in 6.9.x, a device that starts a connection to NetMRI needs
to specify the interface it has present in the correct network view. However, this is not consistently possible on
supported VRF-aware devices. WORKAROUND: TFTP/HTTP file transfers on VRF-aware devices will work when
the NetMRI manages the device on the devices default VRF; when the devices Management IP address is on an
interface in the devices default VRF (such as (default)IOS for Cisco IOS, default for Nexus and master for
JunOS). If NetMRI cannot reach the VRF-aware device through the devices default VRF, this feature will not be
available.
SNMP Credentials in Juniper VRFs
For discovery and periodic polling on Juniper devices through an interface that is not in the Juniper default VRF
(master), the query must use a special default@credential format. This setting assumes that users do not
have management interfaces in a VRF. Hence, the SNMP credentials for VRF-aware Juniper devices must use
syntax similar to: @vrfsnmp. Enter these values for SNMP credentials under Settings icon > Setup >
Credentials > SNMP v1/v2c tab. (When querying VRF-aware Juniper devices via an interface that is in the
default VRF, a plain community string can be used without the @ character.)
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 7 of 23
4/14/2016
Remote Sandbox instances (e.g., Sandbox instances on a VM server) must be manually upgraded using
the sandbox reset command from the admin shell. See the topics Using the NetMRI Sandbox and
Setting Up a Remote Sandbox in the online Help for more information.
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 8 of 23
4/14/2016
Browser
The unsupported browser warning has been removed. There may be the occasional display issues as these
browsers go through their rapid release cycle; however we expect enough compatibility in their coding that it
doesnt make sense to highlight the version difference in red during every login.
When viewing NetMRI, set the screen resolution of your monitor as follows:
Minimum resolution: 1024x768
Recommended resolution: 1280x800 or better
TECHNICAL SUPPORT
Product Support
Download the latest documentation from the Infoblox Support page: https://support.infoblox.com/app/docs.
Training
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 9 of 23
4/14/2016
Page 10 of 23
4/14/2016
Page 11 of 23
4/14/2016
Page 12 of 23
4/14/2016
Page 13 of 23
4/14/2016
Page 14 of 23
4/14/2016
Page 15 of 23
4/14/2016
NETMRI-25450 Correctly drop/clean-up ARP entries collected as part of VRF data collection.
NETMRI-25433 Correct logging output for CCS debug.
NETMRI-25422 Update SPM End Hosts Present timestamp with end-host in a discovery range
NETMRI-25420 Improve query performance for SPM End Hosts VLAN change.
NETMRI-25415 Correctly send quit command to log out of F5 devices.
NETMRI-25383 Populate Scheduled Jobs in UI from different table, handling cases with jobs over 30 days old.
NETMRI-25352 Declutter log message file.
NETMRI-25346 Improve query performance for topology calculations.
NETMRI-25340 Validate the Syslog recipient address properly in the UI.
NETMRI-25334 Populate VLAN correctly when discovering SPM End Hosts without an IP address.
NETMRI-25308 Restrict access to Cisco Command tool for users with View: Non Sensitive privilege (and not
higher level).
NETMRI-25199 OC: Javascript did not keep correct Object ID integer.
NETMRI-25197 NetMRI did not return HTTP status 503 during Weekly Maintenance.
NETMRI-25174 Send syslog information when multiple syslog servers are defined.
NETMRI-25147 API call to assign VRFs failed with Argument list too long error.
NETMRI-25138 Prune stale entries from Virtual Device Context in certain scenarios.
NETMRI-25110 Feature added to allow background processing of an Update when no .GPG file was provided
the autoupdate command.
NETMRI-25108 Prune syslog log files more aggressively.
NETMRI-25103 Use proper ContextName for firewalls and load balancers.
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 16 of 23
4/14/2016
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 17 of 23
4/14/2016
All externally and internally discovered SQL injections have been corrected.
All externally discovered XSS vulnerabilities have been corrected.
Some internally discovered XSS and CSRF issues still exist, and are being addressed during the NetMRI
7.0 maintenance cycle. All of these require an authenticated account in order to attempt the exploit.
Security reports from the following individuals and agencies/companies were instrumental in this effort:
Giuseppe-Diego Gianni of NCIA/CS-NCIRC TC (NATO)
Ozkan Aziz, Paul Bradley, and George Christopoulos of VISA, UK
Travis Emmert of Salesforce.com
NETMRI-24975 System Health grid was blank on Operations Center with no collectors (warm standby-mode).
NETMRI-24962 OC: Improved reboot protection during weekly maintenance.
NETMRI-24936 Requested to maintain a copy of the root diagnostic during a Factory Reset.
NETMRI-24903 Nortel ERS-88xx series belonged to different Config Collection Filter-Action block.
NETMRI-24893 - Failure to start CCS collectors caused Comm Requests & Jobs to remain pending.
NETMRI-24881 Upgrade failed in Reports.sql.
NETMRI-24855 Perl Jobs did not send "exit" command to explicitly end CLI sessions to Fortinet devices.
NETMRI-24838 Added CLI forwarding and SwitchPort collection support for Nexus 7k NX-OS 6.*
NETMRI-24835 - Riverbed config collection experienced error when finding Not Found string in config file.
NETMRI-24825 - Request to include DeviceIP and timestamp into filename when exporting SNMP/CLI Credentials
table to CSV file.
NETMRI-24813 - Long Running Queries occurred in Discover Now output.
NETMRI-24799 - Nortel/Avaya ERS-5650-TD-PWR Config Collection issues.
NETMRI-24794 Appliance experienced occasional instability due to incorrect setting during kernel upgrade.
NETMRI-24768 - Collector started skipjack service after trying to stop it.
NETMRI-24767 Feature added to add CLI collection support for inventory data.
NETMRI-24760 OC: Remnants of DB/Config archiving system and checks need to be removed from collectors.
NETMRI-24748 Feature added to increase config collection timeout for Riverbed Steelhead devices.
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 18 of 23
4/14/2016
Page 19 of 23
4/14/2016
Page 20 of 23
4/14/2016
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-001
Page 21 of 23
4/14/2016
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-000
Page 22 of 23
4/14/2016
2016 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners.
P/N 400-0608-000
Page 23 of 23
4/14/2016