Diffs

Overview

Behavior Diffs enable network operators to gain visibility into changes that have occurred within the network between two configurable points in time. Behavior Diffs provide more than just text-file diffs of device configurations; it's capable of surfacing what has changed at different layers in the network stack. Behavior Diffs show the changes in the topology (devices, links, interfaces), Layer 2 (VLANs), Layer 3 (Routes), security (ACL, NAT), and what effects changes have on the network intent policies defined by the network operators.

Main Use Cases

Faster Updates and Change Management Windows

At Forward, full visibility is needed to exert control. With Behavior Diffs our users gain the confidence that intended changes don’t have unintended consequences. This confidence is crucial when closing change management windows. With Behavior Diffs Forward Enterprise users can:

Reduce the time it takes to verify network behavior correctness after a change to a device's configuration and state.
Increase confidence in change correctness.
Reduce the chances of change-induced outages and needing to roll back a failed change.

Diagnostics and Troubleshooting

Another use case that finds Behavior Diffs applicable is ticket troubleshooting. The first thing that a network operator may want to do when presented with a problem is to understand what changed from the last known good snapshot. Behavior Diffs offer exactly that and helps network teams reduce the time it takes to pinpoint and solve issues.

File History

File History enables network operators to see exactly when a change first appeared in a configuration file or other collected file. Instead of only comparing against the last known good snapshot, it provides a timeline of changes across snapshots, making it easier to identify when unexpected edits were introduced and how long they persisted.

Diffs UI

Navigating to Diffs

Open the Diffs application.
Select two snapshots to compare.
After the analysis completes, select the Overview tab.

Overview Tab

The Overview tab provides a high-level summary of changes between two snapshots. It highlights both the executed changes and their effects across the network, helping users quickly identify potential issues or areas that require further investigation.

The results show a summary of the diffs analysis performed between the two snapshots. Each summary widget includes a link to the specific Behavioral Diffs Analysis tab it summarizes (i.e. Collected files).

Behavior Diffs Summary

Executed Changes Panel

The Executed Changes panel summarizes direct configuration changes:

Shows how many configuration lines were changed across devices and locations.
Displays location tags to indicate where changes occurred. Clicking a tag opens the config diffs for that location.
Provides a Details icon to view all configuration file diffs.

Effects of the Changes Panel

The Effects of the Changes panel summarizes the downstream impact of executed changes. It is divided into three categories:

Warnings: Lists new risk conditions detected in the diff. A details link is available for each item.
- New routing loops detected.
- Newly activated CVEs.
- Devices newly exposed to the Internet.
- New violations in NQE verification.
- New violations in Intent verification.
Change Propagation: Lists indirect impacts caused by the change set. A details link is available for each item.
- Devices indirectly impacted across locations.
- State files changed.
Routing: Lists routing impacts caused by the change set. A details link is available for each item.
- Prefixes with route changes.
- Routes removed across devices and locations.

Configs Panel

Summarizes configuration file changes across devices.

Displays the number of config file changes.
Includes a Details link to the Configs section.

IP Routes Panel

Summarizes IP route–related changes.

Additions, removals, and modifications across devices.
A list of the top 10 devices with the most route changes.

Interfaces Panel

Summarizes interface-level changes.

Additions, removals, and modifications across devices.
A list of the top 10 devices with the most interface changes.

VLANs Panel

Summarizes VLAN-level changes.

Additions, removals, and modifications across devices.
A list of the top 10 VLANs with the most changes.

Verify Violations Panel

Summarizes intent verification results.

Highlights checks that transitioned from Passed to Failed.

Links Panel

Summarizes topology link changes.

Links that were added or removed.

Devices Panel

Summarizes device-level changes.

Additions, removals, or modifications to attributes such as vendor, model, OS version, or status

Files Tab

The Collected Files tab shows changes in device configuration and state. Changes are grouped by file type:

Config
State
Custom Commands
All Files (displays files from the other three groups)

Diffs display what has been added, removed, or modified, similar to code diffs used in software engineering. Devices are grouped on the left based on their role in the network (e.g., routers, firewalls).

You can download the before and after files as well as the patch file in text format. The Previous Diff and Next Diff links allow you to quickly move between different diffs.

The following image shows an example of a firewall config diff: Behavior Diffs Configs

This image shows an example of changes discovered in a router VRF table: Behavior Diffs State

The Diffs view can be changed from a split view to a unified view: Behavior Diffs Unified

Inventory Tab

The Inventory Diffs page presents two tabs: Network Devices and Cloud Objects. In these two tabs, each row is presented as Added, Removed, or Modified. The assumption is that most of the rows will fall in the last category, Modified. Each row is filterable and the table content is exportable in CSV format.

In the Network Devices tab, the system shows the Diffs for the following data: Name, Vendor, Model, OS version, Management IP(s), and (Connectivity) Status.

In the Cloud Object tab, the system shows the Diffs for the following data: Name, Identifier, Vendor, Type, Account Name, VPC, and Status. The image below provides an example of the Network Device tab:

Behavior Diffs Inventory

Routes Tab

In addition to viewing route changes by device or by prefix, the Routes tab helps correlate the two perspectives:

Devices: See which route changes occurred on each device.
Prefix: See which devices were impacted by changes to a specific prefix.

This dual view makes it easier to trace the scope of routing changes across the network and understand how a single change propagates across multiple devices.

Devices Tab

The Devices tab shows routing table differences for each device, grouped by Added, Removed, and Modified routes.

The number displayed in the tab title indicates how many devices had routing table changes.
The IP route changes table lists the devices with routing table changes. A Device changes column shows the number of Added, Removed, and Modified routes per device.
When a device is selected, the table displays the Route Type to clarify the type of route affected.
Each row contains a link to the corresponding state file with highlighted differences.

Diffs IP Route Devices

Prefixes Tab

The Prefixes tab shows routing differences grouped by IP prefix.

The number displayed in the tab title indicates how many devices had prefix changes.
Each row represents a prefix and shows how many devices were impacted.
Prefix changes are categorized as Added, Modified, or Removed.
Each row contains a link to the corresponding state file with highlighted changes.

Diffs IP Route Prefixes

Interfaces Tab

The Interfaces tab shows changes related to the network interfaces grouped by device. The diffs show the interfaces that have been added, removed, and modified. Each row shows the interface name, status, IP address (if applicable), and a link to the interface card with side-by-side configuration and state file comparison:

Behavior Diffs Interfaces

Behavior Diffs Interfaces Details

VLANs Tab

The VLANs tab shows if anything has changed for the network layer 2 domain: VLANs that have been added, VLANs that have been removed, interfaces assigned to VLANs, changes in VLAN trunking, changes in Spanning Tree, etc. The changes are grouped by VLAN ID:

Behavior Diffs VLANs

NATs (Network Address Translation) Tab

NAT Diffs help users identify whether any changes affect the NAT behavior of a system. NAT changes are grouped by device and can be filtered by changes based on the specific traffic they affect, their action on traffic, and the devices on which they are configured. Each row contains a link to the Device Config and/or the State where the relevant section is highlighted for quick identification:

Behavior Diffs NAT

ACLs (Access Control Lists) Tab

Similar to NAT Diffs , the ACLs tab shows the differences found in ACL configurations grouped by Network Devices and Cloud Objects:

Behavior Diffs ACL Devices

Behavior Diffs ACL Cloud Objects

ARPs Tab

The ARP Entries tab shows the devices with ARP entry changes grouped by device type:

Behavior Diffs ARP Entries

MACs Tab

The MAC Addresses tab shows the devices with MAC address changes grouped by device type:

Behavior Diffs MAC Addresses

Links Tab

The Topology Links tab shows the differences found in topology links, showing the links that have been added and those that have been removed. Each row has links to the devices and interfaces affected by the changes (the rows can be filtered by interface name):

Behavior Diffs Links

Verify Tab

The Verification tab shows a menu to select the NQE Verification, Predefined Verification or the Intent Verification changes.

With the filtering capability easily narrows down the scope and focuses on those checks that transitioned from Passed to Failed.

Behavior Diffs NQE Checks

Behavior Diffs Predefined Checks

Behavior Diffs Intent Checks

Device Configuration File History

The Device Configuration File History viewer provides visibility into configuration file changes across snapshots. When viewing a Device Configuration file, located under the Device Configurations section of its Device Card, select History to open the viewer. This view makes it easier to identify when a specific change was introduced and how long it remained in place, which is particularly useful for troubleshooting and vulnerability tracking.

The Change history pane lists all snapshots where differences were detected. Selecting a snapshot displays the configuration diff in the main panel, with changes highlighted.

The Device Configuration File History viewer provides tools to review configuration changes. You can download versions of the configuration (before, after, or patch) from a snapshot, and quickly move through highlighted differences with the diff navigation arrows.

Overview​

Main Use Cases​

Faster Updates and Change Management Windows​

Diagnostics and Troubleshooting​

File History​

Diffs UI​

Navigating to Diffs​

Overview Tab​

Executed Changes Panel​

Effects of the Changes Panel​

Configs Panel​

IP Routes Panel​

Interfaces Panel​

VLANs Panel​

Verify Violations Panel​

Links Panel​

Devices Panel​

Files Tab​

Inventory Tab​

Routes Tab​

Devices Tab​

Prefixes Tab​

Interfaces Tab​

VLANs Tab​

NATs (Network Address Translation) Tab​

ACLs (Access Control Lists) Tab​

ARPs Tab​

MACs Tab​

Links Tab​

Verify Tab​

Device Configuration File History​