26.4.0 - Apr 21
Released: 2026-04-21
We're happy to announce the immediate release of Forward Enterprise version 26.4.0.
What's New 🚀
🌐 Topology
Topology Export to Image
A new export button at the bottom of all topology views lets you download the current topology as a high-resolution PNG image. The export captures everything visible in the topology — device labels, link states, annotations, device tags, neighbor locations, and unbundled elements such as access points or virtual contexts.
The export automatically finds an optimal zoom level that keeps all device labels and node icons visible, producing a full-resolution image suitable for network documentation. This works across all topology layers — physical, PTP, and cloud — and in any browser that supports the topology view.

🔒 Security & Compliance
STIG Quarterly Update (Y26Q1)
Completed the Q1 2026 DISA STIG update. The four remaining rules from the previous release are now in place, bringing full compliance with the latest DISA baselines.
📈 NQE Analysis
NQE Diff Performance Improvements
NQE diffs are now dramatically faster for queries that declare a primary key. Previously, the diff computation had to infer which columns to use for correlating rows between the before and after results — a process that could be relatively slow for large, wide tables. For example, computing a diff on the ACL Entries query (a million rows, 20–30 columns) took approximately 13 minutes on large networks.
Now, when a query declares a primary key, the diff computation uses it directly, reducing that same operation to roughly 30 seconds. Primary keys have been added to many NQE library queries to take advantage of this improvement. As a best practice, query authors should declare primary keys on queries they intend to use with diffs or inventory.
Additionally, the diff view now displays key icons on the columns being used for row correlation, making it clear how rows are being matched — whether through a declared primary key or automatic inference.
IPv6 Support for IP Address Sets
The IpAddressSet data type in NQE now supports IPv6 addresses alongside IPv4. Previously, passing IPv6 addresses to IP address set constructors would produce errors, forcing query authors to filter out IPv6 addresses as a workaround. This was especially painful for queries operating on host or interface data, where mixed IPv4/IPv6 subnets are common.
IPv4 and IPv6 addresses can now be freely mixed in IP address set operations, simplifying queries and removing a common source of runtime errors. This improvement is particularly relevant for organizations with IPv6 migration mandates.
Additional NQE Improvements
- Native NQE Status for EoL Queries: End-of-Life queries in the GUI now use native NQE status information instead of hardcoded status mappings, improving consistency and maintainability of EoL verification results.
- CVE Query Performance: Queries accessing CVE finding data (e.g., cveFinding.isVulnerable) are now 5–10x faster. The system now reuses pre-computed vulnerability findings instead of recalculating on the fly, reducing query times on large networks from 20–30 seconds to under 5 seconds.
- isEmpty Extended to More Types: The isEmpty function now works on strings, bags, and lists in addition to IP address sets, enabling shorter and more efficient queries compared to the previous length(x) == 0 pattern.
- Location ID in Device Data Model: Devices now expose a locationId field alongside the existing locationName, allowing queries and checks to remain stable when location names are renamed.
🔌 Network Setup
Bulk Edit for HTTP and Additional Credential Types
The bulk edit workflow for classic devices now supports HTTP login credentials in addition to CLI credentials. Users can also bulk edit privilege mode, expert mode, and API credentials. When multiple devices are selected, all must share the same credential type for bulk editing to apply — tooltips explain which devices are excluded and why when types are mixed.
Bluecat Driver Enhancements
The Bluecat DDI driver now collects configuration drift data, reporting discrepancies between the golden configuration and actual device state. This data is exposed in NQE for compliance monitoring and drift detection.
💻 Modeling
- NAT64 Support for IOS and IOS-XE: Forward Enterprise now models dynamic NAT64 translations on Cisco IOS and IOS-XE platforms. Static NAT64 support is planned for the next release.