v25.12.1 lands broad capability work across Compliance, Visibility, and Enclaves — built-in alerts, log exports, per-entity history — plus a wide sweep of stability fixes.
Highlights
Initial alert library embedded in Access Gate
A starting set of built-in alerts ships with the product. Out of the box, operators get detection rules for the most common OT threat patterns without having to author rules from scratch. Two representative additions: S7 Programming-Mode Enabled (alerts when a Siemens controller is put into program mode) and Log Access to Resources (audit trail for resource access inside the enclave).
Automatic asset registration from traffic
Passive traffic observation now proposes new assets automatically as they appear on the wire. Operators confirm or drop the suggestions rather than manually registering every device — large brownfield sites get to an accurate inventory faster.
Log export with built-in destinations
Audit and event logs now export to external systems with a curated list of built-in destinations. Adding a downstream syslog, SIEM, or archive target is a configuration, not a custom pipeline. NFT (netfilter) logging joins NetFlow as a first-class data source.
Per-entity history of changes
Every entity — enclaves, assets, users, rules — now carries a chronological history of configuration changes. Who changed what, when, and what the previous value was. Audit-ready for CMMC and NIS2 without additional tooling.
Roles and definitions
Administrator roles are now defined explicitly with granular capabilities instead of a single admin/operator split. Assign roles to users or groups; permissions compose predictably.
Risk assessment matrix
A built-in risk assessment matrix lets compliance teams score and track the risk posture of network segments, assets, and flows directly inside Access Gate, aligned with IEC 62443 Security Level concepts.
Network zones for detection
Detection rules now scope cleanly to named network zones rather than raw IP ranges. Writing an alert that fires only for traffic crossing from OT into IT is now a zone selection, not a CIDR expression.
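The difference between a zone selection and a CIDR expression, as an added illustration that is not Access Gate's rule syntax or code. The zone names, CIDR ranges, and flow records are constructed, and the nested-zone handling (most specific prefix wins) is an assumption of this sketch.

```python
import ipaddress

# Constructed zone map: names and ranges are illustrative, not product defaults.
ZONES = {
    "ot-control": ["10.10.0.0/16"],
    "ot-dmz": ["10.10.250.0/24"],            # nested inside ot-control's range
    "it-corp": ["10.20.0.0/16", "192.168.50.0/24"],
}

def build_index(zones):
    """Flatten zones to (network, name) pairs, most specific prefix first."""
    index = [(ipaddress.ip_network(cidr), name)
             for name, cidrs in zones.items() for cidr in cidrs]
    index.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return index

def zone_of(ip, index):
    """Return the most specific zone containing ip, or 'unzoned'."""
    addr = ipaddress.ip_address(ip)
    for net, name in index:
        if addr in net:
            return name
    return "unzoned"

def crossing_alerts(flows, index, src_zones, dst_zones):
    """Select flows whose source and destination zones match the rule scope."""
    hits = []
    for flow in flows:
        src = zone_of(flow["src"], index)
        dst = zone_of(flow["dst"], index)
        if src in src_zones and dst in dst_zones:
            hits.append({**flow, "src_zone": src, "dst_zone": dst})
    return hits

# Constructed flow records for the demonstration.
FLOWS = [
    {"src": "10.10.4.17", "dst": "10.20.8.5", "dport": 445},       # OT -> IT
    {"src": "10.10.4.17", "dst": "10.10.9.2", "dport": 102},       # OT -> OT
    {"src": "10.10.250.8", "dst": "192.168.50.20", "dport": 443},  # DMZ -> IT
    {"src": "10.20.8.5", "dst": "10.10.4.17", "dport": 502},       # IT -> OT
    {"src": "172.16.1.1", "dst": "10.20.8.5", "dport": 22},        # unzoned -> IT
]

INDEX = build_index(ZONES)
# The rule is written once against zone names; re-addressing a segment
# only changes ZONES, not the rule.
OT_TO_IT = crossing_alerts(FLOWS, INDEX, {"ot-control"}, {"it-corp"})

if __name__ == "__main__":
    for hit in OT_TO_IT:
        print(hit)
```

The DMZ host at 10.10.250.8 falls inside 10.10.0.0/16 but resolves to ot-dmz, so a rule scoped to ot-control does not fire on it; a raw CIDR rule on the /16 would have.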
Feature additions
- Overlay port home page — landing page for the overlay port surfaces current state, traffic, and enrollment at a glance.
- Download backup from remote HTTP — pull a system backup from an external HTTP endpoint (useful for scripted restore or air-gap transfer).
- Access Screen end session — operators can explicitly terminate a user's access-screen session from the admin UI.
- Built-in sources for log exports — curated list of log destinations (no hand-rolled pipelines required).
- Input field accepts direct UDP/TCP service — when creating a service entry, operators can type tcp/8080 shorthand instead of picking from a fixed list.
- Assets page refactored — denser table, faster load on large inventories.
- DNS service inspector — built-in DNS inspector surfaces what the service exposes and how clients interact with it.
Bug fixes
Access Screens
- Button and text color fixed (no more white-on-white).
- Access-screen IP association cleared up correctly after session end.
- Access flow no longer requires a re-auth cycle to create the TCP proxy entry.
Enclaves
- Crash on the enclave page fixed.
- Assets can no longer be created without a service (validation added).
Overlay / Networking
- Fabric configuration correctness fixes.
- NetFlow decoder no longer crashes on specific TCP listener input.
- Data race in NetFlow path removed.
Upgrade notes
- The built-in alert library is enabled by default; existing custom rules continue to work alongside.
- Entity history is captured going forward from upgrade; pre-upgrade state is not retroactively reconstructed.
- Admin users are migrated automatically into the new roles system; no manual intervention required.