Trout

v25.5.2 Release Notes

What is new in the May 2025 release.

Last updated 2025-05-01

v25.5.2 focuses on multi-site deployments and deeper inspection — Snort integration on enclave flows, cross-site entity sharing, security-level enforcement on TLS handshakes, and a durable backup/restore path during upgrades.

Highlights

Snort on enclave flows

Enclave traffic can now be inspected by Snort rules. Operators bind a Snort configuration to an enclave's flows and get signature-based detection on the same identity-enforced boundary, layered on top of the proxy controls. NetFlow data can be fed directly into Snort — no external conversion step.

Cross-site entity sharing

Entities — users, assets, groups — can now be shared between Access Gate sites, keeping multi-site deployments in sync without duplicating the policy surface. Changes flow bidirectionally with conflict handling on the source site.

TLS security levels on users and assets

Users and assets now carry explicit TLS security-level labels, enforced on the handshake. A sensitive asset can require TLS 1.3 + PIV-issued client cert while a general-purpose one accepts looser profiles. Security levels feed compliance reporting.

Database backup and restore during upgrades

System upgrades now include an automatic database backup-and-restore step. If an upgrade fails mid-way, the database rolls back to the pre-upgrade state without operator intervention. This materially reduces upgrade risk.

Passive listening port

A dedicated configuration surface for passive listening ports. Attach a span/mirror port to Access Gate for observation without affecting the traffic path.

Missing-asset detection via ARP

Access Gate now detects when a previously-observed asset goes silent — ARP probes without replies trigger a missing-asset signal, useful for detecting assets that have been disconnected or powered off unexpectedly.
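
An added sketch of this kind of detection logic (not Trout's implementation, which these notes do not describe): a tracker that consumes ARP probe outcomes and signals only for assets that have previously replied. The three-miss threshold, the "returned" signal and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MISS_THRESHOLD = 3  # assumed: consecutive unanswered probes before signalling


@dataclass
class AssetState:
    seen: bool = False     # asset has answered at least one probe
    misses: int = 0        # consecutive unanswered probes
    missing: bool = False  # a missing-asset signal is currently raised


class MissingAssetTracker:
    def __init__(self, threshold=MISS_THRESHOLD):
        self.threshold = threshold
        self.assets = {}

    def record_probe(self, ip, replied):
        """Feed one ARP probe outcome; return 'missing', 'returned' or None."""
        st = self.assets.setdefault(ip, AssetState())
        if replied:
            came_back = st.missing
            st.seen, st.misses, st.missing = True, 0, False
            return "returned" if came_back else None
        if not st.seen or st.missing:
            return None  # never observed, or signal already raised
        st.misses += 1
        if st.misses >= self.threshold:
            st.missing = True
            return "missing"
        return None


def run(events, threshold=MISS_THRESHOLD):
    """Replay (timestamp, ip, replied) tuples and collect raised signals."""
    tracker = MissingAssetTracker(threshold)
    signals = []
    for ts, ip, replied in events:
        sig = tracker.record_probe(ip, replied)
        if sig:
            signals.append((ts, ip, sig))
    return signals


# Constructed sample: 10.0.0.5 replies once then goes silent; 10.0.0.9 never replies.
SAMPLE = [(0, "10.0.0.5", True), (0, "10.0.0.9", False)]
SAMPLE += [(t, ip, False) for t in (30, 60, 90) for ip in ("10.0.0.5", "10.0.0.9")]
SAMPLE += [(120, "10.0.0.5", False), (150, "10.0.0.5", True)]
```

Requiring several consecutive misses keeps a single dropped reply from raising a false signal, and ignoring never-observed addresses keeps unused IPs out of the alert stream.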

Feature additions

  • Attachment uploads — operators can upload supporting documents (diagrams, policies, evidence) directly on enclaves, assets, and incidents for audit context.
  • SFTP log export — audit logs export over SFTP in addition to syslog/API destinations.
  • DNS preference in overlay configuration — operators can pick which DNS resolver the overlay uses rather than inheriting the host's.
  • Fix for missing PTR records on assets — reverse-DNS resolution for overlay assets now works correctly.
  • Safe defaults for port settings — port configuration forms ship with safer defaults to reduce misconfigurations.
  • Field metrics collection — telemetry from the field (performance, errors, usage) can be collected for troubleshooting and product improvement.

Bug fixes

Access Screens / Enclaves

  • Time limit now saved correctly on access-screen rules.
  • ACL permission no longer reset to denied after successful access-screen login.
  • Enclave description area sized correctly on all displays.
  • Ghost ACL rule after archiving an enclave with a primary rule — fixed.

Overlay / Networking

  • DHCP on overlay interface no longer crashes when enabled.
  • Network configuration UI stability fixes.
  • Slice-bounds panic in overlay runtime eliminated.
  • Local PCAP file read no longer crashes NetFlow.

Platform

  • VPN service now terminates cleanly, including child processes.

Upgrade notes

  • The upgrade backup/restore path runs automatically — allow additional disk headroom for the DB snapshot.
  • Snort configurations bound to enclaves persist across upgrades; no re-binding required.
  • Cross-site entity sharing is opt-in per site pair; no existing single-site configurations are affected.