TroutTrout
All docs

v26.3 Release Notes

What is new in the March 2026 release.

4 min read · Last updated 2026-04-22

v26.3.1 lands new capabilities around remote access, identity, and classification, plus a large batch of stability fixes across enclaves, overlay networking, and access screens.

Highlights

Privileged Access Management (PAM)

Access Gate now ships with an integrated proxy-based remote access layer, giving operators browser-based SSH, RDP and VNC access to protected assets without requiring a client install or an additional jump host. Sessions inherit the same identity, authorization, and audit rules as every other Access Gate session.

TLS bootstrap without pre-existing PKI

The pki service can now create and manage a self-signed root CA covering every vnet domain the appliance owns. This removes the chicken-and-egg problem of needing TLS (for access screens, encrypted overlays, admin UI) before a customer PKI exists. The root CA key is password-protected; the administrator enters the password after a system reboot — the password is never stored on disk.

Customers with an existing PKI can continue to use it. The bootstrap CA is an option, not a replacement.

Custom session expiration

Admin and access-screen sessions now have their own configurable lifetime, decoupled from the OIDC provider's token lifetime. This matters when the identity provider's session policy is either too permissive or not granular enough (e.g. Entra ID fixed-duration sessions). OAuth tokens are still used for the OIDC handshake, but the Access Gate session lifetime is set locally.

Subnets classification and labels

Networks can now be tagged with a type (VPN, IT, OT, Guest, Vendor, Public) and an implementation mode (Twin or Direct). Additional fields capture the Purdue classification and the impact level in case of attack. These labels feed policy, dashboards, and compliance reporting.

DHCP protocol support in asset inventory

Assets can now be discovered and tracked via DHCP traffic in addition to the existing passive-observation channels. This closes a gap for environments where DHCP is the primary source of ground-truth on endpoint IPs.

URL classifier model (preview)

A new classifier model is available for detecting obfuscated HTTP data exfiltration by pattern-matching request URLs. Trained on the structural differences between legitimate HTTP traffic and info-stealer payloads.

Identity and cybersecurity hardening

Users now carry an explicit list of AssignedAssets — personal assets no other user can claim. This replaces the prior free-form IP list on the user profile, closes an ACL-bypass edge case, and makes user-to-asset mapping auditable.

Feature additions

  • ACL table search — search the ACL table by user, asset, or rule text.
  • Filtering and searching over large enclave sets — search bar and filters on the enclave page now operate on large entity counts without stalling.
  • Access Screen permission updates recorded in enclave history — changes to access-screen permissions now appear in the enclave's audit trail.
  • Multiselect dropdown component — reusable multiselect widget across several surfaces.
  • Admin command to delete certificates — administrators can remove certificates from the CLI.
  • Custom session expiration timeout — see Highlights.
  • Subnet labels and impact fields — see Highlights.

Bug fixes

Stability, UI, and correctness fixes across the platform:

Access Screens

  • Line breaks in access-screen content now carry over to the splash page.
  • Enclave tag no longer duplicated in the access screen header.
  • Text editor responds correctly during editing.
  • Server no longer crashes when an access screen is triggered under specific conditions.
  • Logo, text, and button alignment stabilized.

Enclaves

  • Asset-modified audit entries no longer stuck in pending.
  • Access-screen permission updates captured in enclave history.
  • Adding M365 groups to an enclave succeeds without requiring a page reload.
  • Asset search preserves the previous selection.
  • ACL table no longer reports phantom changes on open.

Overlay networking

  • Virtual IP block UI validates network addresses.
  • Pings originating on the overlay interface leave via the same input interface.
  • Translations in CDNS corrected.
  • Repetitive spam log message suppressed.

Visibility

  • Plugin load ordering corrected.
  • NetFlow decoder no longer crashes on malformed data.

Compliance

  • IP cleanup now completes on the 24-hour schedule.
  • Forwarder handles unknown-app requests without crashing.
  • Snort starts correctly when the CIP module is configured as a protocol.

Upgrade notes

  • The pki bootstrap CA is opt-in; existing deployments with a customer PKI are unaffected.
  • Session expiration defaults are preserved on upgrade; configure new values under admin settings only if the new decoupled lifetime is required.
  • The collections screen has been reoriented; customer-authored rules continue to work, but the primary navigation has shifted toward security-event monitoring.
Next
v25.12 Release Notes