Released June 27 2025
New Features
Gateway
The max size of the Java heap size of the Session daemon is now configurable. See the cz-config section in the Admin guide for details.
Application Discovery
Added a new "Configure" action allowing users to filter the display of the Discovered apps.
Admin UI
Active Sessions are now possible to renew in bulk.
Policies and are now possible to export in bulk.
Updates
Security
Fixed an issue in which, under certain corner case conditions, multiple users may be assigned the same session identifier, potentially allowing a guest user to gain visibility to a logged-in user's Portal Client user interface.
Removed unused ability to log in to Azure Monitoring using client assertion via a certificate file.
Appliance
Fixed an issue in which DHCP routes were applied even though they were configured not to.
Upgrades
Fixed an issue in which upgrades from 6.4.6 or later would fail.
Fixed an issue in which old configuration backups would fill the disk after multiple upgrades.
Controller
Fixed an issue in which some database conflicts showed up as warnings despite the conflicts being auto-resolved.
Fixed an issue in which FIDO2 authentication failed when there were multiple devices with the same username and different Identity Providers.
Fixed an issue in which the Controller is reported to not be running when the Risk Engine integration is enabled and the Controller cannot reach ZTP.
Portal
Fixed an issue in which the session would timeout after 5 minutes unless there is traffic to the endpoint or a Portal tab is kept open.
Gateway
Fixed an issue in which Gateways sometimes fail to reload the GeoIP database when a new database is available.
Fixed an issue in which the VPN daemon under certain conditions could crash on the shutdown part of a restart, resulting in a core dump on the Gateway.
Memory usage was improved for the Session daemon.
Name resolving
Fixed an issue in which no IPs were returned if there was a partial error in the resolving.
The AWS resolver distributes the update API calls with a randomized jitter of up to 15 seconds to avoid spikes in traffic to AWS in case the system has multiple Accounts.
Fixed an issue in which unstable DNS Names continued producing dashboard warnings even after being removed from the Entitlement.
Fixed an issue in which the DNS Entitlement Names were resolved for all matching domains instead of only for the longest (best) match.
Support was added for unicast ARP requests.
LogForwarder/LogServer
Fixed an issue in which high load would make the LogForwarder stop accepting logs for short periods of time.
Reduced the severity of non-critical LogForwarder/LogServer Appliance healthcheck warning/error messages.
Admin messages
The Admin messages for when an Appliance joins the Collective and when a User fails to log in due to a missing Policy were removed. These events can be detected using Audit logs or metrics.
Metrics
Fixed two issues related to apn_audit_events:
LogForwarder and LogServer Appliances included forwarded log entries in the count.
The other Appliances did not include a count at all.
Fixed an issue in which the Client metrics aggregate statistics included inactive sessions.
The apn_audit_event_log_stat metric was replaced by lf_audit_logs on the LogForwarder and log_audit_logs on the LogServer.
Audit logs
Fixed an issue in which the session-duration field of acl_rules_update and tunnel_closed audit logs wasn't set to 0 when a session was disconnected.
Application Discovery
Updated the Application discovery list and details to display more relevant data:
A new "Additional data" tab was added to display IP Addresses and originating Entitlements of the discovered application.
The "Groups in common" tab was replaced with a Groups tab showing all groups and how large percentage of the accessing users that is in each group.
The Configure access flow of Application Discovery was improved to allow:
Creating Entitlements disabled or enabled and with Tags.
The created Entitlements can be connected to none, existing, or newly created policies.
Admin UI
Fixed multiple issues in which popups and dropdowns were partially covered by other elements.
Fixed an issue in which tags were not updated when refreshing a list.
Fixed an issue in which tag ordering was inconsistent on different pages.
Fixed an issue in editable lists where duplicate items were impossible to delete.
Updated the display of the LDAP Certificates list to show the subject names.
User Settings was re-labeled and folded into Sign-in Settings for Local and Service Identity Providers.
Fixed an issue in which the breadcrumb and heading wouldn't reflect the action when cloning.
Fixed an issue in which the search bar wouldn't close in some cases.
Fixed an issue in which the privileges display broke when cloning or adding an admin privilege.
Fixed an issue in which the table headers were hidden behind search pills on scroll.
Fixed an issue in which the Site selection dropdown in Acitve Session Details wasn't alhpabetically sorted.
Fixed a display issue in which multiple hosts in an Exclude Action were displayed without commas.
The Criteria Builder heading was updated to "Criteria Builder" instead of "Remedy".
Fixed an issue in which Policies with Ringfence Rules by Tags wouldn't show in Session Details' Policy Assignement Analysis.
Improved accessibility around tags and the tag modal.