6.6.1 Appliance


Released March 23, 2026

New Features

  • The Controller now uses dynamic, response-time-aware rate limiting to improve how the Controller protects itself under heavy load during authorization calls.

  • Added detection for MitM issues caused by firewalls or network devices terminating Client–appliance connections. You can enable it on affected appliances with cz-config set -j reportBogusTLS/enabled true. When a TLS connection lacks expected extensions, the appliance raises a five-minute warning that includes the source IP:port to help identify misconfigured devices.

  • NAT traversal is now available as a beta feature, simplifying the onboarding of difficult-to-reach Sites. For more details, see the Admin Guide.

Updates

Security

  • Admin users will now see tags only for resources they have the privileges to view or edit. If a user does not have tagging privileges, tag fields will be disabled.

  • Low-privileged admin users can no longer elevate their privileges through policies or crafted API requests.

  • If a Gateway does not retrieve an updated token revocation list for 12 hours or more after previously receiving one successfully, the Gateway will stop creating new user sessions and new users will be prevented from connecting through that Gateway. These conditions will remain in effect until communication with the Controller is restored.
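The revocation-list rule above is a fail-closed design: a Gateway that can no longer learn which tokens have been revoked stops admitting new sessions rather than guessing. The following Python model, added here for illustration and not Appgate's own code, shows that decision logic with the page's 12-hour threshold. The class name, the event timeline format and the treatment of a Gateway that has never fetched a list (admitted, because the note only applies "after previously receiving one successfully") are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Threshold from the release note: 12 hours or more without a fresh list.
REVOCATION_MAX_AGE = timedelta(hours=12)


class GatewaySessionAdmission:
    """Illustrative model (not product code) of the fail-closed rule:
    once a token revocation list has been received successfully, new
    sessions are refused when no updated list has arrived for 12 hours
    or more, and admitted again as soon as a fresh list is received."""

    def __init__(self):
        # None means no revocation list has ever been fetched successfully.
        self.last_successful_fetch = None

    def record_revocation_list_fetch(self, at):
        """Called when an updated revocation list is received from the Controller."""
        self.last_successful_fetch = at

    def revocation_list_is_stale(self, now):
        if self.last_successful_fetch is None:
            # Assumption of this example: the rule only applies after a prior fetch.
            return False
        return now - self.last_successful_fetch >= REVOCATION_MAX_AGE

    def may_create_session(self, now):
        """True if a new user session may be created at time 'now'."""
        return not self.revocation_list_is_stale(now)


def replay(gateway, timeline):
    """Feed a chronological list of (time, event) pairs through the gateway.
    event is 'fetch' (revocation list received) or 'session' (connection
    attempt). Returns (time, admitted) for every 'session' event."""
    decisions = []
    for at, event in timeline:
        if event == "fetch":
            gateway.record_revocation_list_fetch(at)
        elif event == "session":
            decisions.append((at, gateway.may_create_session(at)))
        else:
            raise ValueError(f"unknown event {event!r}")
    return decisions


# Constructed timeline: a fetch, then Controller communication is lost for
# 13 hours, then communication is restored and a fresh list arrives.
T0 = datetime(2026, 3, 23, 8, 0, tzinfo=timezone.utc)
SAMPLE_TIMELINE = [
    (T0, "fetch"),
    (T0 + timedelta(hours=11, minutes=59), "session"),  # admitted
    (T0 + timedelta(hours=12), "session"),              # refused (stale)
    (T0 + timedelta(hours=13), "fetch"),                 # communication restored
    (T0 + timedelta(hours=13, minutes=1), "session"),   # admitted again
]

if __name__ == "__main__":
    for at, admitted in replay(GatewaySessionAdmission(), SAMPLE_TIMELINE):
        print(at.isoformat(), "session admitted" if admitted else "session refused")
```

The useful property to check in a deployment is the last line of the timeline: admission resumes only because a new list was actually received, not because time passed.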

Upgrades

  • Improved the database upgrade process by ensuring that prerequisite processes are running and checking for “ghost” BDR nodes that could potentially cause issues.

Name resolving

  • The DNS forwarder will reflect changes from an appliance’s hosts file within ten seconds instead of one hour.

  • Addressed an issue in which DNS forwarding stopped working for all sessions when an Entitlement script took an abnormal amount of time to complete.

  • Reverted the deprecation in 6.5 of the domain:// scheme to define hosts.

  • When creating a DNS policy, the match domains field now accepts comma-separated input to help with migration from the deprecated IdP DNS.

  • Addressed an issue in which certain hostname glob patterns were handled as literal strings, preventing them from matching correctly.

  • The DNS forwarder will keep the IPs of hostnames for 12 hours to improve resiliency.

  • Legacy syntax for resolver resource names is deprecated. SDPCTL can be used to convert to the new common JSON syntax by running sdpctl entitlements names-migration.

  • Addressed an issue in which the status of LogForwarders was erroneously updated to Warning when their status moved to Healthy.

  • Fixed an issue in which sessions would stop receiving IP updates for names if the Names test button API was used frequently.

  • Fixed an issue in which the ESX resolver did not properly clear errors under certain circumstances.

Networking

Admin UI

  • The link on a Site’s Health Details page now shows all appliances related to a Site, not just appliances with the Site as their primary.

  • When configuring Local Resources in an Advanced Connector, the Address field is no longer always marked as required (*), as that is not always the case.

  • Fixed an issue where removing usage data after creating narrow access rules for a discovered app incorrectly reset all related apps, rather than only those tied to the new Entitlement.

  • Fixed an issue in which the hashed verified profile link DNS was not displayed in the Licenses page.

Risk sentinel

  • Addressed an issue in which the Controller was unable to establish a connection to ZTP for Dynamic Risk Alerts to be received.

  • Resolved an issue in which licenses could not be applied when a ZTP connection failed.

Metrics

  • Metrics for gw_fallback_usage and gw_vpn_sessions now both use the primary_site_name field for aggregation instead of name.

  • The following entries have been added to the MIB:

    • 1.3.6.1.4.1.7607.1.2.27.1 APPGATE-MIB::appgate.sdp.sdpGw.gwVpnRTTsStats.gwVpnRttSamples

    • 1.3.6.1.4.1.7607.1.2.28 APPGATE-MIB::appgate.sdp.sdpGw.gwSessionTraffic

Audit logging

  • Event logs no longer contain plaintext credentials or sensitive URL parameters.

  • An audit log entry is now written every time an appliance downloads a GeoIP database.