6.5


Released April 17 2025

Main Features

Application Discovery

  • Application Discovery allows you to go from a VPN setup with broad access rules, to a ZTNA setup with precise access in a structured manner. It analyzes the client traffic and suggests to the user to create Policies and  to allow only the users actually using specific resources to have access.

Digital Experience Monitoring Enhancement

  • The App Health view now shows name errors. This allows the Administrator to be proactive and detect wrongly configured Resource Names before the end user.

DNS Improvements

  • Client device DNS can now be auto-configured using the Site-level DNS resolver.

  • The DNS forwarder is now using CoreDNS, making it more performant and consistent with the DNS logic in Appgate SDP.

  • All sites come with a default DNS resolver. This resolver will handle all hostnames without match domains from the other DNS Resolvers. The resolver is always created on update if it is missing.

  • DNS Resolvers and Forwarders do not need to have DNS Servers filled any longer. If left empty, the Appliances' DNS Servers will be utilized.

  • DNS Forwarding is always enabled on Sites. It has no effect if it is not used.

  • DNS Forwarding has two new fields: Match Domains and Auto Client DNS. They can be used to generate automatic DNS config and Entitlements for DNS Forwarding, like the feature introduced for DNS Resolvers on 6.4.

Tag Management

  • Tags are now their own entities that can be managed via the admin UI. This allows for easier management and overview of the tags.

Copy Policies and Entitlements from one Collective to another

  • Policies and Entitlements can be exported from one Collective to another Collective. This is useful when going from a POC or test Collective to production.

Load Balanced LogForwarder

  • LogForwarder traffic can now be configured to be load balanced. This allows for better resource utilization and scalability. New LogForwarders can be added to the load balanced group when needed.

AWS Support for HA Connectors

  • Connectors in AWS can now be configured to work in high availability mode, minimizing downtime. This allows resources like Lambda, EC2, and Kubernetes to continue working even if a Connector fails.

Enterprise Browser Integration

  • It is now possible for the full client to work together with enterprise browsers to create direct routing from the enterprise browser to the protected resources.

Client App Shortcuts UI Upgrades

  • The new list mode allows for a more compact way of showing app shortcuts. It also enables longer app shortcut names to be displayed without truncation.

  • App shortcuts can now be grouped from the admin UI. This allows the end user to navigate more easily when there are a lot of app shortcuts.

  • It is now possible to search for app shortcuts. This is very useful if there are a lot of app shortcuts.

  • Pinned app shortcuts are now in a separate tab.

New Features

Controller

  • It is now possible to download Appliance logs in journal file format using SDPCTL. This can be useful in case the normal log download times out due to large log files.

API

  • API specs now utilize "securitySchemes" instead of plain "Authorization" headers.

Gateway

Name resolving

  • It is now possible to disable auto discovery for subscription IDs on Azure Resolvers.

  • EKS and RDS are now supported by the AWS Resolver. They are disabled by default while EC2 continues to be enabled by default.

LogServer/LogForwarder

  • The LogServer Dashboards now communicate with the Controller over port 443 instead of 8443, removing the need for extra firewall rules.

Portal

  • It is now possible to select the TLS ciphers that should be accepted by the Portal.

Admin UI

  • The Forms layout has been updated to improve the navigation experience:

    • Some forms are reorganized.

    • All the groups can be collapsed.

    • The tabs are removed.

  • It is now possible to clone an Entitlement Action.

  • Entitlements can now be searched by using a subnet in CIDR format. It only searches IP-based hosts.

  • There is now an action in the Conditions list to show linked Entitlements.

  • Comboboxes now load all items instead of just the first 30.

  • It is now possible to "Save and Clone" when there are unsaved changes to the data in the form.

  • Headings and breadcrumbs in forms are updated to improve the navigation experience.

Client

Desktop

  • The Linux/macOS Client UI will not be allowed to start as root, as that causes privilege issues.

  • New device claim "isAlwaysOn". It will be set to true if the always-on client is installed on Windows/macOS for both the full and headless client. Neither needs to be configured for it to be true.

  • The driver will create a file called "driver.status" in the same folder as driver logs when the tunnel is up. This file will have up-to-date JSON about the current status of connectivity.

Mobile

  • Support for Browser auto sign-in is now available.

Updates

Security

  • Fixed an issue where setting DOWN rules ignored the IP states and allowed UP traffic that was not initiated by DOWN traffic.

Appliance

  • GeoIP updates now favor download from the Appgate CDN instead of directly from MaxMind.

  • Fixed an issue where IPv6 hosts would be added to the hosts list even when IPv6 was disabled.

  • Fixed an issue where the Appliance would crash on start with empty or invalid configuration.

  • Appliance configuration distribution was changed from push to pull.

Upgrades

  • Fixed several issues related to BDR and upgrades.

  • Fixed an issue where XDP certificate deprecation check would stop upgrades even though the certificate is new.

Controller

  • Token revocations are no longer based on tracked tokens. Instead, they will be based on devices and timestamps. This will make the database usage significantly lighter. It will have no observable effect.

  • TokenRecord privilege type is no longer supported.

  • Registered devices' hostnames will now be updated on new sign-ins.

Authentication

  • The FIDO2 library was updated and is based on the metadata database provided by the FIDO Alliance. More devices will be identified and new FIDO2 devices will have UUID-based device IDs.

  • LDAP Certificate Identity Providers now have a read-only field for CA certificates with their details.

API

  • The /stats/user-logins API's behavior changes slightly as it used to depend on the individual tokens. If a device obtained two user Claims tokens within 24 hours, it was represented twice in the data. Now it will be once.

  • The /admin/health/app-connectivity API used to have one entry per Entitlement and Gateway Combination. Now Gateway information has been moved into the details of the Entitlement and Site combination. You may continue to use the old response format by using older peer versions in the Accept header.

Gateway

  • Gateway Appliance health status no longer contains information about users falling back to that Gateway. Prometheus metrics can be used to get this information.

  • There have been improvements to prevent the event queue from growing.

  • Fixed an issue where URL access failed when the returned headers were too big.

  • Fixed an issue where OUs with multiple spaces made Session Details fail to be displayed in the admin UI.

  • Fixed an issue where a memory leak would occur in case the Session daemon was turned off.

LogServer/LogForwarder

  • OpenSearch and OpenSearch Dashboards were updated to version 2.18.0.

Admin messages

  • The "Failed to communicate with Risk Engine" admin message will now appear only if the failure happens consecutively in a short period of time.

Admin UI

  • Fixed an issue where logging in to the Admin UI would fail if the SAML response contained new lines.

  • Fixed an issue where searching for multiple values in nested entities (e.g. Action hosts in Entitlements) would return empty results.

  • The Criteria builder was updated to make it easier to:

    • Find and select a criterion.

    • See what has been typed and selected.

  • The Remote Command modal was given a facelift.

  • The dark theme was made darker.

  • The token renewal modal was updated to clearly indicate which tokens are renewed.

  • Fixed an issue where the search query was not remembered on cancel and on clone.

  • Fixed an issue where the UI would crash under certain circumstances when editing Policy Assignment Criteria JavaScript.

  • Fixed an issue where double clicking log download would cause the UI to crash.

  • Fixed an issue where ordering in a modal would instead order the list in the background.

  • Fixed an issue where “Reason” was not stored when blacklisting a user.

  • Fixed an issue where monitoring could be enabled for an HTTP UP action even though it is not possible to monitor.

Client

  • The details in the Entitlements list were moved to individual sub pages, making the list easier to view.

  • Fixed an issue where the Client stopped retrying to sign in on start-up on a specific type of connectivity error.

  • Fixed a rare issue where the Client sent empty device claims to a Gateway after removing a Profile.

  • Fixed an issue where CA migration was not triggered when the CA switch occurred while the Client was running but wasn’t signed in.

Desktop

  • The landing page after signing in to an external Identity Provider using the browser was replaced.

  • The auto-update user experience was updated to trigger directly from the menu when possible.

Windows

  • The automatically delayed service start introduced in 6.4 was removed. Instead, the Wintun driver initialization is delayed unless it is needed earlier.

  • Fixed an issue where the client always ignored the IP state updates from the Gateway.

  • Fixed an issue where some of the installed binaries were unsigned.

macOS

  • Fixed an issue where the DNS resolver would not fall back to the default DNS server when there is an NXDOMAIN response.

Linux

  • Fixed an issue where Low attention mode on Linux made it impossible to access the Client UI.

  • Chromium sandbox mode was re-enabled on the Client UI process.

iOS

  • Fixed an issue where the "Configure OTP" button would not launch the relevant app.