6.7

Released April 2, 2026.

New Features

Collective Replication

  • Collective Replication enables customers to split large environments into multiple Collectives while keeping them consistent and manageable through secure, controlled replication of access rules and identity management. It addresses scalability limits and improves resilience by allowing configuration and identity data to be shared across Collectives without creating configuration drift or operational confusion. Key use cases:

    • Resilient architectures and failover where clients can switch to another Collective if the primary one becomes unavailable.

    • Easy promotion from an evaluation to a production Collective or from a production to a test Collective.

    • Scalable environments beyond Controller limits by dividing deployments into multiple Collectives and replicating required entities between them.

    • Centralized governance with local safety by replicating entities as read‑only in target Collectives, with the option to clone entities for local customization.

Kafka Log Forwarding

  • The LogForwarder now supports Kafka as a destination.

Updates

Security

  • An inactivity timeout was added to the admin UI. It is enabled by default with a 60-minute timeout. Users will be provided with a warning shortly before being logged out.

  • Certificate healthchecks for Gateways now include the local hostname used when clients connect from specific public IPs.

Stability

  • Added a validation against modifying IP pools that are in use for IP pool mapping in Translation mode.

  • Fixed an issue in which a Gateway could enter a state where active session details were missing Site information.

NAT Traversal

  • NAT traversal now works on mobile and Windows lite clients.

  • Addressed an issue in which NAT traversal would not work in cases where the Gateway hostname was an IP address.

  • Addressed an issue in which NAT traversal would not work if the tunnel protocol was QUIC and SPA mode was “UDP (and TCP)”.

Audit logging

  • New audit logs have been added for testing of criteria scripts, policies, conditions, entitlement scripts, and user claims scripts. The entity.expression field of entity_updated and entity_created logs is no longer filtered out to hide potential secrets, so any secret embedded in a script will now appear in these logs. If you have secrets in your scripts, migrate them to the Secrets Manager.

  • Support was added for new, region-specific Coralogix endpoints to replace their deprecated endpoints. To use the new endpoints, update the Coralogix URL in your LogForwarder to the format: https://ingress.<YOURDOMAIN>/logs/v1/singles
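
One way to check forwarded audit logs for script secrets exposed by the entity.expression change above. This is an added example, not vendor code: the JSON layout (an event_type key and a nested entity object with name and expression fields), the heuristics, and the sample lines are assumptions constructed for illustration.

```python
import json
import math
import re

# Event names come from the release note; the "event_type" key and the nested
# "entity" object are an ASSUMED JSON layout. Adjust to your forwarder's output.
WATCHED = {"entity_created", "entity_updated"}
PATTERNS = {  # heuristics for credentials hardcoded in a script body
    "named_secret": re.compile(r"\b(pass(word|wd)?|secret|token|api[_-]?key)\w*"
                               r"\s*[:=]\s*['\"][^'\"]{6,}['\"]", re.I),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_-]{24,})['\"]")

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))

def findings_for(expression):
    """Return the sorted names of the heuristics that match one expression."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(expression)}
    if any(entropy(m) >= 4.0 for m in LITERAL.findall(expression)):
        hits.add("high_entropy_literal")
    return sorted(hits)

def scan(lines):
    """Return [(entity name, findings)] for watched events that look risky."""
    results = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines in a mixed log stream
        if not isinstance(event, dict) or event.get("event_type") not in WATCHED:
            continue
        entity = event.get("entity") or {}
        hits = findings_for(str(entity.get("expression") or ""))
        if hits:
            results.append((entity.get("name", "<unnamed>"), hits))
    return results

SAMPLE = [  # constructed log lines, not real product output
    r'{"event_type":"entity_updated","entity":{"name":"crit-a","expression":"var apiKey = \"Zx9Q2mLp7Vt4Rk8Wb3Nc6Hd1Jf5Gs0Ya\"; return true;"}}',
    r'{"event_type":"entity_created","entity":{"name":"cond-b","expression":"return claims.user.groups.indexOf(\"admins\") >= 0;"}}',
    r'{"event_type":"other_event","entity":{"name":"x","expression":"password = \"hunter2hunter2\""}}',
    "not json",
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

The patterns are heuristics: treat a hit as a prompt to review the script and move the value to the Secrets Manager, and treat a clean scan as incomplete evidence.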

Metrics

  • Metrics for gw_fallback_usage and gw_vpn_sessions now both use the primary_site_name field for aggregation instead of name.

Name resolving

  • It is now possible to adjust how many errors are accepted before the address cache is cleared. To do this, enter the following command: cz-config set -j gateway/nameResolution/nameMaxAllowedErrors <value>

  • A dashboard warning will now appear when a parsing error of an ACL rule occurs, but processing and enforcement of other valid ACL rules will continue.

  • Addressed an issue in which the GCP resolver would make extra calls to GCP and was subsequently rate limited.

REST API

  • New bulk upsert APIs have been introduced for access rules and identity management entities. These include policies and entitlements.

  • Client profile group URL values are no longer treated as write-only secrets. The profileUrls.url field is now returned by the relevant GET APIs, making it easier to inspect and replicate client profile groups across environments.

Application Discovery

  • Behavior for bulk resetting and deleting of discovered apps has been improved.

  • Addressed an issue where Delete all data did not actually delete all data and the application would reappear after the next analysis.

Admin UI

  • Downloading logs has been improved for appliances with large log sets.

  • Adjusted admin UI rate limits introduced in 6.6.1 to address slowness in some scenarios.

Connector

  • Connector clients can now start reliably even when multiple connectors have similar names, eliminating startup failures caused by interface name collisions.

Client

  • Client update notifications are now preserved after signing out, making it easier for users who were automatically signed out to apply client updates at a later time.

Linux

  • The client update page now has a copy command button when a package manager update isn’t available.