NetFoundry Platform Update March 2026

Overview

This bulletin covers announcements from NetFoundry, details on features released between November 2025 and February 2026, and information on the latest blogs and articles. Highlights include automated backup and offline installation options for the NetFoundry Self-Hosted solution and the features upcoming in Ziti 2.0.

New installation options for NetFoundry Self Hosted (On-prem)

NetFoundry Self-Hosted now supports different deployment scenarios based on your environment and use case:

Deployment type | Best for | Requirements
Production cluster | Production workloads | Existing Kubernetes cluster with specific resource requirements
K3s quickstart | Virtual appliance, single-node deployments | Single Ubuntu VM, quickstart script handles setup
Offline installation | Air-gapped environments | Pre-downloaded installation tarball, K3s onl

Deployment is now supported in existing Kubernetes clusters for production workloads.

For air-gapped environments without internet access, NetFoundry has launched support for offline installations using an offline installation tarball for the NetFoundry On-Prem (Self Hosted) deployment model. The offline installer includes the required images and dependencies and can be used where online package repositories are not accessible.

Installation steps and prerequisites are documented on our website.

Full cluster backup for NetFoundry Self Hosted:

In addition to the automated daily snapshot backup of the database, full cluster backup has been added with Velero. It provides a complete backup of all Kubernetes resources and persistent volumes to an external storage target (AWS S3 or on-site MinIO). Use these backups for disaster recovery, cluster migration, or when you need to restore the entire installation including the support stack.

Learn more at https://netfoundry.io/docs/selfhosted/category/backup-and-recovery 

 

NetFoundry zLAN - Newly added features

NetFoundry zLAN is a next-generation solution designed to help OT operators implement precise microsegmentation within their LAN environments while gaining deep visibility into operational traffic. zLAN brings modern zero-trust principles into traditionally flat, vulnerable OT networks—without requiring architectural overhauls. 

NetFoundry has added the following new features to zLAN.

  • Built-in DHCP Server: A DHCP server can now be enabled directly from the zLAN console, and configuration is supported per LAN interface. This eliminates the need for manual installation and external DHCP setup.

  • /32 DHCP Support: DHCP configuration supports /32 subnet assignment, applicable per interface. This enables LAN-level micro-segmentation.

  • Immediate Enforcement of Deny Rules: When a deny rule is applied, any active sessions matching the rule are immediately terminated. Enforcement is real-time, not limited to new connections.

  • NetworkDiscovery Download: Discovery data can now be downloaded directly from the console. Supported export formats: CSV, JSON, YAML

Learn more: https://netfoundry.io/docs/zlan/intro

NetFoundry zLAN Offline Install

For air-gapped environments or OT networks that cannot be exposed to the internet, we have launched offline installers for the zLAN firewall. The bundle contains all required packages and their dependencies for supported OS versions and architectures to enable deployment in environments without internet connectivity.

Installation details are documented here: https://netfoundry.io/docs/zlan/reference/offline_installation

CSV export option for Traffic Analysis data

The Traffic Analysis report under the Metrics section now supports a CSV download option. Customers can now easily export and retain this traffic analysis data in CSV format directly from the NetFoundry console.

The Traffic Analysis feature would be highly useful for customers who wish to move from flat networks or network segmentation to microsegmentation. The feature would give admins details of the specific identities, source IPs / ports and destination IPs / ports used in a network, without investing in an additional solution for traffic analysis.
 

Windows ZDE – Service Visibility (Dial / Bind)

Starting from version 2.9.0.0, Windows ZDE now offers users visibility into the dial and bind types of services. With this information, the user of a ZDE can understand which services are hosted on the identity (Bind) and which services the identity has been given access to reach (Dial).

Upcoming Ziti version 2.0

We have in pre-release a significant "pre-major" version that introduces several high-impact features aimed at scalability, granular security, and ease of management.

1. Fine-Grained Permissions (BETA)

This release moves away from the binary "admin/non-admin" model to a more flexible, attribute-based permission system:

  • Global Permissions: New roles like admin_readonly, which allows viewing resources and debugging without the ability to modify configurations.

  • Entity & Action Level Permissions: Admins can now grant CRUD (Create, Read, Update, Delete) access to specific entity types (e.g., service.read or identity.update) rather than full system access.

2. OIDC/JWT Token-Based Enrollment

A new enrollment flow allows identities to be provisioned using external Identity Providers (IdPs):

  • Automated Identity Creation: Identities can be created automatically based on claims in a JWT from an OIDC provider.

  • Claim Mapping: New selectors (enrollNameClaimsSelector and enrollAttributeClaimsSelector) allow you to map JWT claims (like roles or usernames) directly to Ziti identity names and attributes.

  • Authentication Options: Supports both exchanging a JWT for a certificate (enrollToCertEnabled) and using the token itself for authentication (enrollToTokenEnabled).

3. Performance & HA Improvements

  • Concurrent Model Updates: Multiple model updates can now be "in-flight" simultaneously, significantly improving performance in clustered (HA) environments.

  • Smart Routing Enhancements: The dynamic cost range for smart routing has been expanded beyond the previous 64K limit, allowing for more nuanced traffic steering in large meshes.

  • Non-Blocking Auth: Authentication-related model updates can now be non-blocking or dropped if the system is under heavy load, preventing authentication bottlenecks from stalling the controller.

4. Enhanced Connectivity & Debugging

  • Identity-Based API Access: The Controller API can now be bound to an OpenZiti service itself. This allows admins to manage the controller over the Ziti overlay network rather than needing a public IP or standard firewall rule.

  • CLI Updates: The ziti edge login command now supports a --network-identity flag to facilitate these overlay-based management connections.

  • Better Error Context: Routers now provide more detailed error context to SDKs during "terminator" failures, allowing applications to make smarter retry decisions.

5. Infrastructure Updates

  • Priority-Based Routing: Router-to-controller control channels now support multiple underlays with priority-based routing for improved resilience.

  • IPv6 Support: Standard bind points now fully support IPv6 address notation.

Terraform Provider for NetFoundry Cloud v8

Support has been added for creating and managing the following resources via Terraform:

  • Posture Checks

  • Authenticators

  • Authentication Policies

  • Certificate Authorities

  • JWT Signers

  • Additional Identity Types

    • OTTCA (One-Time Token Certificate Authority)

    • UPDB (Username / Password Database)

Improved firewall info display

The firewall information presented in the NetFoundry Console has been updated to improve viewability.

Articles, updates and software releases:

Latest Blogs & Materials:

Follow our Ziti releases at https://github.com/openziti/ziti/releases

Updated WDE released - https://github.com/openziti/desktop-edge-win/releases

Updated Linux tunneler released (check that your ERs and controller are on the same version as the tunneler) - https://github.com/openziti/ziti-tunnel-sdk-c/releases

Watch the announcements section for announcements about the NetFoundry cloud services. 

Closing Thoughts:

Refer to our docs at https://netfoundry.io/docs and the videos on our YouTube channel and the openziti channel for updates, demos and all the exciting stuff on NetFoundry. If you have queries on the latest features, or have valuable feedback to share, we’d love to hear from you! Reach out to us at customer.success@netfoundry.io


 
