
Release 25.2

Platform Updates

Xshield Documentation

What to Expect: New portal for the Xshield platform documentation and release notes made available for SaaS and On-prem customers.

Why this matters: The new portal provides one-stop access to product documentation, knowledge articles, release notes, FAQs and more. Enterprises can stay informed about new features, best practices and how-to guides that help optimize the security posture of their IT and OT environments.

Process Based Policy Support for Windows

What to expect: The Xshield Security Platform will support defining process-based policies (for Windows operating systems only) for micro-segmentation. The full path and name of the process that sends or receives traffic can be used as a filter in policy templates, either instead of, or in conjunction with, the service port and protocol.

Why this matters: Process-based rules are a good option when the ports on which a service listens are dynamic. Additionally, process-based rules allow the operator to restrict communication on a given port to one specific process.
For example, create a process-based policy stating that only chrome.exe is allowed to make outbound connections to destination port 8080. This rule ensures that no outbound communication to port 8080 is allowed unless it originates from the chrome.exe process.

Note: Process-based policy support is available only on the Windows platform; it is not supported on macOS or Linux. Customers must upgrade to agent version 25.2 to enable this feature.

  • We also recommend that, for outbound connections, the user specify the full process path in the policy template.
  • More information on process-based policies can be found here: Process Based Policies.
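The behaviour described above, as an added example that is not Xshield's own code: a minimal evaluator for process-based allow rules, showing how a process filter narrows a plain port rule under default deny. The Rule and Connection fields, the sample policy and the process paths are assumptions made for illustration.

```python
# Added example (not Xshield's own code): a minimal evaluator for process-based
# allow rules, showing how a process filter narrows a plain port rule.
# Rule/Connection fields, the policy and the process paths are assumptions.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    direction: str           # "outbound" or "inbound"
    protocol: str            # "tcp" or "udp"
    port: int                # destination port (outbound) or listening port (inbound)
    process: Optional[str]   # full process path, or None for a port-only rule


@dataclass(frozen=True)
class Connection:
    direction: str
    protocol: str
    port: int
    process: str             # full path of the process that sends or receives the traffic


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """A rule applies when direction, protocol and port agree and, if the rule names
    a process, the connection's process path is exactly that path (compared
    case-insensitively, as Windows paths are)."""
    if (rule.direction, rule.protocol, rule.port) != (conn.direction, conn.protocol, conn.port):
        return False
    return rule.process is None or rule.process.lower() == conn.process.lower()


def is_allowed(rules: Iterable[Rule], conn: Connection) -> bool:
    """Default deny: traffic passes only if at least one allow rule matches."""
    return any(rule_matches(r, conn) for r in rules)


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"   # constructed sample path

# Constructed policy: only chrome.exe may reach port 8080; any process may use 443.
POLICY = [
    Rule("outbound", "tcp", 8080, CHROME),
    Rule("outbound", "tcp", 443, None),
]


def evaluate_samples(rules: Iterable[Rule] = POLICY) -> dict:
    """Evaluate a few constructed connections and return verdicts keyed by name."""
    samples = {
        "chrome_to_8080": Connection("outbound", "tcp", 8080, CHROME),
        "updater_to_8080": Connection("outbound", "tcp", 8080, r"C:\Users\alice\Downloads\updater.exe"),
        "curl_to_443": Connection("outbound", "tcp", 443, r"C:\Windows\System32\curl.exe"),
        "chrome_to_8443": Connection("outbound", "tcp", 8443, CHROME),
    }
    rules = list(rules)
    return {name: is_allowed(rules, conn) for name, conn in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {'allow' if verdict else 'deny'}")
```

Note that the process rule is matched on the full path, so a binary with the same file name in a different directory (the constructed `updater.exe` case) does not inherit chrome.exe's permission, and a port that no rule covers (8443 here) is denied even for chrome.exe.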

Breach Response (Quarantine mode)

What to expect: If an asset is identified (externally) to be under threat of attack, an operator can move the asset to a restricted (quarantined) state with limited access. This ensures that the attacked asset cannot spread the attack any further, limiting the blast radius and any further impact to the business. The feature allows the operator to define the policy template that is applied when an asset moves to the quarantined state.

Moving assets to quarantine mode reduces the scope of communication to and from those assets, preventing the spread of anything that could harm the enterprise's business. This is done primarily by applying a minimal set of allow policies on the assets to enforce the reduced scope of communication. The new solution introduces the following constructs:

  1. Breach Response Template: every Policy Template is a candidate for being programmed during breach response, and the template can state whether it is associated with a breach response level.
  2. Breach Response Level: pre-defined labels (e.g. Level1, Level2 and Level3) that can be associated with one or more Breach Response Templates.
  3. Users can associate one or more breach response templates with assets.
  4. When breach response mode must be initiated for an asset, users turn it on at the asset level by choosing one of the breach response labels (the levels available for a given asset are determined by the breach response templates associated with that asset).
  5. On choosing a label, the rules of the templates associated with that label are applied on the asset together with default deny rules (equivalent to secure-all mode).
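The five constructs above, modelled as an added example that is not Xshield's own code: templates optionally tagged with a level, assets associated with templates, the levels an operator can pick for an asset, and the rule set produced when a level is activated. Class names, the rule strings and the sample asset are assumptions for illustration.

```python
# Added example (not Xshield's own code): a model of the breach response constructs:
# templates tagged with a level, assets associated with templates, and the rule set
# programmed when a level is activated. Names and rule strings are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

BREACH_LEVELS = ("Level1", "Level2", "Level3")            # pre-defined labels
DEFAULT_DENY = ["deny inbound any", "deny outbound any"]  # secure-all equivalent


@dataclass
class PolicyTemplate:
    name: str
    rules: List[str]                      # allow rules, written as plain strings here
    breach_level: Optional[str] = None    # set when this is a breach response template

    def __post_init__(self):
        if self.breach_level is not None and self.breach_level not in BREACH_LEVELS:
            raise ValueError(f"unknown breach response level: {self.breach_level}")


@dataclass
class Asset:
    name: str
    templates: List[PolicyTemplate] = field(default_factory=list)


def available_levels(asset: Asset) -> List[str]:
    """Levels an operator may choose for this asset: those carried by its
    associated breach response templates, in the pre-defined order."""
    levels = {t.breach_level for t in asset.templates if t.breach_level}
    return [lvl for lvl in BREACH_LEVELS if lvl in levels]


def activate_breach_response(asset: Asset, level: str) -> List[str]:
    """Rules programmed on the asset when `level` is chosen: the allow rules of every
    associated template at that level, followed by default deny. Normal templates
    (no breach level) are not programmed, which is what shrinks the blast radius."""
    if level not in available_levels(asset):
        raise ValueError(f"{level} is not available for {asset.name}")
    allow = [rule for t in asset.templates if t.breach_level == level for rule in t.rules]
    return allow + DEFAULT_DENY


def build_sample_asset() -> Asset:
    """Constructed sample: a web server with one normal template and two breach
    response templates at different levels."""
    return Asset("web-01", templates=[
        PolicyTemplate("web-normal", ["allow inbound tcp/443 from any"]),
        PolicyTemplate("forensics-access", ["allow inbound tcp/22 from 10.0.0.5"], breach_level="Level1"),
        PolicyTemplate("backup-only", ["allow outbound tcp/9000 to 10.0.0.9"], breach_level="Level2"),
    ])


if __name__ == "__main__":
    asset = build_sample_asset()
    print("levels:", available_levels(asset))
    for rule in activate_breach_response(asset, "Level1"):
        print(rule)
```

Because the sample asset has no Level3 template, choosing Level3 for it is rejected, matching the rule that the levels offered for an asset come only from its associated templates.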

Why this matters: By moving compromised asset(s) to a quarantined state, the spread of malware, ransomware and/or unauthorized access is contained by preventing lateral movement. Operators can quickly isolate the affected assets without shutting down entire networks and operations. Xshield enables proactive breach response readiness and business continuity by limiting the impact in the early stages.

Find more information on breach response mode here: Quarantine Isolation Zone.

Policy Viewer for Single Asset

What to expect: In the Xshield Security Platform, Policies are attached to Segments and an Asset can be part of multiple Segments. This makes a single Asset inherit policies from multiple Segments and it gets hard to visualize the rules that are to be applied to the Asset. This feature allows the user to view the policies that will be programmed on the asset.

Why this matters: This reduces the complexity of managing security policies in a dynamic environment. The feature provides clarity by letting users see the exact rules that will be applied to an asset, review whether there are policy conflicts, and refine the rules as required. It also aids in troubleshooting connectivity issues caused by such conflicts.

User-Defined subnet selection for Tag-Label Rules

What to expect: Administrators can create tag-label rules whose criterion is a subnet in CIDR format.

Why this matters: Previously, Tag-Based Rules could only be created by selecting an existing subnet of assets where the agent was already installed and reporting to the dashboard. This new feature lets users create rules even before an asset is tokenized. When new assets are added, those within the specified subnet are automatically tagged according to the matching tag rule, which improves flexibility and asset management.
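How a subnet criterion can be applied to an asset as soon as its address is known, as an added example that is not Xshield's own code. The rule format, tag names and addresses are constructed; the choice to let a more specific subnet override a broader one for the same tag key is this example's own design decision, not a documented platform behaviour.

```python
# Added example (not Xshield's own code): applying CIDR-based tag-label rules to
# assets as they appear. Rule format, tag names and addresses are constructed.
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Constructed tag rules: CIDR criterion -> tags to apply to assets inside it.
TAG_RULES = [
    ("10.20.0.0/16", {"Site": "Plant-A"}),
    ("10.20.5.0/24", {"Zone": "OT-Cell-5", "Site": "Plant-A-Line5"}),
    ("2001:db8:10::/48", {"Site": "Lab-v6"}),
]


def compile_rules(rules: Sequence[Tuple[str, Dict[str, str]]]) -> List[tuple]:
    """Parse the CIDRs up front. strict=True rejects host bits (e.g. 10.20.5.1/24),
    so a mistyped rule fails when it is created instead of silently matching nothing.
    Broader prefixes are ordered first so that a more specific subnet, applied later,
    overrides the same tag key (this example's design choice)."""
    compiled = [(ipaddress.ip_network(cidr, strict=True), dict(tags)) for cidr, tags in rules]
    compiled.sort(key=lambda item: item[0].prefixlen)
    return compiled


def tags_for_asset(ip: str, compiled: List[tuple]) -> Dict[str, str]:
    """Tags for one asset address; an address outside every rule gets no tags."""
    addr = ipaddress.ip_address(ip)
    tags: Dict[str, str] = {}
    for net, rule_tags in compiled:
        if addr in net:   # False when the address family differs, so v4/v6 never cross-match
            tags.update(rule_tags)
    return tags


def tag_new_assets(assets: Dict[str, str], rules=TAG_RULES) -> Dict[str, Dict[str, str]]:
    """Tag a batch of newly seen assets given as {asset name: IP address}."""
    compiled = compile_rules(rules)
    return {name: tags_for_asset(ip, compiled) for name, ip in assets.items()}


# Constructed sample of assets reporting for the first time.
NEW_ASSETS = {
    "plc-17": "10.20.5.17",
    "hmi-3": "10.20.7.3",
    "corp-1": "10.30.1.1",
    "lab-v6-1": "2001:db8:10::5",
}

if __name__ == "__main__":
    for name, tags in tag_new_assets(NEW_ASSETS).items():
        print(f"{name}: {tags}")
```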

Enable reports for CrowdStrike Segments

What to expect: The CrowdStrike Xshield integration enables agentless microsegmentation by leveraging Falcon Platform APIs and Amazon S3 buckets to import host groups, enforce firewall rules, and gain network visibility. Xshield retrieves host and network telemetry data from Falcon, allowing administrators to define and apply segmentation policies. We have added reports functionality for CrowdStrike segments - Users can generate and download reports for CrowdStrike segments in the same way as generating reports for Colortokens segments.

Why this matters: The reports in the Xshield platform provide critical visibility into network security and segmentation effectiveness. They help customers track policy enforcement, identify security gaps at every stage, and ensure compliance with organizational or regulatory standards.

Start various manual operations from CrowdStrike UI

What to expect: The Xshield platform periodically pulls host information from CrowdStrike at predefined intervals. The operator can, however, force any of the following operations to be performed immediately from the CrowdStrike host groups page.

  1. Sync Host Groups: In CrowdStrike, Host Groups are logical groupings of endpoints (hosts) that help administrators manage security policies and assign configurations. By default, the Xshield platform scans CrowdStrike for new host groups every 24 hours. If host groups are added or removed in the CrowdStrike platform during this window, the Xshield operator can use this option to manually synchronize Host Groups from CrowdStrike to Xshield.
  2. Sync Hosts: If new hosts have been added to the CrowdStrike platform, the Xshield operator can use this option to manually synchronize the hosts from CrowdStrike.
  3. Sync Firewall Memberships: The Xshield platform creates a matching Host Group in the CrowdStrike platform for every Segment created in Xshield, and makes sure that every asset that becomes part of the Segment is added as a member of that Host Group. This membership synchronization runs at regular intervals (currently every 30 minutes); this option triggers it manually.
  4. Sync Policies: The Xshield platform synchronizes the segmentation policies to the CrowdStrike platform at fixed intervals. The synchronization can be initiated manually from here.

Improvements to Reports

What to expect: Reports will include new Lateral Movement Attack Analysis sections. The sections will present port distribution categories for both inactive and active ports. For each distribution category (e.g., Infrastructure Ports), the report will highlight:

  • MITRE ATT&CK techniques and procedure examples that could exploit these ports.
  • Recommended actions to reduce the breach impact score.
  • Service names associated with the ports, where applicable.

Why this Matters: These insights help security teams quickly identify potential lateral movement risks and take targeted actions to reduce breach impact using real-world MITRE techniques and service-specific context.


Appliance Updates

What to expect: If the gatekeepers are in HA mode (either active/active or active/standby), a row for the HA group is displayed with the collective details of its devices. When expanded, all the gatekeepers in the HA group are displayed.
The Scan button is placed in the HA group's actions menu instead of on the individual gatekeepers in the group.
Upon clicking the HA group name, the user is redirected to a new Gatekeeper home page that includes Summary, Managed Devices and Unmanaged Devices tabs.

Summary Tab: Consolidates key information about the HA group, offering insight into system health, connectivity and security status. It contains the following sections:

  • General: This section displays the HA group's name, the operating system (OS) of its gatekeepers, and their respective architectures. It also provides the last check-in timestamp, showing the most recent heartbeat among all gatekeepers, alongside their location details.
  • Interfaces: This section lists the WAN Virtual IP(s) and LAN/VLAN Virtual IP(s), ensuring users can quickly verify network connections and configurations within the HA group.
  • Devices: Users can view interactive graphs representing the count of managed and unmanaged devices connected to the gatekeepers. These graphs are clickable, allowing deeper analysis of device presence and security monitoring.
  • Gatekeeper & Firewall: This section provides key insights into the HA group's security posture.
    • Displays the number of active and absent gatekeepers.
    • Shows the minimum version among active gatekeepers, ensuring version consistency across the network.
    • Indicates firewall synchronization status, confirming whether all active gatekeepers' policies are aligned.
  • DHCP & High Availability: These sections mirror the information displayed on an individual Gatekeeper home page, ensuring visibility into DHCP configurations and HA status across the entire group.

Why this matters: Grouping HA gatekeepers in the UI enhances clarity and efficiency by providing a holistic system view rather than fragmented details.

Breach Impact Score

What to expect: The Breach Impact Score calculation has been updated. Previously, assets with no vulnerability information received a default non-zero value, which lowered their overall score. In this release, vulnerability data affects the Breach Impact Score only when actual vulnerability information is available for an asset. For more details about the Breach Impact Score and its contributing factors, please refer to the product documentation here: Breach Impact Score.

Armis Integration

What to expect: Integration with Armis for Operational Technology (OT) devices. The Armis Centrix Platform integration enables the import of critical telemetry data, including vulnerabilities detected on OT devices.

Why this matters: This integration enhances visibility and security by enabling enterprises to monitor asset vulnerabilities in real time. The Xshield platform can now calculate accurate Breach Impact Scores for OT devices and assist in isolating vulnerable devices through micro-segmentation policies.


Agent Updates

Support for RHEL 6.10

What to Expect: The Xshield platform adds support for legacy RHEL 6.10 operating system.

Why this matters: Legacy operating systems are end of life (EOL) and no longer receive support, in particular critical security patches. This leaves the applications running on these operating system versions exposed to lateral movement. With agent support for this operating system, the Xshield agent can configure and manage the host firewall (iptables) to prevent lateral movement.

Multiple Proxy support

What to Expect: The Xshield agent can be configured with multiple proxy servers. If the agent cannot establish communication through the first proxy (due to unreachability or failure), it will automatically attempt to connect using the next configured proxy. This sequence continues until communication is successful or all proxies are exhausted.

Why this matters: This failover mechanism increases reliability by ensuring that the agent can maintain connectivity to the Xshield platform even if one or more proxy servers are unavailable.

Automatic Proxy bypass

What to expect: If the configured proxies are unreachable, or if only one proxy is configured and it becomes unavailable, the Xshield agent attempts a direct connection to the Xshield platform, bypassing the proxy altogether.

Why this matters: This feature ensures uninterrupted communication with the Xshield platform even when proxy infrastructure fails, helping to keep assets continuously synchronized.
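The proxy failover sequence and the automatic direct-connection bypass from the two sections above, as one added example that is not Xshield's agent code. The network step is replaced by a pluggable `attempt` callable so the logic runs offline; the proxy names and the simulated reachability are constructed.

```python
# Added example (not Xshield's agent code): ordered proxy failover followed by an
# automatic direct-connection bypass. The connect step is a pluggable callable so
# the control flow runs offline; proxy names and reachability are constructed.
from typing import Callable, List, Optional, Sequence, Set, Tuple

Route = Optional[str]              # proxy as "host:port", or None for a direct connection
Attempt = Callable[[Route], bool]  # returns True on success, False if refused, raises OSError if unreachable


def connect_with_failover(proxies: Sequence[str], attempt: Attempt) -> Tuple[Route, List[Tuple[Route, str]]]:
    """Try each configured proxy in order; when every proxy fails (or none is
    configured) try a direct connection. Returns (route used, failed attempts)."""
    failures: List[Tuple[Route, str]] = []
    for route in [*proxies, None]:        # configured proxies first, then the direct bypass
        try:
            if attempt(route):
                return route, failures
            failures.append((route, "connection refused"))
        except OSError as exc:            # unreachable host, DNS failure, timeout
            failures.append((route, str(exc)))
    raise ConnectionError(f"no route to the platform; attempts: {failures}")


def describe_route(proxies: Sequence[str], attempt: Attempt) -> str:
    """Human-readable outcome: 'proxy:<host:port>', 'direct' or 'failed'."""
    try:
        route, _ = connect_with_failover(proxies, attempt)
    except ConnectionError:
        return "failed"
    return "direct" if route is None else f"proxy:{route}"


def simulated_attempt(reachable_proxies: Set[str], direct_allowed: bool) -> Attempt:
    """Stand-in for the agent's connect step: listed proxies succeed, other proxies
    raise OSError, and the direct route succeeds only if direct egress is allowed."""
    def attempt(route: Route) -> bool:
        if route is None:
            return direct_allowed
        if route in reachable_proxies:
            return True
        raise OSError(f"{route}: no route to host")
    return attempt


PROXIES = ["proxy-a.corp.example:3128", "proxy-b.corp.example:3128"]   # constructed

if __name__ == "__main__":
    print(describe_route(PROXIES, simulated_attempt({PROXIES[1]}, False)))   # proxy:proxy-b.corp.example:3128
    print(describe_route(PROXIES, simulated_attempt(set(), True)))           # direct
    print(describe_route(PROXIES[:1], simulated_attempt(set(), True)))       # direct (single proxy down)
    print(describe_route(PROXIES, simulated_attempt(set(), False)))          # failed
```

The failure list returned alongside the route is the detail an operator wants when troubleshooting: it records which proxies were tried and why each was skipped before the agent fell back to the next one or to the direct connection.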


UI/UX Updates

Filter edits shortcut

What to expect: The Xshield Platform allows filter edits by automatically expanding the filter criteria when the user clicks the selected filter chip. This applies to every page where filters can be applied.

Why this matters: The new feature allows for making faster changes to the filters by reducing the steps required to edit the filters.

Other Enhancements in UI & UX

  • The status indicators (Critical, High, Medium, Low and Unknown) are redesigned as pills and are consistent across the platform.
  • When filtering by the status badge on any page, the status badge(s) in the column are highlighted to indicate the selection.
  • Reduced visual clutter by separating the search box from the action buttons on the manage templates, manage named networks and assign template pages.
  • The complete name and version of the operating system is displayed, for example Windows Server 2016 or Ubuntu 20.04 instead of Windows or Linux. This requires an upgrade to the latest agent version.
  • A Firewall sync status column has been added to the CrowdStrike segments page and to the asset details page, indicating the firewall status.
  • An Agent version column has been added to the assets page for quick reference.

Asset details updates

  • Serial number and Version are removed from core tags and are no longer shown on the asset details page.
  • The asset details page displays the complete OS with version (e.g. Windows 11 Pro or RHEL 8.4 instead of Windows or Linux).
  • Filter pop-over menu:
    1. "Serial Number" is moved from the Tags facet to the Asset facet.
    2. "Version" is renamed to "Kernel version" and moved from the Tags facet to the Properties facet.
    3. "OS version" is added to the Properties facet.
    4. A new "Serial Number" column is added to the assets page.

Xshield Utility

Xshield Utility section added to documentation

What to expect: The XshieldUtil is a Python-based SDK tool that the Xshield operator can use to automate several otherwise manual functions without the UI, which is especially useful in large-scale environments. We have added a new documentation section for the XshieldUtility, updated the help section within XshieldUtil, and added a comprehensive list of the operations that can be performed from it.
For more information on how to set up the utility and its available options, please refer to the Xshield Utility guide here: Utility Setup Guide.

Why this matters: This enables operators to automate and scale Xshield operations efficiently without relying on the UI, saving time and reducing manual errors.

Download configuration file for XshieldUtil

What to expect: Operators can now download a config.yaml file for XshieldUtility that is specific to their tenant, with the tenant's attributes pre-filled. This saves the operator from navigating to different pages in the tenant to gather the information needed to configure XshieldUtility.

How to download: Navigate to Settings in the sidebar, select API keys & download the config.yaml file from the respective fingerprint.

Why this matters: This simplifies getting started with the XshieldUtil application and removes a source of configuration errors.

The "private_key_location" parameter in the downloaded config file is left empty; the user must edit it manually to point to the path of the private key.


Resolved Issues

  • Problem: The toggle option for ports was missing when a port was added to the filter via the paths view. It appeared only if the filter was cleared and the port was manually searched again in the port filter tab.
    Resolution: The toggle option had been removed when the advanced filter was introduced for ports. This has been fixed.

  • Problem: The Xshield UI displayed an incorrect asset count on the dashboard, for example showing "2k" instead of the more accurate "1.5k" for 1519 assets, causing confusion among customers.
    Resolution: Asset counts will be rounded and formatted consistently across the platform with one decimal point (e.g., 1.5k when there are 1501-1599 assets), dropping ".0" when applicable (e.g., 44.0k → 44k).

  • Problem: Citrix VDI assets went offline after a system reboot.
    Resolution: The service disable command in registerAgent.ps1 was incorrectly formatted, causing failures on Windows Server 2016. Additionally, the agent registration failed because it was triggered immediately after service deletion. The fix corrects the disable command and adds a 90-second delay post-deletion to ensure the service state is properly updated.

  • Problem: IPv6 and APIPA subnet traffic was dropped in simulation mode. This traffic should have been allowed, as Xshield does not explicitly support IPv6-based segmentation.
    Resolution: The Xshield agent has been updated to allow all IPv6 and APIPA subnet traffic in both enforced and simulation mode. Support for segmenting this traffic will be available in the future.