What's New at Nile
From powering Black Hat MEA 2025 for more than 40,000 attendees with zero reported incidents, to blocking more than 1 million targeted attacks at Wild West Hackin' Fest, to presenting at Mobility Field Day 14, the past several months have demonstrated what a secure-by-design network can achieve at scale. This release builds on that momentum with native CrowdStrike SIEM and Microsoft Global Secure Access integrations, continuous device fingerprinting, identity-based microsegmentation, and a set of Day N operational enhancements in the Nile Access Service. Together, these capabilities strengthen our campus zero trust story and advance our mission of delivering secure, autonomous networking powered by Nile Experience Intelligence (NXI).

Campus Zero Trust — Nile Trust Service Enhancements

| # | Category | Feature Title | Feature Capability | Outcome |
|---|---|---|---|---|
| 1 | SIEM Integrations | CrowdStrike SIEM Integration for Alerts, Audit Logs, and End User Device Events | Nile Portal now supports native integration with CrowdStrike SIEM, allowing administrators to configure a secure connection (e.g., OAuth or API key) and select which topics to stream: • Alerts • Audit logs • End user device events, such as connection, disconnection, authentication, DHCP, and DNS. Data is streamed in JSON format, with built-in performance and scalability considerations. It also outlines supported event volumes so customers understand expected capacity. For more details on the data format, please refer to https //docs nilesecure com/nile siem event schema | Nile streams rich network, user, and device telemetry directly into CrowdStrike SIEM, to build a unified view of all security events. This enables faster threat detection, better incident investigations, and simpler operations without custom integrations between Nile and CrowdStrike SIEMs. |
| 2 | SSE Integrations | Microsoft Global Secure Access (SSE) Integration with Nile Trust Service | Nile Trust Service now supports fully orchestrated, redundant IPsec (IKEv2) tunnels from Nile to primary and secondary Microsoft Global Secure Access (SSE) PoPs, leveraging Microsoft APIs for PoP selection and tunnel lifecycle management. This integration automatically provisions tunnels from the zero trust fabric, monitors tunnel health, and performs high-availability failover when necessary. Administrators can map Nile network segments to Microsoft Global Secure Access security segments and have the traffic be inspected by Microsoft's cloud-delivered security stack. | Nile now provides fully automated, redundant IPsec tunnels to Microsoft Global Secure Access, enabling seamless integration with cloud-delivered security. This ensures high availability, automated failover, and consistent policy enforcement by extending zero trust controls to Microsoft’s SSE platform. |
| 3 | Authentication & Identity | After-Hours SSO Session Expiry | Nile now supports per-tenant SSO session timeout configuration, letting each tenant define a maximum SSO session lifetime with a custom value and time unit. Sessions now expire at 01:00 a.m. in the tenant's local time zone on the last valid day — rather than exactly N hours/days after login — ensuring timeouts never land mid-workday or during an active call. | SSO sessions now expire overnight, preventing unexpected disruptions/logouts during the workday or active meetings. This ensures that the user experience is maintained. |
| 4 | Authentication & Identity | SSO-Only Admin Access for Federated Tenants | When SSO is enabled via an external identity provider (IdP), all local admin accounts except the root admin are automatically disabled, and new local admins cannot be created. A warning is shown during setup to highlight this change. | This feature eliminates shadow admin accounts and reduces insider threat risk, ensures compliance with enterprise IAM policies and audit requirements, and gives IT teams a single control plane for access governance. |
| 5 | Authentication & Identity | Continuous Device Fingerprinting & Device Integrity | Nile can now continuously fingerprint connected devices, tracking attributes such as device type, operating system, manufacturer, and model over time. When a device’s fingerprint deviates from its learned baseline, the system generates security telemetry, including alerts and device events, and can optionally place the device into a denied or restricted state based on policy. Flexible matching logic allows organizations to treat benign changes—such as firmware updates within the same device family—differently from higher-risk identity changes. For example, if a device previously identified as a specific IP phone model suddenly appears as a different model or device type, the system can flag the change as suspicious. For environments requiring stricter controls, administrators can enable exact-match enforcement, ensuring that any deviation from the original device fingerprint triggers policy actions. | Continuously fingerprints devices and detects deviations from their baseline, generating alerts and optionally enforcing restricted or denied access. This enables adaptive, policy-driven security—distinguishing benign changes from suspicious ones—and strengthens zero trust enforcement across the network. |
| 6 | Micro-Segmentation | Identity-Based Micro-Segmentation: Safer Access for Users, Devices & Apps | The enhanced Nile Trust Engine delivers full identity-driven zero trust across the campus, enforcing least-privilege policies for all traffic directions—east–west, north–south, and internet—using identity-based user, device, and application groups with customizable service profiles per traffic flow. Policies support allow, deny, or upstream forward actions and are enforced natively within the zero trust fabric, with all traffic denied by default until explicitly permitted. In addition, Nile Trust Service performs agentless device validation for IoT/OT devices using SNMPv3, SSH, and HTTP/HTTPS. Administrators define validation policies within device groups based on MAC/OUI or fingerprint match criteria, along with credentials and check intervals (defaulting to one hour). Devices that pass are classified into the appropriate group, while those that fail are automatically quarantined—ensuring that non-user devices such as cameras, printers, and other IoT endpoints meet corporate security requirements without requiring agents. For more details, refer to https //docs nilesecure com/nile trust service | Full identity-driven zero trust across the campus, enforcing granular, least-privilege policies for all traffic—east-west and north-south, including internet access. This provides precise control, stronger security by default deny, and flexible policy enforcement directly within the network fabric. |

Day N – Operational Efficiency Enhancements in Nile Access Service

| # | Category | Feature Title | Feature Capability | Outcome |
|---|---|---|---|---|
| 7 | Security & Authentication | MAC Authentication Rules Based on Switch Hostname and Port | Nile's Access Service now supports a new MAB rule type that matches on switch hostname and port — in addition to the existing fingerprint and MAC-based rules — allowing administrators to assign segments based on where a device is connected. | Devices can now be segmented based on where they connect (switch and port) in addition to the existing identity or MAC-based access, enabling reliable access control even when identity is unknown. This simplifies onboarding, reduces operational overhead, and provides location-based security context. |
| 8 | Security & Authentication | MAC Authentication (MAB) — “Waiting for Approval” Dashboard Indicator | On the Nile Portal dashboard, an icon shows the number of wired devices pending MAB approval. It acts as an alert and is clickable, taking admins directly to a filtered view where they can approve devices. | IT teams get a Nile Portal alert of unapproved MAB devices, making it easy to identify pending device backlogs. They can quickly approve or investigate devices, reducing overhead and streamlining wired onboarding and troubleshooting. |
| 9 | Security & Authentication | UPSK SSID with Multiple Segments Support | A single UPSK SSID can now map to multiple segments—similar to 802.1X—enabling identity-based segmentation on the same SSID. | A single UPSK SSID now supports multiple segments, enabling role- and device-based segmentation without the RF overhead of multiple SSIDs. Different departments or device types—such as cameras, printers, or Zoom Rooms—can be routed into distinct segments, each with the right policies applied automatically based on the UPSK used. This simplifies WLAN design and operations while delivering more granular, scalable, and identity-based access control. |
| 10 | Wireless & RF | Nile Mesh Support for Extending Wireless Access | Nile has added support for Wi-Fi AP-to-AP mesh capability for distances up to 100 ft between the root AP and mesh point AP. Customers do not have to configure a dedicated SSID for mesh, and Nile takes care of auto-forming the mesh link. Note: The mesh support entails extending the Wi-Fi access coverage up to a short distance and does not support or act as a point-to-point link. For more details, refer to https //docs nilesecure com/nile mesh | Nile now supports AP-to-AP mesh, automatically extending Wi-Fi coverage over short distances without requiring cabling. This simplifies deployments in hard-to-wire areas while maintaining seamless connectivity. |
| 11 | Wireless & RF | Support for 6GHz Standard Power on Nile WiFi6E/WiFi7 APs Using AFC | Nile has added support for 6GHz standard power by getting certified for AFC in the USA. This allows Nile to plan a deployment with standard power on 6 GHz, where low-power indoor mode may fall short on providing the coverage needed. Nile automatically determines the need for standard power based on site survey data uploaded to the Nile cloud by partners and/or customers, and enables AFC seamlessly and allocates standard power levels across APs on the 6GHz band. | Supports 6GHz standard power with AFC, enabling stronger coverage where low-power indoor modes fall short. This allows optimized, survey-driven deployments with automatic power allocation—improving performance and coverage without manual tuning. |
| 12 | Wireless & RF | Rogue AP Detection — Ability to Mark End Devices as Ignore from WIDS | Nile now provides the ability to mark end device MAC addresses as safe to avoid WIDS rogue AP alerting on admin-approved devices. For more details, refer to https //docs nilesecure com/widswips#excluding trusted device from wids | Mark approved device MAC addresses as safe, preventing unnecessary rogue AP alerts to reduce false positives and improving the accuracy of WIDS-based threat detection. |
| 13 | Troubleshoot | Wired and Wireless Packet Capture Support in Nile Portal | Nile now offers packet capture as a built-in troubleshooting capability directly within the Nile Portal. Administrators can initiate packet captures from the AP details page to capture over-the-air traffic observed by that access point. For wired clients, administrators can run per-port packet captures from the switch details page. They can also initiate packet captures from Device → Run Test, which defaults to the client’s MAC address as the primary filter, with optional filters such as packet count, protocol (TCP/UDP), and port. | IT teams can capture packets directly from the portal for both wired and wireless devices. This accelerates root cause analysis and enables faster resolution of complex endpoint connectivity issues. |
| 14 | Visibility & Monitoring | End Device Inventory & Tagging | Nile now surfaces client descriptions from the Access Management tab as tags on the Devices page. When administrators add a description under Access Management → Clients, it appears as a tag on the wired device details page. Note that this currently applies to wired devices only — wireless clients are not yet supported. This provides a simple way to label and identify important wired endpoints, such as key servers, across sites without duplicating information. | Tag and group important devices using simple human-readable labels that carry across views. This improves visibility and audits, especially in large, geographically distributed environments. |
| 15 | Visibility & Monitoring | Floor Map with AP Location in the Device Inventory Page | In the device inventory, selecting an AP's location details—such as its site, building, or floor—will navigate you directly to the corresponding floor map view. | AP location attributes (site, building, floor) in the device inventory enable direct navigation to the floor map view. This provides faster visual context and simplifies troubleshooting and location-based analysis. |
| 16 | Operations & Reporting | Exportable Network Summary Reports | Network Summary page in Nile Portal now includes an export option that lets any user who can view the page download the full summary for offline analysis and reporting. The exported file reflects the same scope, time window, and filters as the on-screen view, so what is downloaded matches exactly what was visible in the Network Summary UI at the time of export. | Network and security teams can quickly generate shareable network summary reports from the Nile Portal for leadership discussions, audits, and capacity reviews — without rebuilding views or copying data manually. |
| 17 | | Ability to Customize the Nile Device Hostname | Network teams can now assign custom, intuitive names to Nile devices — typically reflecting device location — directly from the Nile Portal via Global Settings > Device Inventory. Simply select an AP or switch and customize the device name to align with your operational naming conventions. For more details, refer to https //docs nilesecure com/custom hostname for nile elements | Improves operational clarity, making it easier to identify devices by assigning intuitive, location-based names to APs and switches directly from the device inventory. |
| 18 | Integrations | Forescout App Integration with Nile Portal | Nile now provides a Forescout app integration, exposing a public client list API that gives Forescout real-time programmatic access to the same device inventory shown in the portal. The API supports site and time-window filters and honors both basic and advanced client filters, returning exactly what operators see in the UI via a consistent REST interface. | With the Forescout integration, security and IT teams get a real-time, complete view of all devices across the network and can build automated workflows to quarantine devices that do not meet corporate standards. The device posture can be continuously assessed and enforced automatically using Nile's MAB table, enabling faster response, stronger policy enforcement, and reduced operational overhead. |

Nile DHCP Service Enhancements

| # | Category | Feature Title | Feature Capability | Outcome |
|---|---|---|---|---|
| 19 | DHCP Options | PXE Boot Support in Nile DHCP | Nile DHCP service now supports PXE boot using DHCP options 66 and 150, allowing IT admins to configure the PXE/TFTP “next server” on a per-subnet range basis. When these options are set, Nile automatically advertises the correct next-server IP address so PXE clients can fetch boot files from the intended PXE server. | DHCP service now supports PXE boot by automatically providing the correct next-server information per subnet. This enables seamless zero-touch device provisioning workflows. |

Nile Alerts Enhancements

| # | Category | Feature Title | Feature Capability | Outcome |
|---|---|---|---|---|
| 20 | Link & Network Health Monitoring | Uplink Saturation Alerts for Nile Fabric Upstream Devices | Nile Access Service now generates a customer-visible “Uplink Saturated” alert when a Nile gateway switch's uplink to the router or firewall approaches full capacity for a sustained period. The alert appears under Nile Infrastructure and clearly identifies the affected link, including switch name and serial number, uplink port, peer device/port via LLDP, site/building, duration, maximum bandwidth, and observed utilization. Notifications—via email, webhook, or other channels—deliver the same detailed information, enabling customers to troubleshoot directly from their own monitoring and automation tools. | Alerts customers when uplinks approach sustained saturation, providing detailed, actionable context on the affected link. This enables faster troubleshooting and proactive capacity management to prevent performance degradation. |
| 21 | Link & Network Health Monitoring | Link Speed Degradation Alerts for Nile Gateways and ISP Connections | Nile Access Service now detects when critical links renegotiate to a speed lower than their provisioned capacity, including AP-to-switch, switch-to-switch, and Nile gateways to ISP (DS-to-ISP) uplink connections. When this occurs, Nile raises an infrastructure alert titled “Link operating with lower than provisioned speed”, providing detailed context such as the affected devices and ports, site, building, floor, and the duration for which the link has been in a degraded speed state. Notifications reuse this context so IT teams can act directly from email or webhook payloads. | Faster identification and resolution of performance issues, helping maintain network reliability and capacity by proactively detecting when critical links drop below their expected speed and alerting teams with detailed, location-aware context. |
| 22 | Link & Network Health Monitoring | AP Capacity Exceeded Alert for Overloaded Wi‑Fi Radios | Nile now generates a new “AP association exceeded recommended threshold” alert when a Wi-Fi radio sustains more than 40 associated clients and channel utilization above 80% over a 3-minute rolling window. Each incident includes detailed diagnostics to help operators investigate the condition. This includes client association counts per band and radio over the preceding 10 minutes, NSS statistics, TX/RX byte counters at the AP, and AP channel utilization—providing the context needed to validate and respond to the alert. | Proactively detects Wi-Fi congestion by alerting when APs exceed recommended client and utilization thresholds. With built-in diagnostics and historical context, teams can quickly validate issues and take action to maintain performance and user experience. |
| 23 | Link & Network Health Monitoring | Zscaler ZIA Tunnel Health and Bandwidth Alerts | Nile now provides customer-facing alerts and notifications for Zscaler SSE integration. If a tunnel goes down, Nile generates an “SSE Tunnel Down” alert in the portal and sends notifications via supported channels such as email, webhooks, and Slack. Alerts appear under a new Integrations category and include details on the affected cloud provider, site/building, outage duration, and a direct link to the relevant policy. Nile also monitors tunnel utilization. When a tunnel exceeds 90% bandwidth, it raises an “SSE Tunnel Bandwidth Threshold Reached” alert, providing capacity metrics and a link highlighting the top five devices contributing the most traffic. | Nile now provides real-time alerts for Zscaler SSE integrations, notifying teams of tunnel outages and high utilization with detailed context. This enables faster issue resolution and proactive capacity management, ensuring reliable and secure traffic inspection. |
| 24 | Alert Management | Alert Severity in Notifications and Integrations | Nile now includes a clear alert severity level in every notification. Email alerts, chat-style messages (e.g., Slack/Teams), webhooks, and SIEM integrations all carry a numeric severity field from 0–5 (Critical (0) → Informational (5)). If a severity is not explicitly set for an alert, it defaults to 3. In user-facing notifications, this appears immediately after the impact line (for example, “Severity 2”), so teams can quickly understand how urgent an issue is across all channels. | Teams can quickly assess the urgency of issues across all channels, enabling faster prioritization and response. This is enabled by adding a standardized severity level (0–5) to all alerts and notifications, consistently displayed across email, chat, webhooks, and SIEM integrations. |
| 25 | Alert Management | Webhook — Enhanced JSON Payload and Test Button | Nile has enhanced the JSON payload for alert notifications sent as webhooks to customer IT ticketing systems. The JSON body now includes separate fields for device type and serial number, as part of the newly introduced device entity. Additionally, customers will be able to test the webhook connectivity when configuring the webhook itself with the newly introduced 'Test' button in the Nile Portal webhook settings cards. For more details, refer to https //docs nilesecure com/webhook enhancements | Webhook alert payloads now include richer device details (type and serial number) and a structured device entity, improving integration with IT systems. The new “Test” capability simplifies validation, ensuring reliable webhook connectivity and faster setup. |

Nile Guest Service Enhancements

| # | Category | Feature Title | Feature Capability | Outcome |
|---|---|---|---|---|
| 26 | Guest Access Control | Configurable Session Timeout for Employee Self‑Approved Guest Access | Nile's guest portal supports an email approval flow where a connecting user enters their name, email, and a sponsor's name and email to request network access. For employees using self-approval — where they act as both the guest and the sponsor — administrators can now configure an employee timeout that controls how long that self-approved session remains valid before re-authentication is required. | Employees using personal devices on the guest network get longer session durations, reducing repeated re-authentication and improving user experience. At the same time, periodic revalidation is maintained—balancing convenience for trusted users with continued security and access control. |
| 27 | Guest Access Control | Geo Scope Selection for Nile Guest | Admins can now scope Nile Guest access by location (site, tag, zone, building, or floor) instead of using a single global configuration. Create guest portals with specific authentication types and map them to defined geoscopes. | Set different guest access policies by location (site, building, floor, zone, or tag), instead of relying on a single global configuration. This enables an enterprise-grade, context-aware guest experience and simplifies policy management across geographically distributed environments. |
| 28 | Guest Access Control | Restrict Guest Sponsors for Email‑Approval | Admins can now restrict guest approval requests to a defined list of designated sponsor email addresses when using email approval, rather than allowing any user with a company domain email to act as a sponsor. This ensures guest access approvals are handled exclusively by authorized teams such as network admins or IT. | Limit guest approvals to a defined set of sponsor email addresses, ensuring only authorized individuals can approve access. This strengthens security controls while streamlining and standardizing the approval workflow. |
| 29 | Authentication | SMS Authentication for Nile Guest Service | Admins can now enable SMS access code as a guest authentication method in the Nile Portal. Guests enter their phone number with country code, receive a one-time code via SMS, and use it to connect. | Nile provides fully managed SMS-based guest access, removing the need to manage SP vendors, regulations, or phone number provisioning. This enables seamless, global guest onboarding with zero operational overhead for IT teams. |
| 30 | API | Guest Access Code API Support | Nile Guest Service now supports generating and managing guest access codes via API, enabling admins and external systems to programmatically create, update, and delete guest codes at scale. This supports both shared codes (reusable by any guest during a configured validity window) and guest-specific codes (bound to an individual guest's name and email). | Guest access codes can now be created and managed via both UI and API, with full audit tracking for all actions. This enables a scalable, automated guest onboarding experience without the complexity of a PSK authentication approach. |

Nile Nav App Enhancements

| # | Category | Feature Title | Feature Capability | Outcome |
|---|---|---|---|---|
| 31 | Integrations | Site Discovery Enhancement: Hamina Integration with Nile Nav | Nile Site Discovery now integrates natively with Hamina, streamlining the wireless design workflow from survey to deployment. Once a Hamina survey is complete, simply export the design in Open Intent format (File → Export → To File) and upload the zip file into your Nile site survey job. Nile ingests the Open Intent output via API into Nile Nav, importing key RF design details including wall attenuation, map scale, AP and sensor locations, predicted signal strength, power levels, antenna height and tilt, and ceiling type. This data is then used to automate BOM creation and coverage analysis — consistent with the existing Ekahau integration experience. | Faster, more accurate wireless design and deployment with reduced manual effort, enabled by Nile’s native integration with Hamina to ingest survey data and automate BOM creation and coverage analysis. |
| 32 | Enhancements | Independent Installers Onboarding | For installer and MSP tenant types, Nile now supports onboarding user accounts with personal email domains (for example, gmail.com, outlook.com, icloud.com), under explicit administrative control. Under Global Settings → Domains, the root admin can enable “Allow external/personal emails” for a tenant, explicitly accepting liability for the use of these accounts and their impact on the tenant’s security posture. Once enabled, only the root user can create or update external users for that tenant, and those users must be members of the installer group. Standard domain verification checks remain enforced for normal tenants; this relaxation is scoped strictly to installer/MSP environments and does not apply to customer login flows. | Partners and installers can use their existing email identities across multiple tenants, simplifying access and reducing onboarding friction. At the same time, built-in controls ensure governance, accountability, and security remain fully intact. |

New Premium Nile Services

| # | Category | Feature Title | Feature Capability | Outcome |
|---|---|---|---|---|
| 33 | Nile Cloud RADIUS | Nile Cloud RADIUS | Nile RADIUS delivers cloud-native authentication and authorization as a fully managed service, eliminating the need for on-premises NAC appliances. All communication between Nile infrastructure and the RADIUS service is encrypted over secure gRPC tunnels, with no additional configuration of shared secrets, NAS IPs, or RadSec required. EAP-TLS (certificate-based authentication) is supported today, with additional EAP methods coming in future releases. Nile RADIUS integrates natively with Microsoft Entra via SCIM for dynamic identity sync and with Microsoft Intune for device compliance enforcement. Policy actions include accepting or rejecting access, assigning users to specific network segments, or applying Palo Alto tags for firewall integration. The service is highly available, auto-scaling, and monitored continuously — with detailed authentication logs available per device. For more details, refer to https //docs nilesecure com/nile radius | Customers can offload RADIUS authentication to Nile’s cloud service, eliminating on-prem infrastructure and simplifying secure 802.1X adoption. This delivers a unified, scalable authentication-to-authorization workflow with higher reliability, lower operational overhead, and consistent access control across the network. |
| 34 | Nile Edge Service | Nile Internet Gateway (IGW) | Nile Edge Service extends the Nile Access Service to provide secure internet and cloud connectivity for offices without requiring separate SD-WAN appliances, firewalls, or routers at each site. It transforms Nile distribution switches into managed internet gateways with built-in NAT, stateful firewall, DoS/DDoS protection, and LTE-based disaster recovery to ensure uninterrupted connectivity, all monitored and managed through the familiar Nile Portal. With the initial release, Nile supports the Virtual Internet Gateway (VGW) role on NSW250 switches, enabling smaller sites to achieve secure internet breakout without additional hardware. The functionality will be enabled automatically by the system if the customer has subscribed to the Nile Edge Service. | Secure internet and cloud connectivity is delivered without separate SD-WAN, firewall, or router appliances—reducing cost and simplifying branch architecture. This is enabled by extending Nile switches into managed gateways with built-in security, NAT, and resilience for smaller sites. |
