DEC OpenUTM is a complete UTM appliance on its own. The plugin ecosystem is how we extend it — first-party commercial plugins that add platform-specific capability, and community plugins that broaden coverage. Every plugin is signed, auditable, and drops into the same rule-explanation and policy-engine pipeline that the core appliance runs on.
Premium SKUs that run on top of OpenUTM Professional or higher. Each is available standalone or bundled.
Reads configurations from Astaro UTM, OPNsense, pfSense, Palo Alto PAN-OS, Sophos XGS, Cisco ASA, FortiGate, and firewalld — translates the rules, objects, NAT, and routing into the target platform's syntax while preserving intent, and emits a deploy-ready configuration plus a verification report.
Automates IPv6 rollout alongside existing IPv4: address-plan generation, prefix delegation, RA / DHCPv6 policies, dual-stack NAT64 / DNS64, firewall-rule mirroring across v4 and v6, and drift detection so the two stacks stay in step as the network changes.
Ingests paid threat-intel feeds (CrowdStrike, Recorded Future, Mandiant, Cisco Talos enterprise tiers) and translates indicators into OpenUTM block-lists, IDS signatures, and reverse-proxy WAF rules — with automatic de-duplication and age-out.
Reads configurations from upstream perimeter firewalls and host-level ACLs across the environment. Scores posture against CIS benchmarks and NIST 800-53 controls, surfaces drift between declared policy and observed state, and feeds findings back into the OpenUTM policy engine.
Turns a federation of OpenUTM appliances into an SD-WAN fabric: path selection, application-aware steering, WAN-link SLA monitoring, automatic failover between IPsec / WireGuard / MPLS underlays. Works alongside NIVMIA's multi-vendor SD-WAN plugin so the fabric can span DEC gateways and third-party SD-WAN edges.
Fronts internal applications with an identity-aware proxy: OIDC / SAML / device-posture checks, per-request authorization, session recording for privileged access. Replaces a separate ZTNA product for teams that already run OpenUTM at the edge.
Free, open-source, first-party. Ship with every edition including Community.
The core rule-explanation engine exposed as a reusable plugin hook. Any rule in any layer — packet filter, NAT, WAF, reverse-proxy — can be queried for a human-readable rationale plus the history of who added and last touched it.
Exposes FRR routing state as Prometheus metrics and structured events: neighbor status, route-table size, flap counts, withdrawn routes. Drops into any dashboarding stack — no dashboard prescribed.
Unified view across IPsec, WireGuard, OpenVPN, Tailscale, and custom-SSL VPNs. Shows who is connected, from where, via which protocol, how long, and what they're reaching — without terminating TLS.
Unifies Kea DHCPv4 / DHCPv6 and BIND9 DNS so reservations, forward, and reverse records are authored together. Eliminates the common failure mode where DHCP and DNS drift out of sync after subnet changes.
Drives HAProxy from the same policy engine that authors firewall rules, so “allow clients to reach the API” becomes one declaration that provisions the firewall, the NAT, and the load-balancer together.
Continuously compares the live nftables / FRR / HAProxy configuration against the declared policy. Flags manual edits, vendor-driven changes, and post-incident band-aids that were never rolled back.
OpenUTM exposes a signed-plugin SDK so customers can extend the policy engine, add inspection modules, or integrate bespoke threat feeds without forking the appliance. Plugin manifests, signing keys, and the audit pipeline are documented in the Developer Handbook shipped with every Professional+ license.
Every plugin on this page runs through the same policy engine and audit trail as the core appliance — no second-class citizens, no sidecar products that drift out of compliance.