We are thrilled to announce the release of NSO 6.5, a short-lived release packed with exciting new features and enhancements. We would like to highlight the key innovations and improvements that make this release a significant milestone.
Summary
- Improved interoperation in the face of out-of-band changes
- Policy-defined handling and protection of services
- Support for installing NSO in a FIPS 140-3 compliant mode
- Enhanced UI experience of package handling, alarm management and compliance reporting in the NSO Web UI
- Support for YANG-Push subscription over RESTCONF
- Added and extended support for generating templates based on device configuration
- A label and comment can now be specified as commit parameters and be propagated down to the devices where applicable
- Enhanced device auto-configuration with improved reliability
Brownfield Service Protection and Out-of-band Interoperation
NSO now supports a new confirm-network-state commit mode for improved interoperation in the face of out-of-band changes. Using this commit mode, it is now possible to avoid provisioning pre-checks and pre-provisioning sync-from operations, even if there are out-of-band changes on NSO-managed devices.
Additionally, NSO introduces support for policy-defined handling of configuration data that overlaps with NSO-configured services. This eases coexistence with other controllers and protects already provisioned services from unwanted modification.
FIPS Support for NSO Installs
In NSO 6.5, we are introducing support for installing NSO in a FIPS-compliant mode. With this update, you can now install (or upgrade) NSO in the usual standard mode or in a more targeted FIPS mode to meet the specific crypto requirements of the FIPS 140-3 standard in your organization. Bear in mind that FIPS mode targets a very specific use case and should only be used in FIPS-restricted setups.
Continued Enhancements in the NSO Web UI
This release brings more improvements to extend the design and functionality of the NSO Web UI. This time, we have implemented substantial new updates in the Web UI tools, namely the Package Manager (now called Packages), Alarms, and Compliance Reporting. More specifically:
- The Packages tool now benefits from an all-new design coherent with Cisco's design philosophy. It also includes new feature updates to handle package management in the Web UI in a more detailed and appealing manner.
- The Alarms tool now offers a vastly updated design as well as improved functionality to handle NSO alarms. Users will see enhancements in the information and options to interact with alarms.
- New improvements have also been made in the Compliance Reporting tool to offer more visual details via graphs in report results.
Support for RFC 8650 (YANG-Push over RESTCONF)
NSO now implements RFC 8650, "Dynamic Subscription to YANG Events and Datastores over RESTCONF". This update enables subscribed notifications and YANG-Push functionality for RESTCONF. Note that subtree filtering and JSON format are not yet supported and are planned for a future release.
Compliance Templates Checks for Operational Data
Support has been added in compliance templates to read the live status of devices. This feature is optional and requires opting in. To activate this functionality, NEDs must be recompiled using the new ncsc flag --ncs-with-operational-compliance.
Template Creation Enhancements
Added and extended support for generating templates based on device configuration structures:
- New Action: /devices/create-template enables creation of device templates from user-defined config paths.
- Extended Action: /compliance/create-template now supports generating compliance templates from specified config paths.
- New Action: /services/create-template allows creation of service templates and infers a resource-facing service model from config path structures. Outputs include the template and service model, optionally exportable as a service package.
Unified Label for Commit
This release adds label and comment as commit parameters across all northbound interfaces and selected actions. These parameters will appear in rollback files, be propagated through the NSO cluster, and be applied to devices where needed.
This update removes the need for the tag parameter in the commit queue, with label now serving as the primary method for event correlation. The label parameter will replace commit-queue/tag in all northbound events, allowing for better event tracking across NSO nodes.
Enhanced Device Auto-Configuration with Improved Reliability
The device auto-configure feature in NSO is now more robust and reliable, with enhanced retry mechanisms to handle common deployment challenges. This update ensures smoother and more successful device onboarding in a wider range of network environments.
The auto-configure process now automatically retries in scenarios where:
- The device requires a commit operation before configuration can be copied.
- The device is unreachable.
- Concurrent auto-configuration processes are running for other devices.
Other Noticeable Enhancements
Apart from these highlights, we have also completed some other noticeable enhancements:
- NSO has added support for OpenSSL 3.0 in this release. Accordingly, the Cisco SSL library has been updated to version 3.0.15.8.0.221 (ciscossl-3.0.15.8.0.221).
- NSO is now installed with the --run-as-user option for build and production containers to run NSO from the non-root nso user.
- Added new ncs.conf configuration to modify read-set and write-set size limits for transaction checkpoints.
- NSO supports serving web traffic from multiple domains and IP addresses. In addition, by default the web server refuses to serve requests to other domain names and addresses, so that the system is not exposed to redirect-related attacks.
- NSO now supports the option to use SFTP to transfer files between NSO and devices in addition to SCP.
- SSH connections made by the built-in NETCONF client are now logged in the device and cluster traces. The log entries include details of successful connections, errors when establishing SSH connections, and the reason an SSH connection was terminated.
- New methods have been added to the MAAGIC Python API making it possible to set large amounts of data using an XML document as input.
- Each modified path in the schema diff for packages reload and device migrate actions now contains a list of all modifications done to the node. This includes all added, removed, or modified constraints, for example, when or must expressions.
- Added CLI functionality to display dry-run output and prompt the user to confirm before the commit operation and selected actions.
- The JSON parser has been improved from a non-streaming model to a streaming one. This reduces memory usage, especially for large inputs.
- Improved execution of configuration changes when using the CLI on a subset of devices. An array of keys can be entered, and it is detected as a range.
- Added the ability to select devices using XPath expressions for actions that execute on multiple devices.
Moving forward, we will continue our journey of enhancing the operational performance of NSO in non-traffic areas such as start-up time, upgrade, and memory efficiency. We will also work on long-awaited features such as TLS encryption for rule-based HA, a new configuration editor in the web UI, and improved logging structure.
These and other notable features and improvements will appear in NSO 6.6 (fall 2025). Until then, enjoy all our new additions in the short-lived NSO 6.5 release.