Zerto 10.8: New Features for Cyber Security, Resilience, Interoperability and Simplicity

HPE released a new version of the Zerto software, featuring many new capabilities and improvements. Why does this matter to customers?

  • Compliance with Security Standards: HPE Zerto version 10.8 complies with critical US federal government security standards (FIPS 140-2/3) and has received attestation of compliance from the Cybersecurity and Infrastructure Security Agency (CISA). HPE Zerto helps federal agencies comply with FISMA, DFARS 800-171, NIST 800-53, NIST CSF, CIS Level 1, ISO 27001 & 9001, HIPAA, PCI, and GDPR.
  • Improved Security Posture: From enhanced operational controls to encryption and host attestation, Zerto 10.8 helps customers meet modern security and compliance standards.
  • Cloud Agility & Coverage: Expanded region and OS support in AWS and Azure, plus tools for AWS architecture transition, make cloud DR more scalable and cost-effective.
  • Operational Simplicity: Automated upgrades, centralized logging, and improved UI reduce administrative overhead and provide centralized security oversight.
  • Resilient Recovery: Native integration with CrowdStrike, APIs for a new Integration Hub with third-party cybersecurity solutions, faster recovery from an isolated vault using HPE Alletra immutable snapshots, and improved VRA startup ensure rapid, clean recovery from threats and outages.
  • Future-Ready Architecture: Support for VMware VCF 9.0 and more advanced interoperability options positions customers for hybrid and multi-cloud evolution.

Let’s take a look at each of the new significant capabilities in Zerto 10.8.

Compliance with Security Standards

Compliance with FIPS

HPE Zerto version 10 U8 complies with critical US federal government security standards (FIPS).

Federal Information Processing Standard (FIPS) is a U.S. government standard for cryptography required on federal systems.

With FIPS-validated encryption as of version 10 update 7, HPE Zerto satisfies federal standards for encrypted data, helping to reduce risk across critical IT environments for federal agencies, contractors, and other security-conscious organizations.

CISA attestation of compliance

With the Cybersecurity and Infrastructure Security Agency (CISA) attestation, HPE Zerto formally declares alignment with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) as of version 10 update 8.

This attestation is now required of software suppliers to federal agencies. It affirms that HPE Zerto is developed in accordance with rigorous security practices designed to reduce cyber risk across U.S. government systems and their supply chains.

The SSDF framework outlines best practices that include secure coding, vulnerability management, the implementation of security controls, and the maintenance of a Software Bill of Materials (SBOM).

Broadcom VMware

ICMP Echo (Ping) Management

Starting with Zerto 10.0_U7, Zerto blocked ICMP Echo (Ping) as part of security hardening, reducing the risk of reconnaissance, denial-of-service, and other ICMP-based attacks.

Versions 10.7.20 and 10.8 introduce a new CLI option (Option 10: ICMP Echo (Ping) Management) that enables or disables ICMP Echo as needed.

  • Default: Disabled (recommended for security).
  • Behavior: If re-enabled, a warning message is displayed, highlighting the associated security risks.

This change provides flexibility for users who rely on Ping for diagnostics while maintaining Zerto’s security posture.

Updated Authentication for Zerto Analytics and CloudOps

To enhance security, Zerto has updated the authentication method for Cognito in Zerto Analytics and CloudOps.

Refer to the configuration procedure in the following link:

User Authentication with Amazon Cognito

Host Attestation and VAIO Support for Offline Recovery from a Storage Snapshot (zDriver and VAIO)

Zerto 10.0_U6 and later support offline recovery mode, in which an offline recovery site is used to recover VMs from a storage snapshot. Zerto’s offline recovery mode is designed for fast offline recovery, significantly reducing recovery time (RTO).

This feature is directly associated with the HPE Cyber Resilience Vault and with a safe recovery process inside the Vault Zone.

Host attestation is a security process that verifies the integrity and trustworthiness of a host machine (a computer or server) before it is allowed to interact with sensitive data or workloads. It involves the host proving its secure configuration state, typically through hardware-based measures such as a Trusted Platform Module (TPM).

Implementing host attestation in the Vault Zone ensures a trusted and secure recovery process, safeguarding the Cyber Resilience Vault and enabling reliable, secure system restoration after a cyber incident. It also complies with the vSphere security standards by allowing TPM and Secure Boot on all hosts.

VMware VAIO (vSphere APIs for I/O Filtering) adds a standardized, VMware-endorsed IO filtering layer, and HPE Zerto provides the advanced replication, recovery orchestration, and data protection services.

HPE Zerto now supports host attestation when performing offline recovery from a storage snapshot.

For more details, refer to:

Offline Recovery Process from a Storage Snapshot

Improved Upgrade Process

Zerto now supports an improved upgrade process. The new UI displays a complete manifest of all upgrade steps while highlighting the current step, its status, and the remaining steps. It provides detailed error and warning messages tied to the actual issue and shows the result of the last upgrade attempt.

For more details, refer to:

Upgrading the ZVM Appliance From Version 10.8

VMware Cloud Foundation (VCF) 9.0 Support

Zerto now supports VMware Cloud Foundation (VCF) 9.0 for new deployments, enabling resilient protection and recovery across VMware’s integrated cloud infrastructure.

For more details, refer to:

VMware Cloud Foundation 9.0

Public Cloud

Expanded AWS Region Support

AWS ZCA and ZIC now support the following new AWS regions: Malaysia, Thailand and Mexico.

AWS Launch Template Support

The integration with AWS Launch Templates enables customers to use an existing template to launch an EC2 instance during the recovery process in VPG settings.

During the recovery operation, the selected launch template (if any) will be included in the launch instance request for each recovery VM. You can apply launch templates that set predefined, automatic properties, thereby streamlining failover configuration. This enhancement enables you to quickly and seamlessly use the default configuration, saving time and reducing manual setup.

With Launch Templates, failover instances can inherit consistent metadata, tags, and other configuration options, making your disaster recovery faster, more reliable, and easier to manage.

Currently, some settings, such as networking, storage, AMIs, instance type, and security groups, still need to be configured separately.

For more information about AWS Launch Template, refer to:

Replication to AWS

AWS Consolidation Tool for Single ZCA Architecture Transition

The AWS Consolidation tool assists with transitioning to the new AWS architecture: a single AWS Linux ZCA with multiple VRAs.

The tool creates a VRA for each ZCA it consolidates from, and, during the consolidation process, recreates existing VPGs from a source recovery ZCA to a target recovery ZCA.

The purpose of the tool is to optimize the transition to a single Linux ZCA by automating the VPG recreation process. It is recommended to consolidate the environment gradually, and once the VPGs are successfully recreated and sufficient history has been gathered, the original ZCA can be terminated to avoid additional costs and network load.

The tool is available for download on MyZerto.

For more details, refer to:

AWS Consolidation Tool Overview

Expanded Guest OS Support for AWS and Azure

Zerto now supports additional guest operating systems when failing over to AWS and Azure.

This means a broader range of workloads can be recovered seamlessly without manual configuration. Failover to supported OS types is fully automatic—the system detects the OS and applies the necessary settings during recovery.

Operating Systems Supported Automatically when Failing over to AWS:

  • CentOS 7.x, CentOS 8.x
  • Red Hat Enterprise Linux 7.x, Red Hat Enterprise Linux 8.x, Red Hat Enterprise Linux 9.x
  • Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
  • Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04
  • Debian 11.x
  • Oracle Linux 8

Operating Systems Supported Automatically when Failing over to Azure:

  • Windows 2016, Windows 2019, Windows 2022, Windows 2025
  • CentOS 7.x, CentOS 8.x
  • Red Hat Enterprise Linux (RHEL) 7.x, Red Hat Enterprise Linux (RHEL) 8.x
  • Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04
  • Debian 11.x, Debian 12.x
  • Oracle Linux 8.x, Oracle Linux 9.x

Platform Encryption for AWS Recovery

Zerto now offers platform encryption capabilities for recovery using AWS encryption keys. Using key encryption provides essential data protection for security and compliance requirements. In VPG configuration, you can now select an encryption key from your existing key list, which is automatically applied to encrypt all recovery volumes.

AWS customers must leverage Customer Managed Keys (CMKs) to gain control, visibility, and compliance over encryption.

Users will be able to set the CMK ARN as the VPG default or per VM in VPG settings. On recovery operations, each volume will be created as encrypted with the selected CMK.
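
An added example, not part of Zerto or of the original post: after a failover test, this Python check confirms that each recovered volume is encrypted with the CMK that applies to it, either the VPG default or a per-VM override. It assumes `aws ec2 describe-volumes` output for the recovered VMs; every ARN and ID below is constructed.

```python
# Constructed values: account ID, key IDs, instance IDs and volume IDs are made up.
VPG_DEFAULT = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"
DB_VM_KEY = "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/33333333-3333-3333-3333-333333333333"
PER_VM = {"i-0bbb0000000000002": DB_VM_KEY}   # per-VM override from VPG settings


def vol(vol_id, instance_id, encrypted, key=None):
    """Build one entry shaped like an `aws ec2 describe-volumes` volume."""
    entry = {"VolumeId": vol_id, "Encrypted": encrypted,
             "Attachments": [{"InstanceId": instance_id}]}
    if key:
        entry["KmsKeyId"] = key       # EC2 reports the key ARN in this field
    return entry


SAMPLE = {"Volumes": [
    vol("vol-0ccc0000000000001", "i-0bbb0000000000001", True, VPG_DEFAULT),
    vol("vol-0ccc0000000000002", "i-0bbb0000000000002", True, DB_VM_KEY),
    vol("vol-0ccc0000000000003", "i-0bbb0000000000001", True, OTHER_KEY),
    vol("vol-0ccc0000000000004", "i-0bbb0000000000002", False),
]}


def expected_key(volume, vpg_default, per_vm):
    """Per-VM CMK if the attached instance has one, else the VPG default."""
    for attachment in volume.get("Attachments", []):
        if attachment.get("InstanceId") in per_vm:
            return per_vm[attachment["InstanceId"]]
    return vpg_default


def audit_volumes(describe_output, vpg_default, per_vm):
    """Return (volume_id, problem) for volumes not protected by the expected CMK."""
    findings = []
    for volume in describe_output.get("Volumes", []):
        if not volume.get("Encrypted"):
            findings.append((volume["VolumeId"], "unencrypted"))
        elif volume.get("KmsKeyId") != expected_key(volume, vpg_default, per_vm):
            # Encrypted, but with another key (for example the account default).
            findings.append((volume["VolumeId"], "wrong-key"))
    return findings


if __name__ == "__main__":
    for volume_id, problem in audit_volumes(SAMPLE, VPG_DEFAULT, PER_VM):
        print(problem, volume_id)
```

Checking the key ARN rather than only the `Encrypted` flag matters because a volume encrypted with a different key still reports `Encrypted: true`.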

IMDSv2 Configuration

AWS ZCA, VRA, and zImporter instances now support Instance Metadata Service Version 2 (IMDSv2), which enhances security by requiring session-based access to the instance metadata.

IMDSv2 was introduced in November 2019. Unlike its predecessor (IMDSv1), which allowed unauthenticated HTTP requests, IMDSv2 requires a session-oriented approach using temporary tokens. This makes it significantly harder for malicious actors to exploit metadata endpoints.

The recommended approach is to migrate the ZVM, VRA, and ZImporter components to use IMDSv2.

Deployment via AWS Marketplace (ZCA)

  • New ZCAs deployed through the AWS Marketplace using CloudFormation will have IMDSv2 set to “required” by default.
  • New VRAs and ZImporters will also have IMDSv2 set to “required” by default.

Existing VRAs and ZCAs

  • VRAs and ZCAs created before version 10.8 will retain their current IMDS settings during upgrades.
  • Customers may optionally update these instances to enforce IMDSv2 by manually setting the IMDS configuration to “required.”
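
Because instances created before 10.8 keep their old IMDS setting, it helps to find the ones that still answer IMDSv1. The following Python script is an added example, not Zerto or HPE code: it audits `aws ec2 describe-instances` output and builds the AWS CLI call that sets IMDS to "required". The sample data and instance IDs are constructed.

```python
import shlex

# Constructed sample shaped like `aws ec2 describe-instances` output.
# Instance IDs are made up; scope the real call to your own ZCA, VRA and
# zImporter instances (how they are tagged is environment-specific).
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa0000000000001",   # created before 10.8, old setting kept
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0aaa0000000000002",   # deployed with the 10.8 default
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0aaa0000000000003",   # metadata service switched off
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0aaa0000000000004"},  # MetadataOptions missing from output
]}]}


def audit_imds(describe_output):
    """Return (instance_id, status) for instances not enforcing IMDSv2."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions")
            if opts is None:
                status = "unknown"          # cannot tell; check manually
            elif opts.get("HttpEndpoint") == "disabled":
                continue                    # no metadata service to query at all
            elif opts.get("HttpTokens") == "required":
                continue                    # token-less IMDSv1 requests are rejected
            else:
                status = "imdsv1-allowed"   # "optional": v1 and v2 both answer
            findings.append((inst["InstanceId"], status))
    return findings


def remediation_command(instance_id):
    """AWS CLI call that sets IMDS to 'required' on one instance."""
    args = ["aws", "ec2", "modify-instance-metadata-options",
            "--instance-id", instance_id,
            "--http-tokens", "required", "--http-endpoint", "enabled"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for instance_id, status in audit_imds(SAMPLE):
        print(status, instance_id)
        if status == "imdsv1-allowed":
            print("  " + remediation_command(instance_id))
```

Once "required" is set, token-less callers on the instance stop working, so enforce it only on components already upgraded to a release that supports IMDSv2.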

VAIO (vSphere APIs for I/O Filtering)

Microsoft AVS Automatic Host Replacement (AHR)

Microsoft AVS Automatic Host Replacement (AHR) is now officially supported in VAIO-based environments.

AHR is a Microsoft AVS capability that automatically replaces ESXi hosts during hardware failures or planned maintenance. Zerto has enhanced its handling of these events to ensure:

  • Replication continues without disruption during host replacement.
  • Virtual Protection Groups (VPGs) are automatically evacuated.
  • Orphaned Zerto components (such as VRAs) are cleaned up automatically.

This ensures business continuity during AVS infrastructure changes.

For more information, refer to:

Microsoft AVS Automatic Host Replacement (AHR) Support in Zerto 10.8 (VAIO)

Automated VAIO I/O Filter Upgrade

Zerto now enters Maintenance Mode and performs the VAIO I/O Filter upgrade automatically. No manual action is needed, and you no longer need to place the host into Maintenance Mode manually.

When upgrading the I/O filter, Zerto first upgrades the filter on the cluster level and upgrades each host sequentially by:

  • Placing the host into Maintenance Mode.
  • Waiting for the upgrade to complete on the host level.
  • Taking the host out of Maintenance Mode.

This new feature creates two Zerto tasks:

  • Upgrade IOFilter on the cluster: initiate the I/O Filter upgrade in vCenter.
  • Upgrade IOFilter on host: individual task for each host.

Convert Existing AVS Deployments from Non-VAIO to VAIO

You can now convert existing AVS deployments from non-VAIO to VAIO using a new RunCommand, simplifying migration away from the legacy Zerto driver with minimal disruption.

For more information, refer to:

Deploying Zerto 10.8 on Azure VMware Solution (AVS)

VPGs Across VAIO/Non-VAIO

That's a great new feature. You can now protect virtual entities from a vSphere non-VAIO (zDriver) site to a vSphere site in the VAIO variant, and vice versa.

In this version, Hyper-V and public cloud environments are not supported.

For more information:

VAIO with Zerto: Frequently Asked Questions (FAQs)

General

CrowdStrike Falcon Integration

You can now integrate Zerto with CrowdStrike Falcon to enhance cybersecurity resilience through advanced threat detection and recovery capabilities.

Configure your CrowdStrike instance to receive alerts for VMs protected by Zerto, and Zerto will automatically tag checkpoints associated with those alerts. This enables you to fail over to a clean point in time before the detected threat, strengthening both security and recovery.

For more information, refer to:

CrowdStrike Integration

Centralized Log Management

You can now forward all Zerto logs, including ZVM and service logs, to an external Centralized Log Management server. Configure log forwarding from the new Log Management screen in the Management Console, supporting syslog over TCP and optional TLS encryption.

For more information, refer to:

Centralized Log Management

Secure NTP Configuration

You can now configure secure NTP (Network Time Protocol) settings on the Zerto Appliance to enhance time synchronization security and ensure accurate, tamper-resistant system time.

For the configuration procedure, refer to:

Configuring NTP in ZVM Appliance

Improved Performance and Usability

The VRA now starts up faster when performing an offline recovery from a snapshot.

For more details, refer to:

Offline Recovery Process from a Storage Snapshot

API

New Integration Hub APIs

The Integration Hub enables integration with third-party cybersecurity platforms to enhance threat detection and recovery. Zerto now provides a set of REST APIs for managing integrations with third-party platforms through the Integration Hub. The new endpoints enable you to create, retrieve, update, and delete integrations:

  • POST /v1/integrationhub/{type} – Create a new integration.
  • GET /v1/integrationhub/{type}/{id} – Retrieve details for a specific integration.
  • GET /v1/integrationhub – List all existing integrations.
  • PUT /v1/integrationhub/{type}/{id} – Update an existing integration.
  • DELETE /v1/integrationhub/{type}/{id} – Remove an existing integration.

NTP Configuration APIs

The following API endpoints are now available in the ZVM Appliance for managing NTP settings:

  • GET /configuration/v1/ntp – Retrieves the current NTP configuration.
  • POST /configuration/v1/ntp – Sets or updates the configured NTP servers.
  • DELETE /configuration/v1/ntp – Deletes all configured NTP servers.
  • GET /configuration/v1/ntp/status – Displays the current NTP synchronization status.

Reference

You can access the 10.8 release notes on the following page:

Release Notes for Zerto 10.8

