What's New and Release Notes for 26.x

The all_except feature helps you apply a policy to everything in scope while excluding only the items you specify, allowing you to manage broad rules with minimal effort.

You can apply a rule to everything in scope except the items you explicitly exclude to manage broad policies without building long include lists. It works like an exclusion mechanism: define what should not be affected and the system applies the rule to everything else.

The PCE resolves all_except as “universe minus exclusions” and sends the VEN a fully expanded policy. The VEN enforces the resolved result—no extra client‑side evaluation—so behavior is stable, predictable, and scales with the size of the exclusion set, not the environment. As your environment grows, new workloads or services automatically fall under the “all” side of the rule unless they match your exclusions, reducing routine maintenance.

You’ll see all_except in segmentation rule‑building workflows.

The feature all_except reduces routine maintenance. New workloads or services automatically fall under the “all” portion of the rule without requiring edits unless they match your exclusions.

You can avoid large, complex selection lists and easily create broad policies as your environment grows.

Rely on all_except when you need one rule to cover most of your environment while shielding a small number of workloads or services. It’s also useful when scopes remain stable over time or when label‑driven policies benefit from automatic inheritance.

Apply the feature All Except when you want to:

Rule coverage results do not currently reflect policy rules that use "All IPs Except".