Version 13.0

Introduction

We are excited to announce the features and enhancements implemented in version 13.0 of Flowmon ADS. This release:

• Introduces new detection methods for OT protocols.
• Improves responsiveness of the user interface.
• Adds support for the new collector engine in Flowmon 13.

Flowmon ADS 13.0.4 release date: 1st April 2026

Let us know your feedback

Customers helped to choose and validate some of the features that went into this release. We want to hear from you to continue to improve Flowmon ADS. You can request to join and participate in pre-release activities on the Flowmon Customer Validation Program (CVP) and vote on and submit your product ideas on our ideas portal. Thank you for helping to make Flowmon ADS better!

What's New in Flowmon ADS 13.0?

New machine-learning based detection methods for Operation Technology protocols

Flowmon ADS 13.0 brings the new possibility of automatic anomaly detection in Operation Technology (OT) environments. The detection method use various machine-learning algorithms to model normal OT traffic and detect anomalies.

• Clustering method uses the K-Means clustering algorithm to model traffic as a collection of clusters. Based on identified clusters of normal flows, it is possible to classify the new flow either as normal or unknown.
• Probabilistic Automata method creates and trains traffic models. Based on learned communication patterns, it is possible to classify the sequence of new flows either as normal or unknown.
• Statistical method uses statistical models to classify sequences of new flows either as normal or anomalous. It creates a separate model for each monitored device in a network.

Method name (code)	Supported protocols	Machine-learning approach
OT Clustering Anomaly (OTCLANOM)	IEC104, GOOSE, DNP3, Modbus	Clustering
OT Probabilistic Automata Anomaly (OTPAANOM)	IEC104	Probabilistic Automata
OT Statistical Models Anomaly (OTSMANOM)	IEC104, GOOSE	Statistical

The events detected by the OT methods may indicate a malfunctioned, misconfigured, or malicious devices, or new devices that communicated using the supported protocol. The event detail provides information about what monitored attribute or metric from the OT traffic was anomalous.

How to enable anomaly detection in OT traffic

Before you are able to detect anomalies in the OT traffic, you must first finish couple of configuration steps. The OT detection methods are inactive by default and require a new specific OT Data Feed for proper function (similar to the SIP detection methods using the SIP Data Feed). You also need a Flowmon Probe that is capable of monitoring various OT protocols and exporting the information to the Flowmon Collector. Since Flowmon 13.0, it is not required to enable the OT protocols on the collector side because it is enabled automatically.

1. Enable monitoring of OT protocols on your Flowmon Probes in Configuration Center → Monitoring Ports → Advanced Settings. Select the protocols you want to monitor and Save the settings.
2. Create a new OT data feed in Flowmon ADS → Settings → Processing → Data Feeds. Click New data feed to create a new one. Ensure that the selected profile contains OT traffic (you can check this in the Monitoring Center) and Operation Technologies as selected as the Flow data type. Keep the Assign to detection methods option checked to avoid the need to assign the Data Feed to detection methods manually.

3. Once the Data Feed is created, click Start to active data processing.
4. Activate the detection methods in Settings → Processing → Methods by clicking Start in the method instance settings of the OT detection methods.
5. Assign the new detection methods to any of the current perspectives or create a new one in Settings → Processing → Perspectives.

After finishing the configuration steps above (including activating the detection methods), the 24-hour learning period starts (this is a default value that can be changed). During this period you will not be able to see any detected events. After the models are learned, the methods will start detect anomalies.

Improved responsiveness of the User Interface

Following the database migration and subsequent performance optimizations, overall UI responsiveness has been significantly improved. The most notable enhancements can be observed in the Analysis Summary on the Analysis page, in addition to the Simple List, By MITRE View, and By Hosts View on the Events page.

Data and event rendering performance has been significantly improved — the results show at least a twofold increase in speed, depending on configuration complexity, event volume, and environment type. The best performance gains were observed on pages calculating the threat score, with up to a sevenfold improvement in single-tenant setups a and thirtyfold improvement in multi-tenant environments.

False Positives reduced using DNS enrichment

Flowmon 13 enriches flow records with domain name information derived from DNS traffic. When enabled, you can see the fully qualified domain names (FQDNs) in addition to IP addresses in flow data. This is particularly useful for identifying specific services in environments where multiple domains share the same server, such as Content Delivery Networks (CDNs). This feature is enabled by default and can be toggled in Configuration Center → Monitoring Center → Collector → Processing Modules.

In Flowmon ADS, DNS enrichment now enhances the evaluation of False Positive rules that use hostnames in their definitions (under Advanced Filtering Parameters). Previously, these rules applied only to DNS and HTTP(S) traffic, excluding such flows from further processing. With DNS enrichment, the rules also apply to non-DNS and non-HTTP(S) traffic associated with the same domains, resulting in a lower rate of false positive detections.

Other changes

• Compatibility with the Flowmon 13 new collector engine and Operating System (Rocky Linux 9).
• Biflow data from 3rd party flow sources can be stored on the Collector. Flowmon ADS can process the biflow data, saving processing power by bypassing flow pairing. This results in more accurate and instant detection.
• All Flowmon Origin blacklist feeds are available only with valid support.
• The Delete events marked as false positive feature has been removed.
• The FPI groups are now loaded for the Traffic Recording event response from the Flowmon Packet Investigator (FPI) Collector, so there is no need to manually check the group ID in the Configuration Center.

Fixed issues

Issues fixed in Flowmon ADS 13.0.4

Ticket number	Issue topic	Issue details	Resolution details
-	Upgrade Process	Upgrading Flowmon ADS after upgrading Flowmon to version 13 (from 12.5) could fail if there was insufficient Flowmon ADS disk quota. The system required increasing the quota, but this was no longer possible.	The Flowmon ADS upgrade process now automatically allocates sufficient disk space or provides a clear error message indicating how much disk space must be freed before retrying the installation.

Issues fixed in Flowmon ADS 13.0.3

Ticket number	Issue topic	Issue details	Resolution details
-	Security	CVE-2026-2513	Fixed a vulnerability that could allow an administrator who clicks a malicious link to inadvertently trigger unintended actions within their authenticated web session.
-	Security	CVE-2026-2514	Fixed a vulnerability that could allow unintended actions to be executed when viewing maliciously crafted network data.

Issues fixed in Flowmon ADS 13.0.2

Ticket number	Issue topic	Issue details	Resolution details
01817723, 01829617, 01830673	Database	Concurrency of multiple database operations (such as Filters reindexing) occasionally leads to an unresponsive UI and system freeze.	Resolved the issue by optimizing concurrency between database cleanup and indexing processes.
01839648	Analysis Summary	The Analysis Summary does not provide any results.	Fixed a log file permission issue which led to an empty Analysis Summary.

Issues fixed in Flowmon ADS 13.0.1

Ticket number	Issue topic	Issue details	Resolution details
-	Security	CVE-2025-13774	Fixed an SQL injection vulnerability that allows authenticated users to execute unintended SQL queries and commands.
01817723	Database	During periods of high event volume, some events were not processed in time and were dropped. Users were informed about this through System Messages.	The event insertion process into the database was optimized, resulting in higher throughput.

Issues fixed in Flowmon ADS 13.0.0

Ticket number	Issue topic	Issue details	Resolution details
01753489	Filters	It is not possible to create a filter because of a “Name is not unique” error even though the name is unique.	Fixed a rare issue caused by the incorrect order of Relation Filter operations stored in the database, which resulted in a “Name is not unique” error.

Known issues

• The compatible Flowmon QRadar Application is not available yet.
• Operations with a tenant (deleting and creating a new one) after updating to Flowmon 13.0 and before updating to Flowmon ADS 13.0 can result in errors. To prevent any issues, do the operations after updating both Flowmon and Flowmon ADS to version 13.0.

Release information

Flowmon Anomaly Detection System

Version: 13.0.4

Date: 1st April 2026

This package can be used for new installation or to upgrade Flowmon ADS on a Flowmon appliance.

Copyright notice

Copyright © 2007 - 2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

Support information

If you need help, contact our Support team at the Flowmon Support and Learning Hub.

Compatibility

This package is compatible with Flowmon 13.0.0 or higher.

Dependencies

The following table summarizes the minimum required versions of Flowmon and Flowmon ADS for various versions of the package.

The table only lists versions with dependency changes.

Flowmon ADS version	Minimum required version of Flowmon	Minimum required version of ADS	Notes
13.0.0	13.0.0	12.5.2
12.4.0	12.4.0	12.3.0
12.3.0	12.3.5	12.2.0
12.2.0	12.3.0	11.1.1*	*ADS 12.0.4+ is needed when upgrading FM to 12.3.0
12.1.0	12.2.0	11.1.1*	*ADS 12.0.4+ is needed when upgrading FM to 12.2.0
12.0.0	12.0.0	11.1.1*	*ADS 11.2.4+ is needed when upgrading FM to 12.0.0
11.4.1	11.1.9	10.0.0*	*ADS 11.1.1+ is needed when upgrading FM to 11.1.9
11.3.2	11.1.7	10.0.0*	*ADS 11.1.1+ is needed when upgrading FM to 11.1.7
11.3.0	11.1.6	10.0.0*	*ADS 11.1.1+ is needed when upgrading to 11.1.6
11.2.0	11.1.0	10.0.0*	*ADS 11.1.1+ is needed when upgrading FM to 11.1.0
11.0.4	11.0.1	10.0.0

Installation

The installation requires a Flowmon ADS license. To upgrade from previous major versions, a license with the Standard or Extended Support is required.

The first installation and uninstallation of Flowmon ADS restarts the flow collector for a short period of time, during which flow data is not collected. This affects traffic charts in the Flowmon Monitoring Center and the event chart in Flowmon ADS.

1. Download the package from the Support portal. Do NOT unpack it.
2. Log in to Flowmon Configuration Center on your Flowmon appliance.
3. Open the Version page.
4. Click Import package and choose the installation package.
5. Wait until a notification is displayed informing you that the update was successful.

After upgrading from a previous major version, the web User Interface (UI) may display incorrectly with visual issues like missing text. If that happens, try to clear the browser cache.

Cleaning local storage in Firefox/Chrome browser:

1. Press F12 on your keyboard to open developer tools.
2. Select the Console tab.
3. Type the following command: localStorage.clear();
4. Press enter to confirm the command.