Skip to main content

Install zLAN offline

Use this page when deploying a zLAN firewall on a system without internet access. NetFoundry provides an offline bundle containing all required packages and dependencies for supported OS versions and architectures.

note

This page covers offline installation of the zLAN firewall only. For offline installation of NetFoundry Self-Hosted, see the Self-Hosted documentation.

Before you start

  • Confirm the bundle matches your target OS and architecture before transferring it.
  • Obtain your JWT token from the NetFoundry console. The console must be reachable from within your private network.

What's in the bundle

NetFoundry provides an archive named zlan-offline-<os>-<version>-<arch>.tar.gz that contains:

  • All required DEB or RPM packages and their dependencies for the specified OS and architecture
  • An offline installer script and README with OS-specific notes

Packages

PackageDescription
zlan-installerzLAN install script that configures the local system.
zfwzLAN firewall module.
zlan-routerzLAN router module.
filebeatElastic Filebeat; gathers and ships metrics.

Additional dependencies

  • Ubuntu/Debian:
    • chrony: Required for accurate system time synchronization.
  • RHEL/CentOS/Rocky/AlmaLinux:
    • chrony: Required for accurate system time synchronization.
    • systemd-resolved: Required for zlan-router to manage local DNS resolution.

Install and enroll

  1. Obtain the offline bundle from NetFoundry and transfer it to the target system (USB drive, external disk, or secure file transfer). Verify the archive integrity using the provided checksums:

    sha256sum zlan-offline-<os>-<version>-<arch>.tar.gz

    Keep the checksum manifest alongside the bundle for audit and troubleshooting.

  2. Unpack the bundle to a local path, for example /opt/zlan-offline.

  3. Run the offline installer from the unpacked bundle:

    /opt/zlan-offline/offline_install.sh

    The installer installs all required packages from the bundle. No internet access is required.

  4. Enroll and configure zLAN using your JWT token:

    /opt/openziti/zlan/scripts/zlan-firewall-setup.sh <JWT_TOKEN>
warning

The controller must be reachable at enrollment time. If your environment is fully isolated and cannot reach the controller, you can't proceed until that connectivity is resolved.

Troubleshoot installation issues

  • Missing dependencies: Verify the bundle matches your target OS release and architecture, and that you ran the included offline installer.
  • Service startup failures: Check that DNS and time synchronization services are active (chrony, systemd-resolved).
  • For further assistance, collect relevant logs and configuration files and contact NetFoundry support.