diff --git a/management/server/grpcserver.go b/management/server/grpcserver.go
index 5786dc871..2b27f9e0f 100644
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -392,6 +392,18 @@ func extractPeerMeta(ctx context.Context, meta *proto.PeerSystemMeta) nbpeer.Pee
 Cloud: meta.GetEnvironment().GetCloud(),
 Platform: meta.GetEnvironment().GetPlatform(),
 },
+ Flags: nbpeer.Flags{
+ RosenpassEnabled: meta.GetFlags().GetRosenpassEnabled(),
+ RosenpassPermissive: meta.GetFlags().GetRosenpassPermissive(),
+ ServerSSHAllowed: meta.GetFlags().GetServerSSHAllowed(),
+ DisableClientRoutes: meta.GetFlags().GetDisableClientRoutes(),
+ DisableServerRoutes: meta.GetFlags().GetDisableServerRoutes(),
+ DisableDNS: meta.GetFlags().GetDisableDNS(),
+ DisableFirewall: meta.GetFlags().GetDisableFirewall(),
+ BlockLANAccess: meta.GetFlags().GetBlockLANAccess(),
+ BlockInbound: meta.GetFlags().GetBlockInbound(),
+ LazyConnectionEnabled: meta.GetFlags().GetLazyConnectionEnabled(),
+ },
 Files: files,
 }
 }
diff --git a/management/server/peer/peer.go b/management/server/peer/peer.go
index afda55d17..8ce1dfb4e 100644
--- a/management/server/peer/peer.go
+++ b/management/server/peer/peer.go
@@ -94,6 +94,22 @@ type File struct {
 ProcessIsRunning bool
 }
+// Flags defines a set of options to control feature behavior
+type Flags struct {
+ RosenpassEnabled bool
+ RosenpassPermissive bool
+ ServerSSHAllowed bool
+
+ DisableClientRoutes bool
+ DisableServerRoutes bool
+ DisableDNS bool
+ DisableFirewall bool
+ BlockLANAccess bool
+ BlockInbound bool
+
+ LazyConnectionEnabled bool
+}
+
 // PeerSystemMeta is a metadata of a Peer machine system
 type PeerSystemMeta struct { //nolint:revive
 Hostname string
@@ -111,6 +127,7 @@ type PeerSystemMeta struct { //nolint:revive
 SystemProductName string
 SystemManufacturer string
 Environment Environment `gorm:"serializer:json"`
+ Flags Flags `gorm:"serializer:json"`
 Files []File `gorm:"serializer:json"`
 }
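Review bot: The new `Flags` block in extractPeerMeta copies ten booleans straight out of the peer's own `PeerSystemMeta` message, and neither this hunk nor the `Flags` struct comment added in peer.go says that the values are self-reported. Several of them describe the peer's security posture (`DisableFirewall`, `BlockInbound`, `BlockLANAccess`, `ServerSSHAllowed`), so a later reader could take a stored value for something the server has verified, while a modified client can report whatever it likes. I would reword the struct comment along the lines of `// Flags holds feature toggles as reported by the peer itself; the server stores them for visibility and must not treat them as verified state.` extractPeerMeta starts above this hunk, so whether its callers already treat the result as untrusted cannot be seen here.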
@@ -155,7 +172,8 @@ func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
 p.SystemProductName == other.SystemProductName &&
 p.SystemManufacturer == other.SystemManufacturer &&
 p.Environment.Cloud == other.Environment.Cloud &&
- p.Environment.Platform == other.Environment.Platform
+ p.Environment.Platform == other.Environment.Platform &&
+ p.Flags.isEqual(other.Flags)
 }
 func (p PeerSystemMeta) isEmpty() bool {
@@ -315,3 +333,16 @@ func (p *Peer) UpdateLastLogin() *Peer {
 p.Status = newStatus
 return p
 }
+
+func (f Flags) isEqual(other Flags) bool {
+ return f.RosenpassEnabled == other.RosenpassEnabled &&
+ f.RosenpassPermissive == other.RosenpassPermissive &&
+ f.ServerSSHAllowed == other.ServerSSHAllowed &&
+ f.DisableClientRoutes == other.DisableClientRoutes &&
+ f.DisableServerRoutes == other.DisableServerRoutes &&
+ f.DisableDNS == other.DisableDNS &&
+ f.DisableFirewall == other.DisableFirewall &&
+ f.BlockLANAccess == other.BlockLANAccess &&
+ f.BlockInbound == other.BlockInbound &&
+ f.LazyConnectionEnabled == other.LazyConnectionEnabled
+}
diff --git a/management/server/peer/peer_test.go b/management/server/peer/peer_test.go
index 3d3a2e311..1aa3f6ffc 100644
--- a/management/server/peer/peer_test.go
+++ b/management/server/peer/peer_test.go
@@ -4,6 +4,8 @@ import (
 "fmt"
 "net/netip"
 "testing"
+
+ "github.com/stretchr/testify/require"
 )
 // FQDNOld is the original implementation for benchmarking purposes
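Review bot: `Flags.isEqual`, added at the end of peer.go, compares the ten fields by hand, so a flag added to the struct later is silently left out unless its author remembers this function. `PeerSystemMeta.isEqual` now depends on it, so a change in such a forgotten flag would presumably not register as a metadata change and the stored value would go stale, which matters for flags an operator may audit such as `BlockInbound` or `DisableFirewall`. `Flags` contains only `bool` fields and is therefore comparable, so the body can be `return f == other`, which covers every field and stops compiling if a non-comparable field is ever introduced.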
@@ -83,3 +85,59 @@ func TestIsEqual(t *testing.T) {
 t.Error("meta1 should be equal to meta2")
 }
 }
+
+func TestFlags_IsEqual(t *testing.T) {
+ tests := []struct {
+ name string
+ f1 Flags
+ f2 Flags
+ expect bool
+ }{
+ {
+ name: "should be equal when all fields are identical",
+ f1: Flags{
+ RosenpassEnabled: true, RosenpassPermissive: false, ServerSSHAllowed: true,
+ DisableClientRoutes: false, DisableServerRoutes: true, DisableDNS: false,
+ DisableFirewall: true, BlockLANAccess: false, BlockInbound: true, LazyConnectionEnabled: true,
+ },
+ f2: Flags{
+ RosenpassEnabled: true, RosenpassPermissive: false, ServerSSHAllowed: true,
+ DisableClientRoutes: false, DisableServerRoutes: true, DisableDNS: false,
+ DisableFirewall: true, BlockLANAccess: false, BlockInbound: true, LazyConnectionEnabled: true,
+ },
+ expect: true,
+ },
+ {
+ name: "shouldn't be equal when fields are different",
+ f1: Flags{
+ RosenpassEnabled: true, RosenpassPermissive: false, ServerSSHAllowed: true,
+ DisableClientRoutes: false, DisableServerRoutes: true, DisableDNS: false,
+ DisableFirewall: true, BlockLANAccess: false, BlockInbound: true, LazyConnectionEnabled: true,
+ },
+ f2: Flags{
+ RosenpassEnabled: false, RosenpassPermissive: true, ServerSSHAllowed: false,
+ DisableClientRoutes: true, DisableServerRoutes: false, DisableDNS: true,
+ DisableFirewall: false, BlockLANAccess: true, BlockInbound: false, LazyConnectionEnabled: false,
+ },
+ expect: false,
+ },
+ {
+ name: "should be equal when both are empty",
+ f1: Flags{},
+ f2: Flags{},
+ expect: true,
+ },
+ {
+ name: "shouldn't be equal when at least one field differs",
+ f1: Flags{RosenpassEnabled: true},
+ f2: Flags{RosenpassEnabled: false},
+ expect: false,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ require.Equal(t, tt.expect, tt.f1.isEqual(tt.f2))
+ })
+ }
+}
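Review bot: `RosenpassEnabled` is the only field `TestFlags_IsEqual` ever tests as a lone difference; the second case flips all ten fields at once, so the table still passes if nine of the ten comparisons are removed from `isEqual`. A per-field test catches a dropped or forgotten comparison, and walking the struct with `reflect` keeps it covering flags that are added later. The sketch below is an additional test next to the existing table and needs `reflect` in the import block of peer_test.go.

```go
func TestFlags_IsEqual_EachField(t *testing.T) {
	typ := reflect.TypeOf(Flags{})
	for i := 0; i < typ.NumField(); i++ {
		t.Run(typ.Field(i).Name, func(t *testing.T) {
			var changed Flags
			// Flip exactly one flag; every field of Flags is a bool today.
			reflect.ValueOf(&changed).Elem().Field(i).SetBool(true)
			require.False(t, Flags{}.isEqual(changed))
			require.False(t, changed.isEqual(Flags{}))
		})
	}
}
```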