Release Notes 2.2.8
Release Date: Jul 17, 2020
What’s New
New Airwall Gateway Hardware – the Airwall-110
The Airwall-110 Series is a major upgrade for the 100-Series, with higher performance and global cellular connectivity – all in a smaller form factor that maximizes the v2.2.8 improvements. The Airwall-110 has more (4x) bandwidth performance and two serial ports, runs all Snort intrusion detection monitors, handles up to 6 HD video streams, and has more storage and memory (so it has higher capacity, quality, and scalability for production environments).
See more: Airwall Gateway 110 Series
New cellular modem support
Version 2.2.8 supports the upcoming North America and Global cellular expansion trays for our Airwall-150 appliance. These LTE Category 4 expansion modules come in two variants supporting North America and Rest of World. These expansion trays allow you to connect your Airwall 150 to more cellular carriers in more countries including the United States, Canada, Australia, New Zealand, Japan, the European Union, and other countries recognizing CE RED certificates.
Conductor Dashboard and Usability Improvements
- Ability to pin pages you visit frequently
- See how many Airwall Edge Services are online, and how many authenticated users are logged in.
- Easily manage new provisioning requests
- See when new firmware and software is available, and easily update your network.
- Improved user onboarding workflow (see Improved User Management below)
Improved User Management and Remote Access User Features
Remote access user management has been expanded to scale for large organizations, with the Conductor doing most of the work that admins used to have to do to invite, onboard (especially installing and activating the Airwall Agents), orchestrate, and authenticate remote access users. Onboarded users can see what they can access through the overlay networks in Conductor, eliminating frequent support calls to Conductor admins for help getting server IP addresses.
See more:
- Connect People's Devices to your Airwall secure network
- Connect People as Remote Access Users
- Connect People's Devices with Activation Codes
- Set up a People Group
- Manage Versions of Airwall Agents
- Provision Airwall Gateways using activation codes
- Walkthrough - Onboard people to your Airwall secure network with User Authentication
Enhanced Monitoring
You can now set monitor thresholds on health data and traffic stats to detect potential problems before they occur. We have redline stats for performance metrics of the Airwall Gateway, and for volumetric traffic stats.
Seamless Bypass (split tunnel)
Seamless bypass enables you to deploy without knowing all of the hosts to allow in an overlay policy. Seamless bypass replaces the need to create policy exceptions, and reduces the complexity, extra hardware, extra cabling, and reliance on configuration of your underlay infrastructure.
See more: Local Bypass
Alibaba Cloud Conductor and Airwall Gateways
You can now use Alibaba Cloud to deploy cloud Conductors and Airwall Gateways, and seamlessly connect cloud Conductors and Airwall Gateways with each other, as well as virtual and on-premises or physical environments. You can deploy an Airwall secure network on all of the major cloud providers.
Routed Port Group Improvements
The ability to configure port groups can give you up to a 30% performance increase for common deployment cases using a single interface in the overlay port group (for example, cloud gateways, virtual gateways, and optionally on physical gateways). It is simpler to deploy and avoids multicast/broadcast chatter over the tunnel.
Custom signed Certificate Improvements
You can replace a signed certificate on the Conductor with the old certificate remaining active until the new certificate is activated.
See more: Adding or Replacing a Signed Certificate for the Conductor UI
Easier Deployment of High Availability Cloud Conductors
The Airwall Solution has automated the process of creating high availability Conductors in the cloud across different providers. You can now back up your Conductor and easily create an HA standby in the cloud using the Conductor's automated process and be guaranteed a successful cloud HA deployment.
See more: Automatically Create an Standby HA Conductor in the Cloud
Remote Airshell Access into Airwall Gateways
You can securely log in to the overlay IP address of an Airwall Gateway with key-based SSH, and run Airshell (airsh) commands remotely. Airsh has been enhanced to perform many of the functions of diagnostic mode. Remote access can help avoid in-person visits to perform diagnostics and troubleshooting. Status and statistics are available using airsh, which includes tab-completion and inline help.
Port configuration replication
You can now replicate the port configuration between two Airwall Gateways when setting up an Airwall Gateway HA pairing, or when replacing an Airwall Gateway.
Device Manufacturer (MAC address OUI) is now displayed
The Devices list now shows the manufacturer's name determined from the MAC address OUI (organizationally unique identifier), where available, in the OUI column. You can also now update the OUI list as needed.
Manage Airwall Agents through an MDM
Some MDM solutions now support managing Airwall Agents.
See more: Manage Airwall Agents through an MDM (Mobile Device Management) solution.
SD-WAN
An option was added to expose the Differentiated Services Code Point (DSCP) field of the inner IP header (plaintext) to the outer (encrypted) encapsulating header. This allows for classification of different types of network traffic for routing and prioritization purposes.
Upgrade Considerations
Consider upgrading to 2.2.8 if:
You want to use any of the following features: | You were impacted by any issues discovered in prior releases, especially if you have any of the following: |
---|---|
Seamless bypass (split tunnel); Alibaba Cloud Airwall Gateways; Set up High-availability Cloud Conductors | |
New and updated Airwall help content
In addition to help for new features, here are the changes to content published since our last release:
- Back up Azure Airwall Gateway 300v
- Restore an Azure Cloud Airwall Gateway
- Back up your Conductor
- Restore your Conductor from a database backup
- Set the Conductor system time
- Best Practices for Conductor Configuration
- Create an Event Monitor
- See and Manage Alerts
- Set who sees Event Monitors
- Set your Email Alert Level
- The Conductor Dashboard
- Conductor Icon Reference
- Configure Authentication Options
- Limit Device Traffic on an Airwall Gateway with Port Filtering
- Set up Port Filtering on an Airwall Gateway
- What makes up an Airwall secure network?
- Deploy a Physical Conductor
- Configure a Conductor
- Connect to the console port using Windows
- Set up physical Airwall Gateways
- Configure Advanced Airwall Edge Service Options
- Set up a virtual Airwall Gateway in Microsoft Hyper-V
- Allow an Airwall Agent to access your Airwall secure network
- Airshell (airsh) Command Reference
Fixes
ID | Applies to | Description |
---|---|---|
DEV-14067 | Airwall Gateways, Conductor | Fixed an issue on 2.2.8 Airwall Edge Services that could cause false negatives in the policy check for some overlay network configurations. |
DEV-13963 | Linux Airwall Agent | Fixed an issue where HIP was restarting on the CentOS 7 Linux Airwall Agent. |
DEV-13754 | Airwall Agent | The agent now waits for DNS to be available if the Conductor MAP address is a fully qualified domain name (FQDN). |
DEV-13720 | Conductor | Setting "Disable pings on active link" no longer requires a reboot. |
DEV-13683 | Conductor | Fixed an issue where cloud attributes smart device group rules were broken due to internal database reconfigurations. You can match devices on cloud Airwall Gateways that match certain attributes: provider, region, VPC ID, and subnet ID. For instance, you can match on "aws" to find all devices inside AWS. |
DEV-13643 | Airwall Gateway | Peer auto-connect setting now must be done from the Conductor. It is no longer available in Diag mode. |
DEV-13627 | OpenHIP | Fixed a deadlock which may occur on a busy gateway which is also acting as a relay. |
DEV-13569 | Airwall Gateway | Fixed excessive CPU usage when using generic Serial over IP. |
DEV-13566 | OSX Airwall Agent | Fixed an issue in the installer. |
DEV-13542 | Linux Airwall Agent | The Conductor tunnel report is now working properly |
DEV-13535, DEV-13513 | Conductor | Fixed an issue where Airwall agents and servers would publish transitory routing changes involving internal routing IP addresses as routing alerts in Conductor when there really was no problem. Any routing problems are still exposed via logging warnings. |
DEV-13525 | Airwall Gateway | Fixed an issue that caused disabling auto-repair in Linkmanager failover groups to be ignored. |
DEV-13508 | Conductor | Added PCI user activity entries for system level operations such as rebooting, restarting the metadata cache, and taking a database backup. |
DEV-13439 | Windows Airwall Agent | Fixed an issue where Windows update packages before v2.2.6 were not communicating whether they were 32- or 64-bit. |
DEV-13405 | Conductor | Fixed an issue where very large provisioning request sync jobs to the licensing server were timing out. |
DEV-13382 | Conductor | Anonymous proxy servers are now allowed. |
DEV-13353 | Windows Airwall Agent | Fixed a cert error that prevented unattended installation of the Windows Airwall Agent. |
DEV-13275 | Airwall Gateway | Fixed an issue where a misconfigured local device can poison the ARP cache entries for peer Airwall Gateways. |
DEV-13250 | Airwall Gateway | You can now replace HA-paired Airwall Gateways after failure without first destroying the HA pairing. |
DEV-13244 | Conductor | Fixed an issue where Tag search device match rules (DMR - part of smart device groups) were not matching some matching device tags (e.g. query string of cell now matches cell1 or cellular). When adding a tag to a device that did not yet exist in the system, the DMR would miss adding the device to its group. |
DEV-13217 | Linux Airwall Agent | The default profile profile1 now cannot be deleted. |
DEV-13213 | Conductor | Fixed an issue where the Airwall Edge Service tunnel reporting data had Airwall Edge Service names truncated if they were too long. You can now see the full name by hovering over the clipped name. |
DEV-13211 | Windows Airwall Agent | The Airwall Agent now re-enables the Tempered TAP adapter on startup if it is disabled. |
DEV-13209 | Conductor | Ping peer Airwall Gateways now includes Airwall Gateways that are acting as both a gateway and a Relay. |
DEV-13207 | Airwall Gateway | Added the ability to specify PDP context IP type for cellular connections. In previous versions, the carrier-specific default was not overridden by the "ipv6" checkbox used in diag mode and airsh. This ipv6 checkbox has been replaced by an ip-type field, allowing customers to specify default (meaning carrier default), ipv4, ipv6, or dual-stack ipv4v6. |
DEV-13202 | Conductor | Removed warning logs on Airwall Edge Services stating that a monitor is unsupported when the monitor is in fact supported. |
DEV-13147 | OSX Airwall Agent | Fixed an issue with packet captures on the OSX Airwall Agent. |
DEV-13134 | Conductor | Fixed an issue where importing an Airwall Edge Service that doesn’t exist silently fails the import. |
DEV-13122 | Android Airwall Agent | Fixed an issue where failover from cellular to Wifi didn’t always work without a restart. |
DEV-13121 | Airwall Gateway | Fixed an issue that caused overlay network traffic to become blocked when using the Airwall Gateway's overlay IP for serial-over-IP. |
DEV-13117 | Conductor | Now all changes to Airwall Gateway port configurations are logged in the PCI user activities log. |
DEV-13116 | Conductor | It is no longer possible to add non-local users (that is, those created in LDAP or OIDC) to a people group during creation by using Select all. You manage these people group memberships via groups in their respective systems. |
DEV-13107 | Conductor | Added PCI logging for changes to Conductor web certificate and CA chains. |
DEV-13101 | Conductor | Fixed an issue that could cause the packet capture feature in the Conductor support tab to show no capture interfaces. |
DEV-13100 | Airwall Gateway 150 | Fixed an issue where upon applying certain types of port configurations, the overlay ports fail to link up until the next reboot of the Airwall. |
DEV-13094 | Airwall Gateway | Fixed an issue that caused link fail-over times to be delayed by up to 30 seconds. |
DEV-13078 | Airwall Gateway | Fixed an issue that caused the reboot setting in the underlay link manager to have no effect if any underlay port groups were configured as stand-alone. |
DEV-13077 | Serial-over-IP | Fixed an issue that could cause serial-over-IP to become unresponsive after cellular outages. |
DEV-13076 | Conductor | Fixed a bug that could cause HIP tunnels to become stale after temporary cellular link failures. |
DEV-13072 | Conductor | Fixed Cellular signal strength timed out message. |
DEV-13064 | Conductor | Some event actions have a target box. Filtering the target box by name is now working. |
DEV-13063 | Conductor | Fixed a UI issue where button text wasn't visible on the HIP tunnel stats page when in Dark Mode. |
DEV-13062 | Conductor | Fixed a UI error when modifying the recipient list of an existing alert. |
DEV-13061 | Cloud | Updated paths for the 2.2.3 AW image ID in Google Cloud. |
DEV-13060 | Conductor | Fixed an issue where Agent hostnames were not being correctly shown for provisioning requests. |
DEV-13017 | Linux Airwall Agent | Fixed a non-fatal error that occurred when installing Ubuntu package on Debian. |
DEV-13007 | Airwall Agent | Fixed an issue where we stop sending heartbeat traffic. |
DEV-13001 | Android Airwall Agent | Fixed an issue where the Android Airwall Agent was sending an incorrect hostname when provisioning. |
DEV-12944 | Conductor | Clarified routing conflict alerts |
DEV-12939 | Airwall Gateway | Fixed an issue where the noUnderlayNetwork status was not set properly. This resulted in the "No underlay network" status never being displayed on LCD screens of the Airwall Gateway-400 or -500. |
DEV-12932 | Conductor | Fixed an issue where an Airwall Gateway generates routing alerts for east-west policy across two overlay port groups having the same subnet and overlay IP. |
DEV-12906 | Conductor | Fixed an issue in device activity reporting. |
DEV-12892 | Conductor | When there are no relay probe diagnostic results, a message now indicates that it is because the Airwall Gateway is not a member of any relay rules. Furthermore, fixed an issue where a value in the diagnostic data was misidentified as latency. In reality, this value is a score used to determine which relay to use. A lower score is better. |
DEV-12882 | Conductor | Airwall Gateways that use stand-alone underlay port group configurations now reboot on link failure if the reboot feature is enabled. |
DEV-12859 | Airwall Gateway | Removed extra repeated log messages that occurred when Airwall Gateway-300v did not have a virtual serial port attached. |
DEV-12858 | Conductor | Fixed an issue where duplicate results in relay probe diagnostic data result from multiple interfaces attempting to connect to the relay. The Conductor now only shows the best results. |
DEV-12855 | Airwall Gateway | Fixed an issue where the DHCP server / relay was not restarted when reconfiguring overlay port groups. |
DEV-12828 | Windows Airwall Agent | Fixed an install issue with Windows 32-bit Airwall Agent. |
DEV-12778 | Windows Airwall Agent | Installation timestamp now fixed in Conductor. |
DEV-12755 | Conductor | Fixed an issue where User auth overlay membership was not correctly published in all cases when people were added and removed from people groups. |
DEV-12731 | Conductor | HA-paired relays are now correctly named in the relay probe diagnostic tool. |
DEV-12727 | Airwall Gateway | Fixed an issue where a relay was giving a "Relay could not find an IPv4 source address" error. |
DEV-12710 | Airshell | Fixed an issue in Airshell where multiple cellular parameters could not be configured in one command. |
DEV-12701 | Airshell | When using Airshell, if the Airwall Gateway is in Diagnostic Mode, networking is not automatically restarted when configuring underlay address ('conf network') or modem settings ('conf cell'). |
DEV-12697 | Airshell | Fixed an issue where the Airshell log command does not display the log file on virtual Airwall Gateways. |
DEV-12684 | Conductor | When looking at voucher details, license model names are now in the same format as those on the licensing page. |
DEV-12662 | Airwall Gateway | Fixed an issue where Airwall Gateways equipped with Quectel cellular modems did not properly report signal strength on the front-panel LEDs. |
DEV-12648 | Airwall Gateway | Fixed an issue where the Airwall Gateway-150 USB console port USB descriptor reported that the port is AT command capable, causing ModemManager on Debian to probe the port as if it were a modem. |
DEV-12608 | Airwall Gateway | Fixed an issue in firmware 2.2.3 and 2.2.5 where the SFP LEDs on the Airwall Gateway 150 remain on when the SFP port is not in use in some configurations. |
DEV-12566 | Conductor | People groups created as a result of logging in via an authentication provider are now part of the PCI log. |
DEV-12559 | Conductor | In the smart device group dialog, when "Ignore auto-discovered devices until accepted" is turned off, the group now picks up any existing discovered devices that match its rules. |
DEV-12505 | Conductor | New PCI logs for Airwall Edge Services reconnect support function, starting a PCAP, stopping a PCAP, requesting a support bundle, and requesting a diagnostic report. |
DEV-12496 | Conductor | Fixed an issue where event actions could have a text display error if you edit one action while editing another. |
DEV-12434 | Conductor, Airwall Gateway | Now have support for NATing subnet broadcasts on the device network. |
DEV-12232 | Airshell | The two logins available on both Airwall Gateways and Conductor are "airsh" and "diag". All previous logins have been removed. |
DEV-11810 | Conductor | The Conductor now displays a more helpful error page for Conductor session timeout. |
DEV-11806 | Cloud | Cloud Diagnostics page Refresh button now refreshes the Protected Route table. |
DEV-11795 | Linux Airwall Agent | Fixed an issue where the current profile is not changed as a result of an update. |
DEV-11679 | Airwall Gateway | Fixed an issue where HA configured Airwall Gateways did not support the overlay DHCP feature after a fail-over. |
DEV-11408 | Android Airwall Agent | Fixed an issue where an Android Airwall Agent failed to connect with peers if it had policy to network objects. |
DEV-10081 | Conductor | Fixed an issue in the Create Conductor certificate dialog where hitting Enter didn’t save the certificate. |
DEV-8347 | Windows Airwall Agent | Windows Support Bundles are now encrypted. |
Known Issues
ID | Applies to | Description |
---|---|---|
DEV-14197 | MacOS Airwall Agent | When you update the macOS Airwall Agent, you may be required to restart. If you do not see the tray icon after the update finishes, restart your Mac to restore operation of the Airwall Agent. |
DEV-13944 | Airwall Gateway | When a device is disabled it will only stop traffic to other devices on remote Airwall Gateways. Traffic to bypass destinations will continue. Traffic to other devices on the same Airwall Gateway will not be stopped in some situations. |
DEV-13930 | Alibaba Cloud Airwall Gateway, Conductor | If you have created a new Alibaba Cloud Airwall Gateway with v2.2.8, there is an issue with the protected subnet id on the Cloud tab actually being the public subnet. Workaround: You can avoid this issue by waiting to install the upcoming 2.2.8 hotfix on the Conductor before creating any Alibaba Cloud Airwall Gateways. Workaround if you have already created an Alibaba Cloud Airwall Gateway: |
DEV-13916 | Airwall Gateway | Airwall Gateways running firmware version 2.2.8 will not use a Conductor URI that was previously learned from a DNS SRV record in v2.2.8 or a previous firmware revision. This leaves the Airwall Gateways unable to connect to the Conductor if the Airwall Gateway previously used a DNS SRV record for configuration and is later moved to a network without a Tempered DNS SRV record. Additionally, the Conductor setting that allows you to set the Conductor URI on all managed Airwall Gateways in Advanced Settings is not functional when used with DNS SRV record bootstrapping in firmware v2.2.8. Workaround: Prior to installing 2.2.8 on Airwall Gateways, install Hotfix-13955. You can then install 2.2.8 on the Airwall Gateways. If you have already installed 2.2.8 on Airwall Gateways and are experiencing this issue, please contact Customer Success for assistance, or you can manually configure the Conductor address in each Airwall Gateway using |
DEV-13913 | Alibaba Cloud | The 2.2.5 Airwall Gateway image in Alibaba Cloud deploys a 2.2.3 image instead. Workaround: After you finish deploying, upgrade the Airwall Gateway to the version you want. |
DEV-13887 | Windows Airwall Agent | There is an issue on some Windows machines where the Windows Airwall Agent cannot connect, even though ipconfig shows an auto-configured IP address for the Tempered TAP adapter (169.254.*.*), and the Conductor shows the device as online but with no IP address. Workaround: Restart the service, or check your Airwall Agent configuration in the Conductor. |
DEV-13872 | Conductor | When running Ping all devices on the Support tab for a HA standby Airwall Gateway, no results are being displayed and the busy status indicator never times out. |
DEV-13860 | Conductor | If you add a device when multiple port groups are already configured, the Port affinity list defaults to the first overlay port group, but the value set is "Detect automatically." Workaround: Edit the device again and change it to set port affinity. |
DEV-13846 | Conductor | Network admins cannot get the list of CAs and cannot add customer certificates to Airwalls through the UI, because the PKI button is not shown. |
DEV-13813 | Airwall Gateway 110g | RS-422 / RS-485 functionality is not guaranteed on the Airwall 110 for the 2.2.8 release. |
DEV-13811 | Airwall Gateway | When using an Airwall Gateway to provide high availability across multiple underlay links, do not place multiple interfaces in the underlay port groups or use bypass with routed-only mode disabled. |
DEV-13775 | Cloud | The Conductor rarely gives a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error doesn't indicate that the deployment has failed – go to the Azure portal and check the actual deployment result. |
DEV-13760 | Conductor | Device page export/import does not export or import Bypass Devices in this release. |
DEV-13759 | Airwall Gateway | Detect Devices button may incorrectly report devices attached to other port groups or peer Airwalls if policy permits traffic from an Overlay IP to those destinations. |
DEV-13607 | Conductor | Creating a link failover group (Airwalls -> Ports -> Failover settings) does not apply the settings to any port groups. This is easy to miss since you have to set the failover group on the ports page. |
DEV-13297 | Airwall Gateway | When deploying seamless bypass in a layer 2 "bump in the wire" configuration, traffic from the protected device to non-bypass destinations outside of the local subnet does not work as expected. The traffic egresses the remote Airwall Gateway or other port group with the destination MAC address of the local default gateway. Using seamless bypass in layer 2 "bump in the wire" mode to provide remote access to the protected device with an overlay IP and SNAT enabled works as expected. |
DEV-13194 | Conductor | An Airwall Edge Service's Check Connectivity / Ping Local Devices functionality can fail in Internet Explorer 11 if one of the devices is defined as a CIDR. To fix this, use one of the latest versions of Chrome, Firefox, Safari or Edge. |
DEV-12852 | Windows Airwall Agent | The Windows Airwall Agent may not connect when multiple interfaces are active. This issue can be caused by a Windows default that doesn't allow multiple simultaneous active network interfaces, and prefers ethernet over cellular or WiFi. It can be bypassed by editing a registry value. See the troubleshooting steps in I am having trouble connecting. |
DEV-12744 | Airwall Gateway | Customers with Airwall Agents version 2.2.1 or earlier connecting to HA-paired Conductors might not be able to authenticate a user auth session. Recommendation: Upgrade Conductors and Airwall Agents to version 2.2.3 or above. Workaround: After upgrades, if you still see connectivity issues, restart the Airwall Agent. |
DEV-12692 | API Documentation | The API docs navigation section does not work in Chrome 80, though it worked on previous versions of Chrome. It is still working in Firefox and Safari, so customers should use one of these browsers to view the docs. |
DEV-12544 | Conductor | If you restore a Conductor using a VM snapshot, and it is part of an HA pair, the Standby must be rebased as the standby. To do this, set the Standby Conductor to Active, and then back to Standby. This generates a new Standby Database. |
DEV-12513 | Cloud-Azure | Conductor rarely gives a "Net::ReadTimeout" error when user tries to deploy an Azure Airwall Gateway 300v or server. This doesn't indicate that the deployment has failed. If you get this error message, go to the Azure portal and check the actual deployment result. |
DEV-12275 | OSX Airwall Agent | DNS settings are seen and acted upon, but do not show up in resolver list. |
DEV-12264 | Airwall Agent | Revoking and then re-activating an Agent on a Conductor before v2.2.8 results in the Agent being unable to reconnect. Restarting the metadata cache on the Conductor resolves this issue. |
DEV-11840 | Conductor | Attempting to log into a Standby Conductor with an expired password results in a repeating change password prompt. If this occurs, log into the Active Conductor to change the password. |
DEV-11523 | Conductor | In rare cases, the Airwall Edge Services online/offline status graph on the Dashboard might be blank. |
DEV-10977 | Cloud | If one of the cloud attributes is missing, please reboot the Airwall Gateway by clicking the Airwall Gateway -> Actions -> Reboot. |
DEV-10846 | OSX Airwall Agent | On OSX Airwall Agents, it may not be possible to stop an ongoing packet capture. Workaround: Wait for the capture duration to expire. |
DEV-10710 | Conductor | Supported platforms for Upgrade are not listed in order in Conductor |
DEV-10276 | Windows Airwall Agent | Tray Application doesn't start on Server 2008 because .NET fails to install silently. |
DEV-8486 | Conductor | Clicking the Restart IF-MAP button will log the current user out. |
DEV-8120 | Conductor | Infrequently, an Azure Airwall Gateway may fail to reconnect to Conductor after firmware upgrade. This can be fixed by going to the Azure portal and restarting the VM the Airwall Gateway resides on. It can take up to 10 or 15 mins to come back online. |