Release Notes v3.5.1
Release Date: August, 2024
Update Considerations
- bug fixes for Linux Airwall Agent since last release in 2022.
This version includes the following upgrades for Linux:
- OpenSSL 1.1.1q to 3.0.11
- cURL 7.82.0 to 8.7.1
- zlib 1.2.8 to 1.2.13
- c-ares 1.18.1 to 1.27.0
- Added libwebsockets 4.3.3 (for AirProxy)
- Removed libpcre 8.39 requirement (now using C++ std::regex)
Downloads
For firmware and software downloads for this version, see 3.5.1 firmware and software.
What's New in 3.5.1
This version of the Airwall Solution includes Conductor UI scaling improvements and the first Airwall Linux Agent release in two years.
Airwall Linux Agent
The Airwall Linux Server receives its first update in two years and is now more accurately named the Airwall Linux Agent. The Airwall Linux Agent supports AirProxy, contains many security and performance updates, and can better support development and test environments in virtual machines and cloud servers. See Installing and configuring an Airwall Linux Agent, Connecting with an Airwall Linux Agent, and Airwall Linux Agent Airshell commands.
Overlay global layout
You can now save a particular overlay network layout visualisation as a global layout using the Use global layout toggle. See Creating an overlay network.
Airwall Gateway 175 series
The Airwall Gateway 175 Series is a five-port gateway that replaces the Airwall Gateway 150. The Airwall Gateway 175 includes PoE, along with optional cellular and Wi-Fi. Refer to the Airwall Gateway 175 Series Datasheet and Airwall Gateway 175 Series Installation Guide.
Additions to Conductor Query Language (CQL)
isBypassRegion, isBypassSpecify, isBypassNone added to CQL. Airwall HIT and Airwall HA HIT can now also be accessed through CQL through the hits variable. See Airwalls Query Options.
Cookies
The v3.5.1 Conductor prompts you to accept or decline cookies when you log in for the first time. These cookies store your recently viewed items and network layouts when you log in for the first time. They do not track or identify you, or store your sensitive information. After accepting or declining cookies, you can change your preference in Preferences > Allow cookies for this Conductor.
New and Updated Help
Here is the new and updated content published since our last release:
- Airwall Gateway 175 Series Datasheet
- Airwall Gateway 175 Series Installation Guide.
- Installing and configuring an Airwall Linux Agent
- Connecting with an Airwall Linux Agent
- Airwall Linux Agent Airshell commands
- Integrate Third-party Authentication with OpenID Connect
- Setting up intrusion prevention
- Airwalls Query Options
- Installing and configuring a Windows Airwall Agent
Deprecations
AuthO actions
Auth0 is replacing rules with actions. If you currently use Auth0 rules to access Airwall, you must replace these with actions before November 18, 2024. To complete this process, see the updated steps in Integrate Third-party Authentication with OpenID Connect.
Intrusion Prevention
Intrusion prevention is deprecated for Airwalls v3.5.1 and greater.
Fixes
| ID | Applies to | Description |
|---|---|---|
| AWDEV-1935 | Conductor | Fixed an issue where assigning a local IP to an Agent can create a validation conflict in overlay network configurations with a cryptic error message, that requires you to navigate away to the Dashboard, then back to the Agent properties, to try a different address. |
| AWDEV-1921 | Conductor | Fixed an issue where a people group's description is also applied to activation codes generated through the people group. This caused new Airwalls provisioned using those activation codes to have the same description as the people group. A minor API update resolved the issue, renaming the description field to “group_description”. |
| AWDEV-1743 | Airwall Linux Agent | Fixed an issue where the unit file remains active after Airwall Linux upgrade. |
| AWDEV-1694 | Conductor | Fixed an issue where the Connectivity Checker shows false negative when pinging a public bypass destination |
| AWDEV-1644 | Conductor | Fixed an issue that prevented removal of overlay IP network from people group. |
| AWDEV-1285 | Conductor | Fixed an issue where a tag name change breaks the association in the Conductor UI. |
| AWDEV-1185 | Conductor | Fixed an issue that prevented the export device CSV download. |
| AWDEV-1140 | Conductor | Fixed an issue where passive device discovery detects Internet when traffic bridged through overlay. |
| AWDEV-245 | Conductor | Fixed an issue where an Airwall HA HIT does not appear in CQL or the Airwall page. |
|
Note: See release notes v3.1.2 through v3.4.3 for other fixes
that impact Airwall Linux Agent.
|
||
Known Issues
| ID | Applies to | Description |
|---|---|---|
| AWDEV-812 | Conductor | Swapping to a different Airwall in Conductor, airsh goes to
previous Airwall. Workaround - Go back to dashboard and then to the Airwall. |
| AWDEV-685 | Conductor | The Latest badge in the Conductor firmware
displays for multiple of the same model for certain
models. Workaround - Ignore the latest badge. |
| AWDEV-382 | Gateway | DHCP Passthrough breaks in certain
configurations. Workaround - Remove DHCP configuration from the disabled Overlay port groups. |
| AWDEV-381 | Server | AWS Airwall Deployment requires Internet Gateway.
Workaround - Deploy with a temporary internet gateway, and then modify settings in AWS to use the transit gateway once deployed. |
| AWDEV-371 | Conductor | Remote airsh sometimes corrupts output. |
| AWDEV-319 | Conductor | Airwalls can become disconnected from Conductor due to receiving
bad configuration data while upgrading HA paired
Conductors. Workaround - Do not demote a Conductor around the top of the hour when the consistency checker is running. Wait until 15 minutes into the hour. |
| AWDEV-285 | Conductor | Postgresql deadlock issue on Conductor restart. |
| AWDEV-252 | Conductor | Cannot clear incorrect login from OIDC user auth browser. |
| DEV-17648 | Linux Airwall Servers | Many Airshell functions (including changing log level) are non-functional until you have configured and licensed your Conductor. |
| DEV-17263 | Conductor |
If you fix a conflict in a smart device group by changing the IP of one of the conflicted devices, sometimes the change in IP does not result in the device being removed from the group and the change is not propagated to the Airwall Gateway. Workaround – Fully remove the device from the smart device group and then add it back again. |
| DEV-16431 | Conductor | When specifying a port mirror destination IP address, ensure that it doesn't conflict with any of the Airwall Gateway's local device IPs |
| DEV-16397 | Conductor | If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor, or go to and select Restart metadata cache to update the LSI prefix. |
| DEV-16068 | Amazon Web Services Conductor | To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image. |
| DEV-16067 | Cloud, Conductor, Airwall Gateways | If you are adding a new interface to an existing cloud Airwall Gateway, you must set the source and destination check to false (see your cloud provider for the terminology they use for source and destination checks). |
| DEV-15982 | Conductor | Traffic stats reporting graphs generally show a smooth curve between data points. However, over time the graph can show up with sharper angles. The data is still correct, but this is a known issue with the graphing library used by the Conductor. |
| DEV-15808 | Google Cloud Airwall Gateways | Google Cloud Airwall Gateways with the same VM name have the same device serial number, which
can result in a failure when you make a license request in the Conductor. Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways. |
| DEV-15219 | Cellular 110g Airwall Gateways | The Airwall Gateway 110g does not work on the Bell Mobility (Canada) cellular provider because they require the use of a http/https proxy. |
| DEV-14860 | Conductor | Airwall Gateways on older firmware (pre v2.2.0) may send passively-discovered device events to the Conductor even when the feature is off. |
| DEV-14835 | Conductor | Airwall Gateway 150 serial numbers look like exponentiated numbers to Windows Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number. |
| DEV-14726 | Conductor | If you are viewing an Android Airwall Agent
Ports tab and the Airwall Agent changes how it is connected to the Conductor (for example, from WiFi to cellular), the display does not update
correctly. Workaround – Refresh the page. |
| DEV-14610 | Conductor | After changing the Reporting traffic stats reporting time, the
CPU graph does not display. Workaround – Refresh your browser page. |
| DEV-14551 | Conductor | The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message. |
| DEV-14426 | Conductor, Airwall Gateways | Bypass destinations with a hostname do not show device activity in the Conductor. |
| DEV-14308 | OpenHIP | Initial packets are dropped while building a new tunnel to a new peer Airwall Gateway. |
| DEV-14223 | Google Cloud | Add an overlay IP to agent in order to talk to device behind Google 300v. |
| DEV-14015 | OpenHIP | If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay.
Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate. |
| DEV-13775 | Azure Cloud Airwall Gateways | The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error does not indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result. |
| DEV-13650 | Conductor | SoIP device activity is not being reported on an Airwall Gateway Local Devices tab. |
| DEV-13640 | Conductor | Airwall Relay diagnostics do not work on a Standby Conductor. |
| DEV-13633 | Conductor | A standby Conductor shows available firmware downloads, but they cannot be
downloaded. Workaround – Download firmware from the active Conductor. |
| DEV-13620 | Conductor | In , the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly. |
| DEV-13607 | Conductor, Airwall Gateways | Creating a link failover group () does not apply the settings to any port groups. You must also assign the failover group to port groups on the Ports page. |
| DEV-13588 | Conductor | Opening the Conductor on Internet Explorer 11 can be very slow for medium to large
deployments. Workaround – Use the latest version of Chrome, Firefox, or Edge instead. |
| DEV-13531 | Cloud Conductor | Automatically creating Cloud HA Conductors only works if you use the same cloud provider for both active and
standby Conductors. For example, AWS HA Active and AWS HA
Standby. Workaround – You can manually set up different cloud providers as HA pair Conductors. |
| DEV-13331 | Alibaba Cloud Airwall Gateways | The Alibaba Cloud Conductor system time is incorrect. Workaround – Change the Conductor system time to browser time: In Conductor Settings, under System time, select Edit Settings, select Set browser time, and then select Update Settings. |
| DEV-13195 | Conductor, Airwall Gateways | When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become
"Unavailable." Workaround – Reboot and the details return. |
| DEV-10590 | Cloud Airwall Gateways | The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider. |