Release Notes 2.2.8

Release Date: Jul 17, 2020

What’s New

Note: These release notes were updated Jul 31, 2020 to include the release of the v2.2.8 Windows Airwall Agents and Servers, and Sep 9, 2020, with an update for all Airwall Agents and Servers. New versions are in the Latest firmware and software.

New Airwall Gateway Hardware – the Airwall-110

The Airwall-110 Series is a major upgrade for the 100-Series, with higher performance and global cellular connectivity – all in a smaller form factor that maximizes the v2.2.8 improvements. The Airwall-110 has more (4x) bandwidth performance and two serial ports, runs all Snort intrusion detection monitors, handles up to 6 HD video streams, and has more storage and memory (so it has higher capacity, quality, and scalability for production environments).

See more: Airwall Gateway 110 Series

New cellular modem support

Version 2.2.8 supports the upcoming North America and Global cellular expansion trays for our Airwall-150 appliance. These LTE Category 4 expansion modules come in two variants supporting North America and Rest of World. These expansion trays allow you to connect your Airwall 150 to more cellular carriers in more countries including the United States, Canada, Australia, New Zealand, Japan, the European Union, and other countries recognizing CE RED certificates.

Conductor Dashboard and Usability Improvements

The Conductor Dashboard has been improved to give you a broader look into the status of your Airwall secure network. New features include:
  • Ability to pin pages you visit frequently
  • See how many Airwall Edge Services are online, and how many authenticated users are logged in.
  • Easily manage new provisioning requests
  • See when new firmware and software is available, and easily update your network.
  • Improved user onboarding workflow (see Improved User Management below)

Improved User Management and Remote Access User Features

Remote access user management has been expanded to scale for large organizations, with the Conductor doing most of the work that admins used to have to do to invite, onboard (especially installing and activating the Airwall Agents), orchestrate, and authenticate remote access users. Onboarded users can see what they can access through the overlay networks in Conductor, eliminating frequent support calls to Conductor admins for help getting server IP addresses.

See more:

Enhanced Monitoring

You can now set monitor thresholds on health data and traffic stats to detect potential problems before they occur. We have redline stats for performance metrics of the Airwall Gateway, and for volumetric traffic stats.

Seamless Bypass (split tunnel)

Seamless bypass enables you to deploy without knowing all of the hosts to allow in an overlay policy. Seamless bypass replaces the need to create policy exceptions, and reduces the complexity, extra hardware, extra cabling, and reliance on configuration of your underlay infrastructure.

See more: Local Bypass

Alibaba Cloud Conductor and Airwall Gateways

You can now use Alibaba Cloud to deploy cloud Conductors and Airwall Gateways, and seamlessly connect cloud Conductors and Airwall Gateways with each other, as well as virtual and on-premises or physical environments. You can deploy an Airwall secure network on all of the major cloud providers.

Routed Port Group Improvements

The ability to configure port groups can give you up to a 30% performance increase for common deployment cases using a single interface in the overlay port group (for example, cloud gateways, virtual gateways, and optionally on physical gateways). It is simpler to deploy and avoids multicast/broadcast chatter over the tunnel.

Custom signed Certificate Improvements

You can replace a signed certificate on the Conductor with the old certificate remaining active until the new certificate is activated.

See more: Add or Replace a Signed Certificate for the Conductor UI

Easier Deployment of High Availability Cloud Conductors

The Airwall Solution has automated the process of creating high availability Conductors in the cloud across different providers. You can now back up your Conductor and easily create an HA standby in the cloud using the Conductor's automated process and be guaranteed a successful cloud HA deployment.

See more: Automatically Create an Standby HA Conductor in the Cloud

Remote Airshell Access into Airwall Gateways

You can securely log in to the overlay IP address of an Airwall Gateway with key-based SSH, and run Airshell (airsh) commands remotely. Airsh has been enhanced to perform many of the functions of diagnostic mode. Remote access can help avoid in-person visits to perform diagnostics and troubleshooting. Status and statistics are available using airsh, which includes tab-completion and inline help.

Port configuration replication

You can now replicate the port configuration between two Airwall Gateways when setting up an Airwall Gateway HA pairing, or when replacing an Airwall Gateway.

Device Manufacturer (MAC address OUI) is now displayed

The Devices list now shows the manufacturer's name determined from the MAC address OUI (organizationally unique identifier), where available, in the OUI column. You can also now update the OUI list as needed.

Manage Airwall Agents through an MDM

Some MDM solutions now support managing Airwall Agents.

See more: Manage Airwall Agents through an MDM (Mobile Device Management) solution.

SD-WAN

An option was added to expose the Differentiated Services Code Point (DSCP) field of the inner IP header (plaintext) to the outer (encrypted) encapsulating header. This allows for classification of different types of network traffic for routing and prioritization purposes.

Upgrade Considerations

Consider upgrading to 2.2.8 if:
  • You want to use any of the following features:
      • Seamless bypass (split tunnel)
      • Alibaba Cloud Airwall Gateways
      • Set up High-availability Cloud Conductors
  • You were impacted by any issues discovered in prior releases, especially if you have any of the following:

New and updated Airwall help content

In addition to help for new features, here are the changes to content published since our last release:

Fixes

ID Applies to Description
DEV-14067 Airwall Gateways, Conductor Fixed an issue on 2.2.8 Airwall Edge Services that could cause false negatives in the policy check for some overlay network configurations.
DEV-13963 Linux Airwall Server Fixed an issue where HIP was restarting on the Linux Centos7 Airwall Server.
DEV-13754 Airwall Agent The agent now waits for DNS to be available if the Conductor MAP address is a fully qualified domain name (FQDN).
DEV-13720 Conductor Setting "Disable pings on active link" no longer requires a reboot.
DEV-13683 Conductor Fixed an issue where cloud attributes smart device group rules were broken due to internal database reconfigurations. You can match devices on cloud Airwall Gateways that match certain attributes: provider, region, VPC ID, and subnet ID. For instance, you can match on "aws" to find all devices inside AWS.
DEV-13643 Airwall Gateway Peer auto-connect setting now must be done from the Conductor. It is no longer available in Diag mode.
DEV-13627 OpenHIP Fixed a deadlock which may occur on a busy gateway which is also acting as a relay.
DEV-13569 Airwall Gateway Fixed excessive CPU usage when using generic Serial over IP.
DEV-13566 OSX Airwall Agent Fixed an issue in the installer.
DEV-13542 Linux Airwall Agent The Conductor tunnel report is now working properly.
DEV-13535, DEV-13513 Conductor Fixed an issue where Airwall agents and servers would publish transitory routing changes involving internal routing IP addresses as routing alerts in Conductor when there really was no problem. Any routing problems are still exposed via logging warnings.
DEV-13525 Airwall Gateway Fixed an issue that caused disabling auto-repair in Linkmanager failover groups to be ignored.
DEV-13508 Conductor Added PCI user activity entries for system level operations such as rebooting, restarting the metadata cache, and taking a database backup.
DEV-13439 Windows Airwall Agent Fixed an issue where Windows update packages before v2.2.6 were not communicating whether they were 32- or 64-bit.

DEV-13405 Conductor Fixed an issue where very large provisioning request sync jobs to the licensing server were timing out.
DEV-13382 Conductor Anonymous proxy servers are now allowed.
DEV-13353 Windows Airwall Agent Fixed a cert error that prevented unattended installation of the Windows Airwall Agent.
DEV-13275 Airwall Gateway Fixed an issue where a misconfigured local device can poison the ARP cache entries for peer Airwall Gateways.
DEV-13250 Airwall Gateway You can now replace HA-paired Airwall Gateways after failure without first destroying the HA pairing.
DEV-13244 Conductor Fixed an issue where Tag search device match rules (DMR - part of smart device groups) were not matching some matching device tags (e.g. query string of cell now matches cell1 or cellular). When adding a tag to a device that did not yet exist in the system, the DMR would miss adding the device to its group.
DEV-13217 Linux Airwall Agent The default profile profile1 now cannot be deleted.
DEV-13213 Conductor Fixed an issue where the Airwall Edge Service tunnel reporting data had Airwall Edge Service names truncated if they were too long. You can now see the full name by hovering over the clipped name.
DEV-13211 Windows Airwall Agent The Airwall Agent now re-enables the Tempered TAP adapter on startup if it is disabled.
DEV-13209 Conductor Ping peer Airwall Gateways now includes Airwall Gateways that are acting as both a gateway and a Relay.
DEV-13207 Airwall Gateway Added the ability to specify PDP context IP type for cellular connections. In previous versions, the carrier-specific default was not overridden by the "ipv6" checkbox used in diag mode and airsh. This ipv6 checkbox has been replaced by an ip-type field, allowing customers to specify default (meaning carrier default), ipv4, ipv6, or dual-stack ipv4v6.

DEV-13202 Conductor Warning logs on Airwall Edge Services stating that a monitor is unsupported when the monitor is in fact supported have been removed.
DEV-13147 OSX Airwall Agent Fixed an issue with packet captures on the OSX Airwall Agent.
DEV-13134 Conductor Fixed an issue where importing an Airwall Edge Service that doesn’t exist silently fails the import.
DEV-13122 Android Airwall Agent Fixed an issue where failover from cellular to WiFi didn’t always work without a restart.
DEV-13121 Airwall Gateway Fixed an issue that caused overlay network traffic to become blocked when using the Airwall Gateway's overlay IP for serial-over-IP.
DEV-13117 Conductor Now all changes to Airwall Gateway port configurations are logged in the PCI user activities log.
DEV-13116 Conductor It is no longer possible to add non-local users (that is, those created in LDAP or OIDC) to a people group during creation by using Select all. You manage these people group memberships via groups in their respective systems.
DEV-13107 Conductor Added PCI logging for changes to Conductor web certificate and CA chains.
DEV-13101 Conductor Fixed an issue that could cause the packet capture feature in the Conductor support tab to show no capture interfaces.
DEV-13100 Airwall Gateway 150 Fixed an issue where upon applying certain types of port configurations, the overlay ports fail to link up until the next reboot of the Airwall.

DEV-13094 Airwall Gateway Fixed an issue that caused link fail-over times to be delayed by up to 30 seconds.
DEV-13078 Airwall Gateway Fixed an issue that caused the reboot setting in the underlay link manager to have no effect if any underlay port groups were configured as stand-alone.
DEV-13077 Serial-over-IP Fixed an issue that could cause serial-over-IP to become unresponsive after cellular outages.
DEV-13076 Conductor Fixed a bug that could cause HIP tunnels to become stale after temporary cellular link failures.
DEV-13072 Conductor Fixed Cellular signal strength timed out message.
DEV-13064 Conductor Some event actions have a target box. Filtering the target box by name is now working.
DEV-13063 Conductor Fixed a UI issue where button text wasn't visible on the HIP tunnel stats page when in Dark Mode.
DEV-13062 Conductor Fixed a UI error when modifying the recipient list of an existing alert.
DEV-13061 Cloud Updated paths for the 2.2.3 AW image ID in Google Cloud.
DEV-13060 Conductor Fixed an issue where Agent hostnames were not being correctly shown for provisioning requests.
DEV-13017 Linux Airwall Agent Fixed a non-fatal error that occurred when installing Ubuntu package on Debian.
DEV-13007 Airwall Agent Fixed an issue where we stop sending heartbeat traffic.
DEV-13001 Android Airwall Agent Fixed an issue where the Android Airwall Agent was sending an incorrect hostname when provisioning.
DEV-12944 Conductor Clarified routing conflict alerts.
DEV-12939 Airwall Gateway Fixed an issue where the noUnderlayNetwork status was not set properly. This resulted in the "No underlay network" status never being displayed on LCD screens of the Airwall Gateway-400 or -500.
DEV-12932 Conductor Fixed an issue where an Airwall Gateway generates routing alerts for east-west policy across two overlay port groups having the same subnet and overlay IP.
DEV-12906 Conductor Fixed an issue in device activity reporting.
DEV-12892 Conductor When there are no relay probe diagnostic results, a message now indicates that it is because the Airwall Gateway is not a member of any relay rules. Furthermore, fixed an issue where a value in the diagnostic data was misidentified as latency. In reality, this value is a score used to determine which relay to use. A lower score is better.
DEV-12882 Conductor Airwall Gateways that use stand-alone underlay port group configurations now reboot on link failure if the reboot feature is enabled.
DEV-12859 Airwall Gateway Removed extra repeated log messages that occurred when Airwall Gateway-300v did not have a virtual serial port attached.
DEV-12858 Conductor Fixed an issue where duplicate results in relay probe diagnostic data result from multiple interfaces attempting to connect to the relay. The Conductor now only shows the best results.
DEV-12855 Airwall Gateway Fixed an issue where the DHCP server / relay was not restarted when reconfiguring overlay port groups.
DEV-12828 Windows Airwall Agent Fixed an install issue with Windows 32-bit Airwall Agent.
DEV-12778 Windows Airwall Agent Installation timestamp now fixed in Conductor.
DEV-12755 Conductor Fixed an issue where User auth overlay membership was not correctly published in all cases when people were added and removed from people groups.
DEV-12731 Conductor HA-paired relays are now correctly named in the relay probe diagnostic tool.
DEV-12727 Airwall Gateway Fixed an issue where a relay was giving a "Relay could not find an IPv4 source address" error.
DEV-12710 Airshell Fixed an issue in Airshell where multiple cellular parameters could not be configured in one command.
DEV-12701 Airshell When using Airshell, if the Airwall Gateway is in Diagnostic Mode, networking is not automatically restarted when configuring underlay address ('conf network') or modem settings ('conf cell').
DEV-12697 Airshell Fixed an issue where the Airshell log command does not display the log file on virtual Airwall Gateways.
DEV-12684 Conductor When looking at voucher details, license model names are now in the same format as those on the licensing page.
DEV-12662 Airwall Gateway Fixed an issue where Airwall Gateways equipped with Quectel cellular modems did not properly report signal strength on the front-panel LEDs.
DEV-12648 Airwall Gateway Fixed an issue where the Airwall Gateway-150 USB console port USB descriptor reported that the port is AT command capable, causing ModemManager on Debian to probe the port as if it were a modem.
DEV-12608 Airwall Gateway Fixed an issue in firmware 2.2.3 and 2.2.5 where the SFP LEDs on the Airwall Gateway 150 remain on when the SFP port is not in use in some configurations.
DEV-12566 Conductor People groups created as a result of logging in via an authentication provider are now part of the PCI log.
DEV-12559 Conductor In the smart device group dialog, when "Ignore auto-discovered devices until accepted" is turned off, the group now picks up any existing discovered devices that match its rules.
DEV-12505 Conductor New PCI logs for Airwall Edge Services reconnect support function, starting a PCAP, stopping a PCAP, requesting a support bundle, and requesting a diagnostic report.
DEV-12496 Conductor Fixed an issue where event actions could have a text display error if you edit one action while editing another.
DEV-12434 Conductor, Airwall Gateway Added support for NATing subnet broadcasts on the device network.
DEV-12232 Airshell The two logins available on both Airwall Gateways and Conductor are "airsh" and "diag". All previous logins have been removed.
DEV-11810 Conductor The Conductor now displays a more helpful error page for Conductor session timeout.
DEV-11806 Cloud Cloud Diagnostics page Refresh button now refreshes the Protected Route table.
DEV-11795 Linux Airwall Agent Fixed an issue where the current profile is not changed as a result of an update.
DEV-11679 Airwall Gateway Fixed an issue where HA configured Airwall Gateways did not support the overlay DHCP feature after a fail-over.
DEV-11408 Android Airwall Agent Fixed an issue where an Android Airwall Agent failed to connect with peers if it had policy to network objects.
DEV-10081 Conductor Fixed an issue in the Create Conductor certificate dialog where hitting Enter didn’t save the certificate.
DEV-8347 Windows Airwall Agent Windows Support Bundles are now encrypted.

Known Issues

ID Applies to Description
DEV-14197 MacOS Airwall Agent When you update the macOS Airwall Agent, you may be required to restart. If you do not see the tray icon after the update finishes, restart your Mac to restore operation of the Airwall Agent.
DEV-13944 Airwall Gateway When a device is disabled it will only stop traffic to other devices on remote Airwall Gateways. Traffic to bypass destinations will continue. Traffic to other devices on the same Airwall Gateway will not be stopped in some situations.
DEV-13930 Alibaba Cloud Airwall Gateway, Conductor If you have created a new Alibaba Cloud Airwall Gateway with v2.2.8, there is an issue with the protected subnet id on the Cloud tab actually being the public subnet.

Workaround: You can avoid this issue by waiting to install the upcoming 2.2.8 hotfix on the Conductor before creating any Alibaba Cloud Airwall Gateways.

Workaround if you have already created an Alibaba Cloud Airwall Gateway:
  1. Apply this hotfix to your Conductor.
  2. If you are not using NTP for system time, on the Settings page, General setting tab, under System time, select Edit Settings, and then under Update date and time, select Set browser time and then select Update.
  3. For any cloud Alibaba Airwall Gateways, on the Cloud tab, Diagnostic subtab, click Refresh.
DEV-13916 Airwall Gateway Airwall Gateways running firmware version 2.2.8 will not use a Conductor URI that was previously learned from a DNS SRV record in v2.2.8 or a previous firmware revision.

This leaves the Airwall Gateways unable to connect to the Conductor if the Airwall Gateway previously used a DNS SRV record for configuration and is later moved to a network without a Tempered DNS SRV record.

Additionally, the Conductor setting that allows you to set the Conductor URI on all managed Airwall Gateways in Advanced Settings is not functional when used with DNS SRV record bootstrapping in firmware v2.2.8.

Workaround: Prior to installing 2.2.8 on Airwall Gateways, install Hotfix-13955. You can then install 2.2.8 on the Airwall Gateways.

If you have already installed 2.2.8 on Airwall Gateways and are experiencing this issue, please contact Customer Success for assistance, or you can manually configure the Conductor address in each Airwall Gateway using airsh or Diagnostic mode.

DEV-13913 Alibaba Cloud The 2.2.5 Airwall Gateway image in Alibaba Cloud deploys a 2.2.3 image instead.

Workaround: After you finish deploying, upgrade the Airwall Gateway to the version you want.

DEV-13887 Windows Airwall Agent or Server There is an issue on some Windows machines where the Windows Airwall Agent or Server cannot connect, even though ipconfig shows an auto-configured IP address for the Tempered TAP adapter (169.254.*.*), and the Conductor shows the device as online but with no IP address.

Workaround: Restart the service, or check your Airwall Agent or Server configuration in the Conductor.

DEV-13872 Conductor When running Ping all devices on the Support tab for a HA standby Airwall Gateway, no results are being displayed and the busy status indicator never times out.
DEV-13860 Conductor If you add a device when multiple port groups are already configured, the Port affinity list defaults to the first overlay port group, but the value set is "Detect automatically."

Workaround: Edit the device again and change it to set port affinity.

DEV-13846 Conductor Network admins cannot get the list of CAs and cannot add customer certificates to Airwalls through the UI, because the PKI button is not shown.
DEV-13813 Airwall Gateway 110g RS-422 / RS-485 functionality is not guaranteed on the Airwall 110 for the 2.2.8 release.
DEV-13811 Airwall Gateway When using an Airwall Gateway to provide high availability across multiple underlay links, do not place multiple interfaces in the underlay port groups or use bypass with routed-only mode disabled.
DEV-13775 Cloud The Conductor rarely gives a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error doesn't indicate that the deployment has failed – go to the Azure portal and check the actual deployment result.
DEV-13760 Conductor Device page export/import does not export or import Bypass Devices in this release.
DEV-13759 Airwall Gateway Detect Devices button may incorrectly report devices attached to other port groups or peer Airwalls if policy permits traffic from an Overlay IP to those destinations.
DEV-13607 Conductor Creating a link failover group (Airwalls -> Ports -> Failover settings) does not apply the settings to any port groups. This is easy to miss since you have to set the failover group on the ports page.
DEV-13297 Airwall Gateway When deploying seamless bypass in a layer 2 "bump in the wire" configuration, traffic from the protected device to non-bypass destinations outside of the local subnet does not work as expected. The traffic egresses the remote Airwall Gateway or other port group with the destination MAC address of the local default gateway. Using seamless bypass in layer 2 "bump in the wire" mode to provide remote access to the protected device with an overlay IP and SNAT enabled works as expected.

DEV-13194 Conductor An Airwall Edge Service's Check Connectivity / Ping Local Devices functionality can fail in Internet Explorer 11 if one of the devices is defined as a CIDR. To fix this, use one of the latest versions of Chrome, Firefox, Safari or Edge.
DEV-12852 Windows Airwall Agent The Windows Airwall Agent may not connect when multiple interfaces are active. This issue can be caused by a Windows default that doesn't allow multiple simultaneous active network interfaces, and prefers ethernet over cellular or WiFi. It can be bypassed by editing a registry value. See the troubleshooting steps in I am having trouble connecting.

DEV-12744 Airwall Gateway Customers with Airwall Agents version 2.2.1 or earlier connecting to HA-paired Conductors might not be able to authenticate a user auth session.

Recommendation: Upgrade Conductors and Airwall Agents to version 2.2.3 or above.

Workaround: After upgrades, if you still see connectivity issues, restart the Airwall Agent.

DEV-12692 API Documentation The API docs navigation section does not work in Chrome 80, though it worked on previous versions of Chrome. It is still working in Firefox and Safari, so customers should use one of these browsers to view the docs.
DEV-12544 Conductor If you restore a Conductor using a VM snapshot, and it is part of an HA pair, the Standby must be rebased as the standby. To do this, set the Standby Conductor to Active, and then back to Standby. This generates a new Standby Database.
DEV-12513 Cloud-Azure Conductor rarely gives a "Net::ReadTimeout" error when a user tries to deploy an Azure Airwall Gateway 300v or server. This doesn't indicate that the deployment has failed. If you get this error message, go to the Azure portal and check the actual deployment result.
DEV-12275 OSX Airwall Agent DNS settings are seen and acted upon, but do not show up in resolver list.
DEV-12264 Airwall Agent Revoking and then re-activating an Agent on a Conductor before v2.2.8 results in the Agent being unable to reconnect. Restarting the metadata cache on the Conductor resolves this issue.

DEV-11840 Conductor Attempting to log into a Standby Conductor with an expired password results in a repeating change-password prompt. If this occurs, log into the Active Conductor to change the password.
DEV-11523 Conductor In rare cases, the Airwall Edge Services online/offline status graph on the Dashboard might be blank.
DEV-10977 Cloud If one of the cloud attributes is missing, please reboot the Airwall Gateway by clicking the Airwall Gateway -> Actions -> Reboot.
DEV-10846 OSX Airwall Agent On OSX Airwall Agents, it may not be possible to stop an ongoing packet capture.

Workaround: Wait for the capture duration to expire.

DEV-10710 Conductor Supported platforms for Upgrade are not listed in order in Conductor.
DEV-10276 Windows Airwall Agent Tray Application doesn't start on Server 2008 because .NET fails to install silently.
DEV-8486 Conductor Clicking the Restart IF-MAP button will log the current user out.
DEV-8120 Conductor Infrequently, an Azure Airwall Gateway may fail to reconnect to Conductor after firmware upgrade. This can be fixed by going to the Azure portal and restarting the VM the Airwall Gateway resides on. It can take up to 10 or 15 mins to come back online.