Release Notes v3.0.0
Release Date: Nov 2, 2021
Important Notes
- Update all v2.1.x Airwall Edge Services – It is recommended that you update all v2.1.x and earlier Airwall Edge Services with v2.2.x or later before installing v3.0.0. With this release, any Airwall Edge Services running v2.1.x firmware show an error in the Conductor. For more information, see Update v2.1.x Airwall Edge Services for the v3.0.0 Conductor.
- If you are updating a virtual Conductor to v3.0.0 or later – You may need to expand the disk size for the virtual machine to 1GB. For instructions, see your virtual machine documentation, or the suggested VMware and Hyper-V instructions at Expand the Disk Size for a virtual Airwall Gateway.
End of Life/End of Support Bulletins
- 2.1.x End of Life – See Software support end of life for versions 2.1.x and earlier. For update instructions, see Update v2.1.x Airwall Edge Services for the v3.0.0 Conductor.
- Ubuntu16 and Centos7 End of Support – See AWS and Azure Linux OS Versions End of Support
Update Considerations
You may want to update to this version to use the following features:
- Backhaul Bypass
- Import people using a CSV file
- Customize Permissions for System and Network Administrators
- Customizing the Conductor Login page
- Customizing Conductor emails
- Disconnected Mode – Reduce Conductor traffic from Airwall Agents
- Airwall Invitation improvements – Walkthrough - Onboard people to your Airwall secure network with User Authentication
- Airwall Linux Agent Airshell commands
- Manage Failover between Underlay Port Groups
- Run Network Activity Reports
Downloads
For firmware and software downloads for this version, see 3.0.0 firmware and software.
What's New in 3.0.0
This version of the Airwall Solution includes several usability and functionality improvements that can simplify and streamline the setup and administration of an Airwall secure network.
Add Trust Policy using Drag-and-drop
You can now add and remove trust between devices on an overlay visually, or through context menus on a graph. Changes to trust on the graph are reflected on the Devices tab.
Learn more – Adding and removing device trust
Backhaul Bypass
You can designate an Airwall Gateway as a bypass egress and then point other Airwall Gateways at it so they can reach bypass destinations through the designated bypass egress Airwall Gateway.
Learn more – Backhaul Bypass
Bulk Editing of People and People Groups
You can add many local users to the Conductor at one time by importing them in bulk. You export a .csv file as a template or with current users, and then import to add people to the Conductor in one step.
Customized Permissions for System and Network Administrators
You can fine tune permissions for system and network administrators, giving you finer control over permissions on your network.
Learn more – Customize Permissions for System and Network Administrators
Streamlined Conductor View for Network Administrators
One of the custom permissions you can set for Network administrators provides them with a streamlined view that can simplify their workflow. Network administrators using the streamlined view can manage their overlays, and the devices, Device groups, and Airwall Edge Services in them.
Learn more – Set a Streamlined View for a Network Administrator
Reports
You can now run reports on different types of network activity on your Airwall secure network, including:
- Onboarding and offboarding of Airwall Edge Services or people
- Status of Airwall Edge Services or devices
- Conductor local or remote access
Learn more – Run Network Activity Reports
Monitors and Alerts
This version includes the following additions:
- CPU Frequency – The Airwall health data monitors can now monitor CPU frequency.
- Details for Intrusion prevention – Intrusion prevention alerts now indicate which devices are the source or destination of the alert where possible.
Conductor Customization
You can customize the Conductor login screen and emails sent from the Conductor for your business. Here's what you can customize:
- Conductor login screen – Add your company logo, and change the background colors and favicon.
- Conductor emails – Add your company logo and change the text color. You can also customize the subject line and add a note from the administrator when sending Airwall Invitations.
Disconnected Mode
Reduce the traffic from Airwall Agents connecting to your Conductor by setting up Disconnected mode. In Disconnected mode, Airwall Agents connect to your Conductor at intervals – between 10 minutes and 12 hours (720 minutes) – to get updates when people are not actively using the connection.
By reducing the traffic on your Conductor, Disconnected mode allows you to improve performance and scalability of your Airwall secure network. In v3.0, Disconnected mode is supported by the v3.0 Android, Linux, and macOS Airwall Agents.
Airwall Invitations
This version includes several enhancements to Airwall Invitations:
- When you're creating People groups with user onboarding enabled, you now have the option to send email to users when they get an activation code in the system. The email provides instructions on how to download an Airwall Agent and connect it to the Conductor.
- The email sent with Airwall Invitations has more options for customization. See Conductor Customization above.
- Airwall Invitations can now be used to give activation codes to existing users in addition to sending them to an email address or bulk downloading them. See the .
- The naming schema for Airwall Invitations can now include the hostname of the connecting Airwall Edge Service.
- You can now include the hostname of the connecting Airwall Edge Service when naming devices connecting using Airwall Invitations.
Learn more – Walkthrough - Onboard people to your Airwall secure network with User Authentication
Linux Airwall Linux Agent
This version includes these additions to the Linux Airwall Linux Agent:
- DockerHub deployment – The Linux Airwall Linux Agent can now be deployed in a container from DockerHub using Ubuntu18 and CentOS8. For additional example Dockerfiles, contact Customer Success at Customer Success.
- Supports Airshell – The Linux Airwall Linux Agent now has the Airshell command-line utility. To start it, type sudo airsh (root user) or sudo airwall -s
- Ping from port groups – The ping function can now ping from the underlay or overlay port groups.
- Firmware updates – The Linux Airwall Linux Agent can now be updated from the Conductor.
Conductor Tutorials and Help
The Conductor now contains several tutorials to help you set up and configure a new Conductor, as well as use and understand different features in the Conductor. You can also directly access Airwall help from the Conductor:
Licensing Updates
In v3.0, the following licenses have been changed:
- The Airwall Gateway 100V is no longer available
- You no longer need a separate license for port mirroring
Manage failover between underlay port groups
The Link Manager that Conductor uses to manage port failover groups has been improved. The following has been updated:
- You can now set port group link auto-repair globally per Airwall Gateway.
- You can now manage underlay links independently by traffic type.
- When you set up link failover groups, you can now require all pings to be successful if multiple ping destinations are assigned.
Learn more – Manage Failover between Underlay Port Groups
API Updates
The following updates and improvements have been made to the API:
- Pagination is turned on by default in 3.0 for all index endpoints, which may affect existing scripts. Enabling pagination helps scale Conductor capacity. If you need to preserve existing behavior, add a query parameter for pagination=false to any index API endpoints you are using.
- The API for Airwall Invitations now includes new invitation methods: email invites, download multiple activation codes, apply an invite to an existing person, or download a reusable invitation. The documentation has also been updated.
- People reference now includes person_group_ids and overlay_network_ids.
- Person groups reference now includes user onboarding configuration information.
Terraform Deployment Support
This version contains Terraform deployment support for Conductors, Airwall Gateways, and Linux Airwall Linux Agents for all supported Cloud Providers. For example plans, please contact Customer Success at Customer Success.
New and Improved Conductor Features
- Dashboard
  - The Dashboard now includes a Provisioning tab where you can see and manage all provisioning requests.
- General
  - There is now infinite scrolling for lists on most pages, and streamlined inline editing, including direct editing of names and tags at the top on most pages.
- Devices page
  - This page has been simplified, and provides more details on device conflicts to help you troubleshoot.
- People page
  - Administrators can now view the Airwalls owned by a person from the person details page.
- Settings
  - The Conductor Settings page has been streamlined and reorganized to make it easier to find the settings you want.
- New Airwall Agent user authentication settings
  - New settings allow you to automate assigning an Airwall Agent owner: Require owner for Airwall Agent authorization and Auto-assign Airwall agent owner on login.
- Replacing Airwalls
  - You now have the option to revoke, or both revoke and delete, a source Airwall Edge Service after replacing. Replaced Airwall Edge Services that are not deleted are named "<old name (Replaced by UID of replacement)>" to make them easier to find.
- Diagnostic Tools on the Standby Conductor
  - You can now use diagnostic tools on a Standby Conductor.
- Better CA certificate replacement and removal handling
  - When you replace your CA certificates, any Airwall Gateways with custom certs installed now check their cert against the new CA. If they cannot be verified, the cert is removed so the Airwall Gateway does not lose access to the Conductor. If the CA is removed entirely, all customer certs are also removed.
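A pre-check an administrator could run before replacing the CA, as an added example that is not from the Airwall documentation: it uses openssl verify to list which custom certificates would still chain to the replacement CA and which would not. All file names and the demo PKI are constructed, and how the Airwall Gateway performs its own check is not shown on this page.

```shell
#!/bin/sh
# Added example: which custom certs still verify against a replacement CA?
# File names are hypothetical; the demo PKI below is constructed sample data.

# cert_verifies CA_FILE CERT_FILE: exit status 0 if CERT_FILE chains to CA_FILE.
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report_certs CA_FILE CERT...: prints KEEP or REMOVE for each certificate and
# returns the number of certificates that do not verify against CA_FILE.
report_certs() {
    new_ca=$1
    shift
    failed=0
    for cert in "$@"; do
        if cert_verifies "$new_ca" "$cert"; then
            echo "KEEP   $cert"
        else
            echo "REMOVE $cert"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# issue_cert DIR NAME CA_NAME: constructed leaf certificate signed by CA_NAME.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 \
        -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: two constructed CAs; gw-a is signed by the old CA,
# gw-b by the new one.
make_demo_pki() {
    for name in old-ca new-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-$name" \
            -keyout "$1/$name.key" -out "$1/$name.pem" 2>/dev/null || return 1
    done
    issue_cert "$1" gw-a old-ca && issue_cert "$1" gw-b new-ca
}

# demo: build the sample PKI in a temp directory and report against the new CA.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || return 1
    report_certs "$tmp/new-ca.pem" "$tmp/gw-a.pem" "$tmp/gw-b.pem"
    echo "certificates that would not verify: $?"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with --demo to see the report on the constructed certificates, or call report_certs with the replacement CA file and your own certificate files.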
New and Updated Help
In addition to the content added for new features linked above, here’s the new and updated content published since our last major release:
- Walkthrough - Onboard people to your Airwall secure network with User Authentication
- Configure Port Groups with Airshell
- Set up Conductor high availability
- Managing devices dynamically with Smart Device Groups
- Configuring a Conductor IP, Friendly URL, or Port
- Understand People Roles and Permissions
- Configure Conductor Remote Logging
- Enable DNS lookup for bypass destinations
- Monitor Activity and Connections
- Integrate Third-party Authentication with OpenID Connect
- Airwall Gateway Airshell Console Commands
- airsh - New conf model command
Fixes
ID | Applies to | Description |
---|---|---|
DEV-16491 | Cellular Airwall Gateways | Fixed an issue where underlay interface MTU was not considered in tunnel overlay MTU, and another where the path MTU didn't work correctly across local bypass configurations. Known issue – The path MTU doesn't work across backhaul bypass. Make sure any backhaul bypass egress Airwall Gateways have a full 1500 byte standard Ethernet MTU (that is, do not use a cell modem). |
DEV-16233 | Airwall Gateways | Fixed an issue where Ping <ip or hostname> (in Airwall Diagnostics) returned false negatives for hostnames longer than 46 bytes. |
DEV-16102 | Airshell, Airwall Gateways | The Airshell firmware-fallback command is now functional on Advantech (Airwall AV-3200 series). |
DEV-15942 | Airwall Gateways | Fixed a DNS resolver issue that could cause long delays for Airwall Gateways trying to reconnect to the Conductor when configured with a hostname. |
DEV-15938 | Airshell | The 'activate' command in Airshell now takes the activation code as an optional argument. For example, activate 75820b33fa5a. |
DEV-15860 | Hardware Conductor | Fixed an issue where the Conductor-500 LCD panel would display "Conductor unreachable". |
DEV-15835 | Conductor | Fixed an issue where the Traffic stats monitor alerts indicated traffic in kB/s when the correct value is Kb/s (kilobits per second). |
DEV-15784 | Diagnostic mode | Fixed an issue where bridging all overlay interfaces was causing problems when an Airwall Gateway was in Diag mode. |
DEV-15762 | Conductor | Fixed an issue where readonly users appeared to be able to edit some tag-related event actions. |
DEV-15761 | Conductor | Fixed an issue where readonly users appeared to be able to edit some person group user onboarding settings. |
DEV-15760 | Conductor | Intrusion prevention controls are now disabled unless the user has edit permission for the Airwall Edge Service. |
DEV-15759 | Conductor | Fixed an issue where readonly users appeared to be able to create Airwall Invitations with a template. |
DEV-15757 | Conductor | Fixed an issue where readonly users appeared to be able to edit tags. |
DEV-15736 | Airwall Gateways | Fixed an issue where the Ping Peers diagnostic feature didn't support multiple peers with the same underlay IP address. |
DEV-15707 | Conductor | Fixed an issue where users could not remove all relays from an overlay-managed relay rule. |
DEV-15679 | Conductor | Your previous login selection is now saved regardless of provider (local, LDAP, or OpenID connect). |
DEV-15653 | Conductor | Instructions for setting up OpenID Connect on HA standby Conductors are now clearer. |
DEV-15534 | Cloud Airwall Gateways | Fixed an issue where detecting the underlay NAT IP of a cloud 300v Airwall Gateway wasn't being sent to peer Airwall Gateways |
DEV-15525 | Conductor | Fixed an issue during a device import where you could select Next even though there was an error. |
DEV-15420 | Conductor | Fixed an issue where you could enable passive device discovery before selecting an Overlay port group. |
DEV-15393 | Linux Airwall Linux Agents | Fixed the invalid log level error message when starting up a Linux Airwall Linux Agent. |
DEV-15203 | Airwall Gateways | Fixed an issue that could cause passive device detection to ignore devices when traffic is seen immediately after reboot. |
DEV-14908 | Conductor | Display a warning when there is a mismatch in authentication providers for an Airwall Agent owner and the user auth allowed in the Conductor that would prevent a user from authenticating a remote session. |
DEV-14608 | Airwall Gateways | Fixed an issue that could prevent initialization of port groups with VLAN interfaces if the parent port was removed from another port group. |
DEV-14471 | Diagnostic mode | Port group numbers are no longer incremented by 2 in diag mode. |
DEV-14318 | Conductor, Linux Airwall Linux Agents | Fixed an issue where the Linux Airwall Linux Agent wouldn't always get policy updates until it was rebooted. |
DEV-13587 | Conductor | Clarified language in the Add / Remove tag monitor action. |
DEV-11607 | Airwall Gateways | Fixed an issue in the health data capture for Airwall Gateways that showed all overlay ports as having no link. |
DEV-11524 | Android Airwall Agents | Fixed an issue where Android was reporting incorrect IPs for interfaces on its Ports tab in the Conductor. |
Known Issues
ID | Applies to | Description |
---|---|---|
DEV-16807 | Airwall Gateways | Airwall Gateways that used an auto-configured Conductor URL from a DNS SRV record appear for initial provisioning but fail to connect back to the Conductor to be managed. Workaround – Set the Conductor URL manually on the Airwall Gateway using |
DEV-16503 | macOS Airwall Agents | Deleting a profile does not immediately delete the associated private key. Workaround – Switch to a different profile before creating a profile after deleting one. |
DEV-16397 | Conductor | If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor, or go to and select Restart metadata cache to update the LSI prefix. |
DEV-16322 | Conductor | If a person is in more than one person group that has access windows set for the group, they can only authenticate for a remote session during times that are inside all of the access windows for those person groups. |
DEV-16068 | Amazon Web Services Conductor | To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image. |
DEV-16059 | Airwall Gateways | When HA-pairing two Airwall Gateways that do not have the HA link plugged in correctly, the Conductor displays no actionable error message and the HA setup never completes. |
DEV-15982 | Conductor | Traffic stats reporting graphs generally show a smooth curve between data points. However, over time the graph can show up with sharper angles. The data is still correct, but this is a known issue with the graphing library used by the Conductor. |
DEV-15887 | Airwall Gateways | You cannot currently add VLAN interfaces to the Ruggedcom platform. |
DEV-15808 | Google Cloud Airwall Gateways | Google Cloud Airwall Gateways with the same VM name have the same device serial number, which can result in a failure when you make a license request in the Conductor. Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways. |
DEV-15791 | Airwall Gateways | On the Airwall Gateway 100, Port 2 might be inactive after a factory-reset. Workaround – After a factory reset, manually reboot the Airwall Gateway 100. |
DEV-15787 | macOS Airwall Agents | If a person who already has a profile makes a Request to Connect from the Remote Access User portal on the same Conductor, no profile is created. Workaround – If the user wants a second profile, they can use an invite code or enter the Conductor information manually. |
DEV-15705 | macOS Airwall Agents | Establishing a tunnel TO a mobile Airwall Agent (iOS or Android) fails when there is no Airwall Relay involved. Workaround – Establish the tunnel FROM the mobile Airwall Agent. |
DEV-15572 | Airwall Gateways | If you do not specify a gateway in the DHCP server configuration, the DHCP client cannot configure a default gateway. Workaround – Unless you want to configure a single isolated subnet, always specify a gateway. For example, a subnet for networked PDUs that should not have any outside connectivity aside from remote access through an Airwall Gateway, and used in conjunction with SNAT over the overlay port group. See https://tempered.force.com/TemperedSupportCenter/s/article/DHCP-server-isn-t-serving-as-a-gateway. |
DEV-15357 | macOS Airwall Agents | If you update the macOS Airwall Agent to a release later than v2.2.11 on macOS Mojave using a Conductor-based update package, it may not report the updated version to the Conductor. Workaround – Restart the Airwall Agent or reapply the update. |
DEV-15338 | Linux Airwall Linux Agents | If using a recent systemd-based Linux distribution including Fedora 33 and Debian 11, disable systemd-networkd MAC address randomization of the hip1 interface. |
DEV-15302 | macOS Airwall Agents | The profile for a macOS Airwall Agent does not work correctly when restored to a new computer using Time Machine. Workaround – Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one. |
DEV-15219 | Cellular 110g Airwall Gateways | The Airwall Gateway 110g does not work on the Bell Mobility (Canada) cellular provider because they require the use of an http/https proxy. |
DEV-15031 | Airwall Gateways | Remote syslog over TLS doesn't work when using keys stored in TPM. |
DEV-14860 | Conductor | Airwall Gateways on older firmware (pre v2.2.0) may send passively-discovered device events to the Conductor even when the feature is off. |
DEV-14835 | Conductor | Airwall Gateway 150 serial numbers look like exponentiated numbers to Windows Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number. |
DEV-14739 | Airwall Gateways | If you set IPv4 to DHCPv4 and set a static IP address for IPv6, the setting that you set second doesn't get saved. Workaround – If you need both IPv4 and IPv6, set static IP addresses for both. |
DEV-14736 | Cellular Airwall Gateways | Cellular details may display as "unavailable" on the first boot after you update an Airwall Gateway. The cellular connections are not affected. Workaround – Reboot the Airwall Gateway again to correctly display the cellular details. |
DEV-14726 | Conductor | If you're viewing an Android Airwall Agent Ports tab and the Airwall Agent changes how it is connected to the Conductor (for example, from WiFi to cellular), the display doesn't update correctly. Workaround – Refresh the page. |
DEV-14715 | macOS Airwall Agents | Big Sur ARM64 Macs are not supported in this release |
DEV-14610 | Conductor | After changing the Reporting traffic stats reporting time, the CPU graph does not display. Workaround – Refresh your browser page. |
DEV-14584 | Cellular Airwall Gateways | Hot-swapping the SIM on an Airwall Gateway 110 with firmware version v2.2.11 may not work. Workaround – Reboot the Airwall Gateway after installing a new SIM card. |
DEV-14570 | Conductor | If you set an Airwall Agent owner to a user (LDAP, local, or OIDC) and someone attempts to user authenticate with a different OIDC user, they will not be able to authenticate (which is the correct behavior), but they see a 500 instead of a helpful error message. |
DEV-14551 | Conductor | The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message. |
DEV-14426 | Conductor, Airwall Gateways | Bypass destinations with a hostname do not show device activity in the Conductor. |
DEV-14308 | OpenHIP | Initial packets are dropped while building a new tunnel to a new peer Airwall Gateway. |
DEV-14249 | iOS Airwall Agents | Tunnel Status may show as unavailable on iOS. Workaround – You can determine tunnel status by checking packets sent or received. |
DEV-14218 | Airwall Gateways | NAT broadcast applied to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices. |
DEV-14045 | Android and iOS Airwall Agents | iOS does not currently support overlay ping. |
DEV-14015 | OpenHIP | If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay. Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate. |
DEV-13775 | Azure Cloud Airwall Gateways | The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error doesn't indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result. |
DEV-13650 | Conductor | SoIP device activity is not being reported on an Airwall Gateway Local Devices tab. |
DEV-13640 | Conductor | Airwall Relay diagnostics do not work on a Standby Conductor. |
DEV-13633 | Conductor | A standby Conductor shows available firmware downloads, but they cannot be downloaded. Workaround – Download firmware from the active Conductor. |
DEV-13620 | Conductor | In | , the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly.
DEV-13607 | Conductor, Airwall Gateways | Creating a link failover group does not apply the settings to any port groups. You must also assign the failover group to port groups on the Ports page. |
DEV-13588 | Conductor | Opening the Conductor on Internet Explorer 11 can be very slow for medium to large deployments. Workaround – Use the latest version of Chrome, Firefox, or Edge instead. |
DEV-13531 | Cloud Conductor | Automatically creating Cloud HA Conductors only works if you use the same cloud provider for both active and standby Conductors. For example, AWS HA Active and AWS HA Standby. Workaround – You can manually set up different cloud providers as HA pair Conductors. |
DEV-13474 | Airwall Gateways | If you configure multiple overlay port groups with the same overlay IP subnet (same or different IP addresses) and then create a local device equal to the entire subnet with port affinity set, it may not lead to the expected result. |
DEV-13331 | Alibaba Cloud Airwall Gateways | The Alibaba Cloud Conductor system time is incorrect. Workaround – Change the Conductor system time to browser time: In Conductor Settings, under System time, select Edit Settings, select Set browser time, and then select Update Settings. |
DEV-13195 | Conductor, Airwall Gateways | When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become "Unavailable." Workaround – Reboot and the details return. |
DEV-13194 | Conductor | Airwall Gateway fails in Internet Explorer 11 if one of the devices is defined as a CIDR. Workaround – Use one of the latest versions of Chrome, Firefox, Safari or Edge. |
for an
DEV-11710 | macOS Airwall Agents | If you change the LSI prefix on the Conductor, the macOS Airwall Agent doesn't update the routes correctly. Workaround – Close and reopen the macOS Airwall Agent. |
DEV-10590 | Cloud Airwall Gateways | The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider. |
DEV-10039 | Airwall Gateways | An Airwall Gateway-150 can show "could not detect attached switch" intermittently. |
DEV-9546 | Airwall Gateways, Airwall Gateways 150 | The Airwall Gateway-150 serial connection has an intermittent issue when large amounts of data are sent over the console. |