Release Notes v3.0.0

Release Date: Nov 2, 2021

Important Notes

  • Update all v2.1.x Airwall Edge Services – It is recommended that you update all v2.1.x and earlier Airwall Edge Services with v2.2.x or later before installing v3.0.0. With this release, any Airwall Edge Services running v2.1.x firmware show an error in the Conductor. For more information, see Update v2.1.x Airwall Edge Services for the v3.0.0 Conductor.
  • If you are updating a virtual Conductor to v3.0.0 or later – You may need to expand the disk size for the virtual machine to 1GB. For instructions, see your virtual machine documentation, or the suggested VMware and Hyper-V instructions at Expand the Disk Size for a virtual Airwall Gateway.

End of Life/End of Support Bulletins

Update Considerations

What's New in 3.0.0

This version of the Airwall Solution includes several usability and functionality improvements that can simplify and streamline the setup and administration of an Airwall secure network.

Add Trust Policy using Drag-and-drop

You can now add and remove trust between devices on an overlay visually, or through context menus on a graph. Changes to trust on the graph are reflected on the Devices tab.

Learn more Add and remove device trust

Backhaul Bypass

You can designate an Airwall Gateway as a bypass egress and then point other Airwall Gateways at it so they can reach bypass destinations through the designated bypass egress Airwall Gateway.

Learn more Backhaul Bypass

Bulk Editing of People and People Groups

You can add many local users to the Conductor at one time by importing them in bulk. You export a .csv file as a template or with current users, and then import to add people to the Conductor in one step.

Learn more

Customized Permissions for System and Network Administrators

You can fine tune permissions for system and network administrators, giving you finer control over permissions on your network.

Learn more Customize Permissions for System and Network Administrators

Streamlined Conductor View for Network Administrators

One of the custom permissions you can set for Network administrators provides them with a streamlined view that can simplify their workflow. Network administrators using the streamlined view can manage their overlays, and the devices, Device groups, and Airwall Edge Services in them.

Learn more Set a Streamlined View for a Network Administrator

Reports

You can now run reports on different types of network activity on your Airwall secure network, including:

  • Onboarding and offboarding of Airwall Edge Services or people
  • Status of Airwall Edge Services or devices
  • Conductor local or remote access

Learn more Run Network Activity Reports

Monitors and Alerts

This version includes the following additions:

  • CPU Frequency – The Airwall health data monitors can now monitor CPU frequency.
  • Details for Intrusion prevention – Intrusion prevention alerts now indicate which devices are the source or destination of the alert where possible.

Conductor Customization

You can customize the Conductor login screen and emails sent from the Conductor for your business. Here's what you can customize:

  • Conductor login screen – Add your company logo, and change the background colors and favicon.
  • Conductor emails – Add your company logo and change the text color. You can also customize the subject line and add a note from the administrator when sending Airwall Invitations.

Learn more

Disconnected Mode

Reduce the traffic from Airwall Agents and Servers connecting to your Conductor by setting up Disconnected mode. In Disconnected mode, Airwall Agents and Servers connect to your Conductor at intervals – between 10 minutes and 12 hours (720 minutes) – to get updates when people are not actively using the connection.

By reducing the traffic on your Conductor, Disconnected mode allows you to improve performance and scalability of your Airwall secure network. In v3.0, Disconnected mode is supported by the v3.0 Android, Linux, and macOS Airwall Agents and Servers.

Learn more

Airwall Invitations

This version includes several enhancements to Airwall Invitations:

  • When you're creating People groups with user onboarding enabled, you now have the option to send email to users when they get an activation code in the system. The email provides instructions on how to download an Airwall Agent and connect it to the Conductor.
  • The email sent with Airwall Invitations has more options for customization. See Conductor Customization above.
  • Airwall Invitations can now be used to give activation codes to existing users in addition to sending them to an email address or bulk downloading them. See the Airwalls > New Airwall invitations.
  • The naming schema for Airwall Invitations can now include the hostname of the connecting Airwall Edge Service.
  • You can now include the hostname of the connecting Airwall Edge Service when naming devices connecting using Airwall Invitations.

Learn more Walkthrough - Onboard people to your Airwall secure network with User Authentication

Linux Airwall Server

This version includes these additions to the Linux Airwall Server:

  • DockerHub deployment – The Linux Airwall Server can now be deployed in a container from DockerHub using Ubuntu18 and CentOS8. For additional example Dockerfiles, contact Customer Success at Customer Success.
  • Supports Airshell – The Linux Airwall Server now has the Airshell command-line utility. To start it, type sudo airsh (root user) or sudo airwall -s
  • Ping from port groups – The ping function can now ping from the underlay or overlay port groups.
  • Firmware updates – The Linux Airwall Server can now be updated from the Conductor.

Learn more

Conductor Tutorials and Help

The Conductor now contains several tutorials to help you set up and configure a new Conductor, as well as use and understand different features in the Conductor. You can also directly access Airwall help from the Conductor:


Accessing tutorials and help from the Conductor

Learn more

Licensing Updates

In v3.0, the following licenses have been changed:

  • The Airwall Gateway 100V is no longer available
  • You no longer need a separate license for port mirroring

Manage failover between underlay port groups

The Link Manager that Conductor uses to manage port failover groups has been improved. The following has been updated:

  • You can now set port group link auto-repair globally per Airwall Gateway.
  • You can now manage underlay links independently by traffic type.
  • When you set up link failover groups, you can now require all pings to be successful if multiple ping destinations are assigned.

Learn moreManage Failover between Underlay Port Groups

API Updates

The following updates and improvements have been made to the API:

  • Pagination is turned on by default in 3.0 for all index endpoints, which may affect existing scripts. Enabling pagination helps scale Conductor capacity. If you need to preserve existing behavior, add a query parameter for pagination=false to any index API endpoints you are using.
  • The API for Airwall Invitations now includes new invitation methods: email invites, download multiple activation codes, apply an invite to an existing person, or download a reusable invitation. The documentation has also been updated.
  • People reference now includes person_group_ids and overlay_network_ids.
  • Person groups reference now includes user onboarding configuration information.

Terraform Deployment Support

This version contains Terraform deployment support for Conductors, Airwall Gateways, and Linux Airwall Servers for all supported Cloud Providers. For example plans, please contact Customer Success at Customer Success.

New and Improved Conductor Features

Dashboard
The Dashboard now includes a Provisioning tab where you can see and manage all provisioning requests.
General
There is now infinite scrolling for lists on most pages, and streamlined inline editing, including direct editing of names and tags at the top on most pages.
Devices page
This page has been simplified, and provides more details on device conflicts to help you troubleshoot.
People page
Administrators can now view the Airwalls owned by a person from the person details page.
Settings
The Conductor Settings page has been streamlined and reorganized to make it easier to find the settings you want.
New Airwall Agent user authentication settings
New settings allow you to automate assigning an Airwall Agent owner: Require owner for Airwall Agent authorization and Auto-assign Airwall agent owner on login.
Replacing Airwalls
You now have the option to revoke, or both revoke and delete, a source Airwall Edge Service after replacing. Replaced Airwall Edge Services that are not deleted are named "<old name (Replaced by UID of replacement)>" to make them easier to find.
Diagnostic Tools on the Standby Conductor
You can now use diagnostic tools on a Standby Conductor.
Better CA certificate replacement and removal handling

When you replace your CA certificates, any Airwall Gateways with custom certs installed now check their cert against the new CA. If they cannot be verified, the cert is removed so the Airwall Gateway does not lose access to the Conductor. If the CA is removed entirely, all customer certs are also removed.

Learn more

New and Updated Help

In addition to the content added for new features linked above, here’s the new and updated content published since our last major release:

Fixes

ID Applies to Description
DEV-16491 Cellular Airwall Gateways Fixed an issue where underlay interface MTU was not considered in tunnel overlay MTU, and another where the path MTU didn't work correctly across local bypass configurations. Known issue – The path MTU doesn't work across backhaul bypass. Make sure any backhaul bypass egress Airwall Gateways have a full 1500 byte standard Ethernet MTU (that is, do not use a cell modem).
DEV-16233 Airwall Gateways Fixed an issue where Ping <ip or hostname> (in Airwall Diagnostics) returned false negatives for hostnames longer than 46 bytes.
DEV-16102 Airshell, Airwall Gateways The Airshell firmware-fallback command is now functional on Advantech (Airwall AV-3200 series).
DEV-15942 Airwall Gateways Fixed a DNS resolver issue that could cause long delays for Airwall Gateways trying to reconnect to the Conductor when configured with a hostname.
DEV-15938 Airshell The 'activate' command in Airshell now takes the activation code as an optional argument. For example, activate 75820b33fa5a.
DEV-15860 Hardware Conductor Fixed an issue where the Conductor-500 LCD panel would display "Conductor unreachable".
DEV-15835 Conductor Fixed an issue where the Traffic stats monitor alerts indicated traffic in kB/s when the correct value is Kb/s (kilobits per second).
DEV-15784 Diagnostic mode Fixed an issue where bridging all overlay interfaces was causing problems when an Airwall Gateway was in Diag mode.
DEV-15762 Conductor Fixed an issue where readonly users appeared to be able to edit some tag-related event actions.
DEV-15761 Conductor Fixed an issue where readonly users appeared to be able to edit some person group user onboarding settings.
DEV-15760 Conductor Intrusion prevention controls are now disabled unless the user has edit permission for the Airwall Edge Service.
DEV-15759 Conductor Fixed an issue where readonly users appeared to be able to create Airwall Invitations with a template.
DEV-15757 Conductor Fixed an issue where readonly users appeared to be able to edit tags.
DEV-15736 Airwall Gateways Fixed an issue where the Ping Peers diagnostic feature didn't support multiple peers with the same underlay IP address.
DEV-15707 Conductor Fixed an issue where users could not remove all relays from an overlay-managed relay rule.
DEV-15679 Conductor Your previous login selection is now saved regardless of provider (local, LDAP, or OpenID connect).
DEV-15653 Conductor Instructions for setting up OpenID Connect on HA standby Conductors are now clearer.
DEV-15534 Cloud Airwall Gateways Fixed an issue where detecting the underlay NAT IP of a cloud 300v Airwall Gateway wasn't being sent to peer Airwall Gateways
DEV-15525 Conductor Fixed an issue during a device import where you could select Next even though there was an error.
DEV-15420 Conductor Fixed an issue where you could enable passive device discovery before selecting an Overlay port group.
DEV-15393 Linux Airwall Servers Fixed the invalid log level error message when starting up a Linux Airwall Server.
DEV-15203 Airwall Gateways Fixed an issue that could cause passive device detection to ignore devices when traffic is seen immediately after reboot.
DEV-14908 Conductor Display a warning when there is a mismatch in authentication providers for an Airwall Agent owner and the user auth allowed in the Conductor that would prevent a user from authenticating a remote session.
DEV-14608 Airwall Gateways Fixed an issue that could prevent initialization of port groups with VLAN interfaces if the parent port was removed from another port group.
DEV-14471 Diagnostic mode Port group numbers are no longer incremented by 2 in diag mode.
DEV-14318 Conductor, Linux Airwall Servers Fixed an issue where the Linux Airwall Server wouldn't always get policy updates until it was rebooted.
DEV-13587 Conductor Clarified language in the Add / Remove tag monitor action.
DEV-11607 Airwall Gateways Fixed an issue in the health data capture for Airwall Gateways that showed all overlay ports as having no link.
DEV-11524 Android Airwall Agents Fixed an issue where Android was reporting incorrect IPs for interfaces on its Ports tab in the Conductor.

Known Issues

ID Applies to Description
DEV-16807 Airwall Gateways Airwall Gateways that used an auto-configured Conductor URL from a DNS SRV record appear for initial provisioning but fail to connect back to the Conductor to be managed.

Workaround – Set the Conductor URL manually on the Airwall Gateway using conductor set <conductor_url>. For example, conductor set conductor.example.com.

DEV-16503 macOS Airwall Agents Deleting a profile does not immediately delete the associated private key.

Workaround – Switch to a different profile before creating a profile after deleting one.

DEV-16397 Conductor If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor, or go to Settings > Diagnostics and select Restart metadata cache to update the LSI prefix.
DEV-16322 Conductor If a person is in more than one person group that has access windows set for the group, they can only authenticate for a remote session during times that are inside all of the access windows for those person groups.
DEV-16068 Amazon Web Services Conductor To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image.
DEV-16059 Airwall Gateways When HA-pairing two Airwall Gateways that don't have the HA link plugged in correctly, the Conductor displays no actionable error message and the HA setup never completes.
DEV-15982 Conductor Traffic stats reporting graphs generally show a smooth curve between data points. However, over time the graph can show up with sharper angles. The data is still correct, but this is a known issue with the graphing library used by the Conductor.
DEV-15887 Airwall Gateways You cannot currently add VLAN interfaces to the Ruggedcom platform.
DEV-15808 Google Cloud Airwall Gateways Google Cloud Airwall Gateways with the same VM name have the same device serial number, which can result in a failure when you make a license request in the Conductor.

Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways.

DEV-15791 Airwall Gateways On the Airwall Gateway 100, Port 2 might be inactive after a factory-reset.

Workaround – After a factory reset, manually reboot the Airwall Gateway 100.

DEV-15787 macOS Airwall Agents If a person who already has a profile makes a Request to Connect from the Remote Access User portal on the same Conductor, no profile is created.

Workaround – If the user wants a second profile, they can use an invite code or enter the Conductor information manually.

DEV-15705 macOS Airwall Agents Establishing a tunnel TO a mobile Airwall Agent (iOS or Android) fails when there is no Airwall Relay involved.

Workaround – Establish the tunnel FROM the mobile Airwall Agent.

DEV-15572 Airwall Gateways If you don't specify a gateway in the DHCP server configuration, the DHCP client cannot configure a default gateway.

Workaround – Unless you want to configure a single isolated subnet, always specify a gateway. For example, a subnet for networked PDUs that should not have any outside connectivity aside from remote access through an Airwall Gateway, and used in conjunction with SNAT over the overlay port group. See https://tempered.force.com/TemperedSupportCenter/s/article/DHCP-server-isn-t-serving-as-a-gateway.

DEV-15357 macOS Airwall Agents If you update the macOS Airwall Agent to a release later than v2.2.11 on macOS Mojave using a Conductor-based update package, it may not report the updated version to the Conductor.

Workaround – Restart the Airwall Agent or reapply the update.

DEV-15338 Linux Airwall Servers If using a recent systemd-based Linux distribution including Fedora 33 and Debian 11, disable systemd-networkd MAC address randomization of the hip1 interface.
DEV-15302 macOS Airwall Agents The profile for a macOS Airwall Agent does not work correctly when restored to a new computer using Time Machine.

Workaround – Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one.

DEV-15219 Cellular 110g Airwall Gateways The Airwall Gateway 110g does not on the Bell Mobility (Canada) cellular provider because they require the use of a http/https proxy.
DEV-15031 Airwall Gateways Remote syslog over TLS doesn't work when using keys stored in TPM.
DEV-14860 Conductor Airwall Gateways on older firmware (pre v2.2.0) may send passively-discovered device events to the Conductor even when the feature is off.
DEV-14835 Conductor Airwall Gateway 150 serial numbers look like exponentiated numbers to Windows Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number.
DEV-14739 Airwall Gateways If you set IPv4 to DHCPv4 and set a static IP address for IPv6, the setting that you set second doesn't get saved.

Workaround – If you need both IPv4 and IPv6, set static IP addresses for both.

DEV-14736 Cellular Airwall Gateways Cellular details may display as "unavailable" on the first boot after you update anAirwall Gateway. The cellular connections are not affected.

Workaround – Reboot the Airwall Gateway again to correctly display the cellular details.

DEV-14726 Conductor If you're viewing an Android Airwall Agent Ports tab and the Airwall Agent changes how it's connected to the Conductor (for example, from WiFi to cellular), the display doesn't update correctly.

Workaround – Refresh the page.

DEV-14715 macOS Airwall Agents Big Sur ARM64 Macs are not supported in this release
DEV-14610 Conductor After changing the Reporting traffic stats reporting time, the CPU graph does not display.

Workaround – Refresh your browser page.

DEV-14584 Cellular Airwall Gateways Hot-swapping the SIM on an Airwall Gateway 110 with firmware version v2.2.11 may not work.

Workaround – Reboot the Airwall Gateway after installing a new SIM card.

DEV-14570 Conductor If you set an Airwall Agent owner to a user (LDAP, local, or OIDC) and someone attempts to user authenticate with a different OIDC user, they will not be able to authenticate (which is the correct behavior), but they see a 500 instead of a helpful error message.
DEV-14551 Conductor The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message.
DEV-14426 Conductor, Airwall Gateways Bypass destinations with a hostname do not show device activity in the Conductor.
DEV-14308 OpenHIP Initial packets are dropped while building a new tunnel to a new peer Airwall Gateway.
DEV-14249 iOS Airwall Agents Check Secure TunnelsTunnel Status may show as unavailable on iOS.

Workaround – You can determine tunnel status by checking packets sent or received.

DEV-14218 Airwall Gateways NAT broadcast applied to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices.
DEV-14045 Android and iOS Airwall Agents iOS does not currently support overlay ping.
DEV-14015 OpenHIP If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay.

Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate.

DEV-13775 Azure Cloud Airwall Gateways The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error doesn't indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result.
DEV-13650 Conductor SoIP device activity is not being reported on an Airwall Gateway Local Devices tab.
DEV-13640 Conductor Airwall Relay diagnostics don't work on a Standby Conductor.
DEV-13633 Conductor A standby Conductor shows available firmware downloads, but they cannot be downloaded.

Workaround – Download firmware from the active Conductor.

DEV-13620 Conductor In Airwall > Ports > Failover settings, the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly.
DEV-13607 Conductor, Airwall Gateways Creating a link failover group (Airwall > Ports > Failover settings) does not apply the settings to any port groups. You must also assign the failover group to port groups on the Ports page.
DEV-13588 Conductor Opening the Conductor on Internet Explorer 11 can be very slow for medium to large deployments.

Workaround – Use the latest version of Chrome, Firefox, or Edge instead.

DEV-13531 Cloud Conductor Automatically creating Cloud HA Conductors only works if you use the same cloud provider for both active and standby Conductors. For example, AWS HA Active and AWS HA Standby.

Workaround – You can manually set up different cloud providers as HA pair Conductors.

DEV-13474 Airwall Gateways If you configure multiple overlay port groups with the same overlay IP subnet (same or different IP addresses) and then create a local device equal to the entire subnet with port affinity set, it may not lead to the expected result.
DEV-13331 Alibaba Cloud Airwall Gateways The Alibaba Cloud Conductor system time is incorrect.

Workaround – Change the Conductor system time to browser time: In Conductor Settings, under System time, select Edit Settings, select Set browser time, and then select Update Settings.

DEV-13195 Conductor, Airwall Gateways When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become "Unavailable."

Workaround – Reboot and the details return.

DEV-13194 Conductor Check Connectivity > Ping Local Devices for an Airwall Gateway fails in Internet Explorer 11 if one of the devices is defined as a CIDR.

Workaround – Use one of the latest versions of Chrome, Firefox, Safari or Edge.

DEV-11710 macOS Airwall Agents If you change the LSI prefix on the Conductor, the macOS Airwall Agent doesn't update the routes correctly.

Workaround – Close and reopen the macOS Airwall Agent.

DEV-10590 Cloud Airwall Gateways The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider.
DEV-10039 Airwall Gateways An Airwall Gateway-150 can show "could not detect attached switch" intermittently.
DEV-9546 Airwall Gateways, Airwall Gateways 150 The Airwall Gateway-150 serial connection has an intermittent issue when large amounts of data are sent over the console.