Release Notes v3.4.2
Release Date: February, 2024
Update Considerations
- Local Airwall overlay network
- Overlay DHCP client
- WebSocket relay proxy
Downloads
For firmware and software downloads for this version, see 3.4.2 firmware and software.
What's New in 3.4.2
This version of the Airwall Solution includes several usability and functionality improvements that can simplify and streamline the setup and diagnostics for an Airwall secure network.
Local Airwall Overlay network
Port group devices
Port group overlay IP and network devices are a new device type that represents IPs on Airwall Gateways, which lets you more easily configure east-west policy between overlay port groups. There are two types of port group devices: a port group network device is the local network of the port group, while a port group IP device is the IP configured on the port group. See Configuring port group devices.
Overlay DHCP client
Airwall Gateways now support assigning overlay IP addresses with DHCP, making it easier to set up an Airwall to allow access in an existing environment. See Setting up Overlay Port Groups.
AirProxy: support for WebSocket relay proxy
AirProxy is a WebSocket relay proxy that allows Airwalls to function in environments where the TCP 8096 and UDP 10500 ports are not working by using the HTTPS TCP 443 port for all traffic. See Configuring a Conductor IP, Friendly URL, or Port and Creating an AirProxy WebSocket relay certificate.
New search filters in Conductor Query Language
- apiUUID
- isPortMirrorSource
- isPortMirrorDestination
- hasCell
- hasWifi
- connectedVia
See further smart device group information in the Overlay page
You can now see further smart device group information in the Conductor’s Overlay page when you double-click the smart device group in the visualization window. See Seeing the trust relationships in an Overlay network.
New bypass gateway tab
See the API UUID for monitors in Conductor
Simplified Airwall relay configuration steps
Pinned page folders
New and Updated Help
Here is the new and updated content published since our last release:
Deprecations
Transparent mode
As of version 3.4.1, Airwalls will no longer support running in transparent mode. This run mode is replaced by enabling bypass on the Airwall using a Hybrid L2+L3 overlay port group.
Airwalls that are configured to run in transparent mode will silently revert to running in protected mode after upgrading to version 3.4.1.
Fixes
| ID | Applies to | Description | 
|---|---|---|
| AWDEV-1282 | Conductor | Fixed an issue that made the Conductor vulnerable to cross-site scripting (XSS). | 
| AWDEV-957 | Conductor | Fixed an issue where the ignore auto-discovery device checkbox in smart device group settings cannot be unchecked. | 
| AWDEV-714 | Conductor | Fixed an issue where the port filtering tab is missing for Airwalls. | 
| AWDEV-706 | Conductor | Fixed an issue with failover for HA provisioned with more than one Conductor URL. | 
| AWDEV-703 | Airwall | Fixed an issue where Redis Lua scripts fail with the error "too many results to unpack". | 
| AWDEV-696 | Conductor | Fixed an issue where device CQL queries do not work on HA-standby Conductors. | 
| AWDEV-694 | Conductor | Fixed an issue where check boxes on the onboarding request table do not respect filtered list. | 
| AWDEV-662 | Airwall | Fixed an issue where a "file not found" error occurs when downloading a package from the repo. | 
| AWDEV-655 | Conductor | Fixed an issue where the firmware update dialog checkboxes do not work. | 
| AWDEV-653 | Conductor | Fixed an issue with the connection checker for relay WebSocket proxies. | 
| AWDEV-413 | Conductor | Fixed an issue where the connectivity checker is unaware of a blocked IP range within a network object. | 
| AWDEV-268 | Conductor | Fixed an issue where Airwall Relay diagnostics for HA paired Airwalls shows incorrect data. | 
Known Issues
| ID | Applies to | Description | 
|---|---|---|
| AWDEV-812 | Conductor | After swapping to a different Airwall in Conductor, airsh goes to the previous Airwall. Workaround - Go back to the dashboard and then to the Airwall. | 
| AWDEV-685 | Conductor | The Latest badge in the Conductor firmware displays for multiple of the same model for certain models. Workaround - Ignore the latest badge. | 
| AWDEV-382 | Gateway | DHCP passthrough breaks in certain configurations. | 
| AWDEV-381 | Server | AWS Airwall deployment requires Internet Gateway. Workaround - Deploy with a temporary internet gateway, and then modify settings in AWS to use the transit gateway once deployed. | 
| AWDEV-371 | Conductor | Remote airsh sometimes corrupts output. | 
| AWDEV-319 | Conductor | Airwalls can become disconnected from Conductor due to receiving bad configuration data while upgrading HA paired Conductors. Workaround - Do not demote a Conductor around the top of the hour when the consistency checker is running. Wait until 15 minutes into the hour. | 
| AWDEV-285 | Conductor | Postgresql deadlock issue on Conductor restart. | 
| AWDEV-252 | Conductor | Cannot clear incorrect login from OIDC user auth browser. | 
| DEV-17648 | Linux Airwall Servers | Many Airshell functions (including changing log level) are non-functional until you have configured and licensed your Conductor. | 
| DEV-17263 | Conductor | If you fix a conflict in a smart device group by changing the IP of one of the conflicted devices, sometimes the change in IP does not result in the device being removed from the group and the change is not propagated to the Airwall Gateway. Workaround – Fully remove the device from the smart device group and then add it back again. | 
| DEV-16503 | macOS Airwall Agent | Deleting a profile does not immediately delete the associated private key. Workaround - After deleting a profile, switch to a different profile before creating a new profile. If you have already created the new profile, delete it, switch, and then re-create it. | 
| DEV-16431 | Conductor | When specifying a port mirror destination IP address, ensure that it doesn't conflict with any of the Airwall Gateway's local device IPs. | 
| DEV-16397 | Conductor | If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor, or go to and select Restart metadata cache to update the LSI prefix. | 
| DEV-16068 | Amazon Web Services Conductor | To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image. | 
| DEV-16067 | Cloud, Conductor, Airwall Gateways | If you are adding a new interface to an existing cloud Airwall Gateway, you must set the source and destination check to false (see your cloud provider for the terminology they use for source and destination checks). | 
| DEV-16059 | Airwall Gateways | When HA-pairing two Airwall Gateways that do not have the HA link plugged in correctly, the Conductor displays no actionable error message and the HA setup never completes. | 
| DEV-15982 | Conductor | Traffic stats reporting graphs generally show a smooth curve between data points. However, over time the graph can show up with sharper angles. The data is still correct, but this is a known issue with the graphing library used by the Conductor. | 
| DEV-15945 | Airwall Gateways | If you configure port mirroring using a remote destination local device, GRE/ERSPAN traffic from remote Airwall Gateways will arrive with a source IP in the LSI prefix (defaults to 1.0.0.0/8). | 
| DEV-15923 | Airwall Gateways | When you run Check secure tunnels on a v3.0 Airwall Gateway, the check falsely reports a bad tunnel status for any peer airwall running a firmware version that is v2.2.8 or lower. | 
| DEV-15808 | Google Cloud Airwall Gateways | Google Cloud Airwall Gateways with the same VM name have the same device serial number, which can result in a failure when you make a license request in the Conductor. Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways. | 
| DEV-15791 | Airwall Gateway | On the Airwall Gateway 100, Port 2 might be inactive after a factory-reset. Workaround - After a factory reset, manually reboot the Airwall Gateway 100. | 
| DEV-15705 | iOS, Android Airwall Agent | Establishing a tunnel TO a mobile Airwall Agent (iOS or Android) fails when there is no Airwall Relay involved. Workaround - Establish the tunnel FROM the mobile Airwall Agent. | 
| DEV-15572 | Airwall Gateways | If you do not specify a gateway in the DHCP server configuration, the DHCP client cannot configure a default gateway. Workaround – Unless you want to configure a single isolated subnet, always specify a gateway. For example, a subnet for networked PDUs that should not have any outside connectivity aside from remote access through an Airwall Gateway, and used in conjunction with SNAT over the overlay port group. See DHCP server is not serving as a gateway | 
| DEV-15489 | Windows Airwall Agent | Windows 7 sends an extra Windows system popup when the Windows Airwall Agent UserAuth prompt appears. You can safely ignore this popup. | 
| DEV-15357 | macOS Airwall Agent | If you update the macOS Airwall Agent to a release later than v2.2.11 on macOS Mojave using a Conductor-based update package, it may not report the updated version to the Conductor. Workaround - Restart the Airwall Agent or reapply the update. | 
| DEV-15302 | macOS Airwall Agent | The profile for a macOS Airwall Agent does not work correctly when restored to a new computer using Time Machine. Workaround - Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one. | 
| DEV-15219 | Cellular 110g Airwall Gateways | The Airwall Gateway 110g does not work on the Bell Mobility (Canada) cellular provider because they require the use of a http/https proxy. | 
| DEV-15031 | Airwall Gateways | Remote syslog over TLS does not work when using keys stored in TPM. | 
| DEV-14860 | Conductor | Airwall Gateways on older firmware (pre v2.2.0) may send passively-discovered device events to the Conductor even when the feature is off. | 
| DEV-14835 | Conductor | Airwall Gateway 150 serial numbers look like exponentiated numbers to Windows Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number. | 
| DEV-14736 | Cellular Airwall Gateways | Cellular details may display as "unavailable" on the first boot after you update an Airwall Gateway. The cellular connections are not affected. Workaround – Reboot the Airwall Gateway again to correctly display the cellular details. | 
| DEV-14726 | Conductor | If you are viewing an Android Airwall Agent Ports tab and the Airwall Agent changes how it is connected to the Conductor (for example, from WiFi to cellular), the display does not update correctly. Workaround – Refresh the page. | 
| DEV-14610 | Conductor | After changing the Reporting traffic stats reporting time, the CPU graph does not display. Workaround – Refresh your browser page. | 
| DEV-14584 | Cellular Airwall Gateways | Hot-swapping the SIM on an Airwall Gateway 110 with firmware version v2.2.11 may not work. Workaround – Reboot the Airwall Gateway after installing a new SIM card. | 
| DEV-14551 | Conductor | The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message. | 
| DEV-14426 | Conductor, Airwall Gateways | Bypass destinations with a hostname do not show device activity in the Conductor. | 
| DEV-14308 | OpenHIP | Initial packets are dropped while building a new tunnel to a new peer Airwall Gateway. | 
| DEV-14223 | Google Cloud | Add an overlay IP to agent in order to talk to device behind Google 300v. | 
| DEV-14218 | Airwall Gateways | NAT broadcast applied to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices. | 
| DEV-14015 | OpenHIP | If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay. Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate. | 
| DEV-13775 | Azure Cloud Airwall Gateways | The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error does not indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result. | 
| DEV-13650 | Conductor | SoIP device activity is not being reported on an Airwall Gateway Local Devices tab. | 
| DEV-13640 | Conductor | Airwall Relay diagnostics do not work on a Standby Conductor. | 
| DEV-13633 | Conductor | A standby Conductor shows available firmware downloads, but they cannot be downloaded. Workaround – Download firmware from the active Conductor. | 
| DEV-13620 | Conductor | In , the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly. | 
| DEV-13607 | Conductor, Airwall Gateways | Creating a link failover group () does not apply the settings to any port groups. You must also assign the failover group to port groups on the Ports page. | 
| DEV-13588 | Conductor | Opening the Conductor on Internet Explorer 11 can be very slow for medium to large deployments. Workaround – Use the latest version of Chrome, Firefox, or Edge instead. | 
| DEV-13536 | Windows Airwall Agent | When you uninstall the Windows Airwall Agent, it does not remove the tun-tap driver. Workaround - Delete the driver from C:\Windows\System32\drivers\tnw-tap.sys. | 
| DEV-13531 | Cloud Conductor | Automatically creating Cloud HA Conductors only works if you use the same cloud provider for both active and standby Conductors. For example, AWS HA Active and AWS HA Standby. Workaround – You can manually set up different cloud providers as HA pair Conductors. | 
| DEV-13474 | Airwall Gateways | If you configure multiple overlay port groups with the same overlay IP subnet (same or different IP addresses) and then create a local device equal to the entire subnet with port affinity set, it may not lead to the expected result. | 
| DEV-13331 | Alibaba Cloud Airwall Gateways | The Alibaba Cloud Conductor system time is incorrect. Workaround – Change the Conductor system time to browser time: In Conductor Settings, under System time, select Edit Settings, select Set browser time, and then select Update Settings. | 
| DEV-13195 | Conductor, Airwall Gateways | When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become "Unavailable." Workaround – Reboot and the details return. | 
| DEV-12852 | Windows Airwall Agent | Windows by default does not allow multiple 'active' interfaces. It prefers ethernet over cellular whenever possible. Workaround - Set Windows to keep multiple interfaces open by editing the fMinimizeConnections registry value: | 
| DEV-10590 | Cloud Airwall Gateways | The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider. | 
| DEV-10039 | Airwall Gateways | An Airwall Gateway-150 can show "could not detect attached switch" intermittently. | 
| DEV-9546 | Airwall Gateways, Airwall Gateways 150 | The Airwall Gateway-150 serial connection has an intermittent issue when large amounts of data are sent over the console. | 
| DEV-9429 | Windows Airwall Agent | When you update the Overlay Device IP address for a Windows Airwall Server in the Conductor, it does not always update the first time. Workaround - Open and update the address a second time. | 
