Release Notes v3.4.2

Release Date: February, 2024

Update Considerations

You may want to update to this version to use the following features:
  • Local Airwall overlay network
  • Overlay DHCP client
  • WebSocket relay proxy

What's New in 3.4.2

This version of the Airwall Solution includes several usability and functionality improvements that can simplify and streamline the setup and diagnostics for an Airwall secure network.

Local Airwall Overlay network

Airwall Gateways now have a local overlay network to better manage east-west traffic. See Adding trust between devices in the local overlay network.
Local overlay network

Port group devices

Port group overlay IP and network devices are a new device type that represent IPs on Airwall Gateways, which allow you to more easily configure east-west policy between overlay port groups. There are two types of port group devices: a port group network device is the local network of the port group, while a port group IP device is the IP configured on the port group. See Configuring port group devices

Overlay DHCP client

Airwall Gateways now support assigning overlay IP addresses with DHCP, making it easier to setup an Airwall to allow access in an existing environment. See Set up Overlay Port Groups.

AirProxy: support for WebSocket relay proxy

AirProxy is a WebSocket relay proxy that allows Airwalls to function in environments where the TCP 8096 and UDP 10500 ports are not working by using the HTTPS TCP 443 port for all traffic. See Configuring a Conductor IP, Friendly URL, or Port and Creating an AirProxy WebSocket relay certificate.

New search filters in Conductor Query Language

Use these additional filter properties to better search with the Conductor Query Language:
  • apiUUID
  • isPortMirrorSource
  • isPortMirrorDestination
  • hasCell
  • hasWifi
  • connectedVia
See Search by expression with the Conductor Query Language.

See further smart device group information in the Overlay page

You can now see further smart device group information in the Conductor’s Overlay page when you double click on the smart device group in the visualization window. See See the Trust Relationships in an Overlay network.

New bypass gateway tab

You can now see which Airwalls currently use a selected bypass gateway in the new bypass tab, Airwalls > Bypass. See Backhaul Bypass.
Bypass tab

See the API UUID for monitors in Conductor

You can now see the API UUID in the event monitor wizard. See Create an Event Monitor.
Event monitor wizard

Simplified Airwall relay configuration steps

You can now more easily configure an Airwall Gateway as an Airwall Relay using the Airwall relay tab. See Set Up an Airwall Relay.
Airwall relay tab

Pinned page folders

You can now use folders to better organise your pinned pages. See The Conductor Dashboard.
Airwall relay tab

New and Updated Help

Here is the new and updated content published since our last release:


Transparent mode

As of version 3.4.1, Airwalls will no longer support running in transparent mode. This run mode is replaced by enabling bypass on the Airwall using a Hybrid L2+L3 overlay port group.

Airwalls that are configured to run in transparent mode will silently revert to running in protected mode after upgrading to version 3.4.1.


ID Applies to Description
AWDEV-1282 Conductor Fixed an issue that made the Conductor vulnerable to cross-site scripting (XSS).
AWDEV-957 Conductor Fixed an issue where the ignore auto-discovery device checkbox in smart device group settings cannot be unchecked.
AWDEV-714 Conductor Fixed an issue where port filtering tab is missing for Airwalls.
AWDEV-706 Conductor Fixed an issue with failover for HA provisioned with more than one Conductor URL.
AWDEV-703 Airwall Fixed an issue where redis lua scripts fail with error "too many results to unpack".
AWDEV-696 Conductor Fixed an issue where device CQL queries do not work on HA-standby Conductors.
AWDEV-694 Conductor Fixed an issue where check boxes on the onboarding request table do not respect filtered list.
AWDEV-662 Airwall Fixed an issue where error file not found when downloading package from repo.
AWDEV-655 Conductor Fixed an issue where the firmware update dialog checkboxes do not work.
AWDEV-653 Conductor Fixed an issue with the connection checker for relay WebSocket proxies.
AWDEV-413 Conductor Fixed an issue where connectivity checker is unaware of blocked IP range within a network object.
AWDEV-268 Conductor Fixed an issue where Airwall Relay diagnostics for HA paired Airwalls shows incorrect data.

Known Issues

ID Applies to Description
AWDEV-812 Conductor Swapping to a different Airwall in Conductor, airsh goes to previous Airwall.

Workaround - Go back to dashboard and then to the Airwall.

AWDEV-685 Conductor The Latest badge in the Conductor firmware displays for multiple of the same model for certain models.

Workaround - Ignore the latest badge.

AWDEV-382 Gateway DHCP passthrough breaks in certain configurations.
AWDEV-381 Server AWS Airwall deployment requires Internet Gateway.

Workaround - Deploy with a temporary internet gateway, and then modify settings in AWS to use the transit gateway once deployed.

AWDEV-371 Conductor Remote airsh sometimes corrupts output.
AWDEV-319 Conductor Airwalls can become disconnected from Conductor due to receiving bad configuration data while upgrading HA paired Conductors.

Workaround - Do not demote a Conductor around the top of the hour when the consistency checker is running. Wait until 15 minutes into the hour.

AWDEV-285 Conductor Postgresql deadlock issue on Conductor restart.
AWDEV-252 Conductor Cannot clear incorrect login from OIDC user auth browser.
DEV-17648 Linux Airwall Servers Many Airshell functions (including changing log level) are non-functional until you have configured and licensed your Conductor.
DEV-17263 Conductor

If you fix a conflict in a smart device group by changing the IP of one of the conflicted devices, sometimes the change in IP does not result in the device being removed from the group and the change is not propagated to the Airwall Gateway.

Workaround – Fully remove the device from the smart device group and then add it back again.

DEV-16503 macOS Airwall Agent Deleting a profile does not immediately delete the associated private key.

Workaround - After deleting a profile, switch to a different profile before creating a new profile. If you have already created the new profile, delete it, switch, and then re-create it.

DEV-16431 Conductor When specifying a port mirror destination IP address, ensure that it doesn't conflict with any of the Airwall Gateway's local device IPs
DEV-16397 Conductor If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor, or go to Settings > Diagnostics and select Restart metadata cache to update the LSI prefix.
DEV-16068 Amazon Web Services Conductor To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image.
DEV-16067 Cloud, Conductor, Airwall Gateways If you are adding a new interface to an existing cloud Airwall Gateway, you must set the source and destination check to false (see your cloud provider for the terminology they use for source and destination checks).
DEV-16059 Airwall Gateways When HA-pairing two Airwall Gateways that do not have the HA link plugged in correctly, the Conductor displays no actionable error message and the HA setup never completes.
DEV-15982 Conductor Traffic stats reporting graphs generally show a smooth curve between data points. However, over time the graph can show up with sharper angles. The data is still correct, but this is a known issue with the graphing library used by the Conductor.
DEV-15945 Airwall Gateways If you configure port mirroring using a remote destination local device, GRE/ERSPAN traffic from remote Airwall Gateways will arrive with a source IP in the LSI prefix (defaults to
DEV-15923 Airwall Gateways When you run Check secure tunnels on a v3.0 Airwall Gateway, the check falsely reports a bad tunnel status for any peer airwall running a firmware version that is v2.2.8 or lower.
DEV-15808 Google Cloud Airwall Gateways Google Cloud Airwall Gateways with the same VM name have the same device serial number, which can result in a failure when you make a license request in the Conductor.

Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways.

DEV-15791 Airwall Gateway On the Airwall Gateway 100, Port 2 might be inactive after a factory-reset.

Workaround - After a factory reset, manually reboot the Airwall Gateway 100.

DEV-15705 iOS, Android Airwall Agent Establishing a tunnel TO a mobile Airwall Agent (iOS or Android) fails when there is no Airwall Relay involved.

Workaround - Establish the tunnel FROM the mobile Airwall Agent.

DEV-15572 Airwall Gateways If you do not specify a gateway in the DHCP server configuration, the DHCP client cannot configure a default gateway.

Workaround – Unless you want to configure a single isolated subnet, always specify a gateway. For example, a subnet for networked PDUs that should not have any outside connectivity aside from remote access through an Airwall Gateway, and used in conjunction with SNAT over the overlay port group. See DHCP server is not serving as a gateway

DEV-15489 Windows Airwall Agent Windows 7 sends an extra Windows system popup when the Windows Airwall Agent UserAuth prompt appears. You can safely ignore this popup.
DEV-15357 macOS Airwall Agent If you update the macOS Airwall Agent to a release later than v2.2.11 on macOS Mojave using a Conductor-based update package, it may not report the updated version to the Conductor.

Workaround - Restart the Airwall Agent or reapply the update.

DEV-15302 macOS Airwall Agent The profile for a macOS Airwall Agent does not work correctly when restored to a new computer using Time Machine.

Workaround - Create a new profile on the Airwall Agent, and then on the Conductor, replace the old profile with the new one.

DEV-15219 Cellular 110g Airwall Gateways The Airwall Gateway 110g does not work on the Bell Mobility (Canada) cellular provider because they require the use of a http/https proxy.
DEV-15031 Airwall Gateways Remote syslog over TLS does not work when using keys stored in TPM.
DEV-14860 Conductor Airwall Gateways on older firmware (pre v2.2.0) may send passively-discovered device events to the Conductor even when the feature is off.
DEV-14835 Conductor Airwall Gateway 150 serial numbers look like exponentiated numbers to Windows Excel, so the column displaying the Serial number shows xxxEyyy instead of the full serial number.
DEV-14736 Cellular Airwall Gateways Cellular details may display as "unavailable" on the first boot after you update anAirwall Gateway. The cellular connections are not affected.

Workaround – Reboot the Airwall Gateway again to correctly display the cellular details.

DEV-14726 Conductor If you are viewing an Android Airwall Agent Ports tab and the Airwall Agent changes how it is connected to the Conductor (for example, from WiFi to cellular), the display does not update correctly.

Workaround – Refresh the page.

DEV-14610 Conductor After changing the Reporting traffic stats reporting time, the CPU graph does not display.

Workaround – Refresh your browser page.

DEV-14584 Cellular Airwall Gateways Hot-swapping the SIM on an Airwall Gateway 110 with firmware version v2.2.11 may not work.

Workaround – Reboot the Airwall Gateway after installing a new SIM card.

DEV-14551 Conductor The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message.
DEV-14426 Conductor, Airwall Gateways Bypass destinations with a hostname do not show device activity in the Conductor.
DEV-14308 OpenHIP Initial packets are dropped while building a new tunnel to a new peer Airwall Gateway.
DEV-14223 Google Cloud Add an overlay IP to agent in order to talk to device behind Google 300v.
DEV-14218 Airwall Gateways NAT broadcast applied to traffic between ports within a single port group. Use an external switch if you need to connect multiple devices to a single port group and use the NAT broadcast feature and require IP broadcast un-NATed between those local devices.
DEV-14015 OpenHIP If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay.

Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate.

DEV-13775 Azure Cloud Airwall Gateways The Conductor might rarely give a "Net::ReadTimeout" error when you try to deploy an Azure Airwall Gateway 300v or server. This error does not indicate that the deployment has failed. If you get this error message, go to Azure portal and check the actual deployment result.
DEV-13650 Conductor SoIP device activity is not being reported on an Airwall Gateway Local Devices tab.
DEV-13640 Conductor Airwall Relay diagnostics do not work on a Standby Conductor.
DEV-13633 Conductor A standby Conductor shows available firmware downloads, but they cannot be downloaded.

Workaround – Download firmware from the active Conductor.

DEV-13620 Conductor In Airwall > Ports > Failover settings, the failover ping occurs only every "ping rate" + "ping timeout" seconds, somewhat unexpectedly.
DEV-13607 Conductor, Airwall Gateways Creating a link failover group (Airwall > Ports > Failover settings) does not apply the settings to any port groups. You must also assign the failover group to port groups on the Ports page.
DEV-13588 Conductor Opening the Conductor on Internet Explorer 11 can be very slow for medium to large deployments.

Workaround – Use the latest version of Chrome, Firefox, or Edge instead.

DEV-13536 Windows Airwall Agent When you uninstall the Windows Airwall Agent, it does not remove the tun-tap driver.

Workaround - Delete the driver from C:\Windows\System32\drivers\tnw-tap.sys.

DEV-13531 Cloud Conductor Automatically creating Cloud HA Conductors only works if you use the same cloud provider for both active and standby Conductors. For example, AWS HA Active and AWS HA Standby.

Workaround – You can manually set up different cloud providers as HA pair Conductors.

DEV-13474 Airwall Gateways If you configure multiple overlay port groups with the same overlay IP subnet (same or different IP addresses) and then create a local device equal to the entire subnet with port affinity set, it may not lead to the expected result.
DEV-13331 Alibaba Cloud Airwall Gateways The Alibaba Cloud Conductor system time is incorrect.

Workaround – Change the Conductor system time to browser time: In Conductor Settings, under System time, select Edit Settings, select Set browser time, and then select Update Settings.

DEV-13195 Conductor, Airwall Gateways When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become "Unavailable."

Workaround – Reboot and the details return.

DEV-12852 Windows Airwall Agent Windows by default does not allow multiple 'active' interfaces. It prefers ethernet over cellular whenever possible.

Workaround - Set Windows to keep multiple interfaces open by editing the fMinimizeConnections registry value:

  1. Hold the Windows Key and Press R.
  2. In the run dialog, type regedit and click OK.
  3. Navigate to the following path in Registry Editor: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\4
  4. See if the GroupPolicy subkey exists. If not with, WcmSvc highlighted, right click on WcmSvc and Choose New > Key and name it GroupPolicy.
  5. Right-click GroupPolicy and choose New > DWORD (32-bit) > Create value.
  6. Name the value "fMinimizeConnections," and select OK. (The value should be 0, or false).
  7. Reboot and test.
DEV-10590 Cloud Airwall Gateways The Conductor does not display an error when adding a route that would exceed the maximum number of allowed routes in the cloud provider.
DEV-10039 Airwall Gateways An Airwall Gateway-150 can show "could not detect attached switch" intermittently.
DEV-9546 Airwall Gateways, Airwall Gateways 150 The Airwall Gateway-150 serial connection has an intermittent issue when large amounts of data are sent over the console.
DEV-9429 Windows Airwall Agent When you update the Overlay Device IP address for a Windows Airwall Server in the Conductor, it does not always update the first time.

Workaround - Open and update the address a second time.