Release Notes v4.0.2
Release date: October, 2025
Summary
This version of the Airwall solution includes security upgrades and bug fixes. To download the firmware, see 4.0.2 firmware and software.
New Features and Enhancements
- Add custom logos in the Conductor UI, enabling easy branding of the solution.
- The session timeout for privileged (Admin) accounts is reduced to 5 minutes to enhance security and minimize risks from unattended sessions.
- Conductor supports minimum browser versions (Versions 3.3, 3.4, 3.5, 4.0), ensuring backwards compatibility.
- New AirProxy WebSocket Secure (WSS) Transport documentation is now available.
Security Updates
- Upgraded to nokogiri v1.18.4
- Upgraded to libxslt v1.1.43
- Upgraded to rack v2.2.14
Linux Agent Updates
- Airwall Linux Agent no longer supports Ubuntu 18.04 LTS; it now supports 22.04 LTS and 20.04 LTS.
Fixes
ID | Applies to | Description |
---|---|---|
AWDEV-2846 | Airwall | Fixed the issue with overlay port group detection, ensuring secure tunnel tests run properly. |
AWDEV-2662 | Airwall Conductor | Fixed the visibility issue of device names in dark mode on the overlay page in the Conductor UI. |
AWDEV-3034 | Airwall | Fixed an issue where Rack::QueryParser allows unbounded parameter parsing, enabling potential denial-of-service via excessive memory and CPU usage. |
AWDEV-3011 | Airwall Conductor | Fixed an issue where Conductor reports incorrect information about physical connection to AW75 gateway. |
AWDEV-2955 | Airwall Conductor | Upgraded nokogiri to v1.18.4. |
AWDEV-2925 | Airwall | Fixed an issue where Rack::Static could expose unintended files under the specified root directory due to improper path sanitization. |
AWDEV-2894 | Airwall Conductor | Fixed an issue where admins see all bypass destinations as part of every device group. |
AWDEV-2737 | Airwall Gateway | Fixed an issue where Windows Airwall Agent incorrectly reports itself as a non-production build. |
AWDEV-3071 | Airwall Conductor | Fixed an issue where extra spaces in the DNS address caused the connectivity checker to fail. |
OBSLS-11661 | Airwall Conductor | Fixed an issue where the Conductor UI incorrectly showed active connections on ports 2 and 3 of the AW75 gateway when nothing was connected, ensuring accurate port status display. |
AWDEV-3237 | Airwall | Fixed an issue where the TMStat diagnostic tool and its Lua bindings were missing on devices running Ubuntu, restoring full diagnostic reporting capabilities. |
AWDEV-2739 | Airwall Conductor | Fixed an issue where the Conductor overlay page displays inaccurate device names/statuses. |
OBSLS-12998 | Airwall | Fixed an issue where devices failed to use the configured HTTP WAN proxy for outbound communication, restoring connectivity by routing traffic through the proxy as required. |
OBSLS-12773 | Airwall Conductor | Added minimum supported browser versions for Conductor (Versions 3.3, 3.4, 3.5, 4.0), ensuring users are informed of compatibility requirements and experience fewer UI problems. |
OBSLS-12618 | Airwall Conductor | Fixed an issue where Device Policy Groups in the Airwall Conductor display incorrect or unrelated policy entries for devices, ensuring administrators now see only the accurate policies applied to each group. |
AWDEV-2459 | Airwall Conductor | Added support for custom logos at the top of the Conductor UI, allowing organizations to easily display their own branding. |
AWDEV-2954 | Airwall | Fixed an issue where improper input handling in the Redoc library could allow Denial of Service (DoS) attacks via crafted payloads, by updating Redoc to a secure version. |
AWDEV-3197 | Airwall | Fixed an issue where the Airwall 175e bootloader limited WAN port #5 to 1Gbps only, by updating and verifying a new bootloader that restores proper 100Mbps and 1Gbps support. |
OBSLS-12619 | Airwall Conductor | Fixed an issue where the system failed to send email notifications for scheduled reports when the recipient list exceeded three addresses, ensuring all intended recipients now reliably receive scheduled report emails. |
Known issues
ID | Applies to | Description |
---|---|---|
AWDEV-2852 | Airwall | The TLS checkbox for logging Airwall events to a remote syslog server is ignored and will always result in using TLS transport. |
AWDEV-381 | Airwall Cloud AWS | AWS Airwall Deployment requires Internet Gateway. Workaround – Deploy with a temporary internet gateway, then modify settings in AWS to use the transit gateway once deployed. |
AWDEV-252 | Airwall Agent | Cannot clear incorrect login from OIDC user auth browser. |
DEV-17263 | Airwall Conductor | In v3.1.0, if you fix a conflict in a smart device group by changing the IP of one of the conflicted devices, sometimes the change in IP does not result in the device being removed from the group and the change is not propagated to the Airwall Gateway. Workaround – Fully remove the device from the smart device group and then add it back again. |
DEV-16431 | Airwall Conductor | When specifying a port mirror destination IP address, ensure that it does not conflict with any of the Airwall Gateway's local device IPs. |
DEV-16397 | Airwall Conductor | If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor or go to and select Restart metadata cache to update the LSI prefix. |
DEV-16068 | Amazon Web Services Conductor | To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image. |
DEV-15808 | Google Cloud Airwall Gateways | Google Cloud Airwall Gateways with the same VM name have the same device serial number, which can result in a failure when you make a license request in the Conductor. Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways. |
DEV-14551 | Conductor | The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message. |
DEV-14015 | OpenHIP | If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay. Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate. |
DEV-13650 | Conductor | SoIP device activity is not being reported on the Airwall Gateway Local Devices tab. |
DEV-13195 | Conductor, Airwall Gateways | When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become "Unavailable." Workaround – Reboot and the details return. |
AWDEV-3012 | Airwall | Airwall Firmware 4.0.1 breaks VLAN Functionality on Airwall 75 Devices. Workaround – Avoid bridging both a VLAN-tagged sub-interface and its parent port simultaneously; instead, use routed traffic only, separate physical ports for tagged and untagged VLANs, or tag the native VLAN on the switch. Downgrading the Airwall 75 device to firmware version 3.4.3 also restores VLAN functionality. |
AWDEV-3414 | Airwall Gateways | High Availability (HA) failover does not function correctly when using overlay port groups configured with Routed Traffic Only. The standby unit may not successfully take over during a failover event. Workaround – Keep HA Gateways with Routed Traffic Only overlay port groups on firmware version 3.5.2 until the issue is resolved in version 4.0.3. |