Release Notes v4.0.3
Release date: December, 2025
Summary
This version of the Airwall solution includes security upgrades and bug fixes. To download the firmware, see 4.0.3 firmware and software
New Features and Enhancements
- Enhanced Conductor Overlays page adding a column to display Managed Relay status.
- Enhanced the Airwall status report to include cellular modem information (such as IMEI and phone number).
-
Extended Conductor API to retrieve "Wireless Site Survey" information from WiFi-enabled Airwall Gateways and Linux Agents.
-
Improved Conductor navigation by including links in alert notifications, allowing users to directly navigate to the affected Airwall, device, user, or monitor referenced in each alert.
- Added support for Airwall 275 gateway platform (beta). A new 6 port gateway with two SFP interfaces.
-
New Airwall Android Agent release (beta), the first since 3.1.0. This brings new features and fixes since 3.1.0 to the Android platform, refreshed graphics, and improved documentation.
Security Updates
- Upgraded to nokogiri v1.18.9
- Upgraded to libxslt v1.1.43
- Upgraded to rack v2.2.14
- Upgraded to thor v1.4.0
Fixes
| ID | Applies to | Description |
|---|---|---|
| OBSLS-14408 | Airwall Conductor | Fixed an issue where viewing Airwall agent 2.2.1.3 in Airwall Conductor triggered an error pop-up for users, ensuring stable agent viewing for all customers. |
| OBSLS-14318 | Airwall Conductor | Fixed an issue where non-System Administrator users could not view events under the Overlay | History tab in Airwall Conductor; all user roles now have full event visibility. |
| OBSLS-14049 | Airwall Conductor |
Fixed an issue where clicking any item in Airwall Conductor triggered a TypeError when the active scmpCert was missing, ensuring smooth navigation for all users. |
| AWDEV-3367 | Airwall Conductor | Fixed a UI issue where the "Build new tunnels if none exists" checkbox in Airwall Conductor caused confusion by showing tunnel status before tunnels were fully established, now users are advised to re-run "Check secure tunnels" with the checkbox unchecked. |
| AWDEV-3108 | Airwall Conductor | Fixed an issue where the label for editing People groups properties was incorrect in Airwall Conductor 4.0.1/4.0.2, ensuring the label displays correctly. |
| AWDEV-3405 | Airwall Gateway | Fixed an issue where updating relay_wss in M2 peer updates did not update the relay peer in HipConfigPlugin::m2, so Airwall failed to probe relays over WSS after AirProxy changes; now relay peers are correctly updated and probed. |
| AWDEV-3308 | Airwall Conductor | Fixed an issue where sensitive data was logged in clear text in Airwall Conductor, preventing exposure of confidential information in logs. |
| AWDEV-3309 | Airwall Conductor | Fixed a high vulnerability in the activestorage library in Airwall Conductor by upgrading the dependency, addressing potential security risks. |
| AWDEV-3320 | Airwall Gateway, Server | Fixed a medium vulnerability in Airwall Gateway and Server that allowed arbitrary file read, ensuring proper validation and access controls. |
| AWDEV-3319 | Airwall Gateway, Server | Fixed a high vulnerability in Airwall Gateway and Server that allowed OS command injection, improving input sanitization and system security. |
Known issues
| ID | Applies to | Description |
|---|---|---|
| AWDEV-2852 | Airwall | The TLS checkbox for logging Airwall events to a remote syslog server is ignored and will always result in using TLS transport. |
| AWDEV-381 | Airwall Cloud AWS | AWS Airwall Deployment requires Internet Gateway.
Workaround - Deploy with a temporary internet gateway, then modify settings in AWS to use the transit gateway once deployed. |
| AWDEV-252 | Airwall Agent | Cannot clear incorrect login from OIDC user auth browser. |
| DEV-17263 | Airwall Conductor |
In v3.1.0, if you fix a conflict in a smart device group by changing the IP of one of the conflicted devices, sometimes the change in IP does not result in the device being removed from the group and the change is not propagated to the Airwall Gateway. Workaround – Fully remove the device from the smart device group and then add it back again. |
| DEV-16431 | Airwall Conductor | When specifying a port mirror destination IP address, ensure that it does not conflict with any of the Airwall Gateway's local device IPs |
| DEV-16397 | Airwall Conductor | If you change the LSI prefix and have port mirroring configured, you need to either reboot the Conductor or go to and select Restart metadata cache to update the LSI prefix. |
| DEV-16068 | Amazon Web Services Conductor | To enable enhanced networking for a cloud Amazon Web Services Airwall Gateway or Conductor, use the custom images instead of the marketplace image. |
| DEV-15808 | Google Cloud Airwall Gateways | Google Cloud Airwall Gateways with the same VM name have the same device serial number, which
can result in a failure when you make a license request in the Conductor. Workaround – In Google Cloud, use unique deployment names (VM names) for Airwall Gateways. |
| DEV-14551 | Conductor | The Android Airwall Agent lets you press the Edit Settings button on the Ports page; however, submitting any changes to the page results in an error message. |
| DEV-14015 | OpenHIP | If an Airwall Relay is also used as a bypass gateway, Airwall Edge Services behind the relay are not able to use that relay.
Workaround – Deploy multiple relays so at least one relay is usable by each pair of Airwall Edge Services that need to communicate. |
| DEV-13650 | Conductor | SoIP device activity is not being reported on the Airwall Gateway Local Devices tab. |
| DEV-13195 | Conductor, Airwall Gateways | When you upgrade a Cellular Airwall Gateway-150 from 2.2.3 to 2.2.5, the cellular details all become
"Unavailable." Workaround – Reboot and the details return. |
| OBSLS-11636/AWDEV-3012 | Airwall |
Airwall Firmware 4.0.1 breaks VLAN Functionality on Airwall 75 Devices. Workaround – Avoid bridging both a VLAN-tagged sub-interface and its parent port simultaneously; instead, use routed traffic only, separate physical ports for tagged and untagged VLANs, or tag the native VLAN on the switch. Downgrading the Airwall 75 device to firmware version 3.4.3 also restores VLAN functionality. |
| AWDEV-3414 | Airwall Gateways | High Availability (HA) failover does not function correctly when
using overlay port groups configured with Routed Traffic
Only. The standby unit may not successfully take over
during a failover event. Workaround – Keep HA Gateways with Routed Traffic Only overlay port groups on firmware version 3.5.2 until the issue is resolved in version 4.0.3. |