Firmware Version 1.8 Release Notes
Release Date: 19th December 2023
Firmware release 1.8
New Features
Summary | Release |
---|---|
Add option to automatically create non-existing OpenID users when they sign in for the first time. | 1.8.8 |
Support for modems without a built-in DHCP server. | 1.8.5 |
External network access for endpoints behind a gateway can now be controlled with egress policies. The old "Allow outbound external connectivity" option has been deprecated. | 1.8.0 |
A CLI console for gateways has been added to the orchestrator UI. | 1.8.0 |
Policies can now be enabled/disabled without deleting them. | 1.8.0 |
Bug Fixes
Summary | Release |
---|---|
Add option to automatically create non-existing OpenID users when they sign in for the first time. | 1.8.8 |
SCIM group provisioning was not compatible with recent Microsoft Entra ID changes | 1.8.8 |
Clients and agents would not try to resolve DNS entries using the secondary DNS server(s) if the request to the primary DNS server timed out. | 1.8.8 |
Agents would sometimes not re-connect properly after quick repeated losses of connectivity to the Orchestrator. | 1.8.7 |
Groups with a large number of users and/or agents in a policy using said group both as "to" and "from" were slow to compile. | 1.8.7 |
Uni-directional open tunnel ports were not detected correctly, resulting in return traffic being dropped. | 1.8.6 |
AD DNS Update requests were not parsed correctly and would log an exception in the bs-firewalld journal. | 1.8.5 |
The virtual console could leave an "orphaned" appliance-status process behind. | 1.8.5 |
Switching the uplink interface from a dedicated one to a shared uplink/endpoint interface required a reboot for the gateway to come back online. | 1.8.5 |
Support for unlocking Quectel EM05-G modems. | 1.8.4 |
If the fetching of the OpenID JWK keys failed, the orchestrator would not retry the fetch. | 1.8.4 |
Uppercase characters in DNS names were not allowed. | 1.8.4 |
Clients/gateways/agents would not always fall back to querying lighthouse.blastwave.io for network information in case the DNS results were filtered by the local DNS resolver. | 1.8.4 |
On some Lenovo hardware appliances the UEFI boot loader was not configured correctly during install. | 1.8.3 |
In an egress policy with both prefixes and DNS names, only the DNS names would be allowed. | 1.8.3 |
Made P2P handshake more robust in high packet loss scenarios. | 1.8.2 |
RPM-based agents would not always upgrade to a new version unless they had the new version list in the repository cache. | 1.8.2 |
Don't disconnect the client if the authentication fails when launching the Orchestrator UI. | 1.8.2 |
Migrating a Gateway to a new Gateway did not send the correct policy configuration to the new Gateway until a policy change was made. | 1.8.2 |
Creating new policies did not work if the orchestrator firmware was upgraded from version 1.7.x to 1.8.0. | 1.8.1 |
Various improvements have been made to the tunnel hole-punching algorithm to increase the chances of a direct tunnel being established. | 1.8.0 |
VLAN mode for gateways with Realtek NICs did not work correctly. | 1.8.0 |
Components to be upgraded
New firmware is available for the following applications.
BlastShield™ orchestrator.
BlastShield™ gateway.
BlastShield™ host agent.
BlastShield™ desktop client.
Upgrade instructions
Upgrade your BlastShield™ desktop client.
See the following page for details. Update the BlastShield™ Desktop Client
Upgrade the firmware of the BlastShield™ orchestrator.
See the following page for details. Upgrade the Orchestrator firmware
Upgrade the firmware of the connected BlastShield™ gateways.
See the following page for details. Upgrade the Gateway
Upgrade your BlastShield™ host agents.
See the following pages for details. Upgrade an Agent from the host or Upgrade the Agent from the Orchestrator
Feature Descriptions
Egress policies for endpoint external network access
External network access for endpoints behind a gateway can now be controlled with egress policies. This allows endpoints isolated behind a Gateway to have external access for a software update, for example.
The Egress Policy menu in the Orchestrator allows policies for external network access to be configured on a per-endpoint group basis, where the groups are defined in the Orchestrator Groups menu. Allowed destinations may be defined either by network prefix or by DNS names and the policy may be further controlled by specifying an allowed service. An egress policy may be enabled or disabled from the Orchestrator if the external network access is only temporary.
To learn more about Egress Policies, please click on this link
To learn how to configure an Egress Policy, please click here.
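The following is an added example, not BlastShield™ code: a small Python model of the egress decision described above (per-group policies, destinations by prefix or DNS name, optional service, enabled flag). It treats prefixes and DNS names in one policy as a union and compares DNS names case-insensitively. The class, function and policy names, the default-deny fallback and the "empty service list means any service" rule are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class EgressPolicy:
    name: str
    group: str                                      # endpoint group the policy applies to
    prefixes: list = field(default_factory=list)    # allowed destination prefixes
    dns_names: list = field(default_factory=list)   # allowed destination DNS names
    services: list = field(default_factory=list)    # (proto, port); empty = any (assumed)
    enabled: bool = True                            # "Policy Enabled" state

def destination_matches(policy, dst_ip, resolved):
    """True if dst_ip is inside a prefix OR is an address of an allowed DNS name."""
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in ipaddress.ip_network(p) for p in policy.prefixes):
        return True
    for name in policy.dns_names:
        key = name.lower().rstrip(".")              # DNS names compare case-insensitively
        if str(ip) in resolved.get(key, set()):
            return True
    return False

def egress_allowed(policies, group, dst_ip, proto, port, resolved):
    """Return the name of the first enabled policy that permits the flow, else None."""
    for p in policies:
        if not p.enabled or p.group != group:
            continue
        if p.services and (proto, port) not in p.services:
            continue
        if destination_matches(p, dst_ip, resolved):
            return p.name
    return None                                     # assumed default: no match, no egress

# Constructed sample data (documentation address ranges, hypothetical names).
RESOLVED = {"updates.example.com": {"198.51.100.10"}}
POLICIES = [
    EgressPolicy("plc-updates", "plc-endpoints",
                 prefixes=["203.0.113.0/24"], dns_names=["Updates.Example.COM"],
                 services=[("tcp", 443)]),
    EgressPolicy("hmi-temporary", "hmi-endpoints",
                 prefixes=["0.0.0.0/0"], enabled=False),
]

if __name__ == "__main__":
    for dst in ("203.0.113.7", "198.51.100.10", "192.0.2.1"):
        print(dst, egress_allowed(POLICIES, "plc-endpoints", dst, "tcp", 443, RESOLVED))
```

A model like this is useful as a review aid: listing the flows a policy set permits per group makes an overly broad prefix or a forgotten temporary policy easy to spot before it is enabled.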
Remote CLI console for Gateways
A CLI console for remote configuration, management and troubleshooting of gateways is available from the orchestrator UI.
This permits an Orchestrator user to log in remotely to the CLI console interface of a Gateway and access the console functionality, which lets the user view logs and peer connections, configure the Gateway's network interfaces, access the shell and reboot the Gateway.
To learn how to use the Gateway remote CLI console access, click here.
Enabling and disabling of policies
Individual policies may be enabled and disabled from the Orchestrator policy menu page. This makes it quick and easy to manage the applicability of policies and retain them in the Orchestrator even when they are not being applied to a node.
A policy may be controlled by checking or unchecking the Policy Enabled checkbox.