Skip to main content

8.2.0

Release Date: 22 December 2025 Follow these links to learn about what’s new in this release: Deprecation Notices in Release 8.2.0 New and Enhanced Features in Release 8.2.0 Preview Features in Release 8.2.0 Behavior Changes in Release 8.2.0

Deprecation Notices in Release 8.2.0

Legacy Controller UI

The legacy Controller UI is deprecated in 8.2.0. Migrate all operational workflows to the modern UI. Legacy components will be removed in a future release.

Gateway Audit Status (Full Removal)

Gateway audit status indicators have been fully removed from the UI and API. Enhanced policy/rule change audit capabilities supersede this legacy mechanism.

Default Deny System Rule (Legacy Form)

The historical default deny bootstrap rule has been relocated into the user-manageable ruleset. Both legacy allow/deny bootstrap rules may be safely removed after confirming equivalent policy coverage.

New and Enhanced Features in Release 8.2.0

FlightPath 2.0

Adds deep, topology-aware troubleshooting:
  • CAI metrics for real-time analysis
  • Hop-by-hop path visualization
  • Route analytics accelerating root-cause isolation across multi-cloud fabrics
  • Improves operational visibility and reduces MTTR for complex network issues.

OCI Support with Distributed Cloud Firewall (DCF)

Aviatrix Cloud Firewall now supports Oracle Cloud Infrastructure (OCI) in addition to AWS, Azure, and GCP.
  • Enforce DCF rules on OCI gateways
  • Unified security posture across multi-cloud environments
See Distributed Cloud Firewall (DCF) on OCI for more details.

TLS Profile Extensions for DCF

Provides granular control over origin certificate validation for traffic inspected by DCF:
  • Per-rule TLS profiles replacing global settings
  • Support for multiple custom CA bundles
  • Stricter validation for sensitive workloads Benefits: Enhances compliance and security for encrypted traffic.

Hierarchical (MultiWriter) Policy via Terraform

Introduces hierarchical policy structure and attachment points for distributed policy management:
  • Enables multi-team collaboration and RBAC
  • Full Terraform support for creating and managing hierarchical policies
Benefits: Enterprise-scale governance and automation. See Managing MultiWriter Policies with Terraform for more details.

Logging Enhancements (Session Profiles)

Configurable session-level logging with flexible options:
  • Log at Start, End, or both
  • Adds session attributes such as duration, bytes transferred, and stage
  • Includes API and Terraform support for log profiles
  • Improves troubleshooting and compliance reporting.
See Distributed Cloud Firewall (DCF) Logging for more details.

Controller CA Rotation

Zero-downtime rotation of the Controller’s CA certificate to improve cryptographic agility and security posture. See details in CA Certificate Rotation of Internal Service.

Terraform Provider Updates

Adds and expands resources and attributes for:
  • IPv6 constructs (dual-stack enablement metadata)
  • Smart Gateway settings
  • IPS (Suricata-based) profiles
  • Advanced SNAT/DNAT options
  • Hierarchical / MultiWriter policy attachments
  • Logging and TLS profile objects

Supporting Kubernetes Private Cluster

Introduces support for Kubernetes private clusters in policy enforcement and SmartGroup discovery, enabling secure and compliant operations for containerized workloads. See Deploying DCF on Private Kubernetes Clusters for more details.

Upgrade Ciphers to NIST Standards for IPsec

Enhances IPsec encryption to meet NIST recommendations for stronger security:
  • Default tunnel attachments use AES-256-GCM for improved cryptographic strength
  • Weak ciphers are deprioritized when both endpoints support stronger options
  • Supports progressive migration of existing gateways to stronger ciphers
  • May require image upgrades for legacy gateways
Benefits: Aligns with FIPS 140-2/140-3 compliance and strengthens encryption for multi-cloud deployments. See Controller NetFlow Integration, Controller IPsec Configuration, and IPsec Tunnel Configurations for more details.

BGPoLAN Gateway Resizing

Enables dynamic resizing of BGPoLAN gateways to smaller AWS instance types when interface count requirements are met:
  • Supports downsizing below 4xlarge without service disruption
  • Validates interface count to ensure compatibility with target instance type
  • Helps customers reduce operational costs while maintaining connectivity
Benefits: Improves flexibility and cost optimization for BGPoLAN deployments. See BGPoLAN Gateway for more details.

Preview Features in Release 8.2.0

IPv6 Capability – Phase 1 (Preview)

Dual-stack (IPv4 + IPv6) enablement across Controller, CoPilot, AWS, and Azure:
  • Gateways, FireNet, segmentation domains, and S2C with Edge support
  • Terraform automation and diagnostics tooling
  • Early edge support
Benefits: Addresses IPv4 exhaustion and future-proofs deployments. See IPv6 Overview for more details.
IPv6 vendor integration in Azure is currently not functional. If you require vendor-driven IPv6 route programming in Azure, configure IPv6 routes manually in the firewall.

Active Mesh 4.0 – Phase 1 (Early Access)

Resiliency and lifecycle orchestration enhancements:
  • Primary gateway lifecycle control for safe deletion/replacement
  • Dynamic High-Performance Encryption (HPE) toggle
  • Make-Before-Break upgrade pipeline minimizing traffic impact
See ActiveMesh 4.0 for more details.

Smart Gateways – Phase 1 (Preview)

Early access fast convergence architecture:
  • Underlay fabric leveraging BGP-LU
  • Controller offload/headless resilience
  • Traffic drain/undrain operations
  • Enhanced telemetry export

Suricata-based IPS (Preview)

Inline detection & prevention with:
  • Customizable rulesets
  • External threat feed ingestion
  • Per-VPC/per-profile enforcement
  • Terraform + API automation
See Intrusion Prevention System (IPS) for more details.

Policy Audit Enhancement (Preview)

Structured diffs and change attribution (who/what/when) for DCF entities:
  • Exportable via API for compliance and CI governance pipelines
See Distributed Cloud Firewall (DCF) Policy Audit for more details.

DCF Serverless Rule Support (Preview)

AWS Lambda discovery and Smart Group-based policy application:
  • Enables least-privilege egress control for ephemeral serverless workloads
Managing Serverless Resources with DCF for more details.

Bump-in-the-Wire for AWS TGW + Cloud WAN (Preview)

Inter-VPC traffic inspection mode without TLS decryption:
  • Focused on PaaS and east-west visibility scenarios

IPv6 Edge Strategy (Additional Preview Scope)

Early routing behaviors and observability hooks:
  • Extends dual-stack support toward edge and hybrid perimeter use cases beyond core Phase 1 footprint

Behavior Changes in Release 8.2.0

Upgrade Flow Enforcement

Ordered Controller → Gateway sequencing via discrete API calls to prevent mixed-version operational states.

Default Deny System Rule Relocation

Legacy system default deny rule appears within user rulesets; administrators must explicitly retain or replace baseline posture. Legacy bootstrap artifacts can be removed.

Session Logging Behavior

Session logging supports Start, End, or Both lifecycle points with enriched metadata; review log retention policies due to potential volume increases.

Default IPv6 Route Propagation

When IPv6 is enabled, paired IPv4/IPv6 default routes propagate and display together, influencing route approval and governance workflows.

Enhanced IPS & DCF Logging Semantics

Unified, structured log events (high precision timestamps) across IPS and DCF streams improve correlation for analytics, SIEM pipelines, and forensic workflows.