8.1.10 Release Notes

Fixed an issue where Azure Standard_B1ms SNAT-enabled Egress Spoke Gateways experienced severe throughput drops under high connection loads. Resource handling has been optimized to sustain expected connection levels without traffic collapse.

Resolved a CoPilot UI bug where SmartGroups and ExternalGroups with multiple filter sets did not display correctly after being saved. The UI now accurately preserves and displays all configured filter sets.

Fixed an issue in OCI environments where new CIDRs added to a VCN were not reflected in the Controller after the initial spoke-transit attachment. The Controller now correctly refreshes and includes newly added CIDRs, enabling gateway deployment in those ranges.

Fixed a problem where PEM certificate files containing a Unicode Byte Order Mark (BOM) failed to apply and could crash the Controller with a missing private key error. The Controller now strips BOM markers automatically, ensuring reliable certificate uploads.

Corrected Controller UI upgrade messaging during large-scale gateway software upgrades. The workflow no longer shows repeated, incomplete, or “undefined” entries. Status reporting now accurately reflects upgrade progress and completion.

Fixed an issue where, after upgrading to 8.1.0, Edge gateways with multiple WAN interfaces bound the StrongSwan service only to the first interface. IPSec tunnels now establish properly across all WAN interfaces without requiring manual restarts.

Resolved an issue where refreshing VPC/VNet route tables in CoPilot caused the primary gateway SNAT IP to be removed from all route tables, or HA routes to be missing. The refresh process now consistently preserves and propagates both primary and HA gateway SNAT/DNAT routes.

Fixed a CoPilot bug where using Administration > Upgrade > Upgrade Plan to upgrade a Gateway image from 8.0.0 to 8.1.0 did not launch the correct containerized image, leaving the Gateway on the original version. Upgrade plans now correctly trigger containerized image upgrades.

Fixed an issue where restarting the Controller (cloudxd) or upgrading it could cause high CPU utilization and temporary traffic loss when BGP communities were configured. Route propagation logic has been improved to avoid disruption and reduce CPU spikes.

Fixed a regression where deleting a cloud account from the Controller failed to trigger email notifications. Notification handling now ensures emails are sent to configured recipients, restoring audit visibility.

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

In Controller release 8.0, gateway software upgrades take longer to complete compared to earlier versions. On average, the upgrade rate drops from approximately 14 gateways per minute in version 7.2 to approximately 11 gateways per minute in 8.0, which is an increase of about 20% in execution time.

Affected Scenarios:

Impact:

Only the upgrade duration is affected. Gateway functionality remains unaffected after a successful upgrade.

Recommendations:

When Distributed Cloud Firewall (DCF) is enabled, policy-based Site-to-Cloud (S2C) traffic may be misclassified due to how the traffic flows through the gateway. This can lead to unintended blocking or incorrect policy enforcement.

Workaround:

Impact:

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Workaround:

Impact:

When using Threat Intelligence (ThreatIQ) external groups in Distributed Cloud Firewall (DCF), gateways may log field threat_severity not found errors if unsupported selectors (such as threat_severity) are used.

These configurations are currently accepted by the Controller without validation, but the unsupported selectors are ignored during policy enforcement, and repeated error messages are logged.

Workaround:

Impact:

Resolution:

Future enhancements will add validation during configuration and UI notifications when unsupported selectors are used.

When using Distributed Cloud Firewall (DCF) Layer 7 rules with Smart Groups that contain tagged resources, no bell notifications appear when configuration issues potentially block traffic. This affects deployments where Smart Groups match resources by tags (such as AWS instance tags) rather than static IPs or CIDRs. Although traffic is enforced correctly, administrators may not be alerted to the problematic configuration.

Affected Scenario:

Workaround:

Impact: Only affects notifications. Traffic enforcement continues to function as expected.

Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration.

Workaround:

Impact:

OpenVPN Okta authentication does not support the new Okta Integrator Free Plan URL format (https://integrator-xxxxxx.okta.com), which replaced the Developer Edition on July 18, 2025.

When using this new format, the Controller shows a "Not a valid Okta URL" error because it only accepts the older dev-xxxxxx.okta.com format.

Affected Scenarios:

Workaround:

Use an Okta paid plan with supported URL format.

Existing setups using the old Developer Edition will keep working until Okta deactivates them.

Resolution:

A fix to support the new format is planned for release 8.2.0 or later.

Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.

When upgrading the Controller from version 8.0.30 to 8.1.10, the UI may display a misleading "Service temporarily unavailable" error message immediately after the upgrade begins. This message can persist for 5–10 minutes but does not indicate upgrade failure. The upgrade continues normally in the background and the Controller becomes accessible again once the upgrade finishes.

Impact:

Workaround:

In some cases, the Controller UI may not display the kernel version for gateways, even though the correct version is present on the gateway itself. This typically affects environments with a large number of gateways (500+) that have gone through multiple upgrade cycles.

Impact:

Workaround:

In large-scale deployments with 1300+ gateways, enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) can cause gateway configurations to become out of sync with the Controller. Even after disabling DCF S2C, the issue may persist and lead to elevated Controller resource usage.

Impact:

Workaround:

During software upgrades of Edge gateways from 8.1 to 8.1.10, services may restart as part of the upgrade process, which can cause temporary traffic disruption.

Impact:

Workaround:

Recommendations:

The Controller may fail to automatically restart gateways after a Controller power cycle or restart. This occurs because the auto-restart task scheduler does not resume properly after reboot, preventing the gateway auto-recovery function from working.

Impact:

Affected Configuration:

Workaround: