Airlock Gateway 8.6
Airlock Gateway 8.6 strengthens protection, improves automation and reduces operational effort across key areas. The release introduces major improvements to Airlock Anomaly Shield, adds support for Red Hat OpenShift Virtualization, enhances DoS protection, extends ACME automation to the Configuration Center, and expands REST API capabilities.
Airlock Anomaly Shield: More accurate detection with less operational effort
Airlock Anomaly Shield now detects suspicious behaviour more accurately while reducing operational effort. Gateway 8.6 improves model quality, extends the available data basis and optimizes model evaluation to reduce false positives, improve detection precision and simplify upgrades.
The improved Client Behaviour feature significantly reduces false positives. This has been achieved through enhancements to the underlying model algorithms, as well as refinements in the way models are trained.
In addition, an extended data collection now includes request and response content types, enabling more precise analysis and improved detection accuracy.
A new URL Model further improves behavioural analysis. It evaluates transitions between request paths and compares them with learned usage patterns. If a session deviates significantly from expected navigation flows, Anomaly Shield identifies it as anomalous. This helps detect suspicious behaviour more effectively.
Optimized model evaluation improves performance. Anomaly Shield now evaluates models only as long as the classification of a session remains uncertain. Once it confidently identifies a session as normal, it stops further model evaluation. This reduces unnecessary processing and improves overall efficiency.
Pre-packaged models make upgrades to the latest Airlock Gateway version smoother. They eliminate the need for immediate model training after the upgrade and make the process faster and more efficient. If the training task uses the recommended setting “retrain and enforce”, Anomaly Shield automatically retrains models during the first night after the upgrade. After 35 days, once enough data has been collected, it performs a full retraining automatically. We recommend enabling both “retrain and enforce” and “training data collection” to keep operational effort low and ensure optimal model performance.
Enhanced Redis Monitoring automatically manages database cleanup based on current conditions. It dynamically adapts cleanup behaviour to both the fill level of the Redis database and the current traffic load. This ensures efficient resource usage and stable system performance.
Red Hat OpenShift Virtualization: Run Gateway on OpenShift
With Gateway 8.6, Airlock Gateway can be operated with Red Hat OpenShift Virtualization. This allows customers to standardize on OpenShift as their Kubernetes platform and "lift & shift" existing workloads while keeping a proven security gateway in place.
Running Airlock Gateway on OpenShift enables a more declarative, Kubernetes-native deployment approach.
Key benefits:
- OpenShift support: Operate Airlock Gateway in Red Hat OpenShift and move forward with a consistent Kubernetes strategy.
- Declarative deployment: Benefit from Kubernetes-native configuration for predictable and repeatable rollouts.
- Migrate to Microgateway: Since Microgateway is OpenShift certified, customers can migrate service by service from Airlock Gateway to Airlock Microgateway at their own pace.
This extension strengthens Airlock Gateway’s fit for modern platform teams. Standardize on OpenShift today, and keep a clear, incremental path toward Airlock Microgateway tomorrow.
DoS protection – Protects backends from attacks
Airlock Gateway strengthens protection against denial of service (DoS) attacks and helps shield backend systems from such traffic. By blocking malicious actors already on Layer 3, unwanted traffic can be stopped using less resources, improving overall performance and reducing unnecessary load on backend services.
- Higher performance: Block DoS attacks early on Layer 3 to reduce load and improve overall efficiency.
- Backend protection: Keep backend services available and resilient under attack.
- Better insights: Benefit from operational improvements that provide clearer visibility into attack situations and protection behaviour.
This feature was built in close exchange with selected customers, ensuring it addresses real-world requirements from modern operations and security teams.
ACME Services: Certificate Automation for the Configuration Center
With Gateway 8.6, we are extending ACME automation to the management interface. In addition to automating certificates for protected web applications, Gateway can now provision and renew certificates for the Configuration Center using DNS-01. The DNS-01 support is especially useful for endpoints that are not publicly reachable.
Key benefits:
- Automated certificates for the Configuration Center: Use DNS-01 to provision ACME-based certificates for the management interface.
- Consistent certificate lifecycle management: Manage certificates for protected web applications and the Configuration Center with the same automated approach.
- Reduced operational effort and risk: Fully automated issuance and renewal helps prevent expired certificates on critical administrative access paths.
This improvement strengthens security for administrative access while further reducing manual certificate maintenance.
REST API enhancements: More automation, less effort
Airlock Gateway’s REST API is a key building block for automating configuration tasks in large environments. The automation toolkit now offers customers and partners more control in the following areas:
- Mapping import: Optional strict mode makes automated workflows safer and more predictable by failing on unresolved references.
- Allow Rules: These can now be created and updated using the REST API
- ICAP: The same ICAP service can now be used multiple times within a single mapping for more flexible inspection flows.
- Access roles: New dedicated roles for read-only and full access provide clearer separation of privileges and safer operations in automated environments.
- Documentation: Various refinements to the documentation make implementation and day-to-day work smoother.
These enhancements make the REST API an even more powerful tool for fully automated configuration workflows.
Add-on Tomcat: Tomcat 11 only (Java 17+ required)
As announced in the Gateway 8.5 release communication, starting with Gateway 8.6 the Add-on Tomcat is available exclusively in version 11.
Upgrade behaviour:
- An upgrade is possible if no Add-on Tomcat is installed or if Add-on Tomcat 11 is installed.
- An upgrade is not possible if Add-on Tomcat 9 is installed.
Starting with Gateway 8.6, only Tomcat 11 is supported. It requires Java 17 or newer. Please update your applications accordingly or deploy them externally on an older Tomcat version.
End of life
NTLM support: End of LifeNTLM has been part of Windows authentication for more than three decades, but it no longer meets modern security expectations. Microsoft classifies NTLM as deprecated and is moving Windows toward Kerberos-based authentication. Network NTLM is planned to be disabled by default in future Windows releases.
Microsoft highlights several security risks associated with NTLM, including weak cryptography, missing server authentication and exposure to replay, relay, pass-the-hash and man-in-the-middle attacks.
This industry shift also affects the software ecosystem around Airlock Gateway. Libraries used by Gateway, such as Curl, are phasing out NTLM support. As a result, Airlock Gateway is ending support for NTLM-based integration scenarios.
This affects:
- Front-side NTLM: Authentication of clients against Airlock IAM using NTLM
- NTLM passthrough: Clients authenticate with back-end systems through Airlock Gateway.
- NTLM SSO credential propagation: User identities are propagated to back-end systems using NTLM.
Airlock Gateway 8.6 is the last release supporting front-side NTLM, NTLM passthrough and NTLM SSO credential propagation. These features will be removed in the next Gateway release.
We recommend migrating to modern and more secure authentication protocols such as OIDC or Kerberos.
Hardened filter rules thanks to bug bounties
Last but not least, our Airlock Bug Bounty Program, successfully running since 2020, has led to numerous security improvements, which are now included in this release. We thank the white-hat hackers who share their findings with us. Learn more about the Airlock Bug Bounty Program here.
Updating is easy
Airlock Gateway 8.6 is now available on the Airlock Techzone. Updating to this minor version requires no manual adjustments – your existing configuration can be easily migrated and activated. A detailed overview of all updates and fixes can be found in the release notes.
Airlock Gateway 8.6
Release videoIn our release video you learn all the details about Airlock Gateway 8.6.
