Actions required when upgrading

This section describes changes in Airlock Gateway 8.4 that may require manual actions. Read this section carefully to see whether your configuration is affected.

Breaking changes

  • The size of the root partition will be increased to 10GB if currently smaller during the update. The /var partition will be decreased to accommodate the increase. Therefore, ensure the /var partition has at least 3GB plus the size of the update zip file free before starting the update process.

Airlock Anomaly Shield

In Airlock Gateway 8.4, improvements have been made to the Query Parameter Model. This model now analyzes body parameters and is effective against attacks like password spraying or credential stuffing. Special care has been taken to consider power users and to protect the model against inflated parameter usage.

Anomaly Shield now offers a Quick Start, enabling a risk-free setup in under five minutes. It uses specialized ML methods to suggest five suitable mappings automatically and trains the models immediately without configuration or license required. The process is risk-free, as Anomaly Shield operates in log-only mode after setup. Kibana visualization remains available for immediate result analysis.

Automatic upgrade actions:

  • Updating to Airlock Gateway 8.4 will add new columns to the database schema.
  • Existing trained models will be removed because the new version of Anomaly Shield provides improved models.

After the upgrade, follow our approach for migration from 8.3 to 8.4:

  1. Re-train the models as described in the article Training and model enforcement.
  2. Enforce the prepared model to secure your Anomaly Shield application as before the upgrade.
  3. (Suggested) settings:
    • Enable training data collection for your Anomaly Shield application to collect traffic. It is recommended to keep training data collection enabled at all times so that automatic retraining can be used.
    • For Automatic retraining, we recommend the Retrain and enforce setting.
    • For Training strategy, we recommend the default setting Best sessions.
    • Comment out any custom Anomaly Shield threshold settings on your mappings to take advantage of the improved false-positive detection.

ICAP services

Airlock Gateway setups with ICAP services configured must check the path pattern in the mappings. ICAP services that define a path pattern are flagged by a validator.

Check the ICAP path pattern

  1. Click on the error sign next to the Activate button.
  2. An error with the message The mapping <mapping name> has a path pattern that must be verified by hand. For more information ... is raised. Click on the link <mapping name> to switch to the affected mapping.
  3. Expand the ICAP service.
  4. The regex comment (?#check this ICAP path pattern) has been prepended to the configured path pattern.
  5. Remove the regex comment (?#check this ICAP path pattern) and verify that the path pattern is valid. Ensure that the pattern is a path pattern and not a URL pattern.
  6.  
    Info

    Path patterns describe the path to a specific resource or functionality on the web, whereas URL patterns also include the protocol (HTTP or HTTPS) and the Fully Qualified Domain Name (FQDN) used.

  7. Examples for path patterns

    • ^/upload/
    • ^/internal/transfer/
    • ^/myApp/scan/.+\.(zip|tar|tar\.gz|gz)$

  8. Examples for invalid or unsafe path patterns

    • https?://[^/]+/upload/
    • ^https?://[^/]+/upload/
    • https?.+/upload/
    • https://myhost:8080/upload/
    • .*/upload/
    • ^.+/transfer/
  9. Click on Validate to process the validators.
  10. Re-start at 1. of this instruction list if there are any other mappings raising the same error.
 
Info

It is highly recommended that you test your ICAP service configuration after upgrading.

OpenAPI specification enforcement

In Airlock Gateway 8.4, OpenAPI specifications can now be enforced based on the entry path. The benefit of this new feature brings potential reduction in Mappings. This improvement introduces changes which should be taken care of.

Introduced changes

  • The path for published OpenAPI specifications has changed. For more detail see Section – OpenAPI.
  • The Security Gatekeeper Expert-Setting OpenApi.Response.Validation.Strict is available in the Configuration Center under Check responses. Remove the Expert-Setting and configure Check responses with the desired behavior.