Skip to main content

Release Notes

version 2.6.1 (2023-10-10)​

  • operating system kernel tuning parameters tweaked (to match with the AWS build) resulting in improved performance of the see-thru mode
  • health check logic now also waits for the firewall cache to build up a bit before giving a green light to the load balancer (and therefore accepting traffic on new VMs)
  • fixed a bug where a certain configuration of a Firewall Rule would have DiscrimiNAT drop all rules
  • two new warning log message types which indicate if the configured port in a Firewall Rule has a connection-level issue:
    • for example test for TLS on failed – port 80 was not listening with TLS
    • and for example timed out testing connection to – port 443 on that IP address is not open (from DiscrimiNAT's public IP point of view)
  • minor update to Terraform modules increasing the health check initial delay from 120 seconds to 360 seconds

version 2.6.0 (2023-07-11)​

  • the TLS notation for allowlisting now supports IP v4 addresses besides FQDNs (i.e. without SNI), for example discriminat:tls:
  • the see-thru monitoring mode now accepts all specifications of IP addresses, Protocols & Ports on Firewall Rules. Previously, it had required IP addresses to be set to and Ports & Protocols to be to set to all.
  • two new -flow log reason messages when a network packet is disallowed have been introduced:
    • cache not ready: this message is logged when a new address is added in the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP.)
    • spoofing detected: logged when TLS SNI has been manipulated and a connection is attempted to an IP address that doesn't otherwise belong to the given FQDN (in the SNI.)
  • enabled Finite Field Diffie–Hellman ciphers for TLS 1.2, for example DHE as opposed to ECDHE
  • enabled ciphers without Forward Secrecy for TLS 1.2

Breaking Changes

  • the -config log has its fqdn field name changed to addr. Field names have not changed in the -flow log.
  • in the -config log, association of a public IP for egress from the firewall had its category (cat field) set to static-ip. This is now set to egress-ip.

version 2.5.3 (2023-05-22)​

  • increased tolerance towards some rare TLS servers that otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them

version 2.5.2 (2023-03-16)​

  • change of base OS from Ubuntu 18.04 to Ubuntu 20.04
The CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 Level 2 - Server report is available upon request by contacting support. The image scored 215/219. An explanation will be attached for the unmet 4.

version 2.5.1 (2023-01-29)​

  • External IPs can now be pinned to specific deployments. If the value of a DiscrimiNAT instance VM label discriminat matches the label-key & value of an External IP, that External IP will be preferred for self-attaching. Fallback behaviour remains to self-attaching any allocated but unassociated External IPs with the label-key discriminat set to any value.
  • Terraform module updated to support custom deployment IDs (see variable custom_deployment_id), to optionally override the randomly generated ones. This allows fine-grained control over naming and can also be used for matching allocated External IPs to a specific fleet of DiscrimiNAT instances.
  • replaced google-fluentd with ops-agent. Ops Agent requires the Monitoring Metric Writer predefined role to be added to the service account. See our Service Account page for more details.

version 2.4.2 (2022-10-05)​

  • added support for Network Tags in Cloud Composer v2 GKE Clusters
  • improved audit (config) logging for subnets
  • improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)

version 2.4.1 (2022-05-05)​

  • fixed an excessive retries issue with automatic config building where the service account's role allowed querying of Service Projects but the Host Project did not have shared VPC setup enabled
  • fixed a sporadic connection reset issue, that emitted unexpected response in the logs, and which only occurred in the see-thru monitoring mode while connecting to a destination at very high latency

version 2.4.0 (2022-03-13)​

  • new warning message in config logs when a connection test to an FQDN, carried out by discrimiNAT itself, in any allowlist fails
  • serverless support introduced; VPC connectors from Cloud Functions etc. will have their outbound traffic filtered
  • added support for self-attaching an allocated External IP
  • change of one of the default scopes, when the service account is not overridden,from compute-ro to compute-rw; this is to support self-assignment of labelled external IPs
  • discrimiNAT's own instance ID added to every log line under the key instance, indicating which instance the log line was emitted from
  • updated TLS ECH draft extension identifiers

version 2.3.0 (2021-11-02)​

  • added support for shared VPC; now Service Projects can use a discrimiNAT instance deployed in their Host Project

version 2.2.0 (2021-08-31)​

  • see-thru mode introduced; build allowlists super-quick by putting a Firewall Rule in monitor mode first
  • improved handling for a large number of FQDNs in the allowlists
  • full bypass hook added; please reach out to support for instructions on this
  • updated TLS ECH draft extension identifiers

version 2.0.5 (2021-05-03)​

  • restricted firewall rule scanning to the same VPC as discrimiNAT firewall was deployed in

version 2.0.4 (2021-04-03)​

version 2.0.3 (2020-11-05)​

  • v2 launch
  • completely new architecture addressing the potential for mismatch of IPs addresses as looked up by a protected workload from the VPC resolver and as looked up by the discrimiNAT firewall
  • rewritten in Rust

version 20200529 (2020-05-29)​

available on request; v1 is now deprecated; please upgrade to v2

version 20200524 (2020-05-24)​

available on request; v1 is now deprecated; please upgrade to v2

version 20200516 (2020-05-16)​

available on request; v1 is now deprecated; please upgrade to v2

version 20191207 (2019-12-07)​

available on request; v1 is now deprecated; please upgrade to v2

version 20191107 (2019-11-07)​

  • v1 launch