New Features and Enhancements:

• Sri Lanka country support.
• Designated broadcast and multicast forwarding support. This feature allows the access point (AP) to drop all unwanted broadcast and multicast traffic that reaches local wireless clients through a wired connection.
• Support for Layer 2/Layer 3 (L2/L3) access control lists (ACLs). Use this feature to control traffic entering or leaving the WiFi networks based on MAC and IP addresses.
• Change of Authorization (CoA) support for RADIUS-based external captive portal authentication.
• Option to separately enable or disable 802.11k/v protocols when the AP is managed through NETGEAR Insight. Now these protocols can be enabled irrespective of the 802.11r and band steering configuration.
• Option to check the reachability of the configured RADIUS server from the AP.
• Support for additional special characters in the device login password.
• Enhanced logic to prevent client connectivity issues while the AP scans for neighboring APs.
• Blocking of IPv6 traffic for a client that is connected to a guest SSID until the client is authenticated.
• After a captive portal session expires for a client, the client is now disconnected from the SSID so that the client can be automatically redirected to the captive portal login page.
• Option to configure the DTIM interval, beacon interval, broadcast/multicast rate limiting, ARP proxy, and DHCP offer for broadcast traffic from NETGEAR Insight.
• Alarms are now generated if a RADIUS server failover occurs.
  An alarm is generated if the primary RADIUS server becomes unreachable and a switchover occurs to the secondary RADIUS sever, or the other way around. An alarm is also raised if only a single RADIUS server is configured and the RADIUS server stops responding to the requests from the AP.
• Load balancing alarms now include the reason a client is denied a connection to the AP.
• Support for broadcast probes when you probe clients.

Bug Fixes:

• Fixes the issue where an access point (AP) that is running firmware version 10.8.5.7 and has an uptime of more than 10 days might lose connectivity to Insight or a new AP configuration on Insight might not be applied to the AP.
• Fixes the issue where the data path is blocked for clients that are connected to a guest SSID if the session length value is not present in the RADIUS access-accept message from the external captive portal server.
• Fixes the issue where the error message “ERR_TOO_MANY_REDIRECTS" is shown on the splash page while authenticating through an external captive portal server.
• Fixes the issue where a client that is connected to a guest SSID might get Internet access without authentication.
• Fixes the issue where a client that is connected to a guest SSID might access HTTPS websites without authentication.
• Fixes the issue where 802.11r roaming does not work if only a 6 GHz SSID is configured.
• Fixes the issue where the spatial stream configuration is shown as 3x3 instead of 4x4 for the 5 GHz radio on the AP Dashboard and on the monitoring page when the AP is operating on 802.3at power.
• Fixes the issue where the OWE Transition SSID is not broadcast for the 5 GHz radio even though the 5 GHz radio is enabled.
• Fixes the issue where re-association alarms are not sent by the AP after roaming.
• Fixes the issue where invalid RSSI values are  shown for neighboring APs.
• Fixes the issue where clients connected to the same SSID and the same radio can ping each other even though client isolation is enabled.
• Fixes the issue where the AP sends duplicate alarms on client association and re-association.
• Fixes the issue where clients are not redirected to the splash page during captive portal authentication if the AP is configured with a non-default management VLAN.
• Fixes various stability issues that are related to the Captive Portal feature.
• Fixes issues that are related to system stability.

Known Issues:

• The CPU utilization can become high, and throughput might be impacted when 8 SSID and 256 ACL groups are configured.
  Workaround: Do not configure a large number of SSIDs when you also use a large number of ACL groups.
• Changes to a NAT SSID configuration might take up to 3 minutes to be applied.
  Workaround: Wait at least 3 minutes before connecting any clients.
• The AP stops responding after changing or enabling an Instant Captive Portal and then changing or enabling a dynamic VLAN (DVLAN) configuration, or the other way around.
  Workaround: After enabling the Instant Captive Portal, wait a few minutes before enabling the DVLAN configuration. Or, after enabling the DVLAN configuration, wait a few minutes before enabling the Instant Captive Portal.
• Clients connected to a captive portal that is configured on an SSID might not see the splash page for authentication when the VLAN of the SSID is the same as the management VLAN, a VLAN that is configured as a DVLAN, or a VLAN that has a Multi Pre-Shared Key (Multi PSK) configured.
  Workaround: For the SSID on which the captive portal is configured, use the default VLAN or a unique VLAN that is not used as the management VLAN, that is not a DVLAN, or that does not use Multi PSK.
• A RADIUS based MAC ACL does not work with Multi PSK and DVLAN.
• With the mDNS Gateway feature enabled, a device running Windows might not discover certain printers.
  Workaround: Manually add the IP address of the printer on the Windows device.
• With the mDNS Gateway feature enabled, even though Apple AirPlay services are discoverable, they might not be accessible.
• Your web browser might not redirect automatically to the login page after a firmware upgrade.
  Workaround: Refresh the web browser.
• Radio information on the AP Dashboard page might not be displayed properly.
  Workaround: Refresh the web browser.
• Captive portal authentication does not work if the captive portal and the VLAN configuration for an SSID are changed simultaneously.
  Workaround: Change either the captive portal configuration or the VLAN configuration for an SSID and save the changes. Then go back to the SSID and make the other configuration changes.
• When client isolation is enabled for an SSID, clients that are connected to this SSID cannot reach each other even if their IP addresses are added to the allowed list.
• Clients that use the Intel AX210 might encounter disruptions when roaming.
• Video streaming to multiple clients does not work properly if there are more than eight clients in a single multicast group.
• If clients experience connectivity issues on the higher band channels of the 5 GHz radio and subsequently switch to the 2.4 GHz radio, they might experience lower throughput.
  Workaround: Configure lower band channels on the 5 GHz radio.
• Some newer IoT devices might experience issues connecting to the AP.
  Workaround: Upgrade the IoT devices to the latest driver version and try again. If security is set to WPA3 or WPA2/WPA3 mixed mode, change it to WPA2 mode, and try again.

Download Link: https://www.downloads.netgear.com/files/GDC/WAX620/WAX620_firmware_V10.8.6.3.zip

Firmware Update Instructions:

To update the firmware of your product, follow the instructions mentioned in the product manual. To refer the user manual, visit https://www.netgear.com/support/, enter your model number in the search box, and click the Documentation button on the product page.