9.0.2 Release Notes

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

• Barracuda NextGen and CloudGen Firewall Appliances - EoS / EoL Definitions

• End-of-Support for CloudGen Firewall Firmware

CloudGen Access Proxy

Using Special Characters when Creating a Section in the Forwarding Ruleset

After the update to 9.0.2, '-' is the only special character that is allowed to be used in firewall section names.

SAML Authentication

The SAML authentication issue has been fixed. However, to work as expected, the SAML authentication must be re-enabled in the user interface.

Firmware version 9.0.2 is a minor release.

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 9.0.2, Barracuda Networks recommends using at least Firewall Admin version 9.0.2. You can download this version here: https://dlportal.barracudanetworks.com/#/packages/5843/FirewallAdmin_9.0.2-58.exe

Who Can Update to Firmware Release 9.0.2

Read the Migration Notes 9.0.2 before updating to firmware 9.0.2.

For more information on the migration process, see the article Migration Notes 9.0.2.

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Are No Longer Included as of this Version 9.0.2

FW Audit

As of firmware 9.0.0, FW Audit is being discontinued. If you have been using FW Audit for reporting in the past, Barracuda Networks recommends using Barracuda Firewall Insights for advanced reporting instead.

Web-UI

As of firmware 9.0.0, support for the Web-UI is being discontinued.

SMSd

As of firmware 9.0.0, the SMSd is being discontinued.

WANopt

As of firmware 9.0.0, WANopt is being discontinued.

Features that Will Become Obsolete in an Upcoming Release

If you are currently using one of the features listed below, consider planning to switch to an appropriate alternative.

As a minor release, version 9.0.2 contains important fixes.

Authentication

• TS Agent and DC Client users are now synced properly between HA partners.    [BNNGF-90958]

• The authentication service now sends special characters correctly with the RADIUS authentication scheme.    [BNNGF-90980]

• Template admins no longer experience issues in connection with different admin-handler daemons.    [BNNGF-90984]

• SAML authentication now works as expected after re-enabling it manually in the user interface. [BNNGF-94611]

Barracuda Firewall Admin

• Barracuda Firewall Admin reads the authentication database as expected.    [BNNGF-92030]

• Barracuda Firewall Admin is no longer slow to respond with multiple GTI tunnels.    [BNNGF-92048]

• Disabling Force regular password change for CC Admins now works as expected.    [BNNGF-93020]

• In-place edit of NAT mode or policy usage now works as expected.    [BNNGF-93161]

• Firewall Admin no longer crashes when the VPN tab is opened.    [BNNGF-93497]

• Several bugs causing memory issues in Firewall Admin have been solved.    [BNNGF-93602]

• In the Control Center, the menu entries in the configuration tree for Show Back Links...  and Show Back Link Overrides are now displayed as expected.    [BNNGF-93816]

• The preset value for transport classes for providers can now be overridden for site-to-site GTI transports.    [BNNGF-94054]

• The DST criterion is now allowed to be used in the URLCat and FileContent policy list and in the URLCat in the dialog.    [BNNGF-94213]

Barracuda OS

• Memory leaks no longer occur in certain situations.    [BNNGF-78803]

• VRF now works on Bond with VLANs as expected.    [BNNGF-84386]

• Error messages are no longer displayed if the kernel parameter is set to 'ACPI=off'.    [BNNGF-85369]

• SNMP queries now work as expected.    [BNNGF-87467]

• Unexpected HA failovers no longer occur in certain situations.    [BNNGF-88845]

• SNMP memory leaks no longer occur in certain situations.    [BNNGF-90956]

• The status display Neg.  for auto-negotiation of network interfaces now shows correct values.     [BNNGF-91050]

• Sessions from dynamic rules are now correctly terminated when the dynamic rule expires or is disabled.    [BNNGF-91184]

• Duplicate MAC addresses no longer occur after HA pairing. [BNNGF-91977]

• The PPE config file is now applied as expected during a box installation.    [BNNGF-92437]

• The cctool command line tool is now also available for boxes.    [BNNGF-92462]

• Re-imaging boxes with ISO images now works as expected.    [BNNGF-92603]

• The control daemon no longer crashes in certain situations.    [BNNGF-92694]

• After an update via the DASHBOARD, all update/hotfix files will be removed from the filesystem as expected.    [BNNGF-92758]

Cloud General

• The CLOUD-LB-PROBE rule is now included in the default FW ruleset again.    [BNNGF-94128]

Control Center

• Force password change on next login for CC Admins now works as expected.    [BNNGF-78889]

• The trustzone-sync no longer stops syncing information in certain situations.    [BNNGF-91358]

• Performing a ccactivate on a Control Center now updates licenses correctly.    [BNNGF-91981]

• After updating a Control Center to a firmware version greater than 9.0.x and rolling out a user for OTP, emails are now sent out as expected.    [BNNGF-92695]

• The CONF service no longer crashes in certain situations, and GTI tunnels now remain functional in their configured ranges.    [BNNGF-93017]

• Accessing/showing the Firmware Update tab no longer responds slowly.    [BNNGF-93152]

DHCP

• Multihoming no longer causes issues with relay agent IP addresses.    [BNNGF-90960]

• DHCPv6 relay now forwards requests on all available interfaces.    [BNNGF-93780]

Firewall

• Replacing a single certificate after a whole certificate chain file was imported now works as expected.    [BNNGF-86558]

• In case a box has a corrupt ruleset caused by a faulty object reference, an appropriate warning is displayed.    [BNNGF-90551]

• SSL Inspection no longer fails for new connections after a longer period.    [BNNGF-91043]

• Terminating existing sessions on scheduled objects now works as expected.    [BNNGF-91568]

• Flood ping protection thresholds now work as expected.    [BNNGF-91605]

• Binding the resolver connection to the DNS Caching service no longer blocks other services.    [BNNGF-91666]

• Some affected ipoque applications now work as expected with app-based provider selection.    [BNNGF-91983]

• CNA + CTA now honor port filters as expected.    [BNNGF-92511]

• Reconfiguring the WSG bridge no longer breaks ARP negotiations.    [BNNGF-92703]

• The custom user agent is matching for all described test scenarios and pages are blocked with a proper block page.    [BNNGF-92802]

• Websites are now blocked correctly (URL filter, TLS encryption) on old browsers like Internet Explorer.    [BNNGF-92965]

• Tickets can be created, edited, and saved as expected for the guest ticketing system.    [BNNGF-93071]

• The web monitor "suspicious keyword" search has been adjusted to be appropriately sensitive.    [BNNGF-93236]

• The OP-SRV-VPN-DYNIF rule now works correctly if xDSL is used.    [BNNGF-93253]

• After a reboot, the firewall no longer writes call traces to the logs that are related to the offloading settings in Azure boxes. Warnings, errors, and other information are written to the log as expected.    [BNNGF-93282]

• Improvements have been made to shaping performance.    [BNNGF-93377]

• HTTPS traffic is now detected as expected for Internet Explorer. [BNNGF-93486]

• A new user agent was added that matches the Microsoft CryptoAPI.    [BNNGF-93822]

• The detection of MS Office files has been improved.    [BNNGF-93824]

• The memory handling for uports in the SIPS proxy no longer causes out-of-bounds errors and now works as expected.    [BNNGF-93859]

REST

• Some REST-related incompatibilities have been successfully removed.    [BNNGF-93155]

• The site-specific object confunit now works for cluster firewall services.    [BNNGF-93734]

• The underscore character ( _ ) is now allowed for site-specific objects.    [BNNGF-94051]

HTTP Proxy

• Exchange authentication over the reverse proxy now works as expected.    [BNNGF-90426]

• Error pages are now located at their appropriate place.    [BNNGF-93482]

Virus Scanner

• Timeouts of the AV no longer occur.    [BNNGF-92968]

VPN

• Wi-Fi traffic is moved into a VPN tunnel as expected.    [BNNGF-90957]

• The firewall no longer experiences unexpected high CPU loads with a large number of VPN tunnels.    [BNNGF-91223]

• Changes to a GTI transport configuration no longer cause secondary transports to be terminated on all tunnels.    [BNNGF-91452]

• IPSec/IKEv2 PSK authentication has been added to support Android.    [BNNGF-92321]

• Client-to-site VPN with RADIUS MFA now works as expected.    [BNNGF-92696]

• Dynamic High-Performance mode now contains the 3 new options for configuration: Auto mode, No mode, and Dynamic mode.    [BNNGF-92810]

• SSL VPN License Count now works as expected.    [BNNGF-92964]

• Changes to Log Level For Proxy no longer require a manual restart so that a client can connect.    [BNNGF-93428]

• GTI no longer causes Firewall Admin to crash during connections to 8.3 Control Centers.    [BNNGF-93434]

• The configuration for VPN/IKEv2 is loaded correctly.    [BNNGF-93779]

• Barracuda OS – If a QoS profile has been created and assigned to a physical interface, this profile will be automatically overwritten by the simple QoS band when performing an HA failover or deleting the VPN tunnel assigned to this physical interface.    [BNNGF-90831]

• Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported.    [BNNGF-74540]

• Firewall - App Detection – Initially failing app detection or invalid TLS certificate due to large Client Hello.
  Certain browsers force the use of Kyber, a post-quantum key agreement algorithm, in TLS. In turn, the Client Hello gets unusually large and initially might cause app detection to fail or an invalid TLS certificate for TLS inspection. After a page refresh in the browser, the app is detected correctly and the TLS certificate is valid.     [BNNGF-93365]
  
  Workaround: A workaround is to disable the flag "TLS 1.3 hybridized Kyber support" / X25519Kyber768 in Google Chrome (chrome://flags/), Microsoft Edge (edge://flags/), and "security.tls.enable_kyber" in Firefox (about:config).
  For Google Chrome and Chrome OS there is also a policy that can alternatively be used to control this flag. See https://chromeenterprise.google/policies/#PostQuantumKeyAgreementEnabled.

• Licensing – If the pool license is renewed, the permission scope for pool licenses is reset.    [BNNGF-94610]

• SSL-VPN and Cuda-Launch – Shared folders are no longer accessible via CudaLaunch if the name of the shared folder contains a blank space.    [BNNGS-3970]
  
  Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20.

• Telemetry – For managed firewalls note that settings displayed in the UI on the Control Center and the managed box can differ depending on the cluster and firmware version.    [BNNGF-89044]

• VPN – Dynmesh tunnels do not get established when both sites are behind a NAT after updating to 9.0.0.    [BNNGF-90377]