8.3.4 Release Notes

Last updated on 2024-10-25 05:39:35

As the CloudGen Firewall has evolved over the years with its increasing number of features, the Release Notes articles have grown accordingly. This, in turn, has also added greatly to the number of entries in the menu column.

To make the Release Notes articles easier to read, they are now equipped with support elements that provide a better overview of all sections contained while making it easier to navigate between and inside these sections.

Each of these sections can be expanded and collapsed separately to show only what you are interested in. Simply click below a header line to expand or collapse a section.


	Note that depending on a certain release, the sections can vary both in content and number. In addition, a headline may be followed by certain symbols with the following meaning: Critical information to be considered. Important information included in the section. Updated information available. Product-related information, e.g., new features, solved bugs. Product-related information that relates to known bugs. Note that regular information boxes in blue are not explicitly marked in the headline but may still appear in a section. Each section can be expanded individually for informational or printing purposes.
	Important Announcements and Notes for Release 8.3.4 Click here to read more about important announcements for this firmware release. Read this section before you continue with the Release Notes below. End-of-Life and End-of-Support Status For information on which devices and services have reached EoL or EoS, see: Barracuda NextGen and CloudGen Firewall Appliances - EoS / EoL Definitions End-of-Support for CloudGen Firewall Firmware
	General and Maintenance Information for the 8.3.4 Release Notes Click here to read more about basic aspects of this firmware release. Firmware version 8.3.4 is a minor release. Before installing the new firmware version: Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes. To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box. 23.10.2024 – Release of firmware 8.3.4
	Recommendations and Prerequisites for Running Firmware Release 8.3.4 Click here to read more about specific aspects that are relevant for the update. Use the Appropriate Firewall Admin Release Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release. As of the public availability of firmware 8.3.4, Barracuda Networks recommends using at least Firewall Admin version 8.3.4. You can download this version here: https://dlportal.barracudanetworks.com/#/packages/5984/FirewallAdmin_8.3.4-38.exe. Who Can Update to Firmware Release 8.3.4 Read the Migration Notes 8.3.4 before updating to firmware 8.3.4. For more information on the migration process, see the article 8.3.4 Migration Notes.
	Update-Relevant Information for 8.3.4 Click here to read more about specific aspects that are relevant for the update. Special Step to Be Taken after Updating to Firmware 8.3.4 Due to a known issue (BNNGF-95350), the CC Event daemon refuses connections after updating to firmware 8.3.4. After updating to firmware 8.3.4, restart the CC Event daemon manually! Feature Removals While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology. Features that Are No Longer Included as of this Version 8.3.4 If you require one of the listed features, do not update to this firmware version! Features that Will Become Obsolete in an Upcoming Release If you are currently using one of the features listed below, consider planning to switch to an appropriate alternative. Currently, there are no features planned for removal. However, Barracuda Networks recommends checking for this again in the newest 9.x.x release notes. FW Audit As of firmware 9.x, FW Audit is being discontinued. If you have been using FW Audit for reporting in the past, Barracuda Networks recommends using Barracuda Firewall Insights for advanced reporting instead. Web-UI As of firmware 9.x, support for the Web-UI is being discontinued. SMSd As of firmware 9.x, the SMSd is being discontinued. WANopt As of firmware 9.x, WANopt is being discontinued.
	New Features in Version 8.3.4 Click here to read about new features. As a minor release, version 8.3.4 contains important fixes.
	Solved Bugs and Improvements in Release 8.3.4 Click here to see a list of solved bugs and improvements. Authentication Memory leaks no longer occur in certain situations. [BNNGF-78803] TS Agent and DC Client users are now synced properly between HA partners. [BNNGF-90958] The authentication service now sends special characters correctly with the RADIUS authentication scheme. [BNNGF-90980] Template admins no longer experience issues in connection with different admin-handler daemons. [BNNGF-90984] Barracuda Firewall Admin Disabling Force regular password change for CC Admins now works as expected. [BNNGF-93020] It is now possible to enforce minimum endpoint settings via Firewall Admin that VPN clients must comply to if they want to remotely connect. [BNNGF-94183] After the update to 8.3.4, ‘-' is the only special character that is allowed to be used in firewall section names. [BNNGF-94617] Barracuda OS xDSL and PPoE options are now present on VCF models. [BNNGF-93600] A firewall as part of an HA pair no longer detects its counterpart as unknown. [BNNGF-94287] OpenSSH has been updated to version 9.8.p1. [BNNGF-94737] ART creates the SSH socket as expected. [BNNGF-94877] Cloud Azure The waagent lease file is now created as expected on non-DHCP boxes. [BNNGF-94798] Control Center The trustzone sync no longer stops syncing information in certain situations. [BNNGF-91358] When executing a script for remote execution that includes the string 'BOX' with capital letters in the name, the script now executes flawlessly. [BNNGF-93752] DHCP Multi-homing no longer causes issues with relay agent IP addresses. [BNNGF-90960] DHCPv6 relay now forwards requests on all available interfaces. [BNNGF-93780] Firewall SSL Inspection no longer fails for new connections after a longer period. [BNNGF-91043] Flood ping protection thresholds now work as expected. [BNNGF-91605] Websites are now blocked correctly (URL filter, TLS encryption) on old browsers like Internet Explorer. [BNNGF-92965] The OP-SRV-VPN-DYNIF rule now works correctly if xDSL is used. [BNNGF-93253] After a reboot, the firewall no longer writes call traces to the logs that are related to the offloading settings in Azure boxes. Warnings, errors, and other information are written to the log as expected. [BNNGF-93282] Compatibility issues have been fixed in URL Filtering, Application Detection, and TLS Inspection when using recent versions of Chrome and Firefox that use the Kyber TLS key encapsulation mechanism. [BNNGF-93365] Improvements have been made to shaping performance. [BNNGF-93377] A new user agent was added that matches the Microsoft CryptoAPI. [BNNGF-93822] The detection of MS Office files has been improved. [BNNGF-93824] TCP Sessions are no longer blocked erroneously. [BNNGF-94304] DOCX files are no longer identified as Microsoft Publisher data files. [BNNGF-94334] The HA-sync port 688 is now allowed in the host firewall ruleset. [BNNGF-94406] The sharefile app no longer contains non-permitted domains. [BNNGF-94425] Weaknesses addressed by “CVE-2002-20001, CVE-2022-40735 - Diffie-Hellman key agreement protocol” have been removed. [BNNGF-94506] Fixes a race condition in the firewall bridge that caused a dead lock on a certain CPU. [BNNGF-94602] HTTP Proxy Exchange authentication over the reverse proxy now works as expected. [BNNGF-90426] Virus Scanner Anti-virus timeouts no longer occur. [BNNGF-92968] The anti-virus service no longer becomes unresponsive in certain situations. [BNNGF-94853] VPN Wi-Fi traffic is moved into a VPN tunnel as expected. [BNNGF-90957] The firewall no longer experiences unexpected high CPU loads with a large number of VPN tunnels. [BNNGF-91223] Unexpected memory consumption no longer occurs when running dynmesh tunnels. [BNNGF-92578] Client-to-site VPN with RADIUS MFA now works as expected. [BNNGF-92696] SSL VPN License Count now works as expected. [BNNGF-92964] KTINA frees C2S IP addresses as expected. [BNNGF-94374] The error message VPN shaping not licensed no longer occurs in certain situations. [BNNGF-94376] The ‘MainTable Routing’ setting will be ignored for IPsec tunnels, and the ‘MainTable Routing’ setting will be ignored for IKEv2 tunnels with one tunnel per subnet. [BNNGF-94561]
	Known Issues in Release 8.3.4 Click here to see which issues are still subject to be solved. Known Issues Related to CGF Policy Profiles IMPORTANT – Policy profiles cannot be used on a VPN concentrator or Secure Access Controller! Firewall – If a VPN TINA tunnel transport over a specific ISP goes down, the Internet traffic over the same ISP link will not work either. [BNNGF-81749] Provider class in boxnet must not be changed "afterward" unless existing VPN tunnels are reconfigured accordingly. There is currently no VRF support for policies in 8.3.4. Known Issues Related to Other Topics Currently, no RCS information is logged for Named Networks. [BNNGF-47097] The learn-only mode for OSPF is not working as expected. [BNNGF-65299] Barracuda OS - SNMP does not currently indicate the issue if a power supply unit (PSU) is down. [BNNGF-95463] Control Center – The CC Event daemon refuses connections after an update with the error “access denied”. [BNNGF-95350] Workaround: Restart the CC Event service manually, and it will operate as expected. Firewall – Inspecting traffic for QUIC / UDP 443 is currently not supported. [BNNGF-74540] Firewall – SSL inspection breaks on Office 365 admin page with TLS 1.3. [BNNGF-83026] NOTE: If a contacted server does not support at least the configured minimum TLS version, then no connections to that server will be possible. Connections will be reset. This can especially have an impact on embedded frames or Cross-Origin Resource Sharing (CORS) when those servers do not support the same TLS version as the main site. For troubleshooting: Turn Box > Infrastructure Services > General Firewall Configuration > Advanced Log Settings > SSL/TLS loglevel to debug. Look out for "alert protocol version" in SSL logs (Assigned Services > NGFW > SSL), e.g.: `11.04.2022 15:36:46 Info firewall: [TAP3Worker] Worker 1: Session 1271: SSL handshake to server failed: ID 2400 192.168.100.95:54525 <=> 104.103.84.247:443 assets.onestore.ms: error in OpenSSL library:` error:0A00042E:SSL `routines::tlsv1 alert protocol version`

8.3.4 Release Notes

Important Announcements and Notes for Release 8.3.4

End-of-Life and End-of-Support Status

General and Maintenance Information for the 8.3.4 Release Notes

Recommendations and Prerequisites for Running Firmware Release 8.3.4

Use the Appropriate Firewall Admin Release

Who Can Update to Firmware Release 8.3.4

Update-Relevant Information for 8.3.4

Special Step to Be Taken after Updating to Firmware 8.3.4

Feature Removals

Features that Are No Longer Included as of this Version 8.3.4

Features that Will Become Obsolete in an Upcoming Release

FW Audit

Web-UI

SMSd

WANopt

New Features in Version 8.3.4

Solved Bugs and Improvements in Release 8.3.4

Authentication

Barracuda Firewall Admin

Barracuda OS

Cloud Azure

Control Center

DHCP

Firewall

HTTP Proxy

Virus Scanner

VPN

Known Issues in Release 8.3.4

Known Issues Related to CGF Policy Profiles

Known Issues Related to Other Topics