9.0.3 Release Notes

Last updated on 2024-11-12 03:25:01

As the CloudGen Firewall has evolved over the years with its increasing number of features, the Release Notes articles have grown accordingly. This, in turn, has also added greatly to the number of entries in the menu column.

To make the Release Notes articles easier to read, they are now equipped with support elements that provide a better overview of all sections contained while making it easier to navigate between and inside these sections.

Each of these sections can be expanded and collapsed separately to show only what you are interested in. Simply click below a header line to expand or collapse a section.


	Note that depending on a certain release, the sections can vary both in content and number. In addition, a headline may be attributed by certain symbols with the following meaning: Critical information to be considered. Important information included in the section. Updated information available. Product-related information, e.g., new features, solved bugs. Product-related information that relates to known bugs. Note that regular information boxes in blue are not explicitly marked in the headline but may still appear in a section. Each section can be expanded individually for informational or printing purposes.
	Important Announcements and Notes for Release 9.0.3 Click here to read more about important announcements for this firmware release. Read this section before you continue with the Release Notes below. End-of-Life and End-of-Support Status For information on which devices and services have reached EoL or EoS, see: Barracuda NextGen and CloudGen Firewall Appliances - EoS / EoL Definitions End-of-Support for CloudGen Firewall Firmware CloudGen Access Proxy When updating HA systems with the CloudGen Access Proxy enabled, you must reconfigure the proxy to generate a new enrollment URL. For more information, see CloudGen Access Proxy. Using Special Characters when Creating a Section in the Forwarding Ruleset After the update to 9.0.3, ‘-' is the only special character that is allowed to be used in firewall section names. SAML Authentication Updating to version 9.0.3 disables SAML authentication. SAML authentication needs to be re-enabled again if configured before the update. See https://campus.barracuda.com/doc/170820079/
	General and Maintenance Information for the 9.0.3 Release Notes Click here to read more about basic aspects of this firmware release. Firmware version 9.0.3 is a minor release. Before installing the new firmware version: Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes. To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box. 18.9.2024 – Release of firmware 9.0.3. 23.9.2024 – Hotix-1134 – The hotfix fixes a regression for TINA transports without a provider created in GTI. Those will be disabled after the CC is updated to 9.0.3. This hotfix only applies to Control Center boxes! For more information, see https://dlportal.barracudanetworks.com/#/packages/5968/VPN-1134-9.0.3-226753162.tgz 11.11.2024 – Hotix-1134 – Proxy Startup. This hotfix addresses an issue where the HTTP Reverse Proxy terminated too early if a certain number of backend entries exceeded the given limit. With this hotfix, the HTTP Reverse Proxy is now granted 10 seconds to start up and to work as expected. For more information, see https://dlportal.barracudanetworks.com/#/packages/6018/proxy-1135-9.0.3-230798194.tgz.
	Recommendations and Prerequisites for Running Firmware Release 9.0.3 Click here to read more about certain prerequisites for running the new firmware. Use the Appropriate Firewall Admin Release Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release. As of the public availability of firmware 9.0.3, Barracuda Networks recommends using at least Firewall Admin version 9.0.3. You can download this version here: https://dlportal.barracudanetworks.com/#/packages/5946/FirewallAdmin_9.0.3-49.exe Unlike in firmware 9.0.0 where Firewall Admin 9.0 no longer displayed GTI for firmware versions earlier than 9.0, this limitation has been removed as of release 9.0.1. Firewall Admin now displays GTI for Control Centers < = 8.3. However, because WANopt is no longer supported, note that Firewall Admin now ignores all WANopt settings from GTI regardless of the version. Who Can Update to Firmware Release 9.0.3 Read the Migration Notes 9.0.3 before updating to firmware 9.0.3. For more information on the migration process, see the article Migration Notes 9.0.3.
	Update-Relevant Information for 9.0.3 Click here to read more about specific aspects that are relevant for the update. While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology. Features that Are No Longer Included as of this Version 9.0.3 If you require one of the listed features, do not update to this firmware version! FW Audit As of firmware 9.0.0, FW Audit is being discontinued. If you have been using FW Audit for reporting in the past, Barracuda Networks recommends using Barracuda Firewall Insights for advanced reporting instead. Web-UI As of firmware 9.0.0, support for the Web-UI is being discontinued. SMSd As of firmware 9.0.0, the SMSd is being discontinued. WANopt As of firmware 9.0.0, WANopt is being discontinued. Features that Will Become Obsolete in an Upcoming Release If you are currently using one of the features listed below, consider planning to switch to an appropriate alternative. Currently, there are no features planned to be announced for removal. However, Barracuda Networks recommends checking for this again in the release notes 9.1.0.
	New Features in Version 9.0.3 Click here to read about new features. As a minor release, version 9.0.3 contains important fixes.
	Solved Bugs and Improvements in Release 9.0.3 Click here to see a list of solved bugs and improvements. Barracuda Firewall Admin Compatibility issues have been fixed in URL filtering, Application Detection, and TLS Inspection when using recent versions of Chrome and Firefox that use the Kyber TLS key encapsulation mechanism. [BNNGF-93365] Configured 'Single IPv4 network' objects that contain a single host now work as expected. [BNNGF-93450] The preset value for transport classes for providers can now be overridden for site-to-site GTI transports. [BNNGF-94054] When enabling or disabling “Use IPsec dynamic IPs” in the VPN settings, the Send Changes button is triggered as expected. [BNNGF-94101] It is now possible to enforce minimum endpoint settings via Firewall Admin that VPN clients must comply to if they want to remotely connect. [BNNGF-94183] Firewall Admin no longer crashes when closing multiple tabs to free resources. [BNNGF-94243] In Firewall Admin, all tabs (VPN, ATP, DHCP,...) and their subtabs can be accessed as expected after logging into the box using OTP with a session password. [BNNGF-94393] After the update to 9.0.3, ‘-' is the only special character that is allowed to be used in firewall section names. [BNNGF-94617] The URL category “Uncategorized” can be configured as expected. [BNNGF-94620] Barracuda OS The database for software updates now updates regularly as expected. [BNNGF-90515] Logging has been improved for the backup daemon to work flawlessly with Azure blobs. [BNNGF-91569] When configuring a VLAN with a shared IP simultaneously, the soft activation nows works as expected. [BNNGF-91571] xDSL and PpoE options are now present on VCF models. [BNNGF-93600] After clicking Send Changes, Reachable IPs no longer disappear and are now displayed as expected. [BNNGF-94176] The URL filter cache now works as expected with WCS3. [BNNGF-94200] A firewall as part of an HA pair no longer detect its counterpart as unknown. [BNNGF-94287] Cluster admins no longer see license information from other clusters. [BNNGF-94443] OpenSSH has been updated to version 9.8.p1. [BNNGF-94737] Non-root users are now allowed to use the ping command. [BNNGF-94824] ART creates the SSH socket as expected. [BNNGF-94877] Cloud Azure The waagent lease file is now created as expected on non-DHCP boxes. [BNNGF-94798] Control Center When executing a script for remote execution that includes the string 'BOX' with capital letters in the name, the script now executes flawlessly. [BNNGF-93752] Automated Security Update parameters now work as expected. [BNNGF-94678] Firewall TLS Inspection now works as expected. [BNNGF-93113] When enabling or disabling Use IPsec dynamic IPs in the VPN Settings, the Send Changes button is triggered as expected. [BNNGF-94101] It is now possible to enforce minimum endpoint settings via Firewall Admin that VPN clients must comply to if they want to remotely connect. [BNNGF-94183] Firewall Admin no longer crashes when closing multiple tabs to free resources. [BNNGF-94243] TCP sessions are no longer blocked erroneously. [BNNGF-94304] DOCX files are no longer identified as Microsoft Publisher Data files. [BNNGF-94334] The HA-sync port 688 is now allowed in the host firewall ruleset. [BNNGF-94406] The sharefile-app no longer contains non-permitted domains. [BNNGF-94425] The ‘per source limit’ documentation in the article General Firewall Configuration has been updated. [BNNGF-94435] MAC addresses no longer break TLS Inspection in policy profiles. [BNNGF-94483] Weaknesses addressed by “CVE-2002-20001, CVE-2022-40735 - Diffie-Hellman key agreement protocol” have been removed. [BNNGF-94506] Fixes a race condition in the firewall bridge that caused a deadlock on a certain CPU. [BNNGF-94602] REST The REST daemon no longer produces memory consumption issues. [BNNGF-91159] When creating output via the REST-API for an HA pair of firewalls, both partners now return the same output. [BNNGF-92577] Virus Scanner The AV-service no longer becomes unresponsive in certain situations. [BNNGF-94853] VPN Unexpected memory consumption no longer occurs when running dynmesh tunnels. [BNNGF-92578] The VPN GTI editor shows live VPN animations as expected. [BNNGF-93070] Unused devices no longer show up in the Client to Site status view. [BNNGF-93487] KTINA frees C2S IP addresses as expected. [BNNGF-94374] The error message VPN shaping not licensed no longer occurs in certain situations. [BNNGF-94376] A priority field has been added to the VPN transport configuration that enables the user to determine the transport ID in VPN > Site-to-Site, column SD-WAN. [BNNGF-94378] The MainTable Routing setting will be ignored for IPsec tunnels, and the MainTable Routing setting will be ignored for IKEv2 tunnels with one tunnel per subnet. [BNNGF-94561] When removing an IKEv2 tunnel from the configuration, the `/phion0` partition no longer runs full. [BNNGF-94762] When tunnels are drawn in the GTI editor, OSPF routes are now correctly advertised. [BNNGF-94889] The GTI editor no longer pushes undefined tunnels unexpectedly. [BNNGF-94988]
	Known Issues in Release 9.0.3 Click here to see which issues are still subject to be solved. Authentication – After the firmware update to 9.0.2, SAML authentication no longer works for C2S VPN. Workaround: Select the check box Enable SAML support in the VPN Client to Site configuration. See https://campus.barracuda.com/doc/170820079/ [BNNGF-94611] Barracuda OS – If a QoS profile has been created and assigned to a physical interface, this profile will be automatically overwritten by the simple QoS band when performing an HA failover or deleting the VPN tunnel assigned to this physical interface. [BNNGF-90831] Barracuda OS - SNMP does currently not indicate the issue if a power supply unit (PSU) is down. [BNNGF-95463] Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported. [BNNGF-74540] Licensing – If the pool license is renewed, the permission scope for pool licenses is reset. [BNNGF-94610] SSL-VPN and Cuda-Launch – Shared folders and files are no longer accessible via CudaLaunch if the name of the shared folder or file contains a blank space. [BNNGS-3970] Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20. Telemetry – For managed firewalls note that settings displayed in the UI on the Control Center and the managed box can differ depending on the cluster and firmware version. [BNNGF-89044] VPN – Dynmesh tunnels do not get established when both sites are behind a NAT after updating to 9.0.0. [BNNGF-90377]

9.0.3 Release Notes

Important Announcements and Notes for Release 9.0.3

End-of-Life and End-of-Support Status

CloudGen Access Proxy

Using Special Characters when Creating a Section in the Forwarding Ruleset

SAML Authentication

General and Maintenance Information for the 9.0.3 Release Notes

Recommendations and Prerequisites for Running Firmware Release 9.0.3

Use the Appropriate Firewall Admin Release

Who Can Update to Firmware Release 9.0.3

Update-Relevant Information for 9.0.3

Features that Are No Longer Included as of this Version 9.0.3

FW Audit

Web-UI

SMSd

WANopt

Features that Will Become Obsolete in an Upcoming Release

New Features in Version 9.0.3

Solved Bugs and Improvements in Release 9.0.3

Barracuda Firewall Admin

Barracuda OS

Cloud Azure

Control Center

Firewall

REST

Virus Scanner

VPN

Known Issues in Release 9.0.3