It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

9.0.4 Migration Notes

  • Last updated on

Before You Begin

  • The information contained in this article applies insofar as it was not already taken into account in the 9.0.3 migration notes.

  • The following instructions apply both to firewalls and Control Centers.

Barracuda Firewall Admin

After updating a system, you must also download Firewall Admin with the same version. Firewall Admin is backward-compatible. That means you can manage 8.x and 9.x F-Series Firewalls and Control Centers with Firewall Admin 9.x.

Always use the latest version of Barracuda Firewall Admin!

Unlike in firmware 9.0 where Firewall Admin 9.0 no longer displayed GTI for firmware versions earlier than 9.0, this limitation has been removed as of the release 9.0.2. Firewall Admin now displays GTI for Control Centers < = 8.3.

However, because WANopt is no longer supported, note that Firewall Admin now ignores all WANopt settings from GTI regardless of the version.

New 2-Layer Service Architecture

As of firmware release 8.0.2, Barracuda introduced a new 2-layer service architecture that makes the former server node in the configuration tree obsolete. As already announced in previous migration notes, converting the former 3-layer server-service architecture to the new 2-layer service architecture was optional within the period of firmware versions 8.0.2 to 8.0.4

If you have not yet done so, you must now transform the former 3-layer architecture to the new 2-layer service architecture on the box level before upgrading to firmware version 9.0.4.

This applies both to firewalls and Control Centers.

New IPS Implementation

The previous major firmware version 9.0 includes a new implementation of the IPS system with a new signature database. IPS exceptions created with a version earlier than 8.3 will be deleted after the update.

There are certain restrictions for Control Centers and clusters:

  • IPS pattern updates of 9.0 firewalls in Control Centers with firmware earlier than or equal to 8.2.x are not supported.

Client-to-Site VPN

If you use Client-to-Site VPN and after updating to 9.0.4, you must also either update all NAC clients to 5.3.0 or manually set the MTU size as a pre-update value to 1398 for the pvpn0 interface until all clients are updated.

If you do not do this, uploads from the clients to or over the firewall may lead to packet drops because the uploads are too large.

After updating the clients, you can remove the workaround of manually setting the MTU size of 1398 for pvpn0.

SNMP

To use SNMP, select the SNMP version you want to use from the drop-down menu in the SNMP settings.

You can choose between v1, v2, and v3.

Supported Models for Firmware Version 9.0.4

The following models are capable of running firmware version 9.0.4:

Barracuda CloudGen F-Series and Control Center Models

Hardware Systems

F12 Rev A, F18 Rev A/B, F80 Rev A/B, F82 Rev A, F93 Rev A, F180 Rev A/B, F183 Rev A, F183R Rev A, F193 Rev A, F280 Rev B/C, F380 Rev A/B, F400 Rev B/C, F600 Rev C/D, F800 Rev C/D, F900 Rev B/C, F1000 Rev A/B

Virtual Systems

VF10, VF25, VF50, VF100, VF250, VF500, VF1000, VF2000, VF4000, VF8000, VC400, VC610, VC820

Virtual and Cloud Systems

VFC1, VFC2, VFC4, VFC8, VFC16, VFC48 (model number represents number of supported cores)

WWAN USB Modems

M30, M40, M41, M42

Secure Connectors

SC20a, SC21a, SC22a, SC23a, SC24a/b, SC25a/b, SC26a, SC27a, SC28a, SC29a, SC30a, SC31a, SC34a, SC35a

FSC20A, FSC21A, FSC24B, FSC25B, FSC30A, FSC31A, FSC34A, FSC35A

Public Cloud

AWS, Azure, Google Cloud

Virtual Platforms

VM-Ware, Hyper-V, XEN, KVM (Proxmox running with KVM images)

Standard Hardware Systems

Standard Hardware

A standard hardware system is a Barracuda CloudGen Firewall F-Series running on 3rd-party server hardware using an SF license. Consult Barracuda Networks Technical Support to find out if your specific standard hardware is supported.

Disk Space Requirements

Upgrading to version 9.0.4 requires your disk partitions to have enough free disk space. Firmware 9.0.4 requires the following partition spaces:

Disk Space Requirements FIREWALL:

Hard Drive Partition

Disk Space Required

swap

2 GB

boot

1 GB

/

8 GB

/phion0

4 GB

/art

3 GB

Disk Space Requirements CONTROL CENTER:

Hard Drive Partition

Disk Space Required

swap

2 GB

boot

1 GB

/

10 GB

/phion0

4 GB

/art

10 GB

Migration Path to 9.0.4

Because Python scripts are involved in the migration to a new firmware version, and because firmware 8.0 and 8.3.x use different Python versions, you must migrate to firmware 9.0.4 via the following path:

Current Operating Firmware

Update via

Target Firmware

8.0.x

8.3.2

9.0.4

8.2.x

-> DIRECTLY ->

9.0.4

8.3.x

-> DIRECTLY ->

9.0.4

9.0

-> DIRECTLY ->

9.0.4

9.0.1

-> DIRECTLY ->

9.0.4

9.0.2

-> DIRECTLY ->

9.0.4

9.0.3

-> DIRECTLY ->

9.0.4

Important Note before Upgrading to Release 9.0.4

If you are connecting from an iOS device via Client-to-Site VPN using IPsec, you must change the settings according to the example in the article Example - Client-to-Site IKEv1 IPsec VPN with PSK

Otherwise, the iOS device will not be able to connect and will report the error "Negotiation with the VPN server failed".

Migration Instructions for 9.0.4

Before upgrading to firmware version 9.0.4, you may first need to complete a few additional steps. Check the following topic(s) and, if applicable, complete the migration steps listed below:

PKI (Public Key Infrastructure)

As of firmware 9.0 release, the Barracuda Firewall Control Center Public Key Infrastructure has been completely removed.

If you are still using PKI on your current firmware (earlier than 9.0), you must first remove all PKI configurations before upgrading to 9.0.4. Otherwise, you will not be able to upgrade to firmware release 9.0.4.

If you still need information on the PKI service for any reason, see the last supported version (8.0) of this article: How to Configure the PKI Service

1. Upgrade of Virtual Machines for Forward Error Correction (FEC) and IPS
  • Firmware versions 8.3.1 and later contain the new VPN feature Forward Error Correction (FEC).

For these features to work as expected on virtual deployments, the virtual hardware must be upgraded to the newest version to work on the ESXi hypervisor directly after the deployment of the virtual machine. To use FEC, the supported version of your hypervisor must be higher than or equal to version 6.5.

For more information, see Step 2 in How to Deploy a CloudGen Firewall Vx OVA on VMware Hypervisors

2. VPN – Usage of VPN Next Hop IPs

The following instructions apply only if you have transformed your firewall from the former 3-layer server-service architecture to the new 2-layer assigned services architecture.

Before firmware version 8.3.0, certain VPN scenarios required you to configure next-hop interface IP addresses for the shared networks. Due to the new 2-layer service architecture, which is represented through the Assigned Services node in the configuration tree, it is no longer necessary to explicitly configure these IP addresses.

However, in this special case, it is necessary to apply some additions to the host firewall rule set.

If you have made changes/additions manually to your host firewall rule set, you must back up these host firewall rules to restore them later.

To update the host firewall rule set, you have two options:

  1. Add the missing rules manually

  2. Update the host firewall rule set with "Copy from Default".

How to Update the Host Firewall Rule Set
Step 1. (optional) In case you have made additions/changes to the host firewall rule set manually:

Create a copy of all these firewall rules.

Option 2.1. (recommended) Add the missing rules to the host firewall rule set manually.

For more information on how to create a pass rule, see How to Create a Pass Access Rule

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Service > Host Firewall Rules.

  2. Ensure that Inbound is selected in the top-left corner of the rule list display area.

  3. Click Lock.

  4. Add each of the rules in the list to the Inbound Host Firewall Rule Set.

    vpn_routed_hfw_inbound_rules_to _add.png
  5. Click Outbound in the top-left corner of the rule list display area.

  6. Add each of the rules in the list to the Outbound Host Firewall Rule Set.

    image-20240918-130807.png

  7. Click Send Changes.


Option 2.2. (Only if you did not complete Option 2.1) Update the host firewall rule set with "Copy from Default".

After the transformation to the new 2-layer service architecture, the host firewall rule set can be rebuilt by copying it from the default.

"Copy from Default" will overwrite your existing host firewall rule set. Any previously added custom rules will be lost!

  1. Log into the firewall.

  2. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services.

  3. Right-click Host Firewall Rules.

  4. In the list, click Lock.

lock_host_firewall_rules.png
  1. Right-click Host Firewall Rules.

host_firewall_ruleset_copy_from_default.png
  1. In the list, click Copy From Default.

  2. Click Activate in the top-right corner of the window.

Step 3. (optional) In case you have made a copy of individual firewall rules, you must restore them now.

Add the firewall rules that you copied before to the host firewall rule set.

How to Migrate to Version 9.0.4

Download the appropriate download file.

If You Migrate from Version 8.0.0 to 9.0.4

You must update in two steps:

  1. Go to the download portal https://dlportal.barracudanetworks.com/#/packages/5804/update.GWAY-8.3.3-0238+1hotfix.tgz.

  2. Download the update package for firmware 8.3.3.

  3. Update your firewall to 8.3.3.

  4. Go to the download portal https://dlportal.barracudanetworks.com/#/packages/6124/update.GWAY-9.0.4-0097.tgz.

  5. Download the update package for firmware 9.0.4.

  6. Update your firewall to 9.0.4.

If You Migrate from Versions 8.2.x, 8.3.x
  1. Go to the download portal https://dlportal.barracudanetworks.com/#/packages/6124/update.GWAY-9.0.4-0097.tgz.

  2. Download the update package.

If You Migrate from Versions 9.0/9.0.1 to 9.0.4
  1. Go to the download portal https://dlportal.barracudanetworks.com/#/packages/6123/patch.GWAY-9.0.4-0097.tgz.

  2. Download the patch package.

Start the Update

You can now update the CloudGen Firewall or Control Center.

For more information, see Updating CloudGen Firewalls and Control Centers.