Before You Begin
Barracuda Firewall Admin
After updating a system, you must also download Firewall Admin with the same version. Firewall Admin is backward-compatible. That means you can manage 8.x and 9.x F-Series Firewalls and Control Centers with Firewall Admin 9.x.
New 2-Layer Service Architecture
As of firmware release 8.0.2, Barracuda introduced a new 2-layer service architecture that makes the former server node in the configuration tree obsolete. As already announced in previous migration notes, converting the former 3-layer server-service architecture to the new 2-layer service architecture was optional within the period of firmware versions 8.0.2 to 8.0.4
New IPS Implementation
The previous major firmware version 9.0 includes a new implementation of the IPS system with a new signature database. IPS exceptions created with a version earlier than 8.3 will be deleted after the update.
There are certain restrictions for Control Centers and clusters:
IPS pattern updates of 9.0 firewalls in Control Centers with firmware earlier than or equal to 8.2.x are not supported.
Client-to-Site VPN
If you use Client-to-Site VPN and after updating to 9.0.4, you must also either update all NAC clients to 5.3.0 or manually set the MTU size as a pre-update value to 1398
for the pvpn0
interface until all clients are updated.
If you do not do this, uploads from the clients to or over the firewall may lead to packet drops because the uploads are too large.
After updating the clients, you can remove the workaround of manually setting the MTU size of 1398 for pvpn0
.
SNMP
To use SNMP, select the SNMP version you want to use from the drop-down menu in the SNMP settings.
You can choose between v1, v2, and v3.
Supported Models for Firmware Version 9.0.4
The following models are capable of running firmware version 9.0.4:
Barracuda CloudGen F-Series and Control Center Models | ||
---|---|---|
Hardware Systems | F12 Rev A, F18 Rev A/B, F80 Rev A/B, F82 Rev A, F93 Rev A, F180 Rev A/B, F183 Rev A, F183R Rev A, F193 Rev A, F280 Rev B/C, F380 Rev A/B, F400 Rev B/C, F600 Rev C/D, F800 Rev C/D, F900 Rev B/C, F1000 Rev A/B | |
Virtual Systems | VF10, VF25, VF50, VF100, VF250, VF500, VF1000, VF2000, VF4000, VF8000, VC400, VC610, VC820 | |
Virtual and Cloud Systems | VFC1, VFC2, VFC4, VFC8, VFC16, VFC48 (model number represents number of supported cores) | |
WWAN USB Modems | M30, M40, M41, M42 | |
Secure Connectors | SC20a, SC21a, SC22a, SC23a, SC24a/b, SC25a/b, SC26a, SC27a, SC28a, SC29a, SC30a, SC31a, SC34a, SC35a FSC20A, FSC21A, FSC24B, FSC25B, FSC30A, FSC31A, FSC34A, FSC35A | |
Public Cloud | AWS, Azure, Google Cloud | |
Virtual Platforms | VM-Ware, Hyper-V, XEN, KVM (Proxmox running with KVM images) |
Standard Hardware Systems | ||
---|---|---|
Standard Hardware | A standard hardware system is a Barracuda CloudGen Firewall F-Series running on 3rd-party server hardware using an SF license. Consult Barracuda Networks Technical Support to find out if your specific standard hardware is supported. |
Disk Space Requirements
Upgrading to version 9.0.4 requires your disk partitions to have enough free disk space. Firmware 9.0.4 requires the following partition spaces:
Disk Space Requirements FIREWALL:
Hard Drive Partition | Disk Space Required |
---|---|
swap | 2 GB |
boot | 1 GB |
/ | 8 GB |
/phion0 | 4 GB |
/art | 3 GB |
Disk Space Requirements CONTROL CENTER:
Hard Drive Partition | Disk Space Required |
---|---|
swap | 2 GB |
boot | 1 GB |
/ | 10 GB |
/phion0 | 4 GB |
/art | 10 GB |
Migration Path to 9.0.4
Because Python scripts are involved in the migration to a new firmware version, and because firmware 8.0 and 8.3.x use different Python versions, you must migrate to firmware 9.0.4 via the following path:
Current Operating Firmware | Update via | Target Firmware |
---|---|---|
8.0.x | 8.3.2 | 9.0.4 |
8.2.x | -> DIRECTLY -> | 9.0.4 |
8.3.x | -> DIRECTLY -> | 9.0.4 |
9.0 | -> DIRECTLY -> | 9.0.4 |
9.0.1 | -> DIRECTLY -> | 9.0.4 |
9.0.2 | -> DIRECTLY -> | 9.0.4 |
9.0.3 | -> DIRECTLY -> | 9.0.4 |
Important Note before Upgrading to Release 9.0.4
Migration Instructions for 9.0.4
Before upgrading to firmware version 9.0.4, you may first need to complete a few additional steps. Check the following topic(s) and, if applicable, complete the migration steps listed below:
PKI (Public Key Infrastructure)
As of firmware 9.0 release, the Barracuda Firewall Control Center Public Key Infrastructure has been completely removed.
If you still need information on the PKI service for any reason, see the last supported version (8.0) of this article: How to Configure the PKI Service
1. Upgrade of Virtual Machines for Forward Error Correction (FEC) and IPS
Firmware versions 8.3.1 and later contain the new VPN feature Forward Error Correction (FEC).
For these features to work as expected on virtual deployments, the virtual hardware must be upgraded to the newest version to work on the ESXi hypervisor directly after the deployment of the virtual machine. To use FEC, the supported version of your hypervisor must be higher than or equal to version 6.5.
For more information, see Step 2 in How to Deploy a CloudGen Firewall Vx OVA on VMware Hypervisors
2. VPN – Usage of VPN Next Hop IPs
Before firmware version 8.3.0, certain VPN scenarios required you to configure next-hop interface IP addresses for the shared networks. Due to the new 2-layer service architecture, which is represented through the Assigned Services node in the configuration tree, it is no longer necessary to explicitly configure these IP addresses.
However, in this special case, it is necessary to apply some additions to the host firewall rule set.
To update the host firewall rule set, you have two options:
Add the missing rules manually
Update the host firewall rule set with "Copy from Default".
How to Update the Host Firewall Rule Set
Step 1. (optional) In case you have made additions/changes to the host firewall rule set manually:
Create a copy of all these firewall rules.
Option 2.1. (recommended) Add the missing rules to the host firewall rule set manually.
For more information on how to create a pass rule, see How to Create a Pass Access Rule
Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Service > Host Firewall Rules.
Ensure that Inbound is selected in the top-left corner of the rule list display area.
Click Lock.
Add each of the rules in the list to the Inbound Host Firewall Rule Set.
Click Outbound in the top-left corner of the rule list display area.
Add each of the rules in the list to the Outbound Host Firewall Rule Set.
Click Send Changes.
Option 2.2. (Only if you did not complete Option 2.1) Update the host firewall rule set with "Copy from Default".
After the transformation to the new 2-layer service architecture, the host firewall rule set can be rebuilt by copying it from the default.
Log into the firewall.
Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services.
Right-click Host Firewall Rules.
In the list, click Lock.
Right-click Host Firewall Rules.
In the list, click Copy From Default.
Click Activate in the top-right corner of the window.
Step 3. (optional) In case you have made a copy of individual firewall rules, you must restore them now.
Add the firewall rules that you copied before to the host firewall rule set.
How to Migrate to Version 9.0.4
Download the appropriate download file.
If You Migrate from Version 8.0.0 to 9.0.4
You must update in two steps:
Go to the download portal https://dlportal.barracudanetworks.com/#/packages/5804/update.GWAY-8.3.3-0238+1hotfix.tgz.
Download the update package for firmware 8.3.3.
Update your firewall to 8.3.3.
Go to the download portal https://dlportal.barracudanetworks.com/#/packages/6124/update.GWAY-9.0.4-0097.tgz.
Download the update package for firmware 9.0.4.
Update your firewall to 9.0.4.
If You Migrate from Versions 8.2.x, 8.3.x
Go to the download portal https://dlportal.barracudanetworks.com/#/packages/6124/update.GWAY-9.0.4-0097.tgz.
Download the update package.
If You Migrate from Versions 9.0/9.0.1 to 9.0.4
Go to the download portal https://dlportal.barracudanetworks.com/#/packages/6123/patch.GWAY-9.0.4-0097.tgz.
Download the patch package.
Start the Update
You can now update the CloudGen Firewall or Control Center.
For more information, see Updating CloudGen Firewalls and Control Centers.