Barracuda CloudGen Firewall

9.0.5 Release Notes

Important Announcements and Notes for Release 9.0.5

Read this section before you continue with the Release Notes below.

Running a Control Center on KVM

An 8.3 or 9.0.x Control Center cannot be updated to any firmware version up to 9.0.5 on a KVM server.

Updating might cause an error; in this case, a re-installation of your 9.x Control Center is required!

SSH DSA-Keys

SSH DSA keys are no longer considered secure enough. [BNNGF-94751]
Note that they will be removed in the upcoming major 10.0 firmware release!

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

CloudGen Access Proxy

When updating HA systems with the CloudGen Access Proxy enabled, you must reconfigure the proxy to generate a new enrollment URL. For more information, see CloudGen Access Proxy.

Using Special Characters when Creating a Section in the Forwarding Ruleset

With the release of the preceding firmware version 9.0.3, '-' is the only special character that is allowed to be used in firewall section names.

SAML Authentication

Updating to the preceding firmware version 9.0.3 disables SAML authentication. If SAML authentication was configured before the update, it must be re-enabled afterwards. See https://campus.barracuda.com/doc/170820079/

General and Maintenance Information for the 9.0.5 Release Notes 

Firmware version 9.0.5 is a minor release.

Before installing the new firmware version:

Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes.

To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box.

12.08.2025 – Release of firmware 9.0.5.

Recommendations and Prerequisites for Running Firmware Release 9.0.5

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 9.0.5, Barracuda Networks recommends using at least Firewall Admin version 9.0.5. You can download this version here: https://dlportal.barracudanetworks.com/#/packages/6229/FirewallAdmin_9.0.5-88.exe

For more information, see also Release Notes for Barracuda Firewall Admin, Release 9.0.5-88, August 2025.

Who Can Update to Firmware Release 9.0.5

Read the Migration Notes 9.0.5 before updating to firmware 9.0.5.

For more information on the migration process, see the article 9.0.5 Migration Notes.

Relevant Update Information for 9.0.5 

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Are No Longer Included as of this Version 9.0.5

If you require one of the listed features, do not update to this firmware version!

FW Audit

As of firmware 9.0.0, FW Audit is being discontinued. If you have been using FW Audit for reporting in the past, Barracuda Networks recommends using Barracuda Firewall Insights for advanced reporting instead.

Web-UI

As of firmware 9.0.0, support for the Web-UI is being discontinued.

SMSd

As of firmware 9.0.0, the SMSd is being discontinued.

WANopt

As of firmware 9.0.0, WANopt is being discontinued.

Features that Will Become Obsolete in an Upcoming Release

If you are currently using one of the features listed below, consider planning to switch to an appropriate alternative.

Currently, there are no features planned to be announced for removal. However, Barracuda Networks recommends checking for this again in the release notes 9.1.0.

New Features in Version 9.0.5 

As a minor release, version 9.0.5 contains important fixes.

Resolved Bugs and Improvements in Release 9.0.5

Authentication
  • If a VIP is entered in the remote management tunnel configuration, generating SAML metadata no longer sends traffic into the disabled tunnel. [BNNGF-93928]

  • The error "construct null not valid" no longer occurs when using SAML 2.0 authentication. [BNNGF-95548]

  • Reachable IPs now work as expected after sending changes in Firewall Admin. [BNNGF-95560]

  • Logging in with SSH now works as expected and no longer causes issues with multiple UIDs. [BNNGF-96362]

  • Authentication mismatches no longer occur in combination with DC agent. [BNNGF-96407]

Barracuda Firewall Admin
  • The context menu for SSL-VPN tunnels now works as expected. [BNNGF-95371]

  • Barracuda Firewall Admin no longer freezes in specific situations. [BNNGF-95765]

  • The Transport ID has been reintroduced for rulesets and FW Live for the ruleset feature level 9.0 and above. [BNNGF-95872]

  • ::/0 can now be used as a VPN peer IP network address. [BNNGF-96119]

  • The number of transports shown in the SD-WAN summary widget can now be adjusted. [BNNGF-96125]

  • Barracuda Firewall Admin no longer performs unresponsively in specific situations. [BNNGF-96127]

  • Barracuda Firewall Admin no longer crashes in the Network config node after updating Site Specific Addresses. [BNNGF-96196]

  • FW Admin no longer crashes in the VPN tab. [BNNGF-96408]

  • The Licensee's comment fields now keep their values as expected. [BNNGF-96409]

  • Role filters for the CC Admin tab now work as expected. [BNNGF-96814]

  • Barracuda Firewall Admin no longer crashes when closing the Firewall tab after looking at the local/special rules in the Live view. [BNNGF-97189]

  • The underscore character (‘_’) is now allowed in event notifications of Teams Webhook URLs. [BNNGF-97302]

  • Barracuda Firewall Admin no longer crashes when opening the URL Filter policy. [BNNGF-97779]

  • Barracuda Firewall Admin no longer mistakenly sets the priority in GTI setups with more than one transport per class. [BNNGF-97888]

  • The label Transport ID has been replaced by the new UI label Priority at several places in the UI. [BNNGF-97895], [BNNGF-97947]

  • When creating a site-to-site TINA tunnel for config version 8.3 in Firewall Admin, the transport class for BULK is now set correctly. [BNNGF-97899]

  • Potential inconsistencies in GTI TINA transports concerning either the newly introduced priority field (as of version 9.0) or the previously used transport ID will be automatically resolved. [BNNGF-97953]

  • Cluster migration is denied if a node or a sub-node in that cluster has been added, modified, or removed without an activation. [BNNGF-97960]

  • The option Allow Dynamic Mesh now works as expected in Barracuda Firewall Admin 9.0.5. [BNNGF-98185]

  • Barracuda Firewall Admin no longer crashes in specific situations. [BNNGF-98262]

Barracuda OS
  • Removing a group policy only affects objects that are not referenced by other policies and afterwards displays a notification about objects that have not been deleted because they are still in use. [BNNGF-66288]

  • The logging for NTP has been improved. [BNNGF-92032]

  • The assignment of licenses to multiple boxes no longer causes issues. [BNNGF-92606]

  • The logic for cleaning up licenses has been improved. [BNNGF-93063]

  • The size of SNMP buffers has been increased and no longer causes issues. [BNNGF-93414]

  • Macmon integration now works as expected. [BNNGF-94460]

  • A transfer network has been added as an additional network object into the BOX-LAN-2-INTERNET rule. [BNNGF-94624]

  • GRE tunnels with SharedIP allow configuring target networks. [BNNGF-94738]

  • Creating the system report works as expected. [BNNGF-94991]

  • The first event will now create a notification as expected even if the event has not been confirmed yet. [BNNGF-95079]

  • The MS Teams notification on the CGF now uses adaptive cards 1.5 and works with the new MS Teams workflow template "Post to a channel when a webhook request is received". [BNNGF-95336]

  • Web logs now show all log entries correctly. [BNNGF-95339]

  • Error messaging has been improved for certificate CRL revocations. [BNNGF-95460]

  • Handling of TCP segmentation when parsing TLS client hellos now works as expected. [BNNGF-95553]

  • Reachable IPs now work as expected after sending changes in Firewall Admin. [BNNGF-95558]

  • Weblog streaming now works as expected. [BNNGF-95562]

  • System recovery now works as expected. [BNNGF-95571]

  • DNS Objects now have a maximum negative TTL of 30 seconds and use the last known good value if they are no longer resolvable. [BNNGF-95675]

  • An issue related to kernel panic due to a NULL pointer dereference has been resolved. [BNNGF-95729]

  • The bond interface now switches the MAC as expected upon a failover if the bond interface is configured with VLAN as management interface and if more VLANs with shared IPs are active. [BNNGF-95730]

  • Shutting down a virtual appliance is now performed in the expected time. [BNNGF-95742]

  • The startup of specific services after unexpected failures has been massively improved by optimizing the handling of some system databases. [BNNGF-95769]

  • The system report now works as expected. [BNNGF-95777]

  • VMACs are now handled correctly on an F380B. [BNNGF-95786]

  • After enabling header reordering, the list Reference in CONFIGURATION > Box > Configuration Tree > Network > Interfaces now displays correct values. [BNNGF-95824]

  • SMTP passwords can now be longer than 56 characters. [BNNGF-95856]

  • The typo in the ruleset migration script has been fixed and no longer prevents the activation of new rules. [BNNGF-95908]

  • Reachable IPs now work as expected after sending changes in Firewall Admin. [BNNGF-95929]

  • Downloading PDF files works as expected when AV is disabled. [BNNGF-95934]

  • The name-length issue for boxname and servername has been fixed and no longer causes HA sync failures. [BNNGF-95944]

  • The service.conf file is no longer broken when the HA partner performs a hard reset. [BNNGF-96045]

  • For new VIP networks, the setting Enable IPv4 is now active by default. [BNNGF-96100]

  • Disabling a named admin no longer causes issues in specific situations. [BNNGF-96113]

  • Logging has been improved to reduce confusion if no admins are configured. [BNNGF-96116]

  • The ‘#’ character can now be used in PPPoE authentication. [BNNGF-96166]

  • When a box performs an update, the configured time zone is considered as expected. [BNNGF-96231]

  • A performance issue affecting local-out sessions over a bridge has been fixed. [BNNGF-96241]

  • When disabling the listen on port 443 parameter in the VPN service, the listener on UDP 443 is now removed as expected. [BNNGF-96460]

  • IPS no longer crashes in specific situations. [BNNGF-96472]

  • The URLs for Azure data centers have been updated and made configurable. [BNNGF-96496]

  • PPPoE no longer experiences accidental changes of route preferences in specific situations. [BNNGF-96517]

  • An issue that caused crashes in conjunction with the LAN-2-VPN firewall rule in the special ruleset has been fixed. [BNNGF-96572]

  • The network activation now works as expected after changing the MTU in the interface configuration. [BNNGF-96634]

  • Reading the routes on a box with REST now works as expected. [BNNGF-96647]

  • Regular time syncs now work as expected on Edge Service systems. [BNNGF-96682]

  • Using an IPv6 link local address for the gateway route now works as expected. [BNNGF-96688]

  • The automatic license download on standard hardware now works as expected. [BNNGF-96691]

  • The error handling for email notifications has been improved. [BNNGF-96815]

  • Extensive route introduction no longer causes reintroduction of existing routes. [BNNGF-96849]

  • To ensure that connecting to Firewall Insights continues working after September 23, 2005, the related certificate has been updated. [BNNGF-97011]

  • Statistics are stored in the correct folder as expected. [BNNGF-97061]

  • Log files are stored in the correct folder as expected. [BNNGF-97308]

  • TOTP bulk enrollment for multiple users now works as expected. [BNNGF-97441]

  • A fix to the kernel has been implemented to prevent potential crashes. [BNNGF-97595]

Cloud Azure
  • HA clusters no longer crash every 12-24 hours in specific situations. [BNNGF-96462]

  • The security log table now comprises all relevant fields. [BNNGF-97857]

Control Center
  • It is now possible to edit both local IPv4 and IPv6 networks for any tunnel in GTI. [BNNGF-95623]

  • Selected/configured Site-Specific Objects are now shown correctly on Connection Objects > Details. [BNNGF-95836]

  • When copying/moving a VPN service, updating names now works correctly. [BNNGF-95867]

  • High performance settings for UDP & TCP transports are not supported in GTI and are therefore made inaccessible in the site-to-site configuration. [BNNGF-96210]

  • Changes in the GTI editor are no longer reverted unexpectedly. [BNNGF-96213]

  • VPN status is now updated as expected in the CC status map. [BNNGF-96215]

  • GTI tunnels are no longer accidentally configured to use DES in rare cases. [BNNGF-96298]

  • The rule list for the host firewall rules now shows inbound rules as expected. [BNNGF-96458]

  • ConfTemplates can now use Global Firewall Objects only for the CGF. [BNNGF-96556]

  • The lock status for Global Objects is now reported with the error code 409. [BNNGF-96569]

  • The warning for duplicate hosts is now triggered as expected for Global Objects in Control Centers. [BNNGF-96695]

  • On the Control Center, Firewall Objects no longer appear in the network settings after having been deleted. [BNNGF-96739]

  • Devel hotfixes now show up as expected in the CC firmware management view. [BNNGF-97009]

  • CC Admins with cluster-limited access now have access only to authorized Auth-Sync zones. [BNNGF-97301]

  • Admin users can now access the firewall as expected. [BNNGF-97992]

  • Adding a new SNMP service to a newly created box works as expected. [BNNGF-98083]

  • Editing the global ruleset now works as expected on a 10.0.0 CC. [BNNGF-98251]

  • TINA tunnels are no longer unexpectedly removed when invoking Send Changes in VPN. [BNNGF-98308]

DNS
  • The text for Forwarders Selection under Administrative Settings > Caching DNS Service > Forwarders Selection in Firewall Admin has been reworked. [BNNGF-95545]

  • Configurations are validated before they are applied. [BNNGF-96792]

  • Duplicate forwarded domain entries are no longer possible for the same domain. [BNNGF-96797]

Firewall
  • App block details are now reported correctly in the activity log related to its rule name. [BNNGF-93069]

  • GitHub domains have been added to main applications. [BNNGF-95808]

  • App Control no longer causes large download volumes in specific situations. [BNNGF-95933]

  • Application-based Provider Selection no longer advertises overly large MSS. [BNNGF-96305]

  • Specific HTTP traffic is now detected as correct app. [BNNGF-96354]

  • In rare cases the firewall crashed during FTP protocol evaluation. This issue has been fixed. [BNNGF-96680]

  • The AppID engine has been updated to version 25.05.09. [BNNGF-97208]

  • The FTP plugin now works as expected in combination with GRE IP tunnels. [BNNGF-97874]

  • If the forwarding firewall is run in policy mode, policy profile rules in the local and special ruleset are now correctly processed. [BNNGF-98021]

  • The SD-WAN ID has been added to the IPFIX flow. [BNNGF-98064]

  • The menu option for Measure Provider Performance is no longer available. [BNNGF-98124]

  • The Firewall Insights dynamic network object is now handled correctly. [BNNGF-98177]

HTTP Proxy
  • Rebuilding the forward proxy cache now works as expected. [BNNGF-94415]

  • The application rules are applied as expected after updating a firewall that runs an HTTP proxy to 9.0.2. [BNNGF-95116]

  • Issues with ICAP timeouts in the reverse proxy no longer appear in specific situations. [BNNGF-95329]

  • The HTTP proxy no longer crashes on reconfigurations. [BNNGF-96627], [BNNGF-96628]

  • Processing entries in the HTTP Proxy ACL no longer causes invalid expressions. [BNNGF-97059]

REST
  • The REST API now supports converting netmasks into CIDR notation. [BNNGF-80190]

  • REST API requests now report consistent information. [BNNGF-92049]

  • Filenames may now contain the ‘-’ character. [BNNGF-95177]

  • Handling of the REST endpoint for Network Objects has been sped up. [BNNGF-96092]

  • The lock status for Global Objects is now reported with error code 409. [BNNGF-96093]

  • The option for Reachable IPs is now available in the REST API as an endpoint. [BNNGF-96666]

  • REST API calls no longer cause firewall crashes in specific situations. [BNNGF-96755]

  • The REST endpoint now also returns the secondary IP as expected. [BNNGF-97190]

Virus Scanner
  • ATP quarantine now works as expected (HTTP/2). [BNNGF-96122]

VPN
  • Resolving DNS has been improved for IKEv1. [BNNGF-96089]

  • Transport Source from Device now prioritizes Shared IPs over other valid and active IP addresses suitable for binding to VPN. [BNNGF-96132]

  • An issue in the Access Control service has been fixed so that the health agent now recognizes BitLocker as part of WCS. [BNNGF-96169]

  • The VPN server no longer crashes in specific situations. [BNNGF-96535]

  • When configuring a TINA site-to-site tunnel, the Explicit option is allowed again. [BNNGF-96573]

  • The VPN server no longer causes unexpected memory issues in specific situations. [BNNGF-96816]

  • An issue has been fixed where pre-allocated SPI structures in the VPN server were not being properly released due to incorrect error handling. [BNNGF-96820]

  • TINA transports are now established as they are configured. [BNNGF-97001]

  • The label Transport ID has been replaced by the new UI label Priority at several places in the UI. [BNNGF-97965], [BNNGF-97968]

Resolved CVEs

For more information on CVEs, see CVE Overview for Barracuda CloudGen Firewall.

Known Issues in Release 9.0.5

  • Authentication – After the firmware update to 9.0.2, SAML authentication no longer works for C2S VPN.
    Workaround: Select the check box Enable SAML support in the VPN Client to Site configuration. See https://campus.barracuda.com/doc/170820079/ [BNNGF-94611]

  • Barracuda Firewall Admin – The usage counter of the firewall rules works on the rules and the service objects,
    but network objects will only show the last time it matched correctly. [BNNGF-98530]

  • Barracuda OS – If a QoS profile has been created and assigned to a physical interface, this profile will be automatically overwritten by the simple QoS band when performing an HA failover or deleting the VPN tunnel assigned to this physical interface. [BNNGF-90831]

  • Barracuda OS – The SNMP value for active C2S connections is wrong. [BNNGF-94918]

  • Barracuda OS – SNMP does not currently indicate the issue if a power supply unit (PSU) is down. [BNNGF-95463]

  • Barracuda OS – When using virtual MAC addresses and shared IPs on the management interface at the same time, an HA pair will run into a split brain issue after a reboot of the passive box. An EA version of a fix for 9.0.4 is available. [BNNGF-96724]

  • Barracuda OS – Using non-ASCII characters in Description fields of the Translated HA IP configuration might cause errors during firmware upgrade. [BNNGF-98494]

  • Cloud Azure – Azure Log Streaming CEF via CGF Log Daemon currently does not work as expected. [BNNGF-98002]

  • Control Center – Syncing of configuration nodes between split Control Centers currently does not work. [BNNGF-96817]

  • CudaLaunch – iPad Pro devices with a MagicKeyboard cause issues. [BNNGF-95273]

  • Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported. [BNNGF-74540]

  • Firewall – The YouTube search filter custom application is now obsolete due to changes in YouTube. Use Google Search instead. [BNNGF-95926]

  • Firewall – The user agent app rule does not work as expected. [BNNGF-97989]

  • REST – Policy profile rulesets are currently not supported by the REST API. [BNNGF-94123]

  • REST – Changes to Shared Services Ruleset by REST API are not honored. [BNNGF-97993]

  • SSL-VPN and Cuda-Launch – Shared folders and files are no longer accessible via CudaLaunch if the name of the shared folder or file contains a blank space. [BNNGS-3970]
    Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20.

  • VPN – GTI editor displays either no priority ID or an incorrect one. [BNNGF-98585]