What´s New in Version 7.2.4
Firewall Admin
Firewall Admin has received some improvements that ease the workflow in the user interface. When working on access rules, the object viewer now provides the option of filtering objects for quicker search and selection. The display color for access rules has been adjusted for easier viewing in the list of access rules. And the display color for access rules can now be adjusted interactively by selecting the color from a color selector.
Barracuda Firewall Insights
With firmware release 7.2.4, support for the Barracuda Reporting Server will be replaced by support for Barracuda Firewall Insights. For more Information, see Firewall Insights.
Improvements Included in Version 7.2.4
Barracuda Firewall Admin
- In the Control Center, the status of pending SC configuration updates is now displayed correctly. BNNGF-47124
- The help-text explanation for the address notation in the user interface has been exchanged in order to use the CIDR notation in the Network Prefix edit field. BNNGF-50048
- When opening the object viewer in the access rule window in CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > Firewall > Forwarding Rules, the object viewer now provides options for filtering objects from the list area. BNNGF-51981
- On the Control Center in CONTROL -> Firmware Updates, deleted files are no longer displayed in the list of the tab Files on Control Center after their removal. BNNGF-54013
- In CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > OSPF-RIP-BGP Service > OSPF-RIP-BGP Settings > BGP Router Setup, the Edit field for BGP AS numbers now accepts 32-bit numbers in the private range (4200000000 - 4294967294). BNNGF-55796
- In Firewall Admin, it is possible to add more than 10 Named Networks again. BNNGF-56496
- The display color for access rules can now be adjusted interactively for easier viewing in the window CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules. BNNGF-56630
- The display color for access rules has been adjusted for easier viewing in the window CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules. BNNGF-56631
- Firewall Admin no longer crashes in certain situations after configuring a hostname as a global network object. BNNGF-56782
- In Firewall Admin, on the FIREWALL -> Live page, the column Idle no longer displays wrong time values. BNNGF-56840
- When configuring the VPN-Client in VPN-service > Client-to-Site > External > Group Policy > VPN Client Network page and setting the parameter Always on to Yes, users now are not able to disconnect from the VPN. BNNGF-56851
- Import private key from clipboard/file in Firewall Admin > Configuration > Configuration Tree > Virtual Servers > your virtual server > VPN-Service > VPN settings > Server Certificates now works as expected. BNNGF-57387, BNNGF-57921
- When cloning a template in the SC editor, dashes ('-') are now allowed to be used in the template name. BNNGF-57566
- If User: Not set for filter settings is selected in the USER element of the Firewall tab, information is now correctly displayed. BNNGF-57670
- Applying a user filter in Firewall Admin, on the FIREWALL > History page, now works as expected. BNNGF-58007
- Firewall Admin no longer displays mip for the Access IP in the Status Map of a managing Control Center for a subordinated Control Center. BNNGF-58013
- In VPN > Site-to-Site, the filter option for tunnels and transports now displays the correct filtering results depending on the grouped/ungrouped filter option in the context menu. BNNGF-58055
- The Refresh button in the Activation tab is displayed as expected. BNNGF-58073
- Firewall Admin no longer crashes during the migration of cluster configurations. BNNGF-58113
- On firewalls that support LTE, the LTE provider is now correctly shown at the bottom of the main display area in CONTROL > Network. BNNGF-58277
- When exporting VPN profiles for a VPN client, Firewall Admin no longer uses default ciphers. BNNGF-59018
- The Log Viewer's focus now sticks to the last selected line after a filter is deactivated. BNNGF-59251
- In the Control Center the columns File Transfer Status, Transfer Time and Transfer Info are now correctly filled if more than 1 firmware update file is transferred to a firewall. BNNGF-59530
- In Firewall Admin, when using Deliver First, then Scan as a global policy, scanned files now show the correct policy name in the list. BNNGF-59584
Barracuda OS
- When new AppID patterns are loaded on a Control Center for managed boxes, they are now also automatically applied on box level for a Control Center. BNNGF-48029
- Some F900/F1000 firewalls no longer experience lost bond interfaces and fail in triggering HA failovers in certain situations. BNNGF-52989
- Disabling or deleting neighbors no longer restarts the BGP service. BNNGF-54547
- User information in the firewall and in the authentication database are now in sync. BNNGF-54683
- x.509 client authentication is now provided for weblog streaming. BNNGF-54725
- The firewall now provides the correct information to SNMP for the VPN state of IKEv2 tunnels. BNNGF-54762
- IPv6 with delegation now works as expected on DHCP interfaces. BNNGF-54856
- Firewall history in system report now also works for VRF-enabled boxes. BNNGF-55658
- Group information is now processed correctly by the firewall if special delimiters are used between fields (e.g., name, surname) on an Active Directory. BNNGF-55718
- IPv6 box ACLs now work as expected with netmasks smaller than 64-bit. BNNGF-56060
- OSPF for IPv6 now starts up as expected. BNNGF-56114
- Sending syslog information to an IPFIX server over a longer period no longer terminates unexpectedly. BNNGF-56330
- LDAP CRL validation for certificates now works as expected for certificates using blank CRL Urls in the certificate. BNNGF-56401
- SNMP no longer causes memory leaks when initializing plugins. BNNGF-56448
- The M40 modem no longer becomes unstable on the F12 Firewall with USB3. BNNGF-56595
- VPN status for HA-paired boxes no longer flaps in CC Status Map. BNNGF-56936
- The CloudGen Firewall no longer produces memory leaks due to unreleased resources during the handling of rulesets. BNNGF-56999
- CPU statistics time (per CPU and percentage) and now calculated correctly on the firewall. BNNGF-57549
- The firewall no longer crashes in certain situations. BNNGF-57597
- Fixed an error using a DC/TS client not synchronizing to a trustzone in an HA configuration. BNNGF-57732
- SNMP configuration changes are now followed by an update of the ruleset for dynamic IPs that are then immediately used. BNNGF-57960
- In case of an SSL inbound connection, the firewall now correctly uses the server's cipher preferences. BNNGF-58014
- Fixed an error using pipe symbols in server-start and server-stop scripts. BNNGF-58356
- Auto-policy routes are now correctly adapted when clone wizard is used. BNNGF-58532
- When a firewall is cloned using the box-clone wizard, the server configuration of the HA partner is removed from the server during the cloning. BNNGF-58533
- Long-running sessions with a high traffic load no longer cause increasing memory consumption. BNNGF-58939
- Services no longer go down in certain situation during pool license updates. BNNGF-59000
- The REST API now sends complete responses to calls for URLs. BNNGF-59144
- On PAYG Cloud firewalls, the WCS service now uses the correct license base. BNNGF-59148
- The firewall models F12, F18, F80, F180, F183, F183R, and F280 now support up to 10 VRF instances. BNNGF-59396
- When using SMTP scanning, the connection to the client mail-server no longer runs into a timeout. BNNGF-59397
- HA takeovers no longer occur due to low memory situations with high data throughput. BNNGF-59553
- The firewall no longer crashes in certain situations. BNNGF-59653
Control Center
- When creating an RCS report in the Control Center by clicking Show Override Difference… on a linked repository entry with override setting, a Diff RCS failed error is no longer displayed. BNNGF-54118
- A Control Center-managed firewall now sends an event to the Control Center in case of an emergency override. BNNGF-54496
- On a Control Center, the Status Map now displays the network status icon in yellow in case an interface is down that is part of a bridge. BNNGF-54498
- A warning message is now displayed before disabling Own Firewall Objects on range or cluster level in Range/Cluster Properties > General in the Specific Settings section. BNNGF-55943
- When creating a repository for CONFIGURATION > Configuration Tree > Box > Network on an F82 Firewall, the section for Barracuda DSL Modem is now displayed as expected. BNNGF-56069
- Configuration changes in the Control Center on range level no longer freeze and are now processed as expected. BNNGF-56170
- If the configuration of a managed box differs from the respective configuration on the Control Center, the difference is now displayed as out of sync in the Status Map. BNNGF-56430
- In the Control Center, the firewall icon is now displayed as expected in the column Access IP of the Status Map in case a distributed firewall service is running on the respective firewall. BNNGF-57970
- Fixed an issue where connecting to a Control Center status map did not work. BNNGF-58021
- On a Control Center, repository settings for Firewall > Firewall Forwarding Settings can now be modified as expected. BNNGF-58060
- Migrating SC setups from firmware version 6.2 to 7.2 now works as expected. BNNGF-58135
- The list of external administrators can now be sorted individually using a numerical value in the field Priority in CONFIGURATION > Administrators > External Admins. BNNGF-58345
DHCP
- The DHCP service no longer causes memory leaks when discovering interfaces. BNNGF-56410
Firewall
- NTP traffic is now sent via VIP if the option Start NTPd is set to Yes. BNNGF-32753
- Link protection now correctly rewrites certain hyperlinks. BNNGF-53144
- Port protocol protection now drops all packets for unallowed protocols as expected. BNNGF-53593
- If an active session is terminated by Firewall Admin, it no longer causes stalled sessions on clients. Instead, it resets the session as expected. BNNGF-54500
- DNS now handles hostnames with a maximum length of 256 characters. BNNGF-54572
- When accessing a blocked URL on the Internet via the HTTP Proxy with Application Control, Access Block pages are now displayed correctly by the firewall. BNNGF-55949
- IPS events are now correctly sent via syslog streaming. BNNGF-56332
- When accessing a virus file on an SSL web server running on non-standard ports, the ATP block page now shows the correct URL. BNNGF-56383
- Firewalls in an HA cluster no longer crash after enabling session balancing on a tunnel. BNNGF-56497
- On the Control Center, a new service object has been added for SC default ports in the host firewall ruleset. BNNGF-56610
- MSAD authentication with TLS1.2 now works as expected. BNNGF-56717
- The firewall no longer experiences problems in certain situations when loading the forwarding ruleset. BNNGF-56768
- The firewall service no longer stops when processing an active access rule with an empty network object. BNNGF-56769
- When using traffic shaping (QoS), traffic is now correctly forwarded between different priority classes on virtual machines after priority adjustments. BNNGF-56790
- Transparent redirects and DNAT with multiple destinations in an access rule now work correctly when the policy is set to Cycle. BNNGF-56802
- The host firewall no longer generates its own log files when the respective setting in Access Rule -> Advanced -> Own Log File is set to No. BNNGF-56825
- The firewall no longer crashes in certain situations. BNNGF-58023
- When HTTP headers are parsed by the firewall, the response header is now forwarded completely. BNNGF-58314
- Fixed a problem with CRL checks where all HTTPs traffic was blocked. BNNGF-58506
- Fixed incorrect URLs on the download page when using ATP with Scan-First Deliver-Later. BNNGF-58543
- The firewall no longer crashes in certain situations. BNNGF-58573
- The firewall no longer reboots unexpectedly due to high loads. BNNGF-58593
- URLs for onedrive.live.com are now correctly categorized by the URL filter. BNNGF-58642
- The rule editor now supports selective blocking of IPv6 extension headers. BNNGF-59479
HTTP Proxy
- Service interruption time has been decreased when a proxy rule is changed. BNNGF-56184
Virus Scanner and ATP
- In Firewall Admin, ATP now accepts Excel macro files for file scanning. BNNGF-56466
- Block on error no longer blocks encrypted archives. BNNGF-56495
- Fixed incorrect URLs on the download page when using ATP with Scan-First Deliver-Later. BNNGF-58359
- Fixed fail-open and fail-close policy issues for SMTP scanning in combination with clamAV. BNNGF-58523
- The ATP Scan First option is now also available for file downloads from Cloud storages. BNNGF-58570
- The libmagic library has been updated in order to fix vulnerabilities. BNNGF-59071
VPN
- Establishing a site-to-site TINA tunnel after an HA failover no longer causes crypto errors and now works as expected. BNNGF-56143
- In Firewall Admin, entries in LOGS > VPN now show correct duration time in the correct format. BNNGF-56282
- IKEv2 tunnels now work correctly when One Tunnel per Subnet Pair is enabled. BNNGF-57241
- The IKE3 process no longer causes unwanted memory consumption in the background. BNNGF-58403
- Boxes using an M40 modem for dial-in now successfully re-establish an IKEv2 tunnel connection after a temporary tunnel shutdown due to 4G restarts or bad signals. BNNGF-58513
- Various improvements for SDWAN. BNNGF-59282
Web UI
- On the Web UI in the section Security Subscription Status, the firewall no longer displays the status Licensed : disabled for the Malware Protection subscription status if Malware Protection is licensed and running. BNNGF-56586
- In the Web UI, the subscription status now looks consistent for license-based services. BNNGF-59268
Zero Touch Deployment
- Zero Touch Deployments now signal the result for a successful and failed operation with an audio signal. BNNGF-59456
Current Known Issues - General
- Firewall – Copying access rules with enabled SSL Inspection from firewalls running firmware version 7.2.x to firewalls running firmware version 7.1.0 - 7.1.3 can have a negative impact on SSL Inspection on the destination system.
- ATP – The "Scan first, then Deliver" option and SMTP-AUTH is not yet supported. [BNNGF-52992]
- ATP – The "Scan first, then Deliver" option and using an MUA (eMail client) - NGFW - MTA is currently not supported. [BNNGF-52992]
- ATP – The "Scan first, then Deliver" option and using BDAT (e.g., Microsoft Exchange servers may use that) is not yet supported. [BNNGF-52992]
- ATP – The "Scan first, then Deliver" option with SMTP and VRF is not yet supported. [BNNGF-52992]
- AWS-Cloud – Deploying AWS Auto Scaling clusters in the US-East-1 region currently fails to create an S3 bucket automatically. Create the bucket manually instead.
- Certificate Store – When referencing certificates in the Certificate Store from services like SSL Inspection, the reference counter in the Ref By column still shows 0. [BNNGF-50666]
- Control Center – When a tunnel is deleted on a CC, the GTI tunnel is not automatically removed from the configuration. To work around this issue, perform a change in the VPN configuration on the affected firewall unit and activate the changes. The tunnel will then be removed along with the change. [BNNGF-54752]
- Control Center – Phion Legacy Pool Licenses are no longer shown on a Control Center in the Floating Licenses / Pool Licenses tab. [BNNGF- 52971]
- Firewall Admin – Copy and paste of an access rule with explicit Named Network does not copy the Named Network structure. [BNNGF-48588]
- Firewall Insights – Firewall Insights licenses are currently shown as "Generic". [BNNGF-60536]
- Network – Transferring data over VLAN interfaces configured on the switch port of CloudGen Firewall F180a or F280b fails due to inability of changing the MTU size. [BNNGF-46289]
- Network – OSPFv3 is currently not working as expected.
- Virtual Routing and Forwarding (VRF) – Actively sending unsolicited ARP messages does not work with VRF. [BNNGF-52654]
- Virtual Routing and Forwarding (VRF) – Changing the ID of an active virtual router instance to another ID is currently not supported. Instead, see How to Delete a Virtual Router Instance and How to Configure and Activate a Virtual Router Instance with Hardware, Virtual, VLAN, or Bundled Interfaces.
- Virtual Routing and Forwarding (VRF) – Changing the MTU size for VR instances is currently not working as expected. [BNNGF-53208]
- Virtual Routing and Forwarding (VRF) – Configuration files for VR instances are currently not considered when moving PAR files between boxes. [BNNGF-53390]
Current Known Issues Related to the Web Interface
- Web User Interface does not work with installation of firmware 7.2.4 on model F18.
Current Known Issues Related to the Web Interface for Cloud
- Azure Cloud – In Azure, after switching from Firewall Admin to the web interface, the connection can become very slow or even time out. [BNNGF-49960]
- Backup/Restore – For cloud instances, restoring configuration backups only works on model VFC8 model with BYOL.
- SSL VPN – SSL VPN on public cloud instances is currently not supported.