Barracuda CloudGen Firewall

8.2.1 Release Notes


Before installing the new firmware version:

Do not manually reboot your system at any time while the update is in process unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes.

Changelog

To keep our customers informed, the "Known Issues" list and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes will be found in this info box.

Version 8.2.1 is a minor update firmware release.

What's New in Version 8.2.1

HA Auto-Pairing

You can activate the HA auto-pairing feature to turn two separate firewalls into an HA pair with minimal configuration effort.

For more information, see HA Auto-Pairing.

Consolidated Menu for Importing Certificates

All UI buttons with a context menu for importing certificates with the file extensions .cer, .crt, and .pem have been consolidated into a single, common context menu item. Firewall Admin handles the format conversions automatically in the background.

Improvements Included in Version 8.2.1

Authentication
  • HA clusters in conjunction with RSA servers now work as expected in case of a failover.    [BNNGF-32212]
  • The authentication service no longer causes issues in certain situations.     [BNNGF-72944]
Barracuda Firewall Admin
  • VPN site-to-site tunnels via port 443 or different ports can now be configured in the GTI Editor.    [BNNGF-52150]
  • IP addresses can now be filtered to display routing tables at CONTROL > Network, table Routing Tables.    [BNNGF-55577]
  • It is now possible to log into a cloud box from Firewall Admin and also to connect to SSH without first connecting to the firewall, in both cases using a username and a key.    [BNNGF-55828]
  • It is now possible to configure up to 128 networks in the settings for IPsec tunnels.    [BNNGF-59686]
  • The configuration field High Performance settings in the GTI Editor is only selectable for TINA UDP transports.    [BNNGF-62477]
  • It is now possible to open the configuration of a firewall from the parent Control Center that has been set on a child Control Center.    [BNNGF-63289]
  • Creating certificates in Firewall Admin now forces the key length to be a multiple of 8 characters and ensures that the creation process succeeds.    [BNNGF-65515]
  • Entries for the record type other are now handled correctly.    [BNNGF-67112]
  • The asterisk character is no longer displayed in red when it is actually allowed.    [BNNGF-69228]
  • The routing table now also displays the name for a VPN tunnel in CONTROL > Network > Routing Table, column Name.    [BNNGF-69599]
  • The list view at CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > VPN Settings > Root Certificates now displays the issuer of the certificate in the column Issued By.    [BNNGF-71701]
  • The licenses status for SD-WAN is now displayed in the DASHBOARD.    [BNNGF-73118]
  • An option for adding a CRL Issuer Certificate has been added to the VPN GTI Editor at VPN Settings > Root Certificates.    [BNNGF-73473]
  • It is now possible to enable bulk assignment for pool licenses.    [BNNGF-74287]
  • Session reconnects are now much more responsive.    [BNNGF-74644]
  • Migrating clusters to 8.2 only works for clusters greater than 8.0.    [BNNGF-74729]
  • In Firewall Admin, filtering strings in columns now also works with strings in quotation marks.    [BNNGF-74785]
  • It is now possible to change the telemetry setting with bulk configuration.    [BNNGF-74967]
  • Telemetry settings are now displayed in a list to the right of the configuration tree.    [BNNGF-74998]
  • The maximum number of tunnels is now displayed as expected in the VPN Settings.    [BNNGF-75379]
  • Firewall Admin no longer displays 3-layer server-service nodes for boxes running with the 2-layer assigned services node in certain situations.    [BNNGF-75611]
  • The High Performance setting is also available in the group configuration for TINA tunnels.    [BNNGF-75736]
  • Firewall Admin now works as expected if a large ruleset contains large network objects.    [BNNGF-75803]
  • Firewall Admin no longer reports Energize Update is missing or an unknown license status on CCs for newly issued licenses.    [BNNGF-76090]
  • When entering matching criteria in the new list view for licenses, the view will scroll to the matching entry.    [BNNGF-76209]
  • Bulk operations for pool licenses now work as expected for revision models.    [BNNGF-76287]
  • In FIREWALL > Live, <ctrl>-double-clicking a session now opens details for big sessions.    [BNNGF-76302]
  • The UI option for importing a certificate has been consolidated and is now displayed with the text Import Certificate from File… at its current place in the UI.    [BNNGF-76877]
  • On a Control Center, it is possible to enter pattern-based entries for cluster links in ADMINS > my admin > Administrator Scopes > Global linked > Administrative Scope > Links.    [BNNGF-76899]
  • Creating certificates with PCs located in the US no longer causes issues.    [BNNGF-76958]
  • Before re-assigning licenses, a warning will be displayed.    [BNNGF-77652]
  • Repository nodes can now contain the '-' character.    [BNNGF-78196]
  • When creating a certificate, it is now possible to enter an asterisk (*) into the CF field.    [BNNGF-78483]
  • Pasting data from the clipboard into a txt record now works as expected.    [BNNGF-78797]
Barracuda OS
  • The IPFIX daemon now works as expected.    [BNNGF-70064]
  • Connecting to a box via GUI no longer fails in certain situations.    [BNNGF-70271]
  • The F93 and F193 now support dual PSUs.    [BNNGF-70644]
  • Firewalls running in an HA cluster now also support pool licenses even if there is only one license in the pool available.    [BNNGF-70645]
  • Importing a PEM file now writes the certificate chain correctly to the related configuration file.    [BNNGF-70649]
  • The firewall no longer terminates sessions after receiving an RST with sequence numbers that are too old.    [BNNGF-70685]
  • The firewall now collects load statistics per CPU.    [BNNGF-71137]
  • The boot status LED now works as expected.    [BNNGF-71629]
  • Admin templates that contain the underscore ('_') character no longer cause issues with AD users.    [BNNGF-72146]
  • Group caching for authentication now works as expected.    [BNNGF-73209]
  • SNMP walk for determining the percentage of disk fill now works as expected.    [BNNGF-73290]
  • The release check on the firewall no longer fails in certain situations.    [BNNGF-73812]
  • Enabling acpfctrl to monitor portX on the firewall no longer eats up memory.    [BNNGF-74046]
  • The command /opt/phion/bin/external-netobj-tool create -s parameter now works as expected.    [BNNGF-74047]
  • SLACK notifications for eventing now work as expected.    [BNNGF-74358]
  • ART system recovery for encrypted boxes now works as expected.    [BNNGF-74493]
  • After updating from firmware version 7.2.6 to 8.0.5/8.2.1 or higher, routes are introduced as expected for GRE tunnels.    [BNNGF-74692]
  • The DHCP Client now also requests and installs static routes.    [BNNGF-75146]
  • When upgrading a box to the new 2-layer service architecture, correct warnings will be displayed for all cases where server IPs are configured without routes.    [BNNGF-75453]
  • It is now possible to mark certificates as trusted in the certificate store.    [BNNGF-75492]
  • Default routes are now provided to DHCP clients as expected.    [BNNGF-75691]
  • Creating a new private key now updates the hash of the box certificate as expected.    [BNNGF-76206]
  • Event notification now works as expected.    [BNNGF-76327]
  • The firewall no longer experiences high CPU loads in certain situations due to optimizations of the systemd process.    [BNNGF-76401]
  • It is now possible for Firewall Insights to stream data to Logstash.    [BNNGF-76503]
  • Filebeat clients now report through the management tunnel as expected.    [BNNGF-78034]
  • The upper limits for 'max open files' and 'max process' are now applied correctly after controld is started.    [BNNGF-78048]
  • The back end now reports correct values to the UI for the state of /phion0 volumes on firewalls with very large disks.    [BNNGF-78086]
  • The cstatd log files no longer get flooded and the phion0 partition no longer runs out of space.    [BNNGF-78865]
Cloud General
  • PAYG licenses now use the private key from the Barracuda Order System (BOS).    [BNNGF-75203]
  • The provider name is set for LAN interfaces.    [BNNGF-79182]
Control Center
  • The Control Center no longer sends a complete update after a preceding update is successfully finished.    [BNNGF-48636]
  • When a box with a GTI service tunnel is moved in the Control Center, the GTI tunnel is now moved together with the box as expected.    [BNNGF-65484]
  • Handling of locks during minimal PAR-file generation works as expected for zero-touch deployments (ZTD).    [BNNGF-68061]
  • Discontinued/outdated licenses are ignored when a valid license subscription is activated in the Control Center.    [BNNGF-71216]
  • The Control Center creates an event entry File or Pattern Update Failed if a file update to a box fails.    [BNNGF-72198]
  • Pool licenses can now also be removed during an update of other pool licenses.    [BNNGF-72989]
  • The CLI command cctool has been extended to support functionality for importing managed boxes on the CC and enabling/disabling managed boxes.    [BNNGF-73098]
  • If the auto-reassignment of an updated pool license to the managed firewalls fails at the first attempt, it will be retried.    [BNNGF-73301]
  • The CC event service now sends emails to multiple recipients as expected.    [BNNGF-73745]
  • Control Centers operating firmware 8.2.0 or higher display only supported cluster versions.    [BNNGF-74486]
  • In case of an HA failover, the Control Center now sends correct PAR files to the firewall.    [BNNGF-74628]
  • SSH login for CC administrators works as expected.    [BNNGF-74737]
  • A dynamic network object is present in the host firewall for parent-to-child Control Centers (split CC).    [BNNGF-75153]
  • A CC admin for a new range will no longer see other ranges in the SD-WAN tab.    [BNNGF-75190]
  • Migrating distributed firewalls with similar server names to the 2-layer service architecture no longer leads to incorrect allocations of the rulesets in the firewalls.    [BNNGF-76328]
  • The CC clone wizard now adds the correct name to the new target box.    [BNNGF-76336]
  • Dynamic loading of the CC configuration tree has been improved.    [BNNGF-76495]
  • Dynamic loading of the CC configuration tree has been improved.    [BNNGF-76612]
  • On a Control Center, it is possible to enter pattern-based entries for cluster links in ADMINS > my admin > Administrator Scopes > Global linked > Administrative Scope > Links.    [BNNGF-76870]
  • Box descriptor fields now accept strings with a maximum length of 100 characters.    [BNNGF-78146]
  • A bug has been fixed where locking the FSC editor in Cluster Settings caused the FSC communication daemon to crash.    [BNNGF-79090]

  • Changes in the configuration tree of the Control Center are now responsive as expected.    [BNNGF-79160]

DHCP
  • After a firmware update, DHCP now starts up as expected.    [BNNGF-78040]
DNS
  • When a new record is opened for DNS, the value of 3600 is inserted into the TTL field by default. If records are changed, the TTL field remains untouched if it was empty before.    [BNNGF-67109]
  • When changing a value for a domain, the related serial is updated only for the affected domain, and serials for all other domains remain untouched.    [BNNGF-68137]
  • At CONFIGURATION > Configuration Tree > Administrative Settings > Caching DNS Service, the label for forwarders for DNS zones has been renamed to Forwarders for DNS Zones.    [BNNGF-69590]
  • Conditional forwarding for DNS now works as expected.    [BNNGF-69838]
  • The option to enter the forward source-ip for outgoing DNS queries has been added to the DNS settings.    [BNNGF-71995]
  • The BIND system has been updated to fix CVE-2021-25215.    [BNNGF-74781]
Firewall
  • Non-TOR applications no longer get flagged as false-positive TOR applications by the firewall.    [BNNGF-71962]
  • The minimum version for TLS has been set to 1.2.    [BNNGF-73183]
  • Firewall authentication is now restricted to groups instead of individual users.    [BNNGF-73708]
  • HTTPS is now included again in the All HTTP protocol object.    [BNNGF-74942]
  • TCP resets are no longer dropped, and sessions are now terminated correctly on ports 443 and 445.    [BNNGF-76268]
  • Improvements have been made to reduce waiting time in sessions when receiving resets in the TCP protocol.    [BNNGF-76724]
  • The categorization of URLs for URL filters now works as expected.    [BNNGF-78381]
HTTP Proxy
REST
  • Starting with release 8.2.1, SC confunits are now prefixed with 'fsc', and CGF confunits are prefixed with 'cgf'.    [BNNGF-74599], [BNNGF-78506]
  • Replacing a large network object no longer fails in certain situations.    [BNNGF-75758]
  • The REST API call for determining the usage of memory now considers disk space usage in a dedicated diskState field.    [BNNGF-76335]
  • The minimum value for time to live at CONFIGURATION > Configuration Tree > Infrastructure Service > REST API Service > Access Tokens is limited to 1.    [BNNGF-76647]
SSLVPN
  • When configuring a launch path for SSLVPN, the path may now also contain the '#' character.    [BNNGF-70950]
VPN
  • When enabling/disabling a B0 transport, the user is asked whether all associated transports should be enabled/disabled as well.     [BNNGF-20482]
  • In Control Center > Configuration Tree > VPN GTI Editor > Tunnel Properties > Advanced, it is now possible to configure the lifetime value for the Phase 2 of IKEv1 tunnels (Phase 2 Lifetime Adjust [sec]).    [BNNGF-54150]
  • The import of PFX files into VPN settings now works as expected.    [BNNGF-69741]
  • After an ISP outage, VPN tunnels are re-established and now work as expected.    [BNNGF-73584]
  • VPN client-to-site connections no longer experience dropouts when an HA pair of boxes performs a failover.    [BNNGF-74302]
  • Logging enhancements have been made for the IKEv1/v2 log.    [BNNGF-75690]
  • If the CPU is not supported, an entry will be created in the VPN log.    [BNNGF-75760]
  • New CRL settings are now enabled in the GTI Editor.    [BNNGF-76253]
  • Using MSAD + RSAACE for personal licenses no longer causes authentication errors.    [BNNGF-76332]

 

Known Issues

  • Azure – OMS is currently not supported on CC-managed boxes.
  • Currently, no RCS information is logged for Named Networks.    [BNNGF-47097]
  • Barracuda Firewall Admin – FW Admin 8.x fails to configure DNS 7.x correctly.    [BNNGF-77636]
  • The learn-only mode for OSPF is not working as expected.    [BNNGF-65299]
  • Control Center – After configuration and activation of the SAML/ADFS authentication, the SP metadata is not set on the Control Center.     [BNNGF-76521]
    As a workaround, complete the following steps: 1. Connect to the box. 2. Configure SAML using an Emergency Override.
  • Firewall – Inspecting traffic for QUIC / UDP 443 is currently not supported.    [BNNGF-74540]
  • SSLVPN – RDP connections can terminate after an unspecified amount of time and need to be re-established by the user. In some cases, connections cannot be re-established at all.
    As a workaround, manually restart the service on the CLI via killall sslvpnsrv. To restart it periodically via a cron job and/or script, use /usr/bin/killall sslvpnsrv. For questions on how to implement automatic restart procedures, contact Barracuda Networks Technical Support for assistance.    [BNNGS-3761]