It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

9.0.2 Release Notes

  • Last updated on

As the CloudGen Firewall has evolved over the years with its increasing number of features, the Release Notes articles have grown accordingly. This, in turn, has also added greatly to the number of entries in the menu column.

To make the Release Notes articles easier to read, they are now equipped with support elements that provide a better overview of all sections contained while making it easier to navigate between and inside these sections.

Each of these sections can be expanded and collapsed separately to show only what you are interested in. Simply click below a header line to expand or collapse a section.

Note that depending on a certain release, the sections can vary both in content and number.  In addition, a headline may be followed by certain symbols with the following meaning:

red_warning_tiny.png: Critical information to be considered.

yellow_warning_tiny.png: Important information included in the section.

feature-related.png: Product-related information, e.g., new features, solved bugs.

know_issues_tiny.png: Product-related information that relates to known bugs.

Note that regular information boxes in blue are not explicitly marked in the headline but may still appear in a section.

Each section can be expanded individually for informational or printing purposes.


Important Announcements and Notes for Release 9.0.2

Read this section before you continue with the Release Notes below.

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

CloudGen Access Proxy

When updating HA systems with the CloudGen Access Proxy enabled, you must reconfigure the proxy to generate a new enrollment URL. For more information, see CloudGen Access Proxy.

General and Maintenance Information for the 9.0.2 Release Notes 

Firmware version 9.0.2 is a minor release.

Before installing the new firmware version:

Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes.

To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box.

6.6.2024 – Release of firmware 9.0.2.

Recommendations and Prerequisites for Running Firmware Release 9.0.2

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 9.0.2, Barracuda Networks recommends using at least Firewall Admin version 9.0.2. You can download this version here:

Unlike in firmware 9.0.0 where Firewall Admin 9.0 no longer displayed GTI for firmware versions earlier than 9.0, this limitation has been removed as of release 9.0.1. Firewall Admin now displays GTI for Control Centers < = 8.3.

However, because WANopt is no longer supported, note that Firewall Admin now ignores all WANopt settings from GTI regardless of the version.

Who Can Update to Firmware Release 9.0.2

Read the Migration Notes 9.0.2 before updating to firmware 9.0.2.

For more information on the migration process, see the article Migration Notes 9.0.2.


Update-Relevant Information for 9.0.2 

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Are No Longer Included as of this Version 9.0.2

If you require one of the listed features, do not update to this firmware version!

FW Audit

As of firmware 9.0.0, FW Audit is being discontinued. If you have been using FW Audit for reporting in the past, Barracuda Networks recommends using Barracuda Firewall Insights for advanced reporting instead.


As of firmware 9.0.0, support for the Web-UI is being discontinued.


As of firmware 9.0.0, the SMSd is being discontinued.


As of firmware 9.0.0, WANopt is being discontinued.

Features that Will Become Obsolete in an Upcoming Release

If you are currently using one of the features listed below, consider planning to switch to an appropriate alternative.

Currently, there are no features planned to be announced for removal. However, Barracuda Networks recommends checking for this again in the release notes 9.1.0.

New Features in Version 9.0.2 

As a minor release, version 9.0.2 contains important fixes.


Solved Bugs and Improvements in Release 9.0.2

  • TS Agent and DC Client users are now synced properly between HA partners.    [BNNGF-90958]

  • The authentication service now sends special characters correctly with the RADIUS authentication scheme.    [BNNGF-90980]

  • Template admins no longer experience issues in connection with different admin-handler daemons.    [BNNGF-90984]

Barracuda Firewall Admin
  • Barracuda Firewall Admin reads the authentication database as expected.    [BNNGF-92030]

  • Barracuda Firewall Admin is no longer slow to respond with multiple GTI tunnels.    [BNNGF-92048]

  • Disabling Force regular password change for CC Admins now works as expected.    [BNNGF-93020]

  • In-place edit of NAT mode or policy usage now works as expected.    [BNNGF-93161]

  • Firewall Admin no longer crashes when the VPN tab is opened.    [BNNGF-93497]

  • Several bugs causing memory issues in Firewall Admin have been solved.    [BNNGF-93602]

  • In the Control Center, the menu entries in the configuration tree for Show Back Links...  and Show Back Link Overrides are now displayed as expected.    [BNNGF-93816]

  • The preset value for transport classes for providers can now be overridden for site-to-site GTI transports.    [BNNGF-94054]

  • The DST criterion is now allowed to be used in the URLCat and FileContent policy list and in the URLCat in the dialog.    [BNNGF-94213]

Barracuda OS
  • Memory leaks no longer occur in certain situations.    [BNNGF-78803]

  • VRF now works on Bond with VLANs as expected.    [BNNGF-84386]

  • Error messages are no longer displayed if the kernel parameter is set to 'ACPI=off'.    [BNNGF-85369]

  • SNMP queries now work as expected.    [BNNGF-87467]

  • Unexpected HA failovers no longer occur in certain situations.    [BNNGF-88845]

  • SNMP memory leaks no longer occur in certain situations.    [BNNGF-90956]

  • The status display Neg.  for auto-negotiation of network interfaces now shows correct values.     [BNNGF-91050]

  • Sessions from dynamic rules are now correctly terminated when the dynamic rule expires or is disabled.    [BNNGF-91184]

  • The PPE config file is now applied as expected during a box installation.    [BNNGF-92437]

  • The cctool command line tool is now also available for boxes.    [BNNGF-92462]

  • Re-imaging boxes with ISO images now works as expected.    [BNNGF-92603]

  • The control daemon no longer crashes in certain situations.    [BNNGF-92694]

  • After an update via the DASHBOARD, all update/hotfix files will be removed from the filesystem as expected.    [BNNGF-92758]

Cloud General
  • The CLOUD-LB-PROBE rule is now included in the default FW ruleset again.    [BNNGF-94128]

Control Center
  • Force password change on next login for CC Admins now works as expected.    [BNNGF-78889]

  • The trustzone-sync no longer stops syncing information in certain situations.    [BNNGF-91358]

  • Performing a ccactivate on a Control Center now updates licenses correctly.    [BNNGF-91981]

  • After updating a Control Center to a firmware version greater than 9.0.x and rolling out a user for OTP, emails are now sent out as expected.    [BNNGF-92695]

  • The CONF service no longer crashes in certain situations, and GTI tunnels now remain functional in their configured ranges.    [BNNGF-93017]

  • Accessing/showing the Firmware Update tab no longer responds slowly.    [BNNGF-93152]

  • Multihoming no longer causes issues with relay agent IP addresses.    [BNNGF-90960]

  • DHCPv6 relay now forwards requests on all available interfaces.    [BNNGF-93780]

  • Replacing a single certificate after a whole certificate chain file was imported now works as expected.    [BNNGF-86558]

  • In case a box has a corrupt ruleset caused by a faulty object reference, an appropriate warning is displayed.    [BNNGF-90551]

  • SSL Inspection no longer fails for new connections after a longer period.    [BNNGF-91043]

  • Terminating existing sessions on scheduled objects now works as expected.    [BNNGF-91568]

  • Flood ping protection thresholds now work as expected.    [BNNGF-91605]

  • Binding the resolver connection to the DNS Caching service no longer blocks other services.    [BNNGF-91666]

  • Some affected ipoque applications now work as expected with app-based provider selection.    [BNNGF-91983]

  • CNA + CTA now honor port filters as expected.    [BNNGF-92511]

  • Reconfiguring the WSG bridge no longer breaks ARP negotiations.    [BNNGF-92703]

  • The custom user agent is matching for all described test scenarios and pages are blocked with a proper block page.    [BNNGF-92802]

  • Websites are now blocked correctly (URL filter, TLS encryption) on old browsers like Internet Explorer.    [BNNGF-92965]

  • Tickets can be created, edited, and saved as expected for the guest ticketing system.    [BNNGF-93071]

  • The web monitor "suspicious keyword" search has been adjusted to be appropriately sensitive.    [BNNGF-93236]

  • The OP-SRV-VPN-DYNIF rule now works correctly if xDSL is used.    [BNNGF-93253]

  • After a reboot, the firewall no longer writes call traces to the logs that are related to the offloading settings in Azure boxes. Warnings, errors, and other information are written to the log as expected.    [BNNGF-93282]

  • Improvements have been made to shaping performance.    [BNNGF-93377]

  • A new user agent was added that matches the Microsoft CryptoAPI.    [BNNGF-93822]

  • The detection of MS Office files has been improved.    [BNNGF-93824]

  • The memory handling for uports in the SIPS proxy no longer causes out-of-bounds errors and now works as expected.    [BNNGF-93859]

  • Some REST-related incompatibilities have been successfully removed.    [BNNGF-93155]

  • The site-specific object confunit now works for cluster firewall services.    [BNNGF-93734]

  • The underscore character ( _ ) is now allowed for site-specific objects.    [BNNGF-94051]

HTTP Proxy
  • Exchange authentication over the reverse proxy now works as expected.    [BNNGF-90426]

  • Error pages are now located at their appropriate place.    [BNNGF-93482]

Virus Scanner
  • Timeouts of the AV no longer occur.    [BNNGF-92968]

  • Wi-Fi traffic is moved into a VPN tunnel as expected.    [BNNGF-90957]

  • The firewall no longer experiences unexpected high CPU loads with a large number of VPN tunnels.    [BNNGF-91223]

  • Changes to a GTI transport configuration no longer cause secondary transports to be terminated on all tunnels.    [BNNGF-91452]

  • IPSec/IKEv2 PSK authentication has been added to support Android.    [BNNGF-92321]

  • Client-to-site VPN with RADIUS MFA now works as expected.    [BNNGF-92696]

  • Dynamic High-Performance mode now contains the 3 new options for configuration: Auto mode, No mode, and Dynamic mode.    [BNNGF-92810]

  • SSL VPN License Count now works as expected.    [BNNGF-92964]

  • Changes to Log Level For Proxy no longer require a manual restart so that a client can connect.    [BNNGF-93428]

  • GTI no longer causes Firewall Admin to crash during connections to 8.3 Control Centers.    [BNNGF-93434]

  • The configuration for VPN/IKEv2 is loaded correctly.    [BNNGF-93779]


Known Issues in Release 9.0.2

  • Barracuda OS – If a QoS profile has been created and assigned to a physical interface, this profile will be automatically overwritten by the simple QoS band when performing an HA failover or deleting the VPN tunnel assigned to this physical interface.    [BNNGF-90831]

  • Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported.    [BNNGF-74540]

  • Firewall - App Detection – Initially failing app detection or invalid TLS certificate due to large Client Hello.
    Certain browsers force the use of Kyber, a post-quantum key agreement algorithm, in TLS. In turn, the Client Hello gets unusually large and initially might cause app detection to fail or an invalid TLS certificate for TLS inspection. After a page refresh in the browser, the app is detected correctly and the TLS certificate is valid.     [BNNGF-93365]

    Workaround: A workaround is to disable the flag "TLS 1.3 hybridized Kyber support" / X25519Kyber768 in Google Chrome (chrome://flags/), Microsoft Edge (edge://flags/), and "security.tls.enable_kyber" in Firefox (about:config).
    For Google Chrome and Chrome OS there is also a policy that can alternatively be used to control this flag. See

  • SSL-VPN and Cuda-Launch – Shared folders are no longer accessible via CudaLaunch if the name of the shared folder contains a blank space.    [BNNGS-3970]

    Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20.

  • Telemetry – For managed firewalls note that settings displayed in the UI on the Control Center and the managed box can differ depending on the cluster and firmware version.    [BNNGF-89044]

  • VPN – Dynmesh tunnels do not get established when both sites are behind a NAT after updating to 9.0.0.    [BNNGF-90377]