It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

9.0.2 Release Notes

  • Last updated on

As the CloudGen Firewall has evolved over the years with its increasing number of features, the Release Notes articles have grown accordingly. This, in turn, has also added greatly to the number of entries in the menu column.

To make the Release Notes articles easier to read, they are now equipped with support elements that provide a better overview of all sections contained while making it easier to navigate between and inside these sections.

Each of these sections can be expanded and collapsed separately to show only what you are interested in. Simply click below a header line to expand or collapse a section.

Note that depending on a certain release, the sections can vary both in content and number.  In addition, a headline may be followed by certain symbols with the following meaning:

red_warning_tiny.png: Critical information to be considered.

yellow_warning_tiny.png: Important information included in the section.

update_tiny.png: Updated information available.

feature-related.png: Product-related information, e.g., new features, solved bugs.

know_issues_tiny.png: Product-related information that relates to known bugs.

Note that regular information boxes in blue are not explicitly marked in the headline but may still appear in a section.

Each section can be expanded individually for informational or printing purposes.


Important Announcements and Notes for Release 9.0.2

Read this section before you continue with the Release Notes below.

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

CloudGen Access Proxy

When updating HA systems with the CloudGen Access Proxy enabled, you must reconfigure the proxy to generate a new enrollment URL. For more information, see CloudGen Access Proxy.

Using Special Characters when Creating a Section in the Forwarding Ruleset

After the update to 9.0.2, ‘-' is the only special character that is allowed to be used in firewall section names.

SAML Authentication

Updating to version 9.0.2 disables SAML authentication. SAML authentication needs to be re-enabled again if configured before the update. See


General and Maintenance Information for the 9.0.2 Release Notes 

Firmware version 9.0.2 is a minor release.

Before installing the new firmware version:

Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes.

To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box.

6.6.2024 – Release of firmware 9.0.2.

3.7.2024 – Release of Hotfix 1121 - Secure Edge Integration. For more information, see

8.7.2024 – Release of Hotfix 1120 - Firewall. The hotfix addresses compatibility issues in URL filtering, Application Detection and TLS Inspection, when using recent versions of Chrome and Firefox that use the Kyber TLS key encapsulation mechanism. For more information, see
See also the note in the Known Issues section at the end of this article.

8.7.2024 – Release of Hotfix 1123 - OpenSSH. The hotfixes fix the CVE-2024-6387 "regreSSHion" vulnerability. For more information, see

8.7.2024 – Release of patch GWAY-9.0.2-0230 - Alternatively to the hotfixes 1120 and 1123, and if you are running firmware 9.0.2, you can install a new patch package that includes HF1120, HF1121, and HF1123 in common. For more information, see
Installing the patch will overwrite previously installed hotfixes with the same contained number in the patch. Associated configurations from a previous installation of hotfixes 1120, 1121, and 1123 will not be touched.

Recommendations and Prerequisites for Running Firmware Release 9.0.2

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 9.0.2, Barracuda Networks recommends using at least Firewall Admin version 9.0.2. You can download this version here:

Unlike in firmware 9.0.0 where Firewall Admin 9.0 no longer displayed GTI for firmware versions earlier than 9.0, this limitation has been removed as of release 9.0.1. Firewall Admin now displays GTI for Control Centers < = 8.3.

However, because WANopt is no longer supported, note that Firewall Admin now ignores all WANopt settings from GTI regardless of the version.

Who Can Update to Firmware Release 9.0.2

Read the Migration Notes 9.0.2 before updating to firmware 9.0.2.

For more information on the migration process, see the article Migration Notes 9.0.2.


Update-Relevant Information for 9.0.2 

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Are No Longer Included as of this Version 9.0.2

If you require one of the listed features, do not update to this firmware version!

FW Audit

As of firmware 9.0.0, FW Audit is being discontinued. If you have been using FW Audit for reporting in the past, Barracuda Networks recommends using Barracuda Firewall Insights for advanced reporting instead.


As of firmware 9.0.0, support for the Web-UI is being discontinued.


As of firmware 9.0.0, the SMSd is being discontinued.


As of firmware 9.0.0, WANopt is being discontinued.

Features that Will Become Obsolete in an Upcoming Release

If you are currently using one of the features listed below, consider planning to switch to an appropriate alternative.

Currently, there are no features planned to be announced for removal. However, Barracuda Networks recommends checking for this again in the release notes 9.1.0.

New Features in Version 9.0.2 

As a minor release, version 9.0.2 contains important fixes.


Solved Bugs and Improvements in Release 9.0.2

  • TS Agent and DC Client users are now synced properly between HA partners.    [BNNGF-90958]

  • The authentication service now sends special characters correctly with the RADIUS authentication scheme.    [BNNGF-90980]

  • Template admins no longer experience issues in connection with different admin-handler daemons.    [BNNGF-90984]

Barracuda Firewall Admin
  • Barracuda Firewall Admin reads the authentication database as expected.    [BNNGF-92030]

  • Barracuda Firewall Admin is no longer slow to respond with multiple GTI tunnels.    [BNNGF-92048]

  • Disabling Force regular password change for CC Admins now works as expected.    [BNNGF-93020]

  • In-place edit of NAT mode or policy usage now works as expected.    [BNNGF-93161]

  • Firewall Admin no longer crashes when the VPN tab is opened.    [BNNGF-93497]

  • Several bugs causing memory issues in Firewall Admin have been solved.    [BNNGF-93602]

  • In the Control Center, the menu entries in the configuration tree for Show Back Links...  and Show Back Link Overrides are now displayed as expected.    [BNNGF-93816]

  • The preset value for transport classes for providers can now be overridden for site-to-site GTI transports.    [BNNGF-94054]

  • The DST criterion is now allowed to be used in the URLCat and FileContent policy list and in the URLCat in the dialog.    [BNNGF-94213]

Barracuda OS
  • Memory leaks no longer occur in certain situations.    [BNNGF-78803]

  • VRF now works on Bond with VLANs as expected.    [BNNGF-84386]

  • Error messages are no longer displayed if the kernel parameter is set to 'ACPI=off'.    [BNNGF-85369]

  • SNMP queries now work as expected.    [BNNGF-87467]

  • Unexpected HA failovers no longer occur in certain situations.    [BNNGF-88845]

  • SNMP memory leaks no longer occur in certain situations.    [BNNGF-90956]

  • The status display Neg.  for auto-negotiation of network interfaces now shows correct values.     [BNNGF-91050]

  • Sessions from dynamic rules are now correctly terminated when the dynamic rule expires or is disabled.    [BNNGF-91184]

  • Duplicate MAC addresses no longer occur after HA pairing. [BNNGF-91977]

  • The PPE config file is now applied as expected during a box installation.    [BNNGF-92437]

  • The cctool command line tool is now also available for boxes.    [BNNGF-92462]

  • Re-imaging boxes with ISO images now works as expected.    [BNNGF-92603]

  • The control daemon no longer crashes in certain situations.    [BNNGF-92694]

  • After an update via the DASHBOARD, all update/hotfix files will be removed from the filesystem as expected.    [BNNGF-92758]

Cloud General
  • The CLOUD-LB-PROBE rule is now included in the default FW ruleset again.    [BNNGF-94128]

Control Center
  • Force password change on next login for CC Admins now works as expected.    [BNNGF-78889]

  • The trustzone-sync no longer stops syncing information in certain situations.    [BNNGF-91358]

  • Performing a ccactivate on a Control Center now updates licenses correctly.    [BNNGF-91981]

  • After updating a Control Center to a firmware version greater than 9.0.x and rolling out a user for OTP, emails are now sent out as expected.    [BNNGF-92695]

  • The CONF service no longer crashes in certain situations, and GTI tunnels now remain functional in their configured ranges.    [BNNGF-93017]

  • Accessing/showing the Firmware Update tab no longer responds slowly.    [BNNGF-93152]

  • Multihoming no longer causes issues with relay agent IP addresses.    [BNNGF-90960]

  • DHCPv6 relay now forwards requests on all available interfaces.    [BNNGF-93780]

  • Replacing a single certificate after a whole certificate chain file was imported now works as expected.    [BNNGF-86558]

  • In case a box has a corrupt ruleset caused by a faulty object reference, an appropriate warning is displayed.    [BNNGF-90551]

  • SSL Inspection no longer fails for new connections after a longer period.    [BNNGF-91043]

  • Terminating existing sessions on scheduled objects now works as expected.    [BNNGF-91568]

  • Flood ping protection thresholds now work as expected.    [BNNGF-91605]

  • Binding the resolver connection to the DNS Caching service no longer blocks other services.    [BNNGF-91666]

  • Some affected ipoque applications now work as expected with app-based provider selection.    [BNNGF-91983]

  • CNA + CTA now honor port filters as expected.    [BNNGF-92511]

  • Reconfiguring the WSG bridge no longer breaks ARP negotiations.    [BNNGF-92703]

  • The custom user agent is matching for all described test scenarios and pages are blocked with a proper block page.    [BNNGF-92802]

  • Websites are now blocked correctly (URL filter, TLS encryption) on old browsers like Internet Explorer.    [BNNGF-92965]

  • Tickets can be created, edited, and saved as expected for the guest ticketing system.    [BNNGF-93071]

  • The web monitor "suspicious keyword" search has been adjusted to be appropriately sensitive.    [BNNGF-93236]

  • The OP-SRV-VPN-DYNIF rule now works correctly if xDSL is used.    [BNNGF-93253]

  • After a reboot, the firewall no longer writes call traces to the logs that are related to the offloading settings in Azure boxes. Warnings, errors, and other information are written to the log as expected.    [BNNGF-93282]

  • Improvements have been made to shaping performance.    [BNNGF-93377]

  • HTTPS traffic is now detected as expected for Internet Explorer. [BNNGF-93486]

  • A new user agent was added that matches the Microsoft CryptoAPI.    [BNNGF-93822]

  • The detection of MS Office files has been improved.    [BNNGF-93824]

  • The memory handling for uports in the SIPS proxy no longer causes out-of-bounds errors and now works as expected.    [BNNGF-93859]

  • Some REST-related incompatibilities have been successfully removed.    [BNNGF-93155]

  • The site-specific object confunit now works for cluster firewall services.    [BNNGF-93734]

  • The underscore character ( _ ) is now allowed for site-specific objects.    [BNNGF-94051]

HTTP Proxy
  • Exchange authentication over the reverse proxy now works as expected.    [BNNGF-90426]

  • Error pages are now located at their appropriate place.    [BNNGF-93482]

Virus Scanner
  • Timeouts of the AV no longer occur.    [BNNGF-92968]

  • Wi-Fi traffic is moved into a VPN tunnel as expected.    [BNNGF-90957]

  • The firewall no longer experiences unexpected high CPU loads with a large number of VPN tunnels.    [BNNGF-91223]

  • Changes to a GTI transport configuration no longer cause secondary transports to be terminated on all tunnels.    [BNNGF-91452]

  • IPSec/IKEv2 PSK authentication has been added to support Android.    [BNNGF-92321]

  • Client-to-site VPN with RADIUS MFA now works as expected.    [BNNGF-92696]

  • Dynamic High-Performance mode now contains the 3 new options for configuration: Auto mode, No mode, and Dynamic mode.    [BNNGF-92810]

  • SSL VPN License Count now works as expected.    [BNNGF-92964]

  • Changes to Log Level For Proxy no longer require a manual restart so that a client can connect.    [BNNGF-93428]

  • GTI no longer causes Firewall Admin to crash during connections to 8.3 Control Centers.    [BNNGF-93434]

  • The configuration for VPN/IKEv2 is loaded correctly.    [BNNGF-93779]


Known Issues in Release 9.0.2

  • Authentication – After the firmware update to 9.0.2, SAML authentication no longer works for C2S VPN.
    Workaround: Select the check box Enable SAML support in the VPN Client to Site configuration. See [BNNGF-94611]

  • Barracuda OS – If a QoS profile has been created and assigned to a physical interface, this profile will be automatically overwritten by the simple QoS band when performing an HA failover or deleting the VPN tunnel assigned to this physical interface.    [BNNGF-90831]

  • Control CenterAutomated Security Update parameters are broken. [BNNGF-94678]

  • Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported.    [BNNGF-74540]

  • Firewall - App Detection – Initially failing app detection or invalid TLS certificate due to large Client Hello.
    Certain browsers force the use of Kyber, a post-quantum key agreement algorithm, in TLS. In turn, the Client Hello gets unusually large and initially might cause app detection to fail or an invalid TLS certificate for TLS inspection. After a page refresh in the browser, the app is detected correctly and the TLS certificate is valid.     [BNNGF-93365]

    Workaround: Install hotfix HF-1120. The hotfix addresses compatibility issues in URL filtering, Application Detection, and TLS Inspection when using recent versions of Chrome and Firefox that use the Kyber TLS key encapsulation mechanism. For more information, see
    The upcoming firmwares 9.0.3 and 9.1.0 will include the hotfix HF-1120 and officially solve the issue.

  • Licensing – If the pool license is renewed, the permission scope for pool licenses is reset.    [BNNGF-94610]

  • SSL-VPN and Cuda-Launch – Shared folders are no longer accessible via CudaLaunch if the name of the shared folder contains a blank space.    [BNNGS-3970]

    Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20.

  • Telemetry – For managed firewalls note that settings displayed in the UI on the Control Center and the managed box can differ depending on the cluster and firmware version.    [BNNGF-89044]

  • VPN – Dynmesh tunnels do not get established when both sites are behind a NAT after updating to 9.0.0.    [BNNGF-90377]