Barracuda CloudGen Firewall

10.0.0 Release Notes

Important Announcements and Notes for Release 10.0.0

Read this section before you continue with the Release Notes below.

Encryption, Weak Ciphers

NOTE

As of firmware release 10.0, specific features no longer support weak ciphers for security reasons:

  • NTP peering no longer works with SHA1. [BNNGF-97461]

  • Syslog Streaming:

    • Syslog streaming across TCP TLS connections no longer accepts RSA public key sizes of 1024 bits or less. [BNNGF-97492]

    • TLS Protocol with SSLv3 is no longer supported by the newer OpenSSL versions and has been deprecated. [BNNGF-97493]

    • If you are using syslog streaming, you must take the following measures:

      • For every CGF-managed box, you must check the bit length used for syslog streaming.

      • For every CGF-managed box that sends logs to the CC via Syslog Streaming, you must change the TLS protocol at least to version TLS 1.2 and change the configuration for a larger bit length at Syslog Config > Trusted Clients.

For more information before migrating to 10.0.0, see 10.0.0 Migration Notes.
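
A pre-migration check for the syslog streaming requirement above, as an added example that is not part of the Barracuda release notes or firmware: it reads the RSA modulus size from PEM certificates or public keys that an administrator has exported and flags anything of 1024 bits or less. The function names and the sample keys (built in code, structurally valid but not usable) are assumptions made for illustration.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
REJECTED_UP_TO_BITS = 1024  # release note: RSA keys of 1024 bits or less are refused


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def rsa_bits_from_spki(spki_value):
    """Modulus size in bits for a SubjectPublicKeyInfo body, or None if not RSA."""
    (_, alg), (_, bitstr) = children(spki_value)[:2]
    if children(alg)[0][1] != RSA_OID:
        return None
    _, rsa_key, _ = read_tlv(bitstr[1:])  # skip the unused-bits octet
    modulus = children(rsa_key)[0][1]     # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()


def rsa_bits_from_pem(pem_text):
    """Accept a PEM CERTIFICATE or PUBLIC KEY block and return the RSA key size."""
    m = re.search(r"-----BEGIN (CERTIFICATE|PUBLIC KEY)-----(.*?)-----END \1-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE or PUBLIC KEY block found")
    _, body, _ = read_tlv(base64.b64decode(m.group(2)))
    if m.group(1) == "PUBLIC KEY":
        return rsa_bits_from_spki(body)
    tbs = children(children(body)[0][1])      # fields of tbsCertificate
    idx = 6 if tbs[0][0] == 0xA0 else 5       # explicit [0] version shifts the index
    return rsa_bits_from_spki(tbs[idx][1])


def audit(named_pems):
    """Map each name to (bits, verdict) under the 10.0 syslog streaming rule."""
    report = {}
    for name, pem in named_pems.items():
        bits = rsa_bits_from_pem(pem)
        if bits is None:
            verdict = "not RSA, rule does not apply"
        elif bits <= REJECTED_UP_TO_BITS:
            verdict = "REPLACE before upgrading"
        else:
            verdict = "ok"
        report[name] = (bits, verdict)
    return report


# --- Sample input below is CONSTRUCTED for the demo; these are not real keys. ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + content


def der_int(v):
    return der_encode(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def constructed_pem(bits, as_certificate):
    """Build a structurally valid sample whose modulus has exactly `bits` bits."""
    rsa_key = der_encode(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsa_key))
    label, blob = "PUBLIC KEY", spki
    if as_certificate:
        name = der_encode(0x30, b"")
        validity = der_encode(0x30, der_encode(0x17, b"250101000000Z") * 2)
        tbs = der_encode(0x30, der_encode(0xA0, der_int(2)) + der_int(1) + alg
                         + name + validity + name + spki)
        label = "CERTIFICATE"
        blob = der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00"))
    b64 = base64.encodebytes(blob).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


if __name__ == "__main__":
    samples = {
        "box-a (constructed)": constructed_pem(1024, as_certificate=True),
        "box-b (constructed)": constructed_pem(2048, as_certificate=True),
        "box-c (constructed)": constructed_pem(4096, as_certificate=False),
    }
    for name, (bits, verdict) in audit(samples).items():
        print(f"{name}: RSA {bits} bits -> {verdict}")
```

The check covers key length only; the TLS protocol version for syslog streaming still has to be raised to at least TLS 1.2 in the configuration as described above.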

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

Licensing

Virtual images are now distributed with the VFC model preset by default because the VF model is deprecated!

General and Maintenance Information for the 10.0.0 Release Notes 

Firmware version 10.0.0 is a major release.

Before installing the new firmware version:

Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes.

To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box.

10.06.2025 – Release of firmware 10.0.0.

Recommendations and Prerequisites for Running Firmware Release 10.0.0

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 10.0.0, Barracuda Networks recommends using at least Firewall Admin version 10.0.0. You can download this version here:

Who Can Update to Firmware Release 10.0.0

Read the Migration Notes 10.0.0 before updating to firmware 10.0.0.

For more information on the migration process, see the 10.0.0 Migration Notes.

Update Information for 10.0.0 

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Will Become Obsolete in an Upcoming Release (after 10.0.0)

CGA Proxy

The CGA Proxy will be phased out in an upcoming release.

CudaLaunch & SSL-VPN

CudaLaunch and SSL-VPN will be phased out in an upcoming release and will be replaced with SecureEdge Access.

Features that Are No Longer Included in this Version 10.0.0

If you require one of the listed features, do not update to this firmware version!

SF Licensing

Old SF licensing is no longer supported and has been phased out.

Cloud Deprecations

The following features are no longer part of the 10.0 firmware release:

  • AutoVPN

  • Metered billing

  • Azure Security Center Support

ClamAV

ClamAV has been removed in firmware 10.0.

M30 Modem

The M30 modem is no longer supported.

OMS Agent, Azure Log Monitor Agent

The OMS Agent and the Azure Log Monitor Agent have been replaced with Azure Log API.

Branch Office Box VPN Compression

The “BoB” Branch Office Box VPN Compression is no longer supported by release 10.0.

New Features in Version 10.0.0 

As a major release, version 10.0.0 contains new features:

New Hardware

New hardware models F800 Rev. D and F900 Rev. C are now available.
For more information, see:

New Hardware Options for F1000

New services and scripts to mount/unmount an additional SSD to the F1000 have been incorporated.

If a new SSD is installed on an F1000, the state of the additional installed SSD is displayed with the label Additional SSD on the DASHBOARD.

Rocky Linux

The underlying operating system is now Rocky Linux. As of firmware release 10.0, Rocky Linux comes with Podman version 5.2.2 and provides out-of-the-box container support.

Edge Computing

Edge Computing is a new approach to increase edge security on the CloudGen Firewall by eliminating the need for additional infrastructure. For this, Edge Computing on the CGF allows you to run applications directly on the firewall while keeping communication latencies at a minimum and maintaining the overall security provided by the firewall.

The Barracuda CloudGen Edge Computing feature provides the option of running container technology to a certain extent on the firewall. For this, Edge Computing supports the Open Container Initiative (OCI) standard by allowing organizations to run almost any OCI-compliant application.

For more information, see Edge Computing.

Box Recovery - New Install (ART)

The new Box Recovery tool expands the present feature and is available as part of firmware version 10.0. It can be used on specific appliances starting with a certain serial number and lets you recover the firewall to a specific firmware version that has previously been backed up interactively as a ‘last known working firmware version’.

For more information, see Extended Options for the ART Recovery Technology.

Barracuda Firewall Admin

The Barracuda Firewall Admin user interface has been significantly improved to bring more clarity and comfort. These improvements include the following:

  • Firewall Admin is now snappier and more responsive.

  • The configuration tree has been reworked and now provides a new filter.

  • On the Control Center, Barracuda Firewall Admin now shows the content of a configuration window to the right of the configuration tree as an alternative to replacing the configuration tree with the selected configuration view.

  • Some features have been relocated to new positions in the tree, i.e., Certificate/Key Store.

  • On a Control Center, the large list view to the right of the configuration tree now displays the tabs Boxes and Service. The tab Server is no longer available.

  • The column names in some views have been consolidated based on their identical meaning.

  • Some larger list views on the Control Center now contain columns showing specific states of certain features, e.g., Box Recovery.

  • The DASHBOARD now shows new elements as a result of new features, e.g., Edge Computing.

Barracuda Cloud CGF

It is now possible to configure a provider on the management interface if this is the only interface configured on the CGF. This allows you to configure a TINA transport using the management interface on CGF appliances that have only one interface. This is often the case for CGF deployed in the cloud.

Certificate Store

The Certificate Store has been extended to a Certificate/Key Store. The Certificate and Key Store is available on unmanaged boxes and on the Control Center on the Global, Range, and Cluster level.

The REST API for the Certificate/Key Store has been massively extended. Certificates and keys can be added, updated, deleted, and rotated:

  • On a Control Center

    • GET /rest/cc/v1/config/ranges/{range}/store/certificates

    • POST /rest/cc/v1/config/ranges/{range}/store/certificates

    • GET /rest/cc/v1/config/ranges/{range}/store/certificates/{name}

    • PUT /rest/cc/v1/config/ranges/{range}/store/certificates/{name}

    • DELETE /rest/cc/v1/config/ranges/{range}/store/certificates/{name}

    • GET /rest/cc/v1/config/ranges/{range}/store/keys

    • POST /rest/cc/v1/config/ranges/{range}/store/keys

    • GET /rest/cc/v1/config/ranges/{range}/store/keys/{name}

    • PUT /rest/cc/v1/config/ranges/{range}/store/keys/{name}

    • DELETE /rest/cc/v1/config/ranges/{range}/store/keys/{name}

    • GET /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/certificates

    • POST /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/certificates

    • GET /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/certificates/{name}

    • PUT /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/certificates/{name}

    • DELETE /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/certificates/{name}

    • GET /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/keys

    • POST /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/keys

    • GET /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/keys/{name}

    • PUT /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/keys/{name}

    • DELETE /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/store/keys/{name}

    • deprecated API endpoints on Control Centers:

      • GET /rest/cc/v1/config/global/certificates

      • GET /rest/cc/v1/config/global/certificates/{name}

  • On a single box:

    • GET /rest/config/v1/box/store/certificates

    • POST /rest/config/v1/box/store/certificates

    • GET /rest/config/v1/box/store/certificates/{name}

    • PUT /rest/config/v1/box/store/certificates/{name}

    • DELETE /rest/config/v1/box/store/certificates/{name}

    • GET /rest/config/v1/box/store/keys

    • POST /rest/config/v1/box/store/keys

    • GET /rest/config/v1/box/store/keys/{name}

    • PUT /rest/config/v1/box/store/keys/{name}

    • DELETE /rest/config/v1/box/store/keys/{name}

    • deprecated API endpoints on unmanaged firewalls:

      • GET /rest/config/v1/box/certificates

      • GET /rest/config/v1/box/certificates/{name}

  • The Certificate/Key Store shows the date of the last certificate/key rotation.

  • Event notifications can be configured for certificate/key rotation.

  • Keys can be referenced as private or public key.

  • If both keys of a site-to-site VPN tunnel are managed on the same Control Center, the keys of the tunnel can be rotated transparently in a bulk action.

Control Center

The Control Center now provides the option for using repository links for VPN Settings and VPN GTI Settings.

Firewall

GEO IP restrictions have been added as an additional option in the host firewall ruleset.

Multicast Routing

A new multicast daemon is now part of the OSPF-RIP-BGP service, thus showing up with the new service name OSPF-RIP-BGP-Multicast.

Multicast routing is provided to work with VPN TINA tunnels and with PIM-sparse mode support.

LLDP (Link Layer Discovery Protocol)

LLDP support for passive CGF monitoring has been added to the CGF’s feature set.

For more information, see How to Configure LLDP.

Box Licenses View

The Box Licenses view has been improved to be adjustable.

ConfTemplates
  • As of firmware release 10.0, ConfUnit names are optional in ConfTemplates.

  • It is now possible to create an HA box in the ConfTemplate editor.

  • A configuration option for configuring more than one interface on virtual box models has been added.

  • A configuration option has been added to the CoreConfUnit, which makes it possible to disable autopairing.

REST-API

The REST API has undergone many improvements, including the following:

  • Watchdog settings, ConfUnit CGF Core, ConfUnit/REST-endpoint for log configuration, enabling dynamic DNS in the DHCP link ConfUnit, querying the number of active TCP sessions, disable Barracuda activation, multi-field line field support for remote server certificates, exposing of the REST API service ConfUnit as a general REST endpoint, ConfUnit for network interface cards, REST API endpoints to create/list/remove repositories and repository objects.

Telemetry Improvements

The telemetry system has been improved:

  • On a Control Center, the configuration of telemetry data can now be done top-down, that is, inheriting the parameter settings from Global → Range → Cluster → Box.

  • Telemetry data from managed boxes can be sent via the Control Center to Hubble. The forwarding of telemetry data works as a relay with the options Never Relay, Relay as Fallback, or Always Relay in the case of a failure.

  • It is no longer possible to completely disable sending telemetry data. Instead, starting with firmware 10.0.0, the default value for sending telemetry data will be set to sending all data.

Further Improvements
  • DNS Sinkhole

    • DNS sinkhole events now support resolved hostnames.

  • GeoIP Information

    • GeoIP information has been added to the Firewall and VPN logs next to IP addresses.

  • IKEv2 Site-to-Site Improvements

    • HA State Synchronization (Transparent Failover)

    • Restart SA on close

  • ACS/S2S/C2S Log Improvements

    • ACS, S2S and C2S logs now use consistent session IDs.

    • OS version, client version, and host have been added to ACS and C2S logs.

Licensing

The use of pool licenses (SC or CGF) can now be optionally related to range/cluster scopes.

Split Control Centers
  • The REST API support for Split CCs has been improved.

  • Split CC support has been added to Firewall Admin views (Firmware Update, Config Update, Pool Licensing, Zero Touch, Remote Execution, Config Update).

  • General improvements to handle large setups on the Control Center have been made.

  • It is now possible to use the same range on multiple Control Centers.

  • It is now possible to forward REST API requests from the CC to managed boxes.

VPN
  • VPN Performance – Critical parts of the ACPF engine have been improved (asynchronous encryption and decryption, packet processing) and now provide higher performance for VPN TINA connections.

Resolved Bugs and Improvements in Release 10.0.0

Authentication
  • After deleting a site-to-site tunnel, the authenticated tunnel users are removed from the authentication database. [BNNGF-82820]

  • The shibd has been updated to 64 bit and no longer causes memory issues in SAML. [BNNGF-90627]

  • The firewall authentication daemon now supports EC-signed certificates. [BNNGF-90864]

  • TOTP works again for client-to-site VPN connections. [BNNGF-93153]

  • If a VIP is entered in the remote management tunnel configuration, generating SAML metadata no longer sends traffic into the disabled tunnel. [BNNGF-93928]

  • Checking domains now allows for alternative UPN suffixes to be configured. [BNNGF-94420]

  • The error construct null not valid no longer occurs when using SAML 2.0 authentication. [BNNGF-95548]

  • Access to TCP ports 807 (FWAdmin) and 22 (SSH) is possible for source IPs configured over the support access function of the SecureEdge portal. [BNNGF-95560]

  • Logging in with SSH now works as expected and no longer causes issues with multiple UIDs. [BNNGF-96362]

Barracuda Firewall Admin
  • The IE-based HTML control has been replaced by the Edge-based WebView2 Control in Barracuda Firewall Admin. [BNNGF-69554]

  • The DASHBOARD now shows correct positive values at relevant places. [BNNGF-71622]

  • The user interface and documentation have been updated to reflect the endpoint www.dyndns.org. [BNNGF-85609]

  • The columns Org and Type in the Live, History, and Threat Scan view have been renamed to Origin. [BNNGF-92470]

  • Subnets for Source, Destination, and Source/Destination can now be filtered with new options in the Live and History views. [BNNGF-93176]

  • Jumping to a network object by typing keyboard letters at Firewall Rules > Network Objects now works as expected. [BNNGF-93181]

  • Until version 9.0.x, the shortcut keys were simply <S> or <D>. However, starting from version 10.0.0, you must press <ctrl><S> or <ctrl><D> for these shortcuts to function properly. [BNNGF-93182]

  • The edit field for the Current password is grayed out when entering a password for the first time. [BNNGF-93558]

  • The configuration window for Service Objects now shows Max Ping per second instead of MinDelay. [BNNGF-93653]

  • The <del> key now removes referenced list entries in the access rules. [BNNGF-93885]

  • Deleting services in GTI no longer causes issues in specific situations. [BNNGF-94125]

  • Custom Box Descriptors are now part of the Remote Execution view. [BNNGF-94226]

  • Pressing the ESC key no longer deletes locked GTI configurations but only closes pop-up windows as expected. [BNNGF-94238]

  • The certificate store now supports key rotation. [BNNGF-94475]

  • The menu entry Disabled has been removed from the pop-up menu Share Telemetry Data from the bulk editor. [BNNGF-95302]

  • The context menu for SSL-VPN tunnels now works as expected. [BNNGF-95371]

  • Multi-selection is now allowed for licenses in Firewall Admin. [BNNGF-95522]

  • Barracuda Firewall Admin now supports Microsoft’s webview2/edge technology. [BNNGF-95525]

  • Barracuda Firewall Admin no longer freezes in specific situations. [BNNGF-95765]

  • Network Objects can now be used for configuring DNS records. [BNNGF-95902]

  • ::/0 can now be used as a VPN peer IP network address. [BNNGF-96119]

  • The number of transports shown in the SD-WAN summary widget can now be adjusted. [BNNGF-96125]

  • Barracuda Firewall Admin no longer performs unresponsively in specific situations. [BNNGF-96127]

  • Barracuda Firewall Admin no longer crashes in the Network config node after updating Site Specific Addresses. [BNNGF-96196]

  • The Licensees comment fields now keep their values as expected. [BNNGF-96409]

  • Role filters for the CC Admin tab now work as expected. [BNNGF-96814]

  • Barracuda Firewall Admin no longer crashes when closing the Firewall tab after looking at the local/special rules in the Live view. [BNNGF-97189]

  • The underscore character (‘_’) is now allowed in event notifications of Teams Webhook URLs. [BNNGF-97302]

  • In setups with more than one transport per class, FW Admin now sets priority correctly. [BNNGF-97888]

Barracuda OS
  • Cumulated logs are now written correctly. [BNNGF-70674]

  • Extensive logging has been added related to triggering of events and sending notification emails. [BNNGF-82827]

  • Firewall authentication no longer consumes 100% CPU. [BNNGF-86657]

  • Timestamps are now processed with 64 bit at all relevant places in the firewall. [BNNGF-87020]

  • Performing a rollback due to a timed-out network activation now sends correct output messages. [BNNGF-87981]

  • The IPv6 prefix list filter has been updated and now shows all options correctly. [BNNGF-88385]

  • It is now allowed to add route maps to the BGP service defined networks. [BNNGF-88703]

  • Route maps are now allowed to be redistributed. [BNNGF-88705]

  • GeoIP information is now included in the audit trail (including audit log, syslog, ipfix, etc.). [BNNGF-90370]

  • It is now possible to use a certificate signed by an intermediate certificate. [BNNGF-90373]

  • Automatic certificate and SSH key rotation for CC-managed boxes have been implemented. [BNNGF-90380]

  • The default route is no longer disabled when the public IP address from the SecureEdge gateway is not reachable with ICMP. [BNNGF-90802]

  • The parameters Workspace Count and Workspace Modified Timestamp have been added to the Telemetry system. [BNNGF-90983]

  • SE TLS Inspection policies now use TLS 1.2 as the minimum version. [BNNGF-92514]

  • The box serial on pool-licensed boxes with standard HW is written into the filebeat.yml config file as expected. [BNNGF-92974]

  • LLDP (Link Layer Discovery Protocol) support for passive CGF monitoring has been added to the CGF’s feature set. [BNNGF-93217]

  • The HA startup behavior can now be controlled by a new setting in Infrastructure Services > Control > Monitoring Policy > Active HA Partner Preference. [BNNGF-93506]

  • The LLDP (Link Layer Discovery Protocol) daemon has been added to firmware release 10.0. [BNNGF-94155]

  • The issue of incorrectly reported port numbers for cumulative entries has been fixed. [BNNGF-94170]

  • The ipsecdyn.db no longer fills the root partition unexpectedly. [BNNGF-94199]

  • Macmon integration now works as expected. [BNNGF-94460]

  • Configured administrators are now notified before the high watermark for event entries in the CC is reached. [BNNGF-94540]

  • A transfer network has been added as an additional network object into the BOX-LAN-2-INTERNET rule. [BNNGF-94624]

  • GRE tunnels with SharedIP allow configuring target networks. [BNNGF-94738]

  • DSA SSH keys are no longer supported. [BNNGF-94751]

  • The TLS parser no longer runs into endless loop states in specific edge cases. [BNNGF-94819]

  • The firmware update from 8.3.x to 9.0.2 no longer removes subdirectories and files from /var/phion/home/csadmin. [BNNGF-94829]

  • Creating the system report works as expected. [BNNGF-94991]

  • In the GRE config, it is now possible to set option Active to no, which will lead to ignoring the GRE configuration. [BNNGF-95000]

  • The first event will now create a notification as expected even if the event has not been confirmed yet. [BNNGF-95079]

  • OpenSSL has been updated to version 3.0.15. [BNNGF-95096]

  • The application rules are applied as expected after updating a firewall to 9.0.2, which runs an HTTP proxy. [BNNGF-95116]

  • OpenSSL no longer crashes when using (lock-free) VPN packet processing mode. [BNNGF-95179]

  • The MS Teams notification on the CGF now uses adaptive cards 1.5 and works with the new MS Teams workflow template 'Post to a channel when a webhook request is received'. [BNNGF-95336]

  • Web logs now show all log entries correctly. [BNNGF-95339]

  • The Notification Test function for System Email Notification at CONFIGURATION > Administrative Settings > Notifications now works as expected. [BNNGF-95447]

  • Error messaging has been improved for certificate CRL revocations. [BNNGF-95460]

  • Reachable IPs now work as expected after sending changes in Firewall Admin. [BNNGF-95558]

  • System recovery now works as expected. [BNNGF-95571]

  • The bond interface now switches the MAC as expected upon a failover if the bond interface is configured with VLAN as management interface and if more VLANs with shared IPs are active. [BNNGF-95730]

  • The system report now works as expected. [BNNGF-95777]

  • VMACs are now handled correctly on an F380B. [BNNGF-95786]

  • The typo in the ruleset migration script has been fixed and no longer prevents the activation of new rules. [BNNGF-95908]

  • Reachable IPs now work as expected after sending changes in Firewall Admin. [BNNGF-95929]

  • Downloading PDF files works as expected when AV is disabled. [BNNGF-95934]

  • The name-length issue for boxname and servername has been fixed and no longer causes HA sync failures. [BNNGF-95944]

  • The service.conf file is no longer broken when the HA partner performs a hard reset. [BNNGF-96045]

  • For new VIP networks, the setting Enable IPv4 is now active by default. [BNNGF-96100]

  • Disabling a named admin no longer causes issues in specific situations. [BNNGF-96113]

  • The ‘#’ character can now be used in PPPoE authentication. [BNNGF-96166]

  • When a box performs an update, the configured time zone is considered as expected. [BNNGF-96231]

  • A performance issue affecting local-out sessions over a bridge has been fixed. [BNNGF-96241]

  • The TTL value for sinkholed DNS entries has been adjusted for a proper handling of client access to a DNS sinkholed address. [BNNGF-96299]

  • The configuration and related scripts for the M30 modem have been removed. [BNNGF-96455]

  • IPS no longer crashes in specific situations. [BNNGF-96472]

  • The list of usable NICs has been updated. [BNNGF-96476]

  • The URLs for Azure data centers have been updated and made configurable. [BNNGF-96496]

  • PPPoE no longer experiences accidental changes of route preferences in specific situations. [BNNGF-96517]

  • OMS is no longer supported and its support in the firmware has been removed. [BNNGF-96528]

  • The support for the Azure Monitor Agent and its connected resources has been removed. [BNNGF-96529]

  • The support for the Azure Monitor Agent and its connected resources has been removed. [BNNGF-96532]

  • An issue that caused crashes in conjunction with the LAN-2-VPN firewall rule in the special ruleset has been fixed. [BNNGF-96572]

  • Reading the routes on a box with REST now works as expected. [BNNGF-96647]

  • Using an IPv6 link local address for the gateway route now works as expected. [BNNGF-96688]

  • The automatic license download on standard hardware now works as expected. [BNNGF-96691]

  • Extensive route introduction no longer causes reintroduction of existing routes. [BNNGF-96849]

Cloud Azure
  • The OMS Agent has been replaced with the Azure Monitor. [BNNGF-89300]

  • AutoVPN, metered billing, and the support for the Azure Security Center are no longer provided for the Cloud. [BNNGF-90224]

  • The routes on the DHCP interfaces are now introduced correctly with a metric of 65533 and 65534. [BNNGF-94418]

  • CEF stream logs are disabled by default. [BNNGF-95085]

  • DNS now works again so that the OMS agent can now connect or stream as expected. [BNNGF-95310]

  • The OMS agent no longer unexpectedly fails after updates. [BNNGF-95311]

  • HA clusters no longer crash every 12-24 hours in specific situations. [BNNGF-96462]

Control Center
  • Policy Profiles are functional as expected after migrating a cluster and all firewalls from 8.3. to 9.0.x. [BNNGF-93256]

  • If a session is started in a CC parent-to-child setup, the session limit is adjusted accordingly. [BNNGF-93364]

  • Site Specific Objects now work as expected. [BNNGF-93731]

  • IPS pattern IDs are now displayed correctly on the Control Center. [BNNGF-94174]

  • Cluster migration now works as expected when copying/moving boxes. [BNNGF-94730]

  • The Control Center now supports configuration of telemetry for managed boxes. [BNNGF-95306]

  • Selected/configured Site-Specific Objects are now shown correctly on Connection Objects > Details. [BNNGF-95836]

  • When copying/moving a VPN service, updating names now works correctly. [BNNGF-95867]

  • High performance settings for UDP & TCP transports are not supported in GTI and are therefore made inaccessible in the site-to-site configuration. [BNNGF-96210]

  • VPN status is now updated as expected in the CC status map. [BNNGF-96215]

  • The lock status for Global Objects is now reported with error code 409. [BNNGF-96569]

DHCP
  • The DHCP service no longer fails in specific situations. [BNNGF-94815]

  • The DHCP link is no longer torn down frequently. [BNNGF-94859]

DNS
  • Dynamic DNS updates (RFC 2136) now work as expected with SecureEdge Access. [BNNGF-94891]

  • Configurations are validated before they are applied. [BNNGF-96792]

  • Duplicate forwarded domain entries are no longer possible for the same domain. [BNNGF-96797]

Edge Computing
  • The CGF now supports running containers on the firewall. [BNNGF-55504]

  • The Enabled/Disabled status for the new Edge Computing container service has been added to the minimal dataset for Telemetry Data. [BNNGF-94088]

Firewall
  • App block details are now reported correctly in the activity log related to its rulename. [BNNGF-93069]

  • SecureEdge Access can access resources behind SecureEdge Appliances as expected. [BNNGF-93086]

  • When the connection goes down, no failover or connection cycling happens if the failover policy is set to None for a connection object. [BNNGF-93567]

  • Multiple definitions have been added to web apps (YubiKey, outlook.com, Microsoft services, some TikTok hosts, some OCSP hosts). [BNNGF-94881]

  • Custom network applications now prefer a more specific IP/network over a layer 4 protocol. [BNNGF-94900]

  • LIN and App redirect traffic is now sent correctly to XDR. [BNNGF-95111]

  • GitHub domains have been added to main applications. [BNNGF-95808]

  • App Control no longer causes large download volumes in specific situations. [BNNGF-95933]

  • Application-based Provider Selection no longer advertises an MSS that is too large. [BNNGF-96305]

  • Specific HTTP traffic is now detected as the correct app. [BNNGF-96354]

  • In rare cases the firewall crashed during FTP protocol evaluation. This issue has been fixed. [BNNGF-96680]

  • The action of the UserAgentDefault policy rule in the default ruleset has been changed from Block Nothing to Allow All. Affected rules will be migrated accordingly. [BNNGF-96998]

  • The AppID engine has been updated to version 25.05.09. [BNNGF-97208]

Hardware
HTTP Proxy
  • HTTP upgrade request protocols can now be configured in the user interface for the proxy. [BNNGF-94285]

  • Rebuilding the proxy cache now works as expected. [BNNGF-94415]

  • Issues with ICAP timeouts in the reverse proxy no longer appear in specific situations. [BNNGF-95329]

  • The HTTP proxy has been updated to version 6.12. [BNNGF-95376]

  • The HTTP proxy no longer crashes on reconfigurations. [BNNGF-96627]

Licensing
  • CC-managed CGF appliances using a pool license can now be enrolled in SecureEdge. [BNNGF-95260]

REST
  • The REST interface for .../box/net/interfaces now converts netmasks in CIDR notation as expected. [BNNGF-80190]

  • The /live REST endpoint now returns the correct number of active TCP sessions. [BNNGF-82218]

  • A new REST endpoint has been created as the ConfUnit. [BNNGF-82787]

  • The length of service names for REST is limited to 40 characters. [BNNGF-93241]

  • The vendor ID parameter has been added to the DHCP subnet ConfUnit. [BNNGF-94038]

  • Explicit interface support for DHCP subnets in DHCP ConfUnits has been added. [BNNGF-94040]

  • The ‘@’ character is now allowed in the login name field of the API for a firewall user object. [BNNGF-94653]

  • Log query parameters correctly decode URL-encoded parameters. [BNNGF-95178]

  • Handling of the REST endpoint for Network Objects has been sped up. [BNNGF-96092]

  • The lock status for Global Objects is now reported with error code 409. [BNNGF-96093]

  • REST API calls no longer cause firewall crashes in specific situations. [BNNGF-96755]

  • The REST endpoint now also returns the secondary IPs as expected. [BNNGF-97190]

Virus Scanner
  • Avira licensing has been updated. [BNNGF-91481]

  • The virus scanner no longer causes issues in specific situations. [BNNGF-93159]

  • ATP quarantine now works as expected (HTTP/2). [BNNGF-96122]

VPN
  • VPN tunnels now work as expected after configuration changes for the VPN tunnel. [BNNGF-91332]

  • Setting up a management tunnel with IPv6 works as expected. [BNNGF-92706]

  • The VPN service no longer crashes unexpectedly in specific situations. [BNNGF-92711]

  • IKEv2 state synchronization is now possible for HA boxes to support transparent failovers. [BNNGF-93505]

  • The configuration lookup for the settings of dynmesh tunnels and high performance mode now works correctly after updating a Control Center to firmware 9.0.1 and migrating a cluster to 9.0. [BNNGF-93622]

  • TINA transport classes can now be configured with policies. [BNNGF-93658]

  • TINA site-to-site tunnels now work as expected with UDP transports. [BNNGF-93769]

  • Client-to-site connections with usernames containing the authentication scheme no longer crash IKE3. [BNNGF-93855]

  • IKE3 no longer crashes when connecting with client-to-site after an update to 8.3.3. [BNNGF-94143]

  • IKEv2 site-to-site tunnels are no longer unexpectedly removed in specific situations. [BNNGF-94399]

  • The Linux VPN client no longer crashes with a buffer overflow in specific situations. [BNNGF-95164]

  • When updating to firmware 9.0.4 or 10.0.0, the transport without a provider will remain in the state of the configuration. [BNNGF-95184]

  • A conditional fallback for VPN to port 443 has been implemented. [BNNGF-95712]

  • Transport Source from Device now prioritizes Shared IPs over other valid and active IP addresses suitable for binding to VPN. [BNNGF-96132]

  • An issue in the Access Control service has been fixed so that the health agent now recognizes BitLocker as part of WCS. [BNNGF-96169]

  • SOCKS support for VPN is no longer provided. [BNNGF-96381]

  • When configuring a TINA site-to-site tunnel, the Explicit option is allowed again. [BNNGF-96573]

  • It is now possible to conditionally enable port 443 as a fallback for VPN. [BNNGF-96620]

  • Packet chunking is now configurable for site-to-site VPN. [BNNGF-96744]

  • The VPN server no longer causes unexpected memory issues in specific situations. [BNNGF-96816]

  • An issue has been fixed where pre-allocated SPI structures in the VPN server were not being properly released due to incorrect error handling. [BNNGF-96820]

  • TINA transports are now established as they are configured. [BNNGF-97001]

  • Bulk transports no longer get removed on managed boxes in case of a GTI tunnel and multiple transports. [BNNGF-97261]

All 10.0-Related Ticket Overview

As of firmware release 10.0, more than 2000 tickets have been resolved.

For more information, see List of Tickets Solved until Release 10.0.0.

feature-related.png

Resolved CVEs in Release 10.0.0

For more information on CVEs, see CVE Overview for Barracuda CloudGen Firewall.

know_issues_tiny.png

Known Issues in Release 10.0.0

  • Authentication – After the firmware update to 9.0.2, SAML authentication no longer works for C2S VPN. This is likely an issue when using Barracuda Firewall Admin 8.3.3 after migrating to release 9.0.2.
    Workaround: Select the check box Enable SAML support in the VPN Client to Site configuration. See https://campus.barracuda.com/doc/170820079/ [BNNGF-94611]

  • Barracuda Firewall Admin – The configuration for TINA site-to-site transports is broken for 8.3 and older firmware versions. A hotfix for Firewall Admin 9.0.4 and 10.0 will be provided soon. [BNNGF-97899]

  • Barracuda OS – After a new customer QoS profile has been created and assigned to a physical interface, this profile will be automatically overwritten by the simple QoS band when performing HA_Failover or deleting the VPN tunnel assigned to this physical interface. [BNNGF-90831]

  • Barracuda OS – When using virtual MAC addresses and shared IPs on the management interface at the same time, an HA pair will run into a split brain issue after a reboot of the passive box. An EA version of a fix for 9.0.4 is available. [BNNGF-96724]

  • Barracuda OS – SNMP does not currently indicate the issue if a power supply unit (PSU) is down. [BNNGF-95463]

  • Barracuda OS – On a 9.0 cluster of a 10.0.0 Control Center, if a shared or static network is deactivated, the corresponding auto-created route is not deactivated automatically. It must be deactivated manually. [BNNGF-95929]

  • Barracuda OS – The Firewall Activity and Firewall Threat Logs cannot be sent correctly in CEF format to an Azure Analytics Workspace using the Azure Log Analytics daemon. [BNNGF-97924]

  • Barracuda OS – The ISO download does not work on unmanaged, updated boxes. [BNNGF-97961]

  • CudaLaunch – iPad Pro devices with a MagicKeyboard cause issues. [BNNGF-95273], [BNNGS-4004]
    Workaround: The issue is caused by iOS 18.0.1 and can be resolved by upgrading iOS to its newest version.

  • Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported. [BNNGF-74540]
    Workaround: Blocking UDP/443 makes clients fall back to TCP, where the application traffic can then be inspected.

  • REST – Currently, the endpoints for rulesets are disabled for policy rulesets. [BNNGF-94123]

  • SSL-VPN and CudaLaunch – Shared folders and files are no longer accessible via CudaLaunch if the name of the shared folder or file contains a blank space. [BNNGS-3970]
    Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20.

  • VPN – A TINA transport configured as FallBack or OnDemand is kept up and connected to the peer permanently. [BNNGF-97923]