Single licenses for the NextGen Firewall F-Series and Control Center are bound to the MAC address of the first network interface.
Barracuda NextGen Firewall F-Series Base Licenses
The F-Series Firewall base license gives you a next-generation firewall with the following features:
- Application Control reporting
- SSL Interception (available on all models, except F10 and F100)
- WAN optimizations (compression, Traffic Intelligence, QoS, Data Caching)
- Unlimited number of VPN clients (Client-to-Site Barracuda TINA and IPsec VPN)
You can purchase the F-Series Firewall in three different versions:
Base License Type | Installed On | License Bound to |
---|---|---|
Hardware License | NextGen Firewall F-Series hardware appliance | |
Virtual License | | |
Cloud License - Azure | | |
Cloud License - AWS | | |
Software License (legacy phion customers only) | Standard Hardware | |
Hardware Appliances
A NextGen F-Series Firewall or Control Center hardware appliance is bound to a license on activation. If the appliance must be replaced (RMA), the existing license will be transferred to the replacement unit.
There are no capacity restrictions for hardware appliances. The only restriction is the system performance of the hardware itself. An unlimited number of protected IP addresses, SSL VPN users, and HTTP proxy users (AV+Webfilter) are included. SSL VPN and SSL Interception are included with every F-Series Firewall, except for the F10, VF10, F100, and F101 models.
Virtual Systems
Virtual systems are classified by a "capacity" number in the model name, which defines the number of protected Firewall IPs, SSL-VPN users, VPN users, and HTTP Proxy users (Virus scanning and NG Web Filter). This number is enforced for all smaller models of the virtual appliance (NextGen Firewall VF10 - VF500). NextGen Firewall VF1000 to VF8000 do not set a software limit to the number of protected IP addresses; the capacity number still applies as a sizing recommendation. Depending on the model number, they are also limited by the number of CPU cores that can be used. You must assign the correct number of CPU cores to your NextGen Firewall or Control Center Vx. If you assign more CPU cores than covered by the license, the license state will be displayed as expired.
Legacy phion licenses do not distinguish between virtual and hardware licenses and also differ from Barracuda VF licenses. Users behind the HTTP proxy service and Client-to-Site VPN users are not factored into the capacity number. Legacy phion licenses require an additional license for Client-to-Site VPN.
If you cannot adjust the number of CPU cores in your hypervisor, it might be necessary to configure the bootloader to use the number of licensed CPU cores. For more information on how to configure the bootloader, see How to Configure the Bootloader. The following table displays the capacity and the number of CPU cores for each NextGen Firewall Vx:
Model | Capacity | Licensed Number of CPU Cores |
---|---|---|
VF10 | 10 | 1 |
VF25 | 25 | 2 |
VF50 | 50 | 2 |
VF100 | 100 | 2 |
VF250 | 250 | 2 |
VF500 | 500 | 2 |
VF1000 | unlimited | 2 |
VF2000 | unlimited | 4 |
VF4000 | unlimited | 8 |
VF8000 | unlimited | 16 |
Public Cloud Systems
F-Series Firewalls deployed in the Amazon AWS or Microsoft Azure public clouds are not restricted to a capacity. Performance is only limited by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc.), you must have an active Energize Updates subscription.
Microsoft Azure and Amazon AWS Pay-As-You-Go Licenses
You can choose to pay an hourly rate for the public cloud F-Series Firewall. The pay-as-you-go license is generated and bound to the VM or Instance on the first boot. The Pay-As-You-Go license includes the following services:
- Forwarding Firewall
- VPN Service
- All services included in the Basic Remote Access Subscription
- All services included in the Premium Remote Access Subscription
- SSH Proxy
- DNS
- DHCP
- DHCP Relay
- FTP Gateway
- Dynamic Routing
- (If managed by a Control Center) Distributed Firewall
Microsoft Azure Instance sizes:
- Level 2 – Small (1 core, 1.75GB memory)
- Level 4 – Medium (2 cores, 3.5GB memory)
- Level 6 – Large (4 cores, 7GB memory)
- Level 8 – Extra Large (8 cores, 14GB memory)
Amazon AWS Instance sizes:
- Level 2 – m1.small (1 vCPU core)
- Level 4 – c1.medium (2 vCPU cores)
- Level 6 – m1.xlarge (4 vCPU cores)
- Level 8 – c1.xlarge (8 vCPU cores)
Cold Standby Licensing
For redundancy, you can purchase an F-Series Firewall without a license and use it as a cold standby replacement. If the production unit fails, contact Barracuda Networks Technical Support to transfer the license to the standby unit and continue normal operations.
Subscription Licenses
In addition to the base license, you can add the following subscriptions to use your firewall to its fullest extent.
Barracuda Energize Updates
This license is mandatory for the first year, for every F-Series Firewall. The following features are included with Barracuda Energize Updates:
- 24x5 technical support.
- Application Control 2.0
- Firmware updates
- Application Control 2.0 definition updates
- IPS/IDS engine and signature updates
- Barracuda Web Filter
- SSL-VPN Web Forward template updates
- File Content definition updates
Malware Protection
Enables the Virus scanner service. This license is available for all F-Series Firewalls except F10 and VF10.
Advanced Threat Detection
Enables ATD. A malware subscription license is required. The number of files you can upload per hour and per month is limited, depending on your firewall model. The number of files scanned is counted in the Barracuda ATD Cloud. If the local counter on your Firewall is reset, i.e., by reinstalling the OS, the local counter will be out-of-sync for the rest of the month. Limits still apply.
Model | Burst Limit (files/min) | Files per Month |
---|---|---|
F18, F80, F180, F200, F201, F300, F301 | 5 | 108 000 |
F280 | 10 | 216 000 |
F380 | 12 | 260 000 |
F400 | 15 | 324 000 |
F600 | 25 | 540 000 |
F800 | 35 | 750 000 |
F900 | 50 | 1 000 000 |
AWS/Azure Level 2 | 5 | 108 000 |
AWS/Azure Level 4 | 10 | 216 000 |
AWS/Azure Level 6 | 15 | 324 000 |
AWS/Azure Level 8 | 35 | 750 000 |
VF25 | 2 | 43 200 |
VF50 | 5 | 108 000 |
VF100 | 10 | 216 000 |
VF250 | 15 | 324 000 |
VF500 | 20 | 432 000 |
VF1000 | 25 | 540 000 |
VF2000 | 30 | 648 000 |
VF4000 | 35 | 750 000 |
VF8000 | 50 | 1 000 000 |
Legacy SSL VPN and Access-Control-Server-Based NAC
Enables the SSL VPN and classic policy-server-based NAC service. Includes unlimited concurrent SSL VPN sessions and one CudaLaunch session.
Barracuda Remote Access Basic
Enables the SSL VPN service and NAC support. For F-Series Firewalls deployed in Azure/AWS, this subscription is included in the Energize Updates subscription. Remote Access subscriptions are available for NextGen Firewall F80 and larger as well as all NextGen Firewall Vx models.
Included SSL-VPN Features
- Browser-based access via desktop and mobile portals.
- SSL-VPN-based server-side NAC
- VPN Templates for SSL VPN
Included Network Access Client Features
- Windows Personal FW
- Windows Health Check via Access Control Service.
User Session Limits
- Unlimited concurrent SSL VPN user sessions.
- One concurrent Client-to-Site VPN session by the same user.
- One CudaLaunch session.
Barracuda Remote Access Premium
A Remote Access Basic Subscription is included in the Remote Access Premium subscription. Remote Access subscriptions are available for NextGen Firewall F80 and larger as well as all NextGen Firewall Vx and public cloud models. For PAYG F-Series Firewalls in AWS and Azure, this subscription is automatically included.
Included SSL-VPN Features
- Browser-based access via desktop and mobile portals.
- SSL-VPN-based server-side NAC
- VPN Templates for SSL VPN
Included Network Access Client Features
- Windows Personal FW
- Windows Health Check via Access Control Service.
CudaLaunch
- iOS
- Android
- Central Management of accessible resources and VPN provisioning
User Session Limits
- Unlimited concurrent SSL VPN user sessions.
- Unlimited concurrent CudaLaunch sessions.
- Multiple concurrent Client-to-Site VPN sessions by the same user.
Barracuda NG Web Filter
Enables the Barracuda NG Web Filter service, which can use both online and offline databases.
Barracuda NG Web Security
Enables the Barracuda URL Filter service, and can use both online and offline databases and the antivirus service.
Instant Replacement Service
Instant replacement service includes the following features:
- Replacement unit shipped next business day.
- 24x7 technical support.
- Hardware refresh every four years.
Barracuda Web Security Service
To use Barracuda Web Security Service, an additional subscription is required. For more information, see How to Configure the Barracuda Web Security Service.
NextGen Control Center Licensing
Barracuda NextGen Control Center licenses scale by the number of F-Series Firewalls that can be managed by the Control Center. The High Availability license is included with the VC820 Global Edition model and can be purchased as an add-on for all other models.
Model | System Type | Number of Managed Firewalls | Tenants (Ranges) | Configuration Groupings (Clusters) | HA License | Additional Tenants |
---|---|---|---|---|---|---|
C400 | Hardware | Recommendation: 20 | 1 | 1 | Optional | n/a |
VC400 | Virtual | Recommendation: 20 | 1 | 1 | Optional | n/a |
C610 | Hardware | Recommendation: 200 | 1 | No limit | Optional | n/a |
VC610 | Virtual | Recommendation: 200 | 1 | No limit | Optional | n/a |
VC820 | Virtual | Recommendation: 1000+ (only limited by hardware) | 5 (additional tenants optionally available) | No limit | Included | Optional |
Next Steps
To install the NextGen Firewall F-Series or Control Center licenses, see: