In these Release Notes:
GPL Compliance Statement
This product is in part Linux-based and contains both Barracuda Networks proprietary software components and open source components in modified and unmodified form. Some of the open source components included underlie either the GPL or LGPL, or other similar licensing, which require all modified or unmodified source code to be made freely available to the public. This source code is available on http://source.barracuda.com.
Hotfixes Included with Barracuda NG Firewall Version 6.1
- Hotfix 663: Security Fix for GHOST Vulnerability
- Hotfix 678: Barracuda URLfilter Service Timeouts
- Hotfix 679: BGP Fixes
- Hotfix 670: HTTP/HTTPS Stability and Performance Improvements and AV Performance on Barracuda NG Firewall F100/F101.
What´s New in Barracuda NG Firewall Version 6.1
Dynamic Mesh VPN
A Dynamic Mesh VPN network allows you to use the advantages of a fully meshed network without having to provide the resources needed for the large number of static VPN tunnels on every unit. Dynamic tunnels between remote Barracuda NG Firewalls are triggered when traffic is relayed by the VPN hub. If the dynamic tunnel is idle, it is automatically terminated. This whole process is completely transparent to the user.
For more information, see Dynamic Mesh VPN Networks.
Add VPN Routes to Main Routing Table
You can now configure the VPN service to add the VPN routes to the main routing table.
Enforcing Safe Search in the Firewall
Protect users behind a Barracuda NG Firewall from undesired content in search results by enabling Safe Search for the access rules handling web traffic. No configuration is required on the clients. The necessary parameters are automatically appended to the URL when the request is forwarded by the Barracuda NG Firewall. Safe Search is supported for Google, Bing, and Yahoo search engines.
For more information, see How to Enforce Safe Search in the Firewall.
Enforcing YouTube for Schools in the Firewall
The Barracuda NG Firewall can transparently add YouTube for Schools restrictions for all connections the Barracuda NG Firewall forwards to YouTube without the need to configure the clients. YouTube for Schools is configured directly in the access rules matching HTTP and HTTPS traffic connecting to YouTube.
For more information, see How to Enforce YouTube for Schools in the Firewall.
Custom Block Pages
You can customize the block pages for Virus Scanner, URL Filter, Application Control 2.0, and SSL Interception when used in combination with the Forwarding Firewall Service. Each page has a predefined list of placeholder objects that are replaced on-the-fly by the Barracuda NG Firewall when the block page is delivered to the client. HTTP connections blocked by a Deny or Block access rule can be redirected to a HTTP block page. The same feature can also be used to redirect users in the ATD quarantine to the new quarantine page.
URL Filter Warn and Continue
Each URL category in the URL Policy object can be configured to redirect the user to the customizable URL Filter Warning page. After clicking Continue the user is allowed to view the website. This action is logged.
For more information, see How to Create an URL Filter Policy Object.
WiFi AP Authentication
The Barracuda NG Firewall can authenticate users by using the authentication information from Aerohive and Ruckus wireless access points.
For more information, see How to Configure WiFi AP Authentication.
Schedule objects are used as an additional matching criteria to restrict access rules to specific times and intervals . Schedule objects can be used in host, access, and application rules and provide time granularity in minutes.
For more information, see Schedule Objects.
SSL VPN Web Forwards Improvements
Create Web Forwards to allow SSL VPN users to access web-based internal applications. There are predefined web forward types for Outlook Web Access and SharePoint servers as well as generic settings that allow you full control over how the web content is rewritten.
For more information, see How to Configure a Generic Web Forward, How to Configure an Outlook Web Access Web Forward and How to Configure a SharePoint Web Forward.
SSL VPN User Attributes
User attributes are placeholder variables used to personalize Web Forwards or to configure single-sign-on authentication. They are created by the admin and filled in by the end user in either the desktop or mobile portal.
For more information, see How to Use and Create Attributes
Single Sign On for Web Forwards
For more information, see How to Configure Single Sign On for Web Forwards.
SSL VPN Self-Provisioning for VPN Templates
The NG SSL VPN service allows the end users to self-provision their VPN client on Windows, OS X or iOS devices. To automatically download and install the configuration, the user must log into one of the NG SSL VPN portals and click the VPN Template provisioning link. VPN Templates can be created for all group policy based Client-to-Site VPN configurations.
For more information, see How to Configure VPN Templates in the SSL VPN.
Barracuda NG Remote App
The Barracuda NG Remote application for Apple iOS provides easy remote access to your Barracuda NG Firewalls and Barracuda NG Control Centers from any place at any time. With the Barracuda NG Remote Application you can:
- Connect via VPN to a Barracuda Networks demo environment to try/test the application.
- Create a connection to one or more Barracuda NG Firewall units via a Barracuda NG Control Center.
- View a Barracuda NG Admin style status map for NG Control Centers and NG Firewalls.
- View general details for a unit (including uptime, license state, activation state, firmware version, and model and serial number).
- View the status of a unit (including server/service control, CPU load, system, network control, events, and licenses).
- View graphics for Box resource usage by memory, data disk usage, and system disk usage.
- View dynamic graphs for allowed sessions, blocked sessions, and bit/sec throughput.
- Perform a unit reboot, services restart, network reconnect, and management tunnel rebuild as remote actions.
- Use full Terminal Access (SSH).
- Enable and disable dynamic access rules (for example, to provide temporary access to a blocked web application).
For more information, see Barracuda NG Firewall Remote.
Upcoming Azure and AWS Pay-As-You-Go Images
In addition to the BYOL image, Azure and AWS pay-as-you-go images will soon be available via the Azure and AWS Marketplaces. This allows you to pay for your NG Firewall on an hourly basis.
For more information, see Licensing.
Barracuda Networks can now inform customers of important issues such as security vulnerabilities or other important messages for your Barracuda NG Firewall. These notifications are displayed in the Message Board element on the Dashboard. Go to Box > Advanced Configuration > Message Board to enable Product Tips.
A new Dashboard element contains all available Hotfixes, Firmware and NG Admin updates for your individual NG Firewall. The element displays dependencies and installed updates and hotfixes as well as detailed information for each download. Go to CONFIGURATION > Configuration Tree > Advanced Configuration > Firmware Update to enable the UPDATES element.
For more information, see DASHBOARD General Page and How to Update the Barracuda NG Firewall or NG Control Center using NG Admin.
Multi-Filter Custom Reports
The newest version of the Barracuda Report Creator added support for multiple entries in the filter element of a custom report. This allows you to create custom report data for multiple users, IP addresses, applications, and URL and Application Categories.
For more information, see How to Create Custom Reports.
Improvements Included in Barracuda NG Firewall Version 6.1
Barracuda NG Admin
- NG Admin no longer shows a pop-up every 5 seconds when port 806 is not accessible on an NG Control Center. (BNNGF-29355)
- Entries in the Entries column for connection objects are now displayed in CIDR notation. (BNNGF-29143)
- NG Admin no longer crashes when opening a trace record. (BNNGF-27752)
- HA firewall session sync no longer causes soft-lockups. (BNNGF-27977)
- Updated OpenSSL to fix several security vulnerabilities (BNNGF-29257)
- Authentication service (phibs) no longer crashes when a large number of file descriptors are used. (BNNGF-28877)
- Updated glibc due to security vulnerability CVE-2015-0235. (BNNGF-28018)
- Updated NTP due to security vulnerabilities CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. (BNNGF-27518)
- Fixed legacy Management Centers download of OPSWAT pattern updates. (BNNGF-29191)
- Added disk monitoring to the box level SNMP service. (BNNGF-28202)
- Added power supply information to the box level SNMP service. (BNNGF-27808)
- The DC client logout timeout is now in hours instead of days and the default timeout is changed to 24h. (BNNGF-28023)
- Updated curl and libcurl due to security vulnerabilities CVE-2014-8150 and CVE-2014-8151. (BNNGF-27645)
- TS client now listens on every box IP address. (BNNGF-29175)
- SSL encrypted syslog streaming now works as expected. (BNNGF-27957)
The SIP Proxy now reacts gracefully when failing to open additional dynamic ports. (BNNGF-29131)
- Updated IP addresses of the URL filter databases in the Barracuda Cloud. (BNNGF-28080)
- Barracuda NG Web Filter updated with new categories. (BNNGF-28811)
- Added a new event to be triggered when the number of DHCP leases is exhausted. (BNNGF-27931)
Dynamic Routing Service
- Propagating additional static VPN routes via OSPF when multiple VPN routes are already propagated now works as expected. (BNNGF-29214)
- Removing the primary route of two redundant BGP routes using special routing tables now works. (BNNGF-29205)
- Fixed various filtering issues for access lists. (BNNGF-28145)
- IPS no longer drops traffic for out-of-window TCP ACKs when in report-only mode. (BNNGF-29062)
- Enabled virus scanning in the firewall for Barracuda NG Firewall F100 and F101. (BNNGF-28909)
- Websites now load as expected when TCP Stream Reassembly is disabled and Virus Scanning in the Firewall is enabled. (BNNGF-27649)
- SSL Interception now works for connections using a one-character CN in its certificate. (BNNGF-27923)
- Updated OpenSSL version used by the HTTP service to fix several security vulnerabilities (BNNGF-29261)
- Virus scanning in the HTTP Proxy now works in combination with the download progress bar. (BNNGF-27136)
- Removed HTTP Proxy service from the default configuration for all Barracuda NG Firewall F100 and F101 models. (BNNGF-28930)
- It is no longer possible to add a certificate that does not match the private key when configuring a reverse proxy with Use SSL set to yes. (BNNGF-27679)
- Entries in the Excluded Domains for SSL Interception now when both the domain with and without pretended dot (.).(BNNGF-28858)
- Source routes for the remote networks are now created as expected on the VPN hub. (BNNGF-29053)
- L2TP clients behind the same NAT device now work as expected. (BNNGF-29476)
- IPsec Site-to-Site connections using NAT traversal no longer drop when a configuration change is made. (BNNGF-27422)
- AES encryption with 192bit key length for TINA tunnel no longer cause kernel panic. (BNNGF-27421)
- Client-to-Site MSAD and OTP (via RADIUS) authentication now work as expected. (BNNGF-29282)
- Removed legacy WANOpt Master VPN setting. (BNNGF-29719)
- Retrieving ATD results now subtracts the time zone correctly. (BNNGF-28326)
- Fixed potential path traversal exploit for files with a malicious folder structure. (BNNGF-27814)
- Added a new X-ALERT-DESCRIPTION header. (BNNGF-29287)
- Disabled and removed ClamAV virus scanning engine for Barracuda NG Firewall F100 and F101. The Avira virus scanning engine is automatically started with the default configuration as a replacement. (BNNGF-28526)
- Activate Content Rewrite is removed from NG Admin and enabled by default for all Web Forwards. (BNNGF-708)
- Web Resources were renamed to Web Forwards. (BNNGS-696)
- Web Forwards with Allowed Hosts now work as expected. (BNNGS-675)
- Mobile Portal Bar Exemptions now checks only for paths in the URL. (BNNGS-673)
- Certificate authentication now works as expected. (BNNGS-671)
- The mobile portal now correctly appends the Launch Path when launching a Web Forward. (BNNGS-615)
- Fixed connectivity issues for Outlook Web Access 2007 Web Forwards. (BNNGS-605)
- Logging into the desktop portal using Safari now works as expected. (BNNGS-536)
- The Settings menu on the desktop and mobile portal is displayed only when needed. (BNNGS-391)
- VPN connections via the Transparent Agent now work as expected when using Barracuda license files. (BNNGF-25705)
- The ticketing database is now synced to the HA partner. (BNNGF-27390)
- Creating a ruleset now works as expected. (BNNGF-29091)
NG Control Center
- Added configuration update icon column to the status page of the NG Control Center. (BNNGF-25426)
Amazon AWS/Microsoft Azure: Installing hotfixes or updates via SSH or NG Control Center is currently not possible. Update directly on the unit over NG Admin instead.
- Virus Scanning in the Firewall: The default MIME types scanned differ for HTTP and HTTPS. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Security Policy and add
application/*to the Scanned MIME Types to scan the same MIME types for HTTP and HTTPS.
- Virus Scanning in the Firewall: File trickling currently does not work for downloads over HTTP.
- Xen HVM: Updating or Installing Xen HVM virtual NG Firewalls or NG Control Centers to version 6.1 is currently not supported.
- SSL VPN: Favorites are not included in the PAR file.
- SSL VPN: Text fields do not accept the
- SSL VPN: The mobile navigation bar is missing from servers entered in the Allowed Hosts.
- SSL VPN: User Attributes do not support UTF-8.
- SSL VPN: The allowed host filter path must be unique.
- WiFi Authentication: In some cases the IP address may be incorrect (0.0.0.0) for the first login of a user. Subsequent logins use the correct IP address.
- Safe Search: In some cases, YouTube safety mode does not work when logged in with a Google account.
- Safe Search: If safe search is enabled, it is not possible to log in to YouTube when cookies are disabled.
- Safe Search: Safe search is not enforced by Bing when using HTTPS.
- Custom Block Pages: Even though access to a blocked website is properly denied, Application or URL Filter block pages are not displayed on the first request for a website blocked by a URL policy object when SSL Interception is enabled.
- NG Admin: Links from dashboard elements are always opened in Internet Explorer and not in the default browser.
- VPN Routing: When a duplicate route to an already existing VPN route in the main routing table is announced to the NG Firewall via RIP, OSPF or BGP, a duplicate routing entry is created and the route that was added last is used.
VPN Routing: Creating a direct or gateway route with the same metric and destination as a VPN route in the main routing table results in duplicate routes. The route added last is used.
- HTTP Proxy: Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
- CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
- ATD: Only the first URL in the Quarantine Tab that leads to a quarantine entry is displayed, even if the User and/or IP address downloaded more than one infected file.This can be dangerous if the first downloaded file is a false-positive.
- Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning is enabled in the matching access rule.
- Firewall: Using SSL Interception in combination with URL Filtering and category exemptions may result in degraded performance.
- NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
- Barracuda OS: Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
- Terminal Server Agent: It is not currently possible to assign connections to Windows networks shares to the actual user.
- Firmware Update: Log messages similar to
WARNING: /lib/modules/18.104.22.168-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hwmay appear while updating, but can be ignored.
- Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
- Application Control 2.0 and Virus Scanning: Data Trickling is only done while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
- Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
- Application Control 2.0 and Virus Scanning: It is not currently possible to perform virus scanning for chunked transfer encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
- Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, small amount of traffic may already have passed through the firewall.
- Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are sometimes delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports The archive couldn't be scanned completely. Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
- High Availability: IPv6 network sessions might not be established correctly after an HA failover.
- Barracuda OS: Restoring units in default configuration with par files created on a NG Control Center may result in a corrupt virtual server. Instead, copy the par file to opt/phion/update/box.par and reboot the unit.
VPN: Rekeying does not currently work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated.