In these Release Notes:
GPL Compliance Statement
This product is in part Linux-based and contains both Barracuda Networks proprietary software components and open source components in modified and unmodified form. A certain number of the included open source components underlie the GPL or LGPL or other similar license conditions that require the respective modified or unmodified source code to be made freely available to the general public. This source code is available on http://source.barracuda.com.
Hotfixes Included with Barracuda NG Firewall Version 6.0.2
The following previously released public hotfixes are included with this release:
- Hotfix 678: Barracuda Web Filter Service Timeouts
- Hotfix 679: BGP Issues
- Hotfix 670: HTTP/HTTPS Stability Improvements and Virus Scanning in the Firewall for F100/F101
- Hotfix 681: Fix for managing 6.1 NG Firewalls on a NG Control Center running 6.0
What´s New in Barracuda NG Firewall Version 6.0.2Barracuda Firewall firmware 6.0.2 is a maintenance release only. No new features were added.
Improvements Included in Barracuda NG Firewall Version 6.0.2
Barracuda NG Admin
- Files scanned by ATD are now sorted to place newest results first. (BNNGF-29975, BNNGF-29745)
- NG Admin no longer shows password change enforcement popup for users that do not have permission to access the configuration node and no password enforcement is set. (BNNGF-27960)
- Filtering for users in FIREWALL > Live now works as expected. (BNNGF-29666)
- Setting the update interval of dashboard elements to
0now works as expected. (BNNGF-29620)
- Adapted time filter options in FIREWALL > Monitor to match the scope of the log files. (BNNGF-29615)
- NG Admin now works as expected on Windows Vista SP2. (BNNGF-30496)
- Licenses that are about to expire are now displayed in yellow on the CONTROL > Licenses page. (BNNGF-29814)
- Renamed use OSPF to advertise Route in the GTI tunnel configuration window. (BNNGF-29802)
- Disables navigating via ALT key and Simple config by default. (BNNGF-29763)
- The Sync Filter button is now available immediately when using a filter on the FIREWALL > Live page. (BNNGF-29751)
- The Status Map now covers the event service. (BNNGF-29675)
- NG Admin no longer crashes when opening a trace record. (BNNGF-27756)
- Changed description for Site-to-Site Remote Peer IP Addresses to include the possibility of using a FQDN. (BNNGF-30099)
- Pressing the Delete key no longer removes list entries when the page is not locked. (BNNGF-30090)
- Removed option to export root certificates on the Security Policy page to the clipboard. (BNNGF-29937)
- Rate-Max for inbound traffic shaping rates larger than 2047 Mbit on the FIREWALL > Shaping page are now displayed correctly. (BNNGF-29880)
- Icons in the CONTROL > Network > ARP are now displayed correctly. (BNNGF-27839)
- Changing the welcome message for the Access Control Service now works as expected. (BNNGF-29599)
- When terminating a large number of sessions, only one popup is shown when two or more sessions cannot be terminated. (BNNGF-29376)
- Improved navigating FIREWALL > Live by keyboard. (BNNGF-27750)
- License state is now reported correctly. (BNNGF-20061)
- Updated OpenSSL to fix several security vulnerabilities. (BNNGF-29258)
- Authentication service (phibs) no longer crashes when a large number of file descriptors are used. (BNNGF-28878)
- Events occurring outside the defined Thresholds now trigger a new event and are no longer counted toward the threshold. (BNNGF-30588)
- Fixed issue leading to the DC Agent authentication causing high load on the system. (BNNGF-29971)
- Fixed legacy Management Centers download of OPSWAT pattern updates. (BNNGF-29190)
- Barracuda NG Firewall F100 and F101 no longer include the HTTP Proxy service in the default configuration. (BNNGF-28932)
- Disk space is now reported via SNMP. (BNNGF-28203)
- The updateserver process no longer causes high CPU load. (BNNGF-30281)
- Restoring the Network > UMTS/3G setting via RCS now works as expected. (BNNGF-29735)
- The TSClient now listens on every box IP address. (BNNGF-29176)
- SSL encrypted syslog streaming now works as expected. (BNNGF-27958)
- It is now possible to migrate virtual servers to VF2000 or higher. (BNNGF-30579)
- Removed option to use wildcards in the pre-authentication value patterns. (BNNGF-26436)
- The control daemon now automatically monitors and restarts ntpd. (BNNGF-29703)
- ClamAV updates are no longer downloaded when the ClamAV virus scanner engine is disabled. (BNNGF-28464)
NG Control Center
- An NG Control Center running firmware 6.0.0 or 6.0.1 can now send configuration updates to a 6.1.0 NG Firewall as expected. (BNNGF-29556)
- Added Encapsulation Mode Auto Detection to IPsec tunnel configuration in the GTI Editor. (BNNGF-30243)
- It is no longer possible to create two GTI groups with the same name. (BNNGF-30432)
- Retrieving ATD results now subtracts the time zone correctly. (BNNGF-28327)
- Fixed memory leak in Virus scanning service. (BNNGF-30338)
- Using legacy phion pool licenses in combination with Avira now works as expected. (BNNGF-30316)
- The ClamAV virus scanner engine is longer available on the Barracuda NG Firewall F100 and F101. Avira is automatically started as a replacement. (BNNGF-28524)
- Creating an ATD summary report for archives now works as expected. (BNNGF-29953)
- Parallel file transfers now work as expected. (BNNGF-29821)
- Creating a ruleset now works as expected. (BNNGF-29092)
- IPS no longer drops traffic for out-of-window TCP ACKs when in report-only mode. (BNNGF-29063)
- Websites now load as expected when TCP Stream Reassembly is disabled and Virus Scanning in the Firewall is enabled. (BNNGF-28037)
- Encapsulation for IPsec tunnels using NAT-T is now set correctly. (BNNGF-29756)
- Added Encapsulation Mode Auto Detection to Site-to-Site IPsec tunnel configuration. (BNNGF-30053)
- Client-to-Site MSAD and OTP (via RADIUS) authentication now work as expected. (BNNGF-29283)
- Setting the Site-to-Site VPN tunnel bandwidth policy to Fixed Bandwidth or Assign QoS Profile in combination with interface shaping now works as expected. (BNNGF-28487)
- The SIP Proxy now reacts gracefully when failing to open additional dynamic ports. (BNNGF-29133)
- Updated OpenSSL version used for the HTTP proxy to fix CVE-2015-0204. (BNNGF-28885)
- It is no longer possible to add a certificate that does not match the private key when configuring a reverse proxy with Use SSL set to yes. (BNNGF-27680)
- Using HTTP Proxy authentication via the Firewall Login now displays the username correctly. (BNNGF-29671)
- Repropagating static routes to OSPF now works as expected. (BNNGF-29216)
- Removing the primary route of two redundant BGP routes using special routing tables now works. (BNNGF-29208)
- BGP weight settings now take effect without restarting the service. (BNNGF-30031)
- Improved filter verification. (BNNGF-30114)
- The Barracuda Web Filter now uses the best available server. (BNNGF-28413)
- Barracuda NG Web Filter updated with new categories. (BNNGF-28812)
- Added a new event to be triggered when the number of DHCP leases is exhausted. (BNNGF-27937)
No new known issues found in 6.0.2
- HTTP Proxy: Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
- HTTP Proxy: It is not possible to use ClamAV in combination with the HTTP Proxy service on Barracuda NG Firewall F100 and F101 models.
- CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
- Firewall: Using SSL Interception in combination with URL Filtering and category exemptions may result in degraded performance.
- ATD: Only the first URL in the Quarantine Tab that leads to a quarantine entry is displayed, even if the User and/or IP address downloaded more than one infected file.This can be dangerous if the first downloaded file is a false-positive.
- Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning is enabled in the matching access rule.
- SSL VPN Mobile Portal: Mobile Portal configurations and settings are currently not included in PAR files.
- Virus Scanner: The virus scanning service stalls during virus pattern updates.
- NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
- NG Admin: Product activation does not work with Internet Explorer 11.
- Barracuda OS: HA sync is not possible if Force RCS Change Message is enabled.
- Barracuda OS: Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
- Terminal Server Agent: It is currently not possible to assign connections to Windows networks shares to the actual user.
- Firmware Update: Log messages similar to
WARNING: /lib/modules/184.108.40.206-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hwmay appear while updating, but can be ignored.
- Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
- Application Control 2.0 and Virus Scanning: Data Trickling is only done while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
- Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
- Application Control 2.0 and Virus Scanning: It is currently not possible to perform virus scanning for chunked transfer encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
- Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, small amount of traffic may already have passed through the firewall.
- Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are sometimes delivered as partial updates. These partial updates cannot be extracted and are blocked by virus scanning engine. The engine reports The archive couldn't be scanned completely. Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
- High Availability: IPv6 network sessions might not be established correctly after an HA failover.
- Barracuda OS: Restoring units in default configuration with par files created on a NG Control Center may result in a corrupt virtual server. Instead, copy the par file to opt/phion/update/box.par and reboot the unit.
VPN: Rekeying currently does not work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated.