In these Release Notes:
GPL Compliance Statement
This product is in part Linux-based and contains both Barracuda Networks proprietary software components and open source components in modified and unmodified form. A certain number of the included open source components underlie the GPL or LGPL or other similar license conditions that require the respective modified or unmodified source code to be made freely available to the general public. This source code is available on http://source.barracuda.com.
Hotfixes Included with Barracuda NG Firewall Version 6.0.3
The following previously released public hotfixes are included with this release:
- Hotfix 692: NTP 2015 Leap Second Update
- Hotfix 703: TKEY queries in bind
What´s New in Barracuda NG Firewall Version 6.0.3Barracuda NG Firewall firmware 6.0.3 is a maintenance release only. No new features were added.
Improvements Included in Barracuda NG Firewall Version 6.0.3
Barracuda NG Admin
- Change message is now included in the RCS report. (BNNGF-30981)
- Changed input validation for Site Specific Objects to allow all characters also allowed for Forwarding Firewall Objects. (BNNGF-31040)
- The access rule dialog now displays larger system text sizes correctly. (BNNGF-31068)
- Removing all referenced objects when deleting a Client-to-Site VPN Group policy now works as expected. (BNNGF-31778)
- Using range regular expressions for filtering in NG Admin now works as expected. (BNNGF-20283)
- Renamed use OSPF to advertise Route in GTI Site-to-Site configuration. (BNNGF-29802)
- NG Admin no longer freezes if large amount of FW Audit data is requested. (BNNGF-31774)
- Leap seconds are now handled gracefully. (BNNGF-30660)
- DC Client authentication now works as expected. (BNNGF- )
- Changing duplex settings for natsemi.ko drivers now works as expected. (BNNGF-31973)
- When no interface used for the DHCP server subnets is available, the DHCP server now attempts to restart the service three times every time an interface changes its state. (BNNGF-31946)
NG Control Center
- Pool license reassignment now also works for legacy units and standard hardware (SF). (BNNGF-31535)
- No longer logging "Dead loop on virtual device vpn0. Fix it urgently!" when using VPN in combination with traffic shaping. (BNNGF-31331)
- L2TP tunnels now work as expected when a referenced firewall object is used for the static IP address of the user. (BNNGF-31052)
- To avoid excessive logging, the default Log Level for WAN Optimization is now set to 0. (BNNGF-30784)
- Fixed a memory leak in the firewall service. (BNNGF-31555)
- Connections to the same destination IP address using NAT or PAT are no longer assigned already used source ports. (BNNGF-32386)
- Firewall authentication no longer causes system crashes. (BNNGF-30356)
- Sessions handled by a firewall plugin are no longer terminated when a change to the firewall ruleset is made. (BNNGF-25686)
- Updated Application Control definitions. (BNNGF-28831)
- The FTP plugin now handles EPRT ftp commands correctly. (BNNGF-30323)
- Internal access rules not accessible for the user no longer generate events. (BNNGF-26014)
- The number of network objects that can contain hostnames is no longer limited to 383. (BNNGF-30590)
- Global, range, and cluster objects now work as expected when used in combination with the Distributed Firewall service. (BNNGF-31431)
- Custom IPS policy now works as expected in the Global Rules ruleset. (BNNGF-23221)
- URL filter categories are now handled correctly. (BNNGF-31127)
- Licenses now stay valid even if the MAC address of the underlying EC2 Instance changes. (BNNGF-23708)
- NG Admin: The IPsec ID-type parameter is displayed in the Client-to-Site VPN configuration dialog, even if it is not supported by the firmware running on the NG Firewall.
- NG Control Center: Peer IP Restrictions must include Management IP address, Control Center IP address, VIP IP addresses or networks, client IP address, and MIP for local managed NG Firewalls.
- NG Control Center: It is currently not possible to use, create, or link to Network repositories. Use version 6.0.2 repository entries instead.
- HTTP Proxy: Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
- HTTP Proxy: It is not possible to use ClamAV in combination with the HTTP Proxy service on Barracuda NG Firewall F100 and F101 models.
- CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
- Firewall: Using SSL Interception in combination with URL Filtering and category exemptions may result in degraded performance.
- ATD: Only the first URL in the Quarantine Tab that leads to a quarantine entry is displayed, even if the User and/or IP address downloaded more than one infected file.This can be dangerous if the first downloaded file is a false-positive.
- Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning is enabled in the matching access rule.
- SSL VPN Mobile Portal: Mobile Portal configurations and settings are currently not included in PAR files.
- Virus Scanner: The virus scanning service stalls during virus pattern updates.
- NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
- NG Admin: Product activation does not work with Internet Explorer 11.
- Barracuda OS: HA sync is not possible if Force RCS Change Message is enabled.
- Barracuda OS: Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
- Terminal Server Agent: It is currently not possible to assign connections to Windows networks shares to the actual user.
- Firmware Update: Log messages similar to
WARNING: /lib/modules/18.104.22.168-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hwmay appear while updating, but can be ignored.
- Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
- Application Control 2.0 and Virus Scanning: Data Trickling is done only while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
- Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
- Application Control 2.0 and Virus Scanning: It is currently not possible to perform virus scanning for chunked transfer encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
- Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, a small amount of traffic may already have passed through the firewall.
- Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are sometimes delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports The archive couldn't be scanned completely. Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
- High Availability: IPv6 network sessions might not be established correctly after an HA failover.
- Barracuda OS: Restoring units in default configuration with par files created on an NG Control Center may result in a corrupt virtual server. Instead, copy the par file to opt/phion/update/box.par and reboot the unit.
VPN: Rekeying currently does not work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated.