In these Release Notes:
GPL Compliance Statement
This product is in part Linux-based and contains both Barracuda Networks proprietary software components and open source components in modified and unmodified form. Some of the open source components included underlie either the GPL or LGPL, or other similar licensing, which requires all modified or unmodified source code to be made freely available to the public. This source code is available at http://source.barracuda.com.
Hotfixes Included with Barracuda NG Firewall Version 6.1.2
- Hotfix 702: TKEY Queries in bind
- Hotfix 706: VPN Profiles for SSL VPN
- Hotfix 708: SSL Interception (included in Hotfix 711)
- Hotfix 711: Cumulative Firewall Hotfix
- Hotfix 716: DC Client Authentication
What´s New in Barracuda NG Firewall Version 6.1.2
Wi-Fi Access Point Authentication for Aruba AP
It is now possible to collect authentication information by configuring the Barracuda NG Firewall as a logging server for your Aruba Access Points.
For more information, see How to Configure WiFi AP Authentication and WiFi AP Authentication Aruba Configuration
Improvements Included in Barracuda NG Firewall Version 6.1.2
Barracuda NG Admin
- Exporting, Importing, and Merging box licenses from and to the clipboard now works as expected. (BNNGF-30523)
- Re-enabled option to link the Network configuration to a repository entry. (BNNGF-33037)
- VPN tunnel status is now displayed correctly on the Status Map. (BNNGF-32645)
- Exporting, Importing, and Merging HTTP Proxy ACL entries from and to the clipboard now works as expected. (BNNGF-23121)
- Disabled routes are now displayed in red. (BNNGF-33226)
- It is now possible to set the IPsec-ID for IPsec tunnels created with the GTI editor. (BNNGF-32705)
- When restoring from a PAR file, NG Admin no longer locks up when the PAR file is unavailable. (BNNGF-32514)
- Removing Client-to-Site VPN group policies now works as expected. (BNNGF-31778)
- Values in the FIREWALL > Audit Log duration columns are now displayed correctly. (BNNGF-32189)
- In the NG Control Center, active tunnels in CONTROL > Geo Maps are now displayed in green to be consistent with the Status Map. (BNNGF-30904)
- Reputation search for IP addresses in FIREWALL > Live and FIREWALL > History now works as expected. (BNNGF-33440)
- In the NG Control Center, Reset to Cluster Default now requires a configuration lock. (BNNGF-31851)
- NG Admin no longer freezes if a large amount of FW Audit data is requested. (BNNGF-31774)
- HA sync no longer causes soft lockups if the HA-partner is unavailable. (BNNGF-31427
- Updated HP smart array drivers (hspa) to version 3.4.10. (BNNGF-32068)
- The DC Client now correctly interprets user group information sent by the DC Agent. (BNNGF-33146)
- DHCP with multiple encapsulated options now works as expected. (BNNGF-32895)
- Restoring PAR files larger than two GB now works as expected. (BNNGF-31879)
- The virtual server monitoring state is no longer listed on the CONTROL > Server page if IP Monitoring Policy is set to No. (BNNGF-24160)
- Updated LSI megaraid driver (megaraid_sas) to version 6.808.12. (BNNGF-32585)
- Changing duplex settings for interfaces using the netsemi.ko driver now works as expected. (BNNGF-31973)
- Added source and destination IP address to the box level eventS.log logfile. (BNNGF-32438)
- The Firewall service no longer causes a kernel panic due to a race condition in the source object allocation. (BNNGF-32484)
- Disabling ping for management or service addresses now works as expected. (BNNGF-33169)
- Parsing compressed HTML pages by IPS now works as expected. (BNNGF-25552)
- The DNS plug-in now works correctly and no longer crashes. (BNNGF-32456)
- The Firewall service now correctly processes NAT/PAT operations to address issues with website loading and connection drops in general. (BNNGF-32386)
- Updated OpenSSL version used for SSL Interception to enable elliptic curve ciphers. (BNNGF-26180)
- Fixed a memory leak related to delivery of Application Control 2.0 Block Pages. (BNNGF-32838)
- SSL Interception now works with all imported root certificates. (BNNGF-32771)
- The Firewall activity log now correctly displays denied and blocked IPv6 sessions. (BNNGF-31750)
- It is now possible to select custom IPS policies for rules in the Global Rules ruleset. (BNNGF-23221)
- Configuration changes no longer deactivate OSPF on vpnr interfaces. (BNNGF-31309)
- L2TP Client-to-Site VPN now works as expected for Android and iOS devices. (BNNGF-31289)
- Dynamic Mesh tunnels can now be triggered without a source or destination network if a routed VPN is used. (BNNGF-31213)
- Added Prevent Tunnel Timeout option to the TI settings of the connection object to be able to choose if the matching traffic is used as a criteria for terminating the dynamic tunnel (BNNGF-32854, BNNGF-21214)
- Added MD160, SHA256, and SHA512 to the supported hash algorithms for IPsec VPNs. (BNNGF-32702, BNNGF-30929)
- Fix for a dead loop on the virtual device vpn0 that caused issues when enabling QoS on VPN tunnels. (BNNGF-31717)
- Dynamic Mesh Tunnels no longer cause an error when a tunnel is destroyed while still in the initiation phase. (BNNGF-32835)
- IPsec ID Type is now configurable for IPsec Site-to-Site VPN tunnels. (BNNGF-17248)
- TKEY queries are now handled correctly. This fixes security vulnerability CVE-2015-5477. (BNNGF-32391)
- Added aes-128-ctr to the allowed cipher list. (BNNGF-32327)
- It is no longer possible to use SSL Interception and the download progress bar in the HTTP Proxy service. (BNNGF-31364)
NG Control Center
- Reassigning pool licenses for phion-legacy and SF-licensed units now works as expected. (BNNGF-31535)
- Enable Product Tips now shows the correct state on freshly installed NG Control Centers. (BBNNGF-32410)
- Added Message column to RCS report. (BNNGF-30981)
- CC Admins using peer IP restrictions and SPoE can now successfully authenticate. (BNNGF-27515)
- NG Control Center: Network > Azure Advanced Networking is displayed in a 6.1. cluster even if the managed NG Firewall is running version 6.1.1 or 6.1.0 that does not support this feature.
- After importing a PAR file singed by the NG Control Center on a managed NG Firewall a soft network activation is automatically executed. Restart the active network configuration on the CONTROL > Box page to finish the network activation.
- When a license is changed an automatic soft network activation is executed.
- Opensource Xen HVM: Opensource (Linux) Xen HVM images are currently not supported for firmware 6.1.2.
- Firewall Plugin: The DCERPC firewall plugin module is disabled.
- Azure: During the update to 6.1.2, the ssh key is regenerated and replaces the existing ssh key.
- Application Control 2.0: The URL Category Search Engine may not be set to override when URL Filtering is used in combination with SafeSearch.
- HTTP Proxy: Custom block pages do not work for the HTTP Proxy when running on the same NG Firewall as the Firewall service. This issue does not occur when running the HTTP proxy service on a second NG Firewall behind the NG Firewall running the Firewall service.
- SSL VPN: Favorites are not included in the PAR file.
- SSL VPN: Text fields do not accept the
- SSL VPN: The mobile navigation bar is missing from servers entered in the Allowed Hosts.
- SSL VPN: User Attributes do not support UTF-8.
- SSL VPN: The allowed host filter path must be unique.
- Safe Search: In some cases, YouTube safety mode does not work when logged in with a Google account.
- Safe Search: If Safe Search is enabled, it is not possible to log into YouTube when cookies are disabled.
- Safe Search: Safe Search is not enforced by Bing when using HTTP.
- VPN Routing: When a duplicate route to an already existing VPN route in the main routing table is announced to the NG Firewall via RIP, OSPF or BGP, a duplicate routing entry is created and the route that was added last is used.
VPN Routing: Creating a direct or gateway route with the same metric and destination as a VPN route in the main routing table results in duplicate routes. The route added last is used.
- HTTP Proxy: Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
- CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
- ATD: Only the first URL in the Quarantine Tab that leads to a quarantine entry is displayed, even if the User and/or IP address downloaded more than one infected file.This can be dangerous if the first downloaded file is a false-positive.
- Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning is enabled in the matching access rule.
- Firewall: Using SSL Interception in combination with URL Filtering and category exemptions may result in degraded performance.
- NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
- Barracuda OS: Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
- Terminal Server Agent: It is not currently possible to assign connections to Windows networks shares to the actual user.
- Firmware Update: Log messages similar to
WARNING: /lib/modules/18.104.22.168-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hwmay appear while updating, but can be ignored.
- Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
- Application Control 2.0 and Virus Scanning: Data Trickling is done only while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
- Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
- Application Control 2.0 and Virus Scanning: It is not currently possible to perform virus scanning for chunked transfer encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
- Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, a small amount of traffic may already have passed through the firewall.
- Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are sometimes delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports The archive couldn't be scanned completely. Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
- High Availability: IPv6 network sessions might not be established correctly after an HA failover.
- Barracuda OS: Restoring units in default configuration with par files created on an NG Control Center may result in a corrupt virtual server. Instead, copy the par file to opt/phion/update/box.par and reboot the unit.
VPN: Rekeying does not currently work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated.