In these Release Notes:
Hotfixes included with Barracuda NG Firewall version 6.0.6
The following previously released public hotfixes are included with this release:
- Hotfix 796 – Virscan Service
- Hotfix 778 – Firewall
What's new in Barracuda NG Firewall version 6.0.6
Barracuda NG Firewall firmware 6.0.6 is a maintenance release only. No new features were added.
Improvements included in Barracuda NG Firewall version 6.0.6
Barracuda NG Admin
- Configuring VPN firewall rulesets now works as expected. (BNNGF-38858)
- Added input validation to disallow pound signs ('#') in password fields. (BNNGF-37737)
- Added Shared Secret input validation to check for invalid characters in the IPsec site-to-site configuration dialog. (BNNGF-37984)
- Full-screen command line apps are now displayed correctly in the SSH tab. (BNNGF-11234)
- The firewall monitor now returns correct information when using a combination of URL Filter category and traffic type filters. (BNNGF-37563)
- Copying a connection object containing a network object now works as expected. (BNNGF-38459)
- CC admins can now log in via SSH when TACPLUS authentication is used. (BNNGF-37442)
- Updated 7zip to be able to extract v5 RAR files. (BNNGF-37391)
- The primary firewall in a high availability cluster now successfully downloads the licenses for the secondary firewall. (BNNGF-24200)
- Rekeying for client-to-site IKEv1 IPsec VPN tunnels no longer results in a termination of the connection. (BNNGF-38976)
- Fixed race condition between the traffic shaping and routing subsystems. (BNNGF-38048)
- The IPS now works as expected when scanning SSL-intercepted traffic. (BNNGF-35440)
- In rare cases, traffic shaping caused a restart of the firewall. (BNNGF-36548)
- The feature level of the firewall service is now limited to the cluster version instead of the firmware version of the Control Center. (BNNGF-38254)
- Application detection now works as expected for Dropbox. (BNNGF-36366)
- A leading "/" in the URL Path of a custom application no longer causes the URL to not match. (BNNGF-40052)
- Resolving a large number of hostname network objects now works as expected. (BNNGF-35963)
- Improved interface state changes detection. (BNNGF-37510)
- OSPF routes that are denied by the area import filter are no longer learned. (BNNGF-36992)
- Updated the dynamic routing daemon to include fixes for the peergroup IPv6 issue and VU270232. (BNNGF-38500)
- Added Learning Management Systems category to the URL Filter. (BNNGF-37457)
Virus Scanner and ATD
- Added support to scan RTF files with ATD. (BNNGF-38150)
- Added PUA configuration option for ClamAV virus scanning engine with exceptions for win32packer and Block OLE2 Macros. (BNNGF-37177)
- Updated squid to version 3.5.19 due to the following security vulnerabilities: CVE-2016-4555, CVE-2016-4556, CVE-2016-4554, CVE-2016-4553 and SQUID-2016:3-9. (BNNGF-37828, BNNGF-38384, BNNGF-36855, BNNGF-38841)
- The default deny-all ACL is now also applied to the reverse proxy. (BNNGF-30773)
- URL filtering in the HTTP Proxy now works as expected. (BNNGF-36963)
- Statistics for HTTP Proxy now use correct destination entries. (BNNGF-36962)
- It is now possible to use Deny and redirect action for Access Control policy. (BNNGF-37908)
- The virus scanning block page now shows correct URL for FTP over HTTP Proxy connections. (BNNGF-38910)
- URL Fetching in the HTTP Proxy neighbor settings now works as expected. (BNNGF-37278)
- Added no-digest to the backend configuration for the reverse proxy. (BNNGF-36566)
- In the Advanced View of the Reverse Proxy Settings, it is now possible to manually set the SSL/TLS Version for the Backend. (BNNGF-39272)
- When creating a CC admin user with local authentication, entering a password is now required if the key-only authentication is not configured. (BNNGF-37040)
- The configurations in the Set area config on the File Updates configurations are now included in the archive.PAR file. (BNNGF-29061)
- RCS changelog messages now allow the "-" character. (BNNGF-37119)
- For Control Center high availability clusters, the syslog format no longer differs when the virtual server fails over to the secondary Control Center. (BNNGF- )
- It is no longer possible to add blank entries to the Additional CC IP addresses list. (BNNGF-37952)
- The Relay Interface list now shows the correct port names. (BNNGF-37057)
- Setting the Wi-Fi bit rate manually no longer results in poor throughput. (BNNGF-38395)
- Enabled 802.11n and removed Super G channel bonding for F80, F180, and F280 revision B. (BNNGF-35877)
- Setting a root password using extended ASCII characters during deployment now works as expected. (BNNGF-35994)
- NG Admin: Opening the Activation dialog on Windows 10 may cause NG Admin to be unresponsive for up to 20 seconds. Use NextGen Admin 7.0.0 or higher instead.
- IPsec: IPsec VPN tunnels using SHA512 between two F-Series Firewalls running firmware versions 6.0.5 and 6.0.6 fail.
- NG Admin: The IPsec ID-type parameter is displayed in the client-to-site VPN configuration dialog, even if it is not supported by the firmware running on the NG Firewall.
- NG Control Center: Peer IP Restrictions must include management IP address, Control Center IP address, VIP IP addresses or networks, client IP address, and MIP for local managed NG Firewalls.
- HTTP Proxy: It is not possible to use ClamAV in combination with the HTTP Proxy service on Barracuda NG Firewall F100 and F101 models.
- CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
- Firewall: Using SSL Interception in combination with URL filtering and category exemptions may result in degraded performance.
- ATD: Only the first URL in the Quarantine tab that leads to a quarantine entry is displayed, even if the user and/or IP address downloaded more than one infected file. This can be dangerous if the first downloaded file is a false-positive.
- Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning are enabled in the matching access rule.
- SSL VPN Mobile Portal: Mobile Portal configurations and settings are currently not included in PAR files.
- Virus Scanner: On small firewall models with insufficient free memory the virus scanning service may stall during virus pattern updates.
- NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
- Barracuda OS: Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
- Terminal Server Agent: It is currently not possible to assign connections to Windows network shares to the actual user.
- Firmware Update: Log messages similar to
WARNING: /lib/modules/184.108.40.206-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hw
may appear while updating, but can be ignored.
- Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
- Application Control 2.0 and Virus Scanning: Data trickling is done only while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
- Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
- Application Control 2.0 and Virus Scanning: It is currently not possible to perform virus scanning for chunked transfer-encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
- Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, a small amount of traffic may already have passed through the firewall.
- Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports "The archive couldn't be scanned completely." Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.