Barracuda CloudGen Firewall

10.0.1 Release Notes

Important Announcements and Notes for Release 10.0.1

Read this section before you continue with the Release Notes below.

Installation of Firmware 10.0.1

After updating to release 10.0.0 from 8.3.x or 9.0.0, some files from the installation are not cleaned up as expected.
However, this doesn't have an impact on properly running firmware 10.0.1.

Updating from firmware >= 9.0.1 doesn’t cause this issue and works as expected!

Certificates

As of firmware version 9.0.5, certificates in a chain that contain only a CN no longer work.

Encryption, Weak Ciphers

NOTE

As of firmware release 10.0, specific features no longer support weak ciphers for security reasons:

  • NTP peering no longer works with SHA1. [BNNGF-97461]

  • Syslog Streaming:

    • Syslog streaming across TCP TLS connections no longer accepts RSA public key sizes of 1024 bits or less. [BNNGF-97492]

    • TLS Protocol with SSLv3 is no longer supported by the newer OpenSSL versions and has been deprecated. [BNNGF-97493]

    • If you are using syslog streaming, you must take the following measures:

      • For every CGF-managed box, you must check the bit length used for syslog streaming.

      • For every CGF-managed box that sends logs to the CC via Syslog Streaming, you must change the TLS protocol to at least version TLS 1.2 and change the configuration to a larger bit length at Syslog Config > Trusted Clients.
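
The two checks above (RSA key larger than 1024 bits, TLS protocol at least TLS 1.2) can be scripted against exported public keys. The following is an added example, not Barracuda code: it reads the modulus size straight from the DER structure of a PEM `PUBLIC KEY` block, and the inventory format, box names, protocol labels and function names are assumptions made for illustration.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # assumed labels

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Return the RSA modulus size in bits of a PEM 'PUBLIC KEY' block."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    _, spki, _ = read_tlv(base64.b64decode(body))  # SubjectPublicKeyInfo
    _, alg, pos = read_tlv(spki)                   # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an RSA public key")
    tag, bitstr, _ = read_tlv(spki, pos)           # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("unexpected public key encoding")
    _, rsa_key, _ = read_tlv(bitstr[1:])           # SEQUENCE { modulus, exponent }
    _, modulus, _ = read_tlv(rsa_key)              # INTEGER modulus
    return int.from_bytes(modulus, "big").bit_length()

def audit(boxes):
    """Return {box: [findings]} for settings the 10.0 notes say are refused."""
    report = {}
    for name, tls, pem in boxes:
        bits, findings = rsa_modulus_bits(pem), []
        if bits <= 1024:
            findings.append(f"RSA key is {bits} bits (1024 or less is not accepted)")
        if TLS_ORDER.index(tls) < TLS_ORDER.index("TLSv1.2"):
            findings.append(f"{tls} is below TLS 1.2")
        if findings:
            report[name] = findings
    return report

# --- constructed sample data: structurally valid DER, not usable keys ---
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def _int(i):
    return _der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def sample_pem(bits):
    modulus = (1 << (bits - 1)) | 1  # placeholder with the requested bit length
    key = _der(0x30, _int(modulus) + _int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    der = _der(0x30, alg + _der(0x03, b"\x00" + key))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{b64}\n-----END PUBLIC KEY-----"

BOXES = [  # constructed inventory: (box name, TLS protocol, trusted-client key)
    ("branch-01", "SSLv3", sample_pem(1024)),
    ("branch-02", "TLSv1.2", sample_pem(1024)),
    ("hq-01", "TLSv1.2", sample_pem(2048)),
]

if __name__ == "__main__":
    print(audit(BOXES))
```

For keys held inside certificates, extract the public key to PEM first and feed the result to `rsa_modulus_bits`.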

For more information before migrating to 10.0.0, see 10.0.0 Migration Notes.

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

Licensing

Virtual images are now distributed with the VFC model preset by default because the VF model is deprecated!

General and Maintenance Information for the 10.0.1 Release Notes 

Firmware version 10.0.1 is a minor release.

Before installing the new firmware version:

Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes.

To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box.

14.10.2025 – Release of firmware 10.0.1.

Recommendations and Prerequisites for Running Firmware Release 10.0.1

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 10.0.1, Barracuda Networks recommends using at least Firewall Admin version 10.0.1. You can download this version here:
https://dlportal.barracudanetworks.com/#/packages/6288/FirewallAdmin_10.0.1-59.exe

Who Can Update to Firmware Release 10.0.1

Read the Migration Notes 10.0.1 before updating to firmware 10.0.1.

For more information on the migration process, see the 10.0.1 Migration Notes.

Update Information for 10.0.1 

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Will Become Obsolete in an Upcoming Release (after 10.0.1)

CGA Proxy

The CGA Proxy will be phased out in an upcoming release.

CudaLaunch & SSL-VPN

CudaLaunch and SSL-VPN will be phased out in an upcoming release and will be replaced with SecureEdge Access.

Features that Are No Longer Included in this Version 10.0.1

If you require one of the listed features, do not update to this firmware version!

SF Licensing

Old SF licensing is no longer supported and has been phased out.

Cloud Deprecations

The following features are no longer part of the 10.0 firmware release:

  • AutoVPN

  • Metered billing

  • Azure Security Center Support

ClamAV

ClamAV has been removed in firmware 10.0.

M30 Modem

The M30 modem is no longer supported.

OMS Agent, Azure Log Monitor Agent

The OMS Agent and the Azure Log Monitor Agent have been replaced with Azure Log API.

Branch Office Box VPN Compression

The “BoB” Branch Office Box VPN Compression is no longer supported by release 10.x.

New Features in Version 10.0.1 

Firmware 10.0.1 is a minor release. Although minor versions usually do not contain any new features, the following feature is contained in this firmware:

WCS 3.3 with New Categories

WCS 3.3 contains new categories. If Barracuda Firewall Admin 10.0.1 is used, the new categories are also visible on boxes running firmware below version 10.0.1. However, these categories should not be configured there as they won’t match!

Do not configure the following URL categories:

  • Artificial Intelligence - Simulation of human intelligence processed by machines.

  • Cheating - Get info about actions to subvert or disobey rules in order to obtain unfair advantages.

  • Code Repositories - Specialized storage systems to manage source code.

  • Hosted Payment Gateways - Service for a payment transaction process, conducted on a payment gateway provider’s platform.

Resolved Bugs and Improvements in Release 10.0.1

Authentication
  • Parsing errors for SAML no longer occur. [BNNGF-94863]

  • When some of many RADIUS servers become unavailable, requests to the remaining servers are now performed correctly. [BNNGF-95928]

  • Mismatches of users in the authentication database no longer occur in specific situations. [BNNGF-96407]

  • SAML no longer runs into errors in specific situations. [BNNGF-96557]

  • The Message-Authenticator attribute in RADIUS authentication is now calculated correctly. [BNNGF-96737]

  • Firewall authentication with SAML now works as expected. [BNNGF-97079]

  • Parsing data for authentication purposes no longer fails in specific situations. [BNNGF-98408]

Barracuda Firewall Admin
  • The Transport ID has been reintroduced for rulesets and FW Live for the ruleset feature level 9.0 and above. [BNNGF-95872]

  • Empty fields in Firewall > Forwarding Rules no longer occur. [BNNGF-96693]

  • The maximum size limit for compiled FW rulesets has been added to General Firewall Settings > Operational, section Ruleset Related Settings as the field Ruleset Size Limit Mode. [BNNGF-97496]

  • Barracuda Firewall Admin no longer crashes when opening the URL Filter policy. [BNNGF-97779]

  • Barracuda Firewall Admin no longer mistakenly sets the priority in GTI setups with more than one transport per class. [BNNGF-97888]

  • Box level SNMPd now works as expected. [BNNGF-97889]

  • The label Transport ID has been replaced by the new UI label Priority at several places in the UI. [BNNGF-97895], [BNNGF-97947]

  • When creating a site-to-site TINA tunnel for config version 8.3 in Firewall Admin, the transport class for BULK is now set correctly. [BNNGF-97899]

  • Potential inconsistencies in GTI TINA transports concerning either the newly introduced priority field (as of version 9.0) or the previously used transport ID will be automatically resolved. [BNNGF-97953]

  • Cluster migration is denied if a node or a sub-node in that cluster has been added, modified, or removed without an activation. [BNNGF-97960]

  • The handling of columns in the Live/History/Threat view and their visual organization has been improved. [BNNGF-97995]

  • Barracuda Firewall Admin no longer crashes accidentally when clicking on a tab. [BNNGF-97996]

  • Barracuda Firewall Admin now allows modifying user interface items only at places where it is officially allowed. [BNNGF-98031]

  • Closing a tab with a right-button click now works as expected. [BNNGF-98041]

  • Barracuda Firewall Admin no longer crashes upon startup when connecting to a firewall on box level. [BNNGF-98114]

  • STARTTLS now works as expected when sending email test notifications. [BNNGF-98148]

  • The option Allow Dynamic Mesh now works as expected in Barracuda Firewall Admin 9.0.5. [BNNGF-98185]

  • Barracuda Firewall Admin no longer crashes in specific situations. [BNNGF-98262]

  • Barracuda Firewall Admin no longer freezes when a VPN profile is exported. [BNNGF-98283]

  • GTI will now draw up to 100 services at once again. [BNNGF-98504]

  • The usage counter for Network Objects now works as expected. [BNNGF-98530]

  • Teams webhook URLs now also accept the ‘&’ and ‘=’ characters. [BNNGF-98717]

  • Barracuda Firewall Admin no longer crashes in specific situations. [BNNGF-98846]

  • An authentication scheme with the name Other has been added for all CCs. [BNNGF-99025]

  • The sorting for the column First Attempt at CONTROL > Remote Execution is now correct. [BNNGF-99103]

Barracuda OS
  • Removing a group policy only affects objects that are not referenced by other policies and afterwards displays a notification about objects that have not been deleted because they are still in use. [BNNGF-66288]

  • The Instant Replacement feature is now displayed for CloudGen Firewalls as expected. [BNNGF-84799]

  • The logging for NTP has been improved. [BNNGF-92032]

  • The assignment of licenses to multiple boxes no longer causes issues. [BNNGF-92606]

  • The logic for cleaning up licenses has been improved. [BNNGF-93063]

  • The size of SNMP buffers has been increased and no longer causes issues. [BNNGF-93414]

  • WCS 3.3 contains new categories. See the section ‘New Features in Version 10.0.1’ of the 10.0.1 Release Notes. [BNNGF-95628]

  • After enabling header reordering, the list Reference in CONFIGURATION > Box > Configuration Tree > Network > Interfaces now displays correct values. [BNNGF-95824]

  • SMTP passwords can now be longer than 56 characters. [BNNGF-95856]

  • Reachable IPs now work as expected after sending changes in Barracuda Firewall Admin. [BNNGF-95929]

  • Logging has been improved to reduce confusion if no admins are configured. [BNNGF-96116]

  • The network activation now works as expected after changing the MTU in the interface configuration. [BNNGF-96634]

  • Unexpected errors no longer occur in the context of System Email Notifications. [BNNGF-96815]

  • Statistics are stored in the correct folder as expected. [BNNGF-97061]

  • Log files are stored in the correct folder as expected. [BNNGF-97308]

  • TOTP bulk enrollment for multiple users now works as expected. [BNNGF-97441]

  • A fix to the kernel has been implemented to prevent potential crashes. [BNNGF-97595]

  • The upgrade process has been improved to perform a file system check before the upgraded box reboots. If an upgrade failure is detected, the box boots into the previous firmware, and the user must check manually. [BNNGF-97652]

  • Box Recovery now downloads the correct ISO metadata as expected. [BNNGF-97961]

  • STARTTLS now works as expected when sending email notifications. [BNNGF-98032]

  • InstallUpdate no longer terminates unexpectedly when installing 10.0.0-0993 on 9.0.0-0511. [BNNGF-98039]

  • Updates from firmware 9.0.4 to 10.0.0 can now be performed using the system scheduler. [BNNGF-98174]

  • System report generation via Firewall Admin works as expected. [BNNGF-98263]

  • Syslog streaming using TLS now works as expected with respect to the box key size. [BNNGF-98382]

  • The eventS logfile is sent to XDR. [BNNGF-98437]

Cloud AWS
  • Updating an AWS box from version 9.0.4 to 10.x now works as expected. [BNNGF-99006]

Cloud Azure
  • The security log table now comprises all relevant fields. [BNNGF-97857]

  • AWS EC2 appliances can now be updated to firmware 10.0.1 as expected. [BNNGF-97988]

Control Center
  • It is now possible to edit both local IPv4 and IPv6 networks for any tunnel in GTI. [BNNGF-95623]

  • Changes in the GTI editor are no longer reverted unexpectedly. [BNNGF-96213]

  • The rule list for the host firewall rules now shows inbound rules as expected. [BNNGF-96458]

  • ConfTemplates can now use Global Firewall Objects only for the CGF. [BNNGF-96556]

  • Firewalls no longer show up unexpectedly in CC events after having been removed from the list of boxes. [BNNGF-96578]

  • The warning for duplicate hosts is now triggered as expected for Global Objects in Control Centers. [BNNGF-96695]

  • On the Control Center, Firewall Objects no longer appear in the network settings after having been deleted. [BNNGF-96739]

  • CC Admins with cluster-limited access now have access only to authorized Auth-Sync zones. [BNNGF-97301]

  • Admin users can now access the firewall as expected. [BNNGF-97992]

  • The firmware update tab in Barracuda Firewall Admin now displays boxes as expected. [BNNGF-98038], [BNNGF-98599]

  • Adding a new SNMP service to a newly created box works as expected. [BNNGF-98083]

  • If changes are made to a global reference remote network object and the object will be used by an HA cluster, the changes will now be updated on both instances of the HA pair as expected. [BNNGF-98201]

  • Editing the global ruleset now works as expected on a 10.0.0 CC. [BNNGF-98251]

  • TINA tunnels are no longer unexpectedly removed when invoking Send Changes in VPN. [BNNGF-98308]

  • Service settings for AV of the related ConfUnit now write Explicit Listening IP correctly. [BNNGF-98991]

DNS
  • The text for Forwarders Selection under Administrative Settings > Caching DNS Service > Forwarders Selection in Firewall Admin has been reworked. [BNNGF-95545]

Firewall
  • URL filter match objects no longer lose their referencing after being activated. [BNNGF-95076]

  • Memory usage now works as expected and no longer causes unexpected crashes of tap3. [BNNGF-96300]

  • In very rare cases, HTTP1 Headers are no longer sent twice. [BNNGF-97182]

  • The FTP-plugin now works as expected in combination with GRE IP-tunnels. [BNNGF-97874]

  • A potential race condition when the shaping configuration is being updated no longer occurs. [BNNGF-97991]

  • If the forwarding firewall is run in policy mode, policy profile rules in the local and special ruleset are now correctly processed. [BNNGF-98021]

  • Invoking web pages on iMacs using Chrome now shows fast loading times if application control is active. [BNNGF-98175]

  • Resolving DNS objects now works as expected. [BNNGF-98033]

  • The SD-WAN ID has been added to the IPFIX flow. [BNNGF-98064]

  • The menu option for Measure Provider Performance is no longer available. [BNNGF-98124]

  • DNAT with fallback now works as expected. [BNNGF-98176]

  • The Firewall Insights dynamic network object is now handled correctly. [BNNGF-98177]

  • DNAT with DNS objects no longer ends up in ‘Block local loop’ states. [BNNGF-98344]

  • Malware policy evaluation has been implemented for SMTP and POP3. [BNNGF-98457]

  • Terminated sessions are now removed as expected. [BNNGF-98534]

  • A new CLI command has been implemented for an easy-to-use URL categorization lookup. [BNNGF-98537]

  • The tap process no longer crashes in specific situations. [BNNGF-98594]

  • The usage counter for policy profiles now works as expected. [BNNGF-98742]

  • Custom network applications with multiple endpoints for the same domain now process all endpoints. [BNNGF-98884]

  • The kernel no longer crashes in specific situations. [BNNGF-99006]

  • IPS hits no longer cause the box to crash in specific situations. [BNNGF-99114]

  • The firewall engine now starts as expected on an F1000 appliance. [BNNGF-99313]

HTTP Proxy
  • Processing entries in the HTTP Proxy ACL no longer causes invalid expressions. [BNNGF-97059]

REST
  • REST API requests now report consistent information. [BNNGF-92049]

  • Filenames may now contain the ‘-’ character. [BNNGF-95177]

  • The option for reachable IPs is now available in the REST API as an endpoint. [BNNGF-96666]

  • The restd no longer crashes when the block/unblock configuration updates endpoint is triggered. [BNNGF-98377]

  • When locking a config node, the configuration data will be reloaded as expected and will prevent any bypassing by other sessions. [BNNGF-98434]

VPN
  • Report Creator now displays the top user as expected. [BNNGF-71774]

  • Resolving DNS has been improved for IKEv1. [BNNGF-96089]

  • IKEv2 tunnels are now marked according to their real state. [BNNGF-96585]

  • TINA transports are now established as they are configured. [BNNGF-97001]

  • Old VPN tunnels are cleaned up as expected after renaming or moving the VPN service. [BNNGF-97052]

  • Kernel logs now report transports with a tunnel name. [BNNGF-97856]

  • TINA transports configured as Fallback and On Demand now work as expected. [BNNGF-97923]

  • The label Transport ID has been replaced by the new UI label Priority at several places in the UI. [BNNGF-97965], [BNNGF-97986]

  • The VPN service no longer crashes due to an expired certificate. [BNNGF-97997]

  • Restricting a Client-to-Site VPN Group Policy to use only SHA512 now works as expected. [BNNGF-98013]

  • Migrating tunnels from release 8.3 to 9.0 now works as expected. [BNNGF-98046]

  • Client-to-Site disconnects no longer occur due to fixed issues on VPN compression. [BNNGF-98101]

  • The VPN service no longer causes unexpected memory leaks. [BNNGF-98120]

  • VPN dynamic high performance mode now works as expected. [BNNGF-98153]

  • VPN throughput performance has been optimized. [BNNGF-98246], [BNNGF-98250]

  • Configuring a provider in GTI now writes the provider to the correct site. [BNNGF-98256]

  • VPN no longer crashes in specific situations after decompression. [BNNGF-98293]

  • Forward Error Correction (FEC) in VPN TINA no longer causes kernel crashes under heavy load situations. [BNNGF-98336]

  • Kernel issues have been solved and no longer cause malfunctioning VPN transports. [BNNGF-98607]

  • Migrating from transports to priorities no longer causes issues. [BNNGF-98963]

  • A box no longer crashes in specific situations when using VPN in hybrid mode. [BNNGF-99152]

All 10.0-Related Ticket Overview

As of firmware release 10.0.1, more than 2000 tickets have been resolved.

For more information, see List of Tickets Solved until Release 10.0.1.

Resolved CVEs

For more information on CVEs, see CVE Overview for Barracuda CloudGen Firewall.

Known Issues in Release 10.0.1

  • Barracuda Firewall Admin - The change of a password for a CC-Admin which is using an external authentication scheme does not work on the CC. [BNNGF-98450]

  • Barracuda Firewall Admin – After importing an update package, the list of files on CC won't be updated. [BNNGF-98739]

  • Barracuda Report Creator - Barracuda Report Creator does not work with users created in the CC > Admin tab. [BNNGF-98122]

  • Barracuda OS – In rare circumstances, the SNMP value for active C2S connections can be wrong. In such cases, the vpnstatus.db must be deleted once. [BNNGF-94918]

  • Barracuda OS – Updating appliances to firmware version 10.0 now works as expected if /boot is not the first partition. [BNNGF-97876]

  • Barracuda OS – The Firewall Activity and Firewall Threat Logs cannot be sent correctly in CEF format to an Azure Analytics Workspace using the Azure Log Analytics daemon. [BNNGF-97924]

  • Barracuda OS – The creation of an ART recovery backup fails. [BNNGF-98178]

  • Barracuda OS – GUI soft-activate causes fibre ports to go down. [BNNGF-98179]

  • Barracuda OS – Using non-ASCII characters in Description fields of the Translated HA IP configuration might cause errors during firmware upgrade. [BNNGF-98494]

  • Barracuda OS – On CGFs which are SE integrated, policies based on user groups are not matching for SE authenticated users. [BNNGF-98852]

  • Barracuda OS – The watchdog is inactive although it is enabled. [BNNGF-98881]

  • Barracuda OS – Applying a developer hotfix in the CC firmware management tab can cause the firewall to disappear. [BNNGF-98880]

  • Cloud Azure – Azure Log Streaming CEF via CGF Log Daemon currently does not work as expected. [BNNGF-98002]

  • Cloud Azure – The update to firmware 10.0.0 may break PAYG licenses in specific situations. [BNNGF-98883]

  • Control Center – Control Center 10.0.0 is unable to read SAML IDP metadata properly. [BNNGF-98588]

  • CudaLaunch – iPad Pro devices with a MagicKeyboard cause issues. [BNNGF-95273], [BNNGS-4004]
    Workaround: The issue is caused by iOS 18.0.1 and can be resolved by upgrading iOS to its newest version.

  • DNS - DynDNS updates from a client are not allowed. [BNNGF-98876]

  • DNS – The DNS service is denying dynamic DNS updates from the DHCP service. [BNNGF-98877]

  • Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported. [BNNGF-74540]
    Workaround: Blocking UDP/443 makes clients fall back to TCP, and then that app can be inspected.

  • Firewall – User agent apprule does not work as expected. [BNNGF-97989]

  • Firewall – DNAT with DNS object as target causes ‘Block local loop’. [BNNGF-98387]

  • REST – Currently, the endpoints for rulesets are disabled for policy rulesets. [BNNGF-94123]

  • REST – Changes to Shared Services Ruleset by REST API are not honored. [BNNGF-97993]

  • REST – REST API write access for creating a REST-API admin role and assigning it to an admin does not work as expected. [BNNGF-98447]

  • SSL-VPN and Cuda-Launch – Shared folders and files are no longer accessible via CudaLaunch if the name of the shared folder or file contains a blank space. [BNNGS-3970]
    Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20.

  • VPN – GTI editor displays either no priority ID or an incorrect one. [BNNGF-98585]