In these Release Notes:
Hotfixes included with Version 6.2.3
- Hotfix 818 – Control Center
- Hotfix 813 – DNS Server
- Hotfix 810 – SSL VPN
- Hotfix 805 – Cumulative Hotfix
- Hotfix 802 – HTTP Proxy
- Hotfix 800 – OpenSSL
What´s new in Version 18.104.22.168.3 is a maintenance release. No new features were added.
Improvements included in Version 6.2.3
Barracuda NextGen Admin
The FIREWALL > Monitor page now no longer crashes if an element is selected that is not supported by the firmware.
- Editing application rules with a large number of applications no longer causes NextGen Admin to crash. BNNGF-41417
- Firewall throughput exceeding 30 Gbps is now displayed correctly on the FIREWALL > Live page. BNNGF-36450
- Filtering IPv6 connections by their destination interface on the Firewall > Live and Firewall > History pages now works as expected. BNNGF-37137
- NextGen Admin is no longer supported for Windows Vista. BNNGF-41630
- NextGen Admin automatic session reconnection improvements. BNNGF-43601
- Available IPs in the Service Properties are now displayed correctly if the Secondary IP in the Server Properties is left empty. BNNGF-22643
- Full-screen command line apps are now displayed correctly in the NextGen Admin SSH tab. BNNGF-11234
- A warning is shown when connecting to a firewall running a newer firmware than is supported by this version of NextGen Admin. BNNGF-39095
- NextGen Admin dashboard stability improvements. BNNGF-42232
- IPv6 ICMP traffic no longer shows the ICMP identifier as the port on the FIREWALL > Live and FIREWALL > History pages. BNNGF-31417
- It is no longer possible to create or edit connection objects in the Host Firewall object viewer. BNNGF-29380
- Copying application rules using a custom application object to another ruleset now works as expected. BNNGF-39965
- The Max Entries setting on the FIREWALL > History page is now honored immediately without a manual refresh. BNNGF-41383
- The status icon of the CONTROL > Network page no longer displays an incorrect status after dynamic routing changes. BNNGF-30769
- NextGen Admin no longer cuts off the Phase 2 lifetimes in the site-to-site IPsec configuration dialog. BNNGF-42321
- Networks in the GTI Editor are no longer shown in phion (reverse CIDR) notation. BNNGF-41357
- The time stamp for the last successful IPS update is now displayed correctly. BNNGF-42374
- RDP clients using the Touch API to emulate the right-click now work as expected for NextGen Admin. BNNGF-27845
- When a service is restarted, the name of the service is now included in the log message. BNNGF-40650
- In the TINA VPN tunnel configuration dialog, the drop-down menu for the Compression parameter is now displayed correctly. BNNGF-41793
- The throughput of the network interfaces on CONTROL > Network is now shown in MBit instead of bps10. BNNGF-42329
- Updated the icon for the URL Filter policy action alert. BNNGF-43320
- IPS exception attributes are no longer replaced by wildcards when the IPS pattern for the exception has been removed by an IPS signature update. BNNGF-40600
- Sorting the user column in Grouped By User mode on the FIREWALL > User page now works as expected. BNNGF-39618
- Sorting the applications browser by risk now works as expected. BNNGF-42377
- If the user information is available, usernames are now displayed for firewall connection cache entries on the FIREWALL > History page. BNNGF-39617
- The error dialog warning stating that local changes have not been sent now includes the relevant configuration nodes. BNNGF-40010
Mitigated a hardware-related bug resulting in soft lockups on Barracuda Control Center C400. BNNGF-41683
- Updated OpenSSL to version 1.0.1u due to security vulnerability CVE-2016-6304.
Application Control statistics now work as expected when the Maximum sessions in the General Firewall Settings are set to a high value.
Time stamps in URL Filter log messages now use the configured time zone. BNNGF-40183
Virus Scanner and ATD
- Improved ATD file queue handling. BNNGF-40831
- Renaming executable files to file types not scanned by ATD no longer allows you to bypass the ATD scan. BNNGF-40350
- ClamAV freshclam fallback update method is now disabled by default. Legacy licensed firewalls must enable freshclam updates manually. BNNGF-42234
- Executable archives are now detected and handled correctly when scanned by ATD. BNNGF-41024
- It is now possible to add exceptions to the virus-scanned MIME types by entering the exempted MIME type with a prepended "!" in the Scanned MIME Types on the Security Policy page. E.g., !application/mapi-http BNNGF-43070
- The <factory-default-mime-types> now include all application/* MIME types. BNNGF-41376
- It is now possible to run the HTTP Proxy as a reverse proxy on a non-standard port in combination with the scan first, then deliver ATD policy. BNNGF-39655
- Manually deleting ATD files from the Scanned Files or Malicious Files tabs now marks them as deleted in the Top Threats dashboard element. BNNGF-39915
- It is no longer possible to manually quarantine mail attachments scanned by ATD to avoid the mail server IP address from being placed in quarantine. BNNGF-39476
- IPsec tunnel states are now correct in the box level SNMP service. BNNGF-40965
Mitigated a hardware-related bug resulting in soft lockups on Barracuda Control Center C400. BNNGF-41683
Added option to disable Replay Protection for IPsec IKEv1 site-to-site VPN tunnels by setting the Replay Window Size to -1. BNNGF-38991
- IKEv2 VPN tunnels configured on an older firmware version no longer break when the firmware is updated. BNNGF-40611
- Client-to-site VPN connections with the native Android IPsec VPN client now work as expected. BNNGF-36486
- Client-to-site certificate policies OID matching improvements. BNNGF-38545
- Renamed Server Key to Service key in the client-to-site personal license configuration dialog. BNNGF-42419
- The label of the Name column in the client-to-site VPN Clients Downloads section is now changed to Description to match the Upload dialog. BNNGF-43206
- It is now possible to click Send Changes without a dummy change when importing client-to-site profiles. BNNGF-42278
- Authenticating multiple users via NTLM for web forwards now works as expected. BNNGS-2356
- POST requests now work on WebApps that use SSO NTLM authentication. BNNGS-2609
- Updated HTTP Proxy to fix connection error handling.
- Multipath BGP routes handling improvements. BNNGF-43378
- The split-horizon parameter is now written to the RIP configuration file correctly. BNNGF-42843
- Routes learned via OSPF or BGP are now removed immediately if the associated interface goes down. BNNGF-40927
- Allow other interfaces in RIP filter configuration. BNNGF-35502
- Improved error handling for file and pattern updates of managed firewalls.
- Running multiple Wi-Fi services on Wi-Fi-enabled firewall models now works as expected. BNNGF-40173
- The BOOTP lease time is now handled correctly in the DHCP server configuration files. BNNGF-33394
- DHCP reservations can now use any IP address in the Used Subnet and no longer have to be outside of the DHCP pool range. BNNGF-40352
Public Cloud ( AWS/ Azure)
- XML parsing errors for IP Forward protection in Azure no longer occur. BNNGF-42117
- It is no longer possible to change the S-Series VIP network on the Secure Access Concentrator VPN service.
- After deleting and re-creating an S-Series VIP network, the correct CIDR network is used.
Issues resolved by hotfixes
The following hotfixes have been released for firmware version 6.2.3
Hotfix 849 - KRACK Attack
- Security fix for the WPA2 vulnerability.
- Web Security Gateway authentication schemes are currently not working. (BNNGF-45113)
- NextGen Firewall F10 Rev A: It is currently not possible to install a Barracuda NextGen Firewall F10 Rev A via F-Series Install. Install 6.2.2 and upgrade to 6.2.3 instead. (BNNGF-43579)
- In some cases Report Creator reports filtering for exactly one destination are empty.
- NextGen Admin: Activating a license can take up to 30 seconds, during which time the window seems unresponsive before the activation is completed. Use NextGen Admin version 7.0.0 or higher instead. (BNNGF-41343)
- NextGen Admin: It is possible to configure IPsec site-to-site tunnels on firewalls running 6.2.0 to use the ID type IPV4_ADDR_SUBNET (explicit), even though this is not supported. The IPsec tunnel cannot be established.
- IKEv2: When using a subnet as the remote gateway, you must configure an ID type.
- Azure: If the MAC address of the network interface changes between the time the firewall is deployed until it is licensed via Barracuda Activation in a Control Center, the wrong MAC address is used to activate the license.
- VMware: Network interfaces using the VMXNET3 driver do not send IPsec keepalive packets unless TX checksumming is disabled for the interface (ethtool -K INTERFACE tx off).
- URL Filter: F-Series Firewalls running 6.2.0 or higher that are managed by a Control Center using firmware 6.0.X or 6.1.X must complete a dummy change in the security policy whenever enabling/disabling the URL Filter in the General Firewall Settings.
Azure: After updating a firewall using Azure UDR via Azure Service Manager, the Deployment Type may be displayed incorrectly as y. This does not affect updating Azure UDR routes.
- SSL VPN: Some modern browsers such as Chrome and Firefox no longer support Java applets. Instead, use browsers with Java applet support, such as Internet Explorer or Safari.
- IKEv2: Disabling a site-to-site tunnel on the VPN > Site-to-Site page is not possible.
- IKEv2: Changing a setting for an IKEv2 tunnel disabled in the configuration causes all active IKEv2 tunnels to initiate a re-keying.
- IKEv2: Client certificate authentication for client-to-site IKEv2 IPsec VPNs requires X509 Certificate to be enabled in the VPN Settings. Enabling this setting requires all VPN group policies to use client certificate authentication.
IKEv2: After a restart, the Last Access and Last Duration time displayed for site-to-site IKEv2 IPsec tunnels is not reset.
- IKEv2: Using a hostname or subnets as Remote Gateway is currently not possible.
- IKEv2: Using pre-shared keys with IKEv2 client-to-site VPNs is not possible.
- IKEv2: Using X509 Subject Policy in a client-to-site Group VPN Settings is not possible.
- IKEv2: Changing client-to-site minimum and maximum lifetime values has no effect.
- IKEv2: Connecting to an IKEv2 IPsec client-to-site VPN using iOS or Android devices is not possible.
- IKEv2: You can only use MSAD authentication schemes for client-to-site IKEv2 IPsec VPNs.
- Azure Control Center: On first boot, "fatal" log messages may occur because master.conf is missing. These log messages can be ignored.
- IKEv1 IPsec: When using 0.0.0.0 as a local IKE Gateway, you must enable Use IPsec Dynamic IPs and restart the VPN service before a listener on 0.0.0.0 is created.
- HTTP Proxy: Custom block pages do not work for the HTTP Proxy when running on the same NextGen F-Series Firewall as the Firewall service. This issue does not occur when running the HTTP Proxy service on a second NextGen F-Series Firewall behind the NextGen F-Series Firewall running the Firewall service.
- SSL VPN: Favorites are not included in the PAR file.
- SSL VPN: Text fields do not accept the
- SSL VPN: The mobile navigation bar is missing from servers entered in the Allowed Hosts.
- SSL VPN: User Attributes do not support UTF-8.
- SSL VPN: The allowed host filter path must be unique.
- Safe Search: In some cases, YouTube safety mode does not work when logged in with a Google account.
- Safe Search: If Safe Search is enabled, it is not possible to log into YouTube when cookies are disabled.
- VPN Routing: When a duplicate route to an already existing VPN route in the main routing table is announced to the NextGen Firewall F-Series via RIP, OSPF, or BGP, a duplicate routing entry is created and the route that was added last is used.
VPN Routing: Creating a direct or gateway route with the same metric and destination as a VPN route in the main routing table results in duplicate routes. The route added last is used.
HTTP Proxy: Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
CC Wizard: The CC Wizard is currently not supported for Control Centers deployed using Barracuda F-Series Install.
ATD: Only the first URL in the Quarantine tab that leads to a quarantine entry is displayed, even if the user and/or IP address downloaded more than one infected file.This can be dangerous if the first downloaded file is a false-positive.
Barracuda NextGen Admin: SPoE does not work if an IPv6 virtual server IP address is used.
Barracuda OS: Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
Terminal Server Agent: It is not currently possible to assign connections to Windows networks shares to the actual user.
Firmware Update: Log messages similar to
WARNING: /lib/modules/22.214.171.124-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hwmay appear while updating, but can be ignored.
Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
Application Control and Virus Scanning: Data trickling is only done while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
Application Control and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
Application Control and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, a small amount of traffic may already have passed through the firewall.
Application Control and Virus Scanning: In rare cases, Google Play updates are sometimes delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports The archive couldn't be scanned completely. Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
Barracuda OS: Restoring units in default configuration with PAR files created on a Control Center may result in a corrupt virtual server. Instead, copy the PAR file to opt/phion/update/box.par and reboot the unit.
VPN: Rekeying does not currently work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated.