We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall


  • Last updated on

Single licenses for the CloudGen Firewall are bound to the MAC address of the first network interface.

Licenses and subscription updates for the CloudGen Firewall Web Interface are provided by the Barracuda Online database. The Energize Update subscription is mandatory and gets installed automatically.

CloudGen Firewall Base Licenses

The CloudGen Firewall base license gives you a next-generation firewall with the following features:

  • Application Control reporting
  • SSL Interception (available on all models, except F10 and F100)
  • WAN Optimization (compression, Traffic Intelligence, QoS, data caching)
  • Unlimited number of VPN clients (client-to-site, TINA, and IPsec VPN)

The following license types are available for your Barracuda CloudGen Firewall:

Base license type Installed on License bound to
Hardware License CloudGen Firewall F-Series hardware appliance
  • MAC licenses
  • Pool licenses
Virtual License
  • VMware ESXi
  • Citrix XenServer
  • Xen
  • KVM
  • Microsoft Hyper-V
  • VMware vCloudAir
  • MAC licenses
  • Pool licenses
Cloud License - Azure
  • Microsoft Azure
  • MAC licenses (BYOL)
  • Pay-As-You-Go (PAYG) Hourly Rate
Cloud License - AWS
  • Amazon AWS
  • MAC licenses (BYOL)
  • Pay-As-You-Go Hourly Rate
Cloud License - Google Cloud
  • Google Compute Cloud
  • MAC licenses (BYOL)
Software License
(legacy phion customers only)
  • Standard Hardware
  • MAC licenses
  • Pool licenses
Hardware Appliances

A CloudGen Firewall hardware appliance is bound to a license on activation. If the appliance must be replaced (RMA), the existing license will be transferred to the replacement unit.

There are no capacity restrictions for hardware appliances. The only restriction is the system performance of the hardware itself. An unlimited number of protected IP addresses, SSL VPN users, and HTTP proxy users (Virus Scanner and Web Security Gateway) are included. SSL VPN and SSL Interception is included with every firewall, except for the F10, F100, and F101 models.

Virtual Systems

Virtual systems are classified by a "capacity" number in the model name, which defines the number of protected firewall IPs, SSL VPN users, VPN users, and HTTP Proxy users (Virus Scanner and NG Web Filter). This number is enforced for all smaller models of the virtual appliance (CloudGen Firewall VF10 - VF500). CloudGen Firewall VF1000 to VF8000 do not set a software limit to the number of protected IP addresses; the capacity number still applies as a sizing recommendation. Depending on the model number, they are also limited by the number of CPU cores that can be used. You must assign the correct number of CPU to your CloudGen Firewall Vx. If you assign more CPU cores than covered by the license, the license state will be displayed as expired.

Legacy phion licenses do not distinguish between virtual and hardware licenses and also differ from Barracuda VF licenses. Users behind the HTTP Proxy service and client-to-site VPN users are not factored into the capacity number. Legacy phion licenses require an additional license for client-to-site VPN.

If you cannot adjust the number of CPU cores in your hypervisor, it might be necessary to configure the bootloader to use the number of licensed CPU cores. The following table displays the capacity and the number of CPU cores for each CloudGen Firewall Vx:

Model Capacity Licensed number of CPU cores
VF10 10 1
VF25 25 2
VF50 50 2
VF100 100 2
VF250 250 2
VF500 500 2
VF1000 unlimited 2
VF2000 unlimited 4
VF4000 unlimited 8
VF8000 unlimited


There might be limitations to the number of network interfaces you can connect to your virtual host, depending on the license of your virtualization platform. Please check with your platform vendor.

Public Cloud Systems

Firewalls deployed in the Amazon AWS, Microsoft Azure, or Google Compute public clouds are not restricted to a capacity. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc...), you must have an active Energize Updates subscription. In addition to the services and features included with the Energize Updates subscription on other firewall models, the public cloud SSL VPN and NAC is also included for public cloud firewall BYOL licenses. And also in addition to the services and features included with the Energize Updates subscription on other firewall models, the SSL VPN browser portal and the Barracuda Network Access Client Windows Personal Firewall and Windows Health Check (via Access Control Service) is also included for public cloud firewall BYOL licenses.

Azure and AWS Pay-As-You-Go (PAYG) Licenses

You can choose to pay an hourly rate for your firewall in AWS or Azure. The PAYG license is generated and bound to the VM or instance on the first boot. For the license to be generated, DNS resolution and access to the Barracuda licensing servers on first boot is required. The PAYG license includes the following services:

  • Forwarding Firewall
  • VPN service
  • All services included in the Advanced Remote Access subscription
  • Mail Gateway
  • HTTP Proxy
  • SSH Proxy
  • DNS
  • SNMP
  • DHCP
  • DHCP Relay
  • FTP Gateway
  • Dynamic Routing
  • (If managed by a Control Center) Distributed Firewall

For more information, see Public Cloud Licensing.

Cold Spare Licensing

For redundancy, you can purchase a CloudGen Firewall without a license and use it as a cold spare replacement. If the production unit fails, call Barracuda Networks Technical Support to transfer the license to the spare unit and continue normal operations.

Subscription Licenses

In addition to the base license, you can add the following subscriptions to use your firewall to its fullest extent:

Barracuda Energize Updates

This license is mandatory for every firewall for the first year. The following features are included with Barracuda Energize Updates:

  • 24x5 technical support.
  • Application Control
  • Firmware updates
  • Application Control definition updates
  • IPS/IDS engine and signature updates
  • Barracuda Web Security Gateway
  • SSL VPN template updates

  • File Content definition updates
Malware Protection

Enables the Virus Scanner service. This license is available for all CloudGen Firewalls except F10 and VF10.

Advanced Threat Protection

Enables ATP. A malware subscription license is required. The number of files you can upload per hour and per month are limited, depending on your firewall model. The number of files scanned are counted in the Barracuda ATP Cloud. If the local counter on your Firewall is reset, i.e., by reinstalling the OS, the local counter will be out-of-sync for the rest of the month. Limits still apply.

Model Burst limit (files/min) Files per month
F18, F80, F180, F200, F201, F300, F301 5 108 000
F280 10 216 000
F380 12 260 000
F400 15 324 000
F600 25 540 000
F800 35 750 000
F900 50 1 000 000
F1000 on request on request
AWS/Azure Level 2 5 108 000
AWS/Azure Level 4 10 216 000
AWS/Azure Level 6 15 324 000
AWS/Azure Level 8 35 750 000
VF25 2 43 200
VF50 5 108 000
VF100 10 216 000
VF250 15 324 000
VF500 20 432 000
VF1000 25 540 000
VF2000 30 648 000
VF4000 35 750 000
VF8000 50 1 000 000
Barracuda Advanced Remote Access

Enables the SSL VPN service and NAC support. Remote Access subscriptions are available for the CloudGen Firewall F80 or larger and all CloudGen Firewall Vx and public cloud models. For PAYG CloudGen Firewalls in AWS and Azure, this subscription is automatically included.

Included SSL VPN Features:

  • Browser-based access via desktop and mobile portals
  • SSL VPN-based, server-side NAC
  • VPN templates for SSL VPN

Included Network Access Client Features:

  • Windows Personal Firewall
  • Windows Health Check via Access Control Service


  • iOS, Android, Windows, and macOS support  
  • Central management of accessible resources and VPN provisioning

User Session Limits

  • Unlimited concurrent SSL VPN user sessions
  • Unlimited concurrent CudaLaunch sessions
  • Multiple concurrent client-to-site VPN sessions by the same user
Barracuda NG Web Filter

Enables the Barracuda NG Web Filter service, which can use both online and offline databases.

Barracuda NG Web Security

Enables the Barracuda URL Filter service, and can use both online and offline databases and the Virus Scanner service.

Instant Replacement Service

Instant Replacement service includes the following features:

  • Replacement unit shipped next business day
  • 24x7 technical support
  • Hardware refresh every four years
Barracuda Web Security Service

Firewall Control Center Licensing

Barracuda Firewall Control Center licenses scale by the number of firewalls that can be managed by the Control Center.

Edition Model System type Ranges (Configuration Groups) Clusters (Tenants) Number of managed firewalls HA license PKI Service Barracuda Earth
Standard C400 Hardware 1 1 Unlimited [Recommended: 20] Optional No No
VC400 Virtual 1 1 Unlimited [Recommended: 20] Optional No No
VCC400 Public Cloud 1 1 Unlimited [Recommended: 20] Optional No No
Enterprise C610 Hardware 1 Unlimited Unlimited [Recommended: 200] Optional Yes Yes
VC610 Virtual 1 Unlimited Unlimited [Recommended: hardware-dependent] Optional Yes Yes
VCC610 Public Cloud 1 Unlimited Unlimited [Recommended: cloud instance-dependent] Optional Yes Yes
Global VC820 Virtual 5 (additional ranges optionally available) Unlimited Unlimited [Recommended: hardware-dependent] Included Yes Yes

Next Steps

Last updated on