Single licenses for the CloudGen Firewall are bound to the MAC address of the first network interface.
CloudGen Firewall Base Licenses
The CloudGen Firewall base license gives you a next-generation firewall with the following features:
- Application Control reporting
- SSL Interception (available on all models, except F10 and F100)
- WAN Optimization (compression, Traffic Intelligence, QoS, data caching)
- Unlimited number of VPN clients (client-to-site, TINA, and IPsec VPN)
The following license types are available for your Barracuda CloudGen Firewall:
|Base license type||Installed on||License bound to|
|Hardware License||CloudGen Firewall F-Series hardware appliance||
|Cloud License - Azure
|Cloud License - AWS||
|Cloud License - Google Cloud||
(legacy phion customers only)
A CloudGen Firewall hardware appliance is bound to a license on activation. If the appliance must be replaced (RMA), the existing license will be transferred to the replacement unit.
There are no capacity restrictions for hardware appliances. The only restriction is the system performance of the hardware itself. An unlimited number of protected IP addresses, SSL VPN users, and HTTP proxy users (Virus Scanner and Web Security Gateway) are included. SSL VPN and SSL Interception is included with every firewall, except for the F10, F100, and F101 models.
Virtual systems are classified by a "capacity" number in the model name, which defines the number of protected firewall IPs, SSL VPN users, VPN users, and HTTP Proxy users (Virus Scanner and NG Web Filter). This number is enforced for all smaller models of the virtual appliance (CloudGen Firewall VF10 - VF500). CloudGen Firewall VF1000 to VF8000 do not set a software limit to the number of protected IP addresses; the capacity number still applies as a sizing recommendation. Depending on the model number, they are also limited by the number of CPU cores that can be used. You must assign the correct number of CPU to your CloudGen Firewall Vx. If you assign more CPU cores than covered by the license, the license state will be displayed as expired.
Legacy phion licenses do not distinguish between virtual and hardware licenses and also differ from Barracuda VF licenses. Users behind the HTTP Proxy service and client-to-site VPN users are not factored into the capacity number. Legacy phion licenses require an additional license for client-to-site VPN.
If you cannot adjust the number of CPU cores in your hypervisor, it might be necessary to configure the bootloader to use the number of licensed CPU cores. The following table displays the capacity and the number of CPU cores for each CloudGen Firewall Vx:
|Model||Capacity||Licensed number of CPU cores|
Public Cloud Systems
Firewalls deployed in the Amazon AWS, Microsoft Azure, or Google Compute public clouds are not restricted to a capacity. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc...), you must have an active Energize Updates subscription. In addition to the services and features included with the Energize Updates subscription on other firewall models, the public cloud SSL VPN and NAC is also included for public cloud firewall BYOL licenses. And also in addition to the services and features included with the Energize Updates subscription on other firewall models, the SSL VPN browser portal and the Barracuda Network Access Client Windows Personal Firewall and Windows Health Check (via Access Control Service) is also included for public cloud firewall BYOL licenses.
Azure and AWS Pay-As-You-Go (PAYG) Licenses
You can choose to pay an hourly rate for your firewall in AWS or Azure. The PAYG license is generated and bound to the VM or instance on the first boot. For the license to be generated, DNS resolution and access to the Barracuda licensing servers on first boot is required. The PAYG license includes the following services:
- Forwarding Firewall
- VPN service
- All services included in the Advanced Remote Access subscription
- Mail Gateway
- HTTP Proxy
- SSH Proxy
- DHCP Relay
- FTP Gateway
- Dynamic Routing
- (If managed by a Control Center) Distributed Firewall
For more information, see Public Cloud Licensing.
Cold Spare Licensing
For redundancy, you can purchase a CloudGen Firewall without a license and use it as a cold spare replacement. If the production unit fails, call to transfer the license to the spare unit and continue normal operations.
In addition to the base license, you can add the following subscriptions to use your firewall to its fullest extent:
Barracuda Energize Updates
This license is mandatory for every firewall for the first year. The following features are included with Barracuda Energize Updates:
- 24x5 technical support.
- Application Control
- Firmware updates
- Application Control definition updates
- IPS/IDS engine and signature updates
- Barracuda Web Security Gateway
SSL VPN template updates
- File Content definition updates
Enables the Virus Scanner service. This license is available for all CloudGen Firewalls except F10 and VF10.
Advanced Threat Protection
Enables ATP. A malware subscription license is required. The number of files you can upload per hour and per month are limited, depending on your firewall model. The number of files scanned are counted in the Barracuda ATP Cloud. If the local counter on your Firewall is reset, i.e., by reinstalling the OS, the local counter will be out-of-sync for the rest of the month. Limits still apply.
|Model||Burst limit (files/min)||Files per month|
|F18, F80, F180, F200, F201, F300, F301||5||108 000|
|F900||50||1 000 000|
|F1000||on request||on request|
|AWS/Azure Level 2||5||108 000|
|AWS/Azure Level 4||10||216 000|
|AWS/Azure Level 6||15||324 000|
|AWS/Azure Level 8||35||750 000|
|VF8000||50||1 000 000|
Barracuda Advanced Remote Access
Enables the SSL VPN service and NAC support. Remote Access subscriptions are available for the CloudGen Firewall F80 or larger and all CloudGen Firewall Vx and public cloud models. For PAYG CloudGen Firewalls in AWS and Azure, this subscription is automatically included.
Included SSL VPN Features:
- Browser-based access via desktop and mobile portals
- SSL VPN-based, server-side NAC
- VPN templates for SSL VPN
Included Network Access Client Features:
- Windows Personal Firewall
- Windows Health Check via Access Control Service
- iOS, Android, Windows, and macOS support
- Central management of accessible resources and VPN provisioning
User Session Limits
- Unlimited concurrent SSL VPN user sessions
- Unlimited concurrent CudaLaunch sessions
- Multiple concurrent client-to-site VPN sessions by the same user
Barracuda NG Web Filter
Enables the Barracuda NG Web Filter service, which can use both online and offline databases.
Barracuda NG Web Security
Enables the Barracuda URL Filter service, and can use both online and offline databases and the Virus Scanner service.
Instant Replacement Service
Instant Replacement service includes the following features:
- Replacement unit shipped next business day
- 24x7 technical support
- Hardware refresh every four years
Barracuda Web Security Service
Firewall Control Center Licensing
Barracuda Firewall Control Center licenses scale by the number of firewalls that can be managed by the Control Center.
|Edition||Model||System type||Ranges (Configuration Groups)||Clusters (Tenants)||Number of managed firewalls||HA license||PKI Service||Barracuda Earth|
|Standard||C400||Hardware||1||1||Unlimited [Recommended: 20]||Optional||No||No|
|VC400||Virtual||1||1||Unlimited [Recommended: 20]||Optional||No||No|
|VCC400||Public Cloud||1||1||Unlimited [Recommended: 20]||Optional||No||No|
|Enterprise||C610||Hardware||1||Unlimited||Unlimited [Recommended: 200]||Optional||Yes||Yes|
|VC610||Virtual||1||Unlimited||Unlimited [Recommended: hardware-dependent]||Optional||Yes||Yes|
|VCC610||Public Cloud||1||Unlimited||Unlimited [Recommended: cloud instance-dependent]||Optional||Yes||Yes|
|Global||VC820||Virtual||5 (additional ranges optionally available)||Unlimited||Unlimited [Recommended: hardware-dependent]||Included||Yes||Yes|