The Barracuda CloudGen Firewall supports various platforms. Licensing differs according to the platform the firewall is deployed on. Single licenses for the CloudGen Firewall and Control Center are bound to the MAC address of the first network interface.
Deployment Options: Which products are available on which platform?
The Barracuda CloudGen Firewall offers different kinds of deployment:
|Platform||CloudGen Firewall (F)||Control Center (CC)||Secure Access Controller (AC)||Secure Connector (SC)||License Type|
Barracuda Hardware Appliance (e.g., F380a)
|F||-||-||FSCA||F, TSF||Fp, TSFp|
|Virtual Appliance (e.g., VF500)||VF||VC||VFAC||-||VF||VFp|
|Standard Hardware Appliance (e.g., TSF1000)||TSF*||-||-||-||TSF||TSFp|
|Public Cloud Instance (Microsoft Azure, Amazon Web Services, Google Cloud Platform) – BYOL / PAYG||VFC||VCC||VACC||-||VFC||VFCp|
*TSF (termed SF) is the successor license to SF, which is end-of-sales.
In general, each deployment option has its individual license type. However, Barracuda hardware also accepts termed software licenses. The functionality and performance of the Barracuda hardware depends on the limits of the TSF license (maximum IPs, supported cores).
Base Licensing and Subscriptions
The CloudGen Firewall base license gives you a next-generation firewall with the following features:
- Application Control reporting
- SSL Inspection (available on all models, except F10 and F100)
- WAN Optimization (compression, Traffic Intelligence, QoS, data caching)
- Unlimited number of VPN clients (client-to-site, TINA, and IPsec VPN)
For more information, see Base Licenses.
In addition to the base license, you can add subscriptions for features such as Malware Protection, Advanced Threat Protection, and Remote Access. Feature sets and available add-on subscriptions may differ from product type or platform. For more information, see Subscriptions.
Management Options: How to manage licenses?
You can manage your Barracuda CloudGen Firewall individually as a stand-alone box or centrally via a Firewall Control Center (CC). There are two different kinds of license management concepts available:
- Single Licensing (F, VF, TSF, VFC) – Per-box license: This license is bound to the serial number or MAC address of the hardware. A 'non-managed, stand-alone box' is always single licensed. But single-licensed boxes can also be managed via a CC. Nevertheless, each license belongs specifically to one appliance. We refer to this as a 'managed, single-licensed box'.
- Enterprise Licensing (Fp, VFp, TSFp, VFCp) - a.k.a. Pool Licensing – Enterprise license (pool or float license): This license lets you centrally license and manage multiple boxes with one master license. Enterprise licensing can therefore only be used in conjunction with a Firewall Control Center. The pool license is bound to the customer account number and the CC’s ID (i.e., CC Master ID). A box licensed in this way is referred to as a 'managed, pool-licensed box'. For more information, see Enterprise Licensing (Pool).
Each kind of deployment has its own license type:
|Deployment||License Type||Single Licensed||Enterprise Licensed|
|Barracuda Hardware||Barracuda Hardware License (F, FSC)||Serial number||CC Master ID|
|Virtual Appliance||Virtual Appliance License (VF)||MAC Address||CC Master ID|
|Standard Hardware||Termed Software License (TSF)||MAC Address||CC Master ID|
|Cloud Instance||Cloud Instance License (VFC)||MAC Address||CC Master ID|
A CloudGen Firewall hardware appliance is bound to a license on activation. If the appliance must be replaced (RMA), the existing license will be transferred to the replacement unit. There are no capacity restrictions for hardware appliances. The only restriction is the system performance of the hardware itself. An unlimited number of protected IP addresses, SSL VPN users, and HTTP proxy users (Virus Scanner and Web Security Gateway) are included. SSL VPN and SSL Inspection is included with every CloudGen Firewall, except for the F10, F100, and F101 models.
Virtual and Software Models
Virtual systems are classified by a 'capacity' number in the model name, which defines the number of protected firewall IPs, SSL VPN users, VPN users, and HTTP Proxy users (Virus Scanner). This number is enforced for all smaller models of the virtual appliance (CloudGen Firewall VF10 - VF500). CloudGen Firewall VF1000 to VF8000 do not set a software limit to the number of protected IP addresses; the capacity number still applies as a sizing recommendation. Depending on the model number, they are also limited by the number of CPU cores that can be used. You must assign the correct number of CPU to your CloudGen Firewall or Control Center Vx. If you assign more CPU cores than covered by the license, the license state will be displayed as expired.
Legacy phion licenses do not distinguish between virtual and hardware licenses and also differ from Barracuda VF licenses. Users behind the HTTP Proxy service and client-to-site VPN users are not factored into the capacity number. Legacy phion licenses require an additional license for client-to-site VPN.
If you cannot adjust the number of CPU cores in your hypervisor, it might be necessary to configure the bootloader to use the number of licensed CPU cores.
The following table displays the capacity and the number of CPU cores for each CloudGen Firewall Vx:
|Model||Capacity (Protected IPs)||Number of Supported CPU Cores|
* Number of protected FW IPs, SSL VPN users, VPN users, and proxy users (AV + Web Filter)
Public Cloud Systems
Barracuda CloudGen Firewalls for the public cloud are licensed as BYOL (Bring-Your-Own-License) or as PAYG (Pay-As-You-Go). For BYOL, you need to purchase licenses directly from Barracuda Networks. After installing the cloud instance, the licenses can be downloaded via an online token and activated. Cloud instances with PAYG licensing are purchased directly at the cloud vendor’s marketplace. In this case, licenses are installed automatically in the background. Public cloud performance limitations are defined by level.
For more information, see Public Cloud Licensing.
Firewall Control Center
The Firewall Control Center license is installed on the box layer and the management interface of the Control Center. The Control Center manages, assigns, and updates VF and SF pool licenses for managed firewalls and can also automatically activate licenses.
Firewall Control Center licenses scale by the number of firewalls that can be managed by the Control Center.
|Edition||Model||System Type||Ranges (Configuration Groups)||Clusters (Tenants)||Number of Managed Firewalls||HA License||PKI Service||Barracuda Earth|
|Standard||VC400||Virtual||1||1||Unlimited [Recommended: 20]||Optional||No||No|
|VCC400||Public Cloud||1 (additional ranges optionally available)||1||Unlimited [Recommended: 20]||Optional||No||No|
|Enterprise||VC610||Virtual||1||Unlimited||Unlimited [Recommended: hardware-dependent]||Optional||Yes||Yes|
|VCC610||Public Cloud||2 (additional ranges optionally available)||Unlimited||Unlimited [Recommended: cloud instance-dependent]||Optional||Yes||Yes|
|Global||VC820||Virtual||5 (additional ranges optionally available)||Unlimited||Unlimited [Recommended: hardware-dependent]||Included||Yes||Yes|
In case of highly distributed environments (i.e., multiple firewalls) where a Control Center for central management is in use, Barracuda offers an enterprise licensing model, also known as pool licensing.
For more information, see Enterprise Licensing (Pool).
Cold Spare Licensing
For redundancy, you can purchase a CloudGen Firewall without a license and use it as a cold spare replacement. If the production unit fails, call to transfer the license to the spare unit and continue normal operations.