It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

7.2.4 Migration Notes

  • Last updated on

Migration Path to 7.2.4

You can upgrade to firmware 7.2.4 from the following firmware versions:

Current VersionTarget Version
 7.2.4
6.0.0 - 6.0.7 Yes
6.1.0 - 6.1.3 Yes
6.2.0 - 6.2.4 Yes
7.0.0 - 7.0.4

Yes

7.1.0 EA - 7.1.5 Yes
7.2.0 EA1
Yes
7.2.1 EA2 Yes
7.2.2 Yes
7.2.3 Yes

Direct updating from firmware 5.x to 7.2.x is not possible. For more information, see Migrating from 5.4.x to 6.0.x .

Read the Release Notes, especially the Known Issues section, for the firmware version that you want to update to.

For more information, see  7.2.4 Release Notes .

Support for Barracuda Reporting Server

With firmware release 7.2.4, support for the Barracuda Reporting Server will be replaced by support for Barracuda Firewall Insights. For more Information, see Firewall Insights.

Review Upgrade Requirements 

Verify that your CloudGen Firewall or Control Center meets the upgrade requirements, and read the release notes for the firmware version.

Supported Models

You can upgrade the following CloudGen Firewall models to 7.2.4:

Barracuda CloudGen F-Series and Control Center Models

Hardware Systems

F10 Rev B, F12 Rev A, F15 Rev A/B, F18 Rev A, F80 Rev A/B, F82 Rev A, F100 Rev B, F101 Rev B, F180 Rev A, F183 Rev A, F183R Rev A, F200 Rev C, F201 Rev C, F280 Rev A/B, F300 Rev B, F301 Rev B, F380 Rev A, F400 Rev B, F600 Rev C, F600 Rev D, F800 Rev B/C, F900 Rev A/B, F1000 Rev A, C400, C610

Virtual Systems

VF10, VF25, VF50, VF100, VF250, VF500, VF1000, VF2000, VF4000, VF8000, VC400, VC610, VC820, VFAC400, VFAC610, VFAC820

Public CloudAWS, Azure, Google Cloud

Standard Hardware Systems

Standard Hardware

A standard hardware system is a Barracuda CloudGen Firewall F-Series running on 3rd-party server hardware using an SF license. Consult the Barracuda Networks Technical Support to find out if your specific standard hardware is supported.

Disk Space Requirements

To upgrade a system to version 7.2.4, you must have at least 50 MB of free space in the /boot/ partition and at lea st 2.1 GB in the / (root) partition. If you are upgrading an F10 Rev B, F100 Rev B, F101 Rev B, verify that enough disk space is available:

flash_free_disk_space.png

To free up disk space, download the following cleanup script, and apply it via remote execution to centrally managed firewalls. For stand-alone firewalls, the script can be executed locally on firewall.

Upgrading One Firewall in a High Availability Cluster

If you are upgrading a firewall in a high availability (HA) cluster without upgrading its partner, you must re-synchronize the firewalls: 

  1. Go to FIREWALL > Live > Show Proc.
  2. Select the Sync Handler process and select Kill Selected.
    The process is automatically restarted after a couple of seconds, and the primary and secondary firewalls automatically synchronize their sessions.
Barracuda Firewall Admin

After updating a system, you must also download Firewall Admin with the same version. Firewall Admin is backward-compatible. That means you can manage 5.2.x, 5.4.x, 6.x and 7.x F-Series Firewalls and Control Centers with Firewall Admin 7.2.4.

Always use the latest version of Barracuda Firewall Admin.

Migration Instructions for 7.2.4

When upgrading according to the migration path above, you must complete the migration steps listed below:

Change to List of Available Ports for Barracuda Download Servers

Barracuda Networks download servers no longer provide downloads on port 8000. Instead, downloads are delivered only through ports 80 and 443.

For more information, see Best Practice - Hostname List for Barracuda Online Services.

Source-Based VPN Routing Table Entries

If you are using source-based VPN routing tables, you have the option of moving the entries to the main routing table. For this, you must set the switch Add VPN Routes to Main Routing Table (Single Routing Table) to yes in CONFIGURATION > Configuration Tree > your virtual server > VPN > VPN Settings > Server Settings.

Unlike before, entries with identical destination addresses in the main routing table are now aggregated regardless of their source address to save valuable memory for even more routing entries. You must be aware that when moving source-based VPN routing entries to the main routing table, the source address of a VPN routing entry will be ignored. Therefore, if you want to route VPN traffic based on a special source address, it is recommended not to use the option as described above.

Firewall Activity Log

When updating a box to 7.2.4, logging of the actions Drop/Remove is disabled by default.

In case the log policy Activity Log Data is set to Log-Info-Text, the setting needs to re-configured after the update to 7.2.4. The update will introduce the default value Log-Info-Code.

Update for SNMP, PHION-MIB.txt File

A new PHION-MIB.txt file is provided that solves an issue where throughput data now can exceed the limit of a 32-bit integer. If your CloudGen Firewall is also part of your SNMP, you should download this new file version. For more information, see PHION-MIB Field Descriptions.

Transfer and Reassign Certificates

In case you are running a stand-alone firewall and want to manage it in a Control Center, all certificates stored in the local Certificate Store must be saved on the stand-alone firewall, imported to the Certificate Store on the Control Center, and reassigned at their appropriate location of usage. For more information, see How to Import an Existing CloudGen Firewall into a Control Center.

SSL VPN, NAC, and SSL VPN Authentication

SSL VPN authentication and NAC are automatically migrated into the default access control policy.

For more information, see How to Configure Access Control Policies for Multi-Factor and Multi-Policy Authentication.

ECDSA SSH Key

Depending on the cipher preferred by the SSH client, you may be prompted to accept the new ECSDA key.

authentication_check.png

Rename SSL Interception

SSL Interception has been renamed to SSL Inspection.

Initial Grace Period for Default Password

When licensing a hardware appliance or a virtual firewall, the initial default password must be immediately changed to a new password after logging in. The new password will be valid even after the license has expired.

Start the Update

You can now update the CloudGen Firewall or Control Center.

For more information, see Updating CloudGen Firewalls and Control Centers.