Single licenses for the NextGen Firewall F-Series and Control Center are bound to the MAC address of the first network interface.
NextGen Firewall F-Series Base Licenses
The F-Series Firewall base license gives you a next-generation firewall with the following features:
- Application Control reporting
- SSL Interception (available on all models, except F10 and F100)
- WAN Optimization (compression, Traffic Intelligence, QoS, data caching)
- Unlimited number of VPN clients (client-to-site, TINA, and IPsec VPN)
The following license types are available for your Barracuda NextGen Firewall:
|Base license type||Installed on||License bound to|
|Hardware License||NextGen Firewall F-Series hardware appliance|
|Virtual License |
|Cloud License - Azure |
|Cloud License - AWS|
|Cloud License - Google Cloud|
|Software License |
(legacy phion customers only)
A NextGen F-Series Firewall or Control Center hardware appliance is bound to a license on activation. If the appliance must be replaced (RMA), the existing license will be transferred to the replacement unit.
There are no capacity restrictions for hardware appliances. The only restriction is the system performance of the hardware itself. An unlimited number of protected IP addresses, SSL VPN users, and HTTP proxy users (Virus Scanner and Web Security Gateway) are included. SSL VPN and SSL Interception is included with every F-Series Firewall, except for the F10, F100, and F101 models.
Virtual systems are classified by a "capacity" number in the model name, which defines the number of protected firewall IPs, SSL VPN users, VPN users, and HTTP Proxy users (Virus Scanner and NG Web Filter). This number is enforced for all smaller models of the virtual appliance (NextGen Firewall VF10 - VF500). NextGen Firewall VF1000 to VF8000 do not set a software limit to the number of protected IP addresses; the capacity number still applies as a sizing recommendation. Depending on the model number, they are also limited by the number of CPU cores that can be used. You must assign the correct number of CPU to your NextGen Firewall or Control Center Vx. If you assign more CPU cores than covered by the license, the license state will be displayed as expired.
Legacy phion licenses do not distinguish between virtual and hardware licenses and also differ from Barracuda VF licenses. Users behind the HTTP Proxy service and client-to-site VPN users are not factored into the capacity number. Legacy phion licenses require an additional license for client-to-site VPN.
If you cannot adjust the number of CPU cores in your hypervisor, it might be necessary to configure the bootloader to use the number of licensed CPU cores. For more information on how to configure the bootloader, see How to Configure the Bootloader. The following table displays the capacity and the number of CPU cores for each NextGen Firewall Vx:
|Model||Capacity||Licensed number of CPU cores|
Public Cloud Systems
F-Series Firewalls deployed in the Amazon AWS, Microsoft Azure, or Google Compute public clouds are not restricted to a capacity. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc...), you must have an active Energize Updates subscription. In addition to the services and features included with the Energize Updates subscription on other firewall models, the public cloud SSL VPN and NAC is also included for public cloud firewall BYOL licenses. And also in addition to the services and features included with the Energize Updates subscription on other firewall models, the SSL VPN browser portal and the Barracuda Network Access Client Windows Personal Firewall and Windows Health Check (via Access Control Service) is also included for public cloud firewall BYOL licenses.
Azure and AWS Pay-As-You-Go (PAYG) Licenses
You can choose to pay an hourly rate for your firewall in AWS or Azure. The PAYG license is generated and bound to the VM or instance on the first boot. For the license to be generated, DNS resolution and access to the Barracuda licensing servers on first boot is required. The PAYG license includes the following services:
- Forwarding Firewall
- VPN service
- All services included in the Advanced Remote Access subscription
- Mail Gateway
- HTTP Proxy
- SSH Proxy
- DHCP Relay
- FTP Gateway
- Dynamic Routing
- (If managed by a Control Center) Distributed Firewall
Public cloud license sizes:
- Level 2 – 1 core
- Level 4 – 2 cores
- Level 6 – 4 cores
- Level 8 – 8 cores
For more information, see Public Cloud Licensing Types.
Cold Spare Licensing
For redundancy, you can purchase an F-Series Firewall without a license and use it as a cold spare replacement. If the production unit fails, call Contacting Barracuda Networks Technical Support to transfer the license to the spare unit and continue normal operations.
In addition to the base license, you can add the following subscriptions to use your firewall to its fullest extent:
Barracuda Energize Updates
This license is mandatory for every F-Series Firewall for the first year. The following features are included with Barracuda Energize Updates:
- 24x5 technical support.
- Application Control
- Firmware updates
- Application Control definition updates
- IPS/IDS engine and signature updates
- Barracuda Web Security Gateway
SSL VPN template updates
- File Content definition updates
Enables the Virus Scanner service. This license is available for all F-Series Firewalls except F10 and VF10.
Advanced Threat Protection
Enables ATP. A malware subscription license is required. The number of files you can upload per hour and per month are limited, depending on your firewall model. The number of files scanned are counted in the Barracuda ATP Cloud. If the local counter on your Firewall is reset, i.e., by reinstalling the OS, the local counter will be out-of-sync for the rest of the month. Limits still apply.
|Model||Burst limit (files/min)||Files per month|
|F18, F80, F180, F200, F201, F300, F301||5||108 000|
|F900||50||1 000 000|
|F1000||on request||on request|
|AWS/Azure Level 2||5||108 000|
|AWS/Azure Level 4||10||216 000|
|AWS/Azure Level 6||15||324 000|
|AWS/Azure Level 8||35||750 000|
|VF8000||50||1 000 000|
Barracuda Advanced Remote Access
Enables the SSL VPN service and NAC support. Remote Access subscriptions are available for the NextGen Firewall F18 or larger and all NextGen Firewall Vx and public cloud models. For PAYG F-Series Firewalls in AWS and Azure, this subscription is automatically included.
Included SSL VPN Features:
- Browser-based access via desktop and mobile portals
- SSL VPN-based, server-side NAC
- VPN templates for SSL VPN
Included Network Access Client Features:
- Windows Personal Firewall
- Windows Health Check via Access Control Service
- iOS, Android, Windows, and macOS support
- Central management of accessible resources and VPN provisioning
User Session Limits
- Unlimited concurrent SSL VPN user sessions
- Unlimited concurrent CudaLaunch sessions
- Multiple concurrent client-to-site VPN sessions by the same user when using VPN Group Policies
Barracuda NG Web Filter
Enables the Barracuda NG Web Filter service, which can use both online and offline databases.
Barracuda NG Web Security
Enables the Barracuda URL Filter service, and can use both online and offline databases and the Virus Scanner service.
Instant Replacement Service
Instant Replacement service includes the following features:
- Replacement unit shipped next business day
- 24x7 technical support
- Hardware refresh every four years
Barracuda Web Security Service
NextGen Control Center Licensing
Barracuda NextGen Control Center licenses scale by the number of F-Series Firewalls that can be managed by the Control Center.
|Edition||Model||System type||Ranges (Configuration Groups)||Clusters (Tenants)||Number of managed firewalls||HA license||PKI Service||Barracuda Earth|
|Standard||C400||Hardware||1||1||Unlimited [Recommended: 20]||Optional||No||No|
|VC400||Virtual||1||1||Unlimited [Recommended: 20]||Optional||No||No|
|VCC400||Public Cloud||1||1||Unlimited [Recommended: 20]||Optional||No||No|
|Enterprise||C610||Hardware||1||Unlimited||Unlimited [Recommended: 200]||Optional||Yes||Yes|
|VC610||Virtual||1||Unlimited||Unlimited [Recommended: hardware-dependent]||Optional||Yes||Yes|
|VCC610||Public Cloud||1||Unlimited||Unlimited [Recommended: cloud instance-dependent]||Optional||Yes||Yes|
|Global||VC820||Virtual||5 (additional ranges optionally available)||Unlimited||Unlimited [Recommended: hardware-dependent]||Included||Yes||Yes|