We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall F


  • Last updated on

If you are licensing a NextGen Control Center, a managed F-Series Firewall, or are using pool licenses, see Licensing F-Series Firewalls in the Control Center.

Single licenses for the NextGen Firewall F-Series and Control Center are bound to the MAC address of the first network interface.

NextGen Firewall F-Series Base Licenses

The F-Series Firewall base license gives you a next-generation firewall with the following features:

  • Application Control reporting
  • SSL Interception (available on all models, except F10 and F100)
  • WAN Optimization (compression, Traffic Intelligence, QoS, data caching)
  • Unlimited number of VPN clients (client-to-site, TINA, and IPsec VPN)

The following license types are available for your Barracuda NextGen Firewall:

Base license typeInstalled onLicense bound to
Hardware LicenseNextGen Firewall F-Series hardware appliance
  • MAC licenses
  • Pool licenses
Virtual License
  • VMware ESXi
  • Citrix XenServer
  • Xen
  • KVM
  • Microsoft Hyper-V
  • VMware vCloudAir
  • MAC licenses
  • Pool licenses
Cloud License - Azure
  • Microsoft Azure
  • MAC licenses (BYOL)
  • Pay-As-You-Go (PAYG) Hourly Rate
Cloud License - AWS
  • Amazon AWS
  • MAC licenses (BYOL)
  • Pay-As-You-Go Hourly Rate
Cloud License - Google Cloud
  • Google Compute Cloud
  • MAC licenses (BYOL)
Software License
(legacy phion customers only)
  • Standard Hardware
  • MAC licenses
  • Pool licenses
Hardware Appliances

A NextGen F-Series Firewall or Control Center hardware appliance is bound to a license on activation. If the appliance must be replaced (RMA), the existing license will be transferred to the replacement unit.

There are no capacity restrictions for hardware appliances. The only restriction is the system performance of the hardware itself. An unlimited number of protected IP addresses, SSL VPN users, and HTTP proxy users (Virus Scanner and Web Security Gateway) are included. SSL VPN and SSL Interception is included with every F-Series Firewall, except for the F10, F100, and F101 models.

Virtual Systems

Virtual systems are classified by a "capacity" number in the model name, which defines the number of protected firewall IPs, SSL VPN users, VPN users, and HTTP Proxy users (Virus Scanner and NG Web Filter). This number is enforced for all smaller models of the virtual appliance (NextGen Firewall VF10 - VF500). NextGen Firewall VF1000 to VF8000 do not set a software limit to the number of protected IP addresses; the capacity number still applies as a sizing recommendation. Depending on the model number, they are also limited by the number of CPU cores that can be used. You must assign the correct number of CPU to your NextGen Firewall or Control Center Vx. If you assign more CPU cores than covered by the license, the license state will be displayed as expired.

Legacy phion licenses do not distinguish between virtual and hardware licenses and also differ from Barracuda VF licenses. Users behind the HTTP Proxy service and client-to-site VPN users are not factored into the capacity number. Legacy phion licenses require an additional license for client-to-site VPN.

If you cannot adjust the number of CPU cores in your hypervisor, it might be necessary to configure the bootloader to use the number of licensed CPU cores. For more information on how to configure the bootloader, see How to Configure the Bootloader. The following table displays the capacity and the number of CPU cores for each NextGen Firewall Vx:

ModelCapacityLicensed number of CPU cores


There might be limitations to the number of network interfaces you can connect to your virtual host, depending on the license of your virtualization platform. Please check with your platform vendor.

Public Cloud Systems

F-Series Firewalls deployed in the Amazon AWS, Microsoft Azure, or Google Compute public clouds are not restricted to a capacity. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc...), you must have an active Energize Updates subscription. In addition to the services and features included with the Energize Updates subscription on other firewall models, the public cloud SSL VPN and NAC is also included for public cloud firewall BYOL licenses. And also in addition to the services and features included with the Energize Updates subscription on other firewall models, the SSL VPN browser portal and the Barracuda Network Access Client Windows Personal Firewall and Windows Health Check (via Access Control Service) is also included for public cloud firewall BYOL licenses.

Azure and AWS Pay-As-You-Go (PAYG) Licenses

You can choose to pay an hourly rate for your firewall in AWS or Azure. The PAYG license is generated and bound to the VM or instance on the first boot. For the license to be generated, DNS resolution and access to the Barracuda licensing servers on first boot is required. The PAYG license includes the following services:

  • Forwarding Firewall
  • VPN service
  • All services included in the Advanced Remote Access subscription
  • Mail Gateway
  • HTTP Proxy
  • SSH Proxy
  • DNS
  • SNMP
  • DHCP
  • DHCP Relay
  • FTP Gateway
  • Dynamic Routing
  • (If managed by a Control Center) Distributed Firewall

Public cloud license sizes:

  • Level 2 – 1 core
  • Level 4 – 2 cores
  • Level 6 – 4 cores
  • Level 8 – 8 cores

For more information, see Public Cloud Licensing Types.

Cold Spare Licensing

For redundancy, you can purchase an F-Series Firewall without a license and use it as a cold spare replacement. If the production unit fails, call Contacting Barracuda Networks Technical Support to transfer the license to the spare unit and continue normal operations.

Subscription Licenses

In addition to the base license, you can add the following subscriptions to use your firewall to its fullest extent:

Barracuda Energize Updates

This license is mandatory for every F-Series Firewall for the first year. The following features are included with Barracuda Energize Updates:

  • 24x5 technical support.
  • Application Control
  • Firmware updates
  • Application Control definition updates
  • IPS/IDS engine and signature updates
  • Barracuda Web Security Gateway
  • SSL VPN template updates

  • File Content definition updates
Malware Protection

Enables the Virus Scanner service. This license is available for all F-Series Firewalls except F10 and VF10.

Advanced Threat Protection

Enables ATP. A malware subscription license is required. The number of files you can upload per hour and per month are limited, depending on your firewall model. The number of files scanned are counted in the Barracuda ATP Cloud. If the local counter on your Firewall is reset, i.e., by reinstalling the OS, the local counter will be out-of-sync for the rest of the month. Limits still apply.

ModelBurst limit (files/min)Files per month
F18, F80, F180, F200, F201, F300, F3015108 000
F28010216 000
F38012260 000
F40015324 000
F60025540 000
F80035750 000
F900501 000 000
F1000on requeston request
AWS/Azure Level 25108 000
AWS/Azure Level 410216 000
AWS/Azure Level 615324 000
AWS/Azure Level 835750 000
VF25243 200
VF505108 000
VF10010216 000
VF25015324 000
VF50020432 000
VF100025540 000
VF200030648 000
VF400035750 000
VF8000501 000 000
Barracuda Advanced Remote Access

Enables the SSL VPN service and NAC support. Remote Access subscriptions are available for the NextGen Firewall F18 or larger and all NextGen Firewall Vx and public cloud models. For PAYG F-Series Firewalls in AWS and Azure, this subscription is automatically included.

Included SSL VPN Features:

  • Browser-based access via desktop and mobile portals
  • SSL VPN-based, server-side NAC
  • VPN templates for SSL VPN

Included Network Access Client Features:

  • Windows Personal Firewall
  • Windows Health Check via Access Control Service


  • iOS, Android, Windows, and macOS support  
  • Central management of accessible resources and VPN provisioning

User Session Limits

  • Unlimited concurrent SSL VPN user sessions
  • Unlimited concurrent CudaLaunch sessions
  • Multiple concurrent client-to-site VPN sessions by the same user when using VPN Group Policies
Barracuda NG Web Filter

Enables the Barracuda NG Web Filter service, which can use both online and offline databases.

Barracuda NG Web Security

Enables the Barracuda URL Filter service, and can use both online and offline databases and the Virus Scanner service.

Instant Replacement Service

Instant Replacement service includes the following features:

  • Replacement unit shipped next business day
  • 24x7 technical support
  • Hardware refresh every four years
Barracuda Web Security Service

NextGen Control Center Licensing

Barracuda NextGen Control Center licenses scale by the number of F-Series Firewalls that can be managed by the Control Center.

EditionModelSystem typeRanges (Configuration Groups)Clusters (Tenants)Number of managed firewallsHA licensePKI ServiceBarracuda Earth
StandardC400Hardware11Unlimited [Recommended: 20]OptionalNoNo
VC400Virtual11Unlimited [Recommended: 20]OptionalNoNo
VCC400Public Cloud11Unlimited [Recommended: 20]OptionalNoNo
EnterpriseC610Hardware1UnlimitedUnlimited [Recommended: 200]OptionalYesYes
VC610Virtual1UnlimitedUnlimited [Recommended: hardware-dependent]OptionalYesYes
VCC610Public Cloud1UnlimitedUnlimited [Recommended: cloud instance-dependent]OptionalYesYes
GlobalVC820Virtual5 (additional ranges optionally available)UnlimitedUnlimited [Recommended: hardware-dependent]IncludedYesYes

Next Steps

Last updated on