It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall X

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

Release Notes 6.8.X

  • Last updated on

Please Read Before Upgrading

Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that are more current than the version that is running on your system.

Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the process takes longer, please contact Barracuda Networks Technical Support for further assistance.

What's New in Barracuda NextGen Firewall X-Series Version 6.8.3.007

Barracuda NextGen Firewall X-Series version 6.8.3.007 is a maintenance release and contains no new features.

If you are using local antivirus scanning, Barracuda Networks recommends upgrading all Barracuda NextGen Firewall X-Series (versions 6.6X, 6.7X, and 6.8X) to this firmware version for uninterrupted antivirus security coverage. 

In order for the changes to take effect, please restart the Virus Protection service by performing the following actions:

  1. Go to Firewall > Settings
  2. In the Virus Protection section, set Enable Virus Protection to No.
  3. Click Save to apply the changes.
  4. Enable Virus Protection by setting Enable Virus Protection to Yes.
  5. Click Save to apply the changes.
Firmware Improvements
  • Updates the authorization key for the embedded Avira Anti-Virus engine (BNF-6577)

What's New in Barracuda NextGen Firewall X-Series Version 6.8.3.006

Barracuda NextGen Firewall X-Series version 6.8.3.006 is a maintenance release and contains no new features.

To protect yourself against CVE-2016-0800 (DROWN) Barracuda Networks recommends to disable SSLv2 for all services. SSLv2 is disabled in the factory default settings. Check your SSLv2 settings in the following service configurations:

  • Firewall > Captive Portal > HTTPS CONFIGURATION > Encryption
  • VPN > SSL VPN > Server Settings
Firmware Improvements
  • Disabling SSLv2 disables the SSLv2 protocol not just SSLv2 ciphers for captive portal, URL Filter override and guest access web interfaces. (BNF-6267)

What's New in Barracuda NextGen Firewall X-Series Version 6.8.3.004

Barracuda NextGen Firewall X-Series version 6.8.3.004 is a maintenance release and contains no new features.

Firmware Improvements
  • Updated glibc library to mitigate potential remote code executions via specially crafted DNS response messages.  (CVE-2015-7547)

What's New in Barracuda NextGen Firewall X-Series Version 6.8.3.003

Barracuda NextGen Firewall X-Series version 6.8.3.003 is a maintenance release and contains no new features.

Firmware Improvements
  • Entering the certificate name and SUBALT name in the TS Agent authentication advanced settings now works as expected. (BNF-6061)
  • Entering data in the time dialogues using Firefox browsers now works as expected. (BNF-6054)
  • Updated online help for the HTTPS Configuration on the FIREWALL > Captive Portal page to match the UI. (BNF-6006)
  • Removing certificates assigned to the VPN service now works as expected. (BNF-5994) 
  • Accessing ADVANCED > Backup via Barracuda Cloud Control now works as expected. (BNF-5976)
  • Saving Balancing settings for DNAT access rules now works as expected. (BNF-5972)
  • The SIP proxy now passes the correct connection information to internal phones. (BNF-5962)
  • Saving health check probe IP addresses now works as expected. (BNF-5945)
  • Updated BIND to fix security vulnerability CVE-2015-8704 and CVE-2015-8705. (BNF-6139)

What's New in Barracuda NextGen Firewall X-Series Version 6.8.2.009

Barracuda NextGen Firewall X-Series version 6.8.2.009 is a maintenance release and contains no new features.

Firmware Improvements
  • Updated glibc library to mitigate potential remote code executions via specially crafted DNS response messages.  (CVE-2015-7547)
  • Updated BIND to fix security vulnerability CVE-2015-8704 and CVE-2015-8705. (BNF-6139)
  • The SIP proxy now passes the correct connection information to internal phones. (BNF-5962)

What's New in Barracuda NextGen Firewall X-Series Version 6.8.2.007

Barracuda NextGen Firewall X-Series version 6.8.2.007 is a maintenance release and contains no new features.

Firmware Improvements
  • Updated BIND to version 9.9.8P2 to fix the security vulnerability CVE-2015-8000.

What's New in Barracuda NextGen Firewall X-Series Version 6.8.2.005

URL Filter Override

WF_Override_UserGuide03.png

URL Filter Overrides grant temporary access to otherwise blocked URL categories. URL categories that are set to the override policy redirect the user to the customizable Override Block page. The override admin must grant the request for a specified time. After the request is granted, the user is automatically forwarded to the website. Overrides are always granted for the entire URL category.

For more information, see URL Filtering in the Firewall, How to Configure URL Filter Overrides and How to Grant URL Category Overrides - User Guide.

Wi-Fi AP Authentication

The Barracuda NextGen Firewall X-Series can authenticate users by using the authentication information from Aerohive, Aruba, and Ruckus wireless access points.

For more information, see How to Configure an External Authentication Service.

Release a DHCP Lease

dhcp_clear_lease_02.png

The Barracuda NextGen Firewall X-Series now supports clearing existing DHCP leases for inactive DHCP clients. The DHCP lease is then available for other DHCP clients.

For more information, see How to Configure the DHCP Server

Firmware Improvements
  • It is no longer possible to create static interfaces using main as the interface name. (BNF-5918)
  • Creating access rules no longer shows a warning in Firefox. (BNF-5910)
  • Disabling SSLv3 in ADVANCED > Secure Administration now works as expected. (BNF-5908)
  • Added option to use a VLAN interface for PPPoE connections. (BNF-5890)
  • Initiating a manual backup no longer changes the language of the web interface to the default language of the browser. (BNF-5855)
  • The Protect my Network wizard now shows the correct error message when configuring overlapping subnets. (BNF-5829)
  • Editing list-based application objects now works as expected. (BNF-5816)
  • Accessing the recovery console via directly attached VGA monitor and keyboard now works as expected. (BNF-5775, BNF-5813)
  • Enabling Barracuda Web Security Service now works as expected. (BNF-5798)
  • It is now possible to enter up to four DNS servers in the DHCP subnet configuration. (BNF-5763)
  • It is now possible to change the local certificate used for client-to-site VPN connections. (BNF-5749)
  • Newly created access rules are now displayed correctly in the ruleset. (BNF-5728)
  • Spotify on iOS devices is now detected correctly. (BNF-5554)
  • Updated OpenSSL to version 0.9.8zf to fix multiple vulnerabilities. (BNF-4718, BNSEC-5294)

What's New in Barracuda NextGen Firewall X-Series Version 6.8.1.008

Barracuda NextGen Firewall X-Series version 6.8.1.008 is a maintenance release and contains no new features.

Firmware Improvements
  • Added option to configure VLAN ID for PPPoE connections. (BNF-5887)
  • Updated bootloader configuration. (BNF-5869)
  • Fixed a memory leak in the Firewall service. (BNF-5862)

What's New in Barracuda NextGen Firewall X-Series Version 6.8.1.005

Barracuda NextGen Firewall X-Series version 6.8.1.005 is a maintenance release and contains no new features.

Firmware Improvements
  • It is now possible to set 0.0.0.0/0 as remote gateway IP address for IPsec VPN connections.
  • Barracuda NextGen Firewall X-Series now supports SHA256 and SHA512 as a choice for VPN site-to-site hash algorithms. 
  • Changed the Block Page editor font to be monospace instead of proportional. (BNF-5692)
  • Added a user authentication timeout to the Web Security Service settings so that customers can decide for how long the userid submitted to the Web Security Service should be considered valid. (BNF-5669)
  • Changed the default in the Certificate Manager for creation of new certificates. The check box: Disallow Private Key Download is now enabled per default for newly uploaded or created certs. (BNF-5731)
  • Log file rotation now works and starts as expected. (BNF-5759)
  • Fixed an issue where under heavy load the logs could fill up the log space before being automatically deleted. (BNF-5745)
  • Fix for CVE-2015-5477. (BNF-5753)
  • Fixed an issue where the VPN wizard created a certificate in the Certificate Manager that could not be deleted. (BNF-5744)
  • Fixed an issue where DHCP over a Wi-Fi interface that is also part of a bridge setup did not work correctly after box reboot. (BNF-5741)
  • Fixed an issue where the pop-up dialog for time and date in BASIC > Administration > TIME settings disappeared before the user could enter data. (BNF-5740)
  • Fixed an issue where the VPN CERTIFICATE POOL check failed when default was selected as certificate. (BNF-5715)
  • Fixed an issue where the Certificate Manager on model X100 showed SSL-VPN as usage although the X100 does not support SSL VPN. (BNF-5712)
  • Fixed an issue where it was not possible to add more than one SRV DNS record in the Authoritative DNS configuration. (BNf-5708)
  • Fixed an issue where the Summary screen of the Protect my network wizard contained incorrect information. (BNF-5700)
  • Fixed an issue where the weight values of network connection objects could not be changed. (BNF-5682)
  • Fixed an issue where the pop-ups in Advanced > Troubleshooting remained empty if the Barracuda NextGen Firewall X-Series was running for several days. (BNF-5671)
  • Fixed an issue where the CUSTOM FIREWALL ACCESS RULES window did not show a scroll bar. (BNF-5665)

What's New in Barracuda NextGen Firewall X-Series Version 6.8.0.007

Safe Search

Protect users behind a Barracuda NextGen Firewall X-Series from undesired content in search results by enabling Safe Search for the access rules handling web traffic. No configuration is required on the clients. The necessary parameters are automatically appended to the URL when the request is forwarded by the X-Series Firewall. Safe Search is supported for Google, Bing, and Yahoo search engines.

For more information, see How to Enforce SafeSearch in the Firewall.

YouTube For Schools

The Barracuda NextGen Firewall X-Series can transparently add YouTube for Schools restrictions for all connections the X-Series Firewall forwards to YouTube without the need to configure the clients. YouTube for Schools is configured directly in the access rules matching HTTP and HTTPS traffic connecting to YouTube.

For more information, see How to Enforce YouTube for Schools in the Firewall.

Custom Block Pages

virus_scanning_block_page_eicar.png

You can customize the block pages for Virus Scanner, URL Filter, Application Control, and SSL Inspection. Each page has a predefined list of placeholder objects that are replaced on-the-fly by the Barracuda NextGen Firewall X-Series when the block page is delivered to the client. HTTP connections blocked by a Block or Reset access rule can be redirected to an HTTP block page.

For more information, see Custom Block Pages.

Transparent Redirection

Transparent_Redirect.png

The Barracuda NextGen Firewall X-Series can transparently redirect all HTTP and HTTPS traffic to a Barracuda Web Filter or any other HTTP or HTTPS processing device. The Web Filter can then process the HTTP/HTTPS request using the original source and destination IP addresses. This allows the Web Filter to create meaningful statistics and connection information.

For more information, see How to Configure a Transparent Redirection to a Barracuda Web Security Gateway.

URL Filter Improvements

url_policy_warn_RN.png

In addition to Allow and Block, URL categories can now also be set to Warn or Alert. Warn allows the user to access the websites after clicking Continue on the URL Filter warning page. Alert silently logs that the user has accessed the website.

For more information, see URL Policy Objects.

Schedule Objects

Schedule objects are used as an additional matching criteria to restrict access and/or application rules to specific times and intervals. Schedule objects offer time granularity in minutes and completely replace time objects.  

For more information, see Schedule Objects.

Firmware Improvements
  • The Connection Object pop-over no longer displays the section title twice. (BNF-5622)
  • Setting encryption settings for the Captive Portal now works as expected. (BNF-5620)
  • It is now possible to create certificate signing requests (*.csr) with the Certificate Manager. (BNF-5598)
  • Added support for SHA256 and SHA512 to Phase 2 of the IPsec site-to-site configuration. (BNF-5595)
  • It is now possible to restart the authentication service on the ADVANCED > Expert Settings page. Append &expert=1 to the URL to enable expert mode. (BNF-5592)
  • Encapsulation for IPsec tunnels using NAT-T is now set correctly. (BNF-5571, BNF-5495)
  • Cloning Application Based Connection Objects now works as expected. (BNF-5559) 
  • Migrating SSL Interception certificates containing multiple (intermediate) certificates now works as expected. (BNF-5541) 
  • Alerts listed on the BASIC > Alerts page are now sorted from newest to oldest. (BNF-5536) 
  • The Directory browser now also works in combination with DC Agent authentication. (BNF-5513, BNF-5401)
  • It is now possible to use an @ in the SSID name. (BNF-5511)
  • Client-to-Site VPN traffic is no longer blocked if there is a MAC-based access rule. (BNF-5479)
  • Health check for external zones now works as expected. (BNF-5339)
  • Client-to-Site IPsec PSK connections no longer fill up the hard drive with excessive logging. (BNF-5241)
  • YouTube for Schools now works as expected when applying configuration changes to the unit. (BNF-5670)
Important Migration Steps
  • If the VPN Certificate Pool on the VPN > Settings page is set to default, make a dummy change to the VPN > Client-to-Site VPN configuration.

Known Issues and Limitations for 6.8
  • After saving an access rule or application policy for which you used the inline Create New feature, you must reload the page twice for the rule or policy to be displayed in the ruleset.
  • The Barracuda NextGen Firewall X-Series is designed to be used with a display resolution of 1280x1024 or higher. Use the browser zoom function to use the management interface on screens with a lower resolution.
  • When editing an access rule on a screen with a resolution of less than 1280x1024, the browser zoom function must be used to view the entire pop-over.

  • Safe Search cannot be enforced on Google Chrome browsers using the experimental QUIC protocol. Blocking UDP port 80 and 443 for clients using Google Chrome resolves this issue.
  • Smaller Barracuda NextGen Firewall X-Series models may take up to 10 minutes to verify the update package causing a browser timeout. Log in again to apply the update.

  • The SIP proxy cannot be used for external Barracuda Phone appliances. Use access rules to open the necessary ports instead.

  • If appending a port to the first target IP address of a DNAT access rule, the port is applied to all target IP addresses.

  • Barracuda NextGen Report Creator is only available for Windows 7, 8, and 8.1.

  • Inline editing or creation of connection objects is not possible for application-based connection objects.

  • Application-based connection objects cannot be renamed.

  • Application-based connection objects must be saved before adding link policy objects.