It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Gateway

What steps are necessary for a seamless replacement (RMA / Hardware Refresh) or new setup of a Barracuda Web filter(s)?

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00006850 

All Barracuda Web Filters, all Firmware versions.


Pertaining to:


1.       Replacing a dead unit, also if clustered.


2.       Replacing a Functional unit, also if clustered.


3.       Replacing an Older unit below serial range 180K as a very old build. (technicians can verify build from support tunnel)


4.       Replacing any unit with Backup file(s) saved.


5.       Replacing any unit Without Backup file(s) saved.


6.       Connection to BCC/BAC cloud portal access.


7.       Need of SSL cert if previously used.


Solutions below are not all inclusive of all concerns, but added for ease of assistance, You may need a solution not listed below !!

A dead or functional unit replacement details 

ITEMS to know before replacing the unit are. 

a.       Do you have a recent back up of unit settings and configuration saved?


b.      Some settings are not carried over, so you will still need to do some leg work. See Solution 6220

c.      Is this a dead unit replacement or functional unit still? A second unit can be setup side by side with a separate free IP set for page comparison setup.

d.      Is this in a cluster of units/Linked management or a separate unit only? In a cluster setup, there may be old data connecting the two units and may cause conflict if trying to re-connect the cluster without being sure the Good unit is not looking for the old serial number, per the bad units IP having a new serial number to associate it with get assistance from a support technician. See Solutions below for cluster concerns.

e.      Is this unit connected to BCC/BAC cloud portal access? We may need to clear out the old serial from the cloud, as an ID conflict can happen and fail with the new Serial and same IP. It is not creating a new key and does not match the key given to the older unit serial being checked. See solutions below for BCC/BAC.

f. Do you use SSL and a certificate that should be saved in a safe place already? if not then save it if the system is still accesible.


Best steps to replace a unit


Follow steps for previous unit, if operating still.


1.       Create a backup file set.


2.       Now also, you may create snapshots of each page to have a manually created visual backup of each page to refer to the setting you have presently. In case the backup fails in any way this is a benefit for detailed configurations that are more complicated, to re-configure easily when all else fails.


3.       NO data is transferable from the 6 months of logging archives saved on the web filter (you would have needed a syslog server doing that previously).


4.       If unit is clustered, move unit to standby and remove shared secret then delete other unit from each device. Now you should only see the local units serial number listed.



DO NOT RESTORE BACK-UP FILE ON NEW UNIT UNTIL LATER! To minimize any concerns of a backup file issue!

Please be advised, If a backup file was corrupted or failing to restore correctly, a re-image could be expected to start over cleanly.


Now to complete the setup


Follow steps needed, depending on the situation.


  1. Now setup the new devices LAN port to a switch with internet access and give it a usable IP address ( default is, net-mask range for accessing, a proper gateway, and two good DNS IPs. Proper gateway Solution number 4234

  2. On A Client PC within the accessible net-mask range of the web filter, Log into unit per setup instructions, see Barracuda Web Filter Quick Start Guide.

  3. Verify connectivity issues now with LAN and WAN, ports and cables used. Solution number 629. Concerns with DNS, gateway or link status may cause latency issues and functionality concerns, now or later.

  4. You may need to set static routes now for any users not on same subnet as the Web filters IP and subnet range in order to return traffic properly. Solution number 6041  also Best Practices of Web Filter Solution number 6370

  5. Now go to the Advanced tab> Energize updates page and click each definition update ( clicking category definitions may take about an hour to finalize, do not forget to update the rest of the page as needed, all the other definitions are maybe 10 minutes normally as a smaller definition size).

  6. Once tasks are finished, Now go to Basic tab> Administration page. Set your time zone to be correct (once all updates are finished!) this will reboot, upon saving changes immediately..

  7. Upon reboot, verify time zone is correct and the time, (if any traffic is proxied and hitting the web log from setup) verify the web log time is correct for recent traffic. If not, reboot again or call support to fix the time concernSolution numbers 2829 1508 5824 5886 6707

  8. Now verify the older units Firmware and be sure the new unit is equal to or greater than the firmware discovered on the older unit in production. From a backup file you may be able to edit or unzip and see the firmware version listed if unknown. Solution number 3989 and update accordingly.

  9. Once the unit has been brought to a stable point now and shows functional, you may either manually configure or restore your backup(s) now. Upon restoring you will be notified to reboot again to apply changes. Note: (IE may need compatibility mode set, or Firefox to see any popups or dialog information in order to continue restoring process, Chrome usually works well.) [13]Solution number 4283 there is also a newer solution on this concern.

  10. BCC/BAC connection concerns upon setting up again. Solution numbers to verify 6019 5453 5454 6478

  11. Clustering connection concerns upon setting up again. Solution numbers to verify 6564 6220 1492 6190 1871 5712

  12. SSL certificate to copy over to a new device from a previous unit (with SSL setup if previously) or if desired at this time. Solution number 6759

  13. For Authentication to function correctly again. Upon having LDAP with DC agents setup, the DC agents may need updating to properly function again. If it is already functioning, they may fail now unless updating each DC agent configuration (per LDAP solution below), so the DC Agent knows the temporary IP of the new Web filter (if the unit has already replaced the original IP used). The agent only knows what IP it should hand any log on events to, by adding it to the DC agent configuration (appliance page) on the DC server. LDAP and DC. Solution number 2865

SIDE NOTE: The best way to get all users back into the new filter (pre-deployment), is to setup with the DC agents talking to the IP of the filter. As the agent gets updated, all users seen via the DC, will be listed in the account view page by the time the system is re-deployed then, (then in the web log once traffic is seen), policy should now work as expected rather than blocking users as unauthenticated traffic - until a new event is created by the user.

Link to this page: