25 Aug Barracuda Networks Firewall Update: what’s new in Version 9.0.0?
Barracuda NextGen and CloudGen Firewall appliances remain rock solid for 10 years. Barracuda Networks continues to invest in necessary security firmware updates and upgrades. Find out what’s new in the latest firmware update in this blog post!
VFC Models – Consolidation of Cloud/VF/SF
- VFC licenses can be used for cloud, Vx, or standard hardware installation.
- VFC models are pure service licenses without an unlimited appliance license.
- The VFC model number represents the supported number of cores (VFC1 = 1 core, VFC2 = 2 cores, … VFC48 = 48 cores). Each VFC model handles unlimited protected IPs.
- There are two new models: VFC16 and VFC48.
The Advanced Threat Protection subscription now also works without the Malware Protection subscription added to the Energize Updates subscription. For the ATP subscription, the AV service needs to be enabled and configured. VFC models are pure service licenses without an unlimited appliance license. The base license expires with the EU term.
The Backup Daemon is a new feature that adds to the existing options for creating and restoring backups for and from stand-alone and managed firewalls. Unlike backups stored in PAR files at a user’s request, the Backup Daemon can be configured to operate autonomously at a scheduled time without any further intervention. The Backup Daemon operates on the box level of an unmanaged box, a CC-managed box, and a Control Center and must always be configured on the box level. The Backup Daemon can create backups of the firewall configurations on the box level, on the CC level, or on both the box and CC levels.
The Revision Control System (RCS) has been improved and now considers GTI. The Configuration Templates framework can now read the differences between ConfTemplates and instances in the RCS. When jumping back and forth between revisions, certificate references are re-established as expected. Also, the RCS now fully supports the logging of all VPN parameters.
Virtual MAC Addresses
The availability of an HA pair of CloudGen Firewalls can be compromised in networks where switches block ARP packets or where industrial TCP/IP stacks cannot send ARP packets for service IP addresses. To operate HA firewalls in such critical infrastructures, virtual MAC addresses can now be applied to an HA pair of CloudGen Firewalls, which improves the overall availability.
Automated Security Updates
Automated Security Updates is a new feature that allows you to configure the execution of scheduled firmware updates and is already activated on firmware 9.0.0. The feature runs on Control Centers and managed and stand-alone firewalls. Running the feature on the box level of a Control Center is the same as running the feature on a stand-alone firewall.
When logging into a firewall or Control Center with firmware 9.0.0 for the first time, you will be presented with a notification window informing you that Automated Security Updates is enabled by default. The window also contains information on where to disable the feature and where to change the configuration settings depending on the type of appliance.
Web Categorization Services (WCS) – Changes for URL Filters
Due to WCS upgrades, some URL Filter categories have changed. Barracuda Networks recommends checking your configuration if you are using URL Filters. In addition to improved efficacy, WCS 3.2 provides more categories that allow you to configure and refine even more granular URL policies.
Installation of Firmware Updates Using SSH
Manually installing a firmware update via SSH now requires explicitly passing the path to the package.
New Fields for the BGP Router Service
New configuration fields have been added to the BGP configuration window at CONFIGURATION > Configuration Tree > Assigned Services > OSPF/RIP/BGP Settings > Neighbor Setup IPv4, window Neighbors, section BGP Parameters.
The field Allow AS-in has been added to the BGP configuration in order to allow neighbors to inject routes when AS (Autonomous System) numbers are identical. The field ttl-security enforces the Generalized TTL Security Mechanism (GTSM), as specified in RFC 5082. Only neighbors that are the specified number of hops away will be allowed to become neighbors. This command is mutually exclusive with EBGP-multihop.
These fields are accessible in Firewall Admin only in Advanced mode.
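The following sketch is an added example, not Barracuda code, that models the TTL check behind ttl-security and shows why it cannot be combined with EBGP-multihop. The field names, the sample address 192.0.2.1 and the threshold convention (a directly connected peer counts as 1 hop, so the minimum accepted TTL is 255 - hops + 1) are assumptions; implementations differ by one in how they count hops.

```python
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255  # GTSM senders always transmit with TTL (Hop Limit) 255


@dataclass
class Neighbor:
    # Field names are hypothetical stand-ins for the two settings the text contrasts.
    address: str
    ttl_security_hops: Optional[int] = None  # GTSM: expected distance in hops
    ebgp_multihop: Optional[int] = None      # outbound TTL only, no inbound check


def validate(n: Neighbor) -> None:
    """Reject a neighbor that sets both mutually exclusive options."""
    if n.ttl_security_hops is not None and n.ebgp_multihop is not None:
        raise ValueError(f"{n.address}: ttl-security conflicts with ebgp-multihop")
    if n.ttl_security_hops is not None and not 1 <= n.ttl_security_hops <= 254:
        raise ValueError(f"{n.address}: hops must be between 1 and 254")


def min_accepted_ttl(hops: int) -> int:
    """Assumed convention: a directly connected peer counts as 1 hop."""
    return MAX_TTL - hops + 1


def ttl_on_arrival(sent_ttl: int, routers_crossed: int) -> int:
    """Each router on the path decrements the TTL by one."""
    return max(sent_ttl - routers_crossed, 0)


def accept(n: Neighbor, src: str, received_ttl: int) -> bool:
    """TTL-layer decision for a packet claiming to come from the neighbor."""
    validate(n)
    if src != n.address:
        return False
    if n.ttl_security_hops is None:
        return True  # without GTSM the received TTL is never inspected
    return received_ttl >= min_accepted_ttl(n.ttl_security_hops)


# Constructed sample: peer 192.0.2.1 is directly connected.
GTSM_PEER = Neighbor("192.0.2.1", ttl_security_hops=1)
MULTIHOP_PEER = Neighbor("192.0.2.1", ebgp_multihop=5)
```

A packet that crossed any router cannot arrive with TTL 255, so a forged source address alone does not pass the GTSM check, whereas the multihop neighbor accepts it at this layer.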
HTTP/2 for CloudGen Firewall
The CloudGen Firewall fully supports HTTP/2 data streams. The following firewall features now cover the HTTP/2 standard:
- Application Control
- SSL Inspection
- URL filtering
- Virus scanning
- Content detection
- Archive scanning
- Google account control
- Search string logging
- Safe search
Note that the firewall currently only supports “Deliver first, then scan” for HTTP/2.
Clone Wizard Improvements
An appliance can now be cloned into another target cluster while considering certain ‘names’ configured by the user.
RSA-ACE SecurID Authentication
The configuration method and the related user interface for RSA-ACE SecurID Authentication have been reworked.
The configuration templates have been improved and include multiple new ConfTemplate units. For example, these new ConfTemplate units not only support configuring networks, routes, VLANs, or authentication, among many others, but now also cover new features developed for release 9.0.0, such as Automated Security Updates or the Backup Daemon. Also, a new pool object has been created to support the automated allocation of VIPs and MIPs in conjunction with ConfTemplates.
CGF Policy Profiles
As of Barracuda CloudGen Firewall release 9.0.0, it is possible to enable Policy Profiles for rule sets on the Distributed Firewall. When switching to Policy Profiles, all local and special rule sets are set to use policies as well.