10.5.0 Migration Notes

Before You Begin

  • The information contained in this article applies insofar as it was not already taken into account in the 10.x migration notes.

  • The following instructions apply both to firewalls and Control Centers.

 

IMPORTANT

Before updating to firmware 10.5.0, ensure that the box identity certificates and keys are updated to a key length of 2048 bits or more!

 

After updating from either 8.3.x or 9.0.0, some installation files are not cleaned up as expected.
However, this does not have an impact on the proper functioning of version 10.5.0.

Updating from firmware >= 9.0.1 does not cause this issue and works as expected!

 

TLS inspection no longer supports hosts with SHA-1 signed certificates! (BNNGF-99949)
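
The key-length requirement and the SHA-1 cutoff above can both be checked on any certificate that is available as a PEM file. The following is an added example, not vendor tooling: it reads the text dump printed by openssl x509 -noout -text and flags RSA keys below 2048 bits and SHA-1 signatures. The function name, the finding labels, the file name box-cert.pem and the two sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor tooling. Feed it the text dump of a certificate:
#   openssl x509 -in box-cert.pem -noout -text | audit_cert_text
# (box-cert.pem is a hypothetical exported certificate file.)
# Prints one line per finding and returns 1; prints OK and returns 0 if clean.
audit_cert_text() {
  awk '
    /Signature Algorithm:/ && !sig { sig = $NF }   # first hit is the certificate signature
    /Public Key Algorithm:/        { alg = $NF }
    /Public-Key: \(/ {                             # "(2048 bit)" -> 2048
      n = $0; sub(/.*\(/, "", n); sub(/ bit.*/, "", n); bits = n + 0
    }
    END {
      # An RSA key whose size could not be parsed is reported as rsa=0.
      if (alg == "rsaEncryption" && bits < 2048) { print "WEAK_KEY rsa=" bits; bad = 1 }
      if (tolower(sig) ~ /sha1/) { print "SHA1_SIGNATURE " sig; bad = 1 }
      if (!bad) print "OK"
      exit bad + 0
    }'
}

# Constructed excerpts in the layout openssl prints (not taken from a real box).
SAMPLE_LEGACY='    Signature Algorithm: sha1WithRSAEncryption
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'
SAMPLE_CURRENT='    Signature Algorithm: sha256WithRSAEncryption
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

for sample in "$SAMPLE_LEGACY" "$SAMPLE_CURRENT"; do
  printf '%s\n' "$sample" | audit_cert_text || true
done
```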

 

IMPORTANT: FEC handling leads to a system crash. [BNNGF-100706]

You must disable FEC before updating to release 10.5.0 and must not re-enable it until the issue is fixed!

 

Barracuda Firewall Admin

After updating a system, you must also download Firewall Admin with the same version. Firewall Admin is backward-compatible. That means you can manage 8.x and 9.x F-Series Firewalls and Control Centers with Firewall Admin 10.x.

Always use the latest version of Barracuda Firewall Admin!

For downloading Barracuda Firewall Admin for release 10.5.0, use this link: Barracuda Firewall Admin 10.5.0-213.

 

CC-Admin Permissions

Permissions for the CC Control service are now strictly enforced in accordance with the admin’s assigned roles for the administrative scope. Please verify that the administrative roles allow the expected level of CC Control access, otherwise managed boxes may no longer appear in the Control tab on the Control Center.

An admin’s assigned roles can be seen in the Admins tab on the Control Center. The role’s CC Control permissions can be seen in Configuration > Global Settings > Administrative Roles > Open the role > Show CC Control Permissions.

 

Syslog Streaming from Managed Boxes to the Control Center using TLS

As of firmware release 10.0, if you are using syslog streaming, you can no longer use SSLv3. You must use TLS 1.2 instead.

To continue syslog streaming from managed 8.x/9.x boxes to the Control Center, you must perform the following steps for each managed box:

  1. Log into your Control Center at CC level.

  2. Create a 2048-bit box certificate for every managed box that is using syslog streaming with TLS.

  3. Copy the new box certificate to the clipboard.

  4. Log into the Control Center at box level.

  5. Go to CONFIGURATION > Config Tree > your range > your cluster > your box > Assigned Service > CC-Syslog-Service > CC Syslog Service > Trusted Data Reception.

  6. Click Lock.

  7. For TLS Protocol, select TLS 1.2 from the menu list.

  8. For Trusted Clients, replace the old box certificate with the new one in your clipboard.

  9. Click Send Changes/Activate.

 

Supported Models for Firmware Version 10.5

The following models are capable of running firmware version 10.5:

Barracuda CloudGen F-Series and Control Center Models

Hardware Systems: F12 Rev A, F18 Rev B, F80 Rev B, F82 Rev A, F93 Rev A, F180 Rev A/B, F183 Rev A, F183R Rev A, F193 Rev A, F280 Rev B/C, F380 Rev A/B, F400 Rev C, F600 Rev D, F800 Rev C/D, F900 Rev B/C, F1000 Rev A/B, F2000 Rev A

Virtual Systems: VF10, VF25, VF50, VF100, VF250, VF500, VF1000, VF2000, VF4000, VF8000, VC400, VC610, VC820

Virtual and Cloud Systems: VFC1, VFC2, VFC4, VFC6, VFC8, VFC16, VFC48 (model number represents number of supported cores)

WWAN USB Modems: M40, M41, M42

Secure Connectors: SC20a, SC21a, SC24a/b, SC25a/b, SC30a, SC31a, SC34a, SC35a, FSC20A, FSC21A, FSC24B, FSC25B, FSC30A, FSC31A, FSC34A, FSC35A

Public Cloud: AWS, Azure, Google Cloud

Virtual Platforms: VMware, Hyper-V, XEN, KVM (Proxmox running with KVM images)

 

Standard Hardware Systems

Standard Hardware: A standard hardware system is a Barracuda CloudGen Firewall F-Series running on 3rd-party server hardware using an SF license. Consult Barracuda Networks Technical Support to find out if your specific standard hardware is supported.

 

Disk Space Requirements

Upgrading to version 10.5.0 requires your disk partitions to have enough free disk space.

For your convenience, the hard disk layout is now re-partitioned automatically during the migration process!

You don’t have to do it manually.

 

Firmware 10.5.0 requires the following partition spaces:

Disk Space Requirements FIREWALL

  Hard Drive Partition    Disk Space Required
  swap                    2 GB
  boot                    1 GB
  /                       15 GB
  /phion0                 4 GB
  /art                    3 GB

Disk Space Requirements CONTROL CENTER

  Hard Drive Partition    Disk Space Required
  swap                    2 GB
  boot                    1 GB
  /                       15 GB
  /phion0                 4 GB
  /art                    10 GB

 

Migration Path to 10.5

Depending on your current firmware version, there are 2 options for migrating to firmware version 10.0.0:

  Current Operating Firmware    Update via        Target Firmware
  8.x                           9.0.5             10.5
  9.0.x                         -> DIRECTLY ->    10.5
  10.0.0                        -> DIRECTLY ->    10.5

 

Important Note before Upgrading to Release 10.5

The migration process to firmware version 10.5 will perform a large number of checks before the upgrade starts.

Migrating to firmware 10.5 will not be possible if any of the following conditions applies:

  • If the CPU does not support microarchitecture levels (i.e., x86-64-2), the upgrade is inhibited. For example, old ESXi versions lower than 6.7 will not be supported!

  • If the appliance is being managed by the Web UI, the upgrade is inhibited.

  • Unsupported hardware.

  • If the appliance is on legacy 3-layer architecture, the upgrade is inhibited.

  • If the appliance is on Azure and has a custom storage layout, the upgrade is inhibited.

  • If the appliance is on AWS EC2 and repartitioning is required, the upgrade is inhibited.

  • If the appliance is a CC, the upgrade is inhibited in the presence of:

    • Unsupported cluster releases <= 7.2

    • FW Audit Log service

    • PKI service

  • Updating will not be possible if keys with 1024 bit or less are present!
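
The CPU condition in the list above can be checked from a Linux shell before the upgrade is started, for example on a virtual machine whose hypervisor hides newer CPU features. This added example (not the vendor's migration check) compares the flags line of /proc/cpuinfo with the features required by the level the list calls x86-64-2 (x86-64-v2 in the usual naming). The function name and both cpuinfo samples are constructed.

```shell
#!/bin/sh
# Added example, not the vendor's migration check.
# Features that x86-64-v2 adds over baseline x86-64, spelled the way Linux
# lists them in /proc/cpuinfo (SSE3 shows up as "pni").
V2_FLAGS="cx16 lahf_lm popcnt pni sse4_1 sse4_2 ssse3"

# $1 = contents of /proc/cpuinfo. Prints the missing v2 flags, space-separated
# (empty output = level satisfied). No "flags" line means everything is missing.
missing_v2_flags() {
  flags=$(printf '%s\n' "$1" | awk -F: '/^flags/ { print $2; exit }')
  miss=""
  for f in $V2_FLAGS; do
    case " $flags " in
      *" $f "*) ;;                 # whole-word match, so "pni" never matches "avx512_vnni"
      *) miss="$miss $f" ;;
    esac
  done
  printf '%s' "${miss# }"
}

# Constructed samples: a guest with SSE4/POPCNT hidden, and one that meets the level.
CPU_MASKED='processor : 0
flags : fpu cx8 cmov mmx fxsr sse sse2 syscall nx lm pni ssse3 cx16 lahf_lm'
CPU_OK='processor : 0
flags : fpu cx8 cmov mmx fxsr sse sse2 syscall nx lm pni ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm'

for cpu in "$CPU_MASKED" "$CPU_OK"; do
  m=$(missing_v2_flags "$cpu")
  if [ -n "$m" ]; then echo "upgrade would be inhibited, missing: $m"
  else echo "x86-64-v2 features present"; fi
done
```

On a live system, pass the real data with missing_v2_flags "$(cat /proc/cpuinfo)".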

 

If any subsequent changes have been made to routes that were automatically generated from shared or static networks, those routes must be created manually after the update, and the automatically generated routes must be disabled!

 

Migration Instructions for 10.5

If Migrating from Version 8.x

First migrate your firmware to 9.0.5 according to 9.0.5 Migration Notes.

Afterwards, continue as follows:

Migrate to Version 10.5

Download the appropriate download file.

If Migrating from Version 9.0.5 to 10.5

Dear customer,

due to an unexpected issue, the download file has been withdrawn until the related issue is solved!

We are already working on that.

We apologize for any inconvenience.

Thank you.

 

Workaround:

In urgent cases, perform the following steps:

  1. Create a PAR file

  2. Download the ISO file for a clean installation:
    Barracuda CloudGen Firewall and Barracuda Firewall Control Center 10.5.0 ISO Image

  3. Perform a clean install.

  4. Restore the PAR file to your clean installation.

 

Note that due to the significant content updates in firmware version 10.5, the migration process will take at least 45 minutes for an F12!

Start the Update

You can now update the CloudGen Firewall or Control Center.

For more information, see Updating CloudGen Firewalls and Control Centers.

 

