10.5.0 Release Notes


As the CloudGen Firewall has evolved over the years with its increasing number of features, the Release Notes articles have grown accordingly. This, in turn, has also added greatly to the number of entries in the menu column.

To make the Release Notes articles easier to read, they are now equipped with support elements that provide a better overview of all sections contained while making it easier to navigate between and within these sections.

Each of these sections can be expanded and collapsed separately to show only what you are interested in. Simply click below a header line to expand or collapse a section.

Note that, depending on the release, the sections can vary both in content and number. In addition, a headline may be appended with certain symbols with the following meaning:

Critical information to be considered.

Important information included in the section.

Updated information available.

Product-related information, e.g., new features, resolved bugs.

Product-related information that relates to known bugs.

Note that regular information boxes in blue are not explicitly marked in the headline but may still appear in a section.

Each section can be expanded individually for informational or printing purposes.


Important Announcements and Notes for Release 10.5.0

Read this section before you continue with the Release Notes below.

Installation of Firmware 10.5.0

IMPORTANT

Before updating to firmware 10.5.0, ensure that the box identity certificates and keys are updated to a length of 2048 bits!

 

After updating to release 10.0.0 from 8.3.x or 9.0.0, some files from the installation are not cleaned up as expected.
However, this doesn't have an impact on properly running firmware 10.5.0.

Updating from firmware >= 9.0.1 doesn’t cause this issue and works as expected!

Encryption, Weak Ciphers

NOTE:

As of firmware release 10.0, specific features no longer support weak ciphers for security reasons:

  • NTP peering no longer works with SHA1. [BNNGF-97461]

  • Syslog Streaming:

    • Syslog streaming across TCP TLS connections no longer accepts RSA public key sizes of 1024 bits or less. [BNNGF-97492]

    • TLS Protocol with SSLv3 is no longer supported by the newer OpenSSL versions and has been deprecated. [BNNGF-97493]

    • If you are using syslog streaming, you must take the following measures:

      • For every CGF-managed box, you must check the bit length used for syslog streaming.

      • For every CGF-managed box that sends logs to the CC via Syslog Streaming, you must change the TLS protocol to at least TLS 1.2 and change the configuration to a larger bit length at Syslog Config > Trusted Clients.

For more information before migrating to 10.0.0, see 10.0.0 Migration Notes.

 

TLS inspection no longer supports hosts with SHA-1 signed certificates! (BNNGF-99949)
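The key-length and SHA-1 requirements above (2048-bit box keys, no RSA keys of 1024 bits or less for syslog streaming, no SHA-1 signed certificates) can be checked on exported PEM files before the update. The script below is an added example, not part of the original release notes and not Barracuda tooling; it assumes the certificates and keys have been exported as unencrypted PEM files (the file names are hypothetical) and that the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example (not vendor tooling): audit exported PEM files against the
# requirements in these notes: RSA keys of at least 2048 bits, no SHA-1
# signed certificates. File names passed on the command line are assumptions.

MIN_RSA_BITS=2048

# stdin: `openssl ... -noout -text` output; prints the key size in bits.
# Matches "RSA Public-Key: (1024 bit)" (OpenSSL 1.1.1) as well as
# "Public-Key: (2048 bit)" and "Private-Key: (2048 bit, 2 primes)" (3.x).
key_bits_from_text() {
    sed -n 's/.*-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# stdin: x509 text output; prints the first "Signature Algorithm" value.
sigalg_from_text() {
    sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Succeeds for SHA-1 based names such as sha1WithRSAEncryption or
# ecdsa-with-SHA1. RSA-PSS keeps its hash on a separate line and is not covered.
is_sha1_sigalg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        sha1*|*sha1) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: openssl text output for one file; $1: label for the verdict line.
# Returns 0 = OK, 1 = WEAK, 2 = output could not be parsed.
audit_text() {
    label=$1
    text=$(cat)
    status=OK
    bits=$(printf '%s\n' "$text" | key_bits_from_text)
    if [ -z "$bits" ]; then
        printf 'UNKNOWN: %s (no key size in openssl output)\n' "$label"
        return 2
    fi
    if printf '%s\n' "$text" | grep -qi 'modulus:'; then
        detail="RSA $bits bit"
        [ "$bits" -ge "$MIN_RSA_BITS" ] || status=WEAK
    else
        detail="non-RSA key, $bits bit"   # EC sizes are not comparable to RSA
    fi
    alg=$(printf '%s\n' "$text" | sigalg_from_text)
    if [ -n "$alg" ]; then
        detail="$detail, $alg"
        if is_sha1_sigalg "$alg"; then status=WEAK; fi
    fi
    printf '%s: %s (%s)\n' "$status" "$label" "$detail"
    [ "$status" = OK ]
}

# Pick the openssl subcommand from the first PEM header in the file.
# Key material is only piped into audit_text, never printed.
audit_file() {
    pem=$1
    case "$(sed -n '/-----BEGIN/{p;q;}' "$pem")" in
        *CERTIFICATE*) openssl x509 -in "$pem" -noout -text ;;
        *PUBLIC*)      openssl pkey -pubin -in "$pem" -noout -text ;;
        *)             openssl pkey -in "$pem" -noout -text ;;
    esac 2>/dev/null | audit_text "$pem"
}

main() {
    rc=0
    for arg in "$@"; do
        audit_file "$arg" || rc=1
    done
    return "$rc"
}

main "$@"
```

Run it with the exported files as arguments; the exit status is non-zero if any file is reported as WEAK or UNKNOWN.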

 

The Explicit Transport Listening IP field in VPN GTI Settings now displays network addresses in CIDR instead of Phion notation. [BNNGF-99632]

 

Access Rules and TLS

Access rules with a user agent policy must have TLS added as additional protocol so that the policy matches properly. [BNNGF-97989]

 

SNMP

NOTE:

The SNMP value for active C2S connections is wrong. [BNNGF-94918]
Removing the file vpnstatus.db will solve the issue.

 

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

Licensing

Virtual images are now distributed with the VFC model preset by default because the VF model is deprecated!


General and Maintenance Information for the 10.5.0 Release Notes 

Firmware version 10.5.0 is a major release.

Before installing the new firmware version:

Do not manually reboot your system at any time during the update unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes.

To keep our customers informed, the history of this Release Notes article, the "Known Issues" list (at the end of this article), and the release of hotfixes resolving these known issues are now updated regularly. If there are intermediate updates to this release, the corresponding notes can be found in this info box.

10.03.2025 – Release of firmware 10.5.0

18.3.2025 – Release of Hotfix 1160 - IPS FPU state handling for CGF/SE 10.0.1
For more information, see HF-1160 - IPS FPU State Handling for CGF/SE 10.0.1.

24.3.2026 – Release of Hotfix 1159 - FEC handling leads to system crash.
For more information, see FEC handling leads to system crash.

7.4.2026 – Release of update package including a fix for a reboot loop which occurred in specific situations.

5.5.2026 - Release of Hotfix 1168 - Cumulative for CGF 10.5.0
For more information, see https://dlportal.barracudanetworks.com/#/packages/6497/cumulative-1168-10.5.0-277548623.tgz.

 

Recommendations and Prerequisites for Running Firmware Release 10.5.0

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 10.5.0, Barracuda Networks recommends using at least Firewall Admin version 10.5.0. You can download this version here: Barracuda Firewall Admin 10.5.0-213.

Who Can Update to Firmware Release 10.5.0

Read the Migration Notes 10.5.0 before updating to firmware 10.5.0.

For more information on the migration process, see the 10.5.0 Migration Notes.


Update Information for 10.5.0 

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Will Become Obsolete in an Upcoming Release (after 10.5)

CGA Proxy

The CGA Proxy will be phased out in an upcoming release.

CudaLaunch & SSL-VPN

CudaLaunch and SSL-VPN will be phased out in an upcoming release and will be replaced with SecureEdge Access.

 

Features that Are No Longer Included in this Version 10.5

If you require one of the listed features, do not update to this firmware version!

SF Licensing

Old SF licensing is no longer supported and has been phased out.

Cloud Deprecations

The following features are no longer part of the 10.0 firmware release:

  • AutoVPN

  • Metered billing

  • Azure Security Center Support

ClamAV

ClamAV has been removed in firmware 10.0.

M30 Modem

The M30 modem is no longer supported.

OMS Agent, Azure Log Monitor Agent

The OMS Agent and the Azure Log Monitor Agent have been replaced with Azure Log API.

Branch Office Box VPN Compression

The “BoB” Branch Office Box VPN Compression is no longer supported by release 10.0.

New Features in Version 10.5.0 

Firmware 10.5.0 is a major release.

Hardware

A new hardware appliance is now available under the label F2000 Rev. A.

For more information, see F2000 Revision A.

 

Authentication

Security Group Tags

The CloudGen Firewall now supports Security Group Tags to control the flow of information in a Cisco Trusted Network in conjunction with an Identity Service Engine running pxGrid 2.0.

For more information, see How to Configure Security Group Tags (SGTs).

Besides the main configuration, the SGT feature will show up at different locations in the user interface:

  • User Objects – CONFIGURATION > Config Tree > Signed Services > Firewall > Forwarding Rules > Firewall Objects > User and Groups, main view: New… window Edit/Create User Object > New…, right view Policy Patterns, button Add SGT… .

  • Create New Policy – CONFIGURATION > Config Tree > Signed Services > Firewall > Policy Profiles > Applications, main view: Add Policy, window Create New Policy, section Criteria, menu list for Users:

    sgt_create_new_policy_users.png

  • Access Rule – CONFIGURATION > Config Tree > Signed Services > Firewall > Forwarding Rules > Access rules:

    sgt_access_rule_authenticated_user_menu_list.png

 

OAuth2 Authentication

“Open Authorization” as an open standard for access delegation has been added as a new feature to the list of authentication schemes.

For more information, see How to Configure OAuth2.0 Authentication.

Reporting Enhancements - Extended Firewall History

As of this firmware release 10.5.0, the user is provided the option of writing the firewall’s history in extended form into a dedicated database. If this option is activated, a related button will be displayed in FIREWALL > History.

For more information, see General Firewall Configuration.

SMTP-Authentication for Notifications

Notifications now also support SMTP via OAuth2 (Azure Entra).

For more information, see

Authentication Test

You can now perform an authentication test for newly configured authentication schemes. You must first configure the authentication scheme and can then test it with real user data entered in the test view.

You can invoke the test page at CONTROL > Box, left menu column, Authentication Test.

authentication_test_window.png

If a new scheme is available, it will be indicated by the entry Do Authentication Test. In the dialog window presented next, enter your credentials in the related input fields and click Do Test.

 

Barracuda Firewall Admin

Single Sign On

As of firmware release 10.5.0, Barracuda Firewall Admin now supports Single Sign On (SSO) into the firewall.

FWA_SSO_dialog.png

This option is available after enabling it explicitly.

For more information, see How to Enable Single Sign On (SSO) for Logging into Barracuda Firewall Admin.

Firewall Admin Settings

The option for Always use Session Password (recommended) has been removed at Firewall settings, Client Settings > Authentication.

Extended Firewall History

The firewall history view at CONFIGURATION > FIREWALL > History now provides the option of writing the view’s entries into a history database.

For more information, see General Firewall Configuration.

Auto-Lock for Service Tabs

Double-clicking on a service tab in the configuration tree while keeping the CTRL-button pressed will open the related service label in the ribbon bar and immediately put the service node into locked mode.

Switching from a CC User Interface Item directly to a Related Box

When you are logged into a Control Center and the EVENTS view presents the full list of events from managed boxes, you can now switch directly from an event entry to the related box:

CC_events_log_into_box_screenshot_small.png

The entry is based on the template “Log in to Box <yourbox>”.

 

VPN-GTI Editor

A new filter system has been implemented for the VPN GTI Editor.

You can access and configure this filter by invoking the VPN GTI Editor on the required level (global, range, or cluster), and then bringing the Services tab to the front.

gti_editor_new_filter_system_overview.png

When clicking the down-arrow on the upper-right corner, you can invoke a help-page that describes the various options of how to feed the edit line to set up a correct filter.

 

External Feeds

The Control Center now provides an additional option for file updates: External Feeds.

External Feeds provide the option of importing IP addresses and networks into Global Firewall Objects which can then be forwarded to managed firewalls to be considered in an access rule.

For more information, see https://documentation.campus.barracuda.com/wiki/spaces/CGFv105/pages/379094774.

 

Configuration Origins

Creating a new configuration for a Control Center or a CloudGen Firewall is usually done interactively by an administrator in Barracuda Firewall Admin. However, configurations can also be created automatically by the ConfTemplate framework or by another mastering instance like in SecureEdge.

The Configuration Origins feature has been implemented to enable an administrator/user to determine which source controls the parameter in question.

A parameter can be configured, modified, or deleted by three sources:

  • Manually by a user

  • Through the ConfTemplates framework

  • By a SecureEdge instance

Indicator for Source of Control

If a parameter is controlled by manual editing, a ‘pencil’ symbol to the left of the edit field indicates this in the related configuration view. If the parameter is controlled by ConfTemplates, the user sees an ‘eye’ symbol instead, indicating that the ConfTemplate-controlled parameter is now in ‘read only’ mode for manual modification. The same applies to a ConfTemplate-managed parameter if the parameter is controlled by a SecureEdge instance.

In short, the following list of priorities applies:

  1. SecureEdge (highest)

  2. ConfTemplate

  3. Manual (lowest)

 

REST

The REST framework has been improved at several places.

Sharing Explicit Policy Profiles

Shared Policies can now be created, updated, deleted, listed, and shared:

https://<REST-API-IP>:8443/rest/cc/v1/config/ranges/<range>/clusters/<cluster>/boxes/b1/service-container/<service>/firewall/policies/<policyType>/config

The policyType can be one of the following:

  • fileContent

  • malwareProtection

  • urlFiltering

  • userAgent

  • ips

  • tlsInsepction

  • applications

  • sdwan

 

It then can be referenced on a global, range, or cluster level:

https://<REST-API-IP>:8443/rest/cc/v1/config/ranges/<range>/clusters/<cluster>/boxes/b1/service-container/<service>/firewall/policies/<policyType>/mode

 

Custom Applications

REST API endpoints were added to create, update, delete, list and read custom applications according to these two application types:

custom_application_types.png

Node Locking

Before these improvements, the whole box node had to be locked to edit or modify one of the box's subnodes. As of firmware 10.5.0, the affected node can be locked via its REST endpoint without preventing other administrators from accessing another node on the same node level of the box.

RCS Messages for ConfTemplates

RCS commit messages can now be specified in the ConfTemplates REST API endpoints.

Access Rules

ConfUnits have been updated and now support access rules.

 

Resetting a ConfTemplates Instance to its Originating ConfTemplate

Sometimes a user wants to reset a specific ConfTemplate instance to its originating ConfTemplate. This can now be performed by using the following REST API command:

curl --request POST \
  --url 'https://<REST-API-IP>:8443/rest/cc/v1/ranges/<range>/clusters/<cluster>/boxes/<box>/resetToConfTemplate' \
  --header 'Authorization: Basic cm9vdDphOjphYWM3NzQ0M2RmNzdmNDRkMjJmZmNhMWY1ZDJiODdjMA=='

 

ConfTemplates Improvements

ConfTemplates Accessibility via Tab

The Configuration Templates window is now displayed as part of a ‘Tab’ in the ribbon bar. This provides a higher degree of flexibility during configuration processes so that a user can switch from the ConfTemplates view to another view related to another tab.

cc_conftemplates_as_tab_view.png

 

Simplification of ConfTemplates Configuration

In the Configuration Units view, the parameter Configuration Unit Condition has been removed. Existing ConfTemplates will not be affected; the parameter will continue to be evaluated. However, as of firmware 10.5.0, it is no longer necessary to configure this parameter.

The Template Binding parameter has been removed because its relevance has been replaced by the new Configuration Origins feature.

 

Telemetry

The list of telemetry has been updated with new parameters:

For more information, see https://documentation.campus.barracuda.com/wiki/spaces/CGFv105/pages/379094195.

 

 

Resolved Bugs and Improvements in Release 10.5.0

Box Installations, Installer Update
  • An installer script no longer terminates unexpectedly before the end of the update procedure. [BNNGF-98039]

  • Filesystem checks after updating now work as expected without user interaction. [BNNGF-100500]

Authentication
  • Parsing errors for SAML no longer occur. [BNNGF-94863]

  • When some of many RADIUS servers become unavailable, requests to the remaining servers are now performed correctly. [BNNGF-95928]

  • Mismatches of users in the authentication database no longer occur in specific situations. [BNNGF-96407]

  • SAML no longer runs into errors in specific situations. [BNNGF-96557]

  • The Message-Authenticator attribute in RADIUS authentication is now calculated correctly. [BNNGF-96737]

  • Firewall authentication with SAML now works as expected. [BNNGF-97079]

  • Parsing data for authentication purposes no longer fails in specific situations. [BNNGF-98408]

  • An issue was fixed where users sporadically lost access to their ZTNA resources. [BNNGF-98480]

  • 10.0.0 Control Centers now read SAML IDP metadata correctly. [BNNGF-98588]

  • RADIUS authentication with Cisco ISE now works as expected. [BNNGF-99473]

  • The system now correctly maintains HA configurations and licenses of an HA setup. [BNNGF-99841]

  • The TS-client now works as expected if multiple terminal servers start up in parallel. [BNNGF-99922]

Barracuda Firewall Admin
  • The space character is now allowed to be used in Admin Password. [BNNGF-74733]

  • The new parameter Terminate Session on Interface Change has been added to the rule editor in the section Dynamic Interface Handling. [BNNGF-81936]

  • A new Authentication Test feature has been added to the CloudGen firewall. [BNNGF-94035]

  • The Priority (fka Transport ID) has been reintroduced for rulesets and FW Live for the ruleset feature level 9.0 and above. [BNNGF-95872]

  • The field Usage Count in Firewall > Forwarding Rules no longer displays negative values and stays empty if the counter is 0. [BNNGF-96693]

  • To avoid long waiting times and occasional out-of-memory crashes, Firewall Admin does not load all history entries by default. [BNNGF-97037]

  • The maximum size limit for compiled FW rulesets has been added to General Firewall Settings > Operational, section Ruleset Related Settings as the field Ruleset Size Limit Mode. [BNNGF-97496]

  • Barracuda Firewall Admin no longer crashes when opening the URL Filter policy. [BNNGF-97779]

  • Barracuda Firewall Admin no longer mistakenly sets the priority in GTI setups with more than one transport per class. [BNNGF-97888]

  • The label Transport ID has been replaced by the new UI label Priority at several places in the UI. [BNNGF-97895]

  • When creating a site-to-site TINA tunnel for config version 8.3 in Firewall Admin, the transport class for BULK is now set correctly. [BNNGF-97899]

  • VPN site-to-site configurations no longer cause issues when they are transferred between different firmware versions via import/export/RCS. [BNNGF-97947]

  • Potential inconsistencies in GTI TINA transports concerning either the newly introduced priority field (as of version 9.0) or the previously used transport ID will be automatically resolved. [BNNGF-97953]

  • Cluster migration is denied if a node or a sub-node in that cluster has been added, modified, or removed without an activation. [BNNGF-97960]

  • The handling of columns in the Live/History/Threat view and their visual organization has been improved. [BNNGF-97995]

  • Barracuda Firewall Admin no longer crashes accidentally when clicking on a tab. [BNNGF-97996]

  • Barracuda Firewall Admin now allows modifying user interface items only at places where it is officially allowed. [BNNGF-98031]

  • Closing a tab with a right-button click now works as expected. [BNNGF-98041]

  • Barracuda Firewall Admin no longer crashes upon startup when connecting to a firewall on box level. [BNNGF-98114]

  • STARTTLS now works as expected when sending email test notifications. [BNNGF-98148]

  • The option Allow Dynamic Mesh now works as expected in Barracuda Firewall Admin 9.0.5. [BNNGF-98185]

  • Barracuda Firewall Admin no longer crashes when a user scrolls in CC logs. [BNNGF-98260]

  • Barracuda Firewall Admin no longer crashes in specific situations. [BNNGF-98262]

  • Barracuda Firewall Admin no longer freezes when a VPN profile is exported. [BNNGF-98283]

  • GTI will now draw up to 100 services at once again. [BNNGF-98504]

  • The usage counter for Network Objects now works as expected. [BNNGF-98530]

  • Teams webhook URLs now also accept the ‘&’ and ‘=’ characters. [BNNGF-98717]

  • Barracuda Firewall Admin no longer crashes in specific situations. [BNNGF-98846]

  • A filter for finding relevant GTI tunnels has been added. [BNNGF-98936]

  • An authentication scheme with the name ‘Other’ has been added for all CCs. [BNNGF-99025]

  • The sorting for the column First Attempt at CONTROL > Remote Execution is now correct. [BNNGF-99103]

  • Barracuda Firewall Admin now starts with no delay on the latest MS Windows OS versions without Internet access. [BNNGF-99131]

  • The speed of opening the ConfTemplates tab has been increased, especially if there are many big templates and a lot of instances present. [BNNGF-99150]

  • Barracuda Firewall Admin now provides the option to lock and open a node in the configuration tree. [BNNGF-99160]

  • Barracuda Firewall Admin now indicates with a lock symbol if a config tab is locked. [BNNGF-99161]

  • You can now connect to any box from a menu list in the CC eventing view. [BNNGF-99165]

  • Duplicate entries for Transport Source/Listening no longer occur in the GTI editor if the configuration is unlocked. [BNNGF-99172]

  • A new setting for limiting the number of network objects displayed in the UI at the corresponding places has been added to the Barracuda Firewall Admin Settings in the section FW Rule Editor. [BNNGF-99521]

  • As of firmware 10.5, Barracuda Firewall Admin offers the option to log in with a session password. [BNNGF-99523]

  • The Explicit Transport Listening IP field in VPN GTI Settings now displays network addresses in CIDR instead of Phion notation. [BNNGF-99632]

  • The description for the URL Category "Local Communities" now contains the correct text description. [BNNGF-100111]

  • GTI no longer limits the number of services to be drawn. [BNNGF-100217]

Barracuda OS
  • Removing a group policy only affects objects that are not referenced by other policies and afterwards displays a notification about objects that have not been deleted because they are still in use. [BNNGF-66288]

  • The Instant Replacement feature is now displayed for CloudGen Firewalls as expected. [BNNGF-84799]

  • The logging for NTP has been improved. [BNNGF-92032]

  • The assignment of licenses to multiple boxes no longer causes issues. [BNNGF-92606]

  • The logic for cleaning up licenses has been improved. [BNNGF-93063]

  • The size of SNMP buffers has been increased and no longer causes issues. [BNNGF-93414]

  • Activity log streaming is now more reliable and robust when the firewall is under high load. [BNNGF-94358]

  • WCS 3.3 contains new categories. See the section New Features in Version 10.0.1 of the 10.0.1 Release Notes. [BNNGF-95628]

  • After enabling header reordering, the list Reference in CONFIGURATION > Box > Configuration Tree > Network > Interfaces now displays correct values. [BNNGF-95824]

  • SMTP passwords can now be longer than 56 characters. [BNNGF-95856]

  • Reachable IPs now work as expected after sending changes in Firewall Admin. [BNNGF-95929]

  • Logging has been improved to reduce confusion if no admins are configured. [BNNGF-96116]

  • The network activation now works as expected after changing the MTU in the interface configuration. [BNNGF-96634]

  • Connection failures no longer occur when rebooting a primary or secondary HA box with VMAC enabled. [BNNGF-96724]

  • Unexpected errors no longer occur in the context of System Email Notifications. [BNNGF-96815]

  • Statistics are stored in the correct folder as expected. [BNNGF-97061]

  • Log files are stored in the correct folder as expected. [BNNGF-97308]

  • TOTP bulk enrollment for multiple users now works as expected. [BNNGF-97441]

  • A fix to the kernel has been implemented to prevent potential crashes. [BNNGF-97595]

  • The upgrade process has been improved to perform a file system check before the upgraded box reboots. If an upgrade failure is detected, the box boots into the previous firmware, and the user must check manually. [BNNGF-97652]

  • Box level SNMPd now works as expected. [BNNGF-97889]

  • The ISO download now works as expected on unmanaged, updated boxes. [BNNGF-97961]

  • STARTTLS now works as expected when sending email notifications. [BNNGF-98032]

  • Updates from firmware 9.0.4 to 10.0.0 can now be performed using the system scheduler. [BNNGF-98174]

  • System report generation via Firewall Admin works as expected. [BNNGF-98263]

  • Syslog streaming using TLS now works as expected with respect to the box key size. [BNNGF-98382]

  • The eventS logfile is sent to XDR. [BNNGF-98437]

  • Watchdog CPU load limits have been recomputed based on the new hardware specifications. If the default values are not set and the feature is enabled, a logic now calculates the CPU load limits based on the hardware. [BNNGF-98497]

  • The installation of a hotfix now works as expected, and the status is displayed correctly in the CC's firmware management tab. [BNNGF-98880]

  • The watchdog is now active when it is enabled. [BNNGF-98881]

  • The GRE tunnel configuration no longer unexpectedly creates a wild route. [BNNGF-99031]

  • The configuration view for Multicast Routing now contains the Multipath Gateway field. [BNNGF-99094]

  • Segmentation faults caused by cstatd no longer occur in specific situations. [BNNGF-99155]

  • Boxes no longer create an unnamed logfile containing BGP related log messages. [BNNGF-99283]

  • Trying to upgrade to 10.5.0 with an RSA box key <2048 bits will not be allowed. The box-key needs to be generated before the update can take place. [BNNGF-99346]

  • Multicast Routing can be configured on a CC as expected. [BNNGF-99364]

  • Azure Log Streaming CEF via CGF Log Daemon now works as expected. [BNNGF-99374]

  • Sysstat and btop tools have been added to the firmware. [BNNGF-99466]

  • The IKEv2 tunnel status is shown correctly again in SNMP. [BNNGF-99475]

  • Virtual VIP IPv6 is no longer required even if IPv6 is enabled. [BNNGF-99517]

  • Layer 3+4 Bond Hashing Policy description has been added to Barracuda Firewall Admin. [BNNGF-99564]

  • Translated ports are also logged in the activity log. [BNNGF-99567]

  • The traceroute package is again part of the firmware. [BNNGF-99649]

  • IPMI login passwords may have a maximum length of 20 characters. [BNNGF-99935]

  • Error messages about cloud configuration conflicts no longer occur on boxes that are not running in a cloud. [BNNGF-100429]

Cloud AWS
  • The CloudGen firewall now supports the more secure IMDSv2 for retrieving AWS instance metadata. [BNNGF-93721]

  • AWS EC2 appliances can now update to firmware 10.0 as expected. [BNNGF-97988]

