9.0.6 Release Notes

CudaLaunch

Certificates

As of firmware version 9.x, certificates in chain with only CN are no longer working.

SSH DSA-Keys

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

• Barracuda NextGen and CloudGen Firewall Appliances - EoS / EoL Definitions

• End-of-Support for CloudGen Firewall Firmware

CloudGen Access Proxy

Using Special Characters when Creating a Section in the Forwarding Ruleset

Creating a section in the forwarding ruleset now supports entering the characters: / ( ) , ; . : - _ # + *

SAML Authentication

Updating to the preceding firmware version 9.0.3 disables SAML authentication. SAML authentication needs to be re-enabled again if configured before the update. See https://campus.barracuda.com/doc/170820079/

Firmware version 9.0.6 is a minor release.

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 9.0.6, Barracuda Networks recommends using at least Firewall Admin version 9.0.6. You can download this version here: https://dlportal.barracudanetworks.com/#/packages/6437/FirewallAdmin_9.0.6-33.exe

Who Can Update to Firmware Release 9.0.6

Read the Migration Notes 9.0.6 before updating to firmware 9.0.6.

For more information on the migration process, see the article 9.0.6 Migration Notes.

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Are No Longer Included as of this Version 9.0.6

FW Audit

As of firmware 9.0.0, FW Audit is being discontinued. If you have been using FW Audit for reporting in the past, Barracuda Networks recommends using Barracuda Firewall Insights for advanced reporting instead.

Web-UI

As of firmware 9.0.0, support for the Web-UI is being discontinued.

SMSd

As of firmware 9.0.0, the SMSd is being discontinued.

WANopt

As of firmware 9.0.0, WANopt is being discontinued.

Features that Will Become Obsolete in an Upcoming Release

If you are currently using one of the features listed below, consider planning to switch to an appropriate alternative.

As a minor release, version 9.0.6 contains important fixes.

SD-WAN Priority Field

Telemetry

The list of telemetry has been updated with new parameters:

For more information, see Telemetry Data.

Authentication

• SAML no longer runs into errors in specific situations. [BNNGF-96557]

• The Message-Authenticator attribute in RADIUS authentication is now calculated correctly. [BNNGF-96737]

• TACACS+-CC Admin SSH login now works as expected an no longer fails on boxes with high latency. [BNNGF-98445]

• An issue was fixed where users sporadically lost access to their ZTNA resources. [BNNGF-98480]

• Logging has been extended to track edge cases with authentication timeouts. [BNNGF-99183]

• Authentication auto-logout now works as expected. [BNNGF-99262]

• RADIUS authentication with Cisco ISE now works as expected. [BNNGF-99473]

• The system now correctly maintains HA configurations and licenses of an HA setup. [BNNGF-99841]

• The TS-client now works as expected if multiple terminal servers start up in parallel. [BNNGF-99922]

Barracuda Firewall Admin

• The AS Translation Number is now also available for BGP IPv6 neighbors. [BNNGF-97795]

• STARTTLS now works as expected when sending email test notifications. [BNNGF-98148]

• Barracuda Firewall Admin no longer crashes when a user scrolls in CC logs. [BNNGF-98260]

• Teams webhook URLs now also accept the ‘&’ and ‘=’ characters. [BNNGF-98717]

• Barracuda Firewall Admin no longer crashes in specific situations. [BNNGF-98846]

• The sorting for the column First Attempt at CONTROL > Remote Execution is now correct. [BNNGF-99103]

• Barracuda Firewall Admin now starts with no delay on the latest MS Windows OS versions without Internet access. [BNNGF-99131]

• Duplicate entries for Transport Source/Listening no longer occur in the GTI editor if the configuration is unlocked. [BNNGF-99172]

• The Explicit Transport Listening IP field in VPN GTI Settings now displays network addresses in CIDR instead of Phion notation. [BNNGF-99632]

• The description for the URL category Local Communities now contains the correct text description. [BNNGF-100111]

Barracuda OS

• The Instant Replacement feature is now displayed for CloudGen firewalls as expected. [BNNGF-84799]

• CC Events from the CC box layer for port 811 now show the proper source IP. [BNNGF-95151]

• Sending events to the Apple Push Notification Service now works again correctly [BNNGF-96167]

• Firewall authentication with SAML now works as expected. [BNNGF-97079]

• Azure Log Streaming CEF via CGF Log Daemon now works as expected. [BNNGF-98002]

• STARTTLS now works as expected when sending email notifications. [BNNGF-98032]

• System report generation via Firewall Admin works as expected. [BNNGF-98263]

• Parsing data for authentication purposes no longer fails in specific situations. [BNNGF-98408]

• The watchdog is now active when it is enabled. [BNNGF-98881]

• The GRE tunnel configuration no longer creates unexpectedly a wild route. [BNNGF-99031]

• Layer 2 monitoring no longer causes interfaces to remain down after a reboot in specific situations. [BNNGF-99095]

• Boxes no longer create an unnamed logfile containing BGP related log messages. [BNNGF-99283]

• Virtual VIP IPv6 is no longer required even if IPv6 is enabled [BNNGF-99517]

• Layer 3+4 Bond Hashing Policy description has been added to Barracuda Firewall Admin. [BNNGF-99564]

• The list of telemetry keys has been updated and now includes new entries. [BNNGF-99678]

• IPMI login passwords may have a maximal length of 20 characters. [BNNGF-99935]

• Firewall Admin now allows to enter all syntactically correct IPv6 addresses. [BNNGF-100050]

• Error messages about cloud configuration conflicts without being in a cloud no longer occur. [BNNGF-100429]

Cloud Azure

• The authentication URL and associated parameters are now configurable for the Azure public cloud. [BNNGF-100261]

Control Center

• RCS now works again as expected. [BNNGF-91160]

• Additional checks have been implemented for the CC Control service to only allow admins to run commands for boxes if they have the required permissions. [BNNGF-95710]

• If changes are made to a global reference remote network object and the object will be used by an HA cluster, the changes will now be updated on both instances of the HA pair as expected. [BNNGF-98201]

• The RCS view no longer shows empty entries in specific situations. [BNNGF-98498]

• It's no longer necessary to specify NTP server when configuring DHCP subnets via a ConfUnit. [BNNGF-98967]

• Service settings for AV of the related ConfUnit now write Explicit Listening IP correctly. [BNNGF-98991]

• A new endpoint for the ConfUnit has been added for interfaces. [BNNGF-99268]

• The RSC-SCP script now works as expected. [BNNGF-99498]

• Copy-Move-GTI VPN configurations no longer cause crashes in specific situations. [BNNGF-99792]

• For the F400c/F600d, the parameter Filemax is now set to 65536 when creating a box on the Control Center at Config > Create new Box. [BNNGF-100332]

DHCP

• Stateless DHCPv6 now works as expected after an upgrade to firmware 9.x. [BNNGF-90412]

• In Advanced config mode, the field for vendor ID, ‘raw’ was removed and migrated to vendor ID, and Vendor ID conversion is set to raw. [BNNGF-98587]

• The reverse map entry for DHCP-DDNS is now sent correctly. [BNNGF-98876]

• The DHCP tab now shows all active leases as expected. [BNNGF-99736]

DNS

• Measures have been taken to counteract the impact of CVE-2025-40778 and CVE-2025-40780. [BNNGF-99468]

Firewall

• The field Usage Count in Firewall > Forwarding Rules no longer displays negative values and stays empty if the counter is 0. [BNNGF-96693]

• The firewall no longer sends ICMP redirect-#4 messages from the vpn0 interface. [BNNGF-96741]

• HTTP/1.1 sessions with Connection: close and without Content-Length or Transfer-Encoding are now handled correctly. [BNNGF-97182]

• The handling of DNS resolution has been improved, and the DNS object state now shows correct information. [BNNGF-97834]

• Invoking web pages on iMacs using Chrome now show fast loading times if application control is active. [BNNGF-98175]

• Malware policy evaluation has been implemented for SMTP and POP3. [BNNGF-98457]

• In specific cases, like for certificate chain configurations, the root certifcate is removed when {{fwauthd}} presents the certificate to the clients. [BNNGF-98589]

• The usage counter for policy profiles now works as expected. [BNNGF-98742]

• Some irrelevant kernel log messages have been removed. [BNNGF-99000], [BNNGF-99034]

• The kernel no longer crashes in specific situations. [BNNGF-99035]

• IPS hits no longer cause the box to crash in specific situations. [BNNGF-99114]

• The feature level of firewall rulesets is no longer overwritten by /opt/phion/bin/external-netobj-tool. [BNNGF-99126]

• HTTP sessions with downloads no longer fail while the downloads are being SSL inspected. [BNNGF-99129]

• The firewall engine now starts as expected on an F1000 appliance. [BNNGF-99313]

• SD-WAN ID does not show Fail anymore for VPN transport sessions. [BNNGF-99348]

• The Viverse app is now detected correctly as a business app. [BNNGF-99384]

• Proxy connect now works for all private IPv4 source addresses, not just for the configured subnet. [BNNGF-99404]

• A script has been added to calculate the maximum number of session slots for the firewall service has been added.
  For more information, see /opt/phion/modules/server/firewall/bin/max-session-slot-estimate.sh [BNNGF-99418]

• Allow-listing of hosts in Virus Scanner Settings > Content Scanning does not lead to broken HTTP archive downloads any more if archive content scanning is enabled. [BNNGF-99497]

• Custom network applications are now detected as expected. [BNNGF-99739]

• Ipoque has been updated to version 25.12.19. [BNNGF-99777]

HTTP Proxy

• The HTTP proxy no longer crashes on re-configurations. [BNNGF-96627]

• The HTTP proxy now shows only relevant information in error pages. [BNNGF-99397]

REST

• After adding ‘&’ and ‘_’ to the set of allowed characters for licenses, the box no longer returns the error code when invoking the node for <https://<your_box>>:8443/rest/control/v1/box/licenses. [BNNGF-96288]

• When locking a config node, the configuration data will be reloaded as expected and will prevent any bypassing by other sessions. [BNNGF-98434]

• The MTU information is now returned for the the REST-API call /rest/cc/v1/config/ranges/{range}/clusters/{cluster}/boxes/{box}/network/vlans/{name}. [BNNGF-100086]

VPN

• Improvements have been applied to the HSTS header configuration [BNNGF-95951]

• Resolving DNS has been improved for IKEv1. [BNNGF-96089]

• Old VPN tunnels are cleaned up as expected after renaming or moving the VPN service. [BNNGF-97052]

• Kernel issues have been resolved and no longer cause malfunctioning VPN transports. [BNNGF-98607]

• Migrating from transports to priorities no longer causes issues. [BNNGF-98963]

• In GTI, the active site now initiates a TINA tunnel as expected. [BNNGF-99141]

• GTI is no longer using incorrect addresses for transport source. [BNNGF-99306]

• An HA-sync issue has been solved and no longer causes failed key lookups for VPN tunnels. [BNNGF-99407]

• Kernel leaks no longer occur in specific situations. [BNNGF-99609]

• Memory handling has been improved for the VPN service. [BNNGF-99695]

• IKEv1 no longer stops in specific situations and now works as expected. [BNNGF-100368]

• Authentication – MFA in combination with RADIUS is not working for CC admins. [BNNGF-100489]

• Barracuda Firewall Admin – The usage counter of the firewall rules works on the rules and the service objects,
  but network objects will only show the last time it matched correctly. [BNNGF-98530]

• Barracuda Firewall Admin – After importing an update package, the list of files on CC won't be updated. [BNNGF-98739]

• Barracuda Firewall Admin – The multipath gateway field is missing. [BNNGF-99094]

• Barracuda Firewall Admin – Barracuda Firewall Admin does not show the virtual IPv6 address of VPN clients in the Client-to-Site tab. [BNNGF-99326]

• Barracuda OS – Writing firewall log/syslog unexpectedly stops in specific situations. [BNNGF-94358]

• Barracuda OS – In rare circumstances, the SNMP value for active C2S connections can be incorrect. In such cases, the vpnstatus.db must be deleted once. [BNNGF-94918]

• Barracuda OS – After changing the route metric and doing a failsafe activation, old entries are still available as a 'wild route'. [BNNGF-98387]

• Barracuda OS – Using non-ASCII characters in Description fields of the Translated HA IP configuration might cause errors during firmware upgrade. [BNNGF-98494]

• Barracuda OS – On CGFs which are SE integrated, policies based on user groups are not matching for SE authenticated users. [BNNGF-98852]

• Barracuda OS – The F800d/F900c firewalls experiences sensor issues related to IPMI. [BNNGF-99151]

• Barracuda OS – In certain situations not all notification emails are sent for the same event ID. [BNNGF-99429]

• Barracuda OS – Unreachable NTP services lead to long startup delays for controld. [BNNGF-99813]

• Barracuda OS – Disabling logging in firewall rule does not also disable it in syslog stream (data is still sent). [BNNGF-100350]

• Box Hardware – The IPMI periodically stops working after some weeks. [BNNGF-99292]

• Control Center – Syncing of configuration nodes between split Control Centers requires establishing a Split-CC setup before making changes to any configuration. [BNNGF-96817]

• Control Center – Under very rare circumstances, a configuration update can fail with an error "masterpub file is empty" if the secondary Control Center is active. Make sure that a complete master par sync has been performed via the primary box prior to doing configuration updates via the secondary one. [BNNGF-98536]

• Control Center (ConfTemplates) – When creating a firewall via the configuration template, the DNS configuration for recursive lookup is not being set to true when deployed. [BNNGF-99312]

• Control Center – On a Control Center, HA boxes are not being displayed for CC-managed clusters. [BNNGF-99265]

• Control Center – If a DNS name is specified as peer for a GTI TINA tunnel on the CC, the firewall cannot establish a tunnel anymore. [BNNGF-99478]

• Control Center (Licensing) – Global CC Admin is unable to assign Range Pool licenses. [BNNGF-99838]

• Control Center – The import of large archive.pgz fails. [BNNGF-99857]
  A workaround is to unpack the pgz with the zcat command and then import the par file.

• CudaLaunch – iPad OS 18 with MagicKeyboard cause crashes. This can be resolved by updating to iPad OS 18.2 or later. [BNNGF-95273]

• DNS – The DNS service denies Dynamic DNS updates from DHCP clients in the same network or an external DHCP server. [BNNGF-98877]

• Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported.    [BNNGF-74540]

• Firewall – The YouTube search filter custom application is now obsolete due to changes in YouTube. Use Google Search instead. [BNNGF-95926]

• Firewall – If a CC tries to access the internet via a proxy, the trusted CA bundle is not verified as expected. [BNNGF-98875]

• Firewall – The firewall creates multiple sessions with the same source port. [BNNGF-100185]

• REST – Policy profile rulesets are currently not supported by the REST API. [BNNGF-94123]

• REST – Changes to Shared Services Ruleset by REST API are not honored. [BNNGF-97993]

• REST – The REST interface does not work for dynamic rules in cascades. [BNNGF-99332]

• REST - Calling the REST-API endpoint for interfaces frequently can report inconsistent interface metrics in specific situations. [BNNGF-100213]

• REST – REST API shows inconsistent firewall status compared to phionctrl CLI. [BNNGF-100248]

• REST – REST API calls cause increase in RAM for DHCP service. [BNNGF-100535]

• SSL-VPN and Cuda-Launch – Shared folders and files are no longer accessible via CudaLaunch if the name of the shared folder or file contains a blank space.    [BNNGS-3970]
  Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20.

• VPN – Faulty cleanups of obsolete dynmesh tunnels cause routing issues and traffic drops. [BNNGF-95678]

• VPN – GTI editor displays either no priority ID or an incorrect one. [BNNGF-98585]

• VPN – Certificates in chain with only CN are no longer working with 9.0.x. [BNNGF-98952]

• VPN – If the URL path contains “special characters” such as ‘(' and ')’, the CRL cannot be downloaded. [BNNGF-99167]

• VPN - Barracuda VPN CA Profile export fails to include Listening IP automatically. [BNNGF-99328]