6.2.3 Release Notes


This firmware version is affected by a critical security issue resolved by installing Hotfix 836. For more information, see Hotfix 836 - Security Issue.

Changelog

To keep our customers informed, the known issues list and the release of hotfixes resolving these known issues are now updated regularly.

Before installing or upgrading to the new firmware version:

Do not manually reboot your system at any time while the update is in progress, unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes. For assistance, contact Barracuda Networks Technical Support.


Before You Begin

  • Back up your configuration.

  • The following upgrade path applies: 5.0 > 5.2 > 5.4 > 6.0 > 6.1 (optional) > 6.2.3

  • Before updating, read and complete the migration instructions.

For more information, see 6.2 Migration Notes.

First-Generation ATP to Second-Generation Barracuda ATP Cloud Migration

As of January 31, 2019, the first-generation ATP cloud services used by default with firmware versions 6.2.x, 7.0.x, 7.1.0, 7.1.1, and 7.2.0 will be discontinued. Firewalls using ATP must switch to the second-generation ATP cloud service, which is known as Barracuda Advanced Threat Protection (BATP).

For more information, see 6.2 Migration Notes.

Hotfixes included with Version 6.2.3

  • Hotfix 818 – Control Center

  • Hotfix 813 – DNS Server

  • Hotfix 810 – SSL VPN

  • Hotfix 805 – Cumulative Hotfix

  • Hotfix 802 – HTTP Proxy

  • Hotfix 800 – OpenSSL

What's new in Version 6.2.3

6.2.3 is a maintenance release. No new features were added.

Improvements included in Version 6.2.3

Barracuda NextGen Admin
  • The FIREWALL > Monitor page no longer crashes if an element is selected that is not supported by the firmware. BNNGF-40884

  • Editing application rules with a large number of applications no longer causes NextGen Admin to crash. BNNGF-41417

  • Firewall throughput exceeding 30 Gbps is now displayed correctly on the FIREWALL > Live page. BNNGF-36450

  • Filtering IPv6 connections by their destination interface on the Firewall > Live and Firewall > History pages now works as expected. BNNGF-37137

  • NextGen Admin is no longer supported for Windows Vista. BNNGF-41630

  • NextGen Admin automatic session reconnection improvements. BNNGF-43601

  • Available IPs in the Service Properties are now displayed correctly if the Secondary IP in the Server Properties is left empty. BNNGF-22643

  • Full-screen command line apps are now displayed correctly in the NextGen Admin SSH tab. BNNGF-11234

  • A warning is shown when connecting to a firewall running a newer firmware than is supported by this version of NextGen Admin. BNNGF-39095

  • NextGen Admin dashboard stability improvements. BNNGF-42232

  • IPv6 ICMP traffic no longer shows the ICMP identifier as the port on the FIREWALL > Live and FIREWALL > History pages. BNNGF-31417

  • It is no longer possible to create or edit connection objects in the Host Firewall object viewer. BNNGF-29380

  • Copying application rules using a custom application object to another ruleset now works as expected. BNNGF-39965

  • The Max Entries setting on the FIREWALL > History page is now honored immediately without a manual refresh. BNNGF-41383

  • The status icon of the CONTROL > Network page no longer displays an incorrect status after dynamic routing changes. BNNGF-30769

  • NextGen Admin no longer cuts off the Phase 2 lifetimes in the site-to-site IPsec configuration dialog. BNNGF-42321

  • Networks in the GTI Editor are no longer shown in phion (reverse CIDR) notation. BNNGF-41357

  • The time stamp for the last successful IPS update is now displayed correctly. BNNGF-42374

  • RDP clients using the Touch API to emulate the right-click now work as expected for NextGen Admin. BNNGF-27845

  • When a service is restarted, the name of the service is now included in the log message. BNNGF-40650

  • In the TINA VPN tunnel configuration dialog, the drop-down menu for the Compression parameter is now displayed correctly. BNNGF-41793

  • The throughput of the network interfaces on CONTROL > Network is now shown in MBit instead of bps10. BNNGF-42329

  • Updated the icon for the URL Filter policy action alert. BNNGF-43320

  • IPS exception attributes are no longer replaced by wildcards when the IPS pattern for the exception has been removed by an IPS signature update. BNNGF-40600

  • Sorting the user column in Grouped By User mode on the FIREWALL > User page now works as expected. BNNGF-39618

  • Sorting the applications browser by risk now works as expected. BNNGF-42377

  • If the user information is available, usernames are now displayed for firewall connection cache entries on the FIREWALL > History page. BNNGF-39617

  • The error dialog warning stating that local changes have not been sent now includes the relevant configuration nodes. BNNGF-40010

Barracuda OS
  • Mitigated a hardware-related bug resulting in soft lockups on Barracuda Control Center C400. BNNGF-41683

  • Updated OpenSSL to version 1.0.1u due to security vulnerability CVE-2016-6304. BNNGF-41828

  • Updated Wi-Fi kernel module to fix security vulnerability CVE-2014-2672. BNNGF-40703

  • Firewalls and Control Centers using legacy phion licenses no longer receive IPS pattern updates. BNNGF-42195

  • Firewall session sync between firewalls running 5.4 and 6.0 now works as expected. BNNGF-40900

  • IPv6 router advertisements and link local address computation now work as expected. BNNGF-38442

  • Updated libCURL to fix several security vulnerabilities. BNNGF-42747

  • A rare case where the authentication service causes system crashes is fixed. BNNGF-43285

  • Updated BIND to version 9.9.9-P4 due to security vulnerability CVE-2016-8864. BNNGF-43010

  • Event 2045 Entering Grace mode is now triggered correctly when the license enters Grace mode. BNNGF-41064

  • Web Log streaming now works as expected for HTTPS sessions when no additional Application Control features are enabled in the access rule. BNNGF-41274

  • Kernel memory management improvements. BNNGF-39854

  • Session sync in a high availability cluster no longer blocks services starting after a failover. BNNGF-40050

  • F-Series Install can now use encrypted PAR (PCA) files. BNNGF-40064

  • It is no longer required to restart the authentication service when configuring DC agent / DC client authentication. BNNGF-41689

  • It is now possible to enter a hostname as the NTP server. BNNGF-38950

  • The default ruleset now includes a service object and rule for Barracuda ScreenConnect. BNNGF-40180

  • Added support for the Aruba Instant Wi-Fi access points to the Wi-Fi authentication scheme. BNNGF-37349

  • Corrected the portmapping for the Barracuda NextGen Firewall F1000. BNNGF-42285

  • Changed naming for RSA ACE authentication prompts to match official naming for SecurID. BNNGF-36838

  • Logging into the ART menu via SSH key now works as expected. BNNGF-30782

  • Modified help text to state that for user authentication objects using NTLM/MS-CHAP authentication, the username must be entered as follows: DOMAIN\user. BNNGF-41070

  • The trust level for the Additional IPs is added to the respective network objects as expected. BNNGF-30560

Firewall
  • Application Control statistics now work as expected when the Maximum sessions in the General Firewall Settings are set to a high value. BNNGF-39474

  • Improved session handling of the firewall service to fix random system crash. BNNGF-38163

  • In rare cases, virus scanning FTP traffic caused a firewall lockup. This no longer occurs. BNNGF-41082

  • Schedule objects with a large number of objects (>128) now work as expected. BNNGF-40857

  • Inline firewall authentication now uses a browser authentication pop-up window by sending 401 unauthorized, and no longer redirects to the login page. BNNGF-40979

  • Firewall ruleset re-evaluations no longer terminate sessions matching rules using hostname network objects. BNNGF-40353

  • SSL Interception now works as expected for clients using the TLS certificate status request extension (OCSP stapling). BNNGF-41451, BNNGF-41093, BNNGF-41413

  • Memory consumption improvements in the Firewall service request handler. BNNGF-36793

  • A system crash caused while evaluating a session in the Firewall service no longer occurs. BNNGF-32923

  • SSL Interception now works as expected when a TCP window update is sent after the TCP handshake. BNNGF-37275

  • Using the skinny firewall plugin in a high availability cluster no longer causes a system crash. BNNGF-42090

  • Custom block pages no longer cause packet flooding when blocking services that reuse the same source and port for multiple destinations. BNNGF-42472

  • DHCP requests are no longer intermittently dropped when sent over a bridged interface. BNNGF-40262

  • Improved user agent detection for browsers on Android devices. BNNGF-40067

  • It is now possible to use transparent redirect in combination with Application Control features. BNNGF-40384

  • The firewall no longer crashes when manually terminating sessions using WAN Optimization via command line interface. BNNGF-39730

  • Unusual HTTP trailing header fields are now handled correctly. BNNGF-40200

  • For layer2 bridges, it is now possible to disable decrementing the ICMP TTL in the advanced access rule settings. By default, the ICMP TTL is decremented when passing through the layer2 bridge, and an ICMP type 11 reply is sent if the TTL equals zero. BNNGF-41220

  • Using same port in a connection object using the translated source IP from the DHCP interface now works as expected. BNNGF-38814

  • Handling and matching for user objects containing users in many different groups is improved. This no longer causes the access rule to not match. BNNGF-43511

  • Internet Explorer 11 on Windows 10 is now detected by User Agent Filtering. BNNGF-40690

  • A leading / (forward slash) in the URL path of a custom application object no longer causes the URL to not match. BNNGF-40052

  • The Portmapper service object now uses the ONRPC firewall plugin. BNNGF-36160

  • It is now possible to use numbers in the name of a Trusted root certificate in the SSL Interception configuration. BNNGF-32428

  • The default connection object names are renamed to match the Translated IP policy names. BNNGF-39803

  • It is now possible to edit the IPS or Traffic Shaping settings of multiple access rules at once. BNNGF-38788

  • Cloned custom application objects now have a unique name. BNNGF-40051

  • Block page delivery improvements. BNNGF-41440

  • The firewall loopback traffic on port 9023 is no longer sent out on a different interface. BNNGF-40381

  • Application Control HTTP parser improvements to detect Facebook file transfers. BNNGF-38975

  • Broad-Multicast rules no longer use Application Control. BNNGF-29188

  • Hostname network objects not using an FQDN are now resolved correctly. BNNGF-35815

  • Traffic Shaping for bi-directional access rules using QoS Band (Reply) set to Like-Fwd now works as expected. BNNGF-36372

  • Firewall statistics for UDP traffic now work as expected. BNNGF-42153

  • Custom connection objects can now use the same port in combination with load balancing or failover settings. BNNGF-32672

  • Local networks configured as direct attached routes and with a virtual server IP address are now added to the local network network object. BNNGF-36290

  • Updated list of DCERPC codes. BNNGF-39881

  • For access rules matching on the VPN username, the user is now displayed in the FIREWALL > Live and History pages as well as in the firewall logs. BNNGF-29581

  • Kaspersky Endpoint Security pattern updates are now detected correctly by Application Control. BNNGF-41071

URL Filter
  • Time stamps in URL Filter log messages now use the configured time zone. BNNGF-40183

Virus Scanner and ATD
  • Improved ATD file queue handling. BNNGF-40831

  • Renaming executable files to file types not scanned by ATD no longer allows you to bypass the ATD scan. BNNGF-40350

  • ClamAV freshclam fallback update method is now disabled by default. Legacy licensed firewalls must enable freshclam updates manually. BNNGF-42234

  • Executable archives are now detected and handled correctly when scanned by ATD. BNNGF-41024

  • It is now possible to add exceptions to the virus-scanned MIME types by entering the exempted MIME type with a prepended "!" in the Scanned MIME Types on the Security Policy page. For example: !application/mapi-http. BNNGF-43070

  • The <factory-default-mime-types> now include all application/* MIME types. BNNGF-41376

  • It is now possible to run the HTTP Proxy as a reverse proxy on a non-standard port in combination with the scan first, then deliver ATD policy. BNNGF-39655

  • Manually deleting ATD files from the Scanned Files or Malicious Files tabs now marks them as deleted in the Top Threats dashboard element. BNNGF-39915

  • It is no longer possible to manually quarantine mail attachments scanned by ATD. This prevents the mail server IP address from being placed in quarantine. BNNGF-39476

SNMP
  • IPsec tunnel states are now correct in the box level SNMP service. BNNGF-40965

VPN
  • Mitigated a hardware-related bug resulting in soft lockups on Barracuda Control Center C400. BNNGF-41683

  • The WAN Optimization deduplication process no longer crashes if a large number of sessions are using WAN Optimization. BNNGF-39729

  • Increased the maximum number of sessions for WAN Optimization. BNNGF-40787

  • Added option to disable Replay Protection for IPsec IKEv1 site-to-site VPN tunnels by setting the Replay Window Size to -1. BNNGF-38991

  • IKEv2 VPN tunnels configured on an older firmware version no longer break when the firmware is updated. BNNGF-40611

  • Client-to-site VPN connections with the native Android IPsec VPN client now work as expected. BNNGF-36486

  • Client-to-site certificate policies OID matching improvements. BNNGF-38545

  • Renamed Server Key to Service key in the client-to-site personal license configuration dialog. BNNGF-42419

  • The label of the Name column in the client-to-site VPN Clients Downloads section is now changed to Description to match the Upload dialog. BNNGF-43206

  • It is now possible to click Send Changes without a dummy change when importing client-to-site profiles. BNNGF-42278

SSL VPN
  • Authenticating multiple users via NTLM for web forwards now works as expected. BNNGS-2356

  • POST requests now work on WebApps that use SSO NTLM authentication. BNNGS-2609

HTTP Proxy
  • Updated HTTP Proxy to fix connection error handling. BNNGF-41846

  • Kerberos authentication now works as expected with the HTTP Proxy service. BNNGF-41625  

  • It is no longer possible to enter the Visible Hostname as an Additional Backend domains entry. BNNGF-39874

  • Protected IP addresses for the HTTP Proxy in Reverse Proxy mode are now counted correctly. BNNGF-31773

  • ssl_bump server-first is now replaced by peek-n-splice in the HTTP Proxy. BNNGF-37732

OSPF/RIP/BGP
  • Multipath BGP routes handling improvements. BNNGF-43378

  • The split-horizon parameter is now written to the RIP configuration file correctly. BNNGF-42843

  • Routes learned via OSPF or BGP are now removed immediately if the associated interface goes down. BNNGF-40927

  • Allow other interfaces in RIP filter configuration. BNNGF-35502

Control Center
  • Improved error handling for file and pattern updates of managed firewalls. BNNGF-42756

  • Updating patterns and definitions for a large number of managed firewalls no longer overloads the Control Center. BNNGF-42828

  • Deleting a managed firewall on the Control Center while it is still referenced by a virtual server now displays an error message. BNNGF-40378

  • CC VPN service memory consumption improvements. BNNGF-43392

  • CC Admins can no longer see file updates for firewalls out of their administrative scope. BNNGF-38799

  • Non-local references for global, range, and cluster network objects are no longer removed when the object is renamed. BNNGF-40370

  • Site-specific single IP address network objects now work as expected in the distributed firewall service. BNNGF-39118

  • CC-Data-Receiver (mdist2) service stability improvements. BNNGF-37964

  • Pattern updates for ranges where all managed firewalls use the distributed firewall service now work as expected. BNNGF-42907

  • Enabling the URL Filter is now shown correctly in RCS. BNNGF-40534

  • A new range is now displayed immediately in the configuration tree before activating the changes. BNNGF-26668

  • Deleting an Update Task after the transfer has been completed now also removes the file from the firewall. BNNGF-38906

  • File content, user agent, and schedule objects can now be configured as global, range, and cluster objects. BNNGF-36850

  • It is no longer possible to select NG Control Center as the platform when creating a new managed firewall on the Control Center. BNNGF-32353

  • A new cluster is now displayed immediately in the configuration tree when creating a new cluster with an activation template. BNNGF-38703

  • For Control Center high availability clusters, the syslog format no longer differs when the virtual server fails over to the secondary Control Center. BNNGF-39917

  • Corrected the UI text to be displayed when no product tips are available. BNNGF-42129

  • The Wi-Fi configuration is now included in the Box Network Repository entry. BNNGF-39824

Wi-Fi
  • Running multiple Wi-Fi services on Wi-Fi-enabled firewall models now works as expected. BNNGF-40173

DHCP Server
  • The BOOTP lease time is now handled correctly in the DHCP server configuration files. BNNGF-33394

  • DHCP reservations can now use any IP address in the Used Subnet and no longer have to be outside of the DHCP pool range. BNNGF-40352

Public Cloud (AWS/Azure)
  • XML parsing errors for IP Forward protection in Azure no longer occur. BNNGF-42117

FSC-Series
  • It is no longer possible to change the S-Series VIP network on the Secure Access Concentrator VPN service. BNNGF-39936

  • After deleting and re-creating an S-Series VIP network, the correct CIDR network is used. BNNGF-40348

  • It is no longer possible to unlock the SC Editor before activating changes. BNNGF-39910

  • Removed DES and NONE, and set the default encryption to AES256 for SC VPN. BNNGF-40435

  • Deleting a cluster now also removes the configuration for the SCs in the cluster. BNNGF-40654

  • It is now possible to explicitly set the Wi-Fi channel used by the SC. BNNGF-40062

  • Attempting to create an invalid S-Series VIP network no longer results in a disconnect. BNNGF-41208