10.0.2 Release Notes

CudaLaunch

Installation of Firmware 10.0.1

Certificates

As of firmware version 9.0.5, certificates in chain with only CN are no longer working.

Encryption, Weak Ciphers

End-of-Life and End-of-Support Status

For information on which devices and services have reached EoL or EoS, see:

• Barracuda NextGen and CloudGen Firewall Appliances - EoS / EoL Definitions

• End-of-Support for CloudGen Firewall Firmware

Licensing

Naming of Shared IP v4/v6 Addresses

Firmware version 10.0.2 is a minor release.

Use the Appropriate Firewall Admin Release

Barracuda Networks recommends using the latest version of Firewall Admin for a new firmware release.

As of the public availability of firmware 10.0.2, Barracuda Networks recommends using at least Firewall Admin version 10.0.2. You can download this version here:
https://dlportal.barracudanetworks.com/#/packages/6499/FirewallAdmin_10.0.2-68.exe

Who Can Update to Firmware Release 10.0.2

Read the Migration Notes 10.0.2 before updating to firmware 10.0.2.

For more information on the migration process, see the 10.0.2 Migration Notes: https://documentation.campus.barracuda.com/wiki/spaces/NGFEOL/pages/551288854

While new requirements can result in adding new features, existing features can become obsolete over time. To keep the CloudGen Firewall up to date and performing properly, certain features will be removed completely, and others may be replaced with improved technology.

Features that Will Become Obsolete in an Upcoming Release (after 10.0.2)

CGA Proxy

The CGA Proxy will be phased out in an upcoming release.

CudaLaunch & SSL-VPN

CudaLaunch and SSL-VPN will be phased out in an upcoming release and will be replaced with SecureEdge Access.

Features that Are No Longer Included in this Version 10.0.2

SF Licensing

Old SF licensing is longer supported and has been phased out.

Cloud Deprecations

The following features are no longer part of the 10.0 firmware release:

• AutoVPN

• Metered billing

• Azure Security Center Support

ClamAV

ClamAV has been removed in firmware 10.0.

M30 Modem

The M30 modem is no longer supported.

OMS Agent, Azure Log Monitor Agent

The OMS Agent and the Azure Log Monitor Agent has been replaced with Azure Log API.

Branch Office Box VPN Compression

The “BoB” Branch Office Box VPN Compression is no longer supported by release 10.x.

Firmware 10.0.2 is a minor release. Although minor versions usually do not contain any new features, the following feature is contained in this firmware:

WCS 3.3 with New Categories

WCS 3.3 contains new categories. However, note that even if the new categories will be visible also on boxes that are below firmware version 10.0.2 if Barracuda Firewall Admin 10.0.2 is used, these categories should not be configured as they won’t match!

Do not configure the following URL categories:

• Artificial Intelligence - Simulation of human intelligence processed by machines.

• Cheating - Get info about actions to subvert or disobey rules in order to obtain unfair advantages.

• Code Repositories - Specialized storage systems to manage source code.

• Hosted Payment Gateways - Service for a payment transaction process, conducted on a payment gateway provider’s platform.

SD-WAN Priority Field

Authentication

• When TLS inspection encounters certificates with the OCSP stalpe extension, it no longer causes certificate validations to crash. [BNNGF-96575]

• TACACS+-CC Admin SSH login now works as expected an no longer fails on boxes with high latency. [BNNGF-98445]

• An issue was fixed where users sporadically lost access to their ZTNA resources. [BNNGF-98480]

• 10.0.0 Control Centers now read SAML IDP metadata correctly. [BNNGF-98588]

• Authentication packets no longer become lost in specific situations. [BNNGF-99183]

• RADIUS authentication with Cisco ISE now works as expected. [BNNGF-99473]

• The system now correctly maintains HA configurations and licenses of an HA setup. [BNNGF-99841]

• The TS-client now works as expected if multiple terminal servers start up in parallel. [BNNGF-99922]

Barracuda Firewall Admin

• ATP now provides just one option for downloading a summary report. [BNNGF-96516]

• The AS Translation Number is now also available for BGP IPv6 neighbors. [BNNGF-97795]

• Barracuda Firewall Admin no longer crashes when a user scrolls in CC logs. [BNNGF-98260]

• Barracuda Firewall Admin now starts with no delay on the latest MS Windows OS versions without Internet access. [BNNGF-99131]

• The speed of opening the ConfTemplates tab has been increased, especially if there are many big templates and a lot of instances present. [BNNGF-99150]

• Duplicate entries for Transport Source/Listening no longer occur in the GTI editor if the configuration is unlocked. [BNNGF-99172]

• The Explicit Transport Listening IP field in VPN GTI Settings now displays network addresses in CIDR instead of Phion notation. [BNNGF-99632]

• Switching between the Live and History view or between rendering VPN graphs no longer causes Firewall Admin to crash. [BNNGF-99837]

• The description for the URL Category Local Communities now contains the correct text description. [BNNGF-100111]

• Chacha20/Poly1305 can be used as of firmware 10.0.2 and higher. [BNNGF-100169]

• GTI no longer limits the number of services to be drawn. [BNNGF-100217]

• Firewall Admin no longer crashes when being in the BGP view of CONTROL. [BNNGF-100414]

• IPS version history is now correctly linked to the new Barracuda Campus URL. [BNNGF-100499]

• Firewall Admin no longer crashes when rules inside of a ruleset cascade are deleted or when switching between network objects and rule editing. [BNNGF-100586]

Barracuda OS

• The characters '.' and'-' are not allowed in names of SharedIP IPv4 and IPv6 addresses. [BNNGF-89810]

• SNMP only reports existing services running on the firewall. [BNNGF-90582]

• distd2 sessions are now closed and boxes now receive config updates as expected. [BNNGF-94218]

• A soft network activation no longer deletes source-based throw routes, and consequently routing failures no longer occur. [BNNGF-95077]

• CC Events from the CC box layer for port 811 now show the proper source IP. [BNNGF-95151]

• Sending events to the Apple Push Notification Service now works again correctly. [BNNGF-96167]

• A network soft activation no longer causes traffic interruptions in combination with source-based routes. [BNNGF-96515]

• Azure Log Streaming CEF via CGF Log Daemon now works as expected. [BNNGF-98002]

• The dashboard now displays correct information for fan and power supplies. [BNNGF-98284]

• Failsafe activation no longer leaves wild routes in the table. [BNNGF-98387]

• The installation of a hotfix now works as expected, and the status is displayed correctly in the CC's firmware management tab. [BNNGF-98880]

• The watchdog is now active when it is enabled. [BNNGF-98881]

• The GRE tunnel configuration no longer creates unexpectedly a wild route. [BNNGF-99031]

• SNMP has been extended by a new OID which reports the serial of an appliance. [BNNGF-99074]

• The configuration view for Multicast Routing now contains the Multipath Gateway field. [BNNGF-99094]

• Layer 2 monitoring no longer causes interfaces to remain down after a reboot in specific situations. [BNNGF-99095]

• As of firmware versions > 10.0.1, 10.5.0, the size of the /art partition will be preset to 6,144 GB for all fresh installed boxes. [BNNGF-99111]

• Segment faults no longer occur in specific situations. [BNNGF-99112]

• Crashes in the VPN statistics service (vpnstat3) no longer occurs in specific situations. [BNNGF-99113]

• Boxes no longer create an unnamed logfile containing BGP related log messages. [BNNGF-99283]

• Multicast Routing can be configured on a CC as expected. [BNNGF-99364]

• sysstat and btop tools have been added to the firmware. [BNNGF-99466]

• The IKEv2 tunnel status is shown correctly again in SNMP. [BNNGF-99475]

• Virtual VIP IPv6 is no longer required even if IPv6 is enabled [BNNGF-99517]

• Installing the SecureEdge minimal configuration via USB stick at boot now works as expected. [BNNGF-99526]

• Layer 3+4 Bond Hashing Policy description has been added to Barracuda Firewall Admin. [BNNGF-99564]

• The traceroute package is again part of the firmware. [BNNGF-99649]

• The list of telemetry keys has been updated and now includes new entries. [BNNGF-99678]

• IPMI login passwords may have a maximal length of 20 characters. [BNNGF-99935]

• The SNMP version setting was moved to the SNMP Settings group, and the configuration was updated to enable or disable Access Groups and SNMPv3 Users accordingly. [BNNGF-99972]

• Firewall Admin now allows to enter all syntactically correct IPv6 addresses. [BNNGF-100050]

• PPPoE no longer fails in specific situations and now works as expected. [BNNGF-100149]

• An issue has been fixed on spurious error messages about missing state files in the control daemon log when the VMAC feature is not enabled. [BNNGF-100193]

• Disabling logging in a firewall rule now also disables it in syslog streaming. [BNNGF-100350]

• Mounting CIFS shares now works as expected. [BNNGF-100371]

• Error messages about cloud configuration conflicts without being in a cloud no longer occur. [BNNGF-100429]

• Restoring backup daemon backups on managed boxes and secondary HA boxes is now supported via REST with Emergency Override.
  Warning: Restoring a backup on a CC managed box can lead to inconsistent configuration states; after the restore, a full config sync needs to be manually triggered for the box to ensure system consistency. [BNNGF-100473]

• Filesystem checks after updating now work as expected without user interaction. [BNNGF-100500]

• Using the management interface for direct internet access no longer causes a consistency error and now works as expected. [BNNGF-100601]

• Automatic HA pairing on SecureEdge now works as expected. [BNNGF-100720]

• IKEv2 (Charon) statistics files are now generated and displayed in VPN statistics as expected. [BNNGF-100753]

• Development hotfixes are now shown in the system report as expected. [BNNGF-100995]

Cloud Azure

• Updating to 10.0 no longer breaks PAYG licenses. [BNNGF-98883]

• The authentication URL and associated parameters are now configurable for the Azure public cloud. [BNNGF-100261]

Control Center

• RCS now works again as expected. [BNNGF-91160]

• Additional checks have been implemented for the CC Control service to only allow admins to run commands for boxes if they have the required permissions. [BNNGF-95710]

• An IPS profile can now be linked from a Repository or newly created 9.0 distributed firewall as expected. [BNNGF-96448]

• Updating the firmware of SC boxes with Firewall Admin version >=10.0.2 and Firewall Admin version >= 10.5.0 works as expected. [BNNGF-98020]

• The handling of large configlog.db files has been improved and nodes in the Control Center no longer become locked because of too large database files. [BNNGF-98143]

• If changes are made to a global reference remote network object and the object will be used by an HA cluster, the changes will now be updated on both instances of the HA pair as expected. [BNNGF-98201]

• The full history for RCS report entries is now displayed correctly. [BNNGF-98424]

• The RCS view no longer shows empty entries in specific situations. [BNNGF-98498]

• It's no longer necessary to specify NTP server when configuring DHCP subnets via a ConfUnit. It's no longer necessary to specify NTP server when configuring DHCP subnets via a ConfUnit. [BNNGF-98967]

• Importing .tld files in the ConfTemplate Editor now works as expected. [BNNGF-99010]

• A new endpoint for the ConfUnit has been added for interfaces. [BNNGF-99268]

• When deploying boxes via Control Center configuration templates, the recursive DNS lookup setting is now applied. [BNNGF-99312]

• Global DNS firewall objects now show IP addresses as expected. [BNNGF-99430]

• The RSC-SCP script now works as expected. [BNNGF-99498]

• Copy-Move-GTI VPN configurations no longer cause crashes in specific situations. [BNNGF-99792]

• The import of large archive.pgz files no longer fails. [BNNGF-99857]

• SAC/SC cluster are now removed from the Control Center configuration tree as expected and no longer causes a database reference error. [BNNGF-100065]

• For the F400c/F600d, the parameter Filemax is now set to 65536 when creating a box on the Control Center at Config > Create new Box. [BNNGF-100332]

• The Firmware tab in the Control Center can now be accessed as expected. [BNNGF-100533]

• Adding or removing instances to configuration templates after updating from 9.0.5 to 10.0.x now works as expected. [BNNGF-101347]

DHCP

• Stateless DHCPv6 now works as expected after an upgrade to firmware 9.x. [BNNGF-90412]

• In Advanced config mode, the field for vendor ID, ‘raw’ was removed and migrated to vendor ID, and Vendor ID conversion is set to raw. [BNNGF-98587]

• The reverse map entry for DHCP-DDNS is now sent correctly. [BNNGF-98876]

• The DHCP tab now shows all active leases as expected. [BNNGF-99736]

• REST API calls no longer causes high RAM usage in conjunction with the DHCP service. [BNNGF-100535]

Firewall

• The error message handling in the TLS inspection engine has been improved to provide clearer diagnostics when session errors occur. [BNNGF-81568]

• Activity log streaming is now more reliable and robust when the firewall is under high load. [BNNGF-94358]

• ICMP traffic is no longer blocked with an ACL mismatch error when policy profiles are enabled. [BNNGF-94559]

• TLS inspection now works for HTTP CONNECT tunnels as expected. [BNNGF-95666]

• Traffic shaping rate limits no longer fluctuate in specific situations. [BNNGF-96692]

• The firewall no longer sends unwanted ICMP redirect messages from VPN interfaces. [BNNGF-96741]

• To avoid long waiting times and occasional out-of-memory crashes, Firewall Admin does not load all history entries by default. [BNNGF-97037]

• In specific cases, like for certificate chain configurations, the root certifcate is removed when {{fwauthd}} presents the certicate to the clients. [BNNGF-98589]

• Verification checks of updated Trusted CA Bundles now work as expected if a proxy is configured. [BNNGF-98875]

• Some irrelevant kernel log messages have been removed. [BNNGF-99000]

• Some irrelevant kernel log messages have been removed. [BNNGF-99034]

• HTTP sessions with downloads no longer fail while the downloads are being SSL inspected. [BNNGF-99129]

• SD-WAN ID does not show Fail anymore for VPN transport sessions. [BNNGF-99348]

• The Viverse app is now detected correctly as a business app. [BNNGF-99384]

• If in an SD-WAN policy rule the action Pin to Group X or Prefer Group X is selected, then breakout traffic will now be balanced between all providers in the group. [BNNGF-99395]

• A script has been added to calculate the maximum number of session slots for the firewall service has been added. For more information, see {{/opt/phion/modules/server/firewall/bin/max-session-slot-estimate.sh}} [BNNGF-99418]

• The kernel no longer crashes when the URL filter blocked a website accessed through the HTTP proxy, thus no longer causing repeated reboots. [BNNGF-99488]

• Allow-listing of hosts in Virus Scanner Settings > Content Scanning does not lead to broken HTTP archive downloads any more if archive content scanning is enabled. [BNNGF-99497]

• DNS object references in Generic Objects now work as expected. [BNNGF-99712]

• Custom network applications are now detected as expected. [BNNGF-99739]

• Ipoque has been updated to version 25.12.19. [BNNGF-99777]

• URLCAT based exceptions from TLS inspections now work in application rulesets as expected. [BNNGF-99850]

• The cause leading to the output of an error message when using the command 'CustomExternalAddrImport' in firmware 10.0.1 has been fixed. [BNNGF-99916]

• IPS patterns for “Brickstorm” were built and delivered with common updates on 4th December 2025. [BNNGF-99970]

• Call traces no longer occur during outages. [BNNGF-100370]

• IKE tunnels are establishing again correctly and the error "Block Slot Creation Failed." is no longer shown. [BNNGF-100427]

• An issue has been fixed where the IPS engine could interfere with kernel cryptographic operations, potentially leading to file system corruption. [BNNGF-100566]

• Firewall rules with logging disabled no longer cause "Detect" entries in the firewall activity log. [BNNGF-100795]

• Administrators can now approve or deny override requests for the URL Admin page. [BNNGF-100806]

• "Do not inspect" SSL inspection rules are now correctly applied to inbound mail traffic and no longer causes certificate errors for senders. [BNNGF-100880]

HTTP Proxy

• The redirection to an ATP wait page for the 'Scan first' policy has been removed, so that the proxy now only supports 'Deliver first'. [BNNGF-99485]

REST

• The endpoint for REST/API licenses/status now works as expected. [BNNGF-99438]

• The MTU information is now returned for the the REST-API call "/rest/cc/v1/config/ranges/{range}/clusters/{cluster}/boxes/{box}/network/vlans/{name}". [BNNGF-100086]

SecureEdge

• SecureEdge integration no longer deletes the appliance configuration when the Cloud service temporarily returns an invalid response. [BNNGF-99674]

• The automatic cleanup of HA configuration has been removed when the SecureEdge cloud service returns an empty response, therefore preventing accidental disruption of working HA setups. [BNNGF-99864]

• The default values for the BGP service is now written correctly for SecureEdge. [BNNGF-100013]

VPN

• PPTP tunnels are now displayed as expected in the VPN > Client to Site tab. [BNNGF-91099]

• Improvements have been applied to the HSTS header configuration. [BNNGF-95951]

• Resolving DNS has been improved for IKEv1. [BNNGF-96089]

• A memory leak for IKEv2 was fixed [BNNGF-96332]

• In GTI, the active site now initiates a TINA tunnel as expected. [BNNGF-99141]

• GTI now uses correct addresses for transport source. [BNNGF-99306]

• An HA-sync issue has been solved and no longer causes failed key lookups for VPN tunnels. [BNNGF-99407]

• The Windows NAC-client X.509-user/pass authentication now works as expected with certificates from the Windows certificate store. [BNNGF-99534]

• Kernel leaks no longer occur in specific situations. [BNNGF-99609]

• The VPN service no longer crashes after an L2TP VPN client disconnect. C2S VPN connections now connect without a restart of the device. [BNNGF-99865]

• The compatibility issue to use SHA1 in parallel with AES128 has been fixed. [BNNGF-99936]

• IKEv1 no longer stops in specific situations and now works as expected. [BNNGF-100368]

• Memory leaks no longer occur in KTINA and in the Crypto-API. [BNNGF-100374]

• After adding a 30-second timeout to the handshake phase, the SSLVPN service is now responsive when clients open a connection without completing the SSL handshake. [BNNGF-100877]

• When IKEv2 tunnels with Universal Traffic Selectors are configured, TINA tunnels now work as expected when the option "Main Routing Table" is enabled. [BNNGF-101076]

• Kernel panics no longer occur in Site-to-Site VPN connections in conjunction with crypto context switching. [BNNGF-101302]

• SSL-VPN now works as expected after an update to 9.0.6. [BNNGF-101355]

All 10.0-Related Ticket Overview

As of firmware release 10.0.2, more than 2000 tickets have been resolved.

For more information, see List of Tickets Resolved through Release 10.0.2.

• Authentication – Barracuda-key uses wrong license in case of an HA setup. [BNNGF-99841]

• Authentication – MFA in combination with RADIUS is not working for CC admins. [BNNGF-100489]

• Barracuda Firewall Admin - The change of a password for a CC-Admin using an external authentication scheme does not work on the CC. [BNNGF-98450]

• Barracuda Firewall Admin – After importing an update package, the list of files on CC will not be updated. [BNNGF-98739]

• Barracuda Firewall Admin – Barracuda Firewall Admin 10 does not show the expiry date for intermediate and root cert in Control Center. [BNNGF-99472]

• Barracuda Firewall Admin – Calendar LogView to change months not working as intended. [BNNGF-100047]

• Barracuda OS – In rare circumstances, the SNMP value for active C2S connections can be incorrect. In such cases, the vpnstatus.db must be deleted once. [BNNGF-94918]

• Barracuda OS – GUI soft-activate causes fibre ports to go down. [BNNGF-98179]

• Barracuda OS – Using non-ASCII characters in Description fields of the Translated HA IP configuration might cause errors during firmware upgrade. [BNNGF-98494]

• Barracuda OS – On CGFs that are SE integrated, policies based on user groups are not matching for SE authenticated users. [BNNGF-98852]

• Barracuda OS – Bidirectional multicast is not working. [BNNGF-99392]

• Barracuda OS – In certain situations not all notification emails are sent for the same event ID. [BNNGF-99429]

• Barracuda OS – It is not possible to delete event notifications. [BNNGF-100049]

• Box Hardware – The IPMI periodically stops working after a few weeks. [BNNGF-99292]

• Control Center – If a DNS name is specified as peer for a GTI TINA tunnel on the CC, the firewall cannot establish a tunnel anymore. [BNNGF-99478]

• Control Center (Licensing) – Global CC Admin is unable to assign Range Pool licenses. [BNNGF-99838]

• CudaLaunch – iPad Pro devices with a MagicKeyboard cause issues. [BNNGF-95273], [BNNGS-4004]
  Workaround: The issue is caused by iOS 18.0.1 and can be resolved by upgrading iOS to its newest version.

• DNS – The DNS service is denying dynamic DNS updates from the DHCP service. [BNNGF-98877]

• Firewall – Inspecting traffic for QUIC/UDP 443 is currently not supported.    [BNNGF-74540]
  Workaround: Blocking UDP/443 makes clients fall back to TCP, and then that app can be inspected.

• Firewall – The firewall creates multiple sessions with the same source port. [BNNGF-100185]

• REST – Currently, the endpoints for rulesets are disabled for policy rulesets. [BNNGF-94123]

• REST – Changes to Shared Services Ruleset by REST API are not honored. [BNNGF-97993]

• REST – REST API write access for creating a REST-API admin role and assigning it to an admin does not work as expected. [BNNGF-98447]

• REST – The REST interface does not work for dynamic rules in cascades. [BNNGF-99332]

• REST - Calling the REST-API endpoint for interfaces frequently can report inconsistent interface metrics in specific situations. [BNNGF-100213]

• REST – REST API shows inconsistent firewall status compared to phionctrl CLI. [BNNGF-100248]

• SSL-VPN and Cuda-Launch – Shared folders and files are no longer accessible via CudaLaunch if the name of the shared folder or file contains a blank space.    [BNNGS-3970]
  Workaround: You can make the folder accessible if you share it yourself and replace any blank character with %20.

• VPN – GTI Editor displays either no priority ID or an incorrect one. [BNNGF-98585]

• VPN - Barracuda VPN CA Profile export fails to include Listening IP automatically. [BNNGF-99328]