Please Read Before Updating
Before installing any firmware version, be sure to make a backup of your configuration and read all release notes that apply to versions more recent than the one currently running on your system.
Do not manually reboot your system at any time during an upgrade, unless otherwise instructed by Barracuda Networks Technical Support. The update process typically takes only a few minutes after the update is applied. If the process takes longer, please contact Technical Support for further assistance.
Upgrading to Version 9.x
Only backups from version 7.1 and higher are accepted by version 9.0 and higher. If you have a backup from version 7.0.x or earlier, please contact Barracuda Technical Support for assistance.Upgrading to Version 8.0
After upgrading to version 8.0, you'll notice that some Hourly/Daily reports on the BASIC > Status (dashboard) page will initially show No Data Available until the first web request is made after the upgrade. All of the data required to run reports still exists on the Barracuda Web Security Gateway and new data will begin to appear on the default dashboard as the Barracuda Web Security Gateway begins to process traffic after the upgrade.Upgrading to Version 6.x and 7.x
- After upgrading to version 6.0, reverting back to the previous firmware version or to the factory installed version is not possible.
- Note that the BASIC > WebLog and BASIC > Application Log pages get cleared on updating from 6.0.0 to 6.0.1, but the log data is still intact and will still appear in reports.
- WARNING: If you are currently using port 8080 as a proxy port for your client connections, note that this port is no longer available to use for proxy connections with version 7.0 and higher. Please alter the port to 3128 on your clients by modifying your GPO or PAC file.
Firmware Version 10.0
What's New in Version 10.0
- User Interface
- The Barracuda Web Filter has been rebranded to the Barracuda Web Security Gateway.
- The BASIC > Dashboard page now shows Recent Flagged Terms instead of Recent Search Queries for the Barracuda Web Security Gateway 410. This reflects availability of the Web Application Monitoring feature on the 410 with this version.
- SSL Inspection
- The Barracuda Web Security Gateway 810 now supports specifying particular domains and/or categories with SSL Inspection. Configure on the ADVANCED > SSL Inspection page.
- The Barracuda Web Security Gateway 410 now supports Transparent Mode for SSL Inspection. If SSL Inspection is enabled on a Barracuda Web Security Gateway 410 before upgrading to version 10.0, then after upgrading, SSL Inspection will be enabled in Transparent Mode. Configure on the ADVANCED > SSL Inspection page. See Using SSL Inspection With the Barracuda Web Security Gateway for information about Transparent Mode.
- The 410 also now supports capture and archiving of suspicious content or sensitive data patterns in chat, email, and other social media communications. Configure on the BLOCK/ACCEPT > Web App Monitor page.
- The Barracuda Web Security Gateway 310 now supports SSL Inspection with either inline or forward proxy deployments for Safe Browsing and YouTube for Schools. Configure on the BLOCK/ACCEPT > Configuration page.
See How to Configure SSL Inspection Version 10 and Above for a chart of SSL Inspection features by model.
- Secure Administration
- Enhancement: Added the following certificates to SSL CA bundle -
- GeoTrust Global CA. [BNYF-10803]
- Thawte dv SSL CA - G2. [BNYF-10802]
- DigiCert SHA2 High Assurance Server CA. [BNYF-10828]
- Enhancement: Added the following certificates to SSL CA bundle -
- Virtualization
- Enhancement: On the Barracuda Web Security Gateway Vx, if Energize Updates are disabled, expired, or terminated, all traffic is allowed regardless of policy settings. [BNYF-10322].
Fixed in Version 10.0
- NIC drivers are updated to avoid packet loss in certain models of the Barracuda Web Security Gateway. [BNYF-10426]
- Scheduling backups or performing a Test Configuration of an SMB server for reporting works as expected if the username specified does not have access to the default WORKGROUP. [BNYF-8855]
- For Barracuda Web Security Gateways connected to Barracuda Appliance Control (BAC): the Unit Health section of the STATUS page in BAC displays correct information about the unit when the CPU Temperature in the BWSG Performance Statistics section on the DASHBOARD page shows 0.0 degrees Centigrade. [BNYF-9893]
- The BASIC > Application Log no longer shows the Destination IP in the Source IP column for certain applications. [BNYF-5333]
Version 10.0.0.018
- If you enabled the Barracuda Chromebook Security Extension while running version 9.1 or earlier, and then upgrade to version 10.0, the configuration for the extension is present as expected. [BNYF-11933]
- When synchronizing configuration changes across a cluster, the Barracuda Web Security Gateway does not reboot or re-load an older configuration. [BNYF-11930]
- Proper handling of null "x-forwarded-for" header. [BNYF-11873]
- Policy requests now time out, if necessary, rather than waiting a long time. [BNYF-11870]
- Improved management of WCS lookups when there are timeouts, resulting in fewer "timeout" messages in the WCS log. [BNYF-11844]
- Updates to CFDEF (category definitions) are enabled as expected when the WCS service is enabled. [BNYF-11832]
- DNS name "=*.yimg.com" should be added under "subject alternative names" by the Barracuda Web Security Gateway to be able to fully load https://www.yahoo.com when SSL inspection is enabled. [BNYF-11759]
- The Power button works as expected on older Barracuda Web Security Gateway appliances when upgrading to version 10.0. [BNYF-11749]
- Barracuda WSA users no longer get a block page when SSL inspection mode is set to Transparent and web-based email is blocked for un-authenticated users, but allowed for authenticated users. [BNYF-11647]
- Peer Proxy works as expected for HTTPS sites. [BNYF-11587]
- The Barracuda Web Security Gateway ensures that Proxy and Web Application Monitoring services do not use the same port when SSL Inspection is enabled in Transparent mode, avoiding issues on some higher models. [BNYF-11576]
- CFDEF updates are downloaded regularly even when the WCS service is enabled on the Barracuda Web Security Gateway. [BNYF-11558]
- The "Configuration updated" message is only displayed in the web interface when a configuration change is made. [BNYF-10947]
- Policy Lookup Only (PLO) mode supports Google Consumer Apps. [BNYF-10314]
Version 10.0.0.016
- This version addresses an issue in manufacturing newer Barracuda Web Security Gateways with upgraded hardware.
Firmware Version 9.1
What's New in Version 9.1
- Ability to block Google consumer accounts while allowing Google hosted organizational accounts to be accessed for a specified list of Google applications. See the BLOCK/ACCEPT > Web App Control page where you can select the Google Consumer Accounts category filter and set policy. See also Google Apps Control Over HTTPS for examples.
- Ability to categorize domains through a cloud service instead of on the Barracuda Web Security Gateway.
- New option on BASIC > Reports page that allows hiding custom categories on reports.
- The Barracuda Malware Removal Tool is no longer provided for version 9.1 and above.
Fixed in Version 9.1
- Enhancement: Content filtering performance. [BNYF-8228, BNYF-10294, BNYF-10274, BNYF-10175]
- Enhancement: Back-end improvements to the Barracuda policy engine, especially related to application blocking. [BNYF-10148, BNYF-10151, BNYF-10166, BNYF-10294]
- Enhancement: The Barracuda Web Security Gateway now uses the Web Categorization Service by default unless previously disabled. [BNYF-10601]
- Fix: Reporting issues related to data unavailability/inaccuracy. [BNYF-9248, BNYF-9448, BNYF-9705, BNYF-9842, BNYF-9984, BNYF-10132, BNYF-10210, BNYF-10246]
- Fix: When updating a Barracuda Web Security Gateway using Barracuda Cloud Control from version 9.0 to version 9.1, the Barracuda Web Security Gateway now remains connected to Barracuda Cloud Control. [BNYF-10663]
- Fix: On the BASIC > Application Log page, entries that erroneously displayed 'spysiteIN=br0' in the Details column now show correctly as 'Spyware Website'. [BNYF-10292]
- Fix: Reports with more than 10 records show all records in the table and a maximum of 10 records in the chart. [BNYF-9181]
- Fix: The Weekly Performance Summary report runs automatically as a Scheduled Report for version 9.1 and above. [BNYF-10521]
- Fix: Policy engine improvement during configuration reload. [BNYF-10645]
- Fix: The Barracuda Web Filter communication with the WCS lookup is contiguous without interruption. [BNYF-10764]
Firmware Version 9.0
What's New in Version 9.0
- New underlying application blocking engine - Version 1.0.130 or above of the
Application Definition Updates is required (See the ADVANCED > Energize Updates page). Consequences are:
- Improved performance of application blocking and strength of signature-based application detection, including service recognition, e.g. chat, video, voice and file-transfer.
- More accurate identification of applications, with frequent updates.
- Higher accuracy of real-time detection capabilities.
- Blocking of over 200 additional protocols and applications.
- Blocking of the following applications is no longer supported:
- ASProxy
- uTorrent
- Twitterrific
- Freegate
- HotspotShield
- IPShield
- Icecast (in Communications group). However, the IceCast app in the Multimedia group can still be blocked.
- The following apps will appear in the web interface with the associated name changes:
- Real Time Streaming Protocol will now display as RTSP.
- iChat AV, VoIP Stunt, and VoIP Buster will now display as SIP.
- Authentication
- Added support for Aerohive Wireless Access Point (WAP) authentication integration. Configure on the USERS/GROUPS > Configuration page.
- Energize Updates
- Added Access Point Definition Updates, released on a regular basis by Barracuda Central and for use with the Barracuda Web Security Gateway. Configure on the ADVANCED > Energize Updates page.
Fixed in Version 9.0
- Feature: The Barracuda Web Security Gateway can be configured to accept traffic on non-native tagged VLAN 1. See the ADVANCED > Advanced Networking page. [BNYF-6551]
- Fix: When the Captive Portal feature is enabled and an Allow exception is created for a set of users, those users now see the Captive Portal agreement page when visiting allowed sites. [BNYF-8662]
- Fix: A large scheduled report no longer fails to generate when you try to run the same report before the original report finishes. [BNYF-9688]
- Fix: If a group is added to an Active Directory OU, the Barracuda Web Security Gateway now detects updates to that group. [BNYF-9260]
- Fix: Scheduled Reports in HTML format to an SMB server (configured on the ADVANCED > External Servers page) now correctly organize sets of reports in a directory or folder as specified. [BNYF-9161]
- Fix: If custom categories are created and exceptions are created for those categories, and the Barracuda Web Security Gateway logs traffic for those categories, the captured Daily/Hourly statistics will continue to display on the BASIC > Dashboard page if those categories are then deleted. [BNYF-9063]
- Fix: When accessing the Barracuda Web Security Gateway web interface from the BCS, clicking on the Release Notes link on the BASIC > Dashboard page displays the notes as expected, and does not give a Temporarily Unavailable page. [BNYF-9394]
- Fix: When using Google Apps for Education with Chromebooks, it is necessary to NOT inspect specific Google subdomains in order to prevent certificate errors. These subdomains will not be ssl inspected in proxy mode if Chromebook Compatibility is enabled. [BNYF-8763]
- Fix: The YouTube For Schools feature now works when the Streaming Media category is set to Monitor. [BNYF-9090]
- Fix: Apple iOS7 users are now able to log in and proceed as Guest when the Captive Portal feature is enabled. [BNYF-8943]
- Fix: HTTPS redirection with WCCP deployments now works whether or not HTTPS Filtering is enabled. [BNYF-8902]
- Fix: Reports that contain spyware sites are no longer blocked by the Barracuda Spam Firewall because the reports no longer include actual URL links to the sites. [BNYF-4221]
- Fix: When the Clear Cache button is pressed in the Caching Options section of the ADVANCED > Caching page, the transaction is now logged in the Audit Log. [BNYF-3000]
- Fix: Active Directory Group lookup is successful when Kerberos is configured for Authentication. [BNYF-9378]
- Fix: If an OU name contains special characters, scheduled reports based on the OU execute successfully. [BNYF-9281]
- Fix: Policy rule checks now recognize upper case letters when testing entered URL or Domain against the domain black/whitelist on the ADVANCED > Troubleshooting page. [BNYF-9349]
Version 9.0.0.003
- Fix: Reverting to a factory firmware version on a Barracuda Web Security Gateway (Vx and appliance). [BNYF-8703]
- Fix: Accessing scholar.google.com with transparent SSL Inspection. [BNYF-10166]
Version 9.0.0.002
- Fix: Captive portal exclusion now works as expected for an IP subnet group when a user initiates a session by opening a phone application (before using the browser) that accesses a particular domain. [BNYF-9438]
- Fix: The Log In button on the Temporary Access portal page works as expected after a custom category that includes a comma (,) is created. [BNYF-9871]
- Fix: The user no longer encounters an error page when, after triggering a time-based quota exception, browses a Warn page. [BNYF-9880]
- Fix: Domains and subdomains added to Custom Categories are properly categorized. BNYF-9883]
- Fix: Resolved issue in which the user was unable to download a page in proxy mode if the DNS response had CNAME instead of IP address. [BNYF-9885]
- Fix: When using Google Chrome browser, inline traffic to all Google sites, including YouTube, is blocked or allowed as expected per policy. [BNYF-9889]
- Fix: Manual Backup to Local Destination as configured on the ADVANCED > Backups page works as expected. [BNYF-9997]
- Fix: Updated Trusted CA bundle with additional certificates. [BNYF-10018]
Firmware Version 8.1.0
What's New in Version 8.1.0
- Enable Port Auth Exemption - Allows exemption of traffic proxied to port 8080 from NTLM and Kerberos authentication. If you have a combination of a terminal server environment using either NTLM or Kerberos authentication and Windows desktop units using LDAP, for example, this feature enables a hybrid of authentication mechanisms. Windows desktop users can then authenticate via your LDAP server while terminal users can authenticate via NTLM or Kerberos in a forward proxy configuration. Make sure that LDAP and/or unauthenticated user traffic runs over port 8080.
Fixed in Version 8.1.0
- Data correctly displays in chronological order for the Web Requests Log report type in HTML, PDF, Text, or CSV formats. [BNYF-8973]
- When clustering two or more Barracuda Web Security Gateway Vx virtual machines, making a change in the configuration of one now propagates correctly to the other. [BNYF-8895]
- When the time zone is set within 30 minutes of GMT, performance statistics and charts on the BASIC > Dashboard page render correctly. [BNYF-8869]
- Creating exceptions based on Safe Search does not result in an error message. [BNYF-8831]
- Provisioning the Barracuda Safe Browser on a device with the Barracuda Web Security Gateway is successful when bookmarks configured on the ADVANCED > Remote filtering page contain special characters. [BNYF-8834]
- Scheduled reports with a large time frame complete correctly. [BNYF-8777]
- Editing the Custom Keyword Categories on the BLOCK/ACCEPT > Web App Monitor page saves modifications as expected. [BNYF-8694]
- With the Captive Portal feature enabled, when an Allow exception is created for a set of users, those users now receive the Captive Portal agreement page as expected when they try to visit the allowed sites. [BNYF-8662]
- Authenticated policy rules are no longer applied to Unauthenticated Captive Portal users. [BNYF-8483]
- On the ADVANCED > Backup page, the Cloud option is available for Scheduled Backups. [BNYF-8591]
- When multiple Barracuda Web Security Gateways are connected to Barracuda Appliance Control, reports generated from the Group Node view include data from all connected Barracuda Web Security Gateways. [BNYF-8578]
Version 8.1.0.005
- Fix: Updated OpenSSL to address CVE-2015-0204 (commonly known as "FREAK"), CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-0209, and CVE-2015-0288.
- Fix: Added CA certs for trust chain, additional checks with errors for self-signed certs, and expired certs. [BNYF-7863]
- Fix: YouTube Safe Search: When a user is logged into Google/YouTube, Safe Search can only be enforced when the user is browsing as 'guest'; this means that uploading and similar actions tied to a user account will not work with Safe Search. [BNYF-9323]
- Fix: Active Directory Group Lookup now works as expected when using Kerberos authentication. [BNYF-9378]
- Fix: Self-signed certificates created on the Barracuda Web Security Gateway 410 for use with SSL Inspection are now correctly created with an expiration date 3 years from date of creation. Self-signed certificates for all other Barracuda Web Security Gateway models expire in 1 year from date of creation. [BNYF-9362]
Version 8.1.0.003
- Feature: Automatic scheduling of the Performance Summary report when you upgrade to version 8.1.0.003. A PDF version of the report will run weekly and be delivered by email to the address entered in the System Alerts Email Address field on the BASIC > Administration page. To remove the report from the schedule, go to the BASIC > Reports page and remove it from or disable it in the Schedule Reports table.
- Fix: Further mitigated risk of SSLv3 related POODLE vulnerability on the internal interface of the Barracuda Web Security Gateway. If you have a legacy browser or web client inside the organization that is being SSL inspected and supports only SSLv3 or below, you could possibly experience an outage. If that is the case, call Barracuda Technical Support to resolve this issue. Note that with this fix, the external interface of the Barracuda Web Security Gateway is not affected in any way. [BNYF-9355]
- Fix: SSLv3 is disabled when the Local Redirect IP address is configured to be the same as the System IP address. This is to mitigate CVE-2014-3566 (SSL POODLE). [BNYF-9333]
- Fix: Self-signed SSL certificates created on the ADVANCED > SSL Inspection page expire one year from date of creation, as expected. [BNYF-9362]
Version 8.1.0.002
- Enhancement: New Performance Summary report. Bundle of four reports summarizing user activities by TCP connections, system load, bandwidth and total unique clients.
- Fix: Port 3130 is reserved ONLY for HTTPS traffic through the Barracuda Web Security Gateway when the SSL Inspection feature is enabled. [BNYF-9082]
- Fix: When re-ordering policy exceptions on the BLOCK/ACCEPT > Exception page, exceptions with text patterns that include meta-characters now remain unaffected if they change order. [BNYF-9187]
- Fix: LDAP users are now able to log in using LDAP Proxy Authentication regardless of whether the Bind DN contains a backslash '\' . [BNYF-9165]
- Fix: When a user is removed from an LDAP group in Active Directory, automatic synchronization of group information with the Barracuda Web Security Gateway works as expected. [BNYF-8532]
- Fix: Exceptions for LDAP groups continue to be applied as expected after making changes to the exception when Aggregate All Active Directory Domains is also set to Yes on the USERS/GROUPS > Authentication page. [BNYF-9150]
Firmware Version 8.0
What's New in Version 8.0
- Authentication
- Proxy Authentication - The Proxy Authentication feature has been expanded to allow selection of LDAP groups for proxy authentication. Previously, only local users were supported. In version 8.0, administrators can apply LDAP authentication to remote/mobile users who are in the LDAP server, but are browsing outside of the network. This means that the Barracuda Web Security Gateway can be configured such that there are no unauthenticated users. See the USER/GROUPS > Configuration page and How to Configure Proxy Authentication for Chromebooks and Other Remote Users for more information.
- Wireless Access Point (WAP) Support - The WAP integration feature enables end users to surf as authenticated users via the Barracuda Web Security Gateway after authenticating against their WAP. This means that the user only needs to enter their credentials once as opposed to entering their credentials once for the WAP and then a second time to authenticate against the Barracuda Web Security Gateway. Each WAP can be configured to send its syslogs to the Barracuda Web Security Gateway on the network, which can then parse the logs for username and IP address of each authenticated user. This enables reporting on user browsing activity, bandwidth use, and more. See the USER/GROUPS > Configuration page and Wireless Access Point Integration for more information.
- User Interface
- Data Pattern Categorization - As data leaves the corporate network through a variety of web based applications, the network administrator can monitor data patterns for sensitive information to ensure compliance with corporate policies. This entails the monitoring and alerting of flagged specific data elements such as credit card numbers, social security numbers, privacy terms, and HIPAA compliance terms. See the BLOCK/ACCEPT > Web App Monitor page to configure and Data Pattern Categorization and the Barracuda Web Security Gateway for more information.
- Customizable Dashboards - In addition to the wealth of information available on the default dashboard (BASIC > Status page), the administrator can now also create multiple dashboards with summaries of just the information about web traffic and user activity that is of top priority. Choose from various reports showing specific user browsing, bandwidth and malware statistics in drag and drop layouts.
- Virtualization
- Support for Microsoft Hyper-V - See Hypervisor Compatibility and Deployment - VHD Package.
Fixed in Version 8.0
- YouTube Safety Mode operates per Google's new implementation of Safety Mode as of March 2014. [BNYF-8537]
- Log reports now show data in ascending order by date. [BNYF-8530]
- Reports can now be generated that include users found in nested organizational units (OU's) in the Active Directory structure. [BNYF-8379]
- Application Exceptions can now be set for specific IP groups. For example, FTP traffic can now be blocked based on the IP group of a particular user or set of users. [BNYF-8519]
- Temporary Access administrators can now log in to bypass block pages using their LDAP credentials even if the LDAP group they belong to is named with upper case letters. Previously, LDAP group names had to be in lower case. [BNYF-8504]
- Reports based on All Logged Users in the Limit Report field now return data. [BNYF-8458]
- Port 22 is no longer open for SSH access on the Barracuda Web Security Gateway. [BNYF-8175]
Version 8.0.0.004
- Limit Report To option for an Active Directory group limits based on Common Name (CN) as expected, instead of on sAMAccountName. [BNYF-8512]
- Overall improved reporting performance with larger data sets. [BNYF-8777]
- Web Log web interface improvements to display complete Category and Detail column information. [BNYF-8791]
- On the BASIC > Status page, in the Hourly Web Security Gateway Statistics section, the Top Blocked Requests graph no longer shows a No Data Available message if there are no blocked requests in the last hour. [BNYF-8811]
- On the BASIC > Reports page, the Exclude Days of Week option works as expected when multiple days are excluded. [BNYF-8828]
- Internal websites with short URLs resolve correctly by hostname and FQDNs are no longer needed. [BNYF-8832]
- The
Users By Requests report returns data for users with application logs, as expected. [BNYF-8862] - On the BASIC > Status page, dashboard data renders as expected when the customer's timezone is GMT :30 offset. [BNYF-8869]
- The BLOCK/ACCEPT > Exceptions page now lists users whose primary Group ID is not 513. [BNYF-8870]
- The reports Number of Sessions by Time of Day and Number of Sessions by Hour display as expected. [BNYF-8882]
- On the BASIC > Status page, the Top Users report runs and displays as expected for large numbers of users. [BNYF-8886]
- In the Barracuda Web Security Gateway Vx, synchronizing the configuration over a cluster of systems works as expected. [BNYF-8895]
Firmware Version 7.1.0
What's New in Version 7.1.0
- SSL Inspection
- The Barracuda Web Security Gateway 610 and 810 now support inline SSL Inspection. In previous releases, SSL Inspection was supported only in forward proxy deployments. Moreover, applications selected on the BLOCK/ACCEPT > Web App Control and Web App Monitor pages are now subject to SSL Inspection when the feature is enabled.
- The Barracuda Web Security Gateway 910, 1010, and 1011 now SSL inspects applications selected on the BLOCK/ACCEPT > Web App Control and Web App Monitor pages. Previously, only domains and categories (in forward proxy) were subject to SSL Inspection.
- The Barracuda Web Security Gateway 410 now supports SSL Inspection with inline or forward proxy deployments for Safe Browsing and YouTube for Schools.
- The Barracuda Web Security Agent (WSA) supports SSL Inspection in non-Policy Lookup Mode which inspects the traffic proxied by the agent.
Fixed in Version 7.1.0
- RAID status tools provide correct and consistent RAID status on the BASIC > Status page. [BNYF-8186]
- When a delegated admin is limited to a group, and that admin runs a report, the filter for Limit Access To (defined on the ADVANCED > Delegated Admin page) is correctly applied. [BNYF-7335]
- Exporting to a CSV file from the BASIC > Web Log page download process does not time out if the export takes more than 5 minutes. [BNYF-8178]
- The Manage and Monitor roles as defined on the ADVANCED > Delegated Admin page can create scheduled reports. [BNYF-8288]
- Backups created on older firmware will not work on the 7.1.0 release. The retrieval and backup works as expected as long as the backup files have been created with 7.1.0 release. [BNYF-8127]
Version 7.1.0.003
- Synchronized help page in web interface for ADVANCED > Temporary Access page. [BNYF-8425]
- Logging into the web interface with admin credentials, or getting redirected to a block page in a maximized IE8 browser does not cause the browser to crash. [BNYF-7982]
- The Warn block page triggered by a MIME type includes a Proceed button as expected. [BNYF-8450]
- The Windows Safari browser gets filtered as expected by the Barracuda WSA with the default option 'Filter Specified Applications And Allow All Others' configured on the ADVANCED > Remote Filtering page. [BNYF-8221]
- When a website is blocked for the reason of spyware, all buttons and the option to run the Barracuda Malware Removal Tool are present. [BNYF-8361]
Firmware Version 7.0.1
What's New in Version 7.0.1
- Captive Portal
See the BLOCK/ACCEPT > Configuration page for settings.- Option to apply Captive Portal to one or more IP Subnet/Groups (as defined on the USERS/GROUPS > IP Subnets/Groups page) as well as to unauthenticated users.
- Captive Portal access to the network can allow users to browse:
- Using their existing LDAP credentials to log in and be subject to Authenticated policies, OR
- Only as a Guest, OR
- Based on their choice, selecting either Guest or as Authenticated when presented with the Captive Portal splash/login page.
- Option to present a Logout button for the user on a block page that displays when a policy prevents the user from accessing a requested website or application. This allows for changing users/logins.
- Ability to exclude IP group(s) from Captive Portal.
- Temporary Access for Teachers, Students
- Admin has option to allow teachers to bypass block pages with login credentials instead of, or in addition to, using tokens to provide student access to requested websites. Teacher still has option to hand out tokens to students.
- Admin can designate entire LDAP groups as Temporary Access administrators. For example, the admin might create a group for the Science Dept. and assign all teachers in that group Temporary Access administrator rights.
- SSL inspection
Configure on ADVANCED > SSL Inspection page.- Ability to limit SSL Inspection of web traffic to specific users/groups. This new option provides 2 benefits:
- Enables the admin to better manage this resource-intensive feature.
- Prevents unauthenticated or guest users from getting certificate warnings when browsing over HTTPS because they do not have the root certificate installed in their browser. - Option to allow end users to download a root SSL certificate from their browsers. May also require authentication for certificate download. This option is useful if you choose to create a self-signed certificate on the Barracuda Web Security Gateway which needs to be pushed out to client browsers, instead of uploading a trusted certificate you buy from a certificate authority. Rather than pushing the self-signed certificate to browsers, you can enable users to download it.
- Ability to limit SSL Inspection of web traffic to specific users/groups. This new option provides 2 benefits:
- Reporting - Two new summary reports, aggregating existing reports for meaningful snapshots of network activity and Internet activity for the specified time frame.
Fixed in Version 7.0.1
- Significant performance improvement in rendering reports and statistics
- Faster reporting interface
- Faster rendering of statistics on the BASIC > Status page
- Faster log in to the web interface
- Status page
- Performance Statistics display and align properly. [BNYF-7742, BNYF-7750]
- Delay in page loading at Admin login fixed. [BNYF-7994]
- When Daily is selected in the Hourly Web Security Gateway Statistics section of the page, the list data is updated and displays the Top 10 records. [BNYF-7837, BNYF-7928]
- Reporting
- Network Activity Summary ad hoc report in PDF format loads and displays correctly. [BNYF-8004]
- Top Users by Requests to Spyware Sites ad hoc HTML report (Users by Spyware Requests report in version 6.0.1) shows accurate data when drilling down by Hour or Domains [BNYF-7771]
- Sessions by Users report is present. [BNYF-7747]
- Barracuda Cloud Control
When managing the Barracuda Web Security Gateway from Barracuda Appliance Control (BAC):- The Web Application Control page now displays blocked applications for both single and group view. [BNYF-7988]
- The BASIC > Status page correctly displays statistics. [BNYF-6233, BNYF-7295, BNYF-7413, BNYF-7412, BNYF-7750, BNYF-7795, BNYF-7837, BNYF-7876, BNYF-7874]
- The BASIC > Reports page aligns with the Barracuda Appliance Control display. [BNYF-7355, BNYF-7349, BNYF-7893]
- Ad hoc reports in HTML format display records correctly. [BNYF-7348]
- The User/Group Lookup button works properly on the BLOCK/ACCEPT > Exceptions page. [BNYF-6974]
- Policy remains as selected (either Unauthenticated or Authenticated) on BLOCK/ACCEPT > Web App Control page. [BNYF-7988]
- Miscellaneous
- Block page now renders with correct background color when user visits blocked websites. [BNYF-7993]
- Block page and log in process work properly with the IE8 browser. [BNYF-7982]
Firmware Version 7.0
What's New in Version 7.0
- User Interface
- New look and feel - The new Barracuda Web Security Gateway web interface is cleaner with a new color scheme, but is functionally the same with no changes to navigation.
- Enhanced Dashboard - View live feed of current TCP connections and graphs of blocked requests, user browse times and bandwidth usage for a quick picture of web traffic on your network.
- New controls for viewing logs and switching graph content type on-screen.
- Recent Flagged Terms - (Available on 610 and higher) This new section displays a list of the most used suspicious keyword terms in social media and search engine activities per settings on the BLOCK/ACCEPT > Web Application Monitor page. These terms are categorized in a suspicious keywords lexicon provided by Barracuda Networks and can be added to by creating a custom list on the BLOCK/ACCEPT > Web Application Monitor page.
- Improved reporting presentation tools as described below.
- Limited support for Barracuda Appliance Control (BAC). The new web interface includes several key enhancements, especially around the dashboard (BASIC > Status page). Future versions of the Barracuda Web Security Gateway firmware will fully support the new web interface. You can still join your Barracuda Web Security Gateway running version 7.0 to Barracuda Appliance Control, with limited feature support.
- Temporary Access for Teachers, Students - This feature replaces the Temporary Whitelist role. For research projects and other classroom needs, the Temporary Access Portal enables teachers to obtain student access, for a specified time period, to websites that are typically regulated by administrators. Administrators either create credentials for teachers, or teachers simply log into the portal via LDAP. From the portal teachers can request domains and/or categories of domains for temporary student access. The Temporary Access Portal issues a token for each request that the teacher can then give to students for bypassing block pages. See Temporary Access for Education in the Barracuda TechLibrary for details and workflow. To configure, see ADVANCED > Temporary Access. The BASIC > Temporary Access Requests log tracks activity by teachers who have been given credentials to request temporary access for their students. The log displays the status of tokens teachers create by username and date, including expiration date and time of tokens.
- Web Application Monitoring (Available on 610 and higher)
- Suspicious Keyword Alerts - Applies to terms categorized as related to cyberbullying, profanity, adult or terrorism in social media interactions. Barracuda Networks provides a lexicon of keywords you want the Barracuda Web Security Gateway to flag for generating email alerts when they appear in user social media interactions or search engine activities. You can add your own categories and lists of keywords as well. See the BLOCK/ACCEPT > Web App Monitor page for details and to configure. The BASIC > Status page includes a listing of the Recent Flagged Terms (Suspicious Keywords) identified in filtered traffic.
- New Web App Monitor Log page - This new page on the BASIC tab displays a log of all archived chat, email, user registrations and social media interaction traffic processed by the Barracuda Web Security Gateway. Configure which kinds of activities you want to capture on the BLOCK/ACCEPT > Web App Monitor page. Use the BASIC > Web App Monitor Log page to view these captured application interactions by date, source IP address, username and associated details.
- Enhanced HTTPS Filtering
- SSL Inspection - In addition to Forward Proxy deployments with the Barracuda Web Security Gateway 610 or higher, now also available for inline deployments on certain models. See Using SSL Inspection With the Barracuda Web Security Gateway or the ADVANCED > SSL Inspection page. Provides for granular control of web 2.0 applications over HTTPS as described above within Facebook, Google Apps, YouTube and more.
- HTTPS Block Page - A block page is presented when users attempt to visit a website over HTTPS that either poses a security risk, violates policy, or that falls under the Warn policy action. Using the HTTP block page template on the BLOCK/ACCEPT > Block Messages page, you can customize the text on the web page displayed by the Barracuda Web Security Gateway.
- Reporting
- New reporting engine with enhanced performance for fast response times.
- Enhanced PDF and HTML presentation with informative header, footer and easy-to-read layout.
- New report set - Organized for Productivity, Safety & Liability, Web Activity, Infection Activity and Administrative (Temporary Access Requests), including:
- Top Facebook Users by Browse Time
- Top Users by Bandwidth on Streaming Media Sites
- Top Gaming Domains by Requests
- Top Users by Requests to Spyware Sites
- Top Facebook Users by Browse Time
- Top Social Networking Domains by Requests
- Top Streaming Media Domains by Requests
- Top Streaming Media Domains by Bandwidth
- Top Users by Bandwidth on Gaming Sites
- Top Users by Blocked Requests
- Top Users by Browse Time on Gaming Sites
- Top Users by Browse Time on Streaming Media Sites
- Top Users by Browse Time on Social Networking Sites
- Top Users by Requests to Adult/Pornography/Nudity Sites
- Top Users by Requests to Anonymizer Sites
- Top Users by Requests to File Sharing/P2P Sites
- Top Users by Requests to Intolerance and Hate Sites
- Top Users by Requests to Weapons/Violence and Terrorism Sites
- Top Suspicious Keywords
- Suspicious Keywords by Users
- Top YouTube Users by Bandwidth
- Top YouTube Users by Browse Time
- Audit Log
- Temporary Access Request Log
- Categories By Temporary Access Requests
- Domains By Temporary Access Requests
- Users By Temporary Access Requests
- New Audit Log - The Barracuda Web Security Gateway maintains a log of events including logins/logouts and changes to configuration settings in conjunction with role-based administration. The new BASIC > Audit Log page lists these events including date, source IP address, username, role and associated details.
- Policy Rule Checking - From the ADVANCED > Troubleshooting page you can test policy rules applied to traffic on specified servers. You can verify access restrictions and exceptions that you define in the pages on the BLOCK/ACCEPT tab. The Policy Rule Check returns a list of all of the rules that would apply to traffic and actions (Monitor, Warn, or Deny) that would be taken based on the rule.
- Support for External ICAP servers - Ability to redirect traffic from the Barracuda Web Security Gateway to a 3rd party server. Select DLP, Antivirus, or other dedicated ICAP server on the ADVANCED > External Servers page. The Barracuda Web Security Gateway will first apply all configured policies to inbound or outbound traffic, and then forward the traffic to the specified ICAP server for DLP scanning, antivirus scanning or other processing.
Fixed in Version 7.0.0
Version 7.0.0.022
- Reordering of exceptions in the List of Exceptions table on the BLOCK/ACCEPT > Exceptions page works and displays properly. [BNYF-7940]
Version 7.0.0.021
- Improved performance by resolving issues with increased CPU usage. [BNYF-7678]
- Resolved issue with increased memory usage when running reports. [BNYF-7807]
Firmware Version 6.0.1
What's New in Version 6.0.1
- Safe Browsing and Remote User Access
- Barracuda Safe Browser Support - The Barracuda Safe Browser is a full-featured web browser, currently available for the iOS platform that is integrated with the Barracuda Web Security Gateway (as well as Barracuda Web Security Flex). Great for students and BYOD work environments, web requests made through the browser on a mobile device will automatically be filtered to block access to malicious web sites and to enforce compliance policies that you configure in the BLOCK/ACCEPT pages, just as you configure policies for any other traffic source.
- Web Security Agent - Version 4.2.3 of the Barracuda Web Security Agent supports Windows 8.
- Remote Devices - The Barracuda Web Security Gateway maintains a log of remote user and mobile device locations via the Barracuda Web Security Agent (WSA) and the Barracuda Safe Browser. Logged data includes the Username, Domain, Device Name, Device Type, IP Address, Location (link to Google Maps), and Last Seen date and time. This data is logged each time a remote user logs into the Barracuda WSA or the Barracuda Safe Browser, and when the mobile device synchronizes with Barracuda Web Security Gateway settings. See the ADVANCED > Remote Devices page to view.
- LDAP Authentication - New DC Agent
- DC Agent - The new DC Agent 6.0 provides the same integration as before of your domain controller with the Barracuda Web Security Gateway to enable use of single sign-on for your users. Except for remote installations (see below), the DC Agent requires Microsoft Windows Server 2003 with Service Pack 2 (SP2) or higher. See the USERS/GROUPS > Authentication page to configure.
- Windows Server 2012 support.
- New easy-to-use graphical interface.
- Improved stability and performance.
- Requires Microsoft .Net Framework 4.0 Client Profile.
- Remote installation requires Microsoft Windows 7 or higher. Also note that, for the remote installation of DC Agent, you MUST be a domain member to query the server.
- DC Agent - The new DC Agent 6.0 provides the same integration as before of your domain controller with the Barracuda Web Security Gateway to enable use of single sign-on for your users. Except for remote installations (see below), the DC Agent requires Microsoft Windows Server 2003 with Service Pack 2 (SP2) or higher. See the USERS/GROUPS > Authentication page to configure.
- Status page enhancement - The new Link Status section provides icons for LAN, WAN and AUX port connections where applicable. Hover the mouse over one of the port icons for a tool tip showing: eth1/eth2, IP Address, MAC Address, throughput, link Speed, duplex. Note that, for the Barracuda Web Security Gateway FX, only the LAN connection will be present.
- Creating Exceptions to Policy
From the BLOCK/ACCEPT > Exceptions page:
- HTTPS-based Policy - You can now create policy exceptions specific to HTTP traffic, HTTPS, or another legitimate URI scheme (e.g. SMB:\\) using the Protocol field. Note that Enable HTTPS Filtering must be enabled on the BLOCK/ACCEPT > Configuration page if HTTPS is selected.
- List of Exceptions table - New multiple-select capability allows for selecting and moving multiple items at one time to change order of precedence of exceptions.
- YouTube for Schools bypass - You can create an exception for a specific set of users to bypass the YouTube for Schools feature if it is enabled. This feature enables creation of a school account for access to YouTube EDU content as well as a customizable playlist of videos that will be viewable only within your own school network. You can learn more about what YouTube for Schools offers by visiting the YouTube for Schools website. For information about configuring this feature, see the Barracuda TechLibrary article How to Set Up YouTube for Schools.
Fixed in Version 6.0.1
Version 6.0.1.007:
- Enhancement: DC Agent version 6.0.0.32 now installs, if necessary, Microsoft .Net Framework 4.0 Client Profile.
- Enhancement: Download links for Web Security Agent are upgraded for better usability on the ADVANCED > Remote Filtering page.
- Fix: Barracuda Cloud Control no longer displays links from within the Barracuda Web Security Gateway view to download the Barracuda Web Security Agent or the Barracuda DC Agent. These agents must be downloaded via the local web interface of each Barracuda Web Security Gateway. [BNYF-6272]
- Fix: Improved policy engine stability. [BNYF-6257]
- Fix: The Barracuda Web Security Gateway properly re-categorizes domains when many custom categories are present, resulting in proper policy enforcement. [BNYF-6239]
- Fix: Web Log updates and filters as expected. [BNYF-6244], [BNYF-6282], [BNYF-6256]
- Fix: Web Application Monitor notifications are sent out as expected. [BNYF-6294]
- Fix: HTTPS access to the web interface (ADVANCED > Secure Administration page) works as expected. [BNYF-6233]
Version 6.0.1.001:
- Fix: Source IP blocking in Inline Mode works as expected. [BNYF-5802]
- Fix: Source IP exemptions in Forward Proxy Mode work as expected. [BNYF-5368]
- Fix: Login override through spyportal block page now works as expected with valid credentials. [BNYF-5582]
Firmware Version 6.0
What's New in Version 6.0
- User Interface
- Improved applications filtering interface. The BLOCK/ACCEPT > Applications page now provides block and allow actions for specific application traffic that is not browser-based. For example: Skype, Pandora, Adobe Acrobat, FTP. You can select from a pre-defined list of non-HTTP Web applications as well as submit a suggestion of an application that the Barracuda Web Security Gateway should block.
- Revised layout for ADVANCED > Remote Filtering page Barracuda Web Security Agent settings. Includes new support for Mac OS-X with the Barracuda Web Security Agent.
- Web Application Control
- Provides block and allow actions for web-based applications such as Facebook, MySpace, Twitter and others. You can, for example, allow users in the organization to log into Facebook to view and make status updates and use chat, while blocking games, shares and other Facebook apps to protect your network from viruses and malware. Couple this functionality with the powerful Web Application Monitor feature, which allows you to capture these social media interactions for archiving. Configure from the new BLOCK/ACCEPT > Web App. Control page.
- Web Application Monitoring
- Enables the capture of chat, email, user registrations and social media interactions on social media portals for the purpose of archiving and searching by source or content. The archiving repository can be your Barracuda Message Archiver, your Microsoft Exchange Server journaling tool or, for example, a system administrator email address. Configure from the BLOCK/ACCEPT > Web App. Monitor page.
Specify a Notification Email Address for archiving selected actions and associated content. The Barracuda Web Security Gateway will package each interaction as an SMTP message and email it to this address, which can then be marked for archiving. Use the Barracuda Message Archiver or other archiving solution to index messages for searching by source or content. Alerts can then be generated per policy you set in your archiving solution. Available on the Barracuda Web Security Gateway 610 and higher.
- Enables the capture of chat, email, user registrations and social media interactions on social media portals for the purpose of archiving and searching by source or content. The archiving repository can be your Barracuda Message Archiver, your Microsoft Exchange Server journaling tool or, for example, a system administrator email address. Configure from the BLOCK/ACCEPT > Web App. Monitor page.
- Enhanced HTTPS Filtering
- Support for HTTPS with WCCP deployment. HTTPS traffic will be filtered in WCCP deployment mode if Enable HTTPS Filtering is enabled from the BLOCK/ACCEPT > Configuration page.
- SSL Inspection. The Barracuda Web Security Gateway can decrypt HTTPS traffic at the URL level and apply policy accordingly. For Forward Proxy deployments only, this feature is configurable from the BLOCK/ACCEPT > Configuration page. To use SSL Inspection, you must also either upload a trusted or create a self-signed root certificate to install on all client browsers and other Barracuda Web Security Gateways (when using linked management). Configure SSL Inspection certs from the ADVANCED > SSL Inspection page. Available on the Barracuda Web Security Gateway 610 and higher.
Firmware Version 5.0
What's New in Version 5.0
- New role-based administration, configurable from the ADVANCED > Delegated Admin page
- Safe Browsing YouTube for Schools support. Create a YouTube for Schools account, then enable on the BLOCK/ACCEPT > Content Filter page.
- Ability to grant specific LDAP users access to the Barracuda Web Security Gateway Web interface
- LDAP OU (organizational unit) based policy and reporting
- Reporting enhancements
- Temporary whitelisting feature enabling an authorized user to temporarily allow content blocked by policy
- New email alerts summarizing policy violations
- Pre-population of Applications to Filter on the ADVANCED > Remote Filtering page
- Support for scheduling reports in non-English languages
- Improved DNS resolution
- Support for the IE9 browser for Web interface log pages
- Feature: Ability to configure Open Directory specifically
- Block page now supports more than 10 Existing Authentication Services
- Improved alignment for text based reports
- Added Web Security Agent (WSA) features:
- Support for Policy Lookup Only Mode
- Ability to synchronize configuration via a non-default HTTPS port
- Support for NTLM Authentication with Windows 2008 R2 Server
- Ability to use a non-standard SMB port for External Servers
- Backward Compatibility Support for OSX 10.5
- Use of the HH:MM:SS time format for logs exported to CSV file
- Support of PDF report format for the IE7 browser
- Support for export of filtered Web Logs to CSV format for IE8 and Firefox browsers
- The Calendar picker on BASIC > Reports page is compatible with Chrome browsers
- The Safe Mode setting has been removed as it is now handled automatically
- Some reports renamed for consistency and readability.
Fixed in Version 5.0.0
Version 5.0.0.016:
- Enhancement: Improved reporting performance.
- Fix: Improved web interface performance at high system loads.
Version 5.0.0.014:
- Enhancement: Support for YouTube for Schools tool (sign up at www.youtube.com/schools) as part of the Safe Browsing category. To use this feature, you must update your Category Definition version to 2.0.136 or newer on the ADVANCED > Energize Update page in the web interface AFTER you apply this firmware version.
Version 5.0.0.012:
- Fix: Application rule for day-based exceptions works as expected.
- Fix: When the timezone is set to be Eastern Time, traffic graphs are in sync instead of showing Pacific Time.
- Fix: 'WARN' traffic is logged correctly and the WARN activity report shows correct data.