Barracuda CloudGen Firewall

Get protection that goes beyond next-generation firewalls.


While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, Barracuda Advanced Threat Protection (ATP) implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered.

Barracuda ATP offers Administrators granular, file-type-based control including automatic quarantine and block-listing features to maintain the highest level of protection for an organization’s network.

Barracuda Advanced Threat Protection is an optional subscription.

Botnet and Spyware Protection guards against botnet infections by blocking access to malicious sites and servers, and detects potentially infected clients based on DNS Sinkholing technology. DNS Sinkholing blocks clients from accessing malicious domains by monitoring outbound DNS requests passing through the firewall. DNS requests to malicious domains are redirected to an internal sinkhole, thereby preventing data exfiltration and identifying the victim. Once an infected client is detected, it can be isolated automatically. An alert can also be created or reported by Barracuda Firewall Report Creator.

The Intrusion Detection and Prevention System (IDS/IPS) of Barracuda CloudGen Firewall strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases preventing network attacks such as:

  • SQL injections and arbitrary code executions
  • Access control attempts and privilege escalations
  • Cross-Site Scripting and buffer overflows
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Directory traversal and probing and scanning attempts
  • Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware

Barracuda CloudGen Firewall provides advanced attack and threat protection features such as:

  • Stream segmentation and packet anomaly protection
  • TCP split handshake protection
  • IP and RPC defragmentation
  • FTP evasion protection
  • URL and HTML decoding

As a result, Barracuda CloudGen Firewall is able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.

As part of Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that Barracuda CloudGen Firewall is constantly up-to-date. If the firewall unit is centrally managed, the updates are conveniently distributed by Barracuda Firewall Control Center.

In today’s world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks. With TCP SYN Flood Protection, Barracuda CloudGen Firewall effectively functions as a generic TCP proxy, forwarding only legitimate TCP traffic to the inside of the network.

Additionally, Barracuda CloudGen Firewall allows the definition of a rate limit that is applied to the maximum number of sessions per source address to be handled by the firewall. Packets arriving at a rate faster than allowed will simply be dropped. In a massive DDoS attack, the attackers may simply aim for saturating the link by transmitting vast numbers of UDP packets. The integrated environmental monitoring feature of Barracuda CloudGen Firewall diagnoses such conditions by link and target address monitoring. Once the response of a remote target address to regular ICMP probing fails, the system can be configured to activate different routes and uplinks (for example backup line, ISDN, xDSL). Using this feature, traffic will be unimpeded across unaffected lines and crucial site-to-site and site-to-Internet connectivity remains operational.

The Malware Protection built into Barracuda CloudGen Firewall shields the internal network from malicious content by scanning web content (HTTP and HTTPs), email (SMTP, POP3), and file transfers (FTP) via two fully integrated antivirus engines. Barracuda Malware protection is based on regular signature updates as well as advanced heuristics to detect malware or other potentially unwanted programs even before signatures are available. Barracuda Malware Protection covers viruses, worms, Trojans, malicious java applets, and programs using known exploits on PDF, picture and office documents, macro viruses, and many more, even when using stealth or morphing techniques for obfuscation.

All Barracuda CloudGen Firewall models can apply IPS, Virus Protection, Application Control, URL Filter and even Advanced Threat Protection to SSL encrypted web traffic using the standard ' trusted man-in-the-middle' approach. SSL Interception can be fine-tuned to exempt local networks, users/groups, URL Filter categories or custom defined domains from SSL Inspection.

At the heart of every Barracuda CloudGen Firewall is a high performance stateful deep packet inspection engine examining the header as well as the data part of every passing packet. Malformed packets are disregarded, protecting the infrastructure behind the Barracuda device against network level attacks. Protocol compliant packages are then checked to match any of the defined firewall rules.

Once a data packet is opened up for inspection by the Firewall, all other security inspection mechanisms like IPS/IDS, anti-virus are also applied to the packet or stream of consecutive packets. Security inspection is done in single pas mode without the need to hand over to a separate proxy.

Multi-factor authentication (MFA) has become the standard for preventing unauthorized access to company critical information. Barracuda CloudGen Firewall supports and enforces multi factor authentication methods for protected resources, SSL-VPN as well as VPN connections. This makes the need for purchasing an additional multi-factor authentication or identity access management (IAM) solution obsolete.

Time-based one-time passwords (TOTP) are commonly used for two-factor authentication and is today the de-facto standard for multi factor authentication methods as used by cloud application providers. Every Barracuda CloudGen Firewall includes an advanced multi-factor authentication function using the TOTP algorithm to protect company critical resources as well as SSL-VPN and VPN connections from unauthorized use.

Connectivity & SD-WAN

If Dynamic Bandwidth & Latency Detection indicates the measured bandwidth of an uplink is not sufficient to sustain the minimally required business critical traffic (e.g., VoIP), Barracuda CloudGen Firewall automatically shifts sessions for non-business critical traffic to secondary links to free up bandwidth for critical traffic.

Barracuda CloudGen Firewall uses dynamic bandwidth and latency detection to automatically balance existing sessions inside logical VPN tunnels across all available uplinks. This real-time balancing optimizes network efficiency and bandwidth usage at any given moment.

A unique combination of next-generation security and adaptive WAN routing technology allows Barracuda CloudGen Firewall to dynamically assign available bandwidth, uplink, and routing information based not only on protocol, user, location, and content, but also on applications, application categories, and even web content categories. This keeps expensive, highly available lines free for business- and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.

To view a complete list of applications and sub-applications that are covered by Application-Based Routing, please check the Online Application Explorer.

Barracuda CloudGen Firewall combines a comprehensive set of advanced security features with capabilities that support the Software-Defined Wide-Area Network (SD-WAN). SD-WAN capabilities allow CloudGen Firewalls to create secure pathways across both multiple WAN connections and multiple carriers, without the involvement of typical high-management overhead. Advanced load sharing lets you use multiple WAN connections simultaneously and distribute encrypted VPN tunnels across multiple WAN connections. Built-in compression, caching, and WAN optimization technologies significantly increase your available bandwidth. These capabilities reduce your need for expensive leased lines, consolidate multiple security functions into a single device, and create a unified management framework—all of which results in significant cost savings for your organization.

SD-WAN NSS Labs Recommendation

In order to achieve the best possible user experience across the Wide Area Network, all Barracuda CloudGen Firewall models pro-actively measure the available bandwidths and latency between VPN endpoints. The results are directly available to the firewall policy engine to select the best suitable uplink per application or disqualify an uplink if the bandwidth or latency fall outside of acceptable limits.

Barracuda CloudGen Firewall copies packets and sends them simultaneously through the selected primary and secondary VPN transports. Both packet streams are reassembled at the other end of the logical VPN tunnel. This significantly reduces packet loss for applications like VoIP or video streaming. It also provides instant failover—with no packets dropped—in case one VPN transport of a logical VPN tunnel goes down.

In order to achieve the best possible user experience across your WAN, all Barracuda CloudGen Firewall models are able to detect available bandwidths and latency between VPN endpoints in real time. The firewall policy engine is able to dynamically select the most suitable uplink for each application, or to disqualify an uplink if bandwidth or latency is outside defined limits. In addition, if the measured bandwidth of an uplink is not sufficient to sustain business-critical traffic (e.g., VoIP), the CloudGen Firewall automatically shifts sessions for non-critical traffic to secondary links, to free up high-quality bandwidth for critical traffic.

Due to the limitations that come with standard IPsec connections, Barracuda Networks has created several powerful extensions to standard IPsec tunnel management. This core of Barracuda Firewall VPN Engine is called TINA (Transport Independent Network Architecture). The TINA protocol allows the use of TCP, UDP, and ESP for high speed VPN connections, which improves the VPN connectivity substantially by adding:

  • Endpoint-to-Endpoint (not network-to-network) connectivity
  • NAT friendliness
  • Multiple physical transport paths for a logical tunnel
  • Multiple tunnels between two locations
  • HTTPS and SOCKS4/5 proxy compatibility
  • Dynamic Address Support
  • Tunnel heartbeat monitoring

Create highly reliable and secure site-to-site connections between on-premises firewalls (both hardware and virtual appliances). Site-to-site connectivity also includes public cloud offerings like Amazon Web Services and Microsoft Azure. But it is not just about maintaining static site-to-site VPN tunnels. Having a hub-and-spoke VPN setup allows you to create tunnels automatically and on-demand between connected nodes in order to avoid the hub turning into a bottleneck. You thereby ensure low latency connections for VoIP applications, for example. As soon as the connection is no longer required, the VPN tunnel is automatically closed again. Administrators naturally have full real-time visibility into the dynamic mesh VPN setup.

To ensure unbeatable, cost-efficient connectivity, Barracuda CloudGen Firewall provides a wide range of built-in uplink options including unlimited leased lines, up to twelve DHCP uplinks, and up to four xDSL uplinks. By eliminating the need to purchase additional devices for link balancing, security-conscious customers have access to a WAN connection that never goes down, even if one or two of the existing WAN uplinks are severed. In addition, traffic intelligence mechanisms ensure that the next-defined uplink is activated on the fly and that all traffic is rerouted to make full use of the remaining lines. In the event that backup lines provide less bandwidth, intelligent traffic shaping automatically prioritizes business-critical applications, networks, or distinct endpoints.

Limited network resources make bandwidth prioritization a necessity. Barracuda CloudGen Firewall provides strong Quality of Service (QoS) that lets the administrator apply quality aspects and service guarantees to selected traffic flows within the WAN. QoS is often used to prioritize the network traffic of applications that are critical and must not be affected by the network traffic of other applications.

Barracuda CloudGen Firewall provides a large set of QoS techniques, such as traffic shaping, traffic prioritization, and bandwidth partitioning, which assigns a bandwidth limit to certain types of traffic. To select traffic for different priority classes, the available real-time traffic analysis can be used to identify whether network traffic was sent by business-critical applications or by potentially unwanted applications.

Barracuda CloudGen Firewall can significantly enhance the WAN performance of distributed network environments by improving the availability, performance, and response time of business-critical applications by lowering throughput and transmission delays, affecting time-sensitive decisions and enterprise profitability. The next-generation networking concept of Barracuda CloudGen Firewall provides a set of powerful features to efficiently reduce and offset the negative effects of high latencies and response times.

By implementing enterprise-grade WAN acceleration features such as data deduplication, traffic compression, and protocol optimization, Barracuda CloudGen Firewalls can significantly improve site-to-site WAN traffic and increase productivity by accelerating the delivery of business applications - at no extra charge. WAN traffic can be effectively compressed up to 95 percent, significantly reducing the bandwidth needed at remote locations while increasing network responsiveness.

With Azure Virtual WAN, Microsoft and Barracuda CloudGen Firewall automate the process of building secure, high-performance branch-to-branch and branch-to-cloud networks. Support for Azure Virtual WAN fully automates the creation of company-wide secure WANs using Azure’s high-performance fiber backbone. Every Barracuda CloudGen Firewall supports Azure vWAN, and Barracuda Firewall Control Center provides central orchestration, management, and maintenance.

By combining Azure vWAN and CloudGen Firewall, you get:

  • Fully automated rollout of branch-to-branch connectivity
  • Fully automated rollout of branch-to-Azure connectivity
  • Scalability to thousands of remote locations
  • Active-active IPsec VPN connections to Azure vWAN for uninterrupted connectivity
  • Azure Office 365 local breakout policy integration for optimized application performance
  • Optimized routing and minimal latency for branch-to-branch and branch-to-Azure connectivity
  • Unified network and security policy management across the company-wide WAN

About optimizing application traffic:

Azure vWAN Office 365 policies let you specify what type of application traffic to route through your paid subscription and what application traffic to optimize for direct internet breakouts. Barracuda CloudGen Firewall integrates to the Office 365 policy service provided by Azure, detects if the traffic falls in the “optimize” category, and routes traffic directly to the nearest Office 365 access points dynamically provided by the service. This ensure Office 365 traffic is always sent to the Office 365 service with the best possible round-trip time, resulting in the best possible user experience.

Secure VPN tunnels between Barracuda CloudGen Firewall appliances, regardless if in the cloud, across multiple clouds or on premises are created programmatically on demand via API or command line. This enables automation across the whole enterprise and automation of DevOps processes.

To extend the SASE service at line speed to every site device and overcome limitations introduced by traditional SD-WAN technology based on shared uplinks like broadband, CloudGen Firewall features uplink optimization technology with Forward Error Correction and self-healing traffic intelligence. This allows using the available physical bandwidth more effectively and expanding the benefits of SD-WAN to sites with single uplinks as well as optimized utilization of shared uplinks.

Adaptive Session Balancing technology ensures using the best available uplink for the application profile, for all encrypted tunnels across SD-WAN sites. If the health state of the initial uplink recovers, encrypted SD-WAN traffic transparently switches back to this uplink. Application-based routing, factoring in the results of Dynamic Bandwidth and Latency Detection, applies the same concept for outbound internet traffic, ensuring that SaaS applications like Office 365 are always leveraging the best available uplink, even when conditions change frequently.

Secure SD-WAN connections with Barracuda CloudGen Firewall are designed for high-speed networking across shared lossy lines such as internet broadband or 4G/5G. The underlying forward error correcting (FEC) technology to remediate packet loss is based on a new set of algorithms in the category of random linear network codes (RLNC). Algorithms based on RLNC codes react much faster to losses, remediate these faster on the fly, requiring fewer packet retransmissions and reducing overhead on the devices. This results in high quality voice and video calls even in high packet loss scenarios and with many subscribers on the shared line.

Intelligent Network Perimeters

Barracuda CloudGen Firewall combines Deep Packet Inspection (DPI) and behavioral traffic analysis to reliably detect and classify thousands of applications and sub-applications, regardless of advanced obfuscation, port hopping techniques, or encryption. It allows the creation of dynamic policies and facilitates establishing and enforcing access and use policies for users and groups by application, application category, location, and time of day. Administrators can now:

  • Block unwanted applications for certain users or groups
  • Control and throttle acceptable traffic
  • Preserve bandwidth and speed-up business-critical applications to ensure business continuity
  • Enable or disable specific application sub-functions (e.g., Facebook Chat, YouTube Postings, or MSN file transfers)
  • Intercept SSL-encrypted application traffic

Barracuda CloudGen Firewall features advanced application-based routing path selection and Quality of Service (QoS) capabilities. These provide additional business value in addition to security by significantly improving network quality and availability, as well as reducing direct line cost due to bandwidth saved.

For rich reporting and drill-down capabilities, the CloudGen Firewall comes with real-time and historical application visibility that shows application traffic on the corporate network, thus providing a basis for deciding which connections should be given bandwidth prioritization, crucial to QoS optimization for business-critical applications. Furthermore, it allows adjusting and refining the corporate application use policies.

For an up-to-date list of applications and sub-applications that are pre-loaded into Application Control, please check the Online Application Explorer.

The deep application context analysis allows for deeper inspection of the application data stream by continually evaluating the actual intention of applications and the respective users. Administrators can thereby gain detailed insight into what a specific application was used for or if a user was trying to circumvent the corporate application usage policy.

Barracuda CloudGen Firewall includes true file-type detection and enforcement capabilities based not only on extension and MIME type, but also on sophisticated true file-type detection algorithms. Bypassing executable files by renaming or compressing is detected and blocked. In addition to blocking / allowing connections, the CloudGen Firewall also lets admins change download priorities. If, for example, an ISO image started downloading with normal web traffic priority, the admin can increase or decrease the assigned bandwidth, even though the user started downloading via a regular web-browsing session.

In addition to the thousands of applications pre-loaded in Application Control, Barracuda CloudGen Firewall makes it easy for you to create your own application definitions tailored to your specific needs.

To view a complete list of applications and sub-applications that are included under Application Control, please check the Online Application Explorer.

Different network users may need different bandwidth-use rules. Most often, access to certain network resources is limited to certain users or user groups. Preferential allocation of more bandwidth to certain users or user groups and a limitation of available bandwidth for others is a common requirement. It requires the network device to know what user an IP actually belongs to.

Barracuda CloudGen Firewall are fully user-identity aware by linking a user to one or several IP addresses. Any role assignments that result from identity communicated to the firewall by our health agents can be used within the firewall to facilitate role-based access control (RBAC). CloudGen Firewalls support authentication of users and enforcement of user-aware firewall rules, web security gateway settings, and Application Control 2.0 using Active Directory, NTLM, MS CHAP, RADIUS, RSA SecurID, LDAP/LDAPS, TACACS+, as well as authentication with x.509 certificates.

The Web Security Gateway option of the CloudGen Firewall enables highly granular, real-time visibility into online activity broken down by individual users and applications, letting administrators create and enforce effective Internet content and access policies. It protects user productivity, blocks malware downloads and other web-based threats, and enables compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.

Every Barracuda CloudGen Firewall includes an Authoritative DNS server to allow intelligent responses to DNS requests by evaluating link state and source IP address before answering the DNS request. This allows e.g. to operate one or multiple web servers or web services protected by Barracuda CloudGen Firewall. By providing different answers to new DNS requests pointing towards alternate servers or links, an efficient server-based load balancing can be implemented without the need for additional hardware or service.

Every Barracuda CloudGen Firewall includes a DNS server to cache and speed up frequently requested DNS requests in the network. The DNS server can function as master, slave, forwarder or a simple cache. The DNS server supports multiple domains as well as DNS doctoring.

Remote Access

The influx of private computing devices, from smartphones to laptops and tablets, into the workplace may help increase productivity, flexibility, and convenience. However, BYOD adds new security challenges and risks, such as enabling and controlling access, as well as preventing data loss.

Barracuda CloudGen Firewall provides strong capabilities to give users the full advantage of their devices while reducing possible risks to the business. Unwanted applications can be blocked, LAN segmentation can protect sensitive data, and network access control can check the health state of each device connecting to the corporate network.

Barracuda CloudGen Firewall incorporates advanced site-to-site and client-to-site VPN capabilities, using both SSL and IPsec protocols to ensure remote users can easily and securely access network resources without complex client configuration and management. Every CloudGen Firewall unit supports an unlimited number of VPN clients at no extra cost.

Barracuda VPN Client also provides the ability to enforce Windows Security Center settings on client machines running Windows. This allows administrators to centrally enforce the usage of Windows Security settings on PCs. The enforced policies can include enabling the Microsoft Network Firewall, Windows Updates, Windows Virus Protection, Windows Spyware Protection, and Internet Security Settings.

Barracuda VPN Clients are available for Microsoft Windows, Mac OS, and various Linux systems.

The optional Advanced Remote Access subscription for Barracuda CloudGen Firewall adds a customizable and easy-to-use portal-based SSL VPN as well as sophisticated Network Access Control (NAC) functionality.

Barracuda Network Access Client, when used with Barracuda CloudGen Firewall, provides centrally managed Network Access Control (NAC) and an advanced personal firewall. This allows enforcement of minimum Windows client security prerequisites before being allowed access to the network or access to a quarantine network. Security posture can be specified according to available Windows patch level, availability of antivirus and/or anti-spyware, and user ID. Access restrictions are enforced locally on the client by the centrally managed personal Windows firewall as well as at the gateway. Using existing Barracuda CloudGen Firewall appliances, Barracuda Networks offers a ready-to-use Network Access Control framework without expensive investments into the basic network infrastructure. All Barracuda Network Access Clients as well as all Barracuda CloudGen Firewall units acting as policy servers can be administered, monitored, and reviewed from a single Barracuda Firewall Control Center.

Gain easy access to your organization’s applications via SSL VPN connections. Barracuda‘s Mobile Portal enables you to set up shortcuts on the home screen of devices such as smartphones or tablets. When accessing the portal via the web browser on a mobile device, users can browse apps, network folders and files as if they were connected to the office network.

The Mobile Portal supports most commonly used devices, e.g., Apple iOS, Android, and Blackberry devices.

Barracuda’s Mobile Portal is an optional feature included with the optional Advanced Remote Access subscription.

CudaLaunch is an application for Windows, macOS, iOS, and Android devices that provides mobile workers secure remote access through Barracuda CloudGen Firewall to their organization’s private cloud applications and other sensitive information. CudaLaunch provides several benefits over traditional browser-based SSL VPN remote access. As an app, it provides a familiar app store setup and install experience for end users.

Unlike browser-based remote access, CudaLaunch provides a more responsive look and feel that is unified across mobile platforms and avoids the idiosyncrasies of mobile browsers. Once an end user starts the app, a swipeable launchpad provides quick and easy access to internal applications, favorites, and TINA VPN connections (which securely connect the device to your corporate network). This richer VPN connection supports mobile apps that connect back to the corporate network (like remote desktop apps).

Designed to be completely self-configuring, CudaLaunch includes easy central management for large deployments and integrates with the powerful security features of Barracuda CloudGen Firewall. For IT administrators, the firewall provides one place to manage security policies for all types of remote access (CudaLaunch, SSL VPN, Barracuda Network Access Client, and standard IPsec). The end user experience is consistent across platforms and remote access types, making for ease of use and significantly lower support costs. The self-configuration and management of VPN connections eliminates the need to manually configure IPsec connections on Windows, macOS, iOS, and Android, making setup fast and easy.

More information on CudaLaunch is available here.

The app is available for free at:

Mac App Store (macOS)

Windows Store (Windows)

(Also available as a standalone app that requires no installation; therefore, there are no local admin rights. This version is available on the Barracuda Cloud Control only for windows version.)

App Stores (iOS)

Google Play (Android)

Please note that CudaLaunch requires Barracuda CloudGen Firewall firmware 6.1.1 and an active Advanced Remote Access subscription.

Barracuda Secure Connector appliances are purpose-built ultra-compact edge devices for the Industrial Internet of Things and SoHo use cases. They are designed to provide edge compute capabilities and backhaul all traffic to CloudGen Firewall units (Appliance, Vx or Cloud) or dedicated Secure Access Controllers for scalability. CloudGen Firewall and Secure Access Controller units apply full security inspection.

More information on Secure Connector appliances is available here.

Management & Automation

Barracuda Firewall Control Center provides 100% central management of all CloudGen Firewall functions, regardless if configuration of security, content, traffic management, networking, access policies or software updates.

Barracuda Firewall Control Center helps reducing the cost associated with security & lifecycle management while providing enhanced troubleshooting and connectivity functionality, both centrally and locally, at the managed gateway.

Barracuda CloudGen Firewalls can automatically translate IP addresses and network addresses to a human-readable format. For example, “EMEA:UK:OXFORD:MARKETING:PRINTER” clearly indicates the location and the device in question at a glance.

Barracuda Firewall Control Center allows you to create re-usable objects for any configuration entry imaginable: IP address, networks, ranges, DNS names, content security policies, network security policies etc.

These objects can be created once and reused in subsequent configurations nodes. For example, if there is an object Internal_Network_Branchname as a network object, it can be referenced in the network settings, firewall rules, and VPN settings. If the object needs to be changed, it only needs to be changed once, preferably on the Firewall Control Center. Then, the changes will be automatically applied at every location where the object is referenced. This provides a faster, easier, and more convenient method of changing configuration services across multiple units.

When configuring multiple CloudGen Firewalls across the WAN, there will always be components that the firewall have in common, such as domain names, DNS servers, NTP servers, application security configurations, URL filter configurations, and so on. Barracuda Firewall Control Center collects all of these in a repository (global configuration node) linked to multiple Barracuda CloudGen Firewalls. Using repositories on the Firewall Control Center, an administrator can update thousands of firewalls with just a single change in the repository.

Repositories still provide the flexibility to override specific settings on specific firewalls. For example, if one location uses a different DNS server than the others, you can create an explicit overwrite for just this setting on this single firewall.

Barracuda Firewall Control Center provides centralized software updates for all centrally managed CloudGen Firewall units. Updates can be scheduled for a specific time and even just for specific subsets of remote CloudGen Firewall units. In case a software updates is not successful, it is automatically rolled back and reported.

Just like on Barracuda CloudGen Firewall, Barracuda Firewall Control Center allows simultaneous login of multiple administrators in “writing mode”. This is useful in MSSP and multi-admin environments where there is a greater likelihood of administrators managing systems in teams. Once a change needs to be made, only the dedicated configuration node needs to be locked for changing by the admin actually performing the change. All other settings outside of this locked configuration node are still viewable and modifiable by other admins logged on to the system.

Barracuda Firewall Control Center provides extensive role-based administration benefits. Administrators can be assigned specific roles such as: - MSSP Admin - Customer Admin - Log Viewer - Auditor - Content Filter Admin In addition, custom roles for special needs with special privileges can also be created. For example, you can define services to delegate specific tasks to a dedicated team or end user. If one team or end user wants to be able to change firewall rules, a specific customer administrator role can be created that is allowed only to change this particular portion of the configuration. The admin may then review all other configurations, but will not be allowed to change anything else.

Barracuda Firewall Control Center units C610/VC610 and higher provide special handling for multi-tenant management, allowing for a MSSP to be able to easily manage multiple customers on the same Barracuda Firewall Control Center . For example, administrators of Customer 1 will not be able to see anything from Customer 2 and vice versa. There is no limit to how many customers can be administered with one Barracuda Firewall Control Center .

The default screen for every Barracuda Firewall Control Center displays a status overview of all centrally managed Barracuda CloudGen Firewall units. The status is visualized via a traffic light concept (red, yellow, green) and is provided for individual units, clusters, and whole tenant installations (called “Ranges”). The “worst” status always wins, effectively allowing the administrator to have a centralized view of the overall status and to be able to dig deeper with only a few mouse clicks.

Barracuda Firewall Control Center allows the creation of a global firewall ruleset that is installed on all machines it is applied to. In addition, local and special rule sets can be be installed on specific boxes only. For example: The MSSP has a Network Operation Center (NOC) to monitor all services provided to a customer. In this environment, there are global firewall rules that allow every kind of monitoring connection and local firewall rules specific to a customer. The MSSP can determine whether global or local rules take precedent depending on the customer. This provides an added level of granularity for configuration because there are special rules defined for each customer to allow traffic to pass through the firewall. With this feature, the MSSP can be sure that there is a reliable monitoring and log flow. This is required for providing as well as demonstrating proof of service level agreements to customers.

The security landscape just never stop changing. That is why Barracuda Networks constantly introduces and releases new exciting features and improved security functionalities for all its CloudGen Firewalls through its Energize Updates subscription. But when you have dozens or even thousands of devices managed in a company’s WAN network, some devices, networks, or even branches will inevitably run older firmware versions level than certain devices that require the most up-to-date technology. Fortunately, Barracuda Firewall Control Center is backwards compatible to older firmware versions deployed for at least three years, effectively easing the process of needing to upgrade across the organization.

On both Barracuda Firewall Control Center and all Barracuda CloudGen Firewall units, all administrator actions can be logged and changes can be selectively rolled back if required. In case a rollback is required, the administrator has the option to rollback all changes or only specific ones (such as firewall rules) while leaving the network settings untouched.

Barracuda Firewall Control Center VPN Graphical Tunnel Interface (GTI) provides a graphical interface to create and manage VPN tunnels. When configuring VPN tunnels manually, there are many identical configuration steps and settings. But since the GTI Editor eliminates many of these redundant steps, you can configure VPN tunnels more quickly and with less errors.

With a pool license, the license of Barracuda CloudGen Firewall is tied to the Firewall Control Center, not to the serial number and hardware combination. So in case of hardware failure, a new appliance can be deployed without being relicensed. This is great for managed security services providers because they can optimize license usage.

For more details, please refer to the White Paper Barracuda Enterprise and Service Provider Licensing.

Zero Touch Deployment lets you deploy appliance units directly from the factory to the desired remote location without requiring on-site IT personnel. Simply connect the unit and power it up, and it will automatically select the suitable uplink to the internet and retrieve the appropriate configuration from the Firewall Control Center . With no need for manual configuration on-site, zero-touch deployment allows you to deploy CloudGen Firewalls across widely distributed organizations at very low cost.

Barracuda CloudGen Firewall features a full set of well-documented automation APIs. The Automation APIs included with every CloudGen Firewall allow endusers as well as service partners to automate the management of their devices, across the complete lifecycle. This enables faster deployment, enhanced consistency in management and more rapid adoption of configuration changes for on-premises, virtual as well as cloud-hosted devices.


For on-the-fly reporting and drill-down capabilities, Barracuda CloudGen Firewall comes with real-time and historical application visibility that show live and recent application traffic on the corporate network. These can be interactively filtered and drilled down for more details. This helps admins to decide which application connections should be given bandwidth prioritization and who is currently violating acceptable use policies.

Barracuda Firewall Report Creator is a standalone application recommended for reporting on a single appliance or up to few dozen appliances of Barracuda CloudGen Firewall. This free tool creates customized reports using statistics and logs collected directly from the deployed firewalls.

Configuration allows each report to analyze multiple appliances, using custom or predefined report data templates, and a customizable layout and delivery method. Custom reports can include the following information:

  • User activity reports – include information on traffic caused by individual users, IP addresses or networks, or active directory user groups.
  • Address activity reports – include information for accessed URL categories per source IP address or source network.
  • URL category reports – include information on which URLs out of a specific category were accessed based on source IP address or source network.
  • Application category reports – include information on detected application categories.
  • Application property reports – include information on top blocked or allowed application properties.
  • Applications reports – include information on detected applications in a specific application category per source IP address or source network.
  • Security reports – include IPS patterns, virus scanner engine, and ATP threat reports.
  • VPN usage reports – include information on usage of TINA client-to-site and site-to-site tunnels.

Firewall Report creator is included in the CloudGen Firewall base license.

Please go to for the free-of-charge download.

Barracuda CloudGen Firewall allows leveraging Tufin SecureTrack to view, search and track changes in the corporate security infrastructure, and detect misconfigurations, such as rule permissiveness, shadowing, and more. This vendor-agnostic management platform gives the visibility and control needed to ensure seamless protection, availability of applications and data, and excellent user experience in heterogeneous, multi-vendor, and multi-platform infrastructures.

About Tufin

With over 2,000 customers since its inception, Tufin’s network security automation enables enterprises to implement changes in minutes instead of days, while improving their security posture and business agility. Learn more at