Advanced Threat Protection

While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, the Barracuda Advanced Threat Protection (ATP)implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered.

The Barracuda ATP offers Administrators granular, file-type-based control including automatic quarantine and blacklisting features to maintain the highest level of protection for an organization’s network.

The Barracuda Advanced Threat Protection is an optional subscription.

Botnet and Spyware Protection

Botnet and Spyware Protection guards against botnet infections by blocking access to malicious sites and servers, and detects potentially infected clients based on DNS Sinkholing technology. DNS Sinkholing blocks clients from accessing malicious domains by monitoring outbound DNS requests passing through the firewall. DNS requests to malicious domains are redirected to an internal sinkhole, thereby preventing data exfiltration and identifying the victim. Once an infected client is detected, it can be isolated automatically. An alert can also be created or reported by the Barracuda Firewall Report Creator.

Intrusion Detection and Prevention

The Intrusion Detection and Prevention System (IDS/IPS) of the CloudGen Firewall strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases preventing network attacks such as:

  • SQL injections and arbitrary code executions
  • Access control attempts and privilege escalations
  • Cross-Site Scripting and buffer overflows
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Directory traversal and probing and scanning attempts
  • Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware

Barracuda CloudGen Firewall provides advanced attack and threat protection features such as:

  • stream segmentation and packet anomaly protection
  • TCP split handshake protection
  • IP and RPC defragmentation
  • FTP evasion protection
  • URL and HTML decoding

As a result, the Barracuda CloudGen Firewall is able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.

As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that the Barracuda CloudGen Firewall is constantly up-to-date. If the firewall unit is centrally managed, the updates are conveniently distributed by the Barracuda Firewall Control Center.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Protection

In today’s world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks. With TCP SYN Flood Protection, the Barracuda CloudGen Firewall effectively functions as a generic TCP proxy, forwarding only legitimate TCP traffic to the inside of the network.

Additionally, Barracuda CloudGen Firewall allows the definition of a rate limit that is applied to the maximum number of sessions per source address to be handled by the firewall. Packets arriving at a rate faster than allowed will simply be dropped. In a massive DDoS attack, the attackers may simply aim for saturating the link by transmitting vast numbers of UDP packets. The integrated environmental monitoring feature of the Barracuda CloudGen Firewall diagnoses such conditions by link and target address monitoring. Once the response of a remote target address to regular ICMP probing fails, the system can be configured to activate different routes and uplinks (for example backup line, ISDN, xDSL). Using this feature, traffic will be unimpeded across unaffected lines and crucial site-to-site and site-to-Internet connectivity remains operational.

Malware Protection

The Malware Protection built into the Barracuda CloudGen Firewall shields the internal network from malicious content by scanning web content (HTTP and HTTPs), email (SMTP, POP3), and file transfers (FTP) via two fully integrated antivirus engines. Barracuda Malware protection is based on regular signature updates as well as advanced heuristics to detect malware or other potentially unwanted programs even before signatures are available. Barracuda Malware Protection covers viruses, worms, Trojans, malicious java applets, and programs using known exploits on PDF, picture and office documents, macro viruses, and many more, even when using stealth or morphing techniques for obfuscation.

SSL Interception

All Barracuda CloudGen Firewall models can apply IPS, Virus Protection, Application Control, URL Filter and even Advanced Threat Protection to SSL encrypted web traffic using the standard ‘ trusted man-in-the-middle’ approach. SSL Interception can be fine-tuned to exempt local networks, users/groups, URL Filter categories or custom defined domains from SSL Inspection.

Stateful Deep Packet Inspection Firewall

At the heart of every Barracuda CloudGen Firewall is a high performance stateful deep packet inspection engine examining the header as well as the data part of every passing packet. Malformed packets are disregarded, protecting the infrastructure behind the Barracuda device against network level attacks. Protocol compliant packages are then checked to match any of the defined firewall rules.

Single Pass Architecture

Once a data packet is opened up for inspection by the Firewall, all other security inspection mechanisms like IPS/IDS, anti-virus are also applied to the packet or stream of consecutive packets. Security inspection is done in single pas mode without the need to hand over to a separate proxy.

Connectivity & SD-WAN

Adaptive Bandwidth Protection

If Dynamic Bandwidth & Latency Detection indicates the measured bandwidth of an uplink is not sufficient to sustain the minimally required business critical traffic (e.g., VoIP), the Barracuda CloudGen Firewall automatically shifts sessions for non-business critical traffic to secondary links to free up bandwidth for critical traffic.

Adaptive Session Balancing

The Barracuda CloudGen Firewall uses dynamic bandwidth and latency detection to automatically balance existing sessions inside logical VPN tunnels across all available uplinks. This real-time balancing optimizes network efficiency and bandwidth usage at any given moment.

Application-Based Routing

A unique combination of next-generation security and adaptive WAN routing technology allows Barracuda CloudGen Firewall to dynamically assign available bandwidth, uplink, and routing information based not only on protocol, user, location, and content, but also on applications, application categories, and even web content categories. This keeps expensive, highly available lines free for business- and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.

To view a complete list of applications and sub-applications that are covered by Application-Based Routing, please check the Online Application Explorer.

Secure SD-WAN

The Barracuda CloudGen Firewall combines a comprehensive set of advanced security features with capabilities that support the Software-Defined Wide-Area Network (SD-WAN). SD-WAN capabilities allow CloudGen Firewalls to create secure pathways across both multiple WAN connections and multiple carriers, without the involvement of typical high-management overhead. Advanced load sharing lets you use multiple WAN connections simultaneously and distribute encrypted VPN tunnels across multiple WAN connections. Built-in compression, caching, and WAN optimization technologies significantly increase your available bandwidth. These capabilities reduce your need for expensive leased lines, consolidate multiple security functions into a single device, and create a unified management framework—all of which results in significant cost savings for your organization.

Dynamic Bandwidth & Latency Detection

In order to achieve the best possible user experience across the Wide Area Network, all Barracuda CloudGen Firewall models pro-actively measure the available bandwidths and latency between VPN endpoints. The results are directly available to the firewall policy engine to select the best suitable uplink per application or disqualify an uplink if the bandwidth or latency fall outside of acceptable limits.

Traffic Duplication

The Barracuda CloudGen Firewall copies packets and sends them simultaneously through the selected primary and secondary VPN transports. Both packet streams are reassembled at the other end of the logical VPN tunnel. This significantly reduces packet loss for applications like VoIP or video streaming. It also provides instant failover—with no packets dropped—in case one VPN transport of a logical VPN tunnel goes down.

Performance Based Transport Selection

In order to achieve the best possible user experience across your WAN, all Barracuda CloudGen Firewall models are able to detect available bandwidths and latency between VPN endpoints in real time. The firewall policy engine is able to dynamically select the most suitable uplink for each application, or to disqualify an uplink if bandwidth or latency is outside defined limits. In addition, if the measured bandwidth of an uplink is not sufficient to sustain business-critical traffic (e.g., VoIP), the CloudGen Firewall automatically shifts sessions for non-critical traffic to secondary links, to free up high-quality bandwidth for critical traffic.


Due to the limitations that come with standard IPsec connections, Barracuda Networks has created several powerful extensions to standard IPsec tunnel management. This core of the Barracuda Firewall VPN Engine is called TINA (Transport Independent Network Architecture). The TINA protocol allows the use of TCP, UDP, and ESP for high speed VPN connections, which improves the VPN connectivity substantially by adding:

  • Endpoint-to-Endpoint (not network-to-network) connectivity
  • NAT friendliness
  • Multiple physical transport paths for a logical tunnel
  • Multiple tunnels between two locations
  • HTTPS and SOCKS4/5 proxy compatibility
  • Dynamic Address Support
  • Tunnel heartbeat monitoring

Site-to-Site Connectivity

Create highly reliable and secure site-to-site connections between on-premises firewalls (both hardware and virtual appliances). Site-to-site connectivity also includes public cloud offerings like Amazon Web Services and Microsoft Azure. But it is not just about maintaining static site-to-site VPN tunnels. Having a hub-and-spoke VPN setup allows you to create tunnels automatically and on-demand between connected nodes in order to avoid the hub turning into a bottleneck. You thereby ensure low latency connections for VoIP applications, for example. As soon as the connection is no longer required, the VPN tunnel is automatically closed again. Administrators naturally have full real-time visibility into the dynamic mesh VPN setup.

Failover and Link Balancing

To ensure unbeatable, cost-efficient connectivity, the Barracuda CloudGen Firewall provides a wide range of built-in uplink options including unlimited leased lines, up to twelve DHCP uplinks, and up to four xDSL uplinks. By eliminating the need to purchase additional devices for link balancing, security-conscious customers have access to a WAN connection that never goes down, even if one or two of the existing WAN uplinks are severed. In addition, traffic intelligence mechanisms ensure that the next-defined uplink is activated on the fly and that all traffic is rerouted to make full use of the remaining lines. In the event that backup lines provide less bandwidth, intelligent traffic shaping automatically prioritizes business-critical applications, networks, or distinct endpoints.

Traffic Shaping and Quality of Service

Limited network resources make bandwidth prioritization a necessity. The Barracuda CloudGen Firewall provides strong Quality of Service (QoS) that lets the administrator apply quality aspects and service guarantees to selected traffic flows within the WAN. QoS is often used to prioritize the network traffic of applications that are critical and must not be affected by the network traffic of other applications.

Barracuda CloudGen Firewall provides a large set of QoS techniques, such as traffic shaping, traffic prioritization, and bandwidth partitioning, which assigns a bandwidth limit to certain types of traffic. To select traffic for different priority classes, the available real-time traffic analysis can be used to identify whether network traffic was sent by business-critical applications or by potentially unwanted applications.

Intelligent Network Perimeters

Application Control

Barracuda CloudGen Firewall combines Deep Packet Inspection (DPI) and behavioral traffic analysis to reliably detect and classify thousands of applications and sub-applications, regardless of advanced obfuscation, port hopping techniques, or encryption. It allows the creation of dynamic policies and facilitates establishing and enforcing access and use policies for users and groups by application, application category, location, and time of day. Administrators can now:

  • Block unwanted applications for certain users or groups
  • Control and throttle acceptable traffic
  • Preserve bandwidth and speed-up business-critical applications to ensure business continuity
  • Enable or disable specific application sub-functions (e.g., Facebook Chat, YouTube Postings, or MSN file transfers)
  • Intercept SSL-encrypted application traffic

Barracuda CloudGen Firewall features advanced application-based routing path selection and Quality of Service (QoS) capabilities. These provide additional business value in addition to security by significantly improving network quality and availability, as well as reducing direct line cost due to bandwidth saved.

For rich reporting and drill-down capabilities, the CloudGen Firewall comes with real-time and historical application visibility that shows application traffic on the corporate network, thus providing a basis for deciding which connections should be given bandwidth prioritization, crucial to QoS optimization for business-critical applications. Furthermore, it allows adjusting and refining the corporate application use policies.

For an up-to-date list of applications and sub-applications that are pre-loaded into Application Control, please check the Online Application Explorer.

Deep Application Context

The deep application context analysis allows for deeper inspection of the application data stream by continually evaluating the actual intention of applications and the respective users. Administrators can thereby gain detailed insight into what a specific application was used for or if a user was trying to circumvent the corporate application usage policy.

File Content Enforcement

Barracuda CloudGen Firewall includes true file-type detection and enforcement capabilities based not only on extension and MIME type, but also on sophisticated true file-type detection algorithms. Bypassing executable files by renaming or compressing is detected and blocked. In addition to blocking / allowing connections, the CloudGen Firewall also lets admins change download priorities. If, for example, an ISO image started downloading with normal web traffic priority, the admin can increase or decrease the assigned bandwidth, even though the user started downloading via a regular web-browsing session.

Custom Application Definitions

In addition to the thousands of applications pre-loaded in Application Control, Barracuda CloudGen Firewall makes it easy for you to create your own application definitions tailored to your specific needs.

To view a complete list of applications and sub-applications that are included under Application Control, please check the Online Application Explorer.

User Identity Awareness

Different network users may need different bandwidth-use rules. Most often, access to certain network resources is limited to certain users or user groups. Preferential allocation of more bandwidth to certain users or user groups and a limitation of available bandwidth for others is a common requirement. It requires the network device to know what user an IP actually belongs to.

Barracuda CloudGen Firewall are fully user-identity aware by linking a user to one or several IP addresses. Any role assignments that result from identity communicated to the firewall by our health agents can be used within the firewall to facilitate role-based access control (RBAC). CloudGen Firewalls support authentication of users and enforcement of user-aware firewall rules, web security gateway settings, and Application Control 2.0 using Active Directory, NTLM, MS CHAP, RADIUS, RSA SecurID, LDAP/LDAPS, TACACS+, as well as authentication with x.509 certificates.

Web Filtering

The Web Security Gateway option of the CloudGen Firewall enables highly granular, real-time visibility into online activity broken down by individual users and applications, letting administrators create and enforce effective Internet content and access policies. It protects user productivity, blocks malware downloads and other web-based threats, and enables compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.

Remote Access

BYOD (Bring Your Own Device)

The influx of private computing devices, from smartphones to laptops and tablets, into the workplace may help increase productivity, flexibility, and convenience. However, BYOD adds new security challenges and risks, such as enabling and controlling access, as well as preventing data loss.

Barracuda CloudGen Firewall provides strong capabilities to give users the full advantage of their devices while reducing possible risks to the business. Unwanted applications can be blocked, LAN segmentation can protect sensitive data, and network access control can check the health state of each device connecting to the corporate network.

Secure Remote Access

Barracuda CloudGen Firewall incorporates advanced site-to-site and client-to-site VPN capabilities, using both SSL and IPsec protocols to ensure remote users can easily and securely access network resources without complex client configuration and management. Every CloudGen Firewall unit supports an unlimited number of VPN clients at no extra cost.

The Barracuda VPN Client also provides the ability to enforce Windows Security Center settings on client machines running Windows. This allows administrators to centrally enforce the usage of Windows Security settings on PCs. The enforced policies can include enabling the Microsoft Network Firewall, Windows Updates, Windows Virus Protection, Windows Spyware Protection, and Internet Security Settings.

Barracuda VPN Clients are available for Microsoft Windows, Mac OS, and various Linux systems.

Network Access Control

The optional Advanced Remote Access subscription for Barracuda CloudGen Firewall adds a customizable and easy-to-use portal-based SSL VPN as well as sophisticated Network Access Control (NAC) functionality.

The Barracuda Network Access Client, when used with the CloudGen Firewall, provides centrally managed Network Access Control (NAC) and an advanced personal firewall. This allows enforcement of minimum Windows client security prerequisites before being allowed access to the network or access to a quarantine network. Security posture can be specified according to available Windows patch level, availability of antivirus and/or anti-spyware, and user ID. Access restrictions are enforced locally on the client by the centrally managed personal Windows firewall as well as at the gateway. Using existing Barracuda CloudGen Firewall appliances, Barracuda Networks offers a ready-to-use Network Access Control framework without expensive investments into the basic network infrastructure. All Barracuda Network Access Clients as well as all Barracuda CloudGen Firewall units acting as policy servers can be administered, monitored, and reviewed from a single Barracuda Firewall Control Center.

Mobile Portal

Gain easy access to your organization’s applications via SSL VPN connections. Barracuda‘s Mobile Portal enables you to set up shortcuts on the home screen of devices such as smartphones or tablets. When accessing the portal via the web browser on a mobile device, users can browse apps, network folders and files as if they were connected to the office network.

The Mobile Portal supports most commonly used devices, e.g., Apple iOS, Android, and Blackberry devices.

Barracuda’s Mobile Portal is an optional feature included with the optional Advanced Remote Access subscription.


CudaLaunch is an application for Windows, macOS, iOS, and Android devices that provides mobile workers secure remote access through the Barracuda CloudGen Firewall to their organization’s private cloud applications and other sensitive information. CudaLaunch provides several benefits over traditional browser-based SSL VPN remote access. As an app, it provides a familiar app store setup and install experience for end users.

Unlike browser-based remote access, CudaLaunch provides a more responsive look and feel that is unified across mobile platforms and avoids the idiosyncrasies of mobile browsers. Once an end user starts the app, a swipeable launchpad provides quick and easy access to internal applications, favorites, and TINA VPN connections (which securely connect the device to your corporate network). This richer VPN connection supports mobile apps that connect back to the corporate network (like remote desktop apps).

Designed to be completely self-configuring, CudaLaunch includes easy central management for large deployments and integrates with the powerful security features of the CloudGen Firewall. For IT administrators, the firewall provides one place to manage security policies for all types of remote access (CudaLaunch, SSL VPN, Barracuda Network Access Client, and standard IPsec). The end user experience is consistent across platforms and remote access types, making for ease of use and significantly lower support costs. The self-configuration and management of VPN connections eliminates the need to manually configure IPsec connections on Windows, macOS, iOS, and Android, making setup fast and easy.

More information on CudaLaunch is available here.

The app is available for free at:

Mac App Store (macOS)

Windows Store (Windows)

(Also available as a standalone app that requires no installation; therefore, there are no local admin rights. This version is available on the Barracuda Cloud Control only for windows version.)

App Stores (iOS)

Google Play (Android)

Please note that CudaLaunch requires Barracuda CloudGen Firewall firmware 6.1.1 and an active Advanced Remote Access subscription.

Central Management

100% Scalability

Barracuda Firewall Control Center provides 100% central management of all CloudGen Firewall functions, regardless if configuration of security, content, traffic management, networking, access policies or software updates.

The Barracuda Firewall Control Center helps reducing the cost associated with security & lifecycle management while providing enhanced troubleshooting and connectivity functionality, both centrally and locally, at the managed gateway.

IP-Less Networking

Barracuda CloudGen Firewalls can automatically translate IP addresses and network addresses to a human-readable format. For example, “EMEA:UK:OXFORD:MARKETING:PRINTER” clearly indicates the location and the device in question at a glance.

Object-Based Management

Barracuda Firewall Control Center allows you to create re-usable objects for any configuration entry imaginable: IP address, networks, ranges, DNS names, content security policies, network security policies etc.

These objects can be created once and reused in subsequent configurations nodes. For example, if there is an object Internal_Network_Branchname as a network object, it can be referenced in the network settings, firewall rules, and VPN settings. If the object needs to be changed, it only needs to be changed once, preferably on the Firewall Control Center. Then, the changes will be automatically applied at every location where the object is referenced. This provides a faster, easier, and more convenient method of changing configuration services across multiple units.


When configuring multiple CloudGen Firewalls across the WAN, there will always be components that the firewall have in common, such as domain names, DNS servers, NTP servers, application security configurations, URL filter configurations, and so on. The Barracuda Firewall Control Center collects all of these in a repository (global configuration node) linked to multiple Barracuda CloudGen Firewalls. Using repositories on the Firewall Control Center, an administrator can update thousands of firewalls with just a single change in the repository.

Repositories still provide the flexibility to override specific settings on specific firewalls. For example, if one location uses a different DNS server than the others, you can create an explicit overwrite for just this setting on this single firewall.

Centralized Software Updates

The Barracuda Firewall Control Center provides centralized software updates for all centrally managed CloudGen Firewall units. Updates can be scheduled for a specific time and even just for specific subsets of remote CloudGen Firewall units. In case a software updates is not successful, it is automatically rolled back and reported.

Multi-Administrator Login

Just like on the CloudGen Firewall , the Barracuda Firewall Control Center allows simultaneous login of multiple administrators in “writing mode”. This is useful in MSSP and multi-admin environments where there is a greater likelihood of administrators managing systems in teams. Once a change needs to be made, only the dedicated configuration node needs to be locked for changing by the admin actually performing the change. All other settings outside of this locked configuration node are still viewable and modifiable by other admins logged on to the system.

Role-Based Admin Capabilities

Barracuda Firewall Control Center provides extensive role-based administration benefits. Administrators can be assigned specific roles such as: – MSSP Admin – Customer Admin – Log Viewer – Auditor – Content Filter Admin In addition, custom roles for special needs with special privileges can also be created. For example, you can define services to delegate specific tasks to a dedicated team or end user. If one team or end user wants to be able to change firewall rules, a specific customer administrator role can be created that is allowed only to change this particular portion of the configuration. The admin may then review all other configurations, but will not be allowed to change anything else.


Barracuda Firewall Control Center units C610/VC610 and higher provide special handling for multi-tenant management, allowing for a MSSP to be able to easily manage multiple customers on the same Barracuda Firewall Control Center . For example, administrators of Customer 1 will not be able to see anything from Customer 2 and vice versa. There is no limit to how many customers can be administered with one Barracuda Firewall Control Center .

Status Map

The default screen for every Barracuda Firewall Control Center displays a status overview of all centrally managed Barracuda CloudGen Firewall units. The status is visualized via a traffic light concept (red, yellow, green) and is provided for individual units, clusters, and whole tenant installations (called “Ranges”). The “worst” status always wins, effectively allowing the administrator to have a centralized view of the overall status and to be able to dig deeper with only a few mouse clicks.

Distributed Firewall

Barracuda Firewall Control Center allows the creation of a global firewall ruleset that is installed on all machines it is applied to. In addition, local and special rule sets can be be installed on specific boxes only. For example: The MSSP has a Network Operation Center (NOC) to monitor all services provided to a customer. In this environment, there are global firewall rules that allow every kind of monitoring connection and local firewall rules specific to a customer. The MSSP can determine whether global or local rules take precedent depending on the customer. This provides an added level of granularity for configuration because there are special rules defined for each customer to allow traffic to pass through the firewall. With this feature, the MSSP can be sure that there is a reliable monitoring and log flow. This is required for providing as well as demonstrating proof of service level agreements to customers.

Multi-Revision Management

The security landscape just never stop changing. That is why Barracuda Networks constantly introduces and releases new exciting features and improved security functionalities for all its CloudGen Firewalls through its Energize Updates certified technicians subscription. But when you have dozens or even thousands of devices managed in a company’s WAN network, some devices, networks, or even branches will inevitably run older firmware versions level than certain devices that require the most up-to-date technology. Fortunately, the Barracuda Firewall Control Center is backwards compatible to older firmware versions deployed for at least three years, effectively easing the process of needing to upgrade across the organization.

Revision Control System (RCS)

On both Barracuda Firewall Control Center and all Barracuda CloudGen Firewall units, all administrator actions can be logged and changes can be selectively rolled back if required. In case a rollback is required, the administrator has the option to rollback all changes or only specific ones (such as firewall rules) while leaving the network settings untouched.

Drag & Drop VPN GTI Editor

The Barracuda Firewall Control Center VPN Graphical Tunnel Interface (GTI) provides a graphical interface to create and manage VPN tunnels. When configuring VPN tunnels manually, there are many identical configuration steps and settings. But since the GTI Editor eliminates many of these redundant steps, you can configure VPN tunnels more quickly and with less errors.

With a pool license, the license of Barracuda CloudGen Firewall is tied to the Firewall Control Center, not to the serial number and hardware combination. So in case of hardware failure, a new appliance can be deployed without being relicensed. This is great for managed security services providers because they can optimize license usage.

For more details, please refer to the White Paper Barracuda Enterprise and Service Provider Licensing.

Zero Touch Deployment (ZTD)

Zero Touch Deployment lets you deploy appliance units directly from the factory to the desired remote location without requiring on-site IT personnel. Simply connect the unit and power it up, and it will automatically select the suitable uplink to the internet and retrieve the appropriate configuration from the Firewall Control Center . With no need for manual configuration on-site, zero-touch deployment allows you to deploy CloudGen Firewalls across widely distributed organizations at very low cost.