Barracuda NextGen Firewall F-Series

Advanced Security and Traffic Control for Distributed Enterprises

Free Trial


Advanced Threat Protection

While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, the Barracuda Advanced Threat Protection (ATP) implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered.

The Barracuda ATP offers Administrators granular, file-type-based control including automatic quarantine and blacklisting features to maintain the highest level of protection for an organization’s network.

The Barracuda Advanced Threat Protection is an optional subscription.

Back to top

Application Control

The Barracuda NextGen Firewall F-Series combines Deep Packet Inspection (DPI) and behavioral traffic analysis to reliably detect and classify thousands of applications and sub-applications, regardless of advanced obfuscation, port hopping techniques, or encryption. It allows the creation of dynamic policies and facilitates establishing and enforcing access and use policies for users and groups by application, application category, location, and time of day. Administrators can now:

  • Block unwanted applications for certain users or groups
  • Control and throttle acceptable traffic
  • Preserve bandwidth and speed-up business-critical applications to ensure business continuity
  • Enable or disable specific application sub-functions (e.g., Facebook Chat, YouTube Postings, or MSN file transfers)
  • Intercept SSL-encrypted application traffic

The Barracuda NextGen Firewall F-Series features advanced application-based routing path selection and Quality of Service (QoS) capabilities. These provide additional business value in addition to security by significantly improving network quality and availability, as well as reducing direct line cost due to bandwidth saved.

For rich reporting and drill-down capabilities, the F-Series comes with real-time and historical application visibility that shows application traffic on the corporate network, thus providing a basis for deciding which connections should be given bandwidth prioritization, crucial to QoS optimization for business-critical applications. Furthermore, it allows adjusting and refining the corporate application use policies.

For an up-to-date list of applications and sub-applications that are pre-loaded into Application Control, please check the Online Application Explorer.

Back to top

Deep Application Context

The deep application context analysis allows for deeper inspection of the application data stream by continually evaluating the actual intention of applications and the respective users. Administrators can thereby gain detailed insight into what a specific application was used for or if a user was trying to circumvent the corporate application usage policy.

Back to top

Personalized Application Control

In addition to the thousands of applications pre-loaded in Application Control, the Barracuda NextGen Firewall F-Series makes it easy for you to create your own application definitions tailored to your specific needs.

To view a complete list of applications and sub-applications that are included under Application Control, please check the Online Application Explorer.

Back to top

User Identity Awareness

Different network users may need different bandwidth-use rules. Most often, access to certain network resources is limited to certain users or user groups. Preferential allocation of more bandwidth to certain users or user groups and a limitation of available bandwidth for others is a common requirement. It requires the network device to know what user an IP actually belongs to.

Barracuda NextGen Firewall F-Series are fully user-identity aware by linking a user to one or several IP addresses. Any role assignments that result from identity communicated to the firewall by our health agents can be used within the firewall to facilitate role-based access control (RBAC). F-Series firewalls support authentication of users and enforcement of user-aware firewall rules, web security gateway settings, and Application Control 2.0 using Active Directory, NTLM, MS CHAP, RADIUS, RSA SecurID, LDAP/LDAPS, TACACS+, as well as authentication with x.509 certificates.

Back to top


The Barracuda NextGen Report Creator is a free tool that allows administrators to collect and consolidate traffic and application usage statistics from multiple Barracuda NextGen Firewall F-Series units and to create easy-to-read reports in PDF format. Report tasks can be scheduled at various times during the day or week and distributed automatically via email. Besides predefined out-of-the-box reports such as Top Applications, Top Blocked URL Categories and Websites, Top Users by Bandwidth, as well as activity reports for specific users, the reporting engine provides customizable granular reports on user activity, activities during last day/week/month, etc.

Back to top

Intrusion Detection and Prevention

The Intrusion Detection and Prevention System (IDS/IPS) of the F-Series strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases preventing network attacks such as:

  • SQL injections and arbitrary code executions
  • Access control attempts and privilege escalations
  • Cross-Site Scripting and buffer overflows
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Directory traversal and probing and scanning attempts
  • Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware

Barracuda NextGen Firewall F-Series provides advanced attack and threat protection features such as:

  • stream segmentation and packet anomaly protection
  • TCP split handshake protection
  • IP and RPC defragmentation
  • FTP evasion protection
  • URL and HTML decoding

As a result, the Barracuda NextGen Firewall F-Series is able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.

As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that the Barracuda NextGen Firewall F-Series is constantly up-to-date. If the firewall unit is centrally managed, the updates are conveniently distributed by the Barracuda F-Series Control Center.

Back to top

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Protection

In today’s world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks. With TCP SYN Flood Protection, the Barracuda NextGen Firewall F-Series effectively functions as a generic TCP proxy, forwarding only legitimate TCP traffic to the inside of the network.

Additionally, the F-Series allows the definition of a rate limit that is applied to the maximum number of sessions per source address to be handled by the firewall. Packets arriving at a rate faster than allowed will simply be dropped. In a massive DDoS attack, the attackers may simply aim for saturating the link by transmitting vast numbers of UDP packets. The integrated environmental monitoring feature of the Barracuda NextGen Firewall F-Series diagnoses such conditions by link and target address monitoring. Once the response of a remote target address to regular ICMP probing fails, the system can be configured to activate different routes and uplinks (for example backup line, ISDN, xDSL). Using this feature, traffic will be unimpeded across unaffected lines and crucial site-to-site and site-to-Internet connectivity remains operational.

Back to top

Web Filtering

The Web Security Gateway option of the F-Series firewall enables highly granular, real-time visibility into online activity broken down by individual users and applications, letting administrators create and enforce effective Internet content and access policies. It protects user productivity, blocks malware downloads and other web-based threats, and enables compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.

Back to top

Malware Protection

The Malware Protection built into the Barracuda NextGen Firewall F-Series shields the internal network from malicious content by scanning web content (HTTP and HTTPs), email (SMTP, POP3), and file transfers (FTP) via two fully integrated antivirus engines. Malware protection is based on regular signature updates as well as advanced heuristics to detect malware or other potentially unwanted programs even before signatures are available. Barracuda F-Series Malware Protection covers viruses, worms, Trojans, malicious java applets, and programs using known exploits on PDF, picture and office documents, macro viruses, and many more, even when using stealth or morphing techniques for obfuscation.

Back to top

Application-Based Routing

A unique combination of next-generation security and adaptive WAN routing technology allows the Barracuda NextGen Firewall F-Series to dynamically assign available bandwidth, uplink, and routing information based not only on protocol, user, location, and content, but also on applications, application categories, and even web content categories. This keeps expensive, highly available lines free for business- and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.

To view a complete list of applications and sub-applications that are covered by Application-Based Routing, please check the Online Application Explorer. Back to top

Traffic Shaping and Quality of Service

Limited network resources make bandwidth prioritization a necessity. The Barracuda NextGen Firewall F-Series provides strong Quality of Service (QoS) that lets the administrator apply quality aspects and service guarantees to selected traffic flows within the WAN. QoS is often used to prioritize the network traffic of applications that are critical and must not be affected by the network traffic of other applications.

The F-Series provides a large set of QoS techniques, such as traffic shaping, traffic prioritization, and bandwidth partitioning, which assigns a bandwidth limit to certain types of traffic. To select traffic for different priority classes, the available real-time traffic analysis can be used to identify whether network traffic was sent by business-critical applications or by potentially unwanted applications.

Back to top

Failover and Link Balancing

To ensure unbeatable, cost-efficient connectivity, the Barracuda NextGen Firewall F-Series provides a wide range of built-in uplink options including unlimited leased lines, up to twelve DHCP uplinks, and up to four xDSL uplinks. By eliminating the need to purchase additional devices for link balancing, security-conscious customers have access to a WAN connection that never goes down, even if one or two of the existing WAN uplinks are severed. In addition, traffic intelligence mechanisms ensure that the next-defined uplink is activated on the fly and that all traffic is rerouted to make full use of the remaining lines. In the event that backup lines provide less bandwidth, intelligent traffic shaping automatically prioritizes business-critical applications, networks, or distinct endpoints.

Back to top

WAN Optimization

The Barracuda NextGen Firewall F-Series can significantly enhance the WAN performance of distributed network environments by improving the availability, performance, and response time of business-critical applications by lowering throughput and transmission delays, affecting time-sensitive decisions and enterprise profitability. The next-generation networking concept of the F-Series provides a set of powerful features to efficiently reduce and offset the negative effects of high latencies and response times.

By implementing enterprise-grade WAN acceleration features such as data deduplication, traffic compression, and protocol optimization, the F-Series firewalls can significantly improve site-to-site WAN traffic and increase productivity by accelerating the delivery of business applications - at no extra charge. WAN traffic can be effectively compressed up to 95 percent, significantly reducing the bandwidth needed at remote locations while increasing network responsiveness.

Back to top

Microsoft Azure

As organizations have adopted virtualization for their server infrastructures, there has been a corresponding trend to extend the benefits of virtualization to the security layer.

Barracuda’s award-winning security solutions are available as virtual appliances to help organizations in Microsoft Azure for establishing site-to-site and/or client-to-site connections to Azure and creating a DMZ in Azure to implement an additional high-security layer.

Barracuda NextGen Firewall F-Series virtual appliances are complete solutions, eliminating the need for installing, configuring, and integrating disparate operating systems, databases, system management, and application software. In addition, Barracuda virtual appliances come “locked down” from a security perspective, built from the ground up on the Barracuda OS, a hardened Linux operating kernel and optimized to run seamlessly within virtualized environments.

Back to top

Amazon EC2

Besides VMware, KVM, and XenServer, the Barracuda NextGen Firewall F Series is fully compatible for use in Amazon Elastic Compute Cloud (EC2).

F-Series virtual appliances are complete solutions, eliminating the need for installing, configuring, and integrating disparate operating systems, databases, system management, and application software. In addition, Barracuda Networks virtual appliances come “locked down” from a security perspective, built from the ground up on the Barracuda OS, a hardened Linux operating kernel and optimized to run seamlessly within virtualization environments.

Back to top

BYOD (Bring Your Own Device)

The influx of private computing devices, from smartphones to laptops and tablets, into the workplace may help increase productivity, flexibility, and convenience. However, BYOD adds new security challenges and risks, such as enabling and controlling access, as well as preventing data loss.

The Barracuda NextGen Firewall F-Series provides strong capabilities to give users the full advantage of their devices while reducing possible risks to the business. Unwanted applications can be blocked, LAN segmentation can protect sensitive data, and network access control can check the health state of each device connecting to the corporate network.

Back to top

Secure Remote Access

The Barracuda NextGen Firewall F-Series incorporates advanced site-to-site and client-to-site VPN capabilities, using both SSL and IPsec protocols to ensure remote users can easily and securely access network resources without complex client configuration and management. Every F-Series firewall unit supports an unlimited number of VPN clients at no extra cost.

The Barracuda VPN client also provides the ability to enforce Windows Security Center settings on client machines running Windows. This allows administrators to centrally enforce the usage of Windows Security settings on PCs. The enforced policies can include enabling the Microsoft Network Firewall, Windows Updates, Windows Virus Protection, Windows Spyware Protection, and Internet Security Settings.

Barracuda VPN Clients are available for Microsoft Windows, Mac OS, and various Linux systems.

Back to top

Network Access Control

The optional Advanced Remote Access subscription for the Barracuda NextGen Firewall F-Series adds a customizable and easy-to-use portal-based SSL VPN as well as sophisticated Network Access Control (NAC) functionality.

The Barracuda Network Access Client, when used with the F-Series firewall, provides centrally managed Network Access Control (NAC) and an advanced personal firewall. This allows enforcement of minimum Windows client security prerequisites before being allowed access to the network or access to a quarantine network. Security posture can be specified according to available Windows patch level, availability of antivirus and/or anti-spyware, and user ID. Access restrictions are enforced locally on the client by the centrally managed personal Windows firewall as well as at the gateway. Using existing Barracuda NextGen Firewall F-Series appliances, Barracuda Networks offers a ready-to-use Network Access Control framework without expensive investments into the basic network infrastructure. All Barracuda Network Access Clients as well as all Barracuda NextGen Firewall F-Series units acting as policy servers can be administered, monitored, and reviewed from a single Barracuda F-Series Control Center.

Back to top

Scalable Deployment

Managing the security issues in a widely distributed enterprise network can be painful and extremely time-consuming. Managing a system may take only 15 minutes per day. But having 20 firewall systems in place results in five hours per day – just to manage the existing system. With the Barracuda NextGen Control Center, managing mulitple Barracuda NextGen Firewall F-Seriess takes the same amount of time as managing one.

  • Create pre-configured templates for easy-rollout.
  • Have all information about the enterprise security deployment available in real time.
  • Create reports of either one or all Barracuda NextGen Firewall F-Seriess.
Back to top

Lifecycle Management

Scalable F-Series firewalls offer companies sustainable investment protection. Energize Updates automatically provide the latest firmware and threat definitions to keep the appliance up-to-date. With a maintained Instant Replacement subscription, organizations receive a new appliance with the latest specs every four years.

Back to top

Revision Control System, Audit, and Reporting

The integrated revision control system increases auditing ease for the infrastructure and cuts overhead. Additionally, the revision control system for all changes provides compliance with governmental and company policy requirements. Comprehensive reporting makes bandwidth usage and all other security-related information visible, reportable, and easy to read.

Back to top

Mobile Portal

Gain easy access to your organization’s applications via SSL VPN connections. Barracuda‘s Mobile Portal enables you to set up shortcuts on the home screen of devices such as smartphones or tablets. When accessing the portal via the web browser on a mobile device, users can browse apps, network folders and files as if they were connected to the office network.

The Mobile Portal supports most commonly used devices, e.g., Apple iOS, Android, and Blackberry devices.

Barracuda’s Mobile Portal is an optional feature included with the optional Advanced Remote Access subscription.

Back to top


Due to the limitations that come with standard IPsec connections, Barracuda Networks has created several powerful extensions to standard IPsec tunnel management. This core of the Barracuda F-Series VPN engine is called TINA (Transport Independent Network Architecture). The TINA protocol allows the use of TCP, UDP, and ESP for high speed VPN connections, which improves the VPN connectivity substantially by adding:

  • Endpoint-to-Endpoint (not network-to-network) connectivity
  • NAT friendliness
  • Multiple physical transport paths for a logical tunnel
  • Multiple tunnels between two locations
  • HTTPS and SOCKS4/5 proxy compatibility
  • Dynamic Address Support
  • Tunnel heartbeat monitoring
Back to top


CudaLaunch is an application for Windows, macOS, iOS, and Android devices that provides mobile workers secure remote access through the Barracuda NextGen Firewall F-Series to their organization’s private cloud applications and other sensitive information. CudaLaunch provides several benefits over traditional browser-based SSL VPN remote access. As an app, it provides a familiar app store setup and install experience for end users.

Unlike browser-based remote access, CudaLaunch provides a more responsive look and feel that is unified across mobile platforms and avoids the idiosyncrasies of mobile browsers. Once an end user starts the app, a swipeable launchpad provides quick and easy access to internal applications, favorites, and TINA VPN connections (which securely connect the device to your corporate network). This richer VPN connection supports mobile apps that connect back to the corporate network (like remote desktop apps).

Designed to be completely self-configuring, CudaLaunch includes easy central management for large deployments and integrates with the powerful security features of the F-Series firewall. For IT administrators, the F-Series firewall provides one place to manage security policies for all types of remote access (CudaLaunch, SSL VPN, Barracuda Network Access Client, and standard IPsec). The end user experience is consistent across platforms and remote access types, making for ease of use and significantly lower support costs. The self-configuration and management of VPN connections eliminates the need to manually configure IPsec connections on Windows, macOS, iOS, and Android, making setup fast and easy.

More information on CudaLaunch is available here.

The app is available for free at:

Mac App Store (macOS)

Barracuda Cloud Control (Windows Universal Installer (32-bit / 64-bit))

(Also available as a standalone app that requires no installation; therefore, there are no local admin rights. This version is available on the Barracuda Cloud Control only for windows version.)

App Stores (iOS)

Google Play (Android)

Please note that CudaLaunch requires Barracuda NextGen Firewall F-Series firmware 6.1.1 and an active Advanced Remote Access subscription.

Back to top

Site-to-Site Connectivity

Create highly reliable and secure site-to-site connections between on-premises F-Series firewalls (both hardware and virtual appliances). Site-to-site connectivity also includes public cloud offerings like Amazon Web Services and Microsoft Azure. But it is not just about maintaining static site-to-site VPN tunnels. Having a hub-and-spoke VPN setup allows you to create tunnels automatically and on-demand between connected nodes in order to avoid the hub turning into a bottleneck. You thereby ensure low latency connections for VoIP applications, for example. As soon as the connection is no longer required, the VPN tunnel is automatically closed again. Administrators naturally have full real-time visibility into the dynamic mesh VPN setup.

Back to top

Botnet and Spyware Protection

Botnet and Spyware Protection guards against botnet infections by blocking access to malicious sites and servers, and detects potentially infected clients based on DNS Sinkholing technology. DNS Sinkholing blocks clients from accessing malicious domains by monitoring outbound DNS requests passing through the firewall. DNS requests to malicious domains are redirected to an internal sinkhole, thereby preventing data exfiltration and identifying the victim. Once an infected client is detected, it can be isolated automatically. An alert can also be created or reported by the Barracuda Report Creator.

Back to top

File Content Enforcement

The Barracuda NextGen Firewall F-Series includes true file-type detection and enforcement capabilities based not only on extension and MIME type, but also on sophisticated true file-type detection algorithms. Bypassing executable files by renaming or compressing is detected and blocked. In addition to blocking / allowing connections, the NextGen Firewall F-Series also lets admins change download priorities. If, for example, an ISO image started downloading with normal web traffic priority, the admin can increase or decrease the assigned bandwidth, even though the user started downloading via a regular web-browsing session.

Back to top


SD-WAN, short for Software Defined Wide Area Network, refers to a new category of devices that create secure pathways across both multiple WAN connections and multiple carriers without the involvement of typical high-management overhead. SD-WAN devices perform load sharing by using multiple WAN connections simultaneously, distribute encrypted VPN tunnels across multiple WAN connections, and increase available bandwidth via built-in compression, caching, and WAN optimization technology. The result is significant cost savings due to simplified management and the reduced need for high-quality lines.

The Barracuda NextGen Firewall F-Series is the only firewall with full, built-in next-generation security and SD-WAN capabilities. Organizations can thereby cut costs by reducing their need for expensive leased lines, consolidating multiple security solutions into a single device, and switching to a unified management framework.

Back to top

IoT & Machine-2-Machine connectivity

In the age of the Internet of Things, more and more companies need to securely and economically connect large numbers of remote devices like automated teller machines (ATMs), point-of-sale kiosks, wind power stations, networked industrial machines, or even very small offices. Managing and protecting network traffic among these remote machines is often a logistical nightmare involving many different firewalls, VPN software, and routing steps.

Barracuda NextGen Firewalls are available as ultra-small appliances, the Secure Connector appliance (FSC1), which reliably connect each remote device with multiple uplinks and even an automated failover in case one uplink fails.

The FSC1 provides zone-based firewalling, Wi-Fi, and full VPN connectivity for the connected device. The network traffic is then backhauled to a NextGen Firewall Secure Access Concentrator(FSAC), running at a central office or in the cloud, for inspection and other resource-intensive security tasks such as URL filtering, intrusion prevention (IPS), antivirus protection and application detection.

More on what Barracuda provides to protect your Internet of Things is available here.


Back to top