1.1 Network
1.1.1 WAN Connections
1.1.2 How to Activate Network Changes
1.1.3 Routing
1.2 Administration
1.2.1 How to Change the Root Password and Management ACL
1.2.2 How to Configure DNS Settings
1.3 Virtual Servers and Services
1.3.1 How to Configure Virtual Servers
1.3.2 Virtual Server Monitoring
1.3.3 How to Configure Services
1.4 NG Firewall Services
1.4.1 DHCP
1.4.2 Firewall
1.4.3 Barracuda Web Filter
1.4.4 Virus Scanner
1.4.5 Wi-Fi
1.5 NG Control Center
1.5.1 NG Control Center Getting Started with the CC Setup Wizard
1.5.2 NG Control Center Manually Getting Started
1.5.3 Center Management
1.5.4 Barracuda NG Control Center Admins
1.5.5 CC Eventing
1.5.6 NG Control Center Troubleshooting
1.6 Monitoring and Reporting
1.6.1 Logs
1.6.2 Events
1.7 Maintenance
1.7.1 Updating Barracuda NG Firewalls and NG Control Centers
1.7.2 Backup and Recovery
Barracuda NG Firewall
The Barracuda NG Firewall is an enterprise-grade, next-generation firewall that was purpose-built for efficient deployment and operation within
dispersed, highly dynamic, and security-critical network environments. In addition to next-generation firewall protection, it provides
industry-leading operations efficiency and added business value by safeguarding network traffic against line outages and link quality degradation.
User identity and application awareness are used to select the best network path, traffic priority, and available bandwidth for business-critical
traffic. The Barracuda NG Firewall can transparently move traffic to alternative lines to keep traffic flowing.
Platform Flexibility
The Barracuda NG offers hardware and virtual models in various sizes, from branch offices up to headquarters and data centers. Virtual NG
Firewall and NG Control Center can run on a wide range of hypervisors, effortlessly integrating with your existing network and server
infrastructure. The Barracuda NG Firewall is designed for deployment across the entire enterprise, including environments using Microsoft Azure
and Amazon AWS public clouds.
NETWORK
WAN Connections
The Barracuda NG Firewall supports all commonly used WAN connection types. You can set up static, DHCP, xDSL, UMTS/3G, and ISDN WAN
connections to connect your network to the Internet. Link failover and balancing can be configured either on a per-access rule basis by using
custom connection objects or in a more basic configuration via route metrics. You can also select different Internet connections based on the
application type.
Static Internet Connections
If your ISP assigns a static IP address or network to your Internet connection, configure a static Internet connection to connect the Barracuda NG
Firewall to the Internet. You must add a route on the box layer for the network port the ISP is connected to. The connection becomes active when
the assigned IP address, or an IP address within the assigned network, is configured as a virtual server IP address or, if the unit is remotely
managed, as an additional IP address on the box layer.
For more information, see How to Configure an ISP with Static IP Addresses.
xDSL Connections
The Barracuda NG Firewall supports xDSL connections using PPP, PPTP, and PPPoE. Because some xDSL providers periodically disconnect the
xDSL modem from the network, xDSL link management automatically introduces and deactivates routes as required.
For more information, see How to Configure an ISP with xDSL. For ISDN uplinks, see How to Configure an ISP with ISDN.
Link Balancing and Failover
Configure link balancing and failover to optimize usage of two or more WAN connections. Use custom connection objects to select the optimal
connection for the traffic handled by that access rule. You can define multiple connection objects, each with a different failover or link balancing
policy. You can also use route metrics for basic link failover functionality.
How to Configure an ISP with Static IP Addresses
In this article:
Before you Begin
Step 1. Add a Direct Route
Step 2. Network Activation
Step 3. Add the Static IP Address to a Virtual Server
Verify the Network Configuration
Before you Begin
Connect the network equipment installed by your provider to an unused port (not the management port) of your Barracuda NG Firewall.
Step 1. Add a Direct Route
Create a directly attached route entry to introduce the network on the box level of the Barracuda NG Firewall. Be sure to create the route on the
port the ISP is plugged into.
6. In the Target Network Address field, enter the IP address of the target network, e.g., 62.99.0.0/24.
Step 2. Network Activation
After you create or change basic network configurations such as routing, you must activate your new network configuration.
1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Soft. The 'Soft Activation Succeeded' message is displayed after your new network configurations have been successfully
activated.
Your route is now displayed as a disabled route (grey "x" icon) in CONTROL > Network.
Step 3. Add the Static IP Address to a Virtual Server
Assign the individual WAN IP addresses you want to use to the virtual servers on the Barracuda NG Firewall. By introducing the external IP
addresses on the virtual server, you can use a high availability (HA) cluster to transfer the WAN address to the secondary unit and still be
reachable under the same IP address. In our example, you would enter 62.99.0.221 in the virtual Server Properties (CONFIGURATION >
Full Configuration > Virtual Servers > your virtual server) as the First-IP, Second-IP or Additional IP address.
For more information, see Virtual Servers and Services.
Verify the Network Configuration
Open the CONTROL > Network page to verify that all network routes have been introduced successfully. Verify that the WAN IP addresses are
displayed with a green status icon, that the introduced routes are present in the Main and Default tables, and that the default route directs
traffic through your ISP connection.
How to Configure an ISP with xDSL
To use Dynamic DNS, you must have an active account at www.dyndns.org. For more information on DynDNS, see http://dyn.com/dns/.
To use the xDSL connection as part of a PPP multilink bundle, your ISP must support PPP multilink connections.
If your ISP supports synchronous PPP mode, using it can result in higher PPP performance. The gain is achieved only in some cases and depends
on your setup and your ISP's setup.
Enabling synchronous PPP without support from the remote server causes an unstable connection and a massive loss of performance.
Configure an xDSL connection using PPPoE or PPTP as the tunneling protocol, depending on your ISP:
How to Configure an ISP with xDSL using PPPoE
How to Configure an ISP with xDSL using PPTP
To avoid routing conflicts in multiprovider environments, be aware that every provider usually assigns the same gateway to a dynamically
assigned IP address. Do not configure multiple xDSL links managed by the same provider, unless you are sure that the assigned addresses stem
from distinctive IP pools and use clearly distinguishable gateways.
Connect the Ethernet port of the ISP modem to a free port of your Barracuda NG Firewall. Depending on the modem, a standard Ethernet cable
or a crossover cable must be used. Contact the ISP or the vendor of the xDSL modem for more information.
Step 1. Configure Link Properties
Specify the properties for the xDSL link and define the transport protocol for PPP.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
Most ISPs require authentication information to connect. These settings are provided by your ISP. If no authentication is required,
set Authentication Method to NONE.
Configure whether to create a default route, dynamic routing, and the route metric.
1. Set Create Default Route to YES to automatically create a default route via this xDSL connection.
2. If you are using dynamic routing protocols like OSPF/RIP/BGP, enable Advertise Route.
3. Enter a Route Metric if multiple dynamic links are available. The link with the lowest route metric is automatically chosen if more than
one default route is available.
Step 5. Configure Connection Monitoring
Configure log settings and define target IP addresses that will be regularly pinged to monitor the availability of the connection. Each target IP
address is pinged every 20 seconds (2 ICMP packets each). If there is no response, the link is re-established.
1. In the Connection Monitoring section, select the Monitoring method:
LCP If ping fails, the dial-in daemon is probed directly via LCP.
ICMP The Barracuda NG Firewall probes the Reachable IPs and, if there is no response, the gateway.
StrictLCP No ICMP probing occurs.
2. Enter one or more Reachable IPs to monitor the availability of the connection. The target IP addresses should only be accessible via the
xDSL connection.
3. Select the Unreachable Action to be taken if the connection cannot be established. The following options are available:
Restart Restarts the xDSL connection.
Increase-Metric Changes the preference for xDSL routes until the probe succeeds.
4. Click OK.
5. Click Send Changes and Activate.
Step 6. Activate Network Changes
You must activate the network changes to bring up the xDSL connection.
1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe. The 'Failsafe Activation Succeeded' message is displayed after your new network configurations have been successfully
activated.
How to Configure an ISP with ISDN
Step 4. Activate Network Changes
You must activate the network changes to bring up the ISDN connection.
1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe. The 'Failsafe Activation Succeeded' message is displayed after your new network configurations have been successfully
activated.
Your ISDN connection is now active and the IP addresses assigned by your ISP are visible on the CONTROL > Network page. The status icons
next to the ISDN interface are green, indicating an active connection. If the ISDN connection is your primary uplink, the default route pointing to
the ISDN interface is also created. If more than one default route is present, the connection with the lowest route metric is used.
Operating an ISDN Link in Standby Mode
Enable Standby Mode in the ISDN configuration if you want to use the ISDN connection as a backup uplink. In standby mode, activation and
subsequent monitoring of the connection must be triggered externally. Standby mode also lets you use ISDN connections in HA setups.
1. The ISDN routes are set to pending, and the Barracuda NG Firewall does not check whether they are established.
2. The configuration is run through completely, but the connection is not yet established.
A standby connection can only be started by a command line script. Example usage:
connection start: /etc/phion/dynconf/network/isdnrestart &
connection stop: /etc/phion/dynconf/network/wipeisdn &
How to Configure Link Balancing and Failover for Multiple WAN Connections
If you are using two DHCP connections from the same carrier that is using the same remote network and gateway, see How to
Configure Automatic Failover with Dual DHCP WAN Connections using the Same Remote Gateway.
If you are using two or more ISP connections, you can use outbound link and load balancing to balance the traffic between the different Internet
connections. If one ISP goes down, the traffic is routed over the remaining connection. Basic link failover can be achieved by using different
route metrics. A better solution is to use custom connection objects to distribute the load and/or configure failover for different links.
Custom connection objects let you decide on link balancing on a per-access-rule basis. For this article, we assume a mix of one static and one
dynamic (DHCP) Internet connection.
In this article:
Step 1. Configure the WAN Connections
Step 2. Add a Source Based Route
Step 3. Configure Link Monitoring
Step 4. Create a Custom Connection Object for Link Balancing with Failover (Fallback)
Step 5. Apply the Connection Object
Step 6. (optional) Configure Notifications
Step 1. Configure the WAN Connections
        IP Address            Gateway               Network Interface
ISP 1   62.99.0.69            62.99.0.254           port 3
ISP 2   dynamically assigned  dynamically assigned  dhcp
For WAN connections with dynamic address assignment (e.g., DHCP), verify that you enable the settings Own Routing Table, Use Assigned IP,
Create Default Route, and Clone Routes in the configuration.
Step 2. Add a Source Based Route
Configure the source routes for both connections to avoid IP packets from being sent
Add the network for which the routing table is consulted, e.g., 62.99.0.0/24.
Select the Placement option.
Click OK.
Step 3. Configure Link Monitoring
For the dynamic Internet connection, configure link monitoring for both routes (default and source-based) to monitor IP addresses beyond the
ISP gateway.
7. Click OK.
8. Click Send Changes and Activate.
After you configure your routes, you must activate your new network configurations.
1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Failsafe. A Network Configuration Reconfigured message will appear.
Step 4. Create a Custom Connection Object for Link Balancing with Failover (Fallback)
The Barracuda NG Firewall can perform link failover and link cycling using multiple connections. The failover and load balancing policy used in the
custom connection object defines how the traffic is routed:
Link Balancing with Fallback Traffic is always routed over the primary uplink as long as it is available. If the main uplink fails, the
secondary uplink is used.
Random Link Balancing Sessions are distributed randomly according to the weight of the connections. If one of the connections fails,
traffic is routed through the other available connections as defined in the connection policy.
Sequential Link Balancing The Source IPs are sequentially cycled through, factoring in the weight defined for each uplink. The
Barracuda NG Firewall remembers the sources/destination of active sessions and will reuse the same connection if a similar connection
is established.
Create a custom connection object for link balancing and failover:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. In the left menu, click on Connections.
4. Right-click and select New. The Edit/Create a Connection Object window opens.
5. Enter a Name for the connection object. E.g., LBFailover
6. Select From Interface as the NAT Address.
7. In the Interface Name field, enter the port ISP 1 is connected to, e.g., port3 or dhcp.
8. In the Failover and Load Balancing section, select one load balancing/failover Policy:
a. FALLBACK (Fallback to alternative Source Addresses)
Select either Interface or source IP address for each Internet connection.
Enter the interface or source IP address for the connection.
b. SEQ (Sequentially cycle Source Addresses)
Select either Interface or source IP address for each Alternative connection.
Enter the interface or source IP address for each connection.
Enter the Weight factor. This value determines how the load is distributed between the different connections.
c. RAND (Random Source Addresses)
Select either Interface or source IP address for each Alternative connection.
Enter the interface or source IP address for each connection.
Enter the Weight factor. This value determines how the load is distributed between the different connections.
9. Click OK.
10. Click Send Changes and Activate.
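The three policies above differ in how a new session is mapped to an uplink and in what happens when one uplink fails. The following simulation is an added example, not Barracuda code: it models the documented behaviour of FALLBACK, SEQ and RAND on constructed input. The uplink names (port3, dhcp), the weights, the flow addresses and the way SEQ remembers a source/destination pair are assumptions made for this illustration.

```python
"""Simulation of the FALLBACK, SEQ and RAND connection-object policies.

Added example, not Barracuda code. Uplink names, weights, flow addresses and
the session memory used by SEQ are assumptions for this illustration.
"""
import random
from collections import Counter


class Uplink:
    """One ISP connection referenced by interface name, with a weight and a state."""

    def __init__(self, name, weight=1, up=True):
        self.name = name
        self.weight = weight
        self.up = up


class ConnectionObject:
    """Chooses the uplink for a new session according to the configured policy."""

    def __init__(self, policy, uplinks):
        if policy not in ("FALLBACK", "SEQ", "RAND"):
            raise ValueError("unknown policy: %s" % policy)
        self.policy = policy
        self.uplinks = list(uplinks)      # first entry is the primary uplink
        self._cursor = 0                  # position in the weighted cycle (SEQ)
        self._sessions = {}               # (src, dst) -> uplink name (SEQ)

    def _available(self):
        return [u for u in self.uplinks if u.up]

    def pick(self, src, dst, rng=random):
        """Return the name of the uplink to use, or None if every uplink is down."""
        avail = self._available()
        if not avail:
            return None
        if self.policy == "FALLBACK":
            # Primary uplink while it is up; the next configured uplink otherwise.
            return avail[0].name
        if self.policy == "RAND":
            # Weighted random choice among the uplinks that are still up.
            return rng.choices(avail, weights=[u.weight for u in avail])[0].name
        # SEQ: a known source/destination pair keeps its uplink while that uplink
        # is up; new pairs are assigned by cycling through the available uplinks,
        # each repeated according to its weight.
        key = (src, dst)
        remembered = self._sessions.get(key)
        if remembered in [u.name for u in avail]:
            return remembered
        cycle = [u.name for u in avail for _ in range(max(u.weight, 1))]
        chosen = cycle[self._cursor % len(cycle)]
        self._cursor += 1
        self._sessions[key] = chosen
        return chosen


def distribute(conn_obj, flows, seed=0):
    """Run `flows` new sessions through the object and count the uplinks used."""
    rng = random.Random(seed)
    counts = Counter()
    for i in range(flows):
        counts[conn_obj.pick("10.0.0.%d" % (i % 250), "93.184.216.34", rng)] += 1
    return counts


if __name__ == "__main__":
    links = [Uplink("port3", weight=2), Uplink("dhcp", weight=1)]
    for policy in ("FALLBACK", "SEQ", "RAND"):
        print(policy, dict(distribute(ConnectionObject(policy, links), 300)))
    links[0].up = False                   # ISP 1 fails: traffic moves to dhcp
    print("after ISP 1 failure:", dict(distribute(ConnectionObject("FALLBACK", links), 10)))
```

With both uplinks up, FALLBACK sends everything over port3, SEQ produces a strict 2:1 rotation across distinct flows, and RAND approximates 2:1 over many flows; once port3 is marked down every policy selects dhcp, which is the failover behaviour the text describes for all three.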
Step 5. Apply the Connection Object
Use the object for all access rules handling outgoing traffic.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Edit an access rule handling outgoing traffic. E.g., LAN-2-INTERNET
4. Select the custom connection object created in Step 4 from the Connection Method list.
5. Click OK.
6. Click Send Changes and Activate.
Step 6. (optional) Configure Notifications
You can configure the Barracuda NG Firewall to send SNMP traps or email notifications in case one of the ISP connections fails. Depending on
what kind of notification you want to send, change the notification ID for:
62 (Route Changed)
64 (Route Disabled)
For more information, see Events.
You are now load balancing and/or using failover for all outgoing connections, which are handled by access rules using the custom connection
object. If needed, you can define multiple custom connection objects and use them to control which ISP connections are used by a specific
network or IP address.
After activation, the network may briefly show an error state until all connections are established.
Routing
Routing tables store the best path to a remote network. The Barracuda NG Firewall uses its routing tables to forward traffic to the correct
interfaces, next-hop gateways, or VPN tunnels. Routes are evaluated by the destination address and, optionally, the source address of an IP
packet, by the scope (network size) of the route, and by the route metric (preference). Two routes of the same scope (e.g., /24) and metric
cannot be created. The management IP address always uses a preference of 0.
If two routes with different preferences exist for the same destination, the route with the lower preference is chosen. E.g., 10.0.10.0/25
(preference 10) is preferred over 10.0.10.0/25 (preference 100).
If two routes with the same preference exist for a destination, the more specific route (longer prefix, i.e., the smaller network) is used. E.g.,
10.0.10.0/24 is preferred over 10.0.0.0/16.
VPN routes are source-based routes by default. If a single routing table is enabled in the VPN Settings, VPN routes are inserted with a
preference of 10. For more information
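The two selection rules above can be checked against a small model of the table. The following is an added example, not Barracuda code: it applies the rules the way the underlying Linux kernel resolves them, where the longest matching prefix is chosen first and the metric only decides between routes of the same scope, and it also enforces the "no two routes with the same scope and metric" constraint at insert time. The routes, next hops and the source-based route are constructed for this illustration.

```python
"""Route selection model: longest prefix first, then lowest preference (metric).

Added example, not Barracuda code. The routes, next hops and the optional
source-based route are constructed for this illustration.
"""
import ipaddress


class Route:
    def __init__(self, dest, preference, via, source=None):
        self.dest = ipaddress.ip_network(dest)
        self.preference = preference          # route metric; lower is preferred
        self.via = via                        # next hop or interface (informational)
        # Source-based route: only consulted for packets from this network
        self.source = ipaddress.ip_network(source) if source else None

    def __repr__(self):
        return "Route(%s metric %d via %s)" % (self.dest, self.preference, self.via)


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route):
        """Reject a second route with the same scope, metric and source, as the firewall does."""
        for r in self.routes:
            if (r.dest, r.preference, r.source) == (route.dest, route.preference, route.source):
                raise ValueError("duplicate route %s with metric %d" % (route.dest, route.preference))
        self.routes.append(route)

    def lookup(self, dst, src=None):
        """Return the route used for a packet to `dst` (optionally from `src`), or None."""
        dst = ipaddress.ip_address(dst)
        src = ipaddress.ip_address(src) if src else None
        candidates = [
            r for r in self.routes
            if dst in r.dest and (r.source is None or (src is not None and src in r.source))
        ]
        if not candidates:
            return None
        # Longest prefix wins; among equal prefixes the lowest preference wins.
        return min(candidates, key=lambda r: (-r.dest.prefixlen, r.preference))


def build_example_table():
    """Constructed table using the networks from the text above."""
    table = RoutingTable()
    table.add(Route("10.0.10.0/25", 10, "port2"))
    table.add(Route("10.0.10.0/25", 100, "port4"))        # same scope, worse metric
    table.add(Route("10.0.10.0/24", 10, "port2"))
    table.add(Route("10.0.0.0/16", 10, "10.0.0.1"))
    table.add(Route("0.0.0.0/0", 100, "62.99.0.254"))     # default route via the ISP gateway
    table.add(Route("192.168.99.0/24", 10, "vpn-tunnel", source="10.0.10.0/24"))  # source-based
    return table


if __name__ == "__main__":
    table = build_example_table()
    for dst, src in (("10.0.10.5", None), ("10.0.10.200", None), ("10.0.50.1", None),
                     ("8.8.8.8", None), ("192.168.99.1", "10.0.10.5"), ("192.168.99.1", "10.0.50.1")):
        print(dst, "from", src or "any", "->", table.lookup(dst, src))
```

The source-based entry shows why VPN routes being source-based by default matters: a packet to 192.168.99.1 from 10.0.10.5 takes the tunnel, while the same destination from 10.0.50.1 falls through to the default route.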
Directly Attached Network Routes (Direct Routing)
Gateway Routes (Next Hop Routing)
Multipath Routing
Source-Based Routes (Policy Based Routing)
icon in CONTROL > Network and are not active. When a suitable source network address (virtual server IP or additional IP address on the box
level) has been introduced, the route becomes active and the
In the example above, you must create a direct route for the ISP issued 62.99.0.0/24. To reach the Internet, a gateway route (see below) must be
created. If you enter the optional gateway IP address when creating the direct attached route, the default gateway route is created automatically.
You do not need to create a directly attached route for the network the management IP address is in. This route is created automatically when the
management IP address is configured.
For setup instructions, see How to Configure Direct Routes.
After adding the gateway route, you must initiate a Soft network activation for the route to become active (in CONTROL > Network).
Multipath Routing
The Barracuda NG Firewall supports standard Linux multipath routing and firewall-assisted multipath routing. Standard Linux multipath routing
does not offer dead next hop detection or session packet balancing. Simple redundancy by next hop detection can be provided by adding
multiple routing entries with different route preference numbers. Firewall-assisted multipath routing supports per-packet balancing between
next hops and dead next hop detection, and is configured in the Forwarding Firewall service.
For setup instructions, see:
How to Configure Multipath Routing
How to Configure Linux Standard Multipath Routing
How to Configure Direct Routes
In this article:
Before you Begin
Step 1. Configure a Direct Route
Step 2. Activate the Network Configuration
Next Steps
Before you Begin
Connect the network to a port of the Barracuda NG Firewall. Do not use the management port.
Step 1. Configure a Direct Route
Step 2. Activate the Network Configuration
After you have configured the network route, you must activate your new network configuration.
1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Soft. The Soft Activation Succeeded message is displayed after your new network configurations have been successfully
activated.
The direct attached route is now displayed as pending on the CONTROL > Network page. To make the route active, you must use one of the IP
addresses in the network as a virtual server IP address (default) or as an additional IP address (remote units).
Next Steps
Default: You must use at least one IP address from the network as a virtual server IP address. If you are using a high availability setup,
these virtual server IP addresses are transferred to the secondary NG Firewall in case of a failure.
In case of remote access: If you manage the Barracuda NG Firewall via a remote management tunnel, add the IP address to the Additional IP
addresses (CONFIGURATION > Configuration Tree > Box > Network). IP addresses assigned on the box level are not synced to the HA partner.
When using the IP address on the box level, the route remains active even if the virtual server is running on the other NG Firewall in the HA
cluster.
Gateway routes are defined for all networks that are not directly attached to a port of the Barracuda NG Firewall. The Barracuda NG Firewall
forwards all traffic with the configured destination to the gateway (next hop) IP address specified in the gateway route. For example, the default
route (0.0.0.0/0), which routes all traffic to the ISP gateway IP address, is a gateway route.
Trust Level Select the trust level. Use Untrusted for WAN connections,
(optional) Advertise Route To propagate this network route via the dynamic routing service, select Yes. For more
information
5. Click OK.
6. Click Send Changes and Activate.
Step 2. Activate the Network Configuration
After you have configured the network route, you must activate your new network configuration.
1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Soft. The "Soft Activation Succeeded" message is displayed after your new network configurations have been successfully
activated.
The gateway route is now active on the CONTROL > Network page. If the remote gateway no longer answers ARP requests, the route is placed in
a pending state until the gateway is reachable again.
Packet Load Balancing (only for multipath routes) If needed, enable packet load balancing.
Route Metric (only for unicast routes) Enter the route metric for the gateway route.
Advertise Route Select YES if you want to use the dynamic routing service. For more information, see Dynamic Routing
Protocols (OSPF/RIP/BGP).
5. Select where the route table is placed, before (premain) or after (postmain) the main routing table.
6. Click OK.
7. Click Send Changes and Activate.
Step 2. Activate the New Network Configuration
After you have configured the network route, you must activate your new network configuration.
1. Go to CONTROL > Box.
2. In the left navigation pane, expand Network and then click Activate new network configuration.
3. Select Failsafe. The Failsafe Activation Succeeded message is displayed after your new network configurations have been
successfully activated.
Administration
You can use already existing services in your network, such as DNS, NTP or SCEP servers, when deploying the Barracuda NG. The Barracuda
NG Firewall supports multiple administrator accounts and restricting access based on source IP address or network.
Administrators
An administrator account on a Barracuda NG Firewall contains multiple parameters that specify the permissions and restrictions for an
administrator. Administrator rights are split into predefined administrative roles, defining which services an administrator is allowed to use and
which operations the administrator is allowed to perform within the different services.
For more information, see Managing Access for Administrators.
DNS
Introduce either a network DNS server or a DNS server assigned by your ISP on the Barracuda NG Firewall. When resolving DNS requests, the
Barracuda NG Firewall can alter the response (DNS Interception) and redirect or block queries for specific domains by using black and
whitelisting. You can use the same namespace internally and externally and redirect external clients to use one IP address, and internal clients to
use an internal path to the same hostname (Split DNS). DNS queries can be forwarded to or cached from the DNS server.
For more information, see How to Configure DNS Settings and How to Configure DNS Interception.
NTP
You can define one or more NTP server(s) to act as a master clock for the Barracuda NG Firewall. The current time on the system is
synchronized via Network Time Protocol (NTP). Time settings apply to all time-related services on the Barracuda NG Firewall and affect data
accounting, logging, and event notifications. Correct time settings are also important for HA synchronization.
For more information, see How to Configure Time Server (NTP) Settings
Email Notifications
Some services, such as the virus scanner, can send email notifications. You can configure the email address and the SMTP server used for
email notifications.
For more information, see How to Configure the System Email Notification Address.
Restricting access to the management interface of the Barracuda NG Firewall is important for network security. Barracuda Networks strongly
recommends changing the root password after the first login. Use the management access control list to whitelist IP addresses that are allowed to
connect via NG Admin to the Barracuda NG Firewall or NG Control Center.
In this article:
Change the Root Password
Manage the Management Access Control List
The Barracuda NG Firewall can act as an authoritative DNS server, returning definitive answers to DNS queries about domain names installed in
its configuration. With local DNS caching enabled, DNS queries will be forwarded to or cached from the specified DNS servers and DNS queries
can be logged.
Configure Basic DNS Settings
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click DNS Settings.
3. From the Configuration Mode menu, select Switch to Advanced View.
4. Click Lock.
5. Enter the Box DNS Domain that the Barracuda NG Firewall belongs to.
6. In the DNS Server IP table, specify the DNS server's IPv4 and/or IPv6 addresses to be queried by the Barracuda NG Firewall.
7. Click Send Changes and Activate.
Configure Advanced DNS Settings
1. From the Configuration Mode menu, select Switch to Advanced View.
2. In the DNS Search Domains table, add the names of the domains that should automatically be appended to an alias name when
performing a DNS query. Separate multiple domains with spaces.
3. When using multiple DNS servers,
a. Select if DNS queries should regularly rotate between the servers from the DNS Query Rotation list.
b. Specify the DNS Query Timeout in seconds. When the timeout is exceeded, the next DNS server is queried.
4. To add local hosts,
a. Click + in the Known Hosts section.
Virtual Servers and Services
The service layer runs on the virtual server layer of the Barracuda NG Firewall. It introduces the services such as firewall, HTTP proxy, VPN, and
DHCP. The services use the configured IP addresses of the virtual server on which they are running. If the virtual server shuts down, all of the
assigned services and IP addresses are also shut down and made unavailable. If the Barracuda NG Firewall is deployed in a high availability
cluster, the services and necessary IP addresses transparently failover to the other HA unit.
For more information, see How to Configure Services, NG Firewall Services or NG Control Center Shared Services.
To manage networking and services on the Barracuda NG Firewall, you can use the virtual server S1 that is already present on the unit. To
extend firewalling and networking capabilities, introduce additional servers with IP addresses that can be adapted and used by networks and
services created under them. If a Barracuda NG Firewall system hosting virtual servers is running in a high availability (HA) cluster, the virtual
servers are also present on the HA unit. If the primary unit fails, the virtual server, IP addresses, and all services are taken over instantly by the
secondary unit.
In this article:
Create a Virtual Server on a Standalone Barracuda NG Firewall
Create a Virtual Server on a Barracuda Control Center
Deleting a Virtual Server
Moving/Copying Virtual Servers (NG Control Center only)
Verify that direct routes exist on the box layer for the network the virtual server IPs are in. If you are using a HA cluster, the routes must be
configured on both units.
Deleting a Virtual Server
1. Right-click on the virtual server you want to delete and click Lock.
2. Right-click on the virtual server and click Remove Server.
3. Click Yes. The virtual server and all its services are now marked with a red "x".
4. Click Activate.
Moving/Copying Virtual Servers (NG Control Center only)
1. Right-click on the virtual server you want to move or copy and click Lock.
2. Right-click on the virtual server and click Move Server or Copy Server.
3. Select the destination in the Range/cluster tree.
4. Enter the new name of the virtual server.
5. Click OK.
6. Click Activate.
To ensure and maintain the connectivity of a virtual server, you can define pools of IP addresses and/or network interfaces that are continuously
monitored by the Barracuda NG Firewall. If the health check of a monitored IP address or the link state of a network interface fails, the virtual
server is automatically shut down. As soon as the health check target is successful, the virtual server is started again. Monitoring policies define
which requirements must be met for the virtual server to remain active, or to be shut down. If you are using an HA cluster, you can use monitoring
policies to define the behavior of the secondary HA unit. If necessary, you can use custom scripts which are executed when the virtual server is
started or stopped.
In this article:
Layer 3 Monitoring
Layer 2 Monitoring
Server Monitoring in HA Clusters
Step 1. Configure the Operation Mode
Step 2. Configure the Monitoring Policy
Configure Custom Scripts
Layer 3 Monitoring
The Layer 3 monitoring policy defines the settings for IP address monitoring. The policy configuration provides two address pool tables. Add the
target addresses to the tables. These IP addresses must be reachable for the virtual server to stay up. The following Layer 3 monitoring policies
are available:
all-OR-all-present All of the IP addresses from at least one IP address pool, e.g., from the Monitored IPs I table, must be reachable. If
you enter IP addresses in both the Monitored IPs I and II tables, the IP addresses from at least one of these tables must be available.
Otherwise, the virtual server is deactivated.
one-AND-one-present At least one IP address from each monitoring pool must be reachable. If you only enter IP addresses in the
Monitored IPs I table, at least one IP address from this table must be available. If you enter IP addresses in both tables, at least one IP
address in each table must be available.
The control service runs an ICMP check on all IP addresses in 10-second intervals. If no answer is received, the IP addresses are probed every
second for a 10-second period. If no response is received from a valid health check target during the 10-second period, the virtual server shuts
down. The server is reactivated as soon as an answer is received for the subsequent probes.
Example Setup:
Layer 3 monitoring is configured for the virtual server S2, using both address pools with the following IP addresses and statuses:
Monitored IPs I    Status    Monitored IPs II    Status
10.0.10.110        up        10.0.10.88          up
10.0.10.68         down      10.0.10.99          down
The status of the virtual server is displayed on the Control > Server page:
If the monitoring policy one-AND-one-present is used, the server stays up because one IP address of each address pool is available.
If the all-OR-all-present policy is used, the server shuts down because neither IP pool is fully available.
Layer 2 Monitoring
The Layer 2 monitoring policy defines the settings for interface monitoring. Add the interfaces that should be checked according to the policy in
the Monitored Interfaces I and II tables. Layer 2 monitoring is available in the following modes:
all-OR-all-present All of the interfaces from at least one interface pool, e.g. from the Monitored Interfaces I table, must be available.
one-AND-one-present At least one interface from each interface pool table must be available. If you have added interfaces in one
table, at least one interface from this table must be available. If you have added interfaces in both tables, at least one interface from
each table must be available.
The control service checks the link status of each interface on a regular basis. Depending on the selected policy, the server is shut down if the
links on the monitored interfaces are unavailable. The server is restarted when the links of the monitored interfaces are up again.
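The Layer 3 and Layer 2 policy decisions above, together with the probing cadence of the control service, as an added example in Python (not Barracuda code). The IP addresses and statuses are those of the example setup for S2; the interface names, and the way the 10-second probing window is counted, are assumptions of this model.

```python
"""Decision logic of the Layer 3 and Layer 2 monitoring policies described above.

Added example, not Barracuda code: it models the policy evaluation and the
documented probing cadence, not real ICMP traffic. The IP addresses and
statuses are those from the example setup on this page; the interface names
are constructed.
"""
from typing import Dict

# target (IP address or interface name) -> reachable / link up
Pool = Dict[str, bool]


def server_stays_up(policy: str, *pools: Pool) -> bool:
    """Return True if the virtual server stays active under the given policy.

    Empty tables are ignored, matching the documented behaviour: if only
    Monitored IPs I is filled, only that table is evaluated.
    """
    active = [p for p in pools if p]
    if not active:
        return True  # nothing is monitored, so nothing can fail
    if policy == "all-OR-all-present":
        # at least one pool must be completely reachable
        return any(all(p.values()) for p in active)
    if policy == "one-AND-one-present":
        # every pool must have at least one reachable member
        return all(any(p.values()) for p in active)
    raise ValueError(f"unknown monitoring policy: {policy}")


class TargetProbe:
    """Probing cadence for one health-check target, as described above: a check
    every 10 s; after a missed answer, probes every second for a 10-second
    window; the target fails only if the whole window stays silent and
    recovers on the first answer received."""

    NORMAL_INTERVAL = 10  # seconds between regular checks
    FAST_INTERVAL = 1     # seconds between probes after a miss
    FAST_WINDOW = 10      # seconds of silence before the target counts as down

    def __init__(self) -> None:
        self.reachable = True
        self.fast_probing = False
        self.fast_misses = 0

    def next_probe_in(self) -> int:
        return self.FAST_INTERVAL if self.fast_probing else self.NORMAL_INTERVAL

    def record(self, answered: bool) -> bool:
        """Feed one probe result and return the resulting reachability."""
        if answered:
            self.reachable, self.fast_probing, self.fast_misses = True, False, 0
        elif not self.fast_probing:
            self.fast_probing = True  # first miss: switch to 1-second probes
        else:
            self.fast_misses += 1
            if self.fast_misses * self.FAST_INTERVAL >= self.FAST_WINDOW:
                self.reachable = False
        return self.reachable


# Example setup from the page: virtual server S2 with both Layer 3 pools filled
MONITORED_IPS_I: Pool = {"10.0.10.110": True, "10.0.10.68": False}
MONITORED_IPS_II: Pool = {"10.0.10.88": True, "10.0.10.99": False}

# Constructed Layer 2 setup: the same rule applied to interface link states
MONITORED_IFACES_I: Pool = {"port1": True, "port2": True}
MONITORED_IFACES_II: Pool = {"port3": False}

POLICIES = ("one-AND-one-present", "all-OR-all-present")


def layer3_example() -> Dict[str, bool]:
    return {p: server_stays_up(p, MONITORED_IPS_I, MONITORED_IPS_II) for p in POLICIES}


def layer2_example() -> Dict[str, bool]:
    return {p: server_stays_up(p, MONITORED_IFACES_I, MONITORED_IFACES_II) for p in POLICIES}


def reachable_after_misses(misses: int) -> bool:
    """Reachability of one target after `misses` consecutive unanswered probes."""
    probe = TargetProbe()
    state = True
    for _ in range(misses):
        state = probe.record(False)
    return state


if __name__ == "__main__":
    for layer, result in (("Layer 3", layer3_example()), ("Layer 2", layer2_example())):
        for policy, up in result.items():
            print(f"{layer} {policy}: server {'stays up' if up else 'shuts down'}")
    # first miss at the regular check, then ten 1-second probes: down after 11 silent probes
    print("down after 10 misses:", not reachable_after_misses(10))
    print("down after 11 misses:", not reachable_after_misses(11))
```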
s, the monitoring policy will also be enforced by the backup box. In case of a failover, the virtual server is then also deactivated on the
second unit if the monitoring also fails on the secondary unit.
Shared-HA-Probing Shared HA probing combines the IP address and interface information of both units. Both sets of IP addresses or
interfaces must be available on both units. An IP address or interface that is not operational on both HA peers will be excluded from the
HA logic decision. If a server is active on a unit and blocked on the peer unit, any probing results will be ignored. The probing decision will
only be made if a situation persists over two probing cycles. This gives the system time to account for the delay between detection and
synchronization and avoids aliasing effects.
Local-HA-Probing (default) Only local health check target resources are probed. This means every HA partner performs its own
monitoring procedure.
Step 1. Configure the Operation Mode
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Monitoring Policy.
3. Click Lock.
4. From the Monitoring on Backup Box list, select whether monitoring should be performed and, in case of failover, adapted by a
secondary HA unit.
5. Select the Probing Policy. For more information, see Server Monitoring in HA Clusters.
Step 2. Configure the Monitoring Policy
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Monitoring Policy.
3. Click Lock.
4. In the Layer 3 Monitoring section, specify the IP address monitoring policy. For more information, see Layer 3 Monitoring.
5. In the Monitored IPs I / II tables, add the IP addresses that must be reachable via the ICMP protocol by the system that is hosting the
server.
6. In the Layer 2 Monitoring section, specify the interface monitoring policy. For more information, see Layer 2 Monitoring.
7. In the Monitored Interfaces I / II tables, add the physical interfaces that must have a link in order for the server to stay up.
8. Click Send Changes and Activate.
Configure Custom Scripts
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Custom Scripts.
3. Click Lock.
4. In the Start and Stop Script fields, enter the commands that should be executed when the server is started up or shut down (7-bit ASCII
characters and standard Bash version 2-compliant).
5. Click Send Changes and Activate.
The Barracuda NG Firewall has two types of services. Box services provide functionality required to run the Barracuda NG Firewall system. They
are factory-defined and cannot be created or removed by the user. Server services are created and run in a virtual server. Services relying on
other services for certain functionality (e.g., the firewall and virus scanner service) must be created on the same virtual server. Although possible, it is
recommended to only create one service type per virtual server. You can create the following services:
Barracuda NG Firewall Services
Depending on your model, some services may not be available. Consult the datasheet for your appliance for more information on which services
In this article:
Create a Service
Remove a Service
Enable or Disable a Service
Move a Service
Create a Service
Step 1. Add a Service to a Virtual Server
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services.
2. Right-click Assigned Services and select Create Service.
3. Enter a Service Name. The name must be unique and no longer than six characters. The service name cannot be changed later.
4. In the Software Module field, select the type of service that you are creating. You cannot change the service type after the service is
created.
The types of services that you can create are dependent on your license and system model. Verify the product type and
appliance model in the Box Properties if services are missing.
3. Click Next.
Step 3. Statistics (optional)
Enable statistics settings for the service. By default, all settings are enabled for the service:
1. In the Statistics Settings section set Generate Statistics to yes.
2. Edit the following settings according to your requirements:
Src Statistics Generates IP source-based statistical data for the service. Only the number of connections from IP addresses is
recorded. The times at which the connections were made are not recorded.
Src Time-Statistics Generates IP source-based statistical data for the service. Both the number of connections made from IP
addresses and the times at which the connections were made are recorded.
Dst Statistics Generates IP destination-based statistical data for the service. Only the number of connections to IP addresses
is recorded. The times at which the connections were made are not recorded.
Dst Time-Statistics Generates IP destination-based statistical data for the service. Both the number of connections made to
IP addresses and the times at which the connections were made are recorded.
Src-Dst Statistics Generates IP source/destination pair based-statistical data for the service. Only the number of connections
to and from IP addresses is recorded. The times at which the connections were made are not recorded.
3. Click Next.
4. Click Finish.
5. Click Activate to create the service.
Remove a Service
Removing a service is permanent and cannot be undone.
1. Expand the Assigned Services node (Configuration > Configuration Tree > Box > Virtual Servers > your virtual server).
2. Right-click the service you want to delete and click Lock.
3. Right-click the service you want to delete and click Remove Service. A verification popup opens.
4. Click Yes.
5. Click Activate.
Windows Defender 1.x: the chart states Implemented although it may not work on the 64-bit client. The reason for this is that the
released version of the 64-bit client contains a 32-bit compatible COM+ server for integrated OPSWAT modules (health-check).
Therefore, this component is not yet implemented as native 64-bit.
This leads to some restrictions regarding auto-remediation features of the health agent system:
Enabling and disabling of Virus and Spyware Scanner functionality cannot be done automatically for some vendors (see
support charts).
Auto-remediation for Virus Scanner and Spyware Scanner engine and pattern updates is disabled in the 64-bit client.
DHCP
DHCP Service
The DHCP service automatically assigns IP addresses to clients that reside in a defined subnet. In the DHCP server configuration, you can define
address pools and explicitly map MAC addresses to a reserved IP address. You can also define additional parameters that are passed to the
client when an IP address is requested.
For configuration instructions, see How to Configure the DHCP Service and Advanced DHCP Settings.
DHCP Relay
The DHCP Relay service forwards DHCP broadcast messages to other network segments. DHCP relaying allows you to share a single DHCP
server across logical network segments that are separated by a firewall.
For more information, see How to Configure the DHCP Relay Agent.
Add a Virtual Server IP for each subnet you want to use for the DHCP server. For more information, see Virtual Servers and Services.
Configure the DHCP Service
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service
> DHCP Enterprise Configuration.
2. Click Lock.
3. In the left menu, select Operational Setup IPv4 or 6.
4. In the Address Pool Configuration window, enable DHCP.
5. Click + to add an entry to the Subnets table.
6. Enter a descriptive name for the subnet and click OK. The Subnets configuration window opens.
7. From the Used Subnet list, select one of the available IPv4 subnets or select explicit and enter the IP address in the Network Address
field.
When using IPv6, select any (stateless dhcp) to use DHCPv6 to extend IPv6 with DHCP capabilities (assigning a domain name or
DNS servers).
8. In the DHCP Server Identifier field, enter the name of the server. This name is provided to the client.
9. Click + to add a new entry to the Pool Ranges table.
Enter the TFTP Server Name if the 'sname' field in the DHCP header has been used for DHCP options.
Enter the TFTP Server IP Address for Cisco CallManager devices. In this field, you can enter a comma-delimited list of addresses.
Enter the Boot File Name if the 'file' field in the DHCP header has been used for DHCP options.
If you set the Barracuda Network Access Clients Policy of an Address Pool to Barracuda Network Access Clients or guests, add the
required info to the Access Control Service IPs/Names table for a client to receive valid policy server information.
You can add vendor IDs, policy server IP addresses, or DNS resolvable policy server names. If the Barracuda Network
Access Clients Policy field is set to none, the information in the Access Control Service IPs/Names table is ignored.
For information on dynamic DNS configuration, refer to How to Configure DHCP with Dynamic DNS.
For information on lease configuration, refer to How to Configure DHCP Parameter Templates.
Click OK.
Click Send Changes and Activate.
Click the DHCP Tab to check the real-time status of the configured DHCP server.
Configure Advanced DHCP Settings
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service
> DHCP Enterprise Configuration.
2. From the left Configuration Mode menu, select Switch to Advanced View.
3. Click Lock.
4. In the left pane, select Operational Setup IPv4 or 6.
6. Enable Use Advanced Pool Configuration. This disables the Subnets section and allows configuration of address pools.
7. In the DHCP Server Identifier field, enter the name of the server. This name is provided to the client.
Firewall
The Host and Forwarding Firewall can handle only IP protocols. Non-IP traffic (such as Spanning Tree Protocol or IPX/SPX) is not
forwarded.
Forwarding Firewall
The Forwarding Firewall handles all traffic for which the destination does not match with a listening socket on the Barracuda NG Firewall. You can
create one (forwarding) Firewall service on each virtual server. This service listens to all IP addresses configured for the virtual server and is
responsible for all connections that must be transferred over the Barracuda NG Firewall to a remote host. The firewall rules for the Forwarding
Firewall are maintained in the forwarding ruleset. The Forwarding Firewall is tightly integrated with Application Control 2.0, Virus Scanners,
Advanced Threat Detection (ATD), Intrusion Prevention System (IPS), and the URL Filter. Examples of connections that use the Forwarding
Firewall are:
A web browser that connects to an external web server without using the HTTP Proxy service on the Barracuda NG Firewall
The administrator pings an external Linux server
Incoming and outgoing traffic of a VPN tunnel
For more information, see Forwarding Firewall.
Host Firewall
There is one Host Firewall service running on the box layer of every Barracuda NG Firewall and Barracuda NG Control Center. Host Firewall rules
are applied to connections where the target IP address and port number match a listening socket of a service on the Barracuda NG Firewall. The
boxfw service manages this ruleset and additional traffic handlers such as SIP, RPC, Timer, Audit, Trace, and Sync. Restarting the boxfw
service reinitializes the service handlers and reloads the ruleset. The boxfw service is automatically activated on the Barracuda NG Firewall. You can
have only one Host Firewall on a system. Examples of connections that are handled by the Host Firewall are:
An incoming connection from a web browser to the HTTP Proxy service running on the Barracuda NG Firewall
An outgoing connection from the HTTP Proxy service running on the Barracuda NG Firewall to a web server on the Internet
Outgoing and incoming VPN traffic from the Barracuda NG Firewall VPN service to the tunnel endpoint
Outgoing NTP or DNS queries
For more information, see Host Firewall.
Forwarding Firewall
The forwarding firewall service provides a policy framework to direct and manage traffic passing through the Barracuda NG Firewall:
Firewall Policies:
Firewall Access Rule Set The access rule set contains a list of access rules. Incoming traffic is compared against the
matching criteria set within each access rule. When a match is found, the action set in the access rule is executed. You can
enable advanced features (Application Control, QoS, IPS) on a per-rule basis.
Application Rule Set If application control is enabled in an access rule that is executed, the application rule set is called.
Applications and (if applicable) URL categories are detected and compared to the list of application rules. Upon a match, the
application traffic is either passed or blocked depending on the action set in the application rule.
IPS Policies Detect and block network attacks, by comparing incoming traffic with predefined, constantly updated patterns.
Traffic Shaping (QoS) Policies Shape traffic to improve use of the available bandwidth, by prioritizing connections that are important
for your business.
User Policies Allow or block access to network resources based on user information.
Schedule (Time) Policies Allow or block access to network resources based on time or date.
Traditional packet forwarding capabilities are handled by the access rule set while next generation application-aware policies are applied in the
dedicated application rule set.
Access Rules
The basic job of the firewall is to manage traffic between various trusted and untrusted network segments. Incoming network traffic is compared to
the first access rule in the rule set. If the traffic does not match the criteria set in the rule, the next rule is evaluated, continuing from top to bottom
until a matching rule is found. The first matching access rule is executed. If none of the rules match, the default BLOCKALL rule blocks the traffic.
For more information, see Firewall Access Rules.
Next Generation Firewall Capabilities
Application Control 2.0 (with or without SSL Interception), a tightly integrated Intrusion Prevention System (IPS), URL filtering for content security,
and Virus Scanning in the firewall offer granular control over your network traffic.
Application Detection For each access rule, you can enable Application Control. Application Control detects applications and
subapplications. Detected application traffic can then be manipulated by the application rule set. By using custom application-based link
selection connection objects, you can route traffic based on application type.
For more information, see Application Control 2.0.
SSL Interception Most application traffic is SSL encrypted. SSL Interception transparently decrypts the SSL connections and
re-encrypts the connection before forwarding it to its destination. SSL Interception enables Application Control to better detect
sub-applications, making it possible to block single features such as Facebook games, while still allowing access to the rest of the site.
URL Filter If you want to block inappropriate web-based content from your network, use the Barracuda Webfilter to filter a large
number of websites based on categories. With the URL filter, you can create either a whitelist (blocking everything except for selected
sites) or a blacklist (blocking known unwanted content). If a site is not in the URL database, you can define a custom URL policy for it.
The URL Filter can only filter based on the URL of the website. It does not offer the more granular control over sub-applications that
Application Control does.
For more information, see URL Filter.
Virus Scanning To protect against malware and viruses, enable antivirus (AV) scanning in the firewall. If a user downloads a file
containing malware, the Barracuda NG Firewall detects and discards the infected file and then redirects the user to a warning page. You
can use the Avira and/or the ClamAV antivirus engines and specify the MIME types of all files that are to be scanned.
For more information, see How to Configure Virus Scanning in the Firewall.
ATD Barracuda Advanced Threat Detection secures your network against zero-day exploits and other malware not recognized by the
IPS or Virus Scanner. You can choose between two policies: either files are scanned after the user has downloaded them and, if found
to be a threat, the user is quarantined; or the file is scanned first and the user may download it only after it is known to be safe.
For more information, see Advanced Threat Detection (ATD).
Traffic Shaping (QoS)
You can adjust the QoS band traffic to prioritize business-critical traffic over less important traffic:
Traffic shaping protects the available overall bandwidth of a connection. Network traffic is classified and throttled or prioritized within each
access rule.
Traffic shaping for application traffic can be configured in the application policy rules. For more information, see Application Control 2.0.
For more information, see Traffic Shaping.
Intrusion Prevention System (IPS)
The tightly integrated Intrusion Prevention System (IPS) monitors the network for malicious activities and blocks detected network attacks. The
IPS engine analyzes network traffic and continuously compares the bitstream with its internal signature database for known attack patterns. IPS
must be globally enabled on a Barracuda NG Firewall. However, you can enable or disable IPS for each firewall rule.
For more information, see Intrusion Prevention System (IPS).
Users/Time
For more granular control, you can configure access rules that are only applied to specific users or during specific times.
Users can be used as a criterion for a rule. To enable the Barracuda NG Firewall to be aware of which connection belongs to a specific
user, use the Barracuda DC Agent, Barracuda TS Agent, or the Barracuda NG Firewall Authentication Client.
For more information, see User Objects.
You can create access rules that are only active for specific times or dates. For example, you can create a time object that only includes
Mondays and the hours of 8:00 am to 9:00 am. An access rule including this time object allows traffic only during the time span defined in
the time object.
For more information, see Schedule Objects.
Firewall Objects
Use firewall objects to reference specific networks, services, time and dates, user groups, or connections when creating firewall rules. You can
use firewall objects that are preconfigured on the Barracuda NG Firewall or create custom objects to fit your needs. The main purpose for firewall
objects is to simplify the creation and maintenance of firewall rules. Firewall objects are re-usable, which means that you can use one firewall
object in as many rules as required. Each firewall object has a unique name that is more easily referenced than an IP address or a network
range.
For more information, see Firewall Objects.
Layer 7 Application Control (Legacy)
For each access rule you can configure the following settings:
Name The name of the access rule. This name is displayed on the Firewall > Live and History pages.
Description An additional field in which you can enter a description of the access rule, to help you and others determine the purpose of
the access rule in case the rule must be edited later.
Action Specifies how the Barracuda NG Firewall handles network traffic that matches the criteria of the rule. The following actions are
available:
Pass The Barracuda NG Firewall passes all network traffic that matches the access rule.
Block The Barracuda NG Firewall ignores all network traffic that matches the access rule and does not answer to any packet
from this particular network session.
Deny The Barracuda NG Firewall dismisses all network traffic that matches the access rule. Matching network sessions are
terminated by replying TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests, and ICMP Denied by Filter for
other IP protocols.
Dst NAT The Barracuda NG Firewall rewrites the destination IP address, network, or port to a predefined network address.
Map The Barracuda NG Firewall rewrites IP ranges or networks to a predefined network or IP range.
App Redirect The Barracuda NG Firewall redirects the traffic locally to one of the services running on the Barracuda NG
Firewall.
Broad Multicast The Barracuda NG Firewall forwards broadcasts for bridged networks.
Cascade Jump and evaluate a different rule list.
Cascade Back Jump back to the global rule list and resume evaluating the access rules below the cascade rule.
Service The protocol and protocol/port range of the matching traffic. You can define one or more services for the access rule. You can
select a predefined service object or create your own service objects (see: Service Objects).
Source The source IP address/netmask of the connection to be handled by the rule. You can select a network object or explicitly enter
a specific IP address/netmask.
Destination The destination IP address/netmask of the connection that is affected by the rule. You can select a network object or
explicitly enter a specific IP address/netmask.
Connection Method The outgoing interface and source (NAT) IP address for traffic matching the access rule, using connection objects
(see below).
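The first-match evaluation described under Access Rules, together with the Pass, Block, Deny, Cascade and Cascade Back actions listed above, modeled in Python as an added example (not Barracuda code). The rule lists, rule names and sample connections are constructed, and a cascaded list that ends without a match is assumed to fall through to BLOCKALL.

```python
"""Access rule evaluation as described above: rules are checked top to bottom,
the first match is executed, an unmatched connection hits BLOCKALL, Cascade
jumps into another rule list and Cascade Back resumes below the cascade rule.

Added example, not Barracuda code. Rule lists, rule names and sample connections
are constructed; a cascaded list that ends without a match is assumed to fall
through to BLOCKALL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or another IP protocol name
    dport: int


@dataclass
class Rule:
    name: str
    action: str  # Pass, Block, Deny, Cascade or Cascade Back
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    services: Tuple[Tuple[str, int], ...] = ()  # (proto, port); empty = Any
    cascade_to: Optional[str] = None  # rule list entered by a Cascade rule

    def matches(self, c: Connection) -> bool:
        if ip_address(c.src) not in ip_network(self.source):
            return False
        if ip_address(c.dst) not in ip_network(self.destination):
            return False
        return not self.services or (c.proto, c.dport) in self.services


def deny_reply(c: Connection) -> str:
    """Reply sent by a Deny rule, per the action list above."""
    if c.proto == "tcp":
        return "TCP RST"
    if c.proto == "udp":
        return "ICMP Port Unreachable"
    return "ICMP Denied by Filter"


def evaluate(rulesets: Dict[str, List[Rule]], c: Connection) -> Dict[str, object]:
    """Walk the rule lists for one connection and return the executed action."""
    trace: List[str] = []
    list_name, index = "main", 0
    return_to: Optional[Tuple[str, int]] = None  # where Cascade Back resumes
    while True:
        rules = rulesets[list_name]
        while index < len(rules) and not rules[index].matches(c):
            index += 1
        if index == len(rules):  # list exhausted: the default BLOCKALL rule applies
            trace.append(f"{list_name}:BLOCKALL")
            return {"action": "Block", "rule": "BLOCKALL", "trace": trace}
        rule = rules[index]
        trace.append(f"{list_name}:{rule.name}")
        if rule.action == "Cascade":
            return_to = (list_name, index + 1)  # resume below the cascade rule
            list_name, index = rule.cascade_to, 0
        elif rule.action == "Cascade Back":
            if return_to is None:
                raise ValueError("Cascade Back outside a cascaded rule list")
            list_name, index = return_to
            return_to = None
        else:
            result: Dict[str, object] = {"action": rule.action, "rule": rule.name, "trace": trace}
            if rule.action == "Deny":
                result["reply"] = deny_reply(c)
            return result


# Constructed rule lists: the main list cascades LAN-to-DMZ traffic into "dmz"
RULESETS: Dict[str, List[Rule]] = {
    "main": [
        Rule("LAN-2-DMZ", "Cascade", "10.0.0.0/8", "172.16.0.0/24", cascade_to="dmz"),
        Rule("LAN-2-INTERNET", "Pass", "10.0.0.0/8", services=(("tcp", 80), ("tcp", 443))),
    ],
    "dmz": [
        Rule("DMZ-HTTP", "Pass", services=(("tcp", 80),)),
        Rule("DMZ-NO-TELNET", "Deny", services=(("tcp", 23),)),
        Rule("DMZ-BACK", "Cascade Back"),  # anything else: back to the main list
    ],
}


if __name__ == "__main__":
    for c in (Connection("10.1.1.5", "172.16.0.10", "tcp", 80),
              Connection("10.1.1.5", "172.16.0.10", "udp", 53),
              Connection("192.168.1.1", "203.0.113.7", "tcp", 443)):
        print(c, "->", evaluate(RULESETS, c))
```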
Connection Objects
SNAT with 3G IP
Source NAT with the IP address of the ppp5 device (3G uplink)
Source NAT with the IP address of the dhcp device (DHCP uplink)
NAT Tables
You can also create custom connection objects. For more information, see Connection Objects.
Inline Editing
You can change a setting for an access rule without opening the Edit Rule window. Click the rule, hover your mouse pointer over the value that
you want to change, and then click the edit icon that appears.
Safe Search For more information, see How to Enforce Safe Search in the Firewall.
YouTube For Schools For more information, see How to Enforce YouTube for Schools in the Firewall.
QoS Band (Fwd) or QoS Band (Reply) For more information, see Traffic Shaping.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Edit a Block access rule. The Edit Rule window opens.
4. In the left menu click Advanced.
5. In the Miscellaneous section, set Block Page for TCP 80 to Access Block Page or Quarantine Block Page.
6. Click OK.
7. Click Send Changes and Activate.
When a user is blocked by this access rule while using HTTP on port 80, the customizable Access Block Page is displayed. For more
information, see How to Configure Custom Block Pages.
6. Click OK.
7. Click Send Changes and Activate.
When a user is blocked by this access rule while using HTTP on port 80, the customizable Access Block Page is displayed. For more
information, see How to Configure Custom Block Pages.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
wraps the larger source network into the smaller redirection network.
Example
Operation
port2,port3,192.168.200.10
Network interface(s)
port2,port3,vpnr0,brid01
IP address(es)
192.168.200.10,10.10.0.100
<interface>:<IP address>
port2:192.168.200.10
<interface>:<IP address>!
192.168.200.10!
8. Click OK.
9. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located
above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
10. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Connection Method For more information, see Connection Objects.
Additional Policies
Time Objects For more information, see Schedule Objects.
Rule
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
6. Service Select a service object, or select Any for this rule to match for all services.
7. Click OK.
8. Drag and drop the access rule to the order that you want. Usually this rule is placed last in the rule list, but you can drag it further up the
rule list as well.
9. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Additional Policies
Time Objects For more information, see Schedule Objects.
5. Click OK.
6. Click Send Changes and Activate.
Enable and Disable Dynamic Rules via NG Admin
1. Open the FIREWALL > Dynamic page.
2. Double click a dynamic rule to open the Change Dynamic Rule dialog.
mobile portal.
For more information, see How to Create and Activate a Dynamic Access Rule and Mobile Portal User Guide.
In the new rule list, you can now specify a range of access rules. To switch between rule lists, click the tabs. You can also copy a rule from the
main rule list by right-clicking the rule and selecting Copy and then right-clicking the additional rule list and selecting Paste.
Description
Length of time that the firewall waits until the destination has to
answer. After this timeout, the firewall sends a TCP RST packet to
both partners (default: 10).
Length of time in seconds that the firewall waits until the source has
to retransmit packets. If nothing happens, the firewall registers the
session as a hijacking attempt (default: 300 seconds).
Checks the MSS option of TCP SYN and SYN-ACK packets against the
configured MSS. If the advertised MSS is larger than the configured
value, the packet is rewritten with the configured MSS. Use this feature
for VPNs to force a TCP MSS that fits the MTU of the VPN tunnel
device. For IPv4, the MSS must be at least 40 bytes smaller than the
MTU (20 bytes IPv4 header plus 20 bytes TCP header).
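The following Python code is an added example, not part of the Barracuda documentation, showing what such an MSS clamp does to a TCP SYN: max_mss_for_mtu() derives the largest MSS for a tunnel MTU (MTU minus 40 bytes for IPv4, minus 60 for IPv6), clamp_syn_mss() walks the TCP options of a SYN or SYN-ACK and rewrites an MSS above that value, and the TCP checksum is corrected incrementally (RFC 1624) so the rewritten segment remains valid. The sample segment and pseudo header are constructed for the example.

```python
import struct

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header
IPV6_TCP_OVERHEAD = 60  # 40-byte IPv6 header + 20-byte TCP header


def max_mss_for_mtu(mtu, ipv6=False):
    """Largest MSS that still fits one unfragmented packet on a link with this MTU."""
    return mtu - (IPV6_TCP_OVERHEAD if ipv6 else IPV4_TCP_OVERHEAD)


def _fold(total):
    """Fold a wide sum into a 16-bit one's complement sum."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(pseudo_header, segment):
    """Full TCP checksum over pseudo header + segment (checksum field must be zero)."""
    data = pseudo_header + segment
    if len(data) % 2:
        data += b"\x00"
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    return (~_fold(sum(words))) & 0xFFFF


def incremental_checksum(old_checksum, old_word, new_word):
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') after one 16-bit word changes."""
    total = (~old_checksum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    return (~_fold(total)) & 0xFFFF


def clamp_syn_mss(segment, max_mss):
    """Return a copy of a TCP segment whose MSS option is limited to max_mss.

    Only SYN / SYN-ACK segments carry an MSS option, so other segments are returned
    unchanged. The TCP checksum is updated to match the rewritten option.
    """
    seg = bytearray(segment)
    data_offset = (seg[12] >> 4) * 4
    syn = seg[13] & 0x02
    if not syn or data_offset <= 20:
        return bytes(seg)
    i = 20
    while i < data_offset:
        kind = seg[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = seg[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option at offset %d" % i)
        if kind == 2 and length == 4:      # Maximum Segment Size
            (mss,) = struct.unpack_from("!H", seg, i + 2)
            if mss > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
                (checksum,) = struct.unpack_from("!H", seg, 16)
                struct.pack_into("!H", seg, 16, incremental_checksum(checksum, mss, max_mss))
        i += length
    return bytes(seg)


# Constructed sample: IPv4 pseudo header 10.0.0.5 -> 93.184.216.34, protocol 6, TCP length 32,
# and a SYN from port 40000 to port 80 advertising MSS 1460 plus SACK-permitted and window scale.
SAMPLE_PSEUDO = bytes([10, 0, 0, 5, 93, 184, 216, 34]) + struct.pack("!BBH", 0, 6, 32)
_header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 8 << 4, 0x02, 65535, 0, 0)
_options = bytes.fromhex("020405b4" "0101" "0402" "030307" "00")
_segment = _header + _options
SAMPLE_SYN = _segment[:16] + struct.pack("!H", tcp_checksum(SAMPLE_PSEUDO, _segment)) + _segment[18:]


if __name__ == "__main__":
    clamped = clamp_syn_mss(SAMPLE_SYN, max_mss_for_mtu(1400))   # VPN tunnel MTU of 1400
    print("MSS before: %d, after: %d" % (struct.unpack_from("!H", SAMPLE_SYN, 22)[0],
                                         struct.unpack_from("!H", clamped, 22)[0]))
```

Only SYN and SYN-ACK segments carry the MSS option, so the function leaves other segments untouched; a production implementation additionally has to apply the 60-byte overhead for IPv6 tunnels and must not trust the data offset field without the bounds checks shown.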
Resource Protection
In the Resource Protection section, you can specify the following session limits to conserve your system resources:
Setting
Description
Allow this access rule to override the global session limits defined in
the General Firewall Configuration.
Maximum length of time in seconds that the session can stay active.
By default, there is no duration limit for the session.
This setting only takes effect in the forwarding firewall; it
does not affect the local (host) firewall.
Description
Statistics Entry
Service Statistics
Eventing
The severity level of the rule's event messages. Host firewall rules
are not affected by this setting. You can select the following event
levels to be generated if a forwarding firewall rule matches:
None (default) No events are generated.
Normal Generates the FW Rule Notice [4020] event.
Notice Generates the FW Rule Warning [4021] event.
Alert Generates the FW Rule Alert [4022] event.
In the event settings, you can specify actions for these event
messages. For more information, see How to Configure Event
Settings.
Regardless of this setting, forwarding as well as host
firewall rules will generate event messages if BLOCK on
Mismatch is selected for any of the Rule Mismatch Policy
settings.
Miscellaneous
In the Miscellaneous section, you can edit the following settings:
Setting
Description
Authentication
IP Counting Policy
Time Restriction
Clear DF Bit
Color
Quarantine Policy
In the Quarantine Policy section, you can select one of the following rule matching policies for evaluating sessions to and from a specific
quarantine class:
Match The rule matches.
Block The rule blocks the request.
Deny The rule denies the request.
Continue Rule evaluation continues with the next rule in the rule set.
A session is only evaluated when it matches the specified policy for the following settings:
Setting
Description
Description
Source Interface
In this article:
Before You Begin
Step 1. Create a Transparent Redirect DNAT Access Rule
Step 2. Create a PASS Access Rule for the HTTP Proxy to Access the Internet
Step 3. Create a PASS Access Rule for the HTTP Proxy to Access the Client
Step 4. Configure the HTTP Proxy
Before You Begin
Verify that the Forwarding Firewall service is using Feature Level 6.1 or above.
The Barracuda NG Firewall and the HTTP Proxy must be directly connected to the same subnet (within the same ARP domain).
Step 1. Create a Transparent Redirect DNAT Access Rule
Create the DNAT access rule to forward all HTTP traffic to the proxy.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. Create an access rule to forward HTTP traffic coming from your clients to the HTTP proxy:
Action Select Dst NAT.
Source Select Trusted Networks. Alternatively, enter the network that the clients using the HTTP Proxy are in.
Destination Select Internet.
Service Select HTTP+S.
Target List Enter the IP address and optionally the port of the HTTP Proxy, e.g., 172.16.0.10:3128. You can enter multiple HTTP Proxies.
Do not use network objects containing host names (DNS objects). The firewall does not redirect traffic to a hostname
or FQDN.
Fallback/Cycle If you have defined multiple target IP addresses, select how the Barracuda NG Firewall distributes the traffic
between the IP addresses.
Fallback The connection is redirected to the first available IP address in the list.
Cycle New incoming TCP connections are distributed evenly over the available IP addresses in the list on a per
source IP address basis. The same redirection target is used for all subsequent connections of the source IP address.
UDP connections are redirected to the first IP address and not cycled.
List of Critical Ports Enter a space-delimited list of ports used.
Connection Method Select No SNAT.
Application Policy Disable Application Control.
6. Click OK.
7. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located
above the BLOCKALL rule; rules located below the BLOCKALL rule are never evaluated.
8. Click Send Changes and Activate.
Step 2. Create a PASS Access Rule for the HTTP Proxy to Access the Internet
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. Create a PASS rule to allow the HTTP proxy to access the Internet:
Action Select Pass.
Source Enter the IP address of the HTTP Proxy.
Destination Select Internet.
Service Select HTTP+S.
Connection Method Select Dynamic SNAT.
Application Policy Disable Application Control.
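As an added example (not Barracuda code), the Python below models the two rules created so far as a first-match rule set and shows how Fallback and Cycle pick a Target List entry. Trusted Networks, the proxy addresses 172.16.0.10 and 172.16.0.11, and the source-address arithmetic used for Cycle are assumptions of the example; the page only states that Cycle is sticky per source IP and that UDP is never cycled. The example also shows why the proxy's own PASS rule has to sit above the redirect rule when the proxy is itself inside Trusted Networks: with the rules the other way round, the proxy's outbound HTTP request matches the Dst NAT rule and is redirected back to a proxy.

```python
import ipaddress
from dataclasses import dataclass, field

# Network objects as the page uses them. "Trusted Networks" is constructed for this example;
# "Internet" is modelled as every address that is not in a trusted network.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
INTERNET = "Internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    name: str
    action: str                       # "Pass", "Dst NAT" or "Block"
    src: object = "Any"               # list of ip_network objects, INTERNET or "Any"
    dst: object = "Any"
    ports: tuple = ()                 # empty tuple = service "Any"
    proto: str = "tcp"
    targets: tuple = ()               # Target List entries "ip:port" (Dst NAT only)
    distribution: str = "Fallback"    # Fallback/Cycle selector of the Dst NAT rule
    down: set = field(default_factory=set)   # constructed availability state of targets


def _match_addr(ip, selector):
    if selector == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    trusted = any(addr in net for net in TRUSTED_NETWORKS)
    if selector == INTERNET:
        return not trusted
    return any(addr in net for net in selector)


def matches(rule, flow):
    service_ok = not rule.ports or (flow.proto == rule.proto and flow.dport in rule.ports)
    return service_ok and _match_addr(flow.src, rule.src) and _match_addr(flow.dst, rule.dst)


def choose_target(rule, flow):
    """Target List selection as the page describes Fallback and Cycle."""
    available = [t for t in rule.targets if t not in rule.down]
    if not available:
        return None
    if rule.distribution == "Fallback" or flow.proto == "udp":    # UDP is never cycled
        return available[0]
    # Cycle: spread sources over the targets, sticky per source IP address. Using the source
    # address modulo the target count is this example's choice; the page does not give the algorithm.
    return available[int(ipaddress.ip_address(flow.src)) % len(available)]


def evaluate(ruleset, flow):
    """First-match evaluation from top to bottom. Returns (rule name, (verdict, target))."""
    for rule in ruleset:
        if matches(rule, flow):
            target = choose_target(rule, flow) if rule.action == "Dst NAT" else None
            return rule.name, (rule.action, target)
    raise LookupError("no rule matched; a rule set must end with BLOCKALL")


def transparent_proxy_ruleset(proxy_ips=("172.16.0.10", "172.16.0.11"), down=()):
    """Steps 1 and 2 of the page as rules. The proxy's own PASS rule sits above the
    redirect, because 172.16.0.10 is itself inside Trusted Networks."""
    proxies = [ipaddress.ip_network(ip + "/32") for ip in proxy_ips]
    return [
        Rule("PROXY-TO-INTERNET", "Pass", src=proxies, dst=INTERNET, ports=(80, 443)),
        Rule("HTTP-TO-PROXY", "Dst NAT", src=TRUSTED_NETWORKS, dst=INTERNET, ports=(80, 443),
             targets=tuple(ip + ":3128" for ip in proxy_ips), distribution="Cycle", down=set(down)),
        Rule("BLOCKALL", "Block"),
    ]


if __name__ == "__main__":
    rules = transparent_proxy_ruleset()
    for flow in (Flow("10.0.1.5", "93.184.216.34", 80), Flow("172.16.0.10", "93.184.216.34", 80),
                 Flow("10.0.1.5", "93.184.216.34", 25)):
        print(flow, "->", evaluate(rules, flow))
```

Swapping the first two rules and evaluating a request from the proxy itself shows the redirect loop that first-match evaluation produces; the Rule Tester on the firewall answers the same question for the real rule set.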
Firewall Objects
Firewall objects are named collections that represent specific networks, services, applications, user groups or connections. You can use the
firewall objects that are preconfigured on the Barracuda NG Firewall, but you can also create custom firewall objects depending on your
requirements. Firewall objects are re-usable which means that you can use one firewall object in as many rules as required. The following section
explains the firewall objects that are available for use and configuration on the Barracuda NG Firewall and contains articles on how to create the
different firewall objects for your firewall rules.
Firewall Object Types
The following types of firewall objects are available for use and configuration:
Connection Objects The egress interface and source (NAT) IP address for traffic matching a firewall access rule.
For more information, see Connection Objects.
Proxy ARPs Make the Barracuda NG Firewall answer ARP requests for IP addresses that are not configured on any of its own interfaces.
For more information, see Proxy ARPs.
Network Objects Networks, IP addresses, geolocation, host names, or interfaces when configuring firewall rules.
For more information, see Network Objects.
Service Objects TCP/UDP ports for a service.
For more information, see Service Objects.
User Objects Lists of users and/or user groups for use within firewall rules.
For more information, see User Objects.
Schedule Objects Time restriction or scheduling tables that can be applied to access rules on an hourly, weekly, or calendar date
basis.
For more information, see Schedule Objects.
Interface Groups A specific interface or an interface group containing one or more interfaces.
For more information, see How to Create Interface Groups.
Applications Lists of applications and/or sub-applications when creating application aware firewall rules.
For more information, see Application Objects and Application Control 2.0.
URL Filter Access restrictions for web sites. The Barracuda NG Firewall provides a predefined list of URL categories that are available
for blacklisting and whitelisting.
For more information, see How to Create a URL Filter Policy Object.
Network Objects
Use network objects to reference networks, IPv4 and IPv6 addresses, hostnames, geolocation objects, or interfaces when you create firewall
rules. A network object can also include other existing network objects. Network objects are stored in the host and forwarding firewall. If the
Barracuda NG Firewall is managed by a Barracuda NG Control Center, it also inherits all network objects in the Global, Range, and Cluster
Firewall Object stores.
Firewall rule management is simplified with the use of network objects instead of explicit IP addresses. For example, if an IP address changes,
you do not have to edit it in every rule that references it; you must only change the IP address in the network object. The IP address is then
automatically updated for every rule that references the network object.
Network objects cannot contain both IPv4 and IPv6 addresses. For more information, see How to Use IPv6.
Network Object Types
A network object may consist of the following:
Generic Network Objects You can add network addresses of all types. All network objects that are available on Barracuda NG
Firewall systems by default are configured as generic network objects.
Single IP Address A single IP address.
List of IP Addresses Multiple single IP addresses and/or references to other single IP address objects. For example: 10.0.10.1, 10.0.10.10, 10.0.10.127
Single Network Address A single network. For example: 10.0.10.0/25
List of Network Addresses Any combination of multiple networks, IP addresses, and/or references to other network address objects.
For example: 10.0.10.0/25, 172.16.0.10
Hostname (DNS Resolved) A single DNS resolvable host name. For example: myhost.test.com
If the hostname used in the network object is not resolvable, any firewall rules that use it will never be matched to traffic. For a
detailed description of configuration options, see Hostname (DNS Resolvable) Network Objects.
Single IPv6 Address A single IPv6 address.
List of IPv6 Addresses Multiple IPv6 addresses and/or references to other single IPv6 address objects.
Single IPv6 Network A single IPv6 network.
List of IPv6 Networks Any combination of multiple IPv6 networks, IPv6 IP addresses, and/or references to other IPv6 network
address objects.
Excluded Entries Specific networks that are excluded from the network object.
For transparency and consistency, other network objects cannot be referenced in the Excluded Entry section.
Enable L3 Pseudo Bridging When bridging is activated on an interface, host routes and PARPs are automatically created by
the Barracuda NG Firewall. In this section, you can specify the information required for this task. The Bridging section is only available in
the Local Networks list of the Forwarding Firewall service. Select Bridging enabled (Advanced Settings) from the list (default: Bridging
not Enabled) if you want to configure bridging details.
The configuration options in the Bridging section are only applicable for Layer 3 Bridging. For more information, see How to
Configure Layer 3 Bridging.
Interface Address Reside The name of the interface on which bridging is to be enabled (for example, eth1).
Parent Network The superordinate network from which the bridged interface has been separated.
Introduce Routes Introduces host routes to the IP addresses to be separated from the superordinate network (IP
addresses listed in the network object) automatically.
Restrict PARP to Parent Network Restricts the Proxy ARP to only answering ARP requests within the parent network.
Network objects cannot be deleted if they are referenced by other objects. You can delete network objects when they are only
referenced in configuration files. Before you delete a network object, verify that it is not used anywhere. The Referenced By column in
the Network Objects listing displays where a network object is currently referenced.
When the firewall is started or restarted, it can take up to 10 seconds until DNS resolution is provided for all configured hostname
network objects. Because the firewall is already active, the traffic that you want to be handled by the rule with the added hostname
object can be matched to another rule instead.
To use hostname network objects, you must specify a DNS server in the DNS Server IP field of the Box Settings file. For more
information, see How to Configure DNS Settings.
Using DNS resolvable host names in firewall rule sets can cause problems because of the following:
IP addresses that are allocated to DNS host names might change.
A DNS record might contain multiple IP addresses.
Name Enter the DNS resolvable name the object is created for. This name is also the name of the network object; it can be changed later.
Description Enter a meaningful description of the object.
Resolve This button is purely informational. Click it to execute a DNS query for the host name in the Name field; the result is displayed
in the IP field of the Entry section. Note that the query uses the DNS server(s) known to the client running the graphical administration
tool Barracuda NG Admin and NOT the DNS server(s) configured on the Barracuda NG Firewall running the firewall service, so the
displayed result can differ from the addresses the firewall actually enforces.
DNS Lifetime (Sec) The interval after which the DNS entries of Hostname network objects used in currently active firewall rules are
refreshed (default: 600 s). Values below 30 seconds might cause problems in network object lists containing a large number of hostname
objects. DNS entries may also be refreshed manually at FIREWALL > Dynamic > Dynamic Rules.
The DNS Lifetime has no effect on actively established connections, even if the DNS resolution of a network object that is
currently used in a firewall rule changes. In this case to force a refresh terminate the active session in order to enable new
connection establishment using the updated DNS entry.
The Include and Exclude Entries sections restrict a hostname network object: an Included Entry forces resolved addresses to fall within
the given networks, and an Excluded Entry removes specific addresses from the object. For example, if the DNS name www.domain.com
resolves to four A records, 10.0.6.1, 10.0.8.1, 10.0.8.2 and 10.0.8.3, and connections must only go to addresses in the 10.0.8.0/24 network
but never to 10.0.8.3, configure Included Entry: IP 10.0.8.0/24 and Excluded Entry: IP 10.0.8.3. When a firewall rule uses this object, it
matches connections to 10.0.8.1 and 10.0.8.2, but not to 10.0.6.1 (outside the included network) or to 10.0.8.3 (excluded).
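The following Python model, an added example rather than Barracuda code, implements the behaviour described in this section for a Hostname (DNS Resolved) network object: records come from a resolver (constructed here, standing in for the DNS server in the box settings), are cached for the DNS Lifetime, restricted to the Included Entries and stripped of the Excluded Entries, and an unresolvable name yields an object that never matches.

```python
import ipaddress


def make_resolver(zone):
    """Constructed stand-in for the DNS server configured in the box settings:
    returns the A records currently held in `zone` for a name (empty list if unresolvable)."""
    return lambda hostname: list(zone.get(hostname, []))


class HostnameNetworkObject:
    """Model of a Hostname (DNS Resolved) network object with DNS Lifetime and
    Include/Exclude entries, as described on this page."""

    def __init__(self, hostname, resolver, dns_lifetime=600, include=(), exclude=()):
        self.hostname = hostname
        self._resolver = resolver
        self.dns_lifetime = dns_lifetime
        self.include = [ipaddress.ip_network(n) for n in include]
        # Excluded entries are literal networks; other objects cannot be referenced here.
        self.exclude = [ipaddress.ip_network(n) for n in exclude]
        self._records = []
        self._resolved_at = None

    def _stale(self, now):
        return self._resolved_at is None or now - self._resolved_at >= self.dns_lifetime

    def refresh(self, now):
        """Re-query the resolver; an unresolvable name leaves the object empty."""
        self._records = [ipaddress.ip_address(a) for a in self._resolver(self.hostname)]
        self._resolved_at = now

    def entries(self, now):
        """Effective addresses at time `now`: resolved records, restricted to the Included
        Entries (if any) and minus the Excluded Entries. Refreshes when the lifetime expired."""
        if self._stale(now):
            self.refresh(now)
        result = []
        for ip in self._records:
            if self.include and not any(ip in net for net in self.include):
                continue
            if any(ip in net for net in self.exclude):
                continue
            result.append(str(ip))
        return result

    def matches(self, ip, now):
        """Whether a rule using this object matches a packet to/from `ip`.
        With no resolvable records there are no entries, so the rule never matches."""
        return str(ipaddress.ip_address(ip)) in self.entries(now)


if __name__ == "__main__":
    zone = {"www.domain.com": ["10.0.6.1", "10.0.8.1", "10.0.8.2", "10.0.8.3"]}
    obj = HostnameNetworkObject("www.domain.com", make_resolver(zone),
                                include=["10.0.8.0/24"], exclude=["10.0.8.3"])
    print(obj.entries(now=0))        # ['10.0.8.1', '10.0.8.2']
```

Because the cached records are only replaced when the lifetime expires, a record change at the DNS server is invisible to the rule for up to dns_lifetime seconds, and, as the page notes, never to sessions that are already established.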
Using Hostname Network Objects
You can use hostname objects as:
Source/Destination in rules within the Forwarding Firewall.
Source/Destination in rules within the Local Firewall.
Reference in the Entry list of generic network objects.
You cannot reference hostname objects in other network object types.
Monitoring Network Objects of Type Hostname
DNS queries addressed to the DNS server configured in the box settings are triggered when a hostname network object is created. You can view
these queries in the following places:
In all views but the Dynamic Rules tab, DNS resolution is retrieved using the DNS server(s) known to the client running the graphical
administration tool Barracuda NG Admin and NOT using the DNS server(s) known to the Barracuda NG Firewall running the firewall
service.
In the Entries column in the network object list.
In the Rule Object list when the hostname object configured in the rule is used.
In the Source/Destination window querying the rule object list when the hostname object is currently used.
In the Rule Tester.
In the Dynamic Rules tab of the Firewall Monitoring Interface.
Site-Specific Network Objects
Site-specific network objects can be used to share single firewall rule sets for branch offices with template-based network layout. This type of
object inherits its content from the IP address or IP network defined in the Virtual Servers Server Properties of a branch office.
8. Click OK.
9. Click Send Changes and Activate.
You can now use the network object in your firewall rules. When creating or editing a firewall rule click on the Object Viewer in the left navigation
to see a list of all available network objects.
c. Click OK.
6. Click Send Changes and Activate.
You can now select the geolocation network object you just created from the Source and Destination dropdown lists when creating firewall rules.
Alternatively, you can find the network object in the Object Viewer in the Networks > Network Objects section.
The IP addresses and networks in the custom external network objects are not displayed on the CONFIGURATION > Full
Configuration > Virtual Servers > your virtual server > Firewall > Firewall Rules page.
Step 3. (Optional) Create a Cron Job for Import
Create a cron job to automatically trigger a periodic import process.
1. Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > System Scheduler.
2. Click Lock.
3. In the left menu, click Daily Schedule.
4. Click + to add an Interhour Schedule job.
5. Enter the Name, and click OK.
6. In the Command section, enter /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home/addresses -o <External Firewall
Object Number>.
7. The value of -o is the index of the custom external network object that the IP addresses are imported into; e.g., -o 1 fills
CustomExternalObject1. For High Availability setups, also add the -h option.
8. Select every from the Minutely Schedule dropdown and enter the period for the Run Every...Minutes parameter.
9. Click OK.
10. Click Send Changes and Activate.
On a Barracuda NG Firewall in the Public Cloud
If your Barracuda NG Firewall is running in the public cloud (AWS or Azure), the custom external network objects will be automatically filled with:
Custom external object number 1 contains the internal IP address.
Custom external object number 2 contains the internal network address.
Custom external object number 3 contains the external IP address.
If you are using multiple virtual network interfaces in AWS, only information for the first interface will be imported. The IP addresses will also be
automatically synced to the NG Control Center.
Service Objects
Service objects, when applied to a firewall access rule, define which destination and client TCP/UDP ports and/or IP protocols the service
matched by the rule can use. By default, the Barracuda NG Firewall contains a set of pre-configured service objects. You can edit these
service objects for a custom setup or a non-standard port, or you can create new
combination of port ranges and a space-delimited list of ports. For example: 25 80 8080 3001-3008
9. In the Port Protocol Protection section, select an action from the Action for prohibited Protocols list.
Service Label Here you may enter certain labels. If left empty, well-known service names (available in /etc/services) are used.
It is highly recommended that you use this parameter only for defining service names that are not well-known (for example,
Oracle521).
Client Port Used The port range the firewall uses for the connection. This port range is only used if a dynamic port allocation is
required, e.g., as in the 'proxy dynamic' connection type. If you want to enter a custom port range, select Manual Entry and enter the first
port in the From field and the last port in the To field. This parameter is not evaluated when the firewall services checks if the rule
matches.
ICMP Echo
Max Ping Size The maximum size allowed for the ping packet.
Min Delay The minimum allowed delay for pinging. The 'FW Flood Ping Protection Activated [4002]' event is generated if this limit is not
met.
General
Session Timeout Time in seconds that a session can remain idle until it is terminated by the firewall (default values: TCP: 86400; UDP:
60; ICMP: 20; all other protocols: 120). This timeout is applied to all TCP connections by counting the time that has passed in a session
since the last traffic transmission. Similarly, it applies an initial timeout to all stateless protocols counting the time until the source has
answered the initial datagram. When the datagram is answered, the Balanced Timeout setting comes into effect.
This parameter only takes effect in the forwarding firewall. Setting it in the host firewall has no effect.
Balanced Timeout The time in seconds that a session-like connection established through a non-connection oriented protocol
(all protocols except TCP) can remain idle until it is terminated by the firewall (default values: UDP: 30; ICMP: 10; all other protocols:
120). The balanced timeout comes into effect after the initial datagram sent by the source has been answered and the "session" has
been established. Generally, the balanced timeout should be shorter than the session timeout because it is otherwise overridden by the
session timeout and never comes into effect. The balanced timeout allows for keeping non-connection oriented "sessions" short and
minimizing the amount of concurrent sessions. The larger initial session timeout guarantees that late replies to initial datagrams are
not inevitably dropped.
This parameter only takes effect in the forwarding firewall. Setting it in the local firewall has no effect.
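As an added example (not part of the original page), the Python below models the two timers for a forwarding-firewall session: the session timeout applies until the destination has answered, the balanced timeout takes over afterwards, and a balanced timeout longer than the session timeout is simply overridden by it. The defaults are the ones listed above; the packet timeline is constructed.

```python
SESSION_TIMEOUT = {"tcp": 86400, "udp": 60, "icmp": 20, "other": 120}   # page defaults
BALANCED_TIMEOUT = {"udp": 30, "icmp": 10, "other": 120}


def balanced_timeout_is_effective(session_timeout, balanced_timeout):
    """The balanced timeout only ever applies if it is shorter than the session timeout."""
    return balanced_timeout < session_timeout


class Session:
    """Idle-timeout model of a forwarding-firewall session.

    TCP sessions use the session timeout for their whole life. For stateless protocols the
    session timeout covers the wait for the first answer; once the destination has answered,
    the (normally shorter) balanced timeout takes over."""

    def __init__(self, proto, created, session_timeout=None, balanced_timeout=None):
        self.proto = proto
        key = proto if proto in SESSION_TIMEOUT else "other"
        self.session_timeout = SESSION_TIMEOUT[key] if session_timeout is None else session_timeout
        self.balanced_timeout = (BALANCED_TIMEOUT.get(key, BALANCED_TIMEOUT["other"])
                                 if balanced_timeout is None else balanced_timeout)
        self.last_seen = created
        self.answered = False

    def idle_limit(self):
        if self.proto == "tcp" or not self.answered:
            return self.session_timeout
        # A balanced timeout longer than the session timeout is overridden by it.
        return min(self.balanced_timeout, self.session_timeout)

    def expired(self, now):
        return now - self.last_seen >= self.idle_limit()

    def packet(self, now, from_destination=False):
        """Account a packet; returns False if the session had already timed out
        (the firewall would then evaluate the packet against the rule set as a new session)."""
        if self.expired(now):
            return False
        self.last_seen = now
        if from_destination:
            self.answered = True
        return True


if __name__ == "__main__":
    dns_query = Session("udp", created=0)
    dns_query.packet(5, from_destination=True)      # reply arrives after 5 s
    print("UDP idle limit after the reply:", dns_query.idle_limit(), "s")   # 30
```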
Plugin The name and parameters of any plugins that you might be required for this object. For more information, see Firewall Plugin
Modules.
Port Protocol Protection
Action for prohibited Protocols From this list, select an action that should be taken if prohibited
protocols are detected. For more information, see How to Define Port Protocol Protection.
Detection Policy From this list, select the policy to be applied. For more information, see How to
Define Port Protocol Protection.
Schedule Objects
To restrict firewall rules to specific times and intervals, configure schedule objects as an additional matching criterion. Schedule objects can
be used in host, access, and application rules, and provide time granularity in minutes. A schedule object is evaluated against the local time of
the NG Firewall that enforces the rule.
The Barracuda NG Firewall, the client running NG Admin, and, if applicable, the NG Control Center must use the correct time for their
respective time zones. Using NTP is highly recommended. For more information, see How to Configure Time Server (NTP) Settings.
A schedule object consists of two time configuration elements that can be combined or used separately:
Recurring Schedule Configure the schedule to be active during specific days and intervals by selecting weekdays and time from a list.
Restrict to time interval Configure the schedule to be active during a specific interval by specifying a date and time span.
For information on how to create schedule objects, see How to Create and Apply Schedule Objects.
In this article:
Recurring Schedules
Time Interval
Schedule Object Options
Legacy Time Restriction Settings for Access Rules
Recurring Schedules
You can restrict the schedule to a specific day and time interval, e.g., every week from Monday at 09:00 until Wednesday at 15:30, by selecting
the Enable Recurring Schedule checkbox. Selecting this option expands the configuration and provides the Recurring Schedule table, where
you specify the days and times for the schedule to be active.
A time schedule entry can cover up to one week, starting at Mon 00:00 and ending at Mon 00:00 of the following week. To enable the
schedule for an interval that crosses the Mon 00:00 threshold, split it into two entries, e.g., Fri 15:00 to Mon 00:00 and Mon 00:00 to Tue 10:30.
Time Interval
Selecting the Restrict to time interval checkbox lets you restrict the schedule to a date and time span by specifying the dates and times in the
fields provided by the section.
Terminate existing sessions By default, sessions that match the rule using the schedule object stay active until they are closed or
time out. Selecting the Terminate existing sessions checkbox immediately terminates active sessions as soon as the time restriction
configured in the schedule applies. Sessions are not terminated between two time intervals that directly follow each other (e.g., Tue
8:00 - Tue 9:00 and Tue 9:00 - Tue 10:00).
Block if schedule does not match When you enable this option, the connection is blocked when the time schedule does not match,
since no further access rule will be evaluated.
Legacy Time Restriction Settings for Access Rules
Existing Time Restrictions (Edit Rule > Advanced > Miscellaneous > Time Restriction) on an access rule override the schedule objects of
that rule. Barracuda Networks recommends configuring schedule objects instead of time restrictions in an access rule. Barracuda NG
Firewall firmware 6.1 or later no longer supports legacy time restrictions; use schedule objects instead.
6. Configure the time elements of the schedule object:
a. To create a recurring schedule:
i. Select the Enable Recurring Schedule checkbox.
ii. Select the weekdays and hours from the dropdown fields provided in the section.
Recurring time intervals must be between Monday 0:00 to Monday 0:00 of the next week. Create multiple entries if the
time interval passes the Mo 00:00 threshold. For more information, see Configuring Daytime Intervals in Schedule
Objects.
b. To create a schedule for a specific date and time span:
i. Select the Restrict to time interval checkbox.
ii. Enter or select the dates and times in the fields provided in the section.
7. Select Terminate existing sessions if you wish active sessions to be terminated as soon as the time restriction begins.
8. By default, the rest of the access rules in the ruleset are evaluated when the schedule object of the access rule does not match. Select Bl
ock if schedule does not match to immediately block the connection when the schedule object does not match. No further rules will be
evaluated.
9. Click Save.
The schedule object is now listed in the Schedules window and can be applied to host rules, access rules, or application rules.
Go to Configuration > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
Click Lock.
Edit the rule that you want to apply the schedule to.
Select the time object from the Schedules dropdown.
Click OK.
Click Send Changes and Activate.
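The Python code below is an added example, not Barracuda code, covering the schedule semantics described under Recurring Schedules and Time Interval as well as the object the steps above create: week-minute entries from Mon 00:00 to Mon 00:00, splitting of a span that crosses the Monday threshold, the Restrict to time interval window, the continue/block outcome when the schedule does not match, and the rule that two adjacent intervals do not terminate sessions. The timestamps in the usage are constructed and stand for the firewall's local time.

```python
from datetime import datetime

WEEK_MINUTES = 7 * 24 * 60                     # Mon 00:00 .. Mon 00:00 of the next week
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def week_minute(day, hhmm):
    """('Fri', '15:00') -> minutes since Monday 00:00."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return DAYS.index(day) * 1440 + hours * 60 + minutes


def recurring_entries(start_day, start_time, end_day, end_time):
    """Recurring Schedule entries for one span as (start, end) pairs, end exclusive.
    A span that runs across Mon 00:00 is split into two entries, as the page requires."""
    start = week_minute(start_day, start_time)
    end = week_minute(end_day, end_time)
    if end == 0:                               # 'Mon 00:00' as an end means the end of the week
        end = WEEK_MINUTES
    if start < end:
        return [(start, end)]
    return [(start, WEEK_MINUTES), (0, end)]


def at(text):
    """Parse a constructed timestamp such as '2024-01-06 12:00' (firewall local time)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


class ScheduleObject:
    def __init__(self, recurring=(), interval=None, terminate_existing=False, block_if_no_match=False):
        self.recurring = list(recurring)        # (start, end) week-minute entries
        self.interval = interval                # (start datetime, end datetime) or None
        self.terminate_existing = terminate_existing
        self.block_if_no_match = block_if_no_match

    @staticmethod
    def _week_minute(when):
        return when.weekday() * 1440 + when.hour * 60 + when.minute   # Monday == 0

    def active(self, when):
        """Evaluated against the clock of the firewall enforcing the rule, hence the NTP advice."""
        if self.interval is not None and not (self.interval[0] <= when < self.interval[1]):
            return False
        if not self.recurring:
            return True
        wm = self._week_minute(when)
        return any(start <= wm < end for start, end in self.recurring)

    def verdict(self, when):
        """'match': the rule applies; 'continue': evaluate the next rule;
        'block': Block if schedule does not match is set and the schedule is inactive."""
        if self.active(when):
            return "match"
        return "block" if self.block_if_no_match else "continue"

    def terminates_sessions_at(self, when):
        """True if Terminate existing sessions is set and an entry ends at this minute without
        another entry starting right there (adjacent intervals do not terminate sessions)."""
        if not self.terminate_existing:
            return False
        wm = self._week_minute(when)
        ends_here = any(end % WEEK_MINUTES == wm for _, end in self.recurring)
        starts_here = any(start == wm for start, _ in self.recurring)
        return ends_here and not starts_here


if __name__ == "__main__":
    weekend = ScheduleObject(recurring=recurring_entries("Fri", "15:00", "Tue", "10:30"))
    print(weekend.recurring)                          # [(6660, 10080), (0, 2070)]
    print(weekend.verdict(at("2024-01-06 12:00")))    # match (Saturday)
```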
9. Click OK.
10. Click Send Changes and Activate.
You can now apply the connection object to your firewall rules. Double-click a rule's number (or right-click an existing firewall rule and select
Edit Rule) to open the rule configuration. From the left navigation pane, select the Object Viewer check box and drag connection objects from
the Object Viewer window to the Connection Method table.
Parameters
General Settings
Parameter
Description
Name
Description
Connection Color
Connection Timeout
This general option for all connection types is the timeout for trying
to establish a connection. The default value is 30 seconds.
Increasing this value can be useful for very protracted connection
partners. Decreasing this value can be useful for faster failover
mechanisms.
NAT Address
This parameter specifies the Bind IP. The following options are
available:
Proxyfirst | Src NAT - 1st Server IP First IP address of
server under which firewall service is operating. May be used
to restrict the bind address or when policy routing is activated.
Proxysecond | Src NAT - 2nd Server IP Second IP
address of server under which firewall service is operating.
May be used to restrict the bind address or when policy routing
is activated.
Proxy Dyn | Dynamic Source NAT (default) Dynamically
chosen according to firewall routing tables. This is a general
purpose option.
Client | No Src NAT IP Address of the Client. Source IP =
Bind IP.
Explicit Explicitly specified IP address. May be used to
restrict the bind address to a specific address. Selecting
Explicit activates the following options and the Failover and
Load Balancing section (see below):
Same Port Select this checkbox to enforce the use of the
same client port when establishing the connection.
Explicit IP Enter the specific IP address to bind to.
Create Proxy ARP If the explicitly defined IP address
does not exist locally, select this checkbox to create an
appropriate Proxy ARP entry.
From Interface Explicitly specified interface. May be used to
restrict the bind address to a specific interface. Selecting
Interface activates the following option and the Failover and
Load Balancing section (see below):
Interface Name Enter the name of the interface to bind to.
Translation Table Source NAT for a complete subnet. To
avoid drastic misconfiguration, the netmask is limited to 16
bits or more; otherwise, a Proxy ARP for 10.0.0.0/8, for
example, would "blank out" the whole internal network.
If you define a map, make sure that the source range
using this connection is equal to or smaller than the
map range. If it is not, the firewall wraps the larger
source net into the smaller bind net.
Map to Network Enter the mapping network.
Netmask Enter the corresponding netmask.
Proxy ARP This parameter is needed by a router if the
addresses live in its local network. For more information, see
How to Create Proxy ARP Objects.
The section Failover and Load Balancing is only available with parameter Address Selection set to Explicit or Interface.
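As an added example (not Barracuda code), the Python below applies the two Translation Table warnings above: it refuses a map network wider than /16 and reports how many source addresses end up sharing one bind address when the source range is larger than the map range. The address translation itself assumes netmap semantics (host bits kept, network bits replaced by the map network), which the page does not spell out; the networks used are constructed.

```python
import ipaddress

MIN_MAP_PREFIX = 16   # the page limits the Translation Table netmask to 16 bits or more


def check_translation_table(source_net, map_net):
    """Validate a Translation Table entry the way the page's warnings describe.

    Returns the number of source addresses that will share each mapped address
    (1 means a clean one-to-one mapping); raises on a map network wider than /16."""
    src = ipaddress.ip_network(source_net)
    dst = ipaddress.ip_network(map_net)
    if dst.prefixlen < MIN_MAP_PREFIX:
        raise ValueError("%s: a Proxy ARP for a map this large would blank out the internal network" % dst)
    if src.prefixlen < dst.prefixlen:
        # Source net larger than the map net: the firewall wraps it into the smaller bind net,
        # so 2**(difference in prefix length) sources collide on every bind address.
        return 2 ** (dst.prefixlen - src.prefixlen)
    return 1


def netmap(source_ip, source_net, map_net):
    """Translate one source address: keep the host bits that fit the map network and
    replace the network bits with those of the map network (assumed netmap semantics)."""
    check_translation_table(source_net, map_net)
    ip = ipaddress.ip_address(source_ip)
    src = ipaddress.ip_network(source_net)
    dst = ipaddress.ip_network(map_net)
    if ip not in src:
        raise ValueError("%s is not in the source range %s" % (ip, src))
    host_bits = int(ip) & int(dst.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def translation_collisions(source_net, map_net):
    """Groups of source addresses that end up on the same bind address."""
    seen = {}
    for ip in ipaddress.ip_network(source_net).hosts():
        seen.setdefault(netmap(str(ip), source_net, map_net), []).append(str(ip))
    return {mapped: sources for mapped, sources in seen.items() if len(sources) > 1}


if __name__ == "__main__":
    print(netmap("10.0.1.7", "10.0.1.0/24", "192.168.5.0/24"))          # 192.168.5.7
    print(check_translation_table("10.0.0.0/23", "192.168.5.0/24"))     # 2 sources per bind address
```

A collision count above 1 is exactly the situation the warning describes: return traffic for a shared bind address cannot be attributed to a single internal host, so size the map network to the source range instead.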
Failover and Load Balancing
Parameter
Policy
Description
This parameter specifies what should happen if the connection
cannot be established. It is especially useful with multiple
providers and policy routing, because it lets you specify which
IP address/interface is used as a backup. Otherwise, connecting
via the backup provider with the wrong source IP address would
make return routing practically impossible. Available policies are:
NONE (No Fallback or Source Address Cycling) [default
setting] Selecting this option deactivates the fallback feature.
Fallback (Fallback to alternative Source Addresses) Causes
use of the alternative IP addresses/interfaces specified below.
SEQ (Sequentially Cycle Source Addresses) Causes cycling
of the IP addresses/interfaces specified below.
RAND (Randomize Source Addresses) Causes randomized
usage of the IP addresses/interfaces specified below.
Configuration examples related to multipath routing are described
below in more detail in the section Barracuda NG Firewall Multipath
Routing.
Alternative/Type
Weight
Application Control 2.0
Because most applications are web-based or connect to servers on the Internet over SSL/TLS-encrypted connections, they can be detected
and controlled as their traffic passes the Barracuda NG Firewall. If Application Control 2.0 and SSL Interception are enabled in the forwarding
firewall rule that handles the application traffic, the traffic is sent to the application rule set and processed as follows:
1. SSL traffic is decrypted.
2. Application rules are processed from top to bottom to determine if they match the traffic. If no rule matches, the default application policy
is applied.
3. If a matching application rule is found, the detected application is handled according to the rule settings. The application can be reported,
or it can be restricted by time, bandwidth (QoS), user information, or content (e.g., MPEG).
4. If the traffic was decrypted, it is re-encrypted.
5. The traffic is sent back to the forwarding firewall, which forwards it to its destination.
How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus Scanning and ATD
Application Rule Set and Lists
How to Create a Custom Application Object
How to Create an Application Object
How to Create a Protocol Object
How to Create an Application Filter
How to Create an Application Rule
Application Based Provider Selection
How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus Scanning and ATD
Before creating application rules, you must enable Application Control 2.0. You can also enable and configure SSL Interception, Virus
Scanning, or ATD in the firewall. Application Control 2.0, SSL Interception, and Virus Scanning are only supported for IPv4 traffic.
Virus Scanning and SSL Interception cannot be used on layer 2 bridging interfaces that have no IP address assigned. Use routed
layer 2 or layer 3 bridging interfaces instead.
In this article:
Supported NG Firewall Models
Enable Application Control 2.0
Enable SSL Interception
Enable the URL Filter
Enable Virus Scanner in the Firewall
Enable Advanced Threat Detection (ATD)
Configure Advanced SSL Interception Settings
Certificate Management
Certificate Management with Intermediate Certificate Authorities
Supported NG Firewall Models
Feature support by model: SSL Interception, URL Filtering, Virus Scanning
Enable Application Control 2.0
3. Select the Application Control 2.0 features to use: SSL Interception, URL Filter, ATD, Safe Search.
4. To enable the use of application rules, select Use Application Ruleset from the Application Ruleset list.
5. Click OK.
6. Click Send Changes and Activate.
Enable SSL Interception
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
2. Click Lock.
3. Select the Enable SSL Interception check box.
4. In the Root Certificate section, either select Use self signed certificate or add your certificate by clicking the plus sign (+). The root
certificate is used to intercept, proxy, and inspect the HTTP/S session: the Barracuda NG Firewall intercepts the HTTP/S
connections by presenting the client with a certificate derived from (signed by) this root CA.
When changing the root certificate, the firewall service must be restarted on the Server Page.
5. In the Trusted Root Certificates table, you can extend the default set of trusted root certificates by clicking the plus sign (+). To view the
Barracuda NG Firewall's certificate store, click the Show CA Certificates link.
6. Select the Enable CRL Checks check box to automatically check for revoked CA certificates.
7. In the Exception Handling section, add domains that should be excluded from SSL Interception. SSL-encrypted traffic to and from these
domains is not decrypted, although SSL Interception is globally enabled.
8. In the Block Settings section, enter a browser message that should be displayed when traffic is blocked.
9. Click Send Changes and Activate.
To ensure that SSL interception is activated, you must enable Application Control and SSL Interception in the settings of the forwarding
firewall rules that it should apply to. For more information, see How to Create an Application Rule.
Enable the URL Filter
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration.
2. Click Lock.
3. From the Configuration menu in the left pane, click Application Detection.
4. Set the Working Mode to On.
5. Click Send Changes and Activate.
Create URL Filter Policy objects or URL Filter Match objects to use the URL Filter in the Application rules. For more information, see How to
Create an URL Filter Policy Object and How to Create an URL Filter Match Object.
Enable Virus Scanner in the Firewall
After configuring the virus scanner service, virus scanning in the firewall must be enabled in the Security Policy settings.
For more information, see How to Configure Virus Scanning in the Firewall.
Enable Advanced Threat Detection (ATD)
ATD is enabled in the Security Policy settings of the Firewall service.
For more information, see How to Configure ATD in the Firewall.
Configure Advanced SSL Interception Settings
For SSL Interception, you can also configure advanced settings such as the number of working instances that are involved in the SSL decryption
process, log verbosity, or CRL checks.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Security Policies.
2. Click the Advanced link in the upper right of the Security Policy page. The SSL Interception Advanced window opens.
4. Click OK.
5. Click Send Changes and Activate.
Certificate Management
The SSL Interception process breaks the certificate trust chain. To re-establish the trust chain, you must install the security certificate (root certificate)
and, if applicable, the intermediate certificates that are used by the SSL Interception engine on every client in your network. To
prevent browser warnings and allow transparent SSL interception, install the security certificate into the operating system's or web browser's
certificate store.
1. On the Security Policy page, click the edit icon next to (Self Signed) Certificate and click Export to file.
2. Enter a name, select *.cer as file type, and click Save.
3. Deploy this certificate to the computers in your network. Either create a group policy object or install the certificate manually (MS
Certificate Import wizard). Ensure that you deploy the certificate into MS Windows' Trusted Root Certification Authorities certificate
store.
Mozilla Firefox does not automatically use trusted CA certificates installed in MS Windows' certificate store.
Certificate Management with Intermediate Certificate Authorities
Intermediate CAs are not directly delivered from the Barracuda NG Firewall to the client and must be deployed manually from the Microsoft Active
Directory PKI.
1. Use Microsoft Internet Explorer and connect to your MS Active Directory Certificate Services server. For example, https://127.0.0.1/certsrv
2. Click Request a Certificate and select advanced certificate request.
3. Click Create and submit a request to this CA and answer all questions with Yes.
4. Select Subordinate Certification Authority from the Certificate Template.
5. Fill out the form below.
6. Select your key size in the Key Options section and select the Mark keys as exportable check box.
7. Click Submit and answer all questions with Yes.
8. Click Install this certificate.
After the certificate is installed successfully, start the MS Active Directory's management console.
13. You can now import the certificate (*.p12) and private key (*.pem) pair to be used for SSL Interception.
14. Install the certificate (*.p12) and Root CA from which the certificate was derived, on the certificate store of affected clients.
In the rule set, the information and settings for each rule are organized into the following columns:
Column: Description
Name
Application
Content: The types of multimedia content that are affected by the rule. You can choose to globally block Flash, AVI, MPEG, QuickTime, and
RealMedia content in websites.
URL Filter Match: The URL Filter Match policies that are affected by the rule. You can either statically assign specific URL filters or use an
existing URL Filter Match object. Barracuda Networks recommends that you use URL Filter Match objects instead of linking static URL Filter
Match policies to access rules.
URL Filter Policy: The URL Filter policies that are affected by the rule. You can either statically assign specific URL policies or use an existing
URL Filter Policy object. Barracuda Networks recommends that you use URL Filter Policy objects instead of linking static URL Filter policies to
access rules.
Protocol: The protocols that are affected by the rule. With protocols, traffic can be controlled without having to match criteria like source or
destination network. For example, you can select protocols to globally detect IPsec or SMTP network traffic and apply QoS policies to
prioritize business critical network communications without needing to know the origin or target.
User: The users and user groups who are affected by the rule.
Schedule
QoS: The traffic shaping settings that are used by the rule. For more information, see Traffic Shaping and How to Create and Apply QoS
Bands.
Action
Source: The source network address of the traffic that is affected by the rule. Because the source network is already evaluated in the Access
Rule set, you can either use Any or enter specific IP addresses.
Destination
Comment
IPS Policy
Usage
TI-Settings: The Traffic Intelligence (TI) settings. For more information, see Traffic Intelligence.
In the Applications section of the Forwarding Firewall - Rules page, you can view, create, and edit the applications and application objects that
are used in application rules. Applications are organized into the following categories:
Application Object Lists any application objects that you have created. An application object is a reusable combination of predefined
applications, custom applications, and other applications objects. Application objects help simplify the configuration of application rules.
For more information, see How to Create an Application Object.
Protocol Object Lists any protocol objects that you have created. A protocol object is a reusable combination of predefined
protocols. For more information, see How to Create a Protocol Object.
Custom Application Lists any custom applications that you have created. If the default Application Control 2.0 pattern database does
not cover an application that you want to use in your application rules, you can customize an application. For more information, see How
to Create a Custom Application Object.
Application Overrides Lists any applications whose risk levels you have changed. For more information, see How to Override the Risk
Classification of an Application.
Applications Lists predefined applications from the Application Control 2.0 database.
The following figure displays the Applications section.
The following information is provided for each application and application object:
Name The name of the application including the icon of the service/application.
Ref by The application object that references this entry. This is set when an application filter is created. Note that referenced objects
cannot be deleted.
Description A description of the application including type and features.
Comment General information about the application.
URL Filter Objects List
In the URL Filter section of the Forwarding Firewall - Rules page, you can view, create, and edit URL filter objects that are used in application
rules.
2. Click Lock.
3. In the left menu, expand Firewall Objects and select Applications.
4. Create the protocol object by either right-clicking the table and selecting New > Protocol Object or using the icons in the top-right area of
the rule set.
5. Either search or filter for the protocols to include in the object.
6. Add protocols by either dragging them to the Protocol Set section or clicking the plus sign (+) next to their names.
7. If an application consists of more than one component, you can add the parent application to also add the child objects.
8. Click Save.
9. Click Send Changes and Activate.
The following figure displays the process for creating a protocol object.
4. Select the Application Control 2.0 features used for this access rule:
Application Control
SSL Interception
URL Filter
AV Scan
ATD
Safe Search
YouTube for Schools
5. Click OK.
6. Click Send Changes and Activate.
Step 2. Create an Application Rule
For each application policy create an application rule. Rules are evaluated from the top to bottom. The action set in the first matching rule is
executed.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left menu, click Application Rules.
3. Click Lock.
4. Click the green plus sign (+) in the top right of the page or right-click the rule set and select New > Rule. An application rule New Rule is
added to the application ruleset.
5. Double click on the New Rule application rule you just created. The Edit Rule window opens.
6. Select Pass or Deny as the action.
7. Enter a name for the rule. For example, LAN-DMZ.
8. Specify the following settings that must be matched by the traffic to be handled by this application rule:
Source The source addresses of the traffic. The source must be the same as or a subset of the source of the matching access
rule.
Destination The destination addresses of the traffic. The destination must be the same as or a subset of the destination of the
matching access rule.
Application Select the application object or application filter.
For the example access rule displayed above, a network object named FacebookAndGooglePlus has been created. For more
information, see How to Create an Application Object and How to Create an Application Filter.
9. Set Additional Matching Criteria or change the QoS Bands as needed (see below).
10. Click OK.
11. Drag and drop the application rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is
located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
12. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User Select a user object to apply this application policy only to a specific user group. For example, you can use this to
allow social media access to specific employees, whereas an application policy below denies it for everybody else. For more information,
see User Objects.
Schedule Objects Applies time restrictions to the application policy. For example, you can use a schedule object to throttle social
media during office hours. For more information, see Schedule Objects.
Protocol Selecting a protocol object for a detected application allows you to apply a policy that denies the application the use of this
protocol, or alternatively assigns a higher traffic shaping queue to, for example, the VoIP feature of an application. Protocols not allowed by the
matching access rule cannot be allowed in the application rule. For more information, see How to Create a Protocol Object.
Content To block or allow specific content types, you can select from the following content types:
Any
AVI
Flash
MPEG
Quicktime
Realmedia
URL Filter
You can combine URL filtering with application control. Use URL filter policy objects or URL Filter Match objects to block website categories.
URL Filter Policy URL Filter policies define the allow/block/warn/alert policy for every URL filter category. To apply that policy to the
application rule select the URL filter policy object from the list. For more information, see How to Create an URL Filter Policy Object.
URL Filter Matching URL Filter matching is used to assign additional policies such as traffic shaping or TI settings to web categories.
For more information, see How to Create an URL Filter Match Object.
Applications can not only be allowed or denied; you can also change the QoS Band assigned to the traffic matching this application rule. This
allows you to throttle or prioritize applications as needed. By default, the QoS Band of the matching access rule is used. For more information, see
Traffic Shaping.
Change the QoS Band Select this checkbox to use a different QoS band than the QoS band used by the matching access rule.
QoS Band (Fwd) Select the QoS Band to be applied to the outgoing application traffic matching this application rule.
QoS Band (Reply) Select the QoS Band to be applied to the incoming application traffic matching this application rule.
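A small model of the application rule evaluation described in this article, added here as an example and not Barracuda code: rules are checked top to bottom, the first match wins, rules below BLOCKALL are never executed, a rule's source and destination must be Any or a subset of the matching access rule's, and the QoS band is inherited from the access rule unless the rule overrides it. Rule names, addresses, users and application names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ANY = "0.0.0.0/0"  # "Any" in the GUI: inherit the scope of the matching access rule


@dataclass
class AccessRule:
    """The forwarding (access) rule that handed the traffic to the application rule set."""
    name: str
    source: str
    destination: str
    qos_band: str


@dataclass
class AppRule:
    name: str
    action: str                        # "Pass" or "Deny"
    applications: Set[str]             # detected application names, {"Any"} for all
    source: str = ANY
    destination: str = ANY
    users: Optional[Set[str]] = None   # Authenticated User criterion; None = not set
    change_qos_band: bool = False      # "Change the QoS Band" check box
    qos_band_fwd: Optional[str] = None


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    application: str                   # what Application Control 2.0 detected
    user: str


BLOCKALL = AppRule("BLOCKALL", "Deny", {"Any"})


def validate_scope(access: AccessRule, rules: List[AppRule]) -> List[str]:
    """Names of rules whose source or destination is neither Any nor a subset of
    the matching access rule's; the article requires one of the two."""
    bad = []
    for r in rules:
        for mine, theirs in ((r.source, access.source), (r.destination, access.destination)):
            if mine != ANY and not ip_network(mine).subnet_of(ip_network(theirs)):
                bad.append(r.name)
                break
    return bad


def unreachable(rules: List[AppRule]) -> List[str]:
    """Rules located below BLOCKALL are never executed."""
    names = [r.name for r in rules]
    return names[names.index("BLOCKALL") + 1:] if "BLOCKALL" in names else []


def matches(rule: AppRule, flow: Flow) -> bool:
    if not ("Any" in rule.applications or flow.application in rule.applications):
        return False
    if rule.users is not None and flow.user not in rule.users:
        return False
    return (ip_address(flow.src_ip) in ip_network(rule.source)
            and ip_address(flow.dst_ip) in ip_network(rule.destination))


def evaluate(access: AccessRule, rules: List[AppRule], flow: Flow,
             default_policy: str = "Pass") -> Tuple[str, str, str]:
    """Top to bottom, first match wins. Returns (rule name, action, QoS band).
    If no rule matches, the default application policy applies."""
    for rule in rules:
        if matches(rule, flow):
            band = rule.qos_band_fwd if rule.change_qos_band and rule.qos_band_fwd else access.qos_band
            return rule.name, rule.action, band
    return "default", default_policy, access.qos_band


if __name__ == "__main__":
    # Constructed rule set: marketing may use social media at the business band,
    # everyone else gets it throttled, everything else hits BLOCKALL.
    access = AccessRule("LAN-2-INTERNET", "10.0.0.0/8", ANY, "Business")
    rules = [
        AppRule("Marketing-Social", "Pass", {"Facebook", "Google+"},
                source="10.0.1.0/24", users={"marketing"}),
        AppRule("Throttle-Social", "Pass", {"Facebook", "Google+"},
                change_qos_band=True, qos_band_fwd="LowPrio"),
        BLOCKALL,
        AppRule("Never-Runs", "Pass", {"Any"}),
    ]
    print(evaluate(access, rules, Flow("10.0.1.5", "31.13.64.1", "Facebook", "marketing")))
    print(evaluate(access, rules, Flow("10.0.2.5", "31.13.64.1", "Facebook", "bob")))
    print(evaluate(access, rules, Flow("10.0.2.5", "1.2.3.4", "BitTorrent", "bob")))
    print("unreachable:", unreachable(rules))
```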
In this article:
Before You Begin
Step 1. Create an Application Link Connection Object
Step 2. Create a Firewall Rule
Before You Begin
Before you create an application based link selection connection object, complete the following:
Enable Application Control 2.0. For more information, see Application Control 2.0.
Create connection objects for every ISP line that you want to route application traffic over. For more information on how to create
connection objects, see Connection Objects.
Step 1. Create an Application Link Connection Object
To create an application link connection object:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left menu, click Connections.
3. Click Lock.
4. Right-click the table and select New > Application Based Link Selection.
5. In the Edit Application Based Link Selection Object window, specify the following settings:
Object Name Enter a name for the connection object (e.g., AppBasedProviderSelection).
Default Connection Select the default connection from the list by clicking the link. Traffic that is not defined in the application
based links is routed over this connection.
6. For every application or application category that you want to add:
a. Click the plus sign (+) to add an application based link entry.
b. Edit the Name of the new entry.
c. Select the Connection Object for the ISP to route the detected application traffic (e.g., Source NAT with DHCP for the first
DHCP line).
d. Double-click the Condition field.
e. In the Edit Condition window, click the No Application selected tab.
f. Either add applications from the list by category or double-click the entry. You can also filter the application list by selecting Category,
Risk, and Properties.
g. Click Save.
h. Click Save.
7. Click Send Changes and Activate.
The application link connection object is now in the Connections list.
Step 2. Create a Firewall Rule
Create a firewall rule to redirect the application traffic. Alternatively, you can also edit an existing matching firewall rule.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Right-click the Main Rules table and select New > Rule to create a new firewall rule.
4. Create a Pass firewall rule with the following settings:
Source Select Trusted LAN.
Service Select the type of service.
Destination Select Internet.
Application Policy Select App Control + SSL Interception.
Connection Method Select the application link connection object that you created in Step 1 (e.g., AppBasedProviderSelection).
5. Click OK.
6. Click Send Changes and Activate.
All applications are now routed over the provider selected in the application based link selection object. Go to the Firewall > History page to
monitor which link is selected for the applications defined in the connection object.
Every application pattern delivered with the Barracuda NG Firewall's Application Control 2.0 database contains a risk classification. The risk
classification extends the category of each application, to allow an even more granular classification of single applications. Depending on the
common usage and reputation, the risk classification may vary from 1 (low risk) to 4 (high risk).
Let's take the category File Storage and Backup as an example: Cloud storage is more popular than ever and sometimes even an integral part
of modern business communication. But depending on the business model of cloud storage services, some of them are highly attractive for illegal
and extremely bandwidth-consuming file sharing activities. While Copy and Amazon Web Services enjoy a good reputation, others like DepositFiles
or Mega have a poor reputation. Transforming these reputations into risk categories lets you permit only services with a good reputation.
Barracuda Networks continuously observes web application reputations and keeps you up to date with the latest risk classifications. However, in
some cases it may be necessary to manually override the risk classification.
1. Click the CONFIGURATION tab. The Configuration Overview page opens in the Simple Configuration view.
2. In the Operational Configuration table, click Ruleset in the Firewall section.
3. In the left navigation pane, expand Firewall Objects and click Applications.
4. Change the risk level of an application by either right-clicking it and selecting Override this Application or using the icons in the top-right
area of the rule set.
5. Select the new risk level for the application and then click OK.
The following figure displays process of overriding the risk classification of an application.
7. Click Save.
8. Click Send Changes and Activate.
The following figure displays the process for creating a URL Filter Match object.
5. Click Advanced. The URL Cat Policy Object - Advanced Settings window opens.
6. Select the Action if online URL database is unavailable.
7. Enter the timeout for Warn and Continue Override valid for [min]. Default: 10 min.
8. Click OK.
9. Click on Default Action and select Block, Allow or Alert from the dropdown.
10. Select Block, Allow, Warn and Continue or Alert in the Action column for each URL category.
b. For each whitelisted domain, click + to select the action and to enter the domain name in the Allow List.
Columns: Application Control 2.0, Sub-application Detection, SSL Interception, ATD, Application Based Provider Selection
HTTP Proxy Service (Forward Proxy on ports 3128 and 8080): No, Yes, No
HTTP Proxy Service (Transparent Proxy): Yes, Yes, No
External HTTP(S) Proxy: Yes, Yes, Yes, Yes
External HTTP + HTTPS Proxies: Yes, Yes, Yes, Yes
External Proxy
When clients use an external proxy for both HTTP and HTTPS traffic, there are no restrictions. Application Control 2.0 can inspect all traffic
coming from or going to the proxy.
Bridging
Bridging Type Feature Comparison
To help you decide which method to use, the following table compares the features that are available for each bridging method:
Features (one value per bridging method; Layer 3 Bridging is the first column):
MAC Transparent: Yes, Yes, No
Routing-Bridging-Forwarding
Broad-Multicast Propagation: Yes, Yes, Yes
High Availability: Yes, Yes, Yes
VLAN capable: Yes, Yes, Yes
Because bridging depends heavily on broadcasts to establish connectivity, it has a few weak points that you must consider carefully.
Implement bridging in a trusted environment where possible. In large environments, broadcasts also consume a lot of bandwidth. The Barracuda NG Firewall
offers several methods to help prevent the following common attacks.
Preventing IP or ARP Spoofing over Layer 2 Bridges
Network nodes may claim IP addresses via forged ARP responses in order to send network traffic with arbitrary IP addresses. Because firewall
security is enforced on Layer 3, the security policy is bypassed. These issues can be solved by taking the following measures:
Segment Access Control Lists (Bridging Interface ACLs) Specify which IP addresses are allowed on a segment.
Static Bridge ARP Entries Statically specify IP addresses, MAC addresses, and segments to avoid learning via ARP.
MAC-based Firewall Rules Define source MAC conditions for network objects.
ARP Change Reporting Specify which types of the IP-MAC-Segment relationship changes must be reported in the access cache and
log.
Prevent Destination MAC Spoofing
Another security issue in bridged environments is the possible exploitation of the gap between security enforcement on Layer 3 and traffic delivery on Layer 2. You
can prevent these issues by enforcing Layer 2 addresses once a Layer 3 session is granted: the MAC addresses for a session are fixed when the session is
created and remain enforced until the session ends.
In the figure below, a client in LAN 1 tries to force a connection grant to a client in LAN 3. To do so, it sends a packet to the client in LAN 2
using MAC-A as the destination MAC address and 10.0.8.10 as the destination IP address. After the session has been granted through the bridge
and communication has been allowed, it sends a second packet, exchanging the MAC address of the client in LAN 2 for the MAC address of the
client in LAN 3 while leaving the IP address the same. If MAC enforcement is configured, the connection with the spoofed MAC address will not be
allowed.
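The destination MAC spoofing scenario above, modelled as an added example (not Barracuda code): the Layer 3 policy decision is taken once, when the session is created, so without MAC enforcement a later frame that swaps the destination MAC rides on the already granted session; with enforcement, the MACs and ingress interface fixed at session creation are checked on every frame. IP addresses, MACs and interface names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    ingress_if: str            # bridge port the frame arrived on


@dataclass
class Session:
    """Layer 2 facts fixed at the moment the Layer 3 policy granted the session."""
    src_mac: str
    dst_mac: str
    ingress_if: str


class BridgeFirewall:
    def __init__(self, allowed: Set[Tuple[str, str]], enforce_mac: bool) -> None:
        self.allowed = allowed          # (src_ip, dst_ip) pairs the Layer 3 rules permit
        self.enforce_mac = enforce_mac
        self.sessions: Dict[Tuple[str, str], Session] = {}
        self.log: List[str] = []

    def handle(self, f: Frame) -> str:
        key = (f.src_ip, f.dst_ip)      # a real firewall keys sessions on the full 5-tuple
        s = self.sessions.get(key)
        if s is None:
            # The Layer 3 rule set is consulted only here, for the first frame of a session.
            if key not in self.allowed:
                self.log.append(f"DENY {key}: no matching rule")
                return "DROP"
            self.sessions[key] = Session(f.src_mac, f.dst_mac, f.ingress_if)
            self.log.append(f"PASS {key}: session created, MACs fixed {f.src_mac} -> {f.dst_mac}")
            return "PASS"
        # Follow-up frames: Layer 3 already granted them; only MAC enforcement can stop them.
        changed = (f.src_mac, f.dst_mac, f.ingress_if) != (s.src_mac, s.dst_mac, s.ingress_if)
        if changed and self.enforce_mac:
            self.log.append(f"DENY {key}: dst MAC {f.dst_mac} differs from session MAC {s.dst_mac}")
            return "DROP"
        if changed:
            self.log.append(f"PASS {key}: MAC changed mid-session, enforcement is off")
        return "PASS"


# Constructed scenario following the figure description: MAC_A belongs to the LAN 2
# client that 10.0.8.10 was granted for, MAC_C to the LAN 3 client that is not allowed.
MAC_A = "00:00:5e:00:53:0a"
MAC_C = "00:00:5e:00:53:0c"
FIRST_FRAME = Frame("10.0.1.20", "10.0.8.10", "00:00:5e:00:53:01", MAC_A, "eth1")
SECOND_FRAME = Frame("10.0.1.20", "10.0.8.10", "00:00:5e:00:53:01", MAC_C, "eth1")


def run_scenario(enforce_mac: bool) -> List[str]:
    """Verdicts for the two frames of the scenario under the given enforcement setting."""
    fw = BridgeFirewall(allowed={("10.0.1.20", "10.0.8.10")}, enforce_mac=enforce_mac)
    return [fw.handle(FIRST_FRAME), fw.handle(SECOND_FRAME)]


if __name__ == "__main__":
    print("MAC enforcement on: ", run_scenario(True))    # ['PASS', 'DROP']
    print("MAC enforcement off:", run_scenario(False))   # ['PASS', 'PASS']
```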
In this article
Before you Begin
Step 1. Configure the Local Bridge
Step 2. Create a Firewall Rule for Local Bridging
Before you Begin
Before configuring a local bridge, make sure that the following services are correctly configured:
Firewall It is assumed that port 1 is the management port and the default management IP 192.168.200.200 listens on this interface.
WiFi For the Barracuda NG Firewall F101/F201/F301, the Country must be selected. Otherwise, IP configurations involving WiFi
interfaces are not possible.
DHCP Server Make sure that DHCP server and DHCP client are disabled. By default, both are disabled.
These instructions also provide example settings that assume that your workstation is connected to port 1 and that you are creating a bridge
between port 2 and port 3.
Step 1. Configure the Local Bridge
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. For the Barracuda NG Firewall F101, F201, or F301 with WiFi enabled:
Select WIFI from the Configuration menu in the left navigation pane.
Make sure that the correct Location setting is selected.
3. Open the Forwarding Firewall Settings page (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server
> Assigned Services > Firewall).
4. From the Configuration menu in the left navigation pane, select Layer 2 Bridging.
5. Click Lock.
6. In the Bridged Interface Group table, add a group:
Bridged Interfaces In this table, add all of the interfaces that must be bridged together in this group. For example, add entries
for port 2 and 3.
For each interface, you can specify the following settings:
Name The exact network interface label, as listed in the network configuration. For VLANs, enter the physical VLAN
interface and the VLAN tag separated by a dot. For example, eth1.5 .
Allowed Networks (ACL) Networks that are allowed to communicate over the bridged interface. You can enter
complete networks, individual client/server IP addresses, or network ranges. For example, enter 0.0.0.0/0 in the
configurations for port 2 and port 3.
Unrestricted MACs List of MAC address for which the Allowed Networks (ACL) does not apply.
MAC Change Policy To specify if the MAC address of the interface can be changed, select AllowMACChange (default).
If the MAC address must not be changed, select DenyMACChange.
Bridge IP Address In this table, add an entry or edit an existing entry for the gateway to assign an IP address to this bridging
group. In the entry, specify the following settings for the gateway.
Bridge IP Address IP address for the gateway. For example, enter 10.17.11.55 or an IP address that is relative to
your network.
Bridge IP Netmask Netmask for the gateway.
To get the gateway of the LAN before you disconnect your computer from the LAN, go to Control Panel >
Network and Sharing > Change adapter settings on your workstation. Select your LAN adapter and click
the IPv4 properties. If you have a static IP address, information including the default route and DNS
information is displayed. If you have a DHCP address, your information will not display.
If you have a DHCP address, enter the following at the Windows command line
ipconfig/all
All of the network configurations display on the screen. Scroll to the top and find the Ethernet adapter Local
Area Connection settings.
2. (Optional) Enable Application Control and SSL Interception. For more information, see Application Control 2.0.
3. Click OK.
4. Click Send Changes and Activate.
In this article:
Step 1. Configure Transparent Layer 2 Bridging
Step 2. Create Firewall Rules for Layer 2 Bridging
Step 1. Configure Transparent Layer 2 Bridging
To configure transparent Layer 2 bridging, complete the following steps:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Settings.
2. In the left navigation pane, select Layer 2 Bridging.
3. Click Lock.
4. In the Bridged Interface Group table, click + to add an entry. For each interface group, you can edit the following settings:
Bridged Interfaces Add all interfaces to be bridged together in this group. For each interface enter the following settings:
Name The exact network interface label, as listed in the network configuration. E.g., eth1
Allowed Networks (ACL) Networks that are allowed to communicate over the bridged interface. You can enter
complete networks, individual client/server IP addresses, or network ranges.
Unrestricted MACs List of MAC address for which the Allowed Networks (ACL) does not apply.
MAC Change Policy Select AllowMACChange to permit the MAC address of the interface to be changed;
otherwise, select DenyMACChange.
Use IP BARP Entries Select yes if the Barracuda NG Firewall must learn the MAC addresses from IP and ARP traffic and
record IP addresses that are assigned to a specific MAC address in a separate table. If there are a very large number of IP
addresses in a specific network segment, select no to keep the ARP table from being overrun.
5. Click OK.
6. Click Send Changes and Activate.
Step 2. Create Firewall Rules for Layer 2 Bridging
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Create a Pass firewall rule with the following settings:
BiDirectional Yes
Source Select Any (0.0.0.0/0)
Service Select Any
Destination Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., 10.0.8.0/24 and 172.31.1.25
Connection Method Select No SNAT
4. Create a BroadMulticast firewall rule with the following settings:
Source Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., 10.0.8.0/24 and 172.31.1.25
Service Select Any
Connection Method Select No SNAT
Destination Enter the destination networks/IP addresses. E.g., 10.0.8.255
Optional
To use a DHCP server over the layer 2 bridge, also add 0.0.0.0 to the source and 255.255.255.255 to the destination
IP addresses.
5. Rearrange the order of the firewall rules so the new rules can match incoming traffic.
6. Click Send Changes and Activate.
In this article
Before you Begin
Step 1. Create a Network Object for the client PC
Step 2. Create Proxy ARP Objects
Before you Begin
Assign an IP address to each network interface of the Barracuda NG Firewall that you want to use for the bridge (CONFIGURATION >
Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties).
Step 1. Create a Network Object for the client PC
Create a network object for the clients that should be bridged:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Create a network object for the clients that must be bridged.
4. In the IP/Ref table, add the IP address of the client:
6. Click OK.
7. Click Send Changes and Activate.
You now have a network object for the client that you can use when creating the layer 3 bridge.
Step 2. Create Proxy ARP Objects
To make sure that ARP requests are answered on the interface for the new network, create a proxy ARP object for the bridging parent network
and bridged clients.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Create a proxy ARP object for the bridging parent network. E.g., 10.0.8.0/24
4. Create a proxy ARP object for the bridged client. E.g., 10.0.8.162. (optional) Restrict the source IP addresses of the proxy ARP
object to the bridging parent network.
Bridging Groups
A bridged interface group defines a set of network interfaces for which network traffic is forwarded with bridging.
Bridging Interfaces
A bridging interface is a network interface that is assigned to a bridged interface group.
A bridging interface can only be a member of one bridged interface group.
Bridging ARP Entries
A bridging ARP entry (BARP) stores the information that specifies on which bridge interface a certain MAC address resides. Additionally,
associated IP addresses are stored along with the BARP entry.
The IP address is only used for visualization purposes.
Dynamic BARPs
Dynamic BARPs are built up during run time by analyzing network traffic. Whenever a packet is received on an interface, dynamic BARPs are
generated or updated. This way, the firewall "learns" which MAC address resides on which bridging interface. When ARP packets are analyzed,
the Layer 3 IP information is added to the BARP entry by adding the IP address.
With dynamic BARPs, relationships are learned as follows:
MAC-Interface relationship learned by any IP traffic.
MAC-Interface-IP relationship learned by ARP traffic.
Static BARPs
Static BARPs are part of the configuration and define a MAC-Interface-IP relationship that is present at all times and is not overwritten by
"learning" from traffic.
Bridging Interface ACL
The bridging interface ACL specifies which IP addresses can be received on a bridging interface. ACLs can be used to enforce a Layer 3 topology
when operating on the firewall. The most restrictive implementation of the ACL maintains a list of single IP addresses that are expected on a
certain bridge interface.
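As an added illustration (not Barracuda code), the following Python model applies the rules just described to a handful of constructed frames: a MAC-to-interface relationship is learned from any traffic, the IP is attached only from ARP, static BARPs are never overwritten by learning, and a bridging interface ACL rejects source IPs that are not expected on that interface. Interface names, MAC addresses and the Frame fields are assumptions made up for the example; 10.0.8.162 is the page's own sample client address.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Barp:
    """One bridging ARP entry: the bridge interface a MAC was seen on, plus the
    IP learned from ARP (the page notes the IP is for visualization only)."""
    mac: str
    interface: str
    ip: Optional[str] = None
    static: bool = False


@dataclass
class Frame:
    """Constructed minimal frame carrying only the fields the BARP logic uses."""
    ingress: str                    # bridging interface the frame arrived on
    src_mac: str
    src_ip: Optional[str] = None    # IP header or ARP sender address, if any
    is_arp: bool = False


class BridgeGroup:
    def __init__(self, static: List[Barp] = (), acl: Optional[Dict[str, Set[str]]] = None):
        # Static BARPs come from configuration and seed the table.
        self.table: Dict[str, Barp] = {b.mac: b for b in static}
        # Bridging interface ACL: interface -> IPs expected there. Interfaces
        # without an entry are unrestricted (the page's loosest setting).
        self.acl: Dict[str, Set[str]] = acl or {}
        self.violations: List[str] = []

    def acl_permits(self, frame: Frame) -> bool:
        allowed = self.acl.get(frame.ingress)
        return allowed is None or frame.src_ip is None or frame.src_ip in allowed

    def process(self, frame: Frame) -> str:
        """Apply the ACL, then the learning rules, to one frame; return what happened."""
        if not self.acl_permits(frame):
            self.violations.append(f"{frame.ingress}: {frame.src_ip} ({frame.src_mac}) not in ACL")
            return "acl-drop"
        entry = self.table.get(frame.src_mac)
        if entry is not None and entry.static:
            # Static BARPs are never overwritten by "learning" from traffic.
            return "static-kept" if entry.interface == frame.ingress else "static-conflict"
        if entry is None:
            entry = Barp(frame.src_mac, frame.ingress)
            self.table[frame.src_mac] = entry
            result = "learned"                   # MAC-Interface from any traffic
        elif entry.interface != frame.ingress:
            entry.interface = frame.ingress      # host reappeared on another segment
            result = "moved"
        else:
            result = "refreshed"
        if frame.is_arp and frame.src_ip:
            entry.ip = frame.src_ip              # MAC-Interface-IP only from ARP
        return result


# Constructed sample: a static entry for the gateway, an ACL pinning the single
# bridged client 10.0.8.162 (the page's example address) to eth2, and five frames.
STATIC = [Barp("00:11:22:33:44:55", "eth1", "10.0.8.1", static=True)]
ACL = {"eth2": {"10.0.8.162"}}
FRAMES = [
    Frame("eth2", "aa:bb:cc:dd:ee:01", "10.0.8.162"),                # plain IP traffic
    Frame("eth2", "aa:bb:cc:dd:ee:01", "10.0.8.162", is_arp=True),   # ARP adds the IP
    Frame("eth3", "aa:bb:cc:dd:ee:01", "10.0.8.162"),                # client moved segments
    Frame("eth2", "aa:bb:cc:dd:ee:02", "10.0.8.99", is_arp=True),    # IP not expected on eth2
    Frame("eth4", "00:11:22:33:44:55", "10.0.8.1", is_arp=True),     # static MAC on wrong interface
]


def run_demo() -> tuple[List[str], BridgeGroup]:
    """Feed the constructed frames through a fresh bridge group."""
    group = BridgeGroup(STATIC, ACL)
    return [group.process(f) for f in FRAMES], group


if __name__ == "__main__":
    results, group = run_demo()
    for frame, result in zip(FRAMES, results):
        print(f"{frame.ingress:5} {frame.src_mac} -> {result}")
    for barp in group.table.values():
        print(barp)
```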
Virtual Bridge Interface
A virtual bridge interface is an interface that acts as parent interface for all interfaces of a bridged interface group. The name of a virtual interface
is always the name of the bridged interface group with a phbr- prefix. For example: phbr- <group-name>
Virtual Bridge Interface IP Address
Optionally, each virtual bridge interface may be configured with an IP address and a netmask. This way, the firewall itself can actively probe
(learn) on which segments each MAC address resides. It can also route traffic from a routed network to a bridged network or between bridging
groups. Through the introduction of a virtual bridge interface, Transparent Layer 2 is changed to Routed Layer 2 Bridging.
A virtual bridge interface has the following main characteristics:
Active ARP queuing.
Forwarding between bridge groups.
Forwarding between routed and bridged networks.
Local firewall traffic (application gateways).
Still MAC transparent (like ).
Broadcast and Multicast
Broadcast and multicast traffic can be forwarded between segments and routed networks. You must create a specific firewall rule to allow
broadcast or multicast propagation. Specify a list of network interfaces, IP addresses, and multicast addresses that define how traffic should be
propagated. Broadcast to unicast or multicast translations are possible.
For best matching results, use Application Control 2.0 and the Barracuda Web Filter to enforce your application policies. The URL Filter Match
object is used as a matching criterion in application rules and can optionally be used to apply different QoS settings depending on the URL
category or specific website.
For more information, see How to Enable the Barracuda Web Filter.
Barracuda Web Filter with HTTP Proxy
Web filtering allows you to control access to websites based on the URL category. To offer granular control it is
possible to define exceptions for individual users and IP addresses and also to log which requests are allowed
and denied.
For more information, see How to Configure Web Filtering.
Enable the URL Filter Service
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration.
2. Click Lock.
3. In the left menu, click Application Detection.
4. Set the Working Mode to On.
5. Create URL Filter Policy objects or URL Filter Match objects. For more information, see How to Create a URL Filter Policy Object and
How to Create a URL Filter Match Object.
6. Create Application rules and select the URL filter objects to match website traffic to the URL categorization database. For more
information, see How to Create an Application Rule.
Virus Scanner
The Virus Scanner service offers malware protection in combination with the firewall, HTTP proxy, FTP, and mail gateway services. An active
Malware subscription is required. For all Barracuda NG Firewall models F200 and larger, you can use both the Avira and ClamAV virus scanning
engines. Barracuda NG Firewalls F100 and F101 support only the Avira virus scanning engine.
For more information, see:
How to Enable the Virus Scanner
How to Configure Avira Virus Scanning
How to Configure ClamAV Virus Scanning
How to Update Virus Patterns Manually
1. Open the Virus Scanner Settings page (Virtual Servers > your virtual server > Assigned Services > Virus-Scanner).
2. Enable the virus engine that you are using.
If you are using Avira, set Enable Avira Engine to yes.
If you are using ClamAV, set Enable ClamAV Engine to yes.
If you are using ATD, set Enable ATD Engine to yes.
3. Define the following settings for the virus engine:
Max. RAM Cache (MB): Enter the maximum size of the cache that the virus scanner can create to store the files that it will scan. Files that
exceed the specified size are stored on the local hard drive of the Barracuda NG Firewall.
Max. Number of Workers: Enter the maximum number of scanner instances that can be launched to handle requests.
Debug Log Level: Select the level of detail for the virus scanner log. Selecting a value that is higher than 0 (zero) will display debug output
in the log.
4. In the left navigation pane, expand Configuration and click Update Handling.
5. Define the following settings for the virus pattern and scanner engine updates. By default, the virus scanner service contacts the pattern
update server every 60 minutes for new updates.
Update Every (mins): In minutes, enter how often the update server is contacted.
Download Retries: Enter the maximum number of update attempts if the update server does not respond.
Proxy Settings: If the virus scanner requires an HTTP proxy to reach the update servers, configure the parameters in this section.
Do not change the server settings in the Download Server Addresses section. If you change these settings, your virus pattern database may
not update properly. However, if you are using ClamAV, you can change the ClamAV Safe Browsing setting to enable or disable support for
Google Safe Browsing.
Next Steps
To configure the Avira virus scanning settings, see How to Configure Avira Virus Scanning.
To configure the ClamAV virus scanning settings, see How to Configure ClamAV Virus Scanning.
Before configuring Avira virus scanning, activate the Virus Scanner service. For more information, see How to Enable the Virus Scanner.
The Avira scan engine requires an additional license (file extension: *.KEY). This license file must be imported with the Avira License
Button.
Configure Virus Scanning
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner
> Virus Scanner Settings.
2. In the left menu, select Avira.
3. Set Scan Archives to yes to enable the archive scan.
4. In the Avira Archive Scanning section, define the following archive scanning settings:
Max. Scan Size (MB): The maximum amount of data to be scanned for each file (default: 1024). Specifying a maximum size prevents the virus
scanner from being overloaded.
If a maximum scan size is not entered or the limit is set too high, this may result in severe damage to the system.
Max. Nesting Depth: The maximum nesting level for the archives (default: 20). If a limit is not required, enter 0 (zero).
Max. Compression Ratio: The maximum compression ratio for the archives (default: 150).
If you allow a very high compression ratio, a small archive can use a lot of working memory when it is decompressed and overload the virus
scanner. Such an archive is often called a "ZIP bomb."
Max. File Count: The maximum number of files that can be stored in an archive (default: 10000). If a limit is not required, enter 0 (zero).
Block Encrypted Archives: To block encrypted archives, select yes.
If the archive contains file types like .zip, .rar, .exe, .iso, .tar, .tgz, .cab, .msi, .btn, etc., it is possible that one of these files is encrypted
(virus scanner message: Encrypted archives are blocked). In this case, the virus scanner will block the whole archive. To disable blocking of
encrypted archives, select no.
Block on Other Error: To block archives that cause errors while they are decompressing, select yes.
Block Unsupported Archives: To block archives that cannot be decompressed because their formats are unsupported, select yes.
The Barracuda NG Firewall uses the SAVAPI scan engine from AVIRA. This engine supports the following archive types: ZIP, ZIP-Sfx, ARJ,
ARJ-Sfx, TAR, GZ, ZOO, UUEncode/XXEncode, TNEF, MIME, BinHex, MSCompress, MS CAB, LZH/LHA, LZH/LHA Sfx, RAR, RAR-Sfx, JAR, BZ2,
ACE, ACESfx.
5. To configure malware detection, specify the types of malware that the engine should scan for in the Avira Non-Virus Detection section.
6. To configure engine-specific options, configure the following parameters in the Avira Misc. Options section:
Legacy Avira license: To import a legacy Avira license, click Ex/Import and select Import from file.
Contact Email Address: The email address that receives notifications when the license is about to expire.
Quarantine directory: The path to the directory where infected files should be placed.
The Virus Scanner service places files that are infected by a virus into the Quarantine directory. This directory is NOT
cleaned up automatically. You must manually clean up the Quarantine directory.
7. Click Send Changes and Activate.
Configure HTTP Multimedia Streaming
To enable content streaming, disable virus scanning for specific DNS domains.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner
> Virus Scanner Settings.
2. In the left menu, select Content Scanning.
3. Click Lock.
4. In the Scan Exceptions table, add an entry for each DNS domain that should not be scanned:
a. Enter a name for the entry and click OK.
b. In the Allowed MIME types table, add an entry for each MIME type that should not be scanned.
To determine the MIME type for a file, enable the debug log and check the cas log files.
To enable the debug log, go to the Virus Scanner Settings - Basic Setup page. In the Debug Log Level field, enter 1.
c. In the Domain field, enter the domain name.
5. Click Send Changes and Activate.
Avira Update
Updates of the Avira engine are done automatically. If a faulty Avira update was downloaded and activated, a rollback to the last working version
is done. During this process, further updates will be blocked for 1 hour. A virscan/cas message will be created, stating "Doing rollback. Disabling
update for 60 min."
To manually update the Avira pattern, complete the following steps:
1. Go to CONTROL > Server.
2. In the Service Status section, right click the virscan service that should be updated with the most current pattern.
3. Click Update Pattern in the context menu.
If you must perform a manual rollback, create a file named /var/phion/run/virscan/dorollback. During this process, any other updates will be
blocked for 1 hour. The virscan/cas message will be created, stating "Doing rollback. Disabling update for 60 min."
After a successful update, Avira creates a backup which will be used for the next rollback. A log entry will be created, stating "Creating backup for
Rollback".
Before configuring ClamAV virus scanning, activate the Virus Scanner service. For more information, see How to Enable the Virus Scanner.
Configure Archive Scanning
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner
> Virus Scanner Settings.
2. In the left menu, select ClamAV.
3. Click Lock.
4. Set Scan Archives to yes to enable the archive scan.
5. In the ClamAV Archive Scanning section, define the following archive scanning settings:
Max. Scan Size (MB): The maximum amount of data to be scanned for each file. Specifying a maximum size prevents the virus scanner from
being overloaded. Archive and other container files are recursively added and scanned up to this value.
If a maximum scan size is not entered or the limit is set too high, this may result in severe damage to the system.
Max. File Size (MB): The maximum size for files to be scanned. Files that exceed this limit will not be scanned. If a limit is not required, enter
0 (zero).
Max. Nesting Depth: The maximum nesting level for the archives. If a limit is not required, enter 0 (zero).
Max. File Count: The maximum number of files that can be stored in an archive. If a limit is not required, enter 0 (zero).
Block Encrypted Archives: To block encrypted archives, select yes.
If the archive contains file types like .zip, .rar, .exe, .iso, .tar, .tgz, .cab, .msi, .btn, etc., it is possible that one of these files is encrypted
(virus scanner message: Encrypted archives are blocked). In this case, the virus scanner will block the whole archive. To disable blocking of
encrypted archives, select no.
6. In the ClamAV Possibly Unwanted Applications (PUA) section, specify the types of malware that the engine should scan for.
7. In the ClamAV Misc. Scanning Options section, specify the types of files that should be scanned. You can also enable heuristic and
HTML scanning.
8. In the ClamAV Email Scanning section, select whether or not to scan URLs found in mails.
9. In the ClamAV Phishing Protection section, specify the following settings to detect phishing attacks:
Use Phishing Signatures: To enable signature-based phishing detection, select yes.
Always block SSL Mismatch: To block SSL mismatches in URLs (even if a URL is not in the database), select yes.
Always Block Cloak: To block all cloaked URLs (even if a URL is not in the database), select yes.
10. In the ClamAV Data Loss Prevention (DLP) section, specify the following settings to detect possible private data theft:
Min. Credit Card Count: The minimum number of credit card numbers that can be stored in a file before the file is detected.
SSN Format: To enable the DLP module to scan for valid social security numbers, select yes.
Min. SSN Count: The minimum number of social security numbers that can be stored in a file before the file is detected.
11. Click Send Changes and Activate.
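The archive limits in the Avira section above and in the ClamAV section share one idea: bound what the scanner is willing to unpack before it unpacks it. The following Python sketch, added here and not Barracuda code, applies limits of the same kinds (scan size, nesting depth, compression ratio, file count, encrypted entries) to in-memory ZIP files constructed for the example; the field names and defaults in ArchivePolicy are assumptions chosen to mirror the settings on this page, not the engines' implementation.

```python
from __future__ import annotations

import io
import random
import zipfile
from dataclasses import dataclass


@dataclass
class ArchivePolicy:
    """Limits mirroring the archive scanning settings on this page (0 = no limit)."""
    max_scan_size: int = 1024 * 1024 * 1024   # bytes; the page's default is 1024 MB
    max_nesting_depth: int = 20
    max_compression_ratio: int = 150
    max_file_count: int = 10000
    block_encrypted: bool = True


class ArchiveBlocked(Exception):
    """Raised with the reason an archive would be blocked before full extraction."""


def check_archive(data: bytes, policy: ArchivePolicy, depth: int = 1,
                  state: dict | None = None) -> dict:
    """Walk a ZIP recursively and enforce the policy; return counters on success."""
    state = state if state is not None else {"files": 0, "scanned": 0}
    if policy.max_nesting_depth and depth > policy.max_nesting_depth:
        raise ArchiveBlocked(f"nesting depth {depth} exceeds {policy.max_nesting_depth}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        # Corresponds to "Block Unsupported Archives" / "Block on Other Error".
        raise ArchiveBlocked(f"cannot open archive: {exc}")
    for info in zf.infolist():
        if info.is_dir():
            continue
        state["files"] += 1
        if policy.max_file_count and state["files"] > policy.max_file_count:
            raise ArchiveBlocked(f"file count exceeds {policy.max_file_count}")
        if info.flag_bits & 0x1:  # general-purpose bit 0: the entry is encrypted
            if policy.block_encrypted:
                raise ArchiveBlocked("Encrypted archives are blocked")
            continue  # cannot be inspected; passes only because the admin chose 'no'
        # Judge the ratio from the headers before inflating a single byte, so a
        # "ZIP bomb" is rejected without consuming the memory it is built to burn.
        if info.compress_size and info.file_size // info.compress_size > policy.max_compression_ratio:
            raise ArchiveBlocked(f"compression ratio {info.file_size // info.compress_size} "
                                 f"exceeds {policy.max_compression_ratio}")
        if state["scanned"] + info.file_size > policy.max_scan_size:
            raise ArchiveBlocked(f"scan size exceeds {policy.max_scan_size} bytes")
        payload = zf.read(info)         # this is what would be handed to the engine
        state["scanned"] += len(payload)
        if zipfile.is_zipfile(io.BytesIO(payload)):
            check_archive(payload, policy, depth + 1, state)
    return state


def verdict(data: bytes, policy: ArchivePolicy) -> str:
    """Return 'allowed' or 'blocked: <reason>' for the given archive bytes."""
    try:
        check_archive(data, policy)
        return "allowed"
    except ArchiveBlocked as exc:
        return f"blocked: {exc}"


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Helper that constructs a deflated ZIP in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. Incompressible bytes give a ratio near 1:1; a run of
# zeros deflates to a tiny fraction of its size, which is the ZIP-bomb signature.
RANDOM = random.Random(7).randbytes(4096)
ORDINARY = build_zip({"report.pdf": RANDOM, "notes.txt": RANDOM})
RATIO_BOMB = build_zip({"payload.bin": b"\x00" * (512 * 1024)})
NESTED = build_zip({"mid.zip": build_zip({"inner.zip": build_zip({"a.bin": RANDOM})})})
MANY_FILES = build_zip({f"f{i}.bin": RANDOM[:64] for i in range(5)})

# A deliberately tight policy so every limit is exercised by the samples.
STRICT = ArchivePolicy(max_nesting_depth=2, max_file_count=3)

if __name__ == "__main__":
    for name, blob in [("ordinary", ORDINARY), ("ratio bomb", RATIO_BOMB),
                       ("nested x3", NESTED), ("5 files", MANY_FILES)]:
        print(f"{name:>11}: {verdict(blob, STRICT)}")
```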
Configure HTTP Multimedia Streaming
To enable content streaming, disable virus scanning for specific DNS domains.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner
> Virus Scanner Settings.
2. In the left menu, select Content Scanning.
3. Click Lock.
4. In the Scan Exceptions table, add an entry for each DNS domain that should not be scanned.
a. Enter a name for the entry and click OK.
b. In the Allowed MIME types table, add an entry for each MIME type that should not be scanned.
To determine the MIME type for a file, enable the debug log and check the cas log files.
WIFI
Step 1. Enable the Wi-Fi Network
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > WIFI > Service
Properties.
2. Click Lock.
3. In the Service Definition section, select yes from the Enable Service list.
4. In the Description field, enter an optional description of the Wi-Fi service.
5. Click Send Changes and Activate.
Step 3. Configure the Wi-Fi Default Routes
If your LAN and Wi-Fi connections are in two different networks, configure a default route for the Wi-Fi LAN by completing the following steps:
6. In the Target Network Address field, enter the target network address. For example, 192.168.1.0/24.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > WIFI > WIFI AP
Configuration.
2. Click Lock.
3. In the Network Name (SSID) field, enter the network name.
4. In the Preshared Key (PSK) table, click + to add a new entry. The Preshared Key (PSK) Combination window opens.
5. In the New field, enter a new password.
6. In the Confirm field, re-enter the new password.
The passwords must match in both fields and be at least eight characters long.
7. Click OK.
8. Click Send Changes and Activate.
After completing the configuration, go to the CONTROL > Network page and verify that the Wi-Fi interface is available. If the interface is
available, a green square is displayed next to its name.
Troubleshooting
To administer tickets for the Guest Access, you can also enable a web-based backend user interface for creating, deleting, managing, or printing
tickets.
Step 1. Enable Guest Access
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > WIFI > WIFI AP
Configuration.
2. Click Lock.
3. From the Guest Access list, select either Confirmation or Ticketing. If you want to disable the Guest Access, select None.
4. Click Send Changes and Activate.
Step 2. Configure Guest Access
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Settings.
2. In the left menu, select Guest Access.
3. Click Lock.
4. You can specify the following settings for the Guest Access:
Timing: The time period after which users must re-enter their login credentials. When deleting ticketing users, the user can still access the
guest network for the duration of this value. To force a user to be blocked immediately, you must delete the ticketing or confirmation user in
FIREWALL > Users and terminate all existing firewall sessions in FIREWALL > Live for that user.
Customization (Confirmation): Confirmation text, Header Logo
Authentication Password
Use Accounting
Accounting Server IP
Accounting Port
Accounting Password
5. In the RADIUS Fallback Options section, you can edit the following settings for a secondary or fallback RADIUS server:
NG Control Center
The Barracuda NG Control Center is a central administration appliance designed to manage a large number of Barracuda NG Firewalls. The
Barracuda NG Control Center provides a comprehensive set of central management services and features such as template-driven objects,
reusable global objects, user definable work views, and graphical representation of the global WAN network. The box layer of the Barracuda NG
Control Center is identical to the Barracuda NG Firewall.
Central Management
Multi-Admin Support and Role-Based Administration
Revision Control System (RCS)
Central Statistics
Central Syslog and Eventing
FW Audit
NG Access Monitor (NAC)
Barracuda NG Earth
Public Key Infrastructure (PKI)
Graphical VPN Configuration Interface (GTI Editor)
Shared Services
Other
Central Management
The Barracuda NG Control Center allows administrators to centrally manage and monitor Barracuda NG Firewalls. The NG Control Center can
simultaneously manage multiple releases and platforms (hardware, virtual, and public cloud). Configuration, file updates, and licenses are
distributed to the managed units. Remote units connect to the NG Control Center via remote management tunnels. The health and status of all
managed NG Firewalls is continuously checked.
For more information, see Central Management.
The Revision Control System (RCS) stores versioning information on all configuration changes to your system. You can view older configuration
versions and, if necessary, roll back previous changes.
For more information, see Revision Control System (RCS).
Central Statistics
The Barracuda NG Control Center can collect and store statistics of its managed NG Firewalls. The CC Statistics Collector and CC Statistic
Viewer process the raw data and present the collected data in the STATISTICS tab on the Barracuda NG Control Center.
For more information, see Statistics.
FW Audit
The CC FW Audit Log service receives structured firewall data from the managed units and stores the firewall audit information on the Barracuda
NG Control Center. The CC Firewall Audit Info viewer provides a consolidated view similar to the firewall access cache across multiple boxes. For
large or high-performance environments, dedicated Barracuda NG Firewall boxes can be configured to collect and retrieve firewall audit log
information. The collection and processing is handled by the CC FW Audit Log service and the Audit Info collector on the Barracuda NG Control
Center.
For more information, see FW Audit.
Barracuda NG Earth
Barracuda NG Earth displays the status of your VPN site-to-site tunnels around the world. When connected to the Barracuda NG Control Center,
Barracuda NG Earth retrieves the data from your VPN connections and displays the tunnels according to the information on a customizable
interface. Barracuda NG Earth is not available for the Barracuda NG Control Center Standard Edition.
For more information, see Barracuda NG Earth.
Shared Services
There are three types of shared services that can run on multiple virtual servers:
Distributed Firewall
SNMP
DNS
For more information, see Shared Services.
Other
CC Firewall Service: For more information, see Control Center CC Firewall.
CC Troubleshooting: For more information, see NG Control Center Troubleshooting.
Migrate the Barracuda NG Control Center to a new network segment: For more information, see Best Practice - Migrate the NG Control Center
to a New Network Segment.
For Barracuda NG Control Centers installed via NG Install, do not use the CC Wizard. For more information, see NG Control Center
Manually Getting Started.
Complete the CC Wizard to configure all necessary box layer and Control Center settings for your new Barracuda NG Control Center. The CC
Wizard can be launched from the OPTION menu or automatically starts when logging into a new NG Control Center on box layer. The CC Wizard
is available for all NG Control Centers running firmware 6.0.1 or later.
Before you Begin
Log into Box Layer of a new NG Control Center to use the CC Setup Wizard.
1. Launch Barracuda NG Admin.
2. Select Box.
3. Log in to the NG Control Center box layer:
Management IP: If you are using a hardware NG Control Center appliance, enter 192.168.200.200. For virtual NG Control Centers, enter the
IP address you set during deployment.
Password: Enter the default password: ngf1r3wall.
The CC Setup Wizard can also be accessed from the OPTION menu in NG Admin.
1. Launch Barracuda NG Admin.
2. Click the OPTION menu in the upper left-hand corner and click CC Wizard. The CC Setup Wizard window opens.
If you are using a virtual NG Control Center, enter the License Token (e.g., XXXXX-XXXXX-XXXXX) and click Next.
Next Steps
Use the CC IP Address to connect to the NG Control Center.
Create Admins using External Authentication
Central Management
How to Manage Ranges and Clusters
Before you complete the steps in this article, finish the Getting Started section for the Barracuda NG Firewall and configure all box layer
settings.
The box layer of the Barracuda NG Control Center uses the same "Getting Started" steps as the Barracuda NG Firewall. Once the licenses and
other basic settings are complete, you must configure the NG Control Center management layer.
Step 2. Set the First IP for the Virtual Server
3. Click Lock.
4. Enter the CC MIP as the First-IP.
5. Set Reply to Ping to yes.
6. Click Send Changes and Activate.
Next Steps
Continue with the steps below to set up the Barracuda NG Control Center according to your needs.
Create Admins
Central Management
How to Manage Ranges and Clusters
Central Management
The Barracuda NG Control Center is designed for the central management of Barracuda NG Firewalls. NG Control Center admins configure
security, content, traffic management, and network access policies from one central management interface. Template-based security information
and configuration versions make it possible to manage all locations from one central system.
System Hierarchy: Ranges, Clusters and Boxes
System Health and Status Monitoring
Configuration Updates
Remote Management Tunnels
Licensing on the Barracuda NG Control Center
Firmware Updates on Managed NG Firewalls
Barracuda NG Control Center Trust Center Model
The Barracuda NG Control Center organizes the managed NG Firewalls into a hierarchy of ranges and clusters, with the individual box
configurations at the lowest level. The number of available ranges and clusters depends on which edition NG Control Center you are using:
Standard Edition: One range, one cluster, unlimited number of boxes (NG Firewalls).
Enterprise Edition: One range, unlimited number of clusters, unlimited number of boxes (NG Firewalls).
Global Edition: Five ranges with the option to add additional ranges, unlimited number of clusters, unlimited number of boxes (NG Firewalls).
Ranges
Ranges simplify central administration of globally distributed NG Firewalls. For each range, you can define global settings, spanning all clusters in
the range. You must create at least one cluster in a range to be able to add Barracuda NG Firewall boxes. To make configuration easier, you can
define the following range-wide configuration settings:
Range Objects
Range GTI Editor
Range Statistics
Range Access Control Objects
Range QoS Shaping Trees
Activation Template
For more information, see How to Manage Ranges and Clusters.
Clusters
At the second highest level, clusters represent groups of Barracuda NG Firewalls. To make configuration easier, you can define the following
cluster-wide configuration settings:
Cluster Objects
Cluster GTI Editor
Cluster Statistics
Cluster Access Control Objects
Cluster QoS Shaping Trees
Activation Template
For more information, see How to Manage Ranges and Clusters.
Boxes
Boxes represent the individual Barracuda NG Firewall units within a Barracuda NG Control Center cluster.
For more information, see:
How to Import an Existing Barracuda NG Firewall into a NG Control Center
How to Add a new Barracuda NG Firewall to the Control Center.
How to Move, Copy and Delete Barracuda NG Firewalls
Configuration Updates
The configuration for all managed NG Firewalls is stored on the Barracuda NG Control Center. When the admin activates a configuration
change, it is automatically pushed out to the managed Barracuda NG Firewalls.
For more information, see CC Configuration Updates.
Connections between the Barracuda NG Control Center, NG Firewall, and Barracuda NG Admin are authenticated with X.509 private/public
keys. The NG Control Center handles the certificate and authentication of remote NG Firewalls and NG Admin. The NG Control Center also stores
Create a Range
Remove a Range
Deleting a range is final and will also remove all clusters and managed NG Firewalls in the range. Create a backup before deleting a
range.
Create a Cluster
Unless you are using a Standard Edition NG Control Center there is no limit on how many clusters you can create.
Remove a Cluster
Deleting a cluster is final and will also remove all clusters and managed NG Firewalls. Create a backup before deleting a cluster.
Each range and cluster can override global settings by using its own configuration interface. When enabling these settings the scope is limited to
the range or cluster it is set for.
Disable Update
Collect Statistics
Introduces the node Eventing where you can define custom event settings for the range or cluster (see How to Configure Event Notifications). If
the range or cluster requires special event settings, enable this parameter.
Migration can only be performed to the next major firmware version (5.0 > 5.2 > 5.4 > 6.0 > 6.1).
Migrating a Repository Linked Unit
If you are using a repository you must prepare the repository linked units before migration:
For information, see How to Prepare Repository Linked Box Configurations for Migration.
Clusters can only be migrated to a higher firmware version. You can not downgrade a cluster configuration.
The MailGW Settings and the Service Configuration nodes will be changed during this migration process. Open the nodes to
look at the new configuration dialogs.
7. Click Activate.
Migrate Multiple Clusters and Ranges
2. Right-click Multi-Range and select Migrate Clusters/Ranges from the context menu.
3. Select the nodes to be migrated while holding down the SHIFT key.
For a more granulated definition of firewall objects, global firewall objects can be overridden by range or cluster firewall objects of the same name.
An object that overrides a globally defined object is indicated by a server icon with a red arrow.
Global objects that are overridden by range or cluster objects are not visible within the host firewall or forwarding firewall rule editor on
range or cluster level.
To define network objects for IP addresses or networks which differ for each NG Firewall, define a site-specific network object. The values for
these network objects must be entered for each virtual server on the Server Properties > Networks page and can then be used in the
Forwarding Firewall rule set.
Global GTI Objects
When tunnel endpoints are created in the VPN GTI Editor, corresponding dynamic network objects are created at the same time (How to Create a
VPN Tunnel with the VPN GTI Editor). These objects are named servername_clustername_range with a prefixed GTI Server accordingly.
Global GTI objects are inherited as references by the local and forwarding firewall rule sets of each Firewall service related to the tunnel
endpoint and may be used for rule specification. Every time a new tunnel endpoint is inserted into the Global VPN GTI Editor, the GTI Objects
must be reloaded in the Global Firewall Objects window in order to become available in the configuration dialogs. Global GTI objects cannot be
edited or renamed.
1. Expand the Boxes node (CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster).
2. Right-click Boxes and select Create Box Wizard. The Wizard window opens.
3. Enter all settings requested by the Create Box Wizard.
4. Click Finish.
5. Click Activate.
If your NG Firewall can not directly access the NG Control Center, configure a remote management tunnel. For more information, see How to
Configure a Remote Management Tunnel for Barracuda NG Firewalls.
Step 3. Enable the NG Firewall
Imported NG Firewalls are disabled by default. Disabled NG Firewalls are represented by a grey status icon.
1. Open the Box Properties page for the NG Firewall (CONFIGURATION > Configuration Tree > Multi-Range > your range > your
cluster > your NG Firewall).
2. In the left menu click on Operational.
3. Set Disable Box to no.
4. Click Send Changes and Activate.
The status of the NG Firewall on the Status Map (CONTROL > Status Map) now changes from grey (offline) to red with dashes (unreachable).
Step 4. Deploy the PAR file to the NG Firewall
Deploy the configuration of the new Barracuda NG Firewall to the remote NG Firewall.
Step 4.1 Create the PAR file on the NG Control Center
How to Move, Copy and Delete Barracuda NG Firewalls
A Barracuda NG Firewall that has been removed from the Barracuda NG Control Center does not automatically become a standalone
system. If you want to use the removed Barracuda NG Firewall as a standalone system, you must reconfigure it.
1. In the Configuration Tree, navigate to the Barracuda NG Firewall that you want to remove.
2. Right-click the Barracuda NG Firewall and select Lock.
3. Right-click the Barracuda NG Firewall and select Remove Box.
4. Click OK.
After the Barracuda NG Firewall has been removed, the box entry should disappear from the CC status map with the next configuration update. If
the entry stays on the system:
1. At the command line, enter the following commands:
$ find /opt/phion/rangetree/configroot/ -name box.dbconf | xargs rm
$ conftool r - rebuild_db
$ conftool r - rebuild_cache
2. Restart the CC Rangeconf service.
The base license for the NG Control Center is automatically downloaded on the box layer of the NG Control Center when it is activated. You must
also install this base license in the management interface of the NG Control Center, to establish the CC identity. Pool licenses are also bound to
the base license of the NG Control Center.
For more information, see How to Manually Install the Licenses for the Barracuda NG Control Center.
Licensing Managed NG Firewalls
Single licenses are bound to the MAC address and CPU ID of the individual NG Firewall and cannot be transferred. To make deploying a large number of
NG Firewalls easier, the NG Control Center can automatically fill in or complete the Barracuda Activation for new managed NG Firewalls using
single licenses. If you have filled in the Activation Template (Config > CC Parameters) on the NG Control Center, the web form is automatically
filled in. By enabling unattended activation in the Barracuda Activation tab for your license, you will not be prompted when a unit is activated.
Pool Licenses
F for hardware appliances. Hardware pool licenses must be purchased in combination with the hardware appliances.
VF for virtual appliances.
SF for software licenses.
Pool licenses can only be purchased in multiples of five and are bound to the base license of the NG Control Center. This means that they can be
assigned freely to all NG Firewalls of the same product type and model as the pool license managed by that NG Control Center. The licenses are
assigned and continuously renewed for all pool licensed managed NG Firewalls. Box licenses derived from a renewed pool license will be
updated automatically on the managed NG Firewalls.
For more information, see How to Install and Assign Pool Licenses on a Barracuda NG Control Center.
Managing Pool Licenses
The Pool Licenses section on the Barracuda Activation page offers several actions for license handling. To access the context menu options,
right click a license from the Pool Licenses list:
Import Pool License: Imports the pool license. You are prompted to enter the Token and select the Product Type. The pool license is
then listed in the Pool Licenses section.
Remove Pool BAR <License Number>: Removes the selected pool license.
Use Unattended Activation: If you activate this option, Barracuda NG Admin will not ask for personal contact information upon
activating licenses on Barracuda servers. Activation templates can be edited in the configuration on Global, Range and Cluster levels.
Update Licenses on CC: Triggers an instant check whether licenses have been updated on the Barracuda license servers (this check is performed
hourly in the background).
Move Instances to another Pool: Replaces the box licenses derived from one pool license with box licenses from another pool license.
This can be used when a new pool license with a bigger pool was purchased. In the next step you can select from which new pool the
licenses should be generated. The new pool license must already be listed (i.e., previously imported) in the Pool Licenses window. The
new license pool must also have at least as many free instances as the old pool and must contain all the modules from the old license pool,
optionally with additional ones.
Reassign Licenses to Instances: If the pool license was renewed but box licenses were not automatically updated by the Barracuda
NG Control Center, use this option to manually trigger the update.
Refresh: Refreshes the Pool Licenses list.
Tools: Opens the standard Tools context menu from where you can export the list to a file or the clipboard.
Continuous Updating of the Pool License Float
Managed NG Firewalls using pool licenses must renew the license by connecting to the Barracuda NG Firewall at regular intervals. The license
status for each NG Firewall is listed on the Control > Floating Licenses page. Updating the pool license float follows this scheme:
Licenses have a grace period of 15 days. The Barracuda NG Firewall starts to check the pool license state after a quarter of the grace period. If
this check fails, the next attempt is made after the first half of the grace period. If this check also fails, the license state enters grace mode. From then
on, the NG Firewall attempts to contact the NG Control Center four consecutive times every 10 minutes until the float is successfully
updated. If a pool-licensed NG Firewall is not able to connect to the NG Control Center for 15 days, all services are shut down and the license
state changes to unlicensed.
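The renewal schedule just described, replayed in Python against a constructed reachability pattern for the NG Control Center. This is an added example, not Barracuda code; it assumes the schedule is measured from the minute of the last successful float update and reads "four consecutive times every 10 minutes" as a burst of up to four attempts per 10-minute retry slot.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MIN_PER_DAY = 24 * 60
GRACE_PERIOD = 15 * MIN_PER_DAY    # 15-day grace period, in minutes
FIRST_CHECK = GRACE_PERIOD // 4    # first state check after a quarter of the grace period
SECOND_CHECK = GRACE_PERIOD // 2   # retry after the first half of the grace period
RETRY_INTERVAL = 10                # grace mode: a retry slot every 10 minutes
RETRY_BURST = 4                    # assumption: up to four consecutive attempts per slot


@dataclass
class FloatTimeline:
    """State transitions (minute, state) and key timestamps of one simulation."""
    transitions: List[Tuple[int, str]] = field(default_factory=list)
    grace_entered_at: Optional[int] = None
    unlicensed_at: Optional[int] = None
    last_success: int = 0       # minute of the last successful float update
    attempts: int = 0           # renewal attempts made in total

    @property
    def final_state(self) -> str:
        return self.transitions[-1][1]


def simulate_float(cc_reachable: Callable[[int], bool],
                   horizon: int = 30 * MIN_PER_DAY) -> FloatTimeline:
    """Replay the renewal schedule from minute 0 (float just updated) to `horizon`.

    cc_reachable(t) is a constructed stand-in for the real connection: it returns
    True when the NG Control Center would answer a renewal attempt at minute t.
    """
    tl = FloatTimeline(transitions=[(0, "licensed")])
    state = "licensed"
    failed_checks = 0           # scheduled checks failed since the last success
    t = FIRST_CHECK

    def attempt(now: int) -> bool:
        tl.attempts += 1
        return cc_reachable(now)

    while t <= horizon:
        # No successful update for the whole grace period: services are shut
        # down and the license state becomes unlicensed.
        if t - tl.last_success >= GRACE_PERIOD:
            state = "unlicensed"
            tl.unlicensed_at = t
            tl.transitions.append((t, state))
            break

        if state == "grace":
            # any() stops at the first successful attempt of the burst
            ok = any(attempt(t) for _ in range(RETRY_BURST))
        else:
            ok = attempt(t)

        if ok:
            tl.last_success = t
            failed_checks = 0
            if state != "licensed":
                state = "licensed"
                tl.transitions.append((t, state))
            t = tl.last_success + FIRST_CHECK       # back to the regular schedule
        elif state == "licensed" and failed_checks == 0:
            failed_checks = 1
            t = tl.last_success + SECOND_CHECK      # second scheduled check
        elif state == "licensed":
            state = "grace"                         # both scheduled checks failed
            tl.grace_entered_at = t
            tl.transitions.append((t, state))
            t += RETRY_INTERVAL
        else:
            t += RETRY_INTERVAL                     # still in grace mode, keep retrying
    return tl
```

A CC that only becomes reachable on day 10 yields the transitions licensed (minute 0), grace (minute 10800), licensed (minute 14400); one that never answers ends unlicensed at minute 21600.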
If the host-ID or MAC address of the NG Control Center has changed the licenses will become invalid and enter a 14 day grace period. During the
grace period do not change settings on the CC Identity page.
Contact Barracuda Technical Support to resolve the licensing issues.
How to Manually Install the Licenses for the Barracuda NG Control Center
You must license the Barracuda NG Control Center before adding managed Barracuda NG Firewalls. The licenses for the Barracuda NG Control
Center are associated with the hardware ID of the system. The MAC address of a network card, the main board ID, or the CPU ID are used as the
key for the licenses. The base license must be installed on the box layer and in the NG Control Center management interface.
In this article:
Before You Begin
Step 1. Export the Base License on Box Layer
Step 2. Import the Base License
Before You Begin
Before installing the base license of a Barracuda NG Control Center, make sure the base license is installed and activated on the box layer. For
more information, see Licensing.
Step 1. Export the Base License on Box Layer
1. Log into the box layer of the Barracuda NG Control Center. If the Barracuda NG Control Center is running on an HA cluster, log into the
primary unit.
2. Open the CONFIGURATION > Full Config > Box > Box Licenses page.
3. Click Lock.
4. In the Licenses table, select the Base License, click Im/Export and select Export to clipboard.
Step 2. Import the Base License
Pool licenses are bundles of single licenses that can be dynamically assigned to the NG Control Center managed Firewalls. License management
takes place directly on the Barracuda NG Control Center.
In this article:
Before you Begin
Step 1. Install the License
Step 2. Select Product Type and Disable Barracuda Activation
Step 3. Assign the License
Before you Begin
Make sure the Barracuda NG Admin has a connection to the Internet. When entering the license token, Barracuda NG Admin downloads the
purchased license file from Barracuda Networks and automatically installs the license on the Barracuda NG Control Center.
Step 1. Install the License
You must turn off Barracuda Activation for each firewall you want to use pool licenses for.
1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your NG Firewall > Box Properties.
2. Click Lock.
3. Select your Barracuda NG Firewall model from the Product Type and Hardware Model dropdown menus.
4. In the left menu, click Operational.
5. Set Disable Barracuda Activation to Yes.
6. Click Send Changes and Activate.
The NG Firewall will no longer try to retrieve the licenses automatically, as the pool licenses are assigned by the NG Control Center.
Step 3. Assign the License
You can only use pool licenses of the same product type (F/VF/SF) and model (e.g., VF50) as the NG Firewall you are assigning the license to.
1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your NG Firewall > Box Properties.
2. Click Lock.
3. Click + and select Import from Pool License.
4. Double click on the pool license you want to assign to this unit. Repeat this step for every pool license (base, energize update, web
security,...) you want to assign.
5. Click Send Changes and Activate.
Make sure the Barracuda NG Admin can connect to the Internet. When entering the license token, Barracuda NG Admin downloads the
purchased license file from Barracuda Networks and automatically installs the license on the Barracuda NG Control Center.
Verify your data in the Activation Template (Global Settings > CC Parameters).
Step 1. Enter the Product Type and Enable Configuration Updates
1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your NG Firewall > Box Properties.
2. Click Lock.
3. Select your Barracuda NG Firewall model from the Product Type and Hardware Model dropdown menus.
4. In the left menu, click Operational.
5. Set Disable Box to no.
6. Click Send Changes and Activate.
Step 2. Enter the License Token and Activate the Single License
5. If the NG Firewall is not online yet, you must enter the MAC address. Alternatively connect the appliance to the NG Control Center first,
then reenter the token.
6. If unattended activation is disabled, select the NG Firewall in the Single Licenses list and click Activate.
If unattended activation is enabled, the licenses are downloaded and activated automatically. The form data configured in Activation Template (
Global Settings > CC Parameters) is used to fill in the activation form. You can also manually trigger the activation.
The following table shows compatibility between the major versions of the Barracuda NG Control Center and various systems. Upgrade the
Barracuda NG Control Center to the same firmware version or newer before updating the managed NG Firewalls. If you are using an NG Control
Center with an older firmware release to manage a newer firmware version, new features included in the newer firmware will not be configurable.
For more information, see Updating Barracuda NG Firewalls and NG Control Centers.
System Version | Barracuda NG Control Center 5.2.X | Barracuda NG Control Center 5.4.X | Barracuda NG Control Center 6.0.X
Barracuda NG Firewall 4.2.X | YES | YES | YES | YES
Barracuda NG Firewall 5.0.X | YES | YES | YES | YES
Barracuda NG Firewall 5.2.X | YES | YES | YES
Barracuda NG Firewall 5.4.X | YES | YES
Barracuda NG Firewall 6.1.X | YES
Step 2: Import the Update Package into the Barracuda NG Control Center
1. On the Firmware Update page, select the Ranges, Clusters, or Boxes to be updated.
2. In the Files section, select the imported update package.
3. Click Create Task. The New Update Task window opens.
4. Select Immediate Execution as the Scheduling Mode.
5. Click OK.
The update packages are now copied to the selected remote systems. Go to CONTROL > Update Tasks for more information.
Step 4: Execute the Update Package
Wait for the update to finish. Depending on the system hardware, the process can last anywhere from 15 minutes (for a fast system) to 60
minutes (for flash appliances).
Unless noted otherwise all Barracuda NG Firewalls will reboot after the update has been applied.
If you are updating to a new major version (5.2 to 5.4 or 5.4 to 6.0), you must migrate the cluster version after the update has completed.
Update the Clusters Individually
1. Open the cluster you just updated (CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster).
2. Right click on the cluster and select Lock.
3. Right click on the cluster and select Migrate Cluster.
4. Select the new Release version.
5. Click OK.
6. Click Activate.
If all clusters in the range are on the same firmware version you can migrate all clusters simultaneously.
1. Open the range containing the clusters you just updated (CONFIGURATION > Configuration Tree > Multi-Range > your range).
2. Right click on the range and select Lock.
3. Right click on the range and select Migrate Range.
4. Select the new Release version.
5. Click OK.
6. Click Activate.
Troubleshooting / Logs
After the update process, review the Box\Release\update or Box\Release\update_hotfix log for each system to verify that it was successfully
updated. To view a system log, you must connect directly to the system and open the Logs page.
Repositories
Barracuda NG Control Center repositories contain configurations that can be applied to groups of Barracuda NG Firewalls. Configuration data that
is used on more than one machine should be stored in a repository. This saves time and reduces configuration errors, because the information
is entered only once and is then linked from the corresponding repository object. When you change a setting in a repository object, all linked
configuration entries are automatically updated. With a repository, you do not have to configure each affected system individually. Three types of
repositories exist:
General Repository
Range Repository
Cluster Repository
For compatibility reasons, two nodes are placed differently in the box repository tree than in the range's box configuration tree:
Authentication Service is placed in Advanced Configuration and not in Infrastructure Services.
System Settings is placed in Box and not in Advanced Configuration.
In this article:
Create a Repository
Copy an Existing Configuration to the Repository
Link a Barracuda NG Firewall Configuration to the Repository
Override the Repository Settings
Create a Repository
1. In the Configuration Tree, navigate to and expand the system with the required configuration settings.
2. Right-click the required configuration entry and click Lock.
3. Right-click the entry again and select Copy to Repository.
If you want to copy repository settings to a configuration entry, right-click the entry and select Copy from Repository.
4. Enter a name for the new repository object and click OK.
5. Click Activate.
Link a Barracuda NG Firewall Configuration to the Repository
If you do not want a repository setting to be applied to a system, you can override it.
Administrative accounts allow multiple users to simultaneously manage the Barracuda NG Control Center and its managed Barracuda NG
Firewall units. Initially, every Barracuda NG Control Center is managed by the user root, who has unlimited access rights. The user root can
grant system access to other administrators who, depending on the assigned user rights, are allowed or denied permission to perform certain
operations. This is done by creating administrative profiles. Administrative profiles can be configured to use local or external authentication. The
profile settings both specify the scope that an administrator can access (e.g., range or cluster) and define the permissions and restrictions specified in
the administrative roles that are assigned to the profile. Administrative roles define which services an administrator is allowed to use on the
Barracuda NG Control Center and the managed Barracuda NG Firewalls. The configuration level specifies which areas in the config tree an
administrator has read and/or write access to. The lowest (or best) configuration level that can be assigned to an administrator is 1 (like the user
root). When an admin user creates a new administrative profile, the new user can, at best, receive the configuration level of the creating
admin plus one.
Administrative Roles
The Barracuda NG Control Center provides a set of predefined administrative roles that can be modified if required and applied to an admin
profile (e.g., Manager, Editor, etc.). Administrative roles define which services administrators are allowed to use on the Barracuda NG Control
Center and the managed Barracuda NG Firewalls and which operations the administrator is allowed to perform within the different services (e.g.,
terminate VPN tunnels, etc.). When creating an administrative profile you can assign multiple administrative roles to a Barracuda NG Control
Center administrator account.
For more information, see How to Configure Administrative Roles.
Administrative Profiles
When introducing an administrator on the Barracuda NG Control Center, create an administrative profile and assign access
privileges, permissions, and restrictions.
An administrative profile consists of the following settings:
Account Settings: Account settings define various parameters of an administrator account, such as username, authentication method,
password expiration policy, shell access level, etc. You can authenticate administrators via local or external schemes (e.g., MS Active
Directory, RADIUS, LDAP, etc.). External authentication enables the Barracuda NG Control Center and the Barracuda NG Firewalls to
verify the credentials of an administrator against any supported authentication server. Administrators can use their external authentication
(e.g., MSAD) password for logging into the Barracuda NG Firewall environment. Optionally, the administrator can also receive access
rights to the operating system layer (shell login).
Administrative Scope: By assigning elements like a range or cluster, the administrative scope implicitly defines the systems that the
administrator can access. The administrative scope also restricts the administrator's view on the Barracuda NG Control Center (e.g.,
status map, config tree, etc.) and access to certain Barracuda NG Firewall units that are managed by the Barracuda NG Control Center.
Configuration Levels: The configuration level defines the read and write access a user has on configuration nodes in the Barracuda
NG Control Center config tree. When creating an administrative profile, you have to apply a configuration level to the administrative user.
In addition, you can specify or change configuration levels in the config tree. To read or edit a configuration node in the config tree, the
administrative user must have a configuration level that is lower than the node's read and write levels.
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to CC Config | Yes | Yes | Yes | Yes | Yes
Kill Sessions | Yes | Yes | No | Yes | No
Change Permissions | Yes | No | No | Yes | No
Change Events | Yes | No | No | Yes | No
Show Admins | Yes | No | Yes | Yes | No
Manage Admins | Yes | No | No | Yes | Yes
Create/Remove Range | Yes | No | No | Yes | No
Create/Remove Cluster | Yes | No | No | Yes | No
Use RCS | Yes | No | Yes | Yes | No
Create/Remove Boxes | Yes | No | No | Yes | No
Create/Remove Servers | Yes | No | No | Yes | No
Create/Remove Service | Yes | No | No | Yes | No
Create/Remove Repository | Yes | No | No | Yes | No
Manage HA Sync | Yes | Yes | No | Yes | No
(item name missing) | Yes | No | No | Yes | No
Allow Config View on Box | Yes | Yes | Yes | Yes | No
Allow Emergency Override | Yes | No | No | Yes | No
Create/Remove Workspace | Yes | No | No | Yes | No
Change Workspaces | Yes | No | No | Yes | No

Box Menu: CC Control
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to CC Control | Yes | Yes | Yes | Yes | Yes
Show Map | Yes | Yes | Yes | Yes | Yes
Show Config Updates | Yes | Yes | Yes | Yes | Yes
Manage Config Updates | Yes | Yes | Yes | Yes | Yes
Show Box REXEC | Yes | Yes | Yes | No | No
Manage Box REXEC | Yes | Yes | No | No | No
Show Box Firmware Updates | Yes | Yes | Yes | No | No
Manage Box Firmware Updates | Yes | Yes | Yes | No | No
Manage Box File Update | Yes | Yes | Yes | No | No
(item name missing) | Yes | Yes | Yes | No | No
Manage Box Geo Position | Yes | Yes | Yes | Yes | No
Manage Box Activation | Yes | Yes | No | Yes | No

Box Menu: CC Audit Info
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to CC Audit Info | Yes | Yes | Yes | Yes | No

Box Menu: CC PKI
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to CC PKI | Yes | No | Yes | Yes | No

Box Menu: Control
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Control | Yes | Yes | Yes | Yes | No
Start/Stop Server | Yes | Yes | No | No | No
Block Server | Yes | Yes | No | No | No
Start/Stop Service | Yes | Yes | No | No | No
Block Service | Yes | Yes | No | No | No
Delete Wild Route | Yes | Yes | No | No | No
Activate New Configuration | Yes | Yes | Yes | Yes | No
Restart Network Subsystem | Yes | Yes | No | No | No
Set or Sync Box Time | Yes | Yes | Yes | Yes | No
Firmware Restart | Yes | Yes | No | No | No
Reboot/Shutdown System | Yes | Yes | No | No | No
Activate Kernel Update | Yes | No | No | No | No
Kill Sessions | Yes | Yes | No | No | No
Import License | Yes | Yes | Yes | Yes | No
Remove License | Yes | Yes | Yes | Yes | No
View License Data | Yes | Yes | Yes | Yes | No
SCEP Operations | Yes | Yes | Yes | Yes | No

Box Menu: Event
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Event | Yes | Yes | Yes | Yes | No
Silence Events | Yes | Yes | No | Yes | No
Stop Alarm | Yes | Yes | No | Yes | No
Mark as Read | Yes | Yes | No | Yes | No
Confirm Events | Yes | Yes | No | Yes | No
Delete Events | Yes | No | No | Yes | No

Box Menu: Log
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Log | Yes | Yes | Yes | Yes | No
Read Box Logfiles | Yes | Yes | Yes | Yes | No
Delete Box Logfiles | Yes | No | No | Yes | No
Read Service Logfiles | Yes | Yes | Yes | Yes | No
Delete Service Logfiles | Yes | No | No | Yes | No

Box Menu: Statistics
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Statistics | Yes | Yes | Yes | Yes | No
Read Box Statistics | Yes | Yes | Yes | Yes | No
Delete Box Statistics | Yes | No | No | Yes | No
Read Service Statistics | Yes | Yes | Yes | Yes | No
Delete Service Statistics | Yes | No | No | Yes | No

Box Menu: DHCP
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to DHCP | Yes | Yes | Yes | No | No
Enable Commands / deletion of lease | Yes | Yes | No | No | No

Box Menu: Access Control Service
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Access Control Service | Yes | Yes | Yes | No | No
Enable Commands / deletion of access cache | Yes | No | No | No | No

Box Menu: CC Access Control Service
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to CC Access Control Service | Yes | Yes | Yes | No | No
Enable Commands | Yes | No | No | No | No
Block Box Sync | Yes | No | No | No | No

Box Menu: Firewall
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Firewall | Yes | Yes | Yes | Yes | No
Terminate Connections | Yes | Yes | No | No | No
Modify Connections | Yes | Yes | No | No | No
Kill Handler Processes | Yes | Yes | No | No | No
Dynamic Rule Control | Yes | Yes | No | No | No
Toggle Trace | Yes | Yes | No | No | No
View Trace Output | Yes | Yes | No | No | No
Change Settings | Yes | Yes | No | No | No
View Ruleset | Yes | Yes | Yes | Yes | No
Manipulate Access Cache Entries | Yes | No | No | No | No
Access ATD tab and Quarantine | Yes | No | No | No | No

Box Menu: VPN
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to VPN | Yes | Yes | Yes | Yes | No
Terminate VPN Tunnels | Yes | Yes | No | No | No
Disable/Enable VPN Tunnels | Yes | Yes | No | No | No
View Configuration | Yes | Yes | Yes | Yes | No

Box Menu: Mail Router
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Mail Router | Yes | Yes | Yes | No | No
Enable Commands | Yes | No | No | No | No
View Stripped Attachments | Yes | No | No | No | No
Retrieve Stripped Attachments | Yes | No | No | No | No
Delete Stripped Attachments | Yes | No | No | No | No

Box Menu: Virus Scanner
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Virscan Service | Yes | Yes | Yes | No | No
Allow Block Virus Pattern Update | Yes | Yes | No | No | No
Allow Manual Virus Pattern Update | Yes | Yes | No | No | No

Box Menu: Secure Web Proxy
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to Secure Web Proxy | Yes | Yes | Yes | No | No
Access Cache Management | Yes | No | No | No | No
Ticket Management | Yes | Yes | No | No | No
Cert. Authorities Management | Yes | No | No | No | No
XML Services Management | Yes | No | No | No | No

Box Menu: HTTP Proxy
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to HTTP Proxy | Yes | Yes | Yes | No | No

Box Menu: WiFi
Software Item | Manager | Operator | Observer | Editor | Administrators
Access to WiFi | Yes | Yes | Yes | No | No
1. Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > Administrative Roles.
2. Click Lock.
3. In the Roles section, click + to create a new role. You can also edit and modify an existing entry.
4. Enter a Name for the role (only numbers are allowed) and click OK. The Roles configuration window opens.
5. To provide the administrative role with access to a service,
a. Select the Access to <service name> check box.
b. Click Set/Edit to configure detailed permissions for the service and click OK.
It is recommended that you grant the Show Map permission in the CC Control Module section to every admin
role. Admins that do not have this permission will get an error message immediately after they log into the Barracuda
NG Control Center.
6. Click OK.
7. Click Send Changes and Activate.
You can now assign the administrative role to an administrative user profile (see How to Configure Administrative Profiles).
Apply the Administrative Role to a Profile
The administrative user can now view and edit settings and services on the Barracuda NG Control Center according to their assigned roles.
Add an administrator account and select the range and cluster to which the user should have access.
6. Click OK.
The administrative scope is now defined for the user and the Administrator configuration window opens for further configuration.
Step 2. Configure Authentication Settings
When using external authentication, you must also configure the authentication scheme that is used on the Infrastructure Services >
Authentication Service pages for the Barracuda NG Control Center's box layer and on all Barracuda NG Firewalls that are managed
by the Barracuda NG Control Center. For more information, see Authentication.
You can use either local or external authentication for admin users:
Local Authentication
When creating an admin account using local authentication, configure the following settings in the Administrator window (to edit an existing
admin profile, right click the profile, select Lock All Instances and edit it):
1. On the Administrator page, select Local (No external Authentication) from the External Authentication list.
2. Enter the Full Name and Password for the user in the General section.
3. Click the Details tab.
4. Specify the password settings in the Password Parameters section.
5. Click OK.
6. Click Activate.
External Authentication
When creating an admin account using external authentication, configure the following settings in the Administrator window (to edit an existing
admin profile, right click the profile, select Lock All Instances and edit it):
1. On the Administrator page, select the authentication scheme from the External Authentication list, e.g., MS Active Directory.
2. Click the Details tab.
3. Select the applicable authentication method from the Authentication Level list.
4. When selecting Key or Password or/and Key, you must import the Public Key.
5. Click OK.
6. Click Activate.
Specify the configuration and access level and assign administrative roles to the account. The default levels for config tree nodes are 99 or lower
for read access, and 2 or lower for write access. Usually, the write level is lower than the read level.
1. In the Administrator configuration window, click the Administrator tab. (To edit an existing admin profile, right click the profile, select
Lock All Instances and edit it.)
2. Specify the Configuration Level for the user in the Operative Settings section. 2 or lower means write access, 99 or lower means read
access (see also Barracuda NG Control Center Admins).
3. Assign one or several administrative roles:
Select the role from the Roles list and click Add (for more information on administrative roles, see How to Configure
Administrative Roles), or
Select the Allow all Operations check box to grant permission for all administrative role operations. This overrides all
administrative roles that have been assigned to the administrator.
4. To grant permission for shell level access, select an option from the Shell Level list. You can select:
No Login: Shell access is denied.
Standard Login: Allows access on the OS layer via a default user account (home directory: user/phion/home/username).
Restricted Login: Permits access via a restricted shell (rbash) with limitations (e.g., restrictions on commands containing slashes and on
changing directories with cd). A restricted login confines any saving action to the user's home directory.
5. Click OK.
6. Click Activate.
Your admin user can now log into the Barracuda NG Control Center using the credentials specified in their profile and view or edit the services
and settings defined in the assigned administrative roles.
4. Click Change.
By default, the configuration level for an object is taken from its parent node. If you change a level, it is displayed as 'explicit'. When you change
the level of a parent node, the levels of all nodes below it are also changed. Be aware that nodes with status 'explicit' must be changed manually.
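The configuration-level rules from this section and from the Configuration Levels description above, as an added example in Python that is not Barracuda code: it models inherited versus explicit node levels, lets a parent change reach only inherited descendants, checks read and write access against the node's levels (taking "2 or lower means write access" as admin level <= node level), and applies the creator's-level-plus-one limit for new profiles. The tree names and levels are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

ROOT_LEVEL = 1              # lowest (best) level, held by the user root
DEFAULT_READ_LEVEL = 99     # default read level of config tree nodes
DEFAULT_WRITE_LEVEL = 2     # default write level of config tree nodes


@dataclass(eq=False)
class ConfigNode:
    """A config tree node; None for a level means it is inherited from the parent."""
    name: str
    parent: Optional["ConfigNode"] = None
    explicit_read: Optional[int] = None
    explicit_write: Optional[int] = None
    children: List["ConfigNode"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def status(self) -> str:
        """'explicit' once a level was set on this node, otherwise 'inherited'."""
        if self.explicit_read is not None or self.explicit_write is not None:
            return "explicit"
        return "inherited"

    def levels(self) -> Tuple[int, int]:
        """Effective (read, write) levels, resolved at lookup time by walking up to
        the nearest ancestor with an explicit value; with no explicit ancestor the
        defaults apply."""
        read, write, node = self.explicit_read, self.explicit_write, self.parent
        while node is not None and (read is None or write is None):
            if read is None:
                read = node.explicit_read
            if write is None:
                write = node.explicit_write
            node = node.parent
        return (DEFAULT_READ_LEVEL if read is None else read,
                DEFAULT_WRITE_LEVEL if write is None else write)

    def set_levels(self, read: Optional[int] = None, write: Optional[int] = None) -> None:
        """Set an explicit level. Inherited descendants follow automatically;
        explicit descendants keep their own level and must be changed manually."""
        if read is not None:
            self.explicit_read = read
        if write is not None:
            self.explicit_write = write

    def walk(self) -> Iterator["ConfigNode"]:
        yield self
        for child in self.children:
            yield from child.walk()


def can_read(admin_level: int, node: ConfigNode) -> bool:
    """'99 or lower means read access': the admin level must not exceed the node's read level."""
    return admin_level <= node.levels()[0]


def can_write(admin_level: int, node: ConfigNode) -> bool:
    """'2 or lower means write access': the admin level must not exceed the node's write level."""
    return admin_level <= node.levels()[1]


def writable_nodes(admin_level: int, root: ConfigNode) -> List[str]:
    """Names of all nodes under root that an admin of this level may edit."""
    return [n.name for n in root.walk() if can_write(admin_level, n)]


def best_grantable_level(creator_level: int) -> int:
    """A newly created profile receives at best the creator's level plus one."""
    return creator_level + 1


def can_grant_level(creator_level: int, requested_level: int) -> bool:
    return requested_level >= best_grantable_level(creator_level)


def build_sample_tree() -> Dict[str, ConfigNode]:
    """Constructed tree: Multi-Range > range1 > (cluster1 [explicit write 5] > box1,
    cluster2 > box2); every other node inherits its levels."""
    multi_range = ConfigNode("Multi-Range")
    range1 = ConfigNode("range1", multi_range)
    cluster1 = ConfigNode("cluster1", range1, explicit_write=5)
    ConfigNode("box1", cluster1)
    cluster2 = ConfigNode("cluster2", range1)
    ConfigNode("box2", cluster2)
    return {n.name: n for n in multi_range.walk()}
```

Setting an explicit write level of 20 on range1 makes cluster2 and box2 writable for a level-10 admin, while cluster1 and box1 stay at their explicit level 5.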
Create new Admin Instances to Add Scope and Permissions to Existing Profiles
To grant an administrative user different permissions or roles on further administrative scopes (ranges or clusters),
6. Click OK.
7. Click Activate.
The administrative profile is now displayed in a tree structure, showing all instances when expanded.
Before administrators can create, view, and customize their workspaces, they must be
ative Roles configuration, assign the parameter CC Configuration Module to the user and select the Create/
Remove Workspaces and/or Change Workspaces check box in the CC Config Permissions settings. For
more information, see How to Configure Administrative Roles.
Create a Workspace
use the workspace. You can use wildcard characters such as "*" (asterisk) and "?" (question mark) to define ranges of
matching administrator names.
Admins to change the workspace A
View a Workspace
To view a workspace, click the Workspaces tab in the right pane of the CONFIGURATION page and select the workspace. If you can not find
this section, move your mouse to the right of the screen and click/drag the line towards the middle.
If you are already viewing a workspace but want to switch to another workspace view, right-click the active workspace's root node, select Show
Workspaces, and then select the new workspace view.
Lock a Workspace
While the workspace is locked, the background changes to yellow. To unlock the workspace, right-click its root node and select Unlock
Workspace.
Add a Configuration Node
Before you can add a node to a workspace, you must first lock the workspace. You can lock multiple workspaces at a time.
1. Open the CONFIGURATION tab. If you are already in the workspace, navigate back to the config tree by clicking Configuration Tree fro
m the Workspaces tab in the right menu of the Configuration Tree page.
2. In the config tree, right-click the required node, select Add Node to Workspace, and then select the workspace where you want to add
the node.
3. In the Enter Name window, enter a display name for the node and then choose to either remain in the configuration tree view or switch to
the workspace view.
4. After adding all of the required nodes to the workspace, switch to the workspace view.
5. Right-click the workspace's root node and select Activate Workspace Changes.
Edit a Workspace
After creating a workspace, you can edit its settings. You can also create directories and labels to organize its configuration nodes.
1. Lock the workspace in the workspace view.
2. Right-click the workspaces root node and select one of the following options to edit the workspace:
Create Directory Creates a directory. In the Enter Name window, enter the name for the directory and click OK.
Create Label Creates a label to partition the workspace into different sections. You can move nodes before or after the label.
Edit Workspace Properties Reopens the Workspace Settings window so you can edit the workspace properties.
Refresh Workspace Reloads the workspace.
Delete Workspace Deletes the workspace.
Show this Workspace on Startup Loads the workspace view instead of the configuration tree when you log into the
Barracuda NG Control Center and click the CONFIGURATION tab.
Show Tree on Startup Loads the configuration tree when you log into the Barracuda NG Control Center and click the CONFIGURATION tab.
3. Right-click the workspaces root node and select Activate Workspace Changes.
Modify a Node
You can modify workspace nodes by removing, renaming, and moving them.
1. Lock the workspace in the workspace view.
2. Right-click the node and select one of the following options:
Remove Node Removes the node.
Rename Node Renames the node. In the Enter Name window, enter the new name for the node and then click OK.
Mark Node for Move Moves the node. The node is then marked by a red icon. Then right-click a label or another node and
choose to move the marked node before or after it. You can also right-click a directory and move the node into it.
3. Right-click the workspaces root node and select Activate Workspace Changes.
Back Up and Restore a Workspace
You can create a configuration file to back up and restore your workspace.
1.
2. Right-click the workspaces root node and select one of the following options:
Save Workspace to File Saves the workspace into a configuration file.
Load Workspace from File Restores a workspace from a saved configuration file.
Loading a workspace overwrites the currently active workspace.
CC Eventing
The Barracuda NG Control Center generates events for system processes and CC services and processes events from its administered
Barracuda NG Firewall systems. Some events are generated by default, some are configured according to system and service requirements. On
the Barracuda NG Control Center, event forwarding is based on communication between the Box Event module running on the operative Barracuda NG Firewall (box) and the CC Event Service module running on the Barracuda NG Control Center. The event severity defines both how urgent or critical an event is and the classification of the event. The notification type specifies whether a server or client action (such as executing a program or sending emails and SNMP traps) is performed by the Barracuda NG Firewall or Barracuda NG Control Center when an assigned event occurs.
In this article:
Viewing and Managing Events
Configure Event Notifications
Configure Access Notifications
NDFE
You have locked yourself out of the managed NG Firewalls after changing the CC IP addresses or certificates
Authentication Levels for Control Center - Box Communication
Since the Barracuda NG Admin uses the same communication protocol as the NG Control Center, this setting applies to any Barracuda
NG Admin-based login attempt with the user master.
As stated above, the Control Center-box trust relationship is governed by private/public key technology. Thus, in a working environment, the NG
Control Center knows its boxes, and the boxes recognize the NG Control Center as their one and only authority. The default level of
authentication is that a box and its NG Control Center identify themselves by their keys and IP addresses. This means that the Control Center
does not send any configuration data to untrusted boxes, and no box accepts data from an untrusted source. If, however, the Barracuda NG
Control Center does not have a valid license (and, therefore, no certificate) or major migrations are made, it might be necessary to reduce the
authentication level for a short period to establish a new trust relationship. Depending on which component is the untrusted one, this has to be
done either on the Barracuda NG Control Center (Control > Configuration Updates > Untrusted Update checkbox selected) or on the box itself
to make the unit accept the incoming data.
Setting             Level
No Authentication   -1
Check IP address
Check key
Admin
Peer
the report into a *.prp file for archiving purposes or import an archived prp file.
<< Prev / Next >> Navigate between the selected configuration versions.
Logs
The Barracuda NG Firewall generates log events for system processes on the box layer and, if present, for the virtual server layer and each
configured service. To limit the size of a single log file, the Barracuda NG Firewall creates a new log file for each service every four hours. All log
files are stored in plain text in the system's /var/phion/logs directory and can be viewed and filtered conveniently with the log viewer in the
Barracuda NG Admin application. For information on how to view and filter log file entries, see the LOGS Tab.
The /var/phion/logcache directory contains the Log Access Files (*.laf) for internal log file processing only. These are BDB (Berkeley DB)
files that are suitable for fast access to large log files. Intervention via the command line is generally not recommended. To view the contents of
the .laf files, use the showbdb utility.
DO NOT write, rename or put any files into this directory. Editing the contents of this directory may cause logs to be displayed
incorrectly.
<S1>\<SSH>\<SSH>
<S1>\<SSH>\sshd
<S1>\<S-PROXY>
<S1>\<Access Control>\<SSH>
SSH Proxy
1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > General Firewall Configuration.
2. In the left menu, select Audit and Reporting.
3. Expand the Configuration Mode menu and select Switch to Advanced View.
4. Click Lock.
5. In the Log Policy section, enable Generate Audit Log.
6. Click Set next to Audit Log Data.
7. Select Regular Logfile from the Audit Delivery drop-down.
8. Click OK.
9. Click Send Changes and Activate.
Firewall Audit data is stored locally by default, but may be forwarded to the Barracuda NG Control Center or to a dedicated Barracuda NG Firewall
running the Firewall Audit Log service for central audit log file collection. For
In this article:
Enable the Syslog Service
Configure Logdata Filters
User Defined Log Groups
List of Available Box Module Names
List of Available CC-managed Box Modules
List of Available Single Box Module Names
List of Available Control Center-Module Names (CC Box)
List of Available Reporter Module Names (Reporter Box)
Enable the Barracuda NG Firewall to stream log files to external syslog devices like the Barracuda NG Control Center or a 3rd party syslog server. When using SSL for log file streaming, export the certificate and key for SSL based authentication.
1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
2. Click Lock.
3. Enable the Syslog service.
4. When using SSL for log file streaming, you may require a certificate different from the key and certificate by which the box is routinely identified:
a. Select Switch to Advanced View in the left Configuration Mode menu.
b. Disable Use Box Certificate/Key.
c. Export the certificate and key. This certificate needs to be imported on the destination server for SSL based authentication.
5. Click Send Changes and Activate.
Configure Logdata Filters
what kind of box logs are to be affected by the syslog daemon from
Events
Security and Operational Events
All security and operational events are classified according to their severity and notification type. For more information, see Operational Events and Security Events.
Access Control
Each system access attempt poses a potential security risk. By configuring access control notifications, you can keep track of successful or
unsuccessful system access attempts. Active notifications make it more difficult than simple log file based accounting for potential intruders to
conceal their actions.
For more information, see How to Configure Access Notifications.
Event Propagation
The firewall audit service allows propagating firewall events to a Barracuda NG Control Center. Firewall Audit data is stored locally by default, but
may be forwarded to the Barracuda NG Control Center or to a dedicated Barracuda NG Firewall running the Firewall Audit Log service for central
audit log file collection.
For more information, see How to Enable the Firewall Audit Log Service.
1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Eventing.
2. Click Lock.
3. Specify your event settings.
a.
b. To search for a specific event, enter its ID number in the Lookup field at the bottom of the page.
Maintenance
Barracuda Networks offers a multitude of instructions, tools and features to maintain your Barracuda NG Firewall environment:
System reports for support purposes
Update and migration instructions
Command line interface commands and scripts
In this Section
Updating Barracuda NG Firewalls and NG Control Centers
How to Generate a System Report for Barracuda Networks Technical Support
Command-Line Interface
How to Configure Cronjobs
How to Configure the Bootloader
How to Configure Advanced Barracuda OS System Settings
How to Configure SMS Control
Backups and Recovery
IPMI Appliance Management
Depending on whether you are updating a standalone or managed unit with or without high availability, you must complete different update
processes.
Updating a Standalone Barracuda NG Firewall or Barracuda NG Control Center
You can update a standalone Barracuda NG Firewall or Barracuda NG Control Center with Barracuda NG Admin or via SSH on the command
line.
How to Update the Barracuda NG Firewall or NG Control Center using NG Admin
How to Update the Barracuda NG Firewall or Control Center via SSH
Updating a Barracuda NG Firewall or Barracuda NG Control Center in a High Availability Setup
Additional considerations have to be made when updating a Barracuda NG Firewall or Barracuda NG Control Center in a high availability cluster.
For more information, see How to Update High Availability Clusters.
Updating Barracuda NG Firewalls Managed by a Barracuda NG Control Center
A Barracuda NG Control Center can automatically execute updates of the Barracuda NG Firewalls that it manages. The update file is uploaded to
the Barracuda NG Control Center and then distributed by update group. You can choose which units are upgraded and set the time at which the
upgrade is started.
Because all Barracuda NG Firewalls in a cluster must have the same firmware version, you must upgrade all the Barracuda NG
Firewalls in a cluster at the same time. Migrate the cluster configuration after updating the units.
For more information, see How to Update Barracuda NG Control Center Managed Systems.
The UPDATES dashboard element shows all available and installed updates, hotfixes and applications for your Barracuda NG Firewall. Click on
the download icon to download the update. Use the FILTER option to quickly find the desired update or hotfix. Click on the file to open the
description.
Available All available updates and updates for this NG Firewall as well as update notifications for NG Admin, NG Report Creator and
Barracuda Network Access Client.
Installed Previously installed updates and hotfixes.
Always check that you are not using a Barracuda NG Admin version that is older than the NG Firewall or NG Control Center firmware. As NG Admin is backward compatible, it is recommended to use the latest version. For example, you can configure any 4.2, 5.0, 5.2, 5.4, 6.0 or 6.1 NG Firewall or NG Control Center with NG Admin 6.1.
Barracuda NG Install creates the installation USB sticks used to reinstall Barracuda NG Firewall hardware appliances.
1. Log in to Barracuda Cloud Control.
2. Click Support and then click Access downloads for products.
From your Barracuda Networks Account, you can download updates and hotfixes for the Barracuda NG Firewall:
Updates Used for upgrades to newer releases.
Patches Up to firmware 5.4, patches for minor releases are available, for example 5.4.5 to 5.4.6. Starting with 6.0, only update packages are available.
Hotfixes Hotfixes include time critical bug fixes, such as security vulnerabilities.
1. Log in to Barracuda Cloud Control.
2. Click Support and then click Access downloads for products.
Migrating to 6.1
The Update element is disabled by default. Enable the element to see all available updates, hotfixes, and NG Admin updates in the dashboard
element. The update element is not available for managed NG Firewalls.
1. Go to CONFIGURATION > Configuration Tree > Advanced Configuration > Firmware Update.
2. Click Lock.
3. In the Update Notification section, set Enable to yes.
4. (optional) Enter the Check Interval in minutes.
Go to Barracuda Cloud Control and download the update or hotfix. For more information, see How to Download Applications, Updates, and
Hotfixes.
Step 2. Updating with NG Admin
1. Go to CONTROL > Box.
2. In the left menu, expand the Operating System section and click Install Update.
status <password>
Executes a custom bash script that is defined in the Custom Script table. Send: custom <password>
Description
To back up and restore configurations for the Barracuda NG Firewall or the Barracuda NG Control Center, a Portable Archive (PAR) file
containing all configuration settings is used.
The following items are backed up in PAR files:
Configuration data
Licenses
CC global admin accounts (only on CC)
X.509 certificates from the CC PKI (only on CC)
Revision Control System data (only on CC)
The following items are NOT backed up and must be backed up separately:
Log files of the Barracuda NG Firewall and Control Center (CC)
Statistics Data
Eventing Database
Spamfilter learning database
Mail Gateway queue data
In this Section
How to Back Up and Restore Your Systems
How to Recover the Barracuda NG Firewall with a USB Flash Drive
How to Restore a Configuration on Appliances After an RMA
How to Use Active Recovery Technology (ART)
PAR File | Comment |
PAR | uncompressed, unencrypted archive file | NG Admin, /opt/phion/update/, USB Stick when using NG Install
PGZ | compressed, unencrypted archive file | NG Admin, /opt/phion/update
PCA | |
In this article:
Standalone Barracuda NG Firewall
Barracuda NG Control Center
Managed Barracuda NG Firewall
Create a PAR or PCA file to back up and restore the configuration of a standalone Barracuda NG Firewall.
Back Up the Barracuda NG Firewall
Two PAR files are needed to back up your Barracuda NG Control Center: The box layer box.par and the
To back up the Barracuda NG Control Center you must create a PAR file for the box layer and the archive.par for the Control Center
configuration.
To back up and restore the configuration of a Barracuda NG Firewall that is managed by the Barracuda NG Control Center, you must create a
PAR file in the Barracuda NG Control Center and then recover the managed Barracuda NG Firewall directly.
Back Up the Managed Barracuda NG Firewall
Before installing the Barracuda NG Firewall, you must have the following:
Empty USB flash drive that is at least 2 GB.
Barracuda NG Installer application.
Barracuda NG ISO image.
You must install the Visual C++ Redistributable for Visual Studio 2012 on your computer to use Barracuda NG Install.
(optional) PAR or PCA file.
You can download the Barracuda NG Installer and Barracuda NG ISO image from your Barracuda Cloud Control.
To format the USB flash drive with the Barracuda NG ISO image and any required PAR file:
1. Insert the USB flash drive into an available USB port on your client.
2. Launch Barracuda NG Installer with administrative privileges.
3. Select Auto Installation USB Flash Drive as the wizard mode.
If you are also installing hotfixes, the Auto Installation USB Flash Drive mode is required.
4. Click Next.
5. From the Write to USB flash drive list, select Yes.
6. From the Save to list, select your USB flash drive.
7. Click Next.
8. Select the Format USB flash drive check box.
9. If you want to install the unit with an existing configuration backup, click Modify in the Installation Mode Settings section and import the appropriate PAR or PCA file.
You can only use PCA files that were encrypted using the serial number of the appliance as the password. Decrypt the PCA file if a manual password was used or the serial number does not match the password of the PCA file. For more information, see phionar and conftool.
10. Click Next.
11. In the Installation Mode Settings section, click Import and import the Barracuda NG ISO image.
12. Click Next. The installation details window opens.
13. Click Finish. The files are written to the USB flash drive.
In the window that opens with a message asking you to format the USB flash drive, click Cancel.
14. When the USB Drive Formatted Successfully window opens, click OK. The USB flash drive is now prepared for installation.
Step 2. (Optional) Install Hotfixes
General
Before you can restore a new Barracuda NG Firewall unit, a configuration backup of the production unit must be created. The backup can then be
used to restore the current configuration on a new hardware unit. For information on how to back up and restore configurations, see Backups and
Recovery. After restoring the configuration on the new NG Firewall unit, the Hardware Model must be adjusted to match the appliance revision of
the new unit. This is necessary because different hardware models typically come with newer network interfaces and thus require appropriate
drivers. If the hardware model is not set correctly, the network modules may not be available after restoring the appliance.
Standalone Units
SCENARIO 1 - The primary unit is running, and the secondary unit was replaced by a new model.
Step 1: Log into the primary unit, configure the secondary unit, and create a PAR file for restoring the secondary unit.
1. Log into the primary unit.
2. Go to CONFIGURATION > Configuration Tree > HA Box and double-click Box Properties.
3. Click Lock.
4. In the Product and Model section, choose the correct Hardware Model for the replaced unit (secondary) and edit the remaining entries
according to the appliance model.
5. Click Send Changes and Activate.
6. Go to CONFIGURATION > Configuration Tree > HA Box and double-click HA Network.
7. Click Lock.
8. In the Management IP and Network section, set the Management IP of the new HA partner (secondary).
9. Click Send Changes and Activate .
10. On the CONFIGURATION > Configuration Tree page, right-click Box and select Create PAR file for HA box.
Step 2: Restore the secondary unit
1. Log into the secondary unit.
2. On the CONFIGURATION > Configuration Tree page, right-click Box and select Restore from PAR file.
SCENARIO 2 - The secondary unit is running, and the primary unit was replaced by a new model.
Step 1: Log into the secondary unit, configure the primary unit, and create a PAR file for restoring the primary unit.
1. Log into the secondary unit.
2. Go to CONFIGURATION > Configuration Tree > HA Box and double-click Box Properties.
3. Click Lock.
4. In the Product and Model section, choose the correct Hardware Model for the replaced unit (primary) and edit the remaining entries
according to the appliance model.
5. Click Send Changes and Activate.
6. Go to CONFIGURATION > Configuration Tree > HA Box and double-click HA Network.
7. Click Lock.
8. In the Management IP and Network section, set the Management IP of the new HA partner (primary).
9. Click Send Changes and Activate.
10. From the Config Tree, right-click Box and select Create PAR file for HA box.
Step 2: Restore the primary unit
LCD display On systems with an LCD display and keypad. Before using the LCD display, deactivate serial access. On the CONFIGURATION > Administrative Settings page, set Serial Access to no.
When you first boot the Barracuda NG Firewall after installation or firmware update, you cannot access ART for 10 to 45 minutes
(depending on the appliance model) while it generates the system configuration. To see if the corresponding process (buildarttree) is still
running, refer to the Resources Page.
If the process was interrupted by a reboot of the system, it needs to be started manually. Launch the buildarttree script in the /boot/art
directory.
In this article:
Entering the ART Menu
Enter ART After Rebooting the System
Enter ART While the System Boots Up
The ART Menu
Changing the Firmware Version Used by ART
Entering the ART Menu
You can enter the ART menu after you reboot the Barracuda NG Firewall or while the system boots up.
Enter ART After Rebooting the System
3. In the Reboot window, select the Reboot into Active Recovery Technology check box and click OK.
To boot the NG Firewall into ART on the Command-Line Interface:
touch /boot/art.lock
reboot
1. When the "+++press any key to enter ART+++" message is displayed on the screen, press any key on your keyboard.
2. When prompted, press 1 to enter the ART menu.
If you are not using the SSH client in Barracuda NG Admin, make sure that your SSH client correctly forwards all function keys to the
serial console. If you are using PuTTY, enable Xterm R6 support in the PuTTY keyboard settings.
To navigate through the ART menu options, use the arrow and Esc keys. To select options, press the Enter key. You can select any of the
following ART menu options via the serial console:
When accessed via SSH, the ART menu additionally features a Reboot option:
Test hard disk drive Invokes a hard disk check tool. If bad blocks are found, you can only repair the hard disk file system with the
command-line interface.
Test CPU Performs a load test of all available CPUs.
Get hardware info Displays all system information that is stored in a hidden partition, such as the serial number, initial installation
date, etc.
Test RAM Invokes a RAM checking utility. The entire RAM cannot be tested because the ART OS is stored on a part of the RAM.
System recovery Reinstalls the system with a previously saved system configuration. For systems with a hard disk drive, an
installation *.iso image and PAR file on a dedicated partition of the disk drive are used. Optionally, an *.iso image on a USB flash drive
can also be used. For flash-only systems, a USB flash drive is required.
Configuration reset
Start shell
Reboot Only available via SSH; use this option instead of Exit to save your configuration changes and reboot the unit.
Exit Save and exit ART. Will only reboot the unit when accessed via the serial console. When accessed via SSH, use Reboot instead.
Saving and Recovering a System Configuration with ART
It is highly recommended that you save a working configuration of the Barracuda NG Firewall for ART. When you recover the system with ART,
this configuration will be used.
Flash-based systems like the Barracuda NG Firewall F10 and F10x do not have a partition that is dedicated to storing the files required
for recovering the system. For these systems, you must use a USB flash drive to save and recover your system configuration with ART.
On the USB flash drive, save and rename the required PAR file as box.par. Save and rename the required firmware ISO image as netfence.iso.
Save a System Configuration for ART
1. Log into the Barracuda NG Firewall.
2. Go to the CONTROL > Box page.
3. In the left navigation pane, expand Operating System and click Save Current Config for ART.
Recover a System Configuration with ART
If you did not save a system configuration for ART, the Barracuda NG Firewall will be reinstalled with the default factory settings.
1. Enter the ART menu.
2. Select System recovery.
The Barracuda NG Firewall will be reinstalled with the firmware version that it was shipped with.
Setting Only Basic Configuration Parameters using ART
Use this function with care. Modifying these important basic system configuration parameters is a massive operational modification and
may prevent you from accessing your unit via Barracuda NG Admin and/or SSH.
It is possible to set a few important basic configuration parameters using the ART Basic Configuration menu. To enter this menu, perform the
following steps:
1. At the command line, enter: setip
3. Modify the Hostname, Management IP, Netmask, and/or Default Gateway fields as needed followed by pressing F3 to save the
changed values.
4. Select Reboot to reboot the unit so that the changed values become effective.
Changing the Firmware Version Used by ART
ART always uses the firmware version that is shipped with the Barracuda NG Firewall. After reinstalling your system with a new firmware version,
you must update ART to use the same firmware version. Use the command line via the SSH client in Barracuda NG Admin or another SSH client.
1. At the command line, change to the /art directory. Enter: cd /art
2. Upload the required firmware ISO image to the Barracuda NG Firewall. If you are using the SSH client in Barracuda NG Admin, click Send File.
3. Rename the uploaded ISO file as netfence.iso and overwrite the existing ISO image. At the command line, enter: mv <your-iso-file> netfence.iso
4. Change the file permission: enter chmod 755 netfence.iso.
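The steps above replace the image ART falls back to during system recovery, so a damaged or wrong file is only noticed when recovery is needed. The following shell function is an added example, not part of the Barracuda documentation: it performs the rename and chmod from steps 3 and 4 only after checking that the uploaded file is an ISO 9660 image and matches an expected SHA-256 digest (the digest source is assumed; /art is the directory named above).

```shell
#!/bin/sh
# Added example, not part of the Barracuda documentation: replace the ART
# recovery image /art/netfence.iso only after checking the uploaded file.
# Usage: install_art_iso <uploaded-iso> <expected-sha256> [art-dir]
# The expected SHA-256 digest is an assumption: take it from wherever you
# obtained the firmware image. art-dir defaults to /art as in the steps above.

install_art_iso() {
    iso="$1"
    expected="$2"
    art_dir="${3:-/art}"

    [ -f "$iso" ] || { echo "no such file: $iso" >&2; return 1; }

    # An ISO 9660 image carries the signature "CD001" at byte offset 32769
    # (sector 16, right after the volume descriptor type byte).
    sig=$(head -c 32774 "$iso" | tail -c 5)
    [ "$sig" = "CD001" ] || { echo "$iso is not an ISO 9660 image" >&2; return 1; }

    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "SHA-256 mismatch for $iso" >&2; return 1; }

    [ -d "$art_dir" ] || { echo "ART directory $art_dir not found" >&2; return 1; }

    # Added safety step (not in the documented procedure): keep a copy of the
    # previous image so a failed move does not leave ART without one.
    if [ -f "$art_dir/netfence.iso" ]; then
        cp -p "$art_dir/netfence.iso" "$art_dir/netfence.iso.prev" || return 1
    fi

    # Steps 3 and 4 of the procedure: rename into place and set permissions.
    mv "$iso" "$art_dir/netfence.iso" || return 1
    chmod 755 "$art_dir/netfence.iso" || return 1
    return 0
}

# When run as a script with arguments, perform the replacement.
if [ $# -ge 2 ]; then
    install_art_iso "$@"
fi
```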
Using ART with the Barracuda NG Control Center
You must enable ART before using it with the Barracuda NG Control Center. Go to the CONFIGURATION > Box Properties page. In
the left navigation pane, expand Configuration and click Operational. From the ART Network Activation list, select yes.
For Barracuda NG Firewalls that are managed by the Barracuda NG Control Center, you can initiate remote management tunnels from the ART
menu. You can also access the management IP address, VIP, default route, and remote management tunnel. If the system has an Internet
connection, you can also connect to the management IP address and VIP via SSH.
ART only makes the default route and the route's dynamic network link available. ISDN or 3G links are not available.
Use this function with care. Modifying these important basic system configuration parameters is a massive operational modification and
may prevent you from accessing your unit via Barracuda NG Admin and/or SSH.