
DOCUMENT GUIDE FOR BARRACUDA

NG FIREWALL AND CONTROL CENTER

1. Barracuda NG Firewall 6.1 - Overview ... 3
1.1 Network ... 3
1.1.1 WAN Connections ... 3
1.1.2 How to Activate Network Changes ... 11
1.1.3 Routing ... 12
1.2 Administration ... 17
1.2.1 How to Change the Root Password and Management ACL ... 18
1.2.2 How to Configure DNS Settings ... 18
1.3 Virtual Servers and Services ... 19
1.3.1 How to Configure Virtual Servers ... 19
1.3.2 Virtual Server Monitoring ... 21
1.3.3 How to Configure Services ... 23
1.4 NG Firewall Services ... 23
1.4.1 DHCP ... 27
1.4.2 Firewall ... 28
1.4.3 Barracuda Web Filter ... 113
1.4.4 Virus Scanner ... 113
1.4.5 Wi-Fi ... 118
1.5 NG Control Center ... 121
1.5.1 NG Control Center Getting Started with the CC Setup Wizard ... 123
1.5.2 NG Control Center Manually Getting Started ... 130
1.5.3 Center Management ... 132
1.5.4 Barracuda NG Control Center Admins ... 147
1.5.5 CC Eventing ... 161
1.5.6 NG Control Center Troubleshooting ... 162
1.6 Monitoring and Reporting ... 163
1.6.1 Logs ... 163
1.6.2 Events ... 166
1.7 Maintenance ... 167
1.7.1 Updating Barracuda NG Firewalls and NG Control Centers ... 167
1.7.2 Backup and Recovery ... 174

Barracuda NG Firewall 6.1 - Overview


The Barracuda NG Firewall is a family of hardware and virtual appliances designed to protect your network infrastructure. On top of
industry-leading centralized management, highly resilient VPN technology combined with intelligent traffic management capabilities allows the
customer to save line costs and increase overall network availability.

Barracuda NG Firewall
The Barracuda NG Firewall is an enterprise-grade, next-generation firewall that was purpose-built for efficient deployment and operation within
dispersed, highly dynamic, and security-critical network environments. In addition to next-generation firewall protection, it provides
industry-leading operations efficiency and added business value by safeguarding network traffic against line outages and link quality degradation.
User identity and application awareness are used to select the best network path, traffic priority, and available bandwidth for business-critical
traffic. The Barracuda NG Firewall can transparently move traffic to alternative lines to keep traffic flowing.

Barracuda NG Control Center


All policies, client, and device settings can be centrally managed and tracked by the Barracuda NG Control Center. This allows the Barracuda NG
Firewall to meet enterprise requirements of massive scalability, efficient configuration, and life cycle and license management across dispersed
networks, while at the same time offering performance guarantees for business-critical applications. The concept of integrated WAN optimization
coupled with industry-leading centralized management results in significantly lower overall operational costs for multi-site deployments.

Platform Flexibility
The Barracuda NG offers hardware and virtual models in various sizes, from branch offices up to headquarters and data centers. Virtual NG
Firewall and NG Control Center can run on a wide range of hypervisors, effortlessly integrating with your existing network and server
infrastructure. The Barracuda NG Firewall is designed for deployment across the entire enterprise, including environments using Microsoft Azure
and Amazon AWS public clouds.

NETWORK
WAN Connections
The Barracuda NG Firewall supports all commonly used WAN connection types. You can set up static, DHCP, xDSL, UMTS/3G, and ISDN WAN
connections to connect your network to the Internet. Link failover and balancing can be configured either on a per-access rule basis by using
custom connection objects or in a more basic configuration via route metrics. You can also select different Internet connections based on the
application type.
Static Internet Connections
If your ISP assigns a static IP address or network to your Internet connection, configure a static Internet connection to connect the Barracuda NG
Firewall to the Internet. You must add a route on box layer for the network port the ISP is connected to. The connection becomes active when the
assigned IP address, or an IP address within the assigned network, is configured as a virtual server IP address or, if the unit is remotely managed,
when an additional IP address is defined on box layer.
For more information, see How to Configure an ISP with Static IP Addresses.

xDSL Connections
The Barracuda NG Firewall supports xDSL connections using PPP, PPTP, and PPPoE. Because some xDSL providers periodically disconnect the
xDSL modem from the network, xDSL link management automatically introduces and deactivates routes as required.
For more information, see How to Configure an ISP with xDSL and How to Configure an ISP with ISDN.
Link Balancing and Failover
Configure link balancing and failover to optimize usage of two or more WAN connections. Use custom connection objects to select the optimal
connection for the traffic handled by that access rule. You can define multiple connection objects, each with a different failover or link balancing
policy. You can also use route metrics for basic link failover functionality.

How to Configure an ISP with Static IP Addresses


If your Internet connection is using static IP addresses or entire network ranges assigned by your ISP, you must create routing entries on box level and then
assign the IP address(es) to the virtual server. Choose the network type Untrusted to automatically create a default route (0.0.0.0/0) for the connection.

In this article:
Before you Begin
Step 1. Add a Direct Route
Step 2. Network Activation
Step 3. Add the Static IP Address to a Virtual Server
Verify the Network Configuration
Before you Begin

Connect the network equipment installed by your provider to an unused port (not the management port) of your Barracuda NG Firewall.
Step 1. Add a Direct Route

Create a direct attached route entry to create the network on box level of the Barracuda NG Firewall. Be sure to create the route on the port the
ISP is plugged into.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select Routing.
3. Click Lock.
4. In the Main Routing Table, click + to add a new route.
5. Enter a Name for the route and click OK.
6. In the Target Network Address field, enter the IP address of the target network. E.g., 62.99.0.0/24
7. Select directly attached network as the Route Type.
8. From the Interface Name list, select the port the ISP is connected to. E.g., port 2.
9. If the default route will be introduced in an environment where multiple dynamic links are available, specify a Route Metric.
10. Select Untrusted as the Trust Level.
11. Enter the Default Gateway IP address. E.g., 62.99.0.254
12. Click OK.
13. Click Send Changes and Activate.
Step 2. Network Activation

After you create or change basic network configurations such as routing, you must activate your new network configurations.
1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Soft. The 'Soft Activation Succeeded' message is displayed after your new network configurations have been successfully
activated.
Your route is now displayed as a disabled route (grey "x" icon) in CONTROL > Network.
Step 3. Add the Static IP Address to a Virtual Server

Assign the individual WAN IP addresses you want to use to the virtual servers on the Barracuda NG Firewall. By introducing the external IP
addresses on the virtual server, you can use a high availability (HA) cluster to transfer the WAN address to the secondary unit and still be
reachable under the same IP address. In our example, you would enter 62.99.0.221 in the virtual Server Properties (CONFIGURATION >
Full Configuration > Virtual Servers > your virtual server) as the First-IP, Second-IP or Additional IP address.
For more information, see Virtual Servers and Services.
Verify the Network Configuration

Open the CONTROL > Network page to verify that all network routes have been introduced successfully. Verify the WAN IP addresses are
displayed with a green status icon and that the introduced routes are available in the tables Main and Default and that the default route is directing
traffic through your ISP connection.

How to Configure an ISP with xDSL


An xDSL connection is a tunneled connection using Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol
(PPTP), depending on your ISP. The Barracuda NG Firewall can handle up to four xDSL connections. The WAN IP address assigned by the ISP can be
dynamic or static, depending on your ISP.

Before you Begin

To use Dynamic DNS, you must have an active account at www.dyndns.org. For more information on DynDNS, see http://dyn.com/dns/.
To use the xDSL connection as part of a PPP multilink bundle, your ISP must support PPP multilink connections.
If your ISP supports synchronous PPP mode, using it can result in higher PPP performance. The performance gain is achieved only in
some cases and depends on your and your ISP's setup.
Enabling synchronous PPP without support of the remote server causes an unstable connection and massive performance loss.

Configuring an ISP with xDSL

Configure an xDSL connection using PPPoE or PPTP as the tunneling protocol, depending on your ISP:
How to Configure an ISP with xDSL using PPPoE
How to Configure an ISP with xDSL using PPTP
To avoid routing conflicts in multiprovider environments, be aware that every provider usually assigns the same gateway to a dynamically
assigned IP address. Do not configure multiple xDSL links managed by the same provider unless you are sure that the assigned addresses stem
from distinct IP pools and use clearly distinguishable gateways.

How to Configure an ISP with xDSL using PPPoE


Point-to-Point Protocol over Ethernet (PPPoE) provides an easy solution for high-speed access services by using broadband modems. Configure
an xDSL connection using PPPoE that uses the configuration parameters supplied by your ISP. PPPoE requires no special configuration to the
access network. Each PPP session learns the Ethernet address of the remote peer and creates a unique session identification (ID).
In this article:
Before you Begin
Step 1. Configure Link Properties
Step 3. Configure Authentication
Step 4. Configure Routing Settings
Step 5. Configure Connection Monitoring
Step 6. Activate Network Changes
Operating a DHCP Link in Standby Mode
Troubleshooting
Before you Begin

Connect the Ethernet port of the ISP modem to a free port of your Barracuda NG Firewall. Depending on the modem, a standard Ethernet cable
or a crossover cable must be used. Contact the ISP or the vendor of the xDSL modem for more information.
Step 1. Configure Link Properties

Specify the properties for the DHCP link and define the transport protocol for PPP.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select xDSL/DHCP/ISDN.
3. Click Lock.
4. Set xDSL Enabled to Yes.
5. In the XDSL Links table, click + to add an entry.
6. Enter a name for the xDSL link (no special characters) and click OK. The xDSL Links window opens.
7. Select the Connection Type to specify the transport protocol for PPP.
8. (optional) Enter the Static Local and Gateway IP address if your ISP does not assign it automatically.
9. Select the Ethernet Interface the xDSL modem is attached to.
PPPoA, PPPoE and Bridged Ethernet are only usable with a legacy-integrated ADSL modem.

Step 3. Configure Authentication

Most ISPs require authentication information to connect. These configuration settings are provided by your ISP. If no authentication is required,
set Authentication Method to NONE.
1. In the Authentication section, select the Authentication Method. Default: PAP_or_CHAP
2. Enter the User Access ID (PPP username) assigned by your ISP.
3. If provided by your ISP, enter the User Access Sub-ID. The # and @ symbols are generated automatically. The complete user ID is
formatted as follows: [user_id]#[access_sub_id]@[provider_name], e.g., 000xxxxxxxxx520069204717#0001@t-online.de
4. Enter the Access Password assigned by your ISP.
5. If you want to use your ISP's DNS servers, select Use ProviderDNS.
6. To use dynamic DNS, select Use Dynamic DNS and click Set. The Dynamic DNS Params window opens.
a. Select a dynamic DNS Service Type. For information on DynDNS service types, see http://www.dyndns.com/services/.
b. Enter the Dyn DNS Name that was registered on dyndns.org.
c. Enter the User Access ID and Password for accessing the dyndns.org service.
7. Click OK.

Step 4. Configure Routing Settings

Configure whether to create a default route, dynamic routing, and the route metric.
1. Set Create Default Route to YES to automatically create a default route via this xDSL connection.
2. If you are using dynamic routing protocols like OSPF/RIP/BGP, enable Advertise Route.
3. Enter a Route Metric if multiple dynamic links are available. The link with the lowest route metric is automatically chosen if more than
one default route is available.
Step 5. Configure Connection Monitoring

Configure log settings and define target IP addresses that will be regularly pinged to monitor the availability of the connection. Each target IP
address is pinged every 20 seconds (2 ICMP packets each). If there is no response, the link is re-established.
1. In the Connection Monitoring section, select the Monitoring method:
LCP: If ping fails, the dial-in daemon is probed directly via LCP.
ICMP: The Barracuda NG Firewall probes the Reachable IPs and, if there is no response, the gateway.
StrictLCP: No ICMP probing occurs.
2. Enter one or more Reachable IPs to monitor the availability of the connection. The target IP addresses should only be accessible via the
xDSL connection.
3. Select the Unreachable Action to be taken if the connection cannot be established. The following options are available:
Restart: Restarts the xDSL connection.
Increase-Metric: Changes the preference for xDSL routes until the probe succeeds.
4. Click OK.
5. Click Send Changes and Activate.
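The monitoring logic of Step 5 (probe the Reachable IPs every 20 seconds, fall back to the gateway or to an LCP probe depending on the method, then apply the Unreachable Action) can be simulated offline. The following is an added example written for this guide, not Barracuda code: probe results are injected by the caller, so nothing is actually pinged. The interval, packet count, the three monitoring methods and the two Unreachable Actions come from the article; the function names, the metric step used for Increase-Metric, the restoring of the metric once a probe succeeds again, and the sample addresses are assumptions.

```python
"""Offline simulation of xDSL connection monitoring (added example, not Barracuda code)."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

PROBE_INTERVAL_SECONDS = 20   # each Reachable IP is pinged every 20 seconds (from the article)
PACKETS_PER_PROBE = 2         # 2 ICMP packets per target and interval (from the article)
METRIC_STEP = 10              # assumed: how far Increase-Metric raises the route preference


@dataclass
class XdslLink:
    name: str
    gateway: str
    reachable_ips: List[str]
    method: str = "ICMP"                  # ICMP, LCP or StrictLCP
    unreachable_action: str = "Restart"   # Restart or Increase-Metric
    route_metric: int = 10                # configured Route Metric (Step 4)
    restarts: int = 0                     # how often the link was re-established
    lcp_probes: int = 0                   # how often the PPP daemon was probed via LCP

    def __post_init__(self) -> None:
        self.base_metric = self.route_metric   # value to restore once probes succeed again


Ping = Callable[[str], bool]   # True if the PACKETS_PER_PROBE pings to the address were answered


def make_ping(answering: Set[str]) -> Ping:
    """Fake ping for the simulation: only hosts in `answering` reply (constructed, no network I/O)."""
    return lambda ip: ip in answering


def link_is_up(link: XdslLink, ping: Ping, lcp_ok: Callable[[], bool]) -> bool:
    """One monitoring round, following the three methods from the article.

    ICMP:      probe the Reachable IPs and, if none answers, the gateway.
    LCP:       like ICMP, but if all pings fail the dial-in daemon is probed via LCP.
    StrictLCP: no ICMP probing at all, only the LCP probe.
    """
    if link.method == "StrictLCP":
        link.lcp_probes += 1
        return lcp_ok()
    if any(ping(ip) for ip in link.reachable_ips) or ping(link.gateway):
        return True
    if link.method == "LCP":
        link.lcp_probes += 1
        return lcp_ok()
    return False


def apply_result(link: XdslLink, up: bool) -> XdslLink:
    """Apply the configured Unreachable Action after a failed round.

    Restart re-establishes the link. Increase-Metric lowers the preference of the
    xDSL routes (higher metric number) until a probe succeeds; restoring the
    configured metric on success is an assumption of this example.
    """
    if up:
        link.route_metric = link.base_metric
    elif link.unreachable_action == "Restart":
        link.restarts += 1
    elif link.unreachable_action == "Increase-Metric":
        link.route_metric += METRIC_STEP
    else:
        raise ValueError(f"unknown Unreachable Action: {link.unreachable_action}")
    return link


def run_monitor(link: XdslLink, rounds: List[Tuple[Set[str], bool]]) -> List[Tuple[int, bool]]:
    """Run one round per entry of `rounds` = (hosts answering ICMP, LCP probe result).

    Returns (elapsed seconds, link up) per round; the link object carries the side
    effects (restart count, LCP probe count, current route metric).
    """
    history = []
    for i, (answering, lcp_result) in enumerate(rounds):
        up = link_is_up(link, make_ping(answering), lambda ok=lcp_result: ok)
        apply_result(link, up)
        history.append((i * PROBE_INTERVAL_SECONDS, up))
    return history


if __name__ == "__main__":
    # Constructed sample: a monitoring target beyond the ISP gateway (reachable only over
    # this xDSL link), then the ISP side goes dark for two rounds and comes back.
    link = XdslLink("dsl1", gateway="203.0.113.1", reachable_ips=["198.51.100.10"],
                    method="ICMP", unreachable_action="Increase-Metric", route_metric=10)
    rounds = [({"198.51.100.10", "203.0.113.1"}, False),  # target answers: up
              ({"203.0.113.1"}, False),                    # only the gateway answers: still up
              (set(), False),                              # nothing answers: metric raised
              (set(), False),                              # still down: raised again
              ({"198.51.100.10"}, False)]                  # back: metric restored
    for seconds, up in run_monitor(link, rounds):
        print(f"t={seconds:3d}s up={up} metric={link.route_metric}")
```

The Reachable IPs must answer only via the xDSL link; if the sample target were also reachable through another uplink, the simulation (and the real monitor) would report the link as up while the ISP side is down.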
Step 6. Activate Network Changes

You must activate the network changes to bring up the xDSL connection.
1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe. The 'Failsafe Activation Succeeded' message is displayed after your new network configurations have been successfully
activated.
4. Click OK.
5. Click Send Changes and Activate.
Step 4. Activate Network Changes

You must activate the network changes to bring up the xDSL connection.
1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe. The 'Failsafe Activation Succeeded' message is displayed after your new network configurations have been successfully
activated.
Your ISDN connection is now active and the IP addresses assigned by your ISP are visible on the CONTROL > Network page. The status icons
next to the ISDN interface are green, indicating an active connection. If the ISDN connection is your primary uplink, the default route pointing to
the ISDN interface is also created. If more than one default route is present, the connection with the lowest route metric is used.
Operating an ISDN Link in Standby Mode

Enable Standby Mode in the ISDN configuration if you want to use the ISDN connection as a backup uplink. In standby mode, activation and
subsequent monitoring of the connection must be triggered externally. Standby mode also lets you combine HA setups for HA ISDN connections.
1. The ISDN routes are set to pending, and the Barracuda NG Firewall does not check whether they are established.
2. The configuration is completely run through but the connection is not yet established.
A standby connection can only be started by a command-line script. Example usage:
connection start: /etc/phion/dynconf/network/isdnrestart &
connection stop: /etc/phion/dynconf/network/wipeisdn &

How to Configure Link Balancing and Failover for Multiple WAN Connections
If you are using two DHCP connections from the same carrier that is using the same remote network and gateway, see How to
Configure Automatic Failover with Dual DHCP WAN Connections using the Same Remote Gateway.
If you are using two or more ISP connections, you can use outbound link and load balancing to balance the traffic between the different Internet
connections. If one ISP goes down, the traffic will be routed over the remaining connection. Basic link failover functionality can be achieved by
using different route metrics. A better solution is to use custom connection objects to distribute the load and/or configure failover for different links.
Using custom connection objects allows you to decide on link balancing on a per-access rule basis. For this article, we assume we are using a
mix of one static and one dynamic (DHCP) Internet connection.
In this article:
Step 1. Configure the WAN Connections
Step 2. Add a Source Based Route
Step 3. Configure Link Monitoring
Step 4. Create a Custom Connection Object for Link Balancing with Failover (Fallback)
Step 5. Apply the Connection Object
Step 6. (optional) Configure Notifications

Step 1. Configure the WAN Connections

Configure your WAN connections:


For information on setting up an ISP with static IP address assignment, see How to Configure an ISP with Static IP Addresses.
For information on setting up an ISP with dynamic DHCP IP address assignment, see How to Configure an ISP with Dynamic IP Addresses (DHCP).
This configuration uses the following example settings for both WAN connections:
ISP     IP Address            Gateway               Network Interface
ISP 1   62.99.0.69            62.99.0.254           port 3
ISP 2   dynamically assigned  dynamically assigned  dhcp

For WAN connections with dynamic address assignment (e.g., DHCP), verify that you enable the settings Own Routing Table, Use Assigned IP,
Create Default Route, and Clone Routes in the configuration.
Step 2. Add a Source Based Route

Configure the source routes for both connections to avoid IP packets from being sent via the wrong ISP line. For DHCP
connections, the routes are already introduced automatically by the DHCP client. For ISP connections with
static IP addresses, configure a source-based route.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select Routing.
3. Click Lock.
4. In the Source Based Routing section, click + to add a new route.
5. Enter a Name for the route and click OK.
6. In the Source Networks table, add the network for which the routing table is consulted, e.g., 62.99.0.0/24
7. In the Routing Table Contents section, click + to configure the route.
8. In the Target Network Address field, enter 0.0.0.0/0.
9. Select unicast as the Route Type.
10. Enter the Gateway IP address, e.g., 62.99.0.254
11. Click OK.
12. Select postmain as the Table Placement option.
13. Click OK.
14. Click Send Changes and Activate.

Step 3. Configure Link Monitoring

For the dynamic Internet connection, configure link monitoring for both routes (default and source based) to monitor IP addresses beyond the
ISP gateway.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select xDSL/DHCP/ISDN.
3. In the Configuration Mode menu, select Switch to Advanced View.
4. Click Lock.
5. Edit the DHCP link.
6. In the Connection Monitoring section, add a target IP address to be used for monitoring into the Reachable IPs table. This address must
be reachable only via the DHCP connection.
7. Click OK.
8. Click Send Changes and Activate.
After you configure your routes, you must activate your new network configurations.
1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Failsafe. A Network Configuration Reconfigured message will appear.
Step 4. Create a Custom Connection Object for Link Balancing with Failover (Fallback)

The Barracuda NG Firewall can perform link failover and link cycling using multiple connections. The failover and load balancing policy used in the
custom connection object defines how the traffic is routed:
Link Balancing with Fallback: Traffic is always routed over the primary uplink as long as it is available. If the main uplink fails, the
secondary uplink is used.
Random Link Balancing: Sessions are distributed randomly according to the weight of the connections. If one of the connections fails,
traffic is routed through the other available connections as defined in the connection policy.
Sequential Link Balancing: The Source IPs are sequentially cycled through, factoring in the weight defined for each uplink. The
Barracuda NG Firewall remembers the source/destination of active sessions and will reuse the same connection if a similar connection
is established.
Create a custom connection object for link balancing and failover:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. In the left menu, click on Connections.
4. Right-click and select New. The Edit/Create a Connection Object window opens.
5. Enter a Name for the connection object. E.g., LBFailover
6. Select From Interface as the NAT Address.
7. In the Interface Name field, enter the port the ISP 1 is connected to. E.g., port3 or dhcp
8. In the Failover and Load Balancing section, select one load balancing/failover Policy:
a. FALLBACK (Fallback to alternative Source Addresses)
Select either Interface or source IP address for each Internet connection.
Enter the interface or source IP address for the connection.
b. SEQ (Sequentially cycle Source Addresses)
Select either Interface or source IP address for each Alternative connection.
Enter the interface or source IP address for each connection.
Enter the Weight factor. This value determines how the load is distributed between the different connections.
c. RAND (Random Source Addresses)
Select either Interface or source IP address for each Alternative connection.
Enter the interface or source IP address for each connection.
Enter the Weight factor. This value determines how the load is distributed between the different connections.
9. Click OK.
10. Click Send Changes and Activate.
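The three Failover and Load Balancing policies of Step 4 differ in how a new session is assigned to an uplink and in what happens when one uplink is disabled by link monitoring. The block below is an added example written for this guide, not Barracuda code: it models the policy semantics as the article states them (primary first for FALLBACK, weighted random per session for RAND, weighted sequential cycling with reuse of the uplink for an already known source/destination pair for SEQ). The class and function names, the seeded random generator and the sample interfaces are assumptions; the interface names port3 and dhcp reuse the article's example.

```python
"""Simulation of the FALLBACK, SEQ and RAND connection-object policies (added example)."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Uplink:
    source: str             # Interface name or source IP, as entered in the connection object
    weight: int = 1         # Weight factor (used by SEQ and RAND only)
    available: bool = True  # False once link monitoring has disabled this uplink's route


@dataclass
class ConnectionObject:
    name: str
    policy: str                      # FALLBACK, SEQ or RAND
    uplinks: List[Uplink]            # first entry is the NAT address, i.e. the primary uplink
    sessions: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (src, dst) -> uplink
    position: int = 0                # cursor for sequential cycling

    def alive(self) -> List[Uplink]:
        return [u for u in self.uplinks if u.available]

    def select(self, src: str, dst: str, rng=None) -> str:
        """Pick the source interface/address for a new session from src to dst."""
        if rng is None:
            rng = random.Random()
        alive = self.alive()
        if not alive:
            raise RuntimeError(f"{self.name}: no uplink available")
        if self.policy == "FALLBACK":
            # Primary as long as it is up, otherwise the next alternative in list order.
            return alive[0].source
        if self.policy == "RAND":
            # Each new session is placed randomly, proportional to the weights of the live uplinks.
            return rng.choices(alive, weights=[u.weight for u in alive], k=1)[0].source
        if self.policy == "SEQ":
            known = self.sessions.get((src, dst))
            if known is not None and any(u.source == known for u in alive):
                return known   # reuse the uplink of a similar active session
            # Cycle through the live uplinks; an uplink with weight w appears w times per cycle.
            ring = [u.source for u in alive for _ in range(u.weight)]
            chosen = ring[self.position % len(ring)]
            self.position += 1
            self.sessions[(src, dst)] = chosen
            return chosen
        raise ValueError(f"unknown policy {self.policy}")


def distribute(obj: ConnectionObject, flows: List[Tuple[str, str]], seed=None) -> Dict[str, int]:
    """Route each (src, dst) flow through the object and count sessions per uplink."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for src, dst in flows:
        chosen = obj.select(src, dst, rng)
        counts[chosen] = counts.get(chosen, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample matching the article: ISP 1 on port3, ISP 2 via the dhcp interface.
    lb = ConnectionObject("LBFailover", "SEQ", [Uplink("port3", weight=2), Uplink("dhcp", weight=1)])
    flows = [("10.0.0.5", f"198.51.100.{i}") for i in range(1, 7)]
    print("SEQ 2:1 ->", distribute(lb, flows))
    fb = ConnectionObject("Fallback", "FALLBACK", [Uplink("port3"), Uplink("dhcp")])
    print("primary up   ->", fb.select("10.0.0.5", "198.51.100.1"))
    fb.uplinks[0].available = False   # ISP 1 failed (what a Route Disabled event would report)
    print("primary down ->", fb.select("10.0.0.5", "198.51.100.1"))
```

Note that the SEQ policy's session memory only helps while the remembered uplink is still available; after a failover the pair is re-assigned, which is the behaviour the article describes for traffic moving to the remaining connections.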
Step 5. Apply the Connection Object

Use the object for all access rules handling outgoing traffic.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Edit an access rule handling outgoing traffic. E.g., LAN-2-INTERNET
4. Select the custom connection object created in Step 4 from the Connection Method list.
5. Click OK.
6. Click Send Changes and Activate.
Step 6. (optional) Configure Notifications

You can configure the Barracuda NG Firewall to send SNMP traps or email notifications in case one of the ISP connections fails. Depending on
what kind of notification you want to send, change the notification ID for:
62 (Route Changed)
64 (Route Disabled)
For more information, see Events.
You are now load balancing and/or using failover for all outgoing connections, which are handled by access rules using the custom connection
object. If needed, you can define multiple custom connection objects and use them to control which ISP connections are used by a specific
network or IP address.

How to Activate Network Changes


After changing the configuration of the network subsystem, you must activate the new network configuration. There are three types of network
activation:
Failsafe: A backup of the existing configuration is created, and the new network configuration is activated. If the connection to NG
Admin is established successfully after activation, the network activation is complete. If it fails, the network configuration is reverted to
the previously working state. During activation in failsafe mode, the whole network system is shut down and the Barracuda NG Firewall is
briefly unreachable. All active connections are terminated.
Force: In this activation mode, the new network configuration is activated without making a backup of the old configuration. If the new
network configuration does not work, there is no fallback mechanism. During activation in Force mode, the whole network system is shut
down and the Barracuda NG Firewall is briefly unreachable. All active connections are terminated.
Soft: Only use the Soft activation mode to add a route to an existing network configuration. All other network configuration changes
cannot be activated in Soft mode. During activation in this mode, the network system is not shut down and firewall connections are not
interrupted. Alternatively, you can soft activate a new network configuration and reboot the Barracuda NG Firewall or NG Control Center for
the network configuration changes to take effect.

After activation, the network may briefly show an error state until all connections are established.

Routing

Routing tables are used to store the best path to a remote network. The Barracuda NG Firewall uses the routing tables to forward traffic to the
correct interfaces, next hop gateways, or VPN tunnels. Routes are first evaluated by destination, route metric (preference) and, optionally, source
address of an IP packet and then by the scope (network size) to determine which route matches. Two routes of the same scope (e.g., /24) and
metric cannot be created. The Management IP address always uses a preference of 0.
If two routes with different preferences exist, the route with the lower preference is chosen. E.g., 10.0.10.0/25 (preference 10) is preferred
over 10.0.10.0/25 (preference 100).
If two routes with the same preference exist to a destination, the route with the smaller subnet (longer prefix) is used. E.g., 10.0.10.0/24 is
preferred over 10.0.0.0/16.
VPN routes are source-based routes by default. If a single routing table is enabled in the VPN Settings, VPN routes are inserted with a
preference of 10. For more information
Directly Attached Network Routes (Direct Routing)
Gateway Routes (Next Hop Routing)
Multipath Routing
Source-Based Routes (Policy Based Routing)
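The selection rules above (lower preference wins, the more specific network wins, two routes of the same scope and metric cannot coexist, and a gateway route needs a directly attached route covering its next hop) can be checked against a small in-memory routing table. The following is an added example written for this guide, not Barracuda code. Its lookup compares the more specific network first and the lower preference second: both worked examples in this section are satisfied by that order, and it is the longest-prefix-match order of the Linux routing stack the firewall builds on, although the section's own wording lists the metric before the scope. Class and function names are assumptions; the addresses reuse the 62.99.0.0/24 example from the article, with a constructed second uplink on 192.0.2.0/24.

```python
"""Minimal main routing table with the selection rules of this section (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MANAGEMENT_PREFERENCE = 0   # the management IP address always uses a preference of 0


@dataclass(frozen=True)
class Route:
    target: ipaddress.IPv4Network
    preference: int
    via: str          # interface name (direct route) or next hop IP (gateway route)
    kind: str         # "direct" or "gateway"


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_direct(self, target: str, interface: str, preference: int = 0) -> Route:
        """Directly attached network route: target network in CIDR plus the interface."""
        return self._add(Route(ipaddress.ip_network(target), preference, interface, "direct"))

    def add_gateway(self, target: str, next_hop: str, preference: int = 0) -> Route:
        """Gateway route: the next hop must lie inside an already configured direct route."""
        hop = ipaddress.ip_address(next_hop)
        if not any(r.kind == "direct" and hop in r.target for r in self.routes):
            raise ValueError(f"next hop {next_hop} is not reachable: add a direct route first")
        return self._add(Route(ipaddress.ip_network(target), preference, next_hop, "gateway"))

    def _add(self, route: Route) -> Route:
        # Two routes of the same scope and metric cannot be created.
        for r in self.routes:
            if r.target == route.target and r.preference == route.preference:
                raise ValueError(f"route {route.target} with preference {route.preference} already exists")
        self.routes.append(route)
        return route

    def lookup(self, destination: str) -> Optional[Route]:
        """Most specific matching network wins; among equal networks, the lower preference."""
        addr = ipaddress.ip_address(destination)
        matching = [r for r in self.routes if addr in r.target]
        if not matching:
            return None
        return min(matching, key=lambda r: (-r.target.prefixlen, r.preference))


def example_table() -> RoutingTable:
    """Constructed sample: management LAN, the ISP network from the article, two default routes."""
    table = RoutingTable()
    table.add_direct("10.0.10.0/24", "eth0", MANAGEMENT_PREFERENCE)   # created with the management IP
    table.add_direct("62.99.0.0/24", "port2")                          # ISP issued network (article)
    table.add_gateway("0.0.0.0/0", "62.99.0.254", preference=10)       # default route via ISP 1
    table.add_direct("192.0.2.0/24", "port3")                          # second uplink (constructed)
    table.add_gateway("0.0.0.0/0", "192.0.2.1", preference=100)        # backup default route
    return table


if __name__ == "__main__":
    t = example_table()
    for dst in ("10.0.10.7", "62.99.0.221", "203.0.113.9"):
        r = t.lookup(dst)
        print(f"{dst:>12} -> {r.target} via {r.via} (preference {r.preference})")
```

Raising the preference of the ISP 1 default route above 100 (what the Increase-Metric action on a monitored link does) is enough to make the lookup for an Internet destination return the backup route, which is the basic metric-based failover the WAN Connections section refers to.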

Directly Attached Network Routes (Direct Routing)


Define how to reach networks that are directly plugged into a port (virtual or physical) of the Barracuda NG Firewall. To define a directly attached
network route, you must enter:
Target network: The network in CIDR format. E.g., 172.16.0.0/24
Interface: The network interface on the Barracuda NG Firewall the network is attached to. E.g., eth2 or port 2
After you have introduced the directly attached route and activated the network, the route is in a pending state. Pending routes are marked with
the pending icon in CONTROL > Network and are not active. When a suitable source network address (virtual server IP or additional IP address
on box level) has been introduced, the route becomes active and the active icon is displayed for the route.

In the example above, you must create a direct route for the ISP issued 62.99.0.0/24. To reach the Internet, a gateway route (see below) must be
created. If you enter the optional gateway IP address when creating the direct attached route, the default gateway route is created automatically.
You do not need to create a directly attached route for the network the management IP address is in. This route is created automatically when the
management IP address is configured.
For setup instructions, see How to Configure Direct Routes.

Gateway Routes (Next Hop Routing)


To reach networks that cannot be directly accessed, you must define gateway routes. A common gateway route is the default route (0.0.0.0/0),
which will forward all packets not belonging to one of the trusted networks to the remote gateway provided by the ISP. Before adding a gateway
route, a direct route must be configured. Otherwise, you cannot contact the next hop IP address. To define a gateway route, you must enter:
Target network Target network in CIDR format. E.g., 0.0.0.0/0 for the default route
Next hop address IP Address of the gateway device the traffic is sent to. E.g., 62.99.0.254

After adding the gateway route, you must initiate a Soft network activation (CONTROL > Box > Network > Activate new network configuration) for
the route to become active. The route status is displayed in CONTROL > Network.

For setup instructions, see How to Configure Gateway Routes.

Multipath Routing
The Barracuda NG Firewall supports standard Linux multipath routing and Firewall-assisted multipath routing. Standard Linux multipath routing
does not offer dead next hop detection or per-session packet balancing. Simple redundancy can still be provided by adding multiple gateway
routes to the same target network with different route preference numbers; the route with the lower preference is used as long as its next hop
answers ARP requests. Firewall-assisted multipath routing supports per packet balancing between next hops and dead next peer detection and is
configured in the Forwarding Firewall service.
For setup instructions, see:
How to Configure Multipath Routing
How to Configure Linux Standard Multipath Routing

Source-Based Routes (Policy Based Routing)


Source-based or policy routing is a way to implement more complex routing scenarios. The implementation provided by the Barracuda
NG Firewall only uses a subset of the functional scope of policy routing. The source address used to establish a connection determines whether
or not a routing table is consulted.
Because the firewall configuration (on a per rule basis) lets you specify the address with which an allowed connection is established, policy
routing represents an extremely powerful instrument to manage routing on the NG Firewall in complex topologies. VPN tunnels make use of policy
routing.
Policy routing rules assign an IP address range (source addresses) to a named routing table. These rules are organized in an ordered list, so that
each rule is associated with a preference number. Routing decisions are made by evaluating the ruleset starting with lowest preference number
rule. The first ruleset (route table) that matches the source IP address is chosen. If a matching route to the desired destination address is found in
the table, the route is applied. Otherwise, the Barracuda NG Firewall continues to evaluate the routing tables (rules) until a match is found. If none
of the rules match, the destination is unreachable.
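The lookup order described in this section (longest prefix first, then the lower preference among routes of equal scope, then source-based routing rules evaluated lowest preference number first, with a throw route leaving the current table and continuing with the next rule) can be simulated offline. The following block is an added example and not Barracuda code: the Route and RoutingRule layout, the premain/postmain positions and the second ISP gateway 203.0.113.1 are assumptions; 62.99.0.0/24, 62.99.0.254 and the 10.0.10.0/25 routes with preferences 10 and 100 come from the text.

```python
"""Route selection as described in this section: longest prefix first, then
lower preference among equal prefixes, then source-based routing rules
evaluated lowest preference number first, with 'throw' leaving the current
table and continuing with the next rule. Added example, not Barracuda code.
The Route/RoutingRule layout and the 203.0.113.1 second-ISP gateway are
assumptions; 62.99.0.0/24, 62.99.0.254 and 10.0.10.0/25 come from the text."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    target: str                    # CIDR, e.g. "10.0.10.0/25"
    preference: int = 0            # lower wins among routes of equal prefix length
    gateway: Optional[str] = None  # None = directly attached network
    kind: str = "unicast"          # "unicast" or "throw"


@dataclass(frozen=True)
class RoutingRule:
    name: str
    preference: int                # rules are evaluated lowest number first
    source_networks: tuple         # CIDRs the connection's source must be in
    routes: tuple                  # the rule's own routing table
    position: str = "premain"      # consulted before ("premain") or after ("postmain") main


def lookup(table, dst):
    """Best match in one table: longest prefix, then lowest preference.
    Returns the Route or None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_key = None, None
    for r in table:
        net = ipaddress.ip_network(r.target)
        if dst_ip not in net:
            continue
        key = (net.prefixlen, -r.preference)   # longer prefix, then lower preference
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def policy_lookup(rules, main_table, src, dst):
    """Full lookup for a connection from src to dst.
    Returns (table_name, Route), or None if the destination is unreachable."""
    src_ip = ipaddress.ip_address(src)

    def walk(position):
        for rule in sorted(rules, key=lambda r: r.preference):
            if rule.position != position:
                continue
            if not any(src_ip in ipaddress.ip_network(n) for n in rule.source_networks):
                continue                       # rule does not apply to this source
            r = lookup(rule.routes, dst)
            if r is None or r.kind == "throw":
                continue                       # no match / throw: try the next rule
            return rule.name, r
        return None

    hit = walk("premain")
    if hit is None:
        r = lookup(main_table, dst)
        hit = ("main", r) if r is not None else None
    if hit is None:
        hit = walk("postmain")
    return hit


# Constructed sample configuration.
MAIN_TABLE = (
    Route("62.99.0.0/24"),                                   # direct: ISP network
    Route("10.0.10.0/24"),                                   # direct: LAN
    Route("10.0.0.0/16", gateway="10.0.10.1"),
    Route("10.0.10.0/25", preference=10, gateway="10.0.10.2"),
    Route("10.0.10.0/25", preference=100, gateway="10.0.10.3"),
)
RULES = (
    RoutingRule("guest-isp2", 10, ("10.0.10.0/24",), (
        Route("10.0.0.0/8", kind="throw"),                   # internal: fall back to main
        Route("0.0.0.0/0", gateway="203.0.113.1"),           # everything else: second ISP
    )),
    RoutingRule("default-isp1", 20, ("10.0.0.0/8",), (
        Route("0.0.0.0/0", gateway="62.99.0.254"),           # default route via ISP 1
    ), position="postmain"),
)

if __name__ == "__main__":
    for src, dst in [("192.168.1.1", "10.0.10.5"), ("10.0.10.5", "10.0.20.1"),
                     ("10.0.10.5", "8.8.8.8"), ("10.0.20.7", "8.8.8.8"),
                     ("192.168.1.1", "8.8.8.8")]:
        print(src, "->", dst, ":", policy_lookup(RULES, MAIN_TABLE, src, dst))
```

The throw route in the guest-isp2 table is what keeps internal traffic from being sent to the second ISP: it matches 10.0.0.0/8, ends the lookup in that table, and the connection falls through to the main table. A source that matches no rule and no main-table route ends up unreachable (None), which is the behaviour the text describes.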

For setup instructions, see How to Configure Source-Based Routes.

How to Add a Direct Attached Route


Direct attached routes are routing entries for networks that can be reached from an interface of the Barracuda NG Firewall without having to use
a next hop gateway.

In this article:
Before you Begin
Step 1. Configure a Direct Route
Step 2. Activate the Network Configuration
Next Steps
Before you Begin

Connect the network to a port of the Barracuda NG Firewall. Do not use the management port.
Step 1. Configure a Direct Route

Add a route for the direct attached network.


1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, click Routing.
3. Click Lock.
4. In the Routes table, click + to add a route:
Name Enter a name.
Target Network Address Enter the network in CIDR format. E.g., 62.99.0.0/24

Route Type Select direct attached network.


Interface Name Select the interface you used to connect to the network. E.g., eth1
Trust Level Select the trust level. Your network will automatically be connected to the corresponding network objects. Use Untrusted
for WAN connections, Trusted for LAN connections.
(optional) Advertise Route To propagate this network route via the OSPF/RIP/BGP service, select Yes. For more
information
5. Click OK.
6. Click Send Changes and Activate.
Step 2. Activate the Network Configuration

After you have configured the network route, you must activate your new network configuration.
1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Soft. The Soft Activation Succeeded message is displayed after your new network configurations have been successfully
activated.
The direct attached route is now displayed as pending on the CONTROL > Network page. To make the route active, you must use one of the IP
addresses in the network as a virtual server IP address (default) or as an additional IP address (remote units).
Next Steps

Default: You must use at least one IP address from the network as a virtual server IP address. If you are using a high availability setup,
these virtual server IP addresses will be transferred to the secondary NG Firewall in case of a failure.
In case of remote access: If you are managing the Barracuda NG Firewall via a remote management tunnel, add the IP address to the Additional
IP addresses (CONFIGURATION > Configuration Tree > Box > Network). IP addresses assigned on box level are not synced to
the HA partner. When using the IP address on box level, the route will remain active even if the virtual server is running on the other NG
Firewall in the HA cluster.

How to Configure Gateway Routes

Gateway routes are defined for all networks that are not directly attached to a port of the Barracuda NG Firewall. The Barracuda NG Firewall
will forward all traffic with the configured destination to the gateway (next hop) IP address specified in the gateway route. For example, the default
route (0.0.0.0/0), which sends all traffic to the ISP gateway IP address, is a gateway route.

Step 1. Configure a Gateway Route

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. From the Configuration menu in the left navigation pane, click Routing.
3. Click Lock.
4. In the Routes table click + to add a gateway route:
Name Enter a name.
Target Network Address Enter the network in CIDR format. E.g., 0.0.0.0/0 for the default route
Route Type Select gateway.
Gateway The gateway IP address. E.g., 62.99.0.254

Trust Level Select the trust level. Use Untrusted for WAN connections, Trusted for LAN connections.
(optional) Advertise Route To propagate this network route via the dynamic routing service, select Yes. For more
information
5. Click OK.
6. Click Send Changes and Activate.
Step 2. Activate the Network Configuration

After you have configured the network route, you must activate your new network configuration.
1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Soft. The "Soft Activation Succeeded" message is displayed after your new network configurations have been successfully
activated.
The gateway route is now displayed as active on the CONTROL > Network page. If the remote gateway no longer answers ARP requests, the route is placed in
a pending state until the gateway is reachable again.
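The dependencies described in the two articles above (a direct attached route stays pending until a virtual server IP or additional box IP lies in its network; a gateway route needs a direct attached network covering its next hop and goes pending while the next hop does not answer ARP; the management IP network needs no explicit direct route) can be checked before activating a configuration. The following block is an added example, not Barracuda code: the data layout, the route_states function, the 172.16.0.0/24 DMZ and the branch network are assumptions, and the ARP state is passed in rather than measured.

```python
"""Checks a box-level routing configuration the way the two articles above
describe it: a direct attached route stays pending until a virtual server IP
or additional box IP lies in its network; a gateway route needs a direct
attached network that covers its next hop, and it goes pending while the
next hop does not answer ARP. Added example, not Barracuda code; the data
layout, the 172.16.0.0/24 DMZ and the branch network are assumptions."""
import ipaddress


def route_states(direct_routes, gateway_routes, assigned_ips, management_ip,
                 arp_reachable=None):
    """direct_routes: {name: cidr}            (route type: direct attached network)
    gateway_routes: {name: (cidr, next_hop)}  (route type: gateway)
    assigned_ips: virtual server IPs and additional box IPs
    management_ip: 'address/prefixlen'; its network route is implicit and active
    arp_reachable: next hops currently answering ARP (None = assume all do)
    Returns ({route_name: 'active' | 'pending'}, [problem descriptions])."""
    problems = []
    states = {}
    mgmt = ipaddress.ip_interface(management_ip)
    sources = [ipaddress.ip_address(i) for i in assigned_ips] + [mgmt.ip]
    nets = {"management": mgmt.network}
    nets.update({n: ipaddress.ip_network(c) for n, c in direct_routes.items()})
    for name, net in nets.items():
        # pending until some local source address lies in the network
        states[name] = "active" if any(ip in net for ip in sources) else "pending"
    for name, (cidr, hop) in gateway_routes.items():
        ipaddress.ip_network(cidr)                    # validate target network
        hop_ip = ipaddress.ip_address(hop)
        covering = [n for n, net in nets.items() if hop_ip in net]
        if not covering:
            problems.append(f"{name}: next hop {hop} is in no direct attached network")
            states[name] = "pending"
        elif all(states[n] == "pending" for n in covering):
            problems.append(f"{name}: direct route {covering[0]} for next hop {hop} "
                            f"is pending (no source IP in its network)")
            states[name] = "pending"
        elif arp_reachable is not None and hop not in arp_reachable:
            states[name] = "pending"                  # gateway stopped answering ARP
        else:
            states[name] = "active"
    return states, problems


# Constructed sample configuration.
DIRECT = {"wan": "62.99.0.0/24", "dmz": "172.16.0.0/24"}
GATEWAY = {"default": ("0.0.0.0/0", "62.99.0.254"),
           "branch": ("192.168.0.0/16", "172.16.0.254"),
           "bad": ("10.99.0.0/16", "10.99.0.1")}

if __name__ == "__main__":
    states, problems = route_states(DIRECT, GATEWAY, ["62.99.0.10"], "10.0.10.1/24")
    print(states)
    for p in problems:
        print("problem:", p)
```

With only 62.99.0.10 assigned to a virtual server, the wan and default routes are active while dmz and branch stay pending; adding a DMZ virtual server IP activates both. The bad route is flagged because no direct attached network covers its next hop, which is exactly the case the text warns about: without a direct route, the next hop cannot be contacted.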

How to Configure Source-Based Routes


Source-based routing, often referred to as policy routing, is used when the source IP address of the connection determines, in part or completely,
which route is used. Source-based routing can be used to ensure that traffic is sent via a specific connection. For each source-based routing
entry, a routing table for that specific IP address/network is created and consulted when traffic from that network comes in.
Step 1. Create a Source-Based Route

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, click Routing.
3. Click Lock.
4. In the Source Based Routing section, add or edit an entry for your route in the Routing Rules table:
a. Name Enter a name. E.g., route1
b. Source Networks Add the source IP address or network. E.g., 10.0.10.0/24
c. Routes Click + to add a route table entry for the source network.
Target Network Address Enter the target network IP address. E.g., 0.0.0.0/0
Route Type Select unicast, multipath or throw. If throw is selected and the route matches, the lookup in this routing table ends
and continues with the next routing rule (table); the route is not used to forward traffic.
Gateway (only for unicast routes) Enter the IP address of the remote gateway.
Multipath Gateway (only for multipath routes) Enter the Multipath Gateway and Weight Number (Metric) for each route.
Packet Load Balancing (only for multipath routes) If needed, enable packet load balancing.
Route Metric (only for unicast routes) Enter the route metric for the gateway route.
Advertise Route Select YES if you want to use the dynamic routing service. For more information, see Dynamic Routing
Protocols (OSPF/RIP/BGP).
5. Select where the route table is placed, before (premain) or after (postmain) the main routing table.
6. Click OK.
7. Click Send Changes and Activate.
Step 2. Activate the New Network Configuration

After you have configured the network route, you must activate your new network configuration.
1. Go to CONTROL > Box.
2. In the left navigation pane, expand Network and then click Activate new network configuration.
3. Select Failsafe. The Failsafe Activation Succeeded message is displayed after your new network configurations have been
successfully activated.
4. Click OK.


Administration


You can use already existing services in your network, such as DNS, NTP or SCEP servers, when deploying the Barracuda NG Firewall. The Barracuda
NG Firewall supports multiple administrator accounts and restricting management access based on source IP address or network.

Administrators
An administrator account on a Barracuda NG Firewall contains multiple parameters that specify the permissions and restrictions for an
administrator. Administrator rights are split into predefined administrative roles, defining which services an administrator is allowed to use and
which operations the administrator is allowed to perform within the different services.
For more information, see Managing Access for Administrators.

Changing the Root Password and Management ACLs


The Management ACL specifies which IP addresses can access the system. In the system access configuration, you can also change the
password for the root user.
For more information, see How to Change the Root Password and Management ACL.

Administrative Session Time Limits


Session timeouts mitigate the security risk from authenticated, unsupervised connections to the NG Firewall by defining the session time-out for
idle administrative sessions. After the session has been terminated, the admin has to log in again.
For more information, see How to Set Idle Administrative Session Time Limits.

DNS
Introduce either a network DNS server or a DNS server assigned by your ISP on the Barracuda NG Firewall. When resolving DNS requests, the
Barracuda NG Firewall can alter the response (DNS Interception) and redirect or block queries for specific domains by using black and
whitelisting. You can use the same namespace internally and externally and redirect external clients to use one IP address, and internal clients to
use an internal path to the same hostname (Split DNS). DNS queries can be forwarded to or cached from the DNS server.
For more information, see How to Configure DNS Settings and How to Configure DNS Interception.

NTP
You can define one or more NTP server(s) to act as a master clock for the Barracuda NG Firewall. The current time on the system is
synchronized via Network Time Protocol (NTP). Time settings apply to all time-related services on the Barracuda NG Firewall and affect data
accounting, logging, and event notifications. Correct time settings are also important for HA synchronization.
For more information, see How to Configure Time Server (NTP) Settings

Global HTTP Proxy Settings


To configure the Barracuda NG Firewall to connect to the Internet via a proxy server, specify global connection and authentication settings for
your system.
For more information, see How to Configure Global HTTP Proxy.

Email Notifications
Some services, such as the virus scanner, can send email notifications. You can configure the email address and the SMTP server used for
email notifications.

For more information, see How to Configure the System Email Notification Address.

How to Change the Root Password and Management ACL



Restricting access to the management interface of the Barracuda NG Firewall is important for network security. Barracuda Networks strongly
recommends changing the root password after the first login. Use the management access control list to whitelist IP addresses that are allowed to
connect via NG Admin to the Barracuda NG Firewall or NG Control Center.
In this article:
Change the Root Password
Manage the Management Access Control List

Change the Root Password


1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click System Access.
3. Click Lock.
4. In the Root Password section, enter the password for the root user.
5. Click Send Changes and Activate.

Manage the Management Access Control List


Enter the IP addresses or networks for which access to the management IP on TCP ports 22 (secure shell) and 800-820 is granted. Access from
all other addresses to these ports is denied. By default, access is allowed from any address. Changing the ACL does not
terminate active admin sessions. To enforce ACL changes, manually terminate active sessions on the FIREWALL > Sessions page.
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click System Access.
3. Click Lock.
4. In the Access Control List section, click + and add the IP addresses from which the Barracuda NG Firewall can be administered.
5. Click Send Changes and Activate.
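The semantics above (listed sources may reach the management IP on TCP 22 and 800-820, all other sources are denied on those ports, an empty list means any address) are easy to get wrong in the direction that matters most: locking yourself out. The following block is an added example, not Barracuda code; the function names and the sample ACL and addresses are assumptions. It evaluates an ACL for a given source and port and, before Send Changes and Activate, lists the administrator source addresses that would no longer be able to open a new session.

```python
"""Models the management ACL described above: listed addresses or networks may
reach the management IP on TCP 22 and 800-820, all other sources are denied
on those ports, and an empty list means any address (the default). It also
implements the check to run before Send Changes and Activate: would the
address you are connected from be locked out? Added example, not Barracuda
code; function names and sample addresses are assumptions."""
import ipaddress

MANAGEMENT_PORTS = frozenset({22} | set(range(800, 821)))   # ports the ACL governs


def management_access_allowed(acl, src_ip, dst_port=22):
    """acl: list of 'a.b.c.d' or 'a.b.c.d/n' entries; empty = allow any source."""
    if dst_port not in MANAGEMENT_PORTS:
        raise ValueError(f"port {dst_port} is not governed by the management ACL")
    if not acl:
        return True                                  # default: any address may connect
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(entry, strict=False) for entry in acl)


def lockout_check(acl, admin_sources):
    """Return the administrator source addresses that could no longer open a new
    NG Admin or SSH session once `acl` is active. Existing sessions are not
    terminated by the ACL change, so a lockout only shows up at the next login."""
    return [ip for ip in admin_sources if not management_access_allowed(acl, ip)]


ACL = ["10.0.10.0/24", "192.168.100.5"]        # constructed example ACL

if __name__ == "__main__":
    print(lockout_check(ACL, ["10.0.10.7", "203.0.113.9"]))   # ['203.0.113.9']
```

Run the lockout check with every address you administer from, including the address a remote management tunnel or jump host presents to the firewall; because the ACL change leaves current sessions open, the mistake only becomes visible after you disconnect.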

How to Configure DNS Settings



The Barracuda NG Firewall can act as an authoritative DNS server, returning definitive answers to DNS queries about domain names installed in
its configuration. With local DNS caching enabled, DNS queries will be forwarded to or cached from the specified DNS servers and DNS queries
can be logged.
In this article:
Configure Basic DNS Settings
Configure Advanced DNS Settings

Configure Basic DNS Settings
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click DNS Settings.
3. From the Configuration Mode menu, select Switch to Advanced View.
4. Click Lock.
5. Enter the Box DNS Domain that the Barracuda NG Firewall belongs to.
6. In the DNS Server IP table, specify the DNS server's IPv4 and/or IPv6 addresses to be queried by the Barracuda NG Firewall.
7. Click Send Changes and Activate.
Configure Advanced DNS Settings
1. From the Configuration Mode menu, select Switch to Advanced View.
2. In the DNS Search Domains table, add the names of the domains that should automatically be appended to an alias name when
performing a DNS query. Separate multiple domains with spaces.
3. When using multiple DNS servers,
a. Select if DNS queries should regularly rotate between the servers from the DNS Query Rotation list.
b. Specify the DNS Query Timeout in seconds. When the timeout is exceeded, the next DNS server is queried.
4. To add local hosts,
a. Click + in the Known Hosts section.


Virtual Servers and Services


Virtual Servers
The virtual server layer runs on the box layer of the Barracuda NG Firewall. It is a purely logical layer whose most important function is to make IP
addresses available for the services (service layer). By default, the virtual server S1 is already created on every Barracuda NG Firewall except the
larger hardware models. When a virtual server is started, it assigns IP addresses to its services, causing the box layer to automatically activate
pending routes of directly attached network routes.
On a virtual server you must introduce all IP addresses that should be managed by the server and assigned to the services under it. These IP
addresses must be in one of the networks for which a directly attached network route exists on box level. Do not use the IP addresses configured
on the box layer, such as the management IP address or additional local IP addresses, because this causes problems in HA setups. The
encryption level is also configured at the virtual server level. If your Barracuda NG Firewall is running without a valid license (demo mode) or in
an export-restricted country, you can only use export-restricted encryption until your system gets licensed. Virtual servers are bound to the
product type and name. Once created, they cannot be renamed.
For more information, see How to Configure Virtual Servers.

HA Monitoring and Transparent Failover


A virtual server is transferable between members of a high availability cluster. If the primary unit fails, the virtual server, including its assigned IP
addresses and all services, is instantly transferred to the secondary unit. You can also create virtual servers with services to run only on a
secondary unit that, in case of a failover, are transferred to the primary unit and vice versa.
For HA failover, the management IP address and the 1st virtual server IP address are monitored by default. To configure transparent monitoring
for HA clusters, create monitoring policies for interfaces and IP addresses. The virtual server stays up as long as these health check targets are
reachable.
For more information, see Virtual Server Monitoring and High Availability.

Virtual Servers in the NG Control Center


On the Barracuda NG Control Center, virtual servers are created in the NG Control Center cluster. The setup procedure is very similar to the
procedure on a Barracuda NG Firewall, which means that you can create a server and assign the network IP addresses and services. Virtual
servers act as separate configuration entities, so you can copy them from one to another cluster. For example, you can assign the virtual server
S1 once per cluster. When assigning virtual servers to different clusters, the setup requires the matching product type. For example, you cannot
assign a VF25 virtual server to a Barracuda NG Firewall F10.
For more information, see How to Configure Virtual Servers.

Services
The service layer runs on the virtual server layer of the Barracuda NG Firewall. It introduces the services such as firewall, HTTP proxy, VPN, and
DHCP. The services use the configured IP addresses of the virtual server on which they are running. If the virtual server shuts down, all of the
assigned services and IP addresses are also shut down and made unavailable. If the Barracuda NG Firewall is deployed in a high availability
cluster, the services and necessary IP addresses transparently failover to the other HA unit.
For more information, see How to Configure Services, NG Firewall Services or NG Control Center Shared Services

How to Configure Virtual Servers



To manage networking and services on the Barracuda NG Firewall, you can use the virtual server S1 that is already present on the unit. To
extend firewalling and networking capabilities, introduce additional servers with IP addresses that can be adapted and used by networks and
services created under them. If a Barracuda NG Firewall system hosting virtual servers is running in a high availability (HA) cluster, the virtual
servers are also present on the HA unit. If the primary unit fails, the virtual server, IP addresses, and all services are taken over instantly by the
secondary unit.
In this article:
Create a Virtual Server on a Standalone Barracuda NG Firewall
Create a Virtual Server on a Barracuda Control Center
Deleting a Virtual Server
Moving/Copying Virtual Servers (NG Control Center only)

Before you Begin

Verify that direct routes exist on the box layer for the network the virtual server IPs are in. If you are using a HA cluster, the routes must be
configured on both units.

Create a Virtual Server on a Standalone Barracuda NG Firewall


1. Go to CONFIGURATION > Multi-Range > your range > your cluster.
2. Right-click on Virtual Servers in your cluster and select Create Server. The Create Server windows opens.
3. Configure the following settings:
Server Name Enter a unique name up to six characters long for the virtual server.
Product Type Select the model of your Barracuda NG Firewall. The product type of the virtual server and the NG Firewall the
virtual server is running on must match.
Active Box Select This-Box.
Backup Box (optional) Select Other-Box if you are using a high availability cluster, or No-Backup if you are using a
standalone Barracuda NG Firewall.
Encryption Level Select Full Featured Encryption unless you are running in demo mode or are located in an
export-restricted country.
First-IP Enter the first IP address for the virtual server.
Reply to Ping Select yes for the virtual server to answer ICMP pings on the first IP address.
Second-IP (optional) Enter the second IP address for the virtual server.
Reply to Ping Select yes for the virtual server to answer ICMP pings on the second IP address.
Additional IP (optional) Enter as many additional IP addresses as needed.
4. Click Next
5. (optional) Configure monitoring settings for the virtual server. For more information, see Virtual Server Monitoring.
6. Click Next.
7. (optional) Enter custom command-line scripts that are executed when the virtual server is started or stopped. For more information, see
Command-Line Interface.
8. Click Finish.
9. Click Activate.

Create a Virtual Server on a Barracuda Control Center


Create a virtual server in a cluster on the Barracuda NG Control Center. The virtual server can be used for every managed NG Firewall of the
same product type in the cluster.
1. Go to CONFIGURATION > Multi-Range > your range > your cluster.
2. Right-click on Virtual Servers in your cluster and select Create Server. The Create Server windows opens.
3. Configure the following settings:
Server Name Enter a unique name up to six characters long for the virtual server.
Product Type Select the model of your Barracuda NG Firewall. The product type of the virtual server and the NG Firewall the
virtual server is running on must match.
Encryption Level Select Full Featured Encryption unless you are running in demo mode or are located in an
export-restricted country.
Primary Box Select the NG Firewall the virtual server runs on. The box must be in the same cluster as the virtual server.
Secondary Box (optional) Select the secondary NG Firewall
First-IP Enter the first IP address for the virtual server.
Reply to Ping Select yes for the virtual server to answer ICMP pings on the first IP address.
Second-IP (optional) Enter the second IP address for the virtual server.
Reply to Ping Select yes for the virtual server to answer ICMP pings on the second IP address.
Additional IP (optional) Enter as many additional IP addresses as needed.
4. Click Next.
(optional) Create or import the Server Private Key.
(optional) Import the Server Certificate.
5. Click Next.
6. (optional) If you are planning to use GTI, add the local networks for the VPN tunnels. For more information, see CC VPN GTI Editor.
7. Click Next.
8. (optional) Configure monitoring settings for the virtual server. For more information, see Virtual Server Monitoring.
9. Click Next.
10. (optional) Enter custom command-line scripts that are executed when the virtual server is started or stopped. For more information, see
Command-Line Interface.
11. Click Finish.
12. Click Activate.

Deleting a Virtual Server


If you delete a virtual server, all of its assigned services are also deleted. Before changing server and service settings, back up your system
configuration. For more information, see Backups and Recovery.
1. Right-click on the virtual server you want to delete and click Lock.
2. Right-click on the virtual server and click Remove Server.
3. Click Yes. The virtual server and all its services are now marked with a red "x".
4. Click Activate.

Moving/Copying Virtual Servers (NG Control Center only)


You can move or copy virtual servers on the NG Control Center between different clusters. It is not possible to create a copy of a virtual server in
the same cluster it is currently in. The clusters must use at least the same release version. For example, you cannot move a 6.0 virtual server to a
5.2 cluster.
1. Right-click on the virtual server you want to move or copy and click Lock.
2. Right-click on the virtual server and click Move Server or Copy Server.
3. Select the destination in the Range/cluster tree.
4. Enter the new name of the virtual server.
5. Click OK.
6. Click Activate.

Virtual Server Monitoring



To ensure and maintain the connectivity of a virtual server, you can define pools of IP addresses and/or network interfaces that are continuously
monitored by the Barracuda NG Firewall. If the health check of a monitored IP address or the link state of a network interface fails, the virtual
server is automatically shut down. As soon as the health check target is successful, the virtual server is started again. Monitoring policies define
which requirements must be met for the virtual server to remain active, or to be shut down. If you are using an HA cluster, you can use monitoring
policies to define the behavior of the secondary HA unit. If necessary, you can use custom scripts which are executed when the virtual server is
started or stopped.
In this article:
Layer 3 Monitoring
Layer 2 Monitoring
Server Monitoring in HA Clusters
Step 1. Configure the Operation Mode
Step 2. Configure the Monitoring Policy
Configure Custom Scripts

Layer 3 Monitoring
The Layer 3 monitoring policy defines the settings for IP address monitoring. The policy configuration provides two address pool tables. Add the
target addresses to the tables. These IP addresses must be reachable for the virtual server to stay up. The following Layer 3 monitoring policies
are available:
all-OR-all-present All of the IP addresses from at least one IP address pool, e.g., from the Monitored IPs I table, must be reachable. If
you enter IP addresses in both the Monitored IPs I and II tables, the IP addresses from at least one of these tables must be available.
Otherwise, the virtual server is deactivated.
one-AND-one-present At least one IP address from each monitoring pool must be reachable. If you only enter IP addresses in the Mo
nitored IPs I table, at least one IP address from this table must be available. If you enter IP addresses in both tables, at least one IP
address in each table must be available.
The control service runs an ICMP check on all IP addresses in 10-second intervals. If no answer is received, the IP addresses are probed every
second for a 10-second period. If no response is received from a valid health check target during the 10-second period, the virtual server shuts
down. The server is reactivated as soon as an answer is received for the subsequent probes.
Example Setup:
Layer 3 monitoring is configured for the virtual server S2, using both address pools with the following IP addresses and statuses:

Monitored IPs I    Status    Monitored IPs II    Status
10.0.10.110        up        10.0.10.88          up
10.0.10.68         down      10.0.10.99          down

The status of the virtual server is displayed on the CONTROL > Server page:
If the monitoring policy one-AND-one-present is used, the server stays up because one IP address of each address pool is available.
If the all-OR-all-present policy is used, the server shuts down because neither IP pool is fully available.

Layer 2 Monitoring
The Layer 2 monitoring policy defines the settings for interface monitoring. Add the interfaces that should be checked according to the policy in
the Monitored Interfaces I and II tables. Layer 2 monitoring is available in the following modes:
all-OR-all-present All of the interfaces from at least one interface pool, e.g. from the Monitored Interfaces I table, must be available.
one-AND-one-present At least one interface from each interface pool table must be available. If you have added interfaces in only one
table, at least one interface from this table must be available. If you have added interfaces in both tables, at least one interface from
each table must be available.
The control service checks the link status of each interface on a regular basis. Depending on the selected policy, the server is shut down if the
links on the monitored interfaces are unavailable. The server is restarted when the links of the monitored interfaces are up again.
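The two policies above apply identically to IP address pools (Layer 3) and interface pools (Layer 2), and the Layer 3 section also fixes the probing timeline: one ICMP check every 10 seconds, then one probe per second for 10 seconds after a missed answer, shutdown if that window passes without an answer, restart on the next answer. The following block is an added example, not Barracuda code. It evaluates both policies over the example pools from the Layer 3 section and replays the timeline for a single target; the per-second reply sequences are constructed, and probing once per second while the server is down is an assumption the text does not state.

```python
"""Evaluates the two monitoring policies described for Layer 3 (IP address
pools) and Layer 2 (interface pools), using the example pools above, and
replays the probing timeline for one Layer 3 target: one ICMP check every
10 s, then one probe per second for 10 s after a missed answer, shutdown
when that window passes without an answer, restart on the next answer.
Added example, not Barracuda code; the per-second reply sequences are
constructed, and probing once per second while down is an assumption."""


def server_should_run(policy, pools, status):
    """pools: [Monitored I, Monitored II] lists of IPs or interface names.
    status: {target: True if reachable / link up}. Empty pools are ignored;
    with no targets at all there is nothing to monitor and the server stays up."""
    pools = [p for p in pools if p]
    if not pools:
        return True
    if policy == "all-OR-all-present":
        return any(all(status[t] for t in p) for p in pools)   # one pool fully up
    if policy == "one-AND-one-present":
        return all(any(status[t] for t in p) for p in pools)   # each pool partly up
    raise ValueError(f"unknown policy {policy}")


def target_timeline(replies):
    """replies[t]: whether the target answered a probe sent in second t.
    Returns the (second, 'down'|'up') transitions of the server state."""
    state, transitions = "up", []
    window_end = None                     # end of the 1 s probing window, if open
    for t, answered in enumerate(replies):
        if state == "down":
            if answered:                  # first answer after shutdown restarts it
                state = "up"
                transitions.append((t, "up"))
            continue
        if window_end is None:
            if t % 10 == 0 and not answered:
                window_end = t + 10       # miss on the 10 s check: probe each second
            continue
        if answered:
            window_end = None             # recovered inside the window
        elif t >= window_end:
            state = "down"
            transitions.append((t, "down"))
            window_end = None
    return transitions


# Example setup from the text: pool I = 10.0.10.110 (up), 10.0.10.68 (down);
# pool II = 10.0.10.88 (up), 10.0.10.99 (down).
EXAMPLE_POOLS = [["10.0.10.110", "10.0.10.68"], ["10.0.10.88", "10.0.10.99"]]
EXAMPLE_STATUS = {"10.0.10.110": True, "10.0.10.68": False,
                  "10.0.10.88": True, "10.0.10.99": False}

if __name__ == "__main__":
    for policy in ("one-AND-one-present", "all-OR-all-present"):
        up = server_should_run(policy, EXAMPLE_POOLS, EXAMPLE_STATUS)
        print(policy, "->", "up" if up else "down")
    # 12 missed probes, then answers from second 12 on
    print(target_timeline([False] * 12 + [True] * 3))
```

The timeline makes the practical consequence visible: a target that drops a single 10-second check but answers any of the following one-second probes never takes the server down, while a target that stays silent for the whole window shuts the server down at second 10 and brings it back with the first answer, which is why flapping health check targets cause repeated virtual server restarts.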

Server Monitoring in HA Clusters


If your Barracuda NG Firewall is part of an HA cluster, you can extend the monitoring policy to both units. For HA monitoring, you can select the
following options:
Monitoring on Backup Box If set to No (default), server monitoring on box and HA box is processed only by the primary unit. In case
of failover, the non-availability of health check targets is ignored by the HA box and the server stays up on the secondary unit. If set to Yes,
the monitoring policy will also be enforced by the backup box. In case of a failover, the virtual server is then also deactivated on the
secondary unit if the monitoring fails there as well.
Shared-HA-Probing Shared HA probing combines the IP address and interface information of both units. Both sets of IP addresses or
interfaces must be available on both units. An IP address or interface that is not operational on both HA peers will be excluded from the
HA logic decision. If a server is active on a unit and blocked on the peer unit, any probing results will be ignored. The probing decision will
only be made if a situation persists over two probing cycles. This gives the system time to account for the delay between detection and
synchronization and avoids aliasing effects.
Local-HA-Probing (default) Only local health check target resources are probed. This means every HA partner performs its own
monitoring procedure.

Step 1. Configure the Operation Mode


Configure the monitoring policies for IP addresses and interfaces that must be reachable in order for the virtual server to stay up. When your
Barracuda NG Firewall unit resides in an HA cluster, specify the monitoring policy for the case of HA failover:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Monitoring Policy.
3. Click Lock.
4. From the Monitoring on Backup Box list, select whether monitoring should be performed and, in case of failover, adapted by a
secondary HA unit.
5. Select the Probing Policy. For more information, see Server Monitoring in HA Clusters.

Step 2. Configure the Monitoring Policy


Specify the monitoring policy for IP addresses and interfaces.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Monitoring Policy.
3. Click Lock.
4. In the Layer 3 Monitoring section, specify the IP address monitoring policy. For more information, see Layer 3 Monitoring.
5. In the Monitored IPs I / II tables, add the IP addresses that must be reachable via the ICMP protocol by the system that is hosting the
server.
6. In the Layer 2 Monitoring section, specify the interface monitoring policy. For more information, see Layer 2 Monitoring.
7. In the Monitored Interfaces I / II tables, add the physical interfaces that must have a link in order for the server to stay up.
8. Click Send Changes and Activate.

Configure Custom Scripts


Configure custom scripts for use with your monitoring policies. These scripts are run after the server starts or before the server shuts down due to
unreachable IP addresses or interfaces.
Do not use phionctrl in your custom scripts; this might cause a deadlock.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Custom Scripts.
3. Click Lock.
4. In the Start and Stop Script fields, enter the commands that should be executed when the server is started up or shut down (7-bit ASCII
characters and standard Bash version 2-compliant).
5. Click Send Changes and Activate.

How to Configure Services

The Barracuda NG Firewall has two types of services. Box services provide functionality required to run the Barracuda NG Firewall system. They
are factory-defined and cannot be created or removed by the user. Server services are created and run in a virtual server. Services relying on
other services for certain functionality (e.g., the Firewall and Virus Scanner services) must be created on the same virtual server. Although
possible, it is recommended to create only one service type per virtual server. You can create the following services:
Barracuda NG Firewall Services
Depending on your model, some services may not be available. Consult the datasheet for your appliance for more information on which services
are available for your model.
DHCP Service
DHCP Relay
DNS
Firewall
FTP Gateway
HTTP Proxy
URL Filter
Mail Gateway
OSPF/RIP/BGP Service
SNMP Service (Server Layer)
SPAM Filter
SSH Proxy
Virus Scanner
VPN Service
Access Control Service
Barracuda NG Control Center Services
CC DNS
CC Firewall
CC Configuration Service
CC Event Service
CC Syslog Service
CC FW Audit Log Service
CC Reporter
CC Statistics Collector
CC VPN Service
CC Access Control Service
CC PKI Service

In this article:
Create a Service
Remove a Service
Enable or Disable a Service
Move a Service

Create a Service
Step 1. Add a Service to a Virtual Server

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services.
2. Right-click Assigned Services and select Create Service.
3. Enter a Service Name. The name must be unique and no longer than six characters. The service name cannot be changed later.
4. In the Software Module field, select the type of service that you are creating. You cannot change the service type after the service is
created.
The types of services that you can create are dependent on your license and system model. Verify the product type and
appliance model in the Box Properties if services are missing.

Step 2. Service IPs and Type of Service

Assign the IP addresses the service listens on.
1. In the Service IPs section, enter the IP addresses for the service.
2. Select the IP addresses the service listens on from the Service Availability list:
All IPs: Some services (e.g., firewall) automatically listen on all available Server IP addresses.
First + Second-IP: Listen on the first and second virtual server IP address.
First-IP: Listen on the first virtual server IP address.
Second-IP: Listen on the second virtual server IP address.
Explicit: Add the IP addresses you want to use to the Explicit Service IPs table. Explicit IP addresses must also be added to
the Additional IP table in the Server Properties of the virtual server. For more information, see How to Configure Virtual
Servers.
3. Click Next.
Step 3. Statistics (optional)

Enable statistics settings for the service. By default, all settings are enabled for the service:
1. In the Statistics Settings section, set Generate Statistics to yes.
2. Edit the following settings according to your requirements:
Src Statistics: Generates IP source-based statistical data for the service. Only the number of connections from IP addresses is
recorded. The times at which the connections were made are not recorded.
Src Time-Statistics: Generates IP source-based statistical data for the service. Both the number of connections made from IP
addresses and the times at which the connections were made are recorded.
Dst Statistics: Generates IP destination-based statistical data for the service. Only the number of connections to IP addresses
is recorded. The times at which the connections were made are not recorded.
Dst Time-Statistics: Generates IP destination-based statistical data for the service. Both the number of connections made to
IP addresses and the times at which the connections were made are recorded.
Src-Dst Statistics: Generates IP source/destination pair-based statistical data for the service. Only the number of connections
to and from IP addresses is recorded. The times at which the connections were made are not recorded.
3. Click Next.

Step 4. Access Notification (optional)

Configure which events are created for successful and unsuccessful logins. On standalone Barracuda NG Firewalls and on the box level of the
NG Control Center, this setting can only be configured for all administrators. On the Barracuda NG Control Center, each type of administrator
(Multi-Range > Global Settings > CC Access Notification) can be handled separately. Access notifications are only available for the DHCP Server,
Firewall, VPN Service and Mail Gateway services.

The following events are used for login attempts:
The User Unknown event is generated when the admin ID is unknown to the underlying Barracuda Networks authentication module.
The Authentication Failure event type is used when the password or key do not match or the admin is not authorized to access the
service (multi-admin environment, only in conjunction with a Barracuda NG Control Center).
To configure which events are created, complete the following steps:
1. In the Notification section, edit the following settings according to your requirements:
a. Success: Select the notification level for a successful login:
Silent: No event.
Notice: NGFW Subsystem Login Notice [2420].
Warning: NGFW Subsystem Login Warning [2421].
Alert: NGFW Subsystem Login Alert [2422].
b. Failure: Select the notification level for an unsuccessful login:
Silent: No event.
Notice: NGFW Subsystem Login Notice [2420].
Warning: NGFW Subsystem Login Warning [2421].
Alert: NGFW Subsystem Login Alert [2422].
2. Click Finish.
3. Click Activate to create the service.

The service is now displayed as active on the CONTROL > Server page.

Remove a Service
Removing a service is permanent and cannot be undone.
1. Expand the Assigned Services node (Configuration > Configuration Tree > Box > Virtual Servers > your virtual server).
2. Right-click the service you want to delete and click Lock.
3. Right-click the service you want to delete and click Remove Service. A verification popup opens.
4. Click Yes.
5. Click Activate.

Enable or Disable a Service

Windows Defender 1.x: the chart states Implemented although it may not work on the 64-bit client. The reason for this is that the
released version of the 64-bit client contains a 32-bit compatible COM+ server for integrated OPSWAT modules (health-check).
Therefore, this component is not yet implemented as native 64-bit.
This leads to some restrictions regarding auto-remediation features of the health agent system:
Enabling and disabling of Virus and Spyware Scanner functionality cannot be done automatically for some vendors (see
support charts).
Auto-remediation for Virus Scanner and Spyware Scanner engine and pattern updates is disabled in the 64-bit client.

DHCP

DHCP Service
The DHCP service automatically assigns IP addresses to clients that reside in a defined subnet. In the DHCP server configuration, you can define
address pools and explicitly map MAC addresses to a reserved IP address. You can also define additional parameters that are passed to the
client when an IP address is requested.
For configuration instructions, see How to Configure the DHCP Service and Advanced DHCP Settings.

DHCP Relay
The DHCP Relay service forwards DHCP broadcast messages to other network segments. DHCP relaying allows you to share a single DHCP
server across logical network segments that are separated by a firewall.
For more information, see How to Configure the DHCP Relay Agent.

How to Configure the DHCP Service


Configure the DHCP service and specify a network range from which the IP addresses for the clients will be assigned. In the advanced settings for
DHCP, you can configure additional service availability settings and set up HA synchronization.
In this article:
Before you Begin
Configure the DHCP Service
Check the DHCP Server Status
Configure Advanced DHCP Settings
Before you Begin

Add a Virtual Server IP for each subnet you want to use for the DHCP server. For more information, see Virtual Servers and Services.
Configure the DHCP Service

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service
> DHCP Enterprise Configuration.
2. Click Lock.
3. In the left menu, select Operational Setup IPv4 or IPv6.
4. In the Address Pool Configuration window, enable DHCP.
5. Click + to add an entry to the Subnets table.
6. Enter a descriptive name for the subnet and click OK. The Subnets configuration window opens.
7. From the Used Subnet list, select one of the available IPv4 subnets, or select explicit and enter the IP address in the Network Address
field.
When using IPv6, select any (stateless dhcp) to use DHCPv6 to extend IPv6 with DHCP capabilities (assigning a domain name or
DNS servers).
8. In the DHCP Server Identifier field, enter the name of the server. This name is provided to the client.
9. Click + to add a new entry to the Pool Ranges table.
10. Specify the following for each range:
IP Begin: The first IP address in the network range. E.g.: 10.10.10.20
IP End: The last IP address in the network range. E.g.: 10.10.10.40
11. Click OK.
12. (optional) Add MAC to IP address mappings to the Reservations table:
a. Enter the Reserved IP for the client.
b. Enter the MAC Address of the client.
13. Click OK.
14. In the Router table, add the default gateway IP address. E.g.: 10.10.10.100
15. In the DNS Servers table, add the DNS server IP address. E.g.: 10.10.10.100
16. Enter the Domain Name if the client range is part of a domain.
17. Enter the NIS Domain Name and specify the details required for all servers that should be assigned.
18. In the Static Route Net table, click + to add static routes that the client should install in its routing cache. If there are multiple routes to
the same destination, list them in descending order of priority.
a. In the Static Route Net field, enter the destination IP address.
b. In the Static Route GW field, enter the IP address of the router.
c. Click OK.
19. Enter the TFTP Server Name if the 'sname' field in the DHCP header has been used for DHCP options.
20. Enter the TFTP Server IP Address for Cisco CallManager devices. In this field, you can enter a comma-delimited list of addresses.
21. Enter the Boot File Name if the 'file' field in the DHCP header has been used for DHCP options.
22. If you set the Barracuda Network Access Clients Policy of an Address Pool to Barracuda Network Access Clients or guests, add the
required info to the Access Control Service IPs/Names table for a client to receive valid policy server information.
You can add vendor IDs, policy server IP addresses, or DNS resolvable policy server names. If the Barracuda Network
Access Clients Policy field is set to none, the information in the Access Control Service IPs/Names table is ignored.
23. For information on dynamic DNS configuration, refer to How to Configure DHCP with Dynamic DNS.
24. For information on lease configuration, refer to How to Configure DHCP Parameter Templates.
25. Click OK.
26. Click Send Changes and Activate.

Check the DHCP Server Status

Click the DHCP Tab to check the real-time status of the configured DHCP server.
Configure Advanced DHCP Settings

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service
> DHCP Enterprise Configuration.
2. From the left Configuration Mode menu, select Switch to Advanced View.
3. Click Lock.
4. In the left pane, select Operational Setup IPv4 or IPv6.
5. In the Address Pool Configuration window, enable DHCP.
6. Enable Use Advanced Pool Configuration. This disables the Subnets section and allows configuration of address pools.
7. In the DHCP Server Identifier field, enter the name of the server. This name is provided to the client.
8. Enable Server Is Authoritative.
When the DHCP server receives a DHCPREQUEST message from a DHCP client requesting a specific IP address, the DHCP
protocol requires that the server determine whether the IP address is valid for the network to which the client is attached. If the
address is not valid, the DHCP server should respond with a DHCPNAK message, forcing the client to acquire a new IP
address. To make this determination for IP addresses on a particular network segment, the DHCP server must have complete
configuration information for that network segment. Unfortunately, it is not safe to assume that DHCP servers are configured
with complete information. Therefore, the DHCP server normally assumes that it does not have complete information and, thus,
is not sufficiently authoritative to safely send DHCPNAK messages as required by the protocol.
9. Select the UDP Listen Port on which the DHCP server listens for DHCP requests. By default, the server listens on port 67.
10. For an HA setup, edit the settings in the HA Synchronization Setup section to synchronize the DHCP database between both units:
a. Enable HA Synchronization to synchronize the DHCP database between the HA units.
b.
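The pool, reservation and router entries from the Configure the DHCP Service steps, and the Server Is Authoritative behaviour explained in step 8 above, worked through as an added example. This is not Barracuda code and not the appliance's DHCP implementation: the Scope class, the consistency checks and the handle_request model are this example's own, lease state is not modelled, and the sample scope reuses the 10.10.10.x values from the steps.

```python
"""Added example, not Barracuda code: consistency checks for a DHCP scope as entered in
steps 7-15 above (subnet, pool ranges, reservations, router, DNS), and a model of the
Server Is Authoritative decision for a DHCPREQUEST. Class and function names are this
example's own; the sample scope reuses the 10.10.10.x values from the steps."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple


@dataclass
class Scope:
    network: IPv4Network                           # Used Subnet
    pools: List[Tuple[IPv4Address, IPv4Address]]   # Pool Ranges as (IP Begin, IP End)
    reservations: Dict[str, IPv4Address]           # MAC Address -> Reserved IP
    routers: List[IPv4Address]                     # Router table
    dns_servers: List[IPv4Address]                 # DNS Servers table


def in_pool(scope: Scope, ip: IPv4Address) -> bool:
    return any(begin <= ip <= end for begin, end in scope.pools)


def validate_scope(scope: Scope) -> List[str]:
    """Return a list of problems; an empty list means the scope is consistent."""
    net, problems = scope.network, []
    for begin, end in scope.pools:
        if begin > end:
            problems.append(f"pool {begin}-{end}: IP Begin is after IP End")
        for ip in (begin, end):
            if ip not in net:
                problems.append(f"pool {begin}-{end}: {ip} is outside {net}")
        if begin == net.network_address or end == net.broadcast_address:
            problems.append(f"pool {begin}-{end}: includes the network or broadcast address")
    seen: Dict[IPv4Address, str] = {}
    for mac, ip in scope.reservations.items():
        if ip not in net:
            problems.append(f"reservation {mac}: {ip} is outside {net}")
        if in_pool(scope, ip):
            problems.append(f"reservation {mac}: {ip} overlaps a dynamic pool")
        if ip in seen:
            problems.append(f"reservation {mac}: {ip} already reserved for {seen[ip]}")
        seen[ip] = mac
    for gw in scope.routers:
        if gw not in net:
            problems.append(f"router {gw} is not in {net}; clients cannot reach it")
        if in_pool(scope, gw):
            problems.append(f"router {gw} lies inside a dynamic pool")
    return problems


def handle_request(scope: Scope, mac: str, requested: IPv4Address, authoritative: bool) -> str:
    """Model the Server Is Authoritative setting for a DHCPREQUEST (lease state is not modelled).

    DHCPACK  - the address is valid on this segment: reserved for this MAC, or inside a
               pool while the MAC has no reservation of its own.
    DHCPNAK  - the address is not valid here and the server is authoritative, so the
               client must discard it and start over with DHCPDISCOVER.
    IGNORE   - the address is not valid here but the server is not authoritative, so it
               stays silent rather than NAK an address another server may own."""
    reserved = scope.reservations.get(mac)
    valid = requested in scope.network and (
        requested == reserved or (reserved is None and in_pool(scope, requested)))
    if valid:
        return "DHCPACK"
    return "DHCPNAK" if authoritative else "IGNORE"


# Constructed sample scope using the example values from the steps above.
EXAMPLE_SCOPE = Scope(
    network=IPv4Network("10.10.10.0/24"),
    pools=[(IPv4Address("10.10.10.20"), IPv4Address("10.10.10.40"))],
    reservations={"00:11:22:33:44:55": IPv4Address("10.10.10.50")},
    routers=[IPv4Address("10.10.10.100")],
    dns_servers=[IPv4Address("10.10.10.100")],
)
```

The checks worth running before clicking Send Changes and Activate are the ones easily missed by hand: a reserved address or the router address sitting inside a dynamic pool, or a pool range that leaves the subnet. The handle_request model shows what Server Is Authoritative changes: an authoritative server answers a client holding an address it does not own on that segment with DHCPNAK, which is the desired behaviour when it is the only DHCP server there, and the reason the non-authoritative default stays silent instead.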

Firewall

The Host and Forwarding Firewall can handle only IP protocols. Non-IP traffic (such as Spanning Tree Protocol or IPX/SPX) is not
forwarded.

Forwarding Firewall
The Forwarding Firewall handles all traffic for which the destination does not match a listening socket on the Barracuda NG Firewall. You can
create one (forwarding) Firewall service on each virtual server. This service listens on all IP addresses configured for the virtual server and is
responsible for all connections that must be transferred over the Barracuda NG Firewall to a remote host. The firewall rules for the Forwarding
Firewall are maintained in the forwarding ruleset. The Forwarding Firewall is tightly integrated with Application Control 2.0, Virus Scanners,
Advanced Threat Detection (ATD), Intrusion Prevention System (IPS), and the URL Filter. Examples of connections that use the Forwarding
Firewall are:
A web browser that connects to an external web server without using the HTTP Proxy service on the Barracuda NG Firewall
The administrator pings an external Linux server
Traffic entering or leaving a VPN tunnel (the forwarded payload; the encrypted traffic between the tunnel endpoints is handled by the Host Firewall)
For more information, see Forwarding Firewall.

Host Firewall
There is one Host Firewall service running on the box layer of every Barracuda NG Firewall and Barracuda NG Control Center. Host Firewall rules
are applied to connections where the target IP address and port number match a listening socket of a service on the Barracuda NG Firewall. The
boxfw service manages this ruleset and additional traffic handlers such as SIP, RPC, Timer, Audit, Trace, and Sync. Restarting the boxfw service
reinitializes the service handlers and reloads the ruleset. The boxfw service is automatically activated on the Barracuda NG Firewall. You can
have only one Host Firewall on a system. Examples of connections that are handled by the Host Firewall are:
An incoming connection from a web browser to the HTTP Proxy service running on the Barracuda NG Firewall
An outgoing connection from the HTTP Proxy service running on the Barracuda NG Firewall to a web server on the Internet
Outgoing and incoming VPN traffic between the Barracuda NG Firewall VPN service and the remote tunnel endpoint
Outgoing NTP or DNS queries
For more information, see Host Firewall.

Forwarding Firewall
The forwarding firewall service provides a policy framework to direct and manage traffic passing through the Barracuda NG Firewall:
Firewall Policies:
Firewall Access Rule Set: The access rule set contains a list of access rules. Incoming traffic is compared against the
matching criteria set within each access rule. When a match is found, the action set in the access rule is executed. You can
enable advanced features (Application Control, QoS, IPS) on a per-rule basis.
Application Rule Set: If Application Control is enabled in an access rule that is executed, the application rule set is called.
Applications and (if applicable) URL categories are detected and compared to the list of application rules. Upon a match, the
application traffic is either passed or blocked depending on the action set in the application rule.
IPS Policies: Detect and block network attacks by comparing incoming traffic with predefined, constantly updated patterns.
Traffic Shaping (QoS) Policies: Shape traffic to improve use of the available bandwidth by prioritizing connections that are important
for your business.
User Policies: Allow or block access to network resources based on user information.
Schedule (Time) Policies: Allow or block access to network resources based on time or date.
Traditional packet forwarding capabilities are handled by the access rule set, while next-generation application-aware policies are applied in the
dedicated application rule set.

Access Rules

The basic job of the firewall is to manage traffic between various trusted and untrusted network segments. Incoming network traffic is compared to
the first access rule in the rule set. If the traffic does not match the criteria set in the rule, the next rule is evaluated, continuing from top to bottom
until a matching rule is found. The first matching access rule is executed. If none of the rules match, the default BLOCKALL rule blocks the traffic.
For more information, see Firewall Access Rules.
Next Generation Firewall Capabilities

Application Control 2.0 (with or without SSL Interception), a tightly integrated Intrusion Prevention System (IPS), URL filtering for content security,
and Virus Scanning in the firewall offer granular control over your network traffic.
Application Detection For each access rule, you can enable Application Control. Application Control detects applications and
subapplications. Detected application traffic can then be manipulated by the application rule set. By using custom application-based link
selection connection objects, you can route traffic based on application type.
For more information, see Application Control 2.0
SSL Interception Most application traffic is SSL encrypted. SSL Interception transparently decrypts the SSL connections and
re-encrypts the traffic before it is forwarded to its destination. SSL Interception enables Application Control to better detect
sub-applications, making it possible to block single features such as Facebook games, while still allowing access to the rest of the site.
URL Filter If you want to block inappropriate web-based content from your network, use the Barracuda Webfilter to filter a large
number of websites based on categories. With the URL filter, you can create either a whitelist (blocking everything except for selected
sites) or a blacklist (blocking known unwanted content). If a site is not in the URL database, you can define a custom URL policy for it.
The URL Filter can only filter based on the URL of the website. It does not offer the more granular control over sub-applications that
Application Control does.
For more information, see URL Filter.
Virus Scanning To protect against malware and viruses, enable antivirus (AV) scanning in the firewall. If a user downloads a file
containing malware, the Barracuda NG Firewall detects and discards the infected file and then redirects the user to a warning page. You
can use the Avira and/or the ClamAV antivirus engines and specify the MIME types of all files that are to be scanned.
For more information, see How to Configure Virus Scanning in the Firewall.
ATD Barracuda Advanced Threat Detection secures your network against zero-day exploits and other malware not recognized by the
IPS or Virus Scanner. You can choose between two policies: either the file is delivered first and scanned afterwards, and the user is
quarantined if the file turns out to be a threat, or the file is scanned first and only delivered to the user after it is known to be safe.
For more information, see Advanced Threat Detection (ATD).
Traffic Shaping (QoS)

Use QoS bands to prioritize business-critical traffic over less important traffic:
Traffic shaping protects the available overall bandwidth of a connection. Network traffic is classified and throttled or prioritized within each
access rule.

Traffic shaping for application traffic can be configured in the application policy rules. For more information, see Application Control 2.0.
For more information, see Traffic Shaping.
Intrusion Prevention System (IPS)

The tightly integrated Intrusion Prevention System (IPS) monitors the network for malicious activities and blocks detected network attacks. The
IPS engine analyzes network traffic and continuously compares the bitstream with its internal signature database for known attack patterns. IPS
must be globally enabled on a Barracuda NG Firewall. However, you can enable or disable IPS for each firewall rule.
For more information, see Intrusion Prevention System (IPS).
Users/Time

For more granular control, you can configure access rules that are only applied to specific users or during specific times.
Users can be used as a criterion for a rule. To enable the Barracuda NG Firewall to be aware of which connection belongs to a specific
user, use the Barracuda DC Agent, Barracuda TS Agent, or the Barracuda NG Firewall Authentication Client.
For more information, see User Objects.
You can create access rules that are only active for specific times or dates. For example, you can create a time object that only includes
Mondays and the hours of 8:00 am to 9:00 am. An access rule including this time object allows traffic only during the time span defined in
the time object.
For more information, see Schedule Objects.
Firewall Objects

Use firewall objects to reference specific networks, services, time and dates, user groups, or connections when creating firewall rules. You can
use firewall objects that are preconfigured on the Barracuda NG Firewall or create custom objects to fit your needs. The main purpose for firewall
objects is to simplify the creation and maintenance of firewall rules. Firewall objects are re-usable, which means that you can use one firewall
object in as many rules as required. Each firewall object has a unique name that is more easily referenced than an IP address or a network
range.
For more information, see Firewall Objects.
Layer 7 Application Control (Legacy)

Barracuda Networks recommends using Application Control 2.0.


Layer 7 Application Control is a legacy feature using Deep Packet Inspection (DPI) and behavioral traffic analysis to detect and classify network
traffic based on Layer 7 applications and protocols.
For more information, see Layer 7 Application Control.

Firewall Access Rules


The firewall service compares the incoming traffic to the access rules until it has found a match and then executes the policy defined in the
matching rule. The following article explains the configuration and interaction of access rules on the Barracuda NG Firewall.
Access Rule Settings

For each access rule you can configure the following settings:
Name: The name of the access rule. This name is displayed on the Firewall > Live and History pages.
Description: An additional field in which you can enter a description of the access rule, to help you and others determine the purpose of
the access rule in case it must be edited later.
Action: Specifies how the Barracuda NG Firewall handles network traffic that matches the criteria of the rule. The following actions are
available:
Pass: The Barracuda NG Firewall passes all network traffic that matches the access rule.
Block: The Barracuda NG Firewall silently discards all network traffic that matches the access rule and does not answer any packet
from this particular network session.
Deny: The Barracuda NG Firewall rejects all network traffic that matches the access rule. Matching network sessions are
terminated by replying with TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests, and ICMP Denied by Filter for
other IP protocols.
Dst NAT: The Barracuda NG Firewall rewrites the destination IP address, network, or port to a predefined network address.
Map: The Barracuda NG Firewall rewrites IP ranges or networks to a predefined network or IP range.
App Redirect: The Barracuda NG Firewall redirects the traffic locally to one of the services running on the Barracuda NG
Firewall.
Broad Multicast: The Barracuda NG Firewall forwards broadcasts for bridged networks.
Cascade: Jump to and evaluate a different rule list.
Cascade Back: Jump back to the global rule list and resume evaluating the access rules below the cascade rule.
Service: The protocol and protocol/port range of the matching traffic. You can define one or more services for the access rule. You can
select a predefined service object or create your own service objects (see: Service Objects).
Source: The source IP address/netmask of the connection to be handled by the rule. You can select a network object or explicitly enter
a specific IP address/netmask.
Destination: The destination IP address/netmask of the connection that is affected by the rule. You can select a network object or
explicitly enter a specific IP address/netmask.
Connection Method: The outgoing interface and source (NAT) IP address for traffic matching the access rule, using connection objects
(see below).
Connection Objects

The following table lists the predefined connection objects.

Predefined Connection Object | Outgoing Interface and IP Address Determined by
Dynamic SNAT (Source-based NAT) | Changes the source IP address of the network packets to that of the matching interface with the lowest metric according to the routing table.
No SNAT (No Src NAT - Client) | The connection is established using the original source IP address.
SNAT with DSL IP | Source NAT with the IP address of the ppp1 device (DSL uplink).
SNAT with 3G IP | Source NAT with the IP address of the ppp5 device (3G uplink).
SNAT with DHCP IP | Source NAT with the IP address of the dhcp device (DHCP uplink).
NAT Tables | Source NAT for networks or IP ranges. Multiple rewrite conditions can be configured per connection object.
Application Based Link Selection Connection Objects | Source NAT based on application type.
You can also create custom connection objects. For more information, see Connection Objects.
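How the connection objects in the table above play out for one packet, as an added example that is not Barracuda code: the route is chosen by longest prefix and then lowest metric (the table mentions only the metric; prefix length decides first in any routing table, so this example goes that far), Dynamic SNAT takes the chosen interface's address, No SNAT keeps the client's address, and the fixed uplink objects (SNAT with DSL IP and its siblings) are modelled here as 'SNAT with <device>' forcing that device. Device names, addresses and the routing table are constructed for the example.

```python
"""Added example, not Barracuda code: how a connection object decides the outgoing
interface and source address. The route is chosen by longest prefix, then lowest
metric; Dynamic SNAT then uses that interface's address, No SNAT keeps the client
address, and the fixed 'SNAT with <device>' objects use the named uplink. Device
names, addresses and the routing table are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    metric: int


def select_route(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Most specific prefix wins; among equally specific prefixes the lowest metric wins."""
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def apply_connection_object(obj: str, src: IPv4Address, dst: IPv4Address,
                            table: List[Route],
                            addr_of: Dict[str, IPv4Address]) -> Tuple[str, IPv4Address]:
    """Return (outgoing interface, source address the destination will see)."""
    route = select_route(table, dst)
    if route is None:
        raise LookupError(f"no route to {dst}")
    if obj == "No SNAT":
        return route.interface, src                          # original client address is kept
    if obj == "Dynamic SNAT":
        return route.interface, addr_of[route.interface]     # address of the routed interface
    if obj.startswith("SNAT with "):                         # e.g. 'SNAT with ppp1' (DSL uplink)
        device = obj.split()[-1]
        if device not in addr_of:
            raise LookupError(f"uplink {device} has no address (link down?)")
        return device, addr_of[device]
    raise ValueError(f"unknown connection object {obj}")


# Constructed routing table and interface addresses (public ones from RFC 5737 ranges).
TABLE = [
    Route(ip_network("0.0.0.0/0"), "eth1", 100),     # primary default route
    Route(ip_network("0.0.0.0/0"), "ppp1", 200),     # DSL backup default route
    Route(ip_network("10.0.0.0/8"), "eth0", 10),
    Route(ip_network("10.9.0.0/16"), "eth2", 50),    # more specific, so it wins despite the higher metric
]
ADDR_OF = {
    "eth0": ip_address("10.0.0.1"),
    "eth1": ip_address("203.0.113.10"),
    "eth2": ip_address("10.9.0.1"),
    "ppp1": ip_address("198.51.100.7"),
}
```

The point to take from running it: with Dynamic SNAT the source address a remote host sees is decided by the routing table, not by the rule, so a routing change (a new, more specific route or a metric change on a backup uplink) silently changes which address your traffic leaves with. Where the remote side whitelists your source address, a fixed SNAT object or a NAT table is the safer choice.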

How to Edit, Copy, Clone, Deactivate, or Delete Access Rules


You can perform various basic tasks when working with access rules in the host and forwarding rule sets:
Edit Access Rules
Inline Editing
Edit Multiple Access Rules
Clone Access Rules
Copy, Cut, and Paste Access Rules
Delete Access Rules
Deactivate Access Rules
Move Access Rules Up or Down
Edit Access Rules
Edit access rules by either double-clicking the rule or right-clicking the rule and selecting Edit. In the Edit Rule window, you can configure all
possible configuration settings for the access rule. Toggle the Object Viewer check box in the left navigation to display or hide the Object Viewer
according to your preferences.

Inline Editing
You can change a setting for an access rule without opening the Edit Rule window. Click the rule, hover your mouse pointer over the value that
you want to change, and then click the edit icon that appears.

Edit Multiple Access Rules


Use caution when you edit multiple access rules simultaneously because you can introduce a severe misconfiguration.
For a basic setting such as source or destination that is used in multiple access rules, you can use a firewall object. When you change the object,
the change is automatically updated in every rule that refers to this object.
If you must change Advanced or ICMP Handling settings for more than one access rule, you can edit multiple access rules simultaneously.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Hold the Ctrl key and select the access rules that you want to edit.
4. Right-click the selected access rules and select Edit.
5. In the Edit Multiple Rules window, change Advanced, or ICMP Handling settings as needed. The settings are color-coded:
Yellow This setting differs from the default value and is the same for all selected access rules.
Red One or more of the selected access rules use differing settings for this parameter. Changing the parameter overwrites the
settings for all selected access rules.
6. Click Send Changes and Activate.

Clone Access Rules


If you want to duplicate an access rule, click Lock. Then right-click the access rule that you want to duplicate and select Clone. A copy of the rule
is inserted below the original rule, with COPY appended to the rule name.
Copy, Cut, and Paste Access Rules
If you want to copy or cut an access rule from one rule set to another, click Lock. Then right-click the rule and select Copy or Cut. To paste the
access rule into a rule set, right-click the rule above the location where you want the new rule to be inserted and select Paste.
Delete Access Rules
To delete an access rule, click Lock. Then right-click the rule that you want to delete and select Delete.
Deactivate Access Rules
If you want to temporarily disable an access rule, click Lock. Then right-click the rule that you want to deactivate and select Deactivate. Until the
rule is reactivated, it is not evaluated by the Firewall service. If you want to create temporary rules (e.g., for administrative SSH access), use
dynamic firewall rules.
Move Access Rules Up or Down
To change the order in which the access rules are evaluated, you can either drag and drop rules to the desired location or right-click the rule and
select Move Up or Move Down to move the rule up or down one line.

How to Create a Pass Access Rule


A Pass access rule permits traffic for a specific Service coming from the Source to access the selected Destination. For the Source and
Destination, you can specify network objects, IP addresses, networks, or geolocation objects.

Create a Pass Access Rule


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) at the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select Pass as the action.


5. Enter a name for the rule. For example, LAN-DMZ.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The source addresses of the traffic.
Destination The destination addresses of the traffic.
Service Select a service object, or select Any for this rule to match for all services.
For the example access rule displayed in the figure above, a network object named HQ-DMZ containing the IP address of the
DMZ server has been created. For more information, see How to Create Network Objects.
7. Click OK.
8. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located
above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
9. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Schedule Objects For more information, see Schedule Objects.
Connection Method For more information, see Connection Objects.
Additional Policies
IPS Policy For more information, see Intrusion Prevention System (IPS).
Application Control For more information, see Application Control 2.0.
SSL Interception For more information, see How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus
Scanning and ATD.
URL Filter For more information, see URL Filter.
AV Scan For more information, see How to Configure Virus Scanning in the Firewall.
ATD For more information, see How to Configure ATD in the Firewall.

Safe Search For more information, see How to Enforce Safe Search in the Firewall.
YouTube For Schools For more information, see How to Enforce YouTube for Schools in the Firewall.
QoS Band (Fwd) or QoS Band (Reply) For more information, see Traffic Shaping.

How to Create a Block Access Rule


A Block access rule prevents traffic from passing through the Barracuda NG Firewall. The sender is not notified that the traffic was blocked.

Create a Block Access Rule


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select Block as the action.


5. Enter a Name for the rule. For example, ExampleBlockRule.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The source addresses.
Destination The destination addresses of the traffic.
Service Select a service object, or select Any for this rule to match for all services.
7. Click OK.
8. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to block. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
9. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Additional Policy
Schedule Objects For more information, see Schedule Objects.
Returning a Block Page for HTTP Traffic
BLOCK and DENY access rules can return a block page if the user was blocked using the HTTP protocol on port 80. All other protocols and ports
covered by the access rule will be blocked at TCP SYN level.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Edit a Block access rule. The Edit Rule window opens.
4. In the left menu click Advanced.
5. In the Miscellaneous section, set Block Page for TCP 80 to Access Block Page or Quarantine Block Page.

6. Click OK.
7. Click Send Changes and Activate.
When a user is blocked by this access rule while using HTTP on port 80, the customizable Access Block Page is displayed. For more
information, see How to Configure Custom Block Pages.

How to Create a Deny Access Rule


A Deny access rule terminates matching network sessions by replying TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests, or
ICMP Denied by Filter for other IP protocols. Because the remote host receives a reply, it knows that your system is up and running and
protected by a firewall.

Create a Deny Access Rule


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select Deny as the action.


5. Enter a Name for the rule. For example, ExampleDenyRule.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The source addresses.
Destination The destination addresses of the traffic.
Service Select a service object, or select Any for this rule to match for all services.
7. Click OK.
8. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to deny. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
9. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Additional Policy
Schedule Objects For more information, see Time Objects.
Returning a Block Page for HTTP Traffic
BLOCK and DENY access rules can return a block page if the user was blocked using the HTTP protocol on port 80. All other protocols and ports
covered by the access rule will be blocked at TCP SYN level.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Edit a Block access rule. The Edit Rule window opens.
4. In the left menu click Advanced.
5. In the Miscellaneous section, set Block Page for TCP 80 to Access Block Page or Quarantine Block Page.

6. Click OK.
7. Click Send Changes and Activate.
When a user is blocked by this access rule while using HTTP on port 80, the customizable Access Block Page is displayed. For more
information, see How to Configure Custom Block Pages.

How to Create a Destination NAT Access Rule


A Dst NAT access rule redirects traffic sent to an external IP address to a destination in the internal network. The following example shows a Dst
NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ (172.16.0.10).

Create a Dst NAT Access Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select Dst NAT as the action.


5. Enter a Name for the rule. For example, Internet-2-DMZ-HTTPS-Server.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The source addresses of the traffic.
Destination The destination addresses of the traffic.
Service Select a service object, or select Any for this rule to match for all services.
Target List The redirection target. You have the following options to define the target:
Enter one IP address with or without a specific port. If you append a port to the IP address, the Barracuda NG Firewall maps the external port to that of the internal server (port 80 to port 8080). For example, 172.16.0.10 or 172.16.0.10:8080.
Enter a space-delimited list of IP addresses.
Click the Reference check box, and select a network object from the drop-down list that appears. If the network object contains multiple IP addresses, only the first IP address is used.
Do not use network objects containing host names (DNS objects). The firewall does not redirect traffic to a
hostname or FQDN.
Fallback/Cycle If you have defined multiple target IP addresses, select how the Barracuda NG Firewall distributes the traffic
between the IP addresses.
Fallback The connection is redirected to the first available IP address in the list.
Cycle New incoming TCP connections are distributed evenly over the available IP addresses in the list on a per source IP address basis. The same redirection target is used for all subsequent connections of the source IP address. UDP connections are redirected to the first IP address and not cycled.
List of Critical Ports Enter a space-delimited list of ports used.
Connection Method Select No SNAT.
7. Click OK.
8. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
9. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Connection Method For more information, see Connection Objects.
Additional Policies
IPS Policy For more information, see Intrusion Prevention System (IPS).
Application Control For more information, see Application Control 2.0.
SSL Interception For more information, see How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus
Scanning and ATD.
URL Filter For more information, see URL Filter.
AV Scan For more information, see How to Configure Virus Scanning in the Firewall.
Schedule Objects For more information, see Schedule Objects.
QoS Band (Fwd) or QoS Band (Reply) For more information, see Traffic Shaping.
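The Target List syntax and the Fallback/Cycle behaviour described above, modelled as an added example (not Barracuda code). The per-source-IP hash used for Cycle and the `available` set standing in for the critical-port check are assumptions; the firewall's real distribution algorithm is not documented on this page.

```python
"""Added example, not Barracuda code: model the Dst NAT Target List syntax and the
Fallback/Cycle distribution described above. The per-source hash used for Cycle is
an assumption; the firewall's real algorithm is not documented here."""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Target:
    ip: str
    port: Optional[int]  # None = keep the port the client connected to


def parse_target_list(text: str) -> List[Target]:
    """Parse a space-delimited Target List such as '172.16.0.10 172.16.0.11:8080'.
    Each entry is an IPv4 address with an optional ':port'. Host names are rejected
    because the firewall does not redirect traffic to a hostname or FQDN."""
    targets = []
    for entry in text.split():
        ip, sep, port = entry.partition(":")
        try:
            ipaddress.IPv4Address(ip)  # raises for hostnames / FQDNs
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"{entry!r}: not an IPv4 address (DNS objects are not allowed)") from exc
        if sep and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"{entry!r}: invalid port")
        targets.append(Target(ip, int(port) if sep else None))
    if not targets:
        raise ValueError("Target List is empty")
    return targets


def pick_target(targets, mode, proto, src_ip, available=None):
    """Select the redirection target for one new connection.
    mode 'fallback': the first available target in list order.
    mode 'cycle':    TCP connections get a stable per-source-IP choice among the
                     available targets (modelled here as CRC32(src_ip) modulo the
                     number of targets, an assumption); UDP always goes to the
                     first target and is never cycled.
    available: set of target IPs that passed the critical-port check; None = all up."""
    up = [t for t in targets if available is None or t.ip in available]
    if not up:
        return None  # no target reachable: nothing to redirect to
    if mode == "fallback" or proto.lower() == "udp":
        return up[0]
    if mode == "cycle":
        return up[zlib.crc32(src_ip.encode()) % len(up)]
    raise ValueError(f"unknown mode {mode!r}")


def rewrite_destination(target: Target, client_dst_port: int):
    """Return (ip, port) after Dst NAT. An explicit target port maps the external
    port onto the internal server port (e.g. 80 -> 8080); otherwise it is unchanged."""
    return target.ip, target.port if target.port is not None else client_dst_port
```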

How to Create an App Redirect Access Rule


The App Redirect access rule rewrites the destination IP address and forwards the traffic to a service running on a local IP address of the Barracuda NG Firewall. For example, you can use an App Redirect rule to transparently redirect all web traffic over the HTTP proxy service.

Create an App Redirect Rule


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select App Redirect as the action.


5. Enter a Name for the rule. For example, Transparent-Proxy-LAN2INTERNET.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The source addresses of the traffic.
Destination The destination addresses of the traffic.
Service Select a service object, or select Any for this rule to match for all services.
7. Enter the Redirection IP address and optional port as the Local Address. For example, 127.0.0.9:3128 for the HTTP proxy service.
8. Click OK.
9. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
10. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Additional Policies
IPS Policy For more information, see Intrusion Prevention System (IPS).
Application Control For more information, see Application Control 2.0.
URL Filter For more information, see URL Filter.
Schedule Objects For more information, see Schedule Objects.
QoS Band (Fwd) or QoS Band (Reply) For more information, see Traffic Shaping.

How to Create a Map Access Rule


A Map access rule rewrites incoming network ranges or IP addresses to destination networks or IP ranges, just like a Dst NAT rule does for a single IP address. You can use a NAT Table as an object for the Destination and/or Connection settings.
Ensure that the Destination network is the same size or smaller than the network used to redirect the request. Otherwise, the firewall wraps the larger source network into the smaller redirection network.

Create a Map Access Rule


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select Map as the action.


5. Enter a Name for the rule. For example, ExampleMapRule.
6. Select the Bi-Directional check box.
7. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The source addresses of the traffic. For example, select Internet.
Destination Enter the destination network, or select a NAT table Connection object.
Service Select a service object, or select Any for this rule to match for all services.
8. Enter the Redirection IP address or network. This is the network range that the connections will be rewritten to.
9. If the redirection IP network is not physically present on a network interface, select the Create Proxy ARP check box. For the example
above, proxy ARP is not needed.
10. Click OK.
11. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
12. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Connection Method For more information, see Connection Objects.
Additional Policies
IPS Policy For more information, see Intrusion Prevention System (IPS).
Application Control For more information, see Application Control 2.0.
SSL Interception For more information, see How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus
Scanning and ATD.
URL Filter For more information, see URL Filter.
AV Scan For more information, see How to Configure Virus Scanning in the Firewall.

Schedule Objects For more information, see Schedule Objects.


QoS Band (Fwd) or QoS Band (Reply) For more information, see Traffic Shaping.

How to Create a Broad-Multicast Access Rule


A Broad-Multicast access rule propagates broadcasts between multiple bridged network interfaces.

Create a Broad-Multicast Access Rule


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select Broad-Multicast as the action.


5. Enter a name for the rule. For example, EnableDeviceShare.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The bridged network.
Destination The broadcast addresses that you want to propagate in the network.
Service Select a service object, or select Any for this rule to match for all services.
7. In the Broad-Multicast - Propagation List field, enter the propagation interface or IP address(es). You can also enter a comma-delimited array of (bridged) network interfaces or existing IP addresses.
Propagation List Content / Example / Operation

Mixed list of IP addresses and interfaces
Example: port2,port3,192.168.200.10
Operation: IP packets are propagated through the specified interface and, in case of IP addresses, the outgoing interface is determined by performing a routing lookup.

Network interface(s)
Example: port2,port3,vpnr0,brid01
Operation: The IP packets are transmitted unchanged through the specified interface(s).

IP address(es)
Example: 192.168.200.10,10.10.0.100
Operation: The target of IP packets is changed according to the specified IP address(es) and packets are delivered after performing a routing lookup.

<interface>:<IP address>
Example: port2:192.168.200.10
Operation: The IP packets are transmitted through the specified interface and the target is changed according to the specified IP address. For a standard IP address, a layer 2 broadcast is triggered. For a multicast IP address, a corresponding layer 2 multicast MAC is created.

<interface>:<IP address>!
Example: 192.168.200.10!
Operation: Forces a layer 2 broadcast and the target MAC address is changed to ff:ff:ff:ff:ff:ff. This will also work if the destination is a multicast address.

8. Click OK.
9. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
10. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Connection Method For more information, see Connection Objects.
Additional Policies
Time Objects For more information, see Schedule Objects.
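A parser for the Propagation List syntax in the table above, added here as an example (not Barracuda code). The interface-name pattern and the IPv4 multicast-to-MAC mapping (RFC 1112) are assumptions not taken from the page; the same layer 2 mapping is assumed for IP-only entries as the table gives for <interface>:<IP address>.

```python
"""Added example, not Barracuda code: a parser for the Broad-Multicast Propagation List
syntax shown in the table above (interface, IP address, <interface>:<IP address>, and the
trailing '!' that forces a layer 2 broadcast). The interface-name pattern and the
multicast MAC mapping (RFC 1112) are assumptions, not taken from the page."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Assumption: interface names look like port2, vpnr0, brid01 (a letter first, then letters/digits).
_IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*$")


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


@dataclass(frozen=True)
class Propagation:
    interface: Optional[str]   # None: outgoing interface chosen by a routing lookup
    ip: Optional[str]          # None: packet target left unchanged
    force_l2_broadcast: bool   # '!' suffix: destination MAC forced to ff:ff:ff:ff:ff:ff

    def layer2_target(self) -> Optional[str]:
        """Destination MAC the packet leaves with, per the Operation column above:
        '!' forces the broadcast MAC even for multicast targets; a multicast IP gets
        the mapped 01:00:5e:xx:xx:xx group MAC; any other IP a layer 2 broadcast
        (assumed for IP-only entries too); an interface-only entry leaves the frame
        unchanged (None)."""
        if self.force_l2_broadcast:
            return BROADCAST_MAC
        if self.ip is None:
            return None
        addr = ipaddress.IPv4Address(self.ip)
        if addr.is_multicast:
            b = addr.packed  # the low 23 bits of the group address go into the MAC
            return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])
        return BROADCAST_MAC


def parse_propagation_list(text: str) -> List[Propagation]:
    """Parse a comma-delimited Propagation List, e.g. 'port2,port3,192.168.200.10'."""
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty propagation entry")
        force = item.endswith("!")
        if force:
            item = item[:-1]
        iface, sep, ip = item.partition(":")
        if not sep:
            # A plain token is either an IP address or an interface name.
            if _is_ipv4(item):
                iface, ip = None, item
            elif _IFACE_RE.match(item):
                iface, ip = item, None
            else:
                raise ValueError(f"{raw!r}: neither an interface name nor an IPv4 address")
        elif not (_IFACE_RE.match(iface) and _is_ipv4(ip)):
            raise ValueError(f"{raw!r}: expected <interface>:<IP address>")
        if force and ip is None:
            raise ValueError(f"{raw!r}: '!' needs an IP address to broadcast")
        entries.append(Propagation(iface, ip, force))
    return entries
```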

How to Create Cascade and Cascade Back Access Rules


To better organize the access rule set, you can create additional rule lists. At the point in the rule list where you want to evaluate another rule list, create a Cascade access rule. If none of the rules in the additional rule list you cascaded to matched, create a Cascade Back access rule to continue evaluating the rules in the main rule list. If you do not define a Cascade Back rule in the additional rule list and none of the rules match, the default policy (BLOCK or ALLOW) is executed at the end of the rule list.

Before You Begin


Create one or more rule lists. For more information, see How to Create New Rule Lists.
Create a Cascade Access Rule
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select Cascade as the action.


5. Enter a Name for the rule. For example, CascadetoDMZRuleList.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The source addresses of the traffic.
Destination The destination addresses of the traffic.
Service Select a service object, or select Any for this rule to match for all services.
7. Select the Rulelist that you want to also evaluate the traffic. E.g., DMZRuleList.
8. Click OK.
9. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
10. Click Send Changes and Activate.
Create a Cascade Back Access Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.

4. Select Cascade Back as the action.


5. Enter a Name for the rule. For example, CascadeBack.
6. Specify the following settings that must be matched by the traffic that will be handled by the access rule:
Source The source addresses of the traffic.
Destination The destination addresses of the traffic.

Service Select a service object, or select Any for this rule to match for all services.
7. Click OK.
8. Drag and drop the access rule to the order that you want. Usually this rule is placed last in the rule list, but you can drag it further up the
rule list as well.
9. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User For more information, see User Objects.
Additional Policies
Time Objects For more information, see Schedule Objects.

How to Create and Activate a Dynamic Access Rule


Dynamically activated rules are flagged by the clock icon. Dynamic access rules prevent the security vulnerabilities caused by forgetting to revoke service access that is needed only temporarily. If you create a dynamic rule, it is inactive by default and can be enabled on demand for a configured time span.
Create a Dynamic Access Rule
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Edit the access rule you want to make dynamic.
4. Enable Dynamic Rule.

5. Click OK.
6. Click Send Changes and Activate.
Enable and Disable Dynamic Rules via NG Admin
1. Open the FIREWALL > Dynamic page.
2. Double click a dynamic rule to open the Change Dynamic Rule dialog.

3. Select Enable to enable the rule.


4. If you want the rule to be enabled temporarily enter the time span in the Timer section.
5. Select an action from the Action on expiry drop down list.
Enable Enables the access rule.
Disable Disables the access rule.
Disable & Terminate Disables the rule and terminates all existing connections based on this rule.
Block Blocks all traffic matching this rule explicitly.
Block & Terminate Blocks all traffic matching this rule and terminates all existing connections based on this rule explicitly.
None None.
7. Click OK.
8. Click Send Changes and Activate.
Enable and Disable Dynamic Rules via SSL VPN Desktop and Mobile Portal
Create a dynamic access rule resource to be able to use the web interface to enable or disable dynamic access rules on the SSL VPN desktop or mobile portal.
For more information, see How to Create and Activate a Dynamic Access Rule and Mobile Portal User Guide.

How to Create New Rule Lists


For a better overview and organization of your access rule set, you can create additional rule lists to assign rules a main or sub-priority within the forwarding rule set. You can apply the additional rule lists to traffic by creating a Cascade access rule (see How to Create Cascade and Cascade Back Access Rules).
Create a Rule List
To create a new rule list:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. On the Access Rules page, click the yellow table icon in the top left of the rule set (next to Main Rules).

4. Enter a name for the rule list and click OK.


5. Click Send Changes and Activate.
After the rule list is created, a tab for it appears next to the Main Rules tab on top of the list.

In the new rule list, you can now specify a range of access rules. To switch between rule lists, click the tabs. You can also copy a rule from the
main rule list by right-clicking the rule and selecting Copy and then right-clicking the additional rule list and selecting Paste.

Firewall Rule Tester and Test Reports


The Barracuda NG Firewall provides you with a few tools to test your firewall rule set:
Check for Overlapping Rules Highlights firewall rules with criteria that matches those of a selected firewall rule and helps you
determine the best order for your firewall rules.
Rule Tester Tests the firewall rule set with the specified connection settings. Also verifies the consistency of your firewall rule set.
Test Report Contains settings and results that are saved from a rule test. Notifies you if any later changes to the firewall rule set result
in an unsuccessful connection request with the saved settings.
In this article:
Check for Overlapping Rules
Test the Firewall Rule Set
Save the Rule Test to a Test Report
Test Reports

Check for Overlapping Rules


Because a connection request can match the criteria of multiple firewall rules, the order of the rules is important. To help you identify firewall rules
with criteria that matches those of a selected rule, use the overlap checker.
1. Open the Forwarding Rules page (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server >
Assigned Services > Firewall).
2. Right-click a firewall rule and select Select Overlapping.
Any firewall rules with matching criteria are highlighted. In most cases, the overlap is a harmless outcome of a very openly defined firewall object
such as Any.
Test the Firewall Rule Set
To test your firewall rule set, you can simulate a specific connection by entering the network data in the rule tester. The rule tester then
determines which firewall rule would match this connection attempt.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left menu, expand the Rule List Verification section and click Rule Tester.
3. In the TEST CONNECTION section, enter the network parameters you want to test:
Proto Protocol
Day/Hour (Optional) Day of week and time
Date (Optional) Month, day, and year
From Source IP address
Port Source port (default is 2048)
To Destination IP address
Port Destination port
SMAC (optional) Source MAC address
Input-IF (optional) Incoming interface
Output-IF (optional) Outgoing interface
Srv Service
4. Click Test. The test result is displayed in the TEST RESULT section.
Save the Rule Test to a Test Report
To save your firewall rule test settings and result, click LOCK, enter a name in the Save Result to field and click Save Result to.
Your test is saved as a test report.
To view your saved test results, expand Rule List Verification and click Test Report in the left pane of the rule set page.
Test Reports
On the Test Report page, successful test results are indicated by a green icon. Unsuccessful test results are indicated by a red icon. If you make
changes to the firewall rule set that would cause an unsuccessful test connection for a test report (such as renaming objects or changing the order
of firewall rules), the green icon turns into a red icon.
The new results are added to the test report while the old results are displayed in brackets. You can validate or edit the settings for the failed
connection request. If the new results for a failed connection request are correct, you can validate the test report by right-clicking it and selecting
Rectify. The red icon for the test report turns into a green icon. If the new results for a failed connection request are incorrect, you can edit the
firewall rule or the test report settings.
To edit the test report, right-click it and select Edit.
To edit the firewall rule, double-click the test report. In the TEST RESULT section, click Edit next to the Rule field.
While editing the test report, you can also use it as a template and save the new settings as a new test report.
Test reports are only saved temporarily. If you want to save test reports, click Send Changes and Activate.

Advanced Access Rule Settings


In some specific situations, you may have to modify the default behavior of your firewall by changing the advanced access rule parameters. Some
of these parameters can be used to increase the security level while others provide rarely needed exceptions to the strict default security policy of
the Barracuda NG Firewall.
The advanced parameters of an access rule can impact security if not properly configured. Ensure that you fully understand the functionality of a parameter before you change it.


Advanced Access Rule Settings
Rule Mismatch Policy
TCP Policy
Resource Protection
Counting / Eventing / Audit Trail
Miscellaneous
Quarantine Policy
Dynamic Interface Handling
Rule Mismatch Policy
Usually, a connection request is required to match the source, service, and destination of a rule. By default, the firewall continues to the
subsequent rule in the rule set if one of the three conditions is not met. If you do not want a rule to be bypassed, you can change the policy for
mismatches to the rule conditions.
The following policies are available for Source, Destination, Service, User, and MAC address condition mismatch:
CONTINUE on Mismatch (default) Continues processing the next access rules.
BLOCK on Mismatch Ignores all traffic and does not answer to any matching packet (= silent drop).
DENY on Mismatch Dismisses all traffic and sends TCP-RST (for TCP requests), ICMP Port Unreachable (for UDP requests), or ICMP
Denied by Filter (for other IP protocols) to the source.
If you want the session to be reevaluated when the rule set or authentication settings are changed, enable the Persistence setting.
Example Use Case
Two machines in your LAN have access to a database server on a critical port (for example, telnet). You want to ensure that no other rule
accidentally allows access for a source other than these two clients. In this case, select Block on Mismatch from the Source list in the Rule
Mismatch Policy section of the Advanced Rule Parameters window.
The effect of these options is cumulative. If you check two options, you blank out the remaining values for all subsequent rules.
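A small model of forwarding rule evaluation, added as an example (not Barracuda code), that ties together the Cascade / Cascade Back rule lists described earlier, the Rule Tester's question of which rule handles a given connection, and the Rule Mismatch Policy from this section, including the use case above. Only source, destination and service are modelled; the rule set is constructed, and the assumption on when a BLOCK/DENY on Mismatch policy fires is marked in the code.

```python
"""Added example, not Barracuda code: a small model of forwarding rule evaluation that
ties together the behaviour described on this page: top-down first match, the BLOCKALL
rule, Cascade / Cascade Back rule lists with the default policy at the end of a cascaded
list, the Rule Tester's 'which rule matches this connection' question, and the Rule
Mismatch Policy. Only source, destination and service are modelled."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CONTINUE, BLOCK, DENY = "CONTINUE", "BLOCK", "DENY"  # Rule Mismatch Policy values


@dataclass
class Rule:
    name: str
    action: str                   # PASS, BLOCK, DENY, CASCADE or CASCADE_BACK
    source: str = "0.0.0.0/0"     # network objects modelled as CIDR strings
    destination: str = "0.0.0.0/0"
    service: str = "Any"          # "Any" or "proto/port", e.g. "tcp/443"
    rulelist: str = ""            # CASCADE only: the rule list to evaluate next
    mismatch: Dict[str, str] = field(default_factory=dict)  # per-condition policy


@dataclass
class Connection:
    """The fields the Rule Tester asks for (Proto, From, To, destination Port)."""
    src: str
    dst: str
    proto: str
    port: int


def _matches(cond: str, rule: Rule, conn: Connection) -> bool:
    if cond == "service":
        return rule.service == "Any" or rule.service == f"{conn.proto}/{conn.port}"
    addr = ipaddress.ip_address(conn.src if cond == "source" else conn.dst)
    return addr in ipaddress.ip_network(getattr(rule, cond))


def evaluate(rulelists: Dict[str, List[Rule]], conn: Connection,
             default_policy: str = BLOCK, list_name: str = "Main Rules") -> Tuple[str, str]:
    """Return (verdict, rule name), like the Rule Tester's TEST RESULT."""
    for rule in rulelists[list_name]:
        failed = [c for c in ("source", "destination", "service") if not _matches(c, rule, conn)]
        if failed:
            # Assumption: a BLOCK/DENY on Mismatch policy fires only when that condition
            # is the single failed one, i.e. the connection matched everything else.
            if len(failed) == 1:
                policy = rule.mismatch.get(failed[0], CONTINUE)
                if policy != CONTINUE:
                    return policy, f"{rule.name} ({policy} on {failed[0]} mismatch)"
            continue  # CONTINUE on Mismatch (default): try the next rule
        if rule.action == "CASCADE":
            verdict, name = evaluate(rulelists, conn, default_policy, rule.rulelist)
            if verdict != "CASCADE_BACK":
                return verdict, name
            continue  # the cascaded list handed control back: resume below the Cascade rule
        if rule.action == "CASCADE_BACK":
            return "CASCADE_BACK", rule.name
        return rule.action, rule.name  # PASS / BLOCK / DENY: first match wins
    # No rule matched and no Cascade Back: the list's default policy applies.
    return default_policy, f"default policy at end of {list_name}"


# Constructed rule set for illustration (not taken from the page's figures).
RULESETS = {
    "Main Rules": [
        Rule("Cascade-to-DMZ", "CASCADE", destination="172.16.0.0/24", rulelist="DMZRuleList"),
        # Two admin hosts may reach the database port. BLOCK on Mismatch for Source makes
        # sure no later, broader rule (LAN-Internet) accidentally passes other sources.
        Rule("Admins-to-DB", "PASS", source="10.0.0.0/31", destination="10.0.5.10/32",
             service="tcp/3306", mismatch={"source": BLOCK}),
        Rule("LAN-Internet", "PASS", source="10.0.0.0/8"),
        Rule("BLOCKALL", "BLOCK"),                    # matches everything ...
        Rule("Never-reached", "PASS"),                # ... so this rule is never executed
    ],
    "DMZRuleList": [
        Rule("Internet-2-DMZ-HTTPS", "PASS", destination="172.16.0.10/32", service="tcp/443"),
        Rule("CascadeBack", "CASCADE_BACK"),
    ],
}
```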
TCP Policy
In the TCP Policy section, you can edit the following TCP policy settings for traffic that is handled by the access rule:
Setting / Description

Generic TCP Proxy
The firewall engine is capable of two TCP forwarding methods:
Application Controlled Packet Forwarding (ACPF) / Generic TCP Proxy OFF (Default) The firewall does not terminate the TCP connection. The TCP connection is directly established between the source and destination. Malformed packets are filtered by ACPF.
Generic TCP Proxy ON Also called Stream Forwarding. If you want to avoid any direct TCP connection between two TCP partners traversing the firewall, use stream forwarding to build two distinct TCP connections. The destination will not get any packets that are not generated by the firewall TCP stack itself, making it impossible for a potential attacker to exploit a security flaw in the destination server's TCP stack. Selecting this option reduces the performance of the firewall (400 - 500 MBit maximum). The security advantage of stream forwarding is not as important today as it was when firewall engines were less powerful. For detailed performance data, contact Barracuda Networks Technical Support.
Features not available when using the Generic TCP Proxy:
Application Detection
High availability (HA) synchronization
Intrusion Prevention System (IPS)
Network Address Translation (NAT)
Plug-ins
TCP State Detection

Syn Flood Protection (Forward/Reverse)
Defines the behavior of the firewall with regard to the TCP three-way handshake. You can select the following options:
Server Default Uses the default configuration.
Outbound Passes the SYN untouched through to the target address.
Inbound The firewall completes the handshake and only then performs a handshake with the actual target. This helps to protect the target from SYN flood attacks. Disabling this option may speed up interactive protocols like SSH.
For more information, see Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies.

Accept Timeout (s)
Length of time that the firewall waits until the destination has to answer. After this timeout, the firewall sends a TCP RST packet to both partners (default: 10).

Last ACK Timeout (s)
Length of time in seconds that the firewall waits after an ACK to terminate the connection (default: 10).

Retransmission Timeout (s)
Length of time in seconds that the firewall waits until the source has to retransmit packets. If nothing happens, the firewall registers the session as a hijacking attempt (default: 300 seconds).

Halfside Close Timeout (s)
Length of time in seconds that the firewall waits after conscious termination of the connection to close the socket (default: 30).

Disable Nagle Algorithm
Enables TCP_NODELAY. This option is only available when the Generic TCP Proxy is enabled.

Force MSS (Maximum Segment Size)
Checks the SYN and SYNACK TCP packets for an MSS that is larger than the configured MSS. If the MSS TCP attribute is smaller, the packet is rewritten with the configured MSS. Use this feature for VPNs to force a TCP MSS that fits the MTU of the VPN tunnel device. For IPv4, the maximum transmission size must be at least 40 bytes smaller than the MTU.

Raw TCP mode
Handles sole chunks of TCP traffic without analyzing the entire contiguous TCP stream to allow routing loops. However, this mode is limited in terms of intrusion prevention, application detection, overall TCP state tracking, and other aspects.
Raw TCP mode must be explicitly enabled in a forwarding firewall rule. Raw TCP sessions are not synchronized.
You must only use this feature when it is absolutely necessary. It does not replace Traffic Intelligence or the Graphical Tunnel Interface. Raw TCP mode can also decrease the overall performance of the system.
The following features are not available in Raw TCP mode:
Application Control 2.0
Legacy Level 7 Application Detection
High Availability (HA) Synchronization
Intrusion Prevention System (IPS)
Network Address Translation (NAT)
Firewall Plugin Modules
TCP State Detection
WAN Optimization

Resource Protection
In the Resource Protection section, you can specify the following session limits to conserve your system resources:
Setting / Description

Allow to exceed global session limits
Allow this access rule to override the global session limits defined in the General Firewall Configuration.

Max Number of Sessions
Maximum number of accepted concurrent connections for this rule on a global basis (default: 0 = unlimited).
If the Rule Limit Exceeded setting is enabled in your event monitor settings, the FW Rule Connection Limit Exceeded [4016] event is generated when the Max Number of Sessions limit is exceeded.

Max Number of Sessions per Source
Maximum number of accepted concurrent connections per source address (default: 0 = unlimited).
You must only specify this limit if your system is susceptible to Denial of Service (DoS) attacks.
If the Source/Rule Limit Exceeded setting is enabled in your event monitor settings, the FW Rule Connection per Source Limit Exceeded [4018] event is generated when the Max. Number of Sessions per Source limit is exceeded.

Session Duration Limit (s)
Maximum length of time in seconds that the session can stay active. By default, there is no duration limit for the session.
This setting is only executable in the forwarding firewall; it does not affect the local firewall.

Counting / Eventing / Audit Trail


In the Counting / Eventing / Audit Trail section, define when events are logged or written to the access cache.
Setting

Description

Firewall History Entry

Saves the connection information to the firewall history (default: Yes).

Log File and FW Audit Entry

Obtains log file entries (default: Yes).

Transparent Failover State Sync

Synchronizes the session on a high availability system (default: Yes).

Statistics Entry

Obtains statistics (default: Yes).
If you select No, global firewall statistics are not generated and information is not displayed in the firewall dashboard.

Log Session State Changed

Logs changes of session states (default: No).

Own Log File

Saves all log events in an extra log file (default: No).

Service Statistics

Generates service statistics for this rule (default: No).

Eventing

The severity level of the rule's event messages. Host firewall rules
are not affected by this setting. You can select the following event
levels to be generated if a forwarding firewall rule matches:
None (default) No events are generated.
Normal Generates the FW Rule Notice [4020] event.
Notice Generates the FW Rule Warning [4021] event.
Alert Generates the FW Rule Alert [4022] event.
In the event settings, you can specify actions for these event
messages. For more information, see How to Configure Event
Settings.
Regardless of this setting, forwarding as well as host
firewall rules will generate event messages if BLOCK on
Mismatch is selected for any of the Rule Mismatch Policy
settings.

Application Log Policy

Default No detected applications are logged.
Log Blocked Applications Only blocked applications are logged.
Log Allowed Applications Allowed applications are logged.
Log All Applications All detected applications are logged.

Miscellaneous
In the Miscellaneous section, you can edit the following settings:
Setting

Description

Authentication

The required user authentication method for HTTP and HTTPS connections. You can select the following authentication methods:
No Inline Authentication (default)
Login+Password Authentication
X509 Certificate Authentication
X509 Certificate & Login+Password Authentication
For more information about authentication, see Firewall Authentication and Guest Access.

IP Counting Policy

You can select the following policies:
Default Policy Uses the interface realm settings that are assigned in the network configuration for the local networks and interface routes. Depending on the specified realm, the source or destination IP counts.
The Default Policy is hard-coded and cannot be changed in the Barracuda NG Firewall configuration.
Count Source IP Counts source IP addresses towards license limits.
Count Destination IP Counts destination IP addresses towards license limits.

Time Restriction

Applies a time restriction to rules that are configured with a feature level that is equal to or lower than 3.2.

Clear DF Bit

The DF bit determines whether a packet can be fragmented or not. In networks where packet size is limited to an MTU, packet fragmentation may become vital when packets sent to this network exceed the MTU (for example, as may frequently occur with SAP applications).
Because the firewall must not override the DF bit setting, fragmentation is up to the client. When the DF bit is set and the target network's MTU specification requires fragmentation, the firewall responds with an ICMP Destination Unreachable message (Code 4: Packet too large. Fragmentation required but DF bit in the IP header is set). If the client does not understand the answer code, data transmission fails and data loss may occur if packet sizes exceed the MTU of the network.
Before enabling this setting, consider the following points:
The fragmentation and packet reassembling process might lead to significant performance loss at high traffic rates.
The maximum segment size (MSS) is automatically decreased as necessary when traffic is routed through the respective VPN. Encapsulating packets reduces the available MTU size. The DF bit is automatically cleared from traffic that is forwarded towards a VPN interface.
Only enable this setting when experiencing transport problems that are clearly associated with packet size restrictions.
To clear the DF bit from the IP header and fragment packets if necessary, regardless of the setting in the packet's IP header, select Yes. By default, this setting is disabled.

Set TOS Value

The TOS value. By default, the value is set to 0 (TOS unchanged).

Prefer Routing over Bridging

Controls the routing behavior of routed transparent Layer 2 bridges. To route traffic over bridges that are configured on the Barracuda NG Firewall, select Yes. Enable this setting when an external router connects the bridges and traffic should not be directed to this router. If traffic is first routed to the external router, it is rejected because it passes the gateway twice.
By default, this setting is disabled.
For more information on routed transparent Layer 2 bridges, see How to Configure Routed Layer 2 Bridging.

Color

The color of the rule in the rule set.
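The forwarding decision described under Clear DF Bit, shown as an added example that is not part of the Barracuda documentation: an IPv4 packet that exceeds the next-hop MTU is forwarded unchanged only if it fits; with the DF bit set and the setting disabled, the sender gets an ICMP Destination Unreachable, code 4, whose header carries the next-hop MTU (the RFC 1191 field); with the DF bit clear, or the rule configured to clear it, the packet is split into fragments on 8-byte boundaries with the More Fragments flag set on all but the last. The packet, the addresses and the 1500-byte MTU are constructed; the UDP payload is all zeros.

```python
import struct

IP_FLAG_DF = 0x4000  # Don't Fragment
IP_FLAG_MF = 0x2000  # More Fragments
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4


def internet_checksum(data):
    """RFC 1071 one's complement checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, df=True, ident=0x1234, proto=17):
    """Constructed IPv4 packet without options (IHL 5); proto 17 marks a UDP payload."""
    flags_off = IP_FLAG_DF if df else 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet):
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack_from("!HHH", packet, 2)
    return {"ihl": ihl, "total_len": total_len, "ident": ident,
            "df": bool(flags_off & IP_FLAG_DF), "mf": bool(flags_off & IP_FLAG_MF),
            "frag_offset": flags_off & 0x1FFF}


def icmp_frag_needed(packet, next_hop_mtu):
    """ICMP type 3 code 4: unused 16 bits, next-hop MTU, then the offending header + 8 payload bytes."""
    ihl = (packet[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + packet[:ihl + 8]
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def fragment(packet, mtu):
    """Split into fragments that fit the MTU; each fragment's payload is a multiple of 8 bytes."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = bytearray(packet[:ihl]), packet[ihl:]
    chunk = (mtu - ihl) // 8 * 8
    flags_off = struct.unpack_from("!H", header, 6)[0]
    base_offset, orig_mf = flags_off & 0x1FFF, flags_off & IP_FLAG_MF
    frags = []
    for pos in range(0, len(payload), chunk):
        piece = payload[pos:pos + chunk]
        last = pos + chunk >= len(payload)
        new_flags_off = (base_offset + pos // 8) & 0x1FFF  # DF is cleared on every fragment
        if not last or orig_mf:
            new_flags_off |= IP_FLAG_MF
        struct.pack_into("!H", header, 2, ihl + len(piece))
        struct.pack_into("!H", header, 6, new_flags_off)
        struct.pack_into("!H", header, 10, 0)
        struct.pack_into("!H", header, 10, internet_checksum(bytes(header)))
        frags.append(bytes(header) + piece)
    return frags


def handle_oversized(packet, mtu, clear_df=False):
    """Decision for one packet towards a link with the given MTU.

    Returns (action, packets) with action 'forward', 'icmp_frag_needed' or 'fragment'."""
    info = parse_ipv4(packet)
    if info["total_len"] <= mtu:
        return "forward", [packet]
    if info["df"] and not clear_df:
        # The firewall must not override DF on its own: tell the sender instead.
        return "icmp_frag_needed", [icmp_frag_needed(packet, mtu)]
    # Clear DF Bit = Yes (or DF not set by the client): fragment regardless of the header flag.
    return "fragment", fragment(packet, mtu)


if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.5", "172.16.0.20", bytes(3000), df=True)
    print(handle_oversized(pkt, 1500)[0])  # icmp_frag_needed
    action, frags = handle_oversized(pkt, 1500, clear_df=True)
    print(action, [parse_ipv4(f)["frag_offset"] for f in frags])  # fragment [0, 185, 370]
```

The three fragments of a 3020-byte packet over a 1500-byte link come out as 1500, 1500 and 60 bytes with offsets 0, 185 and 370 (in 8-byte units), which is the reassembly work the page warns about when it mentions performance loss at high traffic rates.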
Quarantine Policy

In the Quarantine Policy section, you can select one of the following rule matching policies for evaluating sessions to and from a specific
quarantine class:
Match The rule matches.
Block The rule blocks the request.
Deny The rule denies the request.
Continue Rule evaluation continues with the next rule in the rule set.
A session is only evaluated when it matches the specified policy for the following settings:
Setting

Description

LAN Rule Policy

Matching policy for sessions to and from a nonquarantine net.

Quarantine Class 1 Rule Policy

Matching Policy for sessions to and from a Quarantine class 1 net.

Quarantine Class 2 Rule Policy

Matching Policy for sessions to and from a Quarantine class 2 net.

Quarantine Class 3 Rule Policy

Matching Policy for sessions to and from a Quarantine class 3 net.

Dynamic Interface Handling

Setting

Description

Source Interface

Restricts rule processing to the specified dynamic network interface (if installed and configured).

Continue on Source Interface Mismatch

Continues with rule processing, even if no matching interface can be found. The subsequent rule is then used for rule evaluation.

Reverse Interface (Bi-directional)

The interface that the destination address is allowed to use. Only applicable for bi-directional rules.

Interface Checks After Session Creation

Disables interface checks. Only applicable for bi-directional rules.

Example - How to Enable Remote Management Access From the Internet


Barracuda Networks recommends that you only enable management access from the Internet for a limited period of time. Remote
management access constitutes a significant security risk, especially if you allow access via SSH. To minimize risk potential, restrict
access to very few trusted source addresses or networks, disable access when it is not needed, and use strong passwords or key
authentication.
When you place a standalone Barracuda NG Firewall at a remote site, you can enable access to it over the Internet for remote management and
configuration. You can also enable remote access for Barracuda Networks Technical Support if direct access to the system is required for
troubleshooting.
Create an App Redirect Firewall Rule
To enable remote management access to the Barracuda NG Firewall from the Internet, create an App Redirect Rule for the management ports to
the internal management IP address.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. From the Rule Lists menu in the left pane, select Access Rules.
3. Click Lock.
4. Create an App Redirect rule with the following settings:
Source Select Internet. To restrict access to specific IP addresses, you can explicitly enter the IP addresses or create a
network object for reference.
Service Select NGF-MGMT-STAT (TCP 807 Single Point Of Entry)
Destination If the Barracuda NG Firewall connects to the Internet via a dynamic address, select the network object to match
your connection (DHCP Local IP, DSL Local IP or 3G Local IP). If the system uses a static public IP address, enter this
address.
Redirection In the Local Address field, enter your internal management IP address (MIP) as defined in the network settings.

5. Click Send Changes and Activate.


Next Step
You can now manage your Barracuda NG Firewall over the Internet with the Barracuda NG Admin application. Instead of connecting to the
management IP address of the unit, log into the system via the public IP address of your unit.

How to Configure a Transparent Redirect to an HTTP Proxy


To transparently forward HTTP/HTTPS connections to a proxy behind a Barracuda NG Firewall in the DMZ, you can configure the Dst NAT
access rule to not rewrite the source and destination addresses of the connection. This configuration allows the proxy to apply all policies as if it
were directly connected to the client. It also allows the proxy to create meaningful statistics and connection information. HTTPS connections can
only be forwarded if Application Control 2.0 is not enabled for that access rule.
The HTTP/HTTPS proxy as described here may be a Barracuda Web Filter.

In this article
Before You Begin
Step 1. Create a Transparent Redirect DNAT Access Rule
Step 2. Create a PASS Access Rule for the HTTP Proxy to Access the Internet
Step 3. Create a PASS Access Rule for the HTTP Proxy to Access the Client
Step 4. Configure the HTTP Proxy
Before You Begin
Verify that the Forwarding Firewall service is using Feature Level 6.1 or above.
The Barracuda NG Firewall and the HTTP Proxy must be directly connected to the same subnet (within the same ARP domain).
Step 1. Create a Transparent Redirect DNAT Access Rule

Create the DNAT access rule to forward all HTTP traffic to the proxy.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. Create an access rule to forward HTTP traffic coming from your clients to the HTTP proxy:
Action Select Dst NAT.
Source Select Trusted Networks. Alternatively enter the network the client using the HTTP Proxy is in.
Destination Select Internet.
Service Select HTTP+S
Target List Enter the IP address and, optionally, the port of the HTTP Proxy. You can use multiple HTTP Proxies. E.g., 172.16.0.10:3128

Do not use network objects containing host names (DNS objects). The firewall does not redirect traffic to a hostname
or FQDN.
Fallback/Cycle If you have defined multiple target IP addresses, select how the Barracuda NG Firewall distributes the traffic
between the IP addresses.
Fallback The connection is redirected to the first available IP address in the list.
Cycle New incoming TCP connections are distributed evenly over the available IP addresses in the list on a per
source IP address basis. The same redirection target is used for all subsequent connections of the source IP address.
UDP connections are redirected to the first IP address and not cycled.
List of Critical Ports Enter a space-delimited list of ports used.
Connection Method Select No SNAT.
Application Policy Disable Application Control.


4. In the left menu, click Advanced.


5. In the Miscellaneous section set Transparent Redirect to Enable.

6. Click OK.
7. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
8. Click Send Changes and Activate.
Step 2. Create a PASS Access Rule for the HTTP Proxy to Access the Internet
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. Create a PASS rule to allow the HTTP proxy to access the Internet:
Action Select Pass.
Source Enter the IP address of the HTTP Proxy.
Destination Select Internet.
Service Select HTTP+S.
Connection Method Select Dynamic SNAT.
Application Policy Disable Application Control.

4. In the left menu, click Advanced.


5. In the Dynamic Interface Handling section set Source Interface to Any.
6. Click OK.
7. Click Send Changes and Activate.
Step 3. Create a PASS Access Rule for the HTTP Proxy to Access the Client
To allow the HTTP proxy to access the client, you must create a PASS rule:
Action Select Pass.
Source Enter the IP address of the HTTP Proxy.
Destination Select Trusted Networks.
Service Select HTTP+S.
Connection Method Select No SNAT.
Application Policy Disable Application Control.

Step 4. Configure the HTTP Proxy


In order to successfully send the connection from the HTTP proxy or Barracuda Web Filter to the Internet you must configure the device to:
Route to the Internet using the NG Firewall as the gateway.
Route to the internal client network using the NG Firewall as gateway.
HTTP traffic must use the IP address of the HTTP Proxy or Barracuda Web Filter as the source IP for outgoing connections.

Firewall Objects
Firewall objects are named collections that represent specific networks, services, applications, user groups or connections. You can use the firewall objects that are preconfigured on the Barracuda NG Firewall, but you can also create custom firewall objects depending on your requirements. Firewall objects are reusable, which means that you can use one firewall object in as many rules as required. The following section explains the firewall objects that are available for use and configuration on the Barracuda NG Firewall and contains articles on how to create the different firewall objects for your firewall rules.
Advantages of Firewall Objects

Using firewall objects gives you the following advantages:


Each firewall object has a unique name that is more easily referenced than, for example, an IP address or a network range.
Maintenance of the firewall rule set is simplified. When you update a firewall object, the changes are automatically updated in every rule
that refers to this object.
Firewall Object Types

The following types of firewall objects are available for use and configuration:
Connection Objects The egress interface and source (NAT) IP address for traffic matching a firewall access rule.
For more information, see Connection Objects.

Proxy ARPs Resolve MAC addresses not physically on the Barracuda NG Firewall to the corresponding IP addresses.
For more information, see Proxy ARPs.
Network Objects Networks, IP addresses, geolocation, host names, or interfaces when configuring firewall rules.
For more information, see Network Objects.
Service Objects TCP/UDP ports for a service.
For more information, see Service Objects.
User Objects Lists of users and/or user groups for use within firewall rules.
For more information, see User Objects.
Schedule Objects Time restriction or scheduling tables that can be applied to access rules on an hourly, weekly, or calendar date
basis.
For more information, see Schedule Objects.
Interface Groups A specific interface or an interface group containing one or more interfaces.
For more information, see How to Create Interface Groups.
Applications Lists of applications and/or sub-applications when creating application aware firewall rules.
For more information, see Application Objects and Application Control 2.0.
URL Filter Access restrictions for web sites. The Barracuda NG Firewall provides a predefined list of URL categories that are available
for blacklisting and whitelisting.
For more information, see How to Create an URL Filter Policy Object.

Network Objects
Use network objects to reference networks, IPv4 and IPv6 addresses, hostnames, geolocation objects, or interfaces when you create firewall
rules. A network object can also include other existing network objects. Network objects are stored in the host and forwarding firewall. If the
Barracuda NG Firewall is managed by a Barracuda NG Control Center, it also inherits all network objects in the Global, Range, and Cluster
Firewall Object stores.
Firewall rule management is simplified with the use of network objects instead of explicit IP addresses. For example, if an IP address changes,
you do not have to edit it in every rule that references it; you must only change the IP address in the network object. The IP address is then
automatically updated for every rule that references the network object.
Unified network objects cannot contain both IPv4 and IPv6 addresses. For more information, see How to Use IPv6.
Network Object Types
A network object may consist of the following:
Generic Network Objects You can add network addresses of all types. All network objects that are available on Barracuda NG
Firewall systems by default are configured as generic network objects.
Single IP Address A single IP address.
List of IP Addresses Multiple single IP addresses and/or references to other single IP address objects. For example: 10.0.10.1, 10.0.10.10, 10.0.10.127
Single Network Address A single network. For example: 10.0.10.0/25
List of Network Addresses Any combination of multiple networks, IP addresses, and/or references to other network address objects.
For example: 10.0.10.0/25, 172.16.0.10
Hostname (DNS Resolved) A single DNS resolvable host name. For example: myhost.test.com

If the hostname used in the network object is not resolvable, any firewall rules that use it will never be matched to traffic. For a
detailed description of configuration options, see Hostname (DNS Resolvable) Network Objects.
Single IPv6 Address A single IPv6 address.
List of IPv6 Addresses Multiple IPv6 addresses and/or references to other single IPv6 address objects.
Single IPv6 Network A single IPv6 network.
List of IPv6 Networks Any combination of multiple IPv6 networks, IPv6 IP addresses, and/or references to other IPv6 network
address objects.
Excluded Entries Specific networks that are excluded from the network object.
For transparency and consistency, other network objects cannot be referenced in the Excluded Entry section.
Enable L3 Pseudo Bridging When bridging is activated on an interface, host routes and PARPs are automatically created by the Barracuda NG Firewall. In this section, you can specify the information required for this task. The Bridging section is only available in the Local Networks list of the Forwarding Firewall service. Select Bridging enabled (Advanced Settings) from the list (default: Bridging not Enabled) if you want to configure bridging details.
The configuration options in the Bridging section are only applicable for Layer 3 Bridging. For more information, see How to Configure Layer 3 Bridging.

Interface Address Reside The name of the interface on which bridging is to be enabled (for example, eth1).
Parent Network The superordinate network from which the bridged interface has been separated.
Introduce Routes Introduces host routes to the IP addresses to be separated from the superordinate network (IP
addresses listed in the network object) automatically.
Restrict PARP to Parent Network Restricts the Proxy ARP to only answering ARP requests within the parent network.
Network objects cannot be deleted if they are referenced by other objects. You can delete network objects when they are only
referenced in configuration files. Before you delete a network object, verify that it is not used anywhere. The Referenced By column in
the Network Objects listing displays where a network object is currently referenced.

Hostname (DNS Resolvable) Network Objects


You can use hostnames in a network object. This might be needed in contexts where the remote network uses a dynamic IP address and can
only be reached by hostname. The Firewall service resolves and uses the first 24 IP addresses in the network object. The firewall rule set uses
these resolved IP addresses when evaluating rules. If the hostname is not resolvable or the DNS server is currently not available, the firewall rule
will never match.
In this article:
Limitations and Drawbacks
Creating Hostname Network Objects
Using Hostname Network Objects
Monitoring Network Objects of Type Hostname
Site-Specific Network Objects
Limitations and Drawbacks
There are several limitations and drawbacks to using hostnames in network objects:
Only explicit host names can be used. For example: www.barracuda.com
A maximum of 24 IP addresses can be resolved.
Using a hostname network object in a BLOCK firewall rule is not recommended.
When a non-resolvable object is used in a rule, rules cannot be matched or processed correctly. Hostname objects become
non-resolvable when they refer to a non-existent host name or the DNS server is unavailable.
Active sessions are not re-evaluated when DNS resolution changes; sessions are re-evaluated only when the rule itself is modified. To
establish new connections with updated DNS entries, you must manually terminate persistent sessions.

When the firewall is started or restarted, it can take up to 10 seconds until DNS resolution is provided for all configured hostname
network objects. Because the firewall is already active, the traffic that you want to be handled by the rule with the added hostname
object can be matched to another rule instead.

To use hostname network objects, you must specify a DNS server in the DNS Server IP field in the Box Settings file (How to
Configure DNS Settings).
Using DNS resolvable host names in firewall rule sets can cause problems because of the following:
IP addresses that are allocated to DNS host names might change.
A DNS record might contain multiple IP addresses.

Creating Hostname Network Objects


You can create hostname objects:
In the Local Firewall rule set.
In the Forwarding Firewall rule set.
As global, range-specific, or cluster-specific firewall objects.
Hostname objects cannot be created as explicit source or destination objects in firewall rules.
To create a hostname network object, select Hostname (DNS resolved) from the Type list in the Network Object window. Consider the
following detail configuration options:

You can configure the following parameters:
Type The type defines specific object characteristics. Network objects of type Hostname expect an explicit DNS resolvable host name in the Name field below.
Once the object has been created, its type cannot be changed.
Name Enter the DNS resolvable name for which the object is to be created.
Description Enter a meaningful object description.
The specified name is also the name of the network object. The object name may be changed retroactively.
Resolve The functionality of this button is purely informational. Click it to execute a DNS query for the host name entered in the Name field. The result of the query is displayed in the IP field in the Entry section. Note that the query is executed using the DNS server(s) known to the client running the graphical administration tool Barracuda NG Admin and NOT using the DNS server(s) known to the Barracuda NG Firewall running the firewall service.
DNS Lifetime (Sec) The DNS Lifetime defines the interval after which DNS entries are refreshed for network objects of type Hostname that are used in currently effective firewall rules (default: 600 s). Setting a value lower than 30 seconds might cause problems in network object lists containing a huge number of hostname objects. DNS entries may also be refreshed manually in FIREWALL > Dynamic > Dynamic Rules.
The DNS Lifetime has no effect on actively established connections, even if the DNS resolution of a network object that is currently used in a firewall rule changes. In this case, to force a refresh, terminate the active session so that a new connection can be established using the updated DNS entry.
The Include and Exclude Entries sections may be used to restrict a network object: to force a condition to match explicitly, or to exclude it from being part of the object. For example, if a DNS host name entry www.domain.com matches four DNS A-records pointing to the IP addresses 10.0.6.1, 10.0.8.1, 10.0.8.2 and 10.0.8.3, and connection requests must always point to addresses residing in the 10.0.8.0/24 network but must never be addressed to the IP address 10.0.8.3, configure the following values in the corresponding fields: Included Entry section: IP 10.0.8.0/24; Excluded Entry section: IP 10.0.8.3. When this configuration is utilized in a firewall rule, it is processed as follows: connection requests may be addressed to IP addresses in the network 10.0.8.0/24, but not to the excluded IP address 10.0.8.3.
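The include/exclude processing of the www.domain.com example above, shown as an added example that is not part of the Barracuda documentation: the resolved A records are cut to the first 24, the Included Entries restrict the set to the listed networks, the Excluded Entries remove addresses from it, and a rule using the object only matches destinations left in that set. An unresolvable name yields an empty set, so the rule never matches, which is the behaviour described under Limitations and Drawbacks. The resolver lookup table is constructed so the code runs offline; the real firewall queries the DNS server from the Box Settings.

```python
import ipaddress

MAX_RESOLVED_ADDRESSES = 24  # the firewall uses the first 24 resolved addresses

# Constructed stand-in for DNS: the page's www.domain.com with its four A records,
# plus a name that does not resolve. Not a real lookup.
RESOLVER = {
    "www.domain.com": ["10.0.6.1", "10.0.8.1", "10.0.8.2", "10.0.8.3"],
    "does-not-exist.example": [],
}


def resolve(hostname, resolver=RESOLVER):
    """First 24 addresses the name resolves to; empty when the name is unresolvable."""
    return [ipaddress.ip_address(a) for a in resolver.get(hostname, [])[:MAX_RESOLVED_ADDRESSES]]


def effective_addresses(resolved, included=(), excluded=()):
    """Apply Included Entries (restrict to these networks) and Excluded Entries (never these)."""
    include_nets = [ipaddress.ip_network(n, strict=False) for n in included]
    exclude_nets = [ipaddress.ip_network(n, strict=False) for n in excluded]
    kept = []
    for addr in resolved:
        if include_nets and not any(addr in net for net in include_nets):
            continue  # Included Entries given and this address is outside all of them
        if any(addr in net for net in exclude_nets):
            continue  # explicitly excluded
        kept.append(addr)
    return kept


def hostname_object(hostname, included=(), excluded=(), resolver=RESOLVER):
    """The address set a hostname network object contributes to rule evaluation."""
    return effective_addresses(resolve(hostname, resolver), included, excluded)


def rule_matches(destination, hostname, included=(), excluded=(), resolver=RESOLVER):
    """A rule whose destination is this hostname object matches only addresses in the effective set.

    With no resolvable addresses the set is empty and the rule can never match."""
    return ipaddress.ip_address(destination) in hostname_object(hostname, included, excluded, resolver)


if __name__ == "__main__":
    print([str(a) for a in hostname_object("www.domain.com", ["10.0.8.0/24"], ["10.0.8.3"])])
    # ['10.0.8.1', '10.0.8.2']
```

Because the effective set is recomputed from the resolver result, it changes only when the DNS Lifetime refresh runs; sessions already established against an address that later drops out of the set are unaffected, as the page notes.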
Using Hostname Network Objects
You can use hostname objects as:
Source/Destination in rules within the Forwarding Firewall.
Source/Destination in rules within the Local Firewall.
Reference in the Entry list of generic network objects.
You cannot reference hostname objects in other network object types.
Monitoring Network Objects of Type Hostname
DNS queries addressed to the DNS server configured in the box settings are triggered when a hostname network object is created. You can view
these queries in the following places:
In all views but the Dynamic Rules tab, DNS resolution is retrieved using the DNS server(s) known to the client running the graphical
administration tool Barracuda NG Admin and NOT using the DNS server(s) known to the Barracuda NG Firewall running the firewall
service.
In the Entries column in the network object list.
In the Rule Object list when the hostname object configured in the rule is used.
In the Source/Destination window querying the rule object list when the hostname object is currently used.
In the Rule Tester.
In the Dynamic Rules tab of the Firewall Monitoring Interface.
Site-Specific Network Objects
Site-specific network objects can be used to share single firewall rule sets for branch offices with template-based network layout. This type of
object inherits its content from the IP address or IP network defined in the Virtual Servers Server Properties of a branch office.

How to Create Network Objects


Create a network object containing an IP address, a reference to another network object and a network.
Do not change the dynamic network objects that are automatically generated by the Barracuda NG Firewall.
Create a Network Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left navigation click on Networks.
3. Click Lock.
4. Right-click the table and select New. The Edit/Create Network Object window opens.
5. Enter a Name for the network object. E.g., ExampleNetworkObject
6. In the Include Entries section, click +, enter the IP address/es that should be included in the IP field, and then click Insert and Close.
7. In the Exclude Entry section, add the IP addresses that should be excluded from the rule.

8. Click OK.
9. Click Send Changes and Activate.
You can now use the network object in your firewall rules. When creating or editing a firewall rule click on the Object Viewer in the left navigation
to see a list of all available network objects.

How to Create a Geolocation based Network Object

The geolocation database included with the Barracuda NG Firewall can match the IP address and network to the country it was issued to. This enables you to create firewall rules based on the physical location of the source or destination. Lists of countries or regions are combined in a reusable network object. The geolocation database is updated with every firmware release.
Create a Network Object
Create a network object and include all countries you want to use for your firewall rule.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left pane, click on Networks.
3. Right click in the main area and select New. The Edit/Create Network Object window will open.
4. Enter a Name.
5. To include or exclude a region or country:
a. Click the globe icon either in the Include or Exclude Entries section.

b. In the Select Region/Country window, select the region or country.

c. Click OK.
6. Click Send Changes and Activate.

You can now select the geolocation network object you just created from the Source and Destination dropdown lists when creating firewall rules. Alternatively, you can find the network object in the Object Viewer in the Networks > Network Objects section.

Custom External Network Objects


If you have a file containing a list of IP addresses or networks, you can import them automatically or manually into the external network objects.
On Barracuda NG Firewalls running in the Public Cloud, these objects are automatically filled in with information gathered from the cloud provider.
In this article

Before you Begin


Importing External IP File on a Standalone Barracuda NG Firewall
Step 1. Copy the File to the NG Firewall
Step 2. Import the File into a Custom External Object
Step 3. (Optional) Create a Cron Job for Import
On a Barracuda NG Firewall in the Public Cloud
On a Barracuda NG Control Center
Before you Begin
An admin account with full shell access is required.
The IP addresses in the file must be whitespace separated and may not exceed 10,000 IP addresses per file.
Importing External IP File on a Standalone Barracuda NG Firewall
Step 1. Copy the File to the NG Firewall
1. Copy the file containing the IP addresses to /var/phion/home/ on the Barracuda NG Firewall. Use a temporary file name (e.g., addresses.dirty) to ensure that only data of completely copied files is imported into the network objects.
2. Rename the file after the copy process:
# mv -f /var/phion/home/addresses.dirty /var/phion/home/addresses
Step 2. Import the File into a Custom External Object
On the command line, run /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home/addresses -o <External Firewall Object Number>. E.g., /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home/addresses -o 1 to import into the Custom External Object 1.
Check the CustomExternalImport firewall log file to verify the import was successful. You can also open the FIREWALL > Forwarding Rules page and click on Networks.

The IP addresses and networks in the custom external network objects are not displayed on the CONFIGURATION > Full
Configuration > Virtual Servers > your virtual server > Firewall > Firewall Rules page.
Step 3. (Optional) Create a Cron Job for Import
Create a cron job to automatically trigger a periodic import process.
1. Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > System Scheduler.
2. Click Lock.
3. In the left menu click Daily Schedule.
4. Click + to add an Interhour Schedule job.
5. Enter the Name, and click OK.
6. Enter /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home/addresses -o <External Firewall Object Number> in the Command section.

7. For High Availability setups, add -h to execute the CustomExternalAddrImport binary located in /opt/phion/bin and import the IP addresses to the Custom Network Object with the index number 1. E.g., CustomExternalObject1
8. Select every from the Minutely Schedule dropdown and enter the period for the Run Every...Minutes parameter.
9. Click OK.
10. Click Send Changes and Activate.
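As an added example (not part of the Barracuda documentation and not the CustomExternalAddrImport tool itself), the following Python script shows the defender-side check behind the copy-then-rename step: it validates a whitespace-separated address file against the 10,000-entry limit, rejects any token that is not an IP address or network (a file cut off mid-copy usually ends in a truncated token), and only then renames the file atomically so the importer never reads a half-copied file. The scratch directory, file names and sample addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for the example.

```python
import ipaddress
import os
import tempfile
from typing import List, Union

# Per-file limit stated in the documentation for CustomExternalAddrImport.
MAX_ENTRIES = 10_000

Entry = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_address_list(text: str, max_entries: int = MAX_ENTRIES) -> List[Entry]:
    """Parse a whitespace-separated list of addresses and networks.

    Raises ValueError when the list exceeds max_entries or when a token is not
    an IPv4/IPv6 address or network. A partially copied file usually ends in a
    truncated token such as '198.51.10', which fails here instead of being
    imported as a wrong prefix.
    """
    tokens = text.split()
    if len(tokens) > max_entries:
        raise ValueError(f"{len(tokens)} entries exceed the per-file limit of {max_entries}")
    entries: List[Entry] = []
    for token in tokens:
        try:
            # strict=False accepts host bits, so a bare '203.0.113.7' becomes a /32.
            entries.append(ipaddress.ip_network(token, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid entry {token!r}") from exc
    return entries


def promote_dirty_file(dirty_path: str, final_path: str) -> int:
    """Validate the temporary file, then rename it atomically to its final name.

    This mirrors the documented copy-then-rename step: the importer only ever
    reads the final name, and os.replace() is one atomic operation on POSIX, so
    a half-written file is never visible under that name. On validation failure
    the dirty file is left in place for inspection and nothing is renamed.
    Returns the number of accepted entries.
    """
    with open(dirty_path, encoding="ascii") as fh:
        entries = parse_address_list(fh.read())
    os.replace(dirty_path, final_path)
    return len(entries)


def demo() -> dict:
    """Run both cases against constructed files in a scratch directory.

    The addresses are RFC 5737 / RFC 3849 documentation ranges (constructed data).
    """
    with tempfile.TemporaryDirectory() as workdir:
        dirty = os.path.join(workdir, "addresses.dirty")
        final = os.path.join(workdir, "addresses")

        # Case 1: a completely copied file is validated and promoted.
        with open(dirty, "w", encoding="ascii") as fh:
            fh.write("203.0.113.7 198.51.100.0/24\n2001:db8::1\n")
        accepted = promote_dirty_file(dirty, final)

        # Case 2: a copy cut off mid-address must never reach the importer.
        with open(dirty, "w", encoding="ascii") as fh:
            fh.write("203.0.113.7 198.51.10")
        try:
            promote_dirty_file(dirty, final)
            truncated_rejected = False
        except ValueError:
            # Rejected, and the dirty file is still there for inspection.
            truncated_rejected = os.path.exists(dirty)

        return {"accepted": accepted, "truncated_rejected": truncated_rejected}


if __name__ == "__main__":
    print(demo())
```

In a cron-driven setup the validation would run between the copy and the rename of step 1, so that a failed transfer leaves the previous, known-good addresses file in place and the scheduled import keeps using it.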
On a Barracuda NG Firewall in the Public Cloud
If your Barracuda NG Firewall is running in the public cloud (AWS or Azure), the custom external network objects will be automatically filled with:
Custom external object number 1 contains the internal IP address.
Custom external object number 2 contains the internal network address.
Custom external object number 3 contains the external IP address.
If you are using multiple virtual network interfaces in AWS, only information for the first interface will be imported. The IP addresses will also be
automatically synced to the NG Control Center.

On a Barracuda NG Control Center


The Barracuda NG Control Center has an established trust relationship with its managed NG Firewall units, so data import can take place directly
into selected boxes or into the CC itself by using the same methods as described above. With such a setup, a separate schedule can be used to
transfer and subsequently move the imported address information to all affected boxes.
On these boxes, the same 5-minute insertion job schedule can be run.
You should not use the -h (HA synchronization) flag when doing this via the CC. The more direct method is to transfer the files to each affected box via a secure copy to the actual box management IP address.
Via linkage, the schedule can be configured on the CC for all affected boxes.
The predefined external objects can be copied into the global objects database and then be used throughout the firewall policy
configuration where appropriate.

Service Objects
Service objects, when applied to a firewall access rule, define which destination and client TCP/UDP ports and/or IP protocols the service applied to the rule can use. By default, the Barracuda NG Firewall contains a set of pre-configured service objects. You can edit these service objects for a custom setup or the use of a non-standard port, or you can create new service objects to reference IP protocols and, if TCP/UDP is used, the destination port numbers.


A service object can consist of the following:
IP Protocol The required protocol (e.g. TCP) for the service used by an access rule.
Ports and Port Ranges The ports or port ranges that the service can use for the protocol.
Dynamic Services Dynamic services.
Plugin Modules Plugins for shared service objects (see Shared Service Objects).
Port Protocol Protection Policies for handling prohibited services.
Shared Service Objects
Shared service objects refer to services using dynamic port allocation. The Firewall service uses firewall plugin modules to dynamically open and
close required ports. For more information, see Firewall Plugin Modules.

Create a New Service Object


For instructions on how to create a new service object, see How to Create Service Objects.

How to Create Service Objects


Create service objects to reference IP protocols and, if TCP/UDP is used, the destination port numbers, when configuring firewall access rules. The Barracuda NG Firewall provides a range of predefined service objects. When creating a new service object, you can also include (reference) other service objects that are already configured.

In this article:

Create a Service Object


Apply a Service Object to a Firewall Rule
Service Object Settings

Create a Service Object


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left menu, click on Services.
3. Click Lock.
4. Right-click the table and select New. The Edit/Create Service Object window opens.
5. Enter a Name for the service object. E.g., POP3 Service.
6. If you want to include an already configured service object, select it from the Any drop down list and click New Reference.
7. Click New Object. The Service Entry Parameters window opens.
8. From the IP Protocol list, select the required protocol. E.g., 006 TCP
For TCP- and UDP-based protocols, you can enter a space-delimited list of ports in the Port Range field. To use all ports for the protocol, enter an asterisk (*). You can also define a port range, such as 3001-3008, or enter a combination of port ranges and a space-delimited list of ports. For example: 25 80 8080 3001-3008
9. In the Port Protocol Protection section, select an action from the Action for prohibited Protocols list.

10. Click OK.


11. Click Send Changes and Activate.
You can now apply the service object to your firewall access rules.
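The Port Range syntax from step 8 (single ports, low-high ranges, a space-delimited mix of both, or * for all ports) is small enough to model exactly. The following Python code is an added example, not Barracuda's implementation: it parses that syntax into inclusive ranges, rejects malformed or reversed entries instead of silently widening the service, and wraps the result in a minimal service object whose match check behaves as the text describes (protocol must match; ports are only evaluated for TCP and UDP). The 1-65535 port bounds, the ServiceObject class and the "POP3 Service" sample with ports 110 and 995 are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed bounds for a TCP/UDP port entry (the page does not state them).
PORT_MIN, PORT_MAX = 1, 65535

PortRange = Tuple[int, int]  # inclusive (low, high)


def parse_port_spec(spec: str) -> List[PortRange]:
    """Parse the Port Range field syntax into inclusive (low, high) tuples.

    Accepts '*', single ports and low-high ranges, space-delimited in any
    combination, e.g. '25 80 8080 3001-3008'. Malformed, reversed or
    out-of-range entries raise ValueError instead of silently widening the
    service object.
    """
    spec = spec.strip()
    if spec == "*":
        return [(PORT_MIN, PORT_MAX)]
    ranges: List[PortRange] = []
    for token in spec.split():
        low_s, dash, high_s = token.partition("-")
        if dash and not high_s:
            raise ValueError(f"malformed port entry {token!r}")
        try:
            low = int(low_s)
            high = int(high_s) if dash else low
        except ValueError:
            raise ValueError(f"malformed port entry {token!r}") from None
        if not (PORT_MIN <= low <= high <= PORT_MAX):
            raise ValueError(f"port entry {token!r} is reversed or outside {PORT_MIN}-{PORT_MAX}")
        ranges.append((low, high))
    if not ranges:
        raise ValueError("empty port specification")
    return ranges


def port_matches(ranges: List[PortRange], port: int) -> bool:
    return any(low <= port <= high for low, high in ranges)


def count_ports(ranges: List[PortRange]) -> int:
    """Distinct ports covered (overlapping entries are counted once)."""
    return len({p for low, high in ranges for p in range(low, high + 1)})


@dataclass
class ServiceObject:
    """A service object: one or more (IP protocol, port ranges) entries."""

    name: str
    entries: List[Tuple[str, List[PortRange]]] = field(default_factory=list)

    def matches(self, protocol: str, port: int = 0) -> bool:
        """Rule-match check: the protocol must match; ports only matter for TCP/UDP."""
        for proto, ranges in self.entries:
            if proto != protocol:
                continue
            if proto not in ("TCP", "UDP") or port_matches(ranges, port):
                return True
        return False

    def widest_entry(self) -> int:
        """Ports opened by the broadest TCP/UDP entry; 65535 flags an '*' entry in review."""
        return max((count_ports(r) for p, r in self.entries if p in ("TCP", "UDP")), default=0)
```

The widest_entry() figure is the one worth reporting in a ruleset review: a service object whose TCP or UDP entry expands to all 65535 ports makes the access rule that references it effectively protocol-only.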
Apply a Service Object to a Firewall Rule
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left navigation, click on Access Rules.
3. Click Lock.
4. Double-click the number of the rule you want to apply the service object to, or right-click it and select Edit Rule. (You can also create a
new rule.)
5. In the Edit Rule window, select the Object Viewer check box.
6. In the Object Viewer window that appears, open the Services tab, and drag the service object to the Service table in the Edit Rule window.
7. Finish your rule configuration.
Service Object Settings
TCP & UDP
Port Range Port or port range the service is running on.
Dyn. Service This parameter is required in conjunction with ONCRPC.

Service Label Here you may enter certain labels. If left empty, well-known service names (available in /etc/services) are used.

It is highly recommended that you use this parameter only for defining service names that are not well-known (for example,
Oracle521).
Client Port Used The port range the firewall uses for the connection. This port range is only used if a dynamic port allocation is required, e.g., as in the 'proxy dynamic' connection type. If you want to enter a custom port range, select Manual Entry and enter the first port in the From field and the last port in the To field. This parameter is not evaluated when the firewall service checks whether the rule matches.
ICMP Echo
Max Ping Size The maximum size allowed for the ping packet.
Min Delay The minimum allowed delay for pinging. The 'FW Flood Ping Protection Activated [4002]' event is generated if this limit is not
met.
General
Session Timeout Time in seconds that a session can remain idle until it is terminated by the firewall (default values: TCP: 86400; UDP:
60; ICMP: 20; all other protocols: 120). This timeout is applied to all TCP connections by counting the time that has passed in a session
since the last traffic transmission. Similarly, it applies an initial timeout to all stateless protocols counting the time until the source has
answered the initial datagram. When the datagram is answered, the Balanced Timeout setting comes into effect.
This parameter can only be used in the forwarding firewall. Setting this parameter in the host firewall has no effect.
Balanced Timeout The time in seconds that a session-like connection established through a non-connection oriented protocol
(all protocols except TCP) can remain idle until it is terminated by the firewall (default values: UDP: 30; ICMP: 10; all other protocols:
120). The balanced timeout comes into effect after the initial datagram sent by the source has been answered and the "session" has
been established. Generally, the balanced timeout should be shorter than the session timeout because it is otherwise overridden by the
session timeout and never comes into effect. The balanced timeout allows for keeping non-connection oriented "sessions" short and
minimizing the amount of concurrent sessions. The larger initial session timeout guarantees that late replies to initial datagrams are
not inevitably dropped.
This parameter is only effective in the forwarding firewall. Setting this parameter in the local firewall has no effect.
Plugin The name and parameters of any plugins that might be required for this object. For more information, see Firewall Plugin Modules.
Port Protocol Protection

Action for prohibited Protocols From this list, select an action that should be taken if prohibited
protocols are detected. For more information, see How to Define Port Protocol Protection.
Detection Policy From this list, select the policy to be applied. For more information, see How to
Define Port Protocol Protection.
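The interplay of Session Timeout and Balanced Timeout described under General is easier to see when replayed against a packet sequence. The following Python code is an added example written for this page, not Barracuda's session tracking: it encodes the documented defaults, applies only the session timeout to TCP, applies the session timeout to a stateless protocol until the initial datagram is answered and the balanced timeout afterwards, and shows why a balanced timeout longer than the session timeout never takes effect. The packet timings are constructed sample data; treating the first packet as the source's initial datagram is an assumption of the model.

```python
from typing import Optional, Sequence, Tuple

# Documented defaults (seconds) for the forwarding firewall.
DEFAULT_SESSION_TIMEOUT = {"TCP": 86400, "UDP": 60, "ICMP": 20}
DEFAULT_BALANCED_TIMEOUT = {"UDP": 30, "ICMP": 10}
OTHER_PROTOCOL_TIMEOUT = 120  # session and balanced default for all other protocols

Packet = Tuple[float, str]  # (seconds, 'out' = source -> destination, 'in' = reply)


def effective_idle_limit(protocol: str, answered: bool,
                         session_timeout: Optional[int] = None,
                         balanced_timeout: Optional[int] = None) -> int:
    """Idle seconds the firewall allows before it terminates the session.

    TCP is connection oriented, so only the session timeout applies. For all
    other protocols the session timeout applies until the initial datagram has
    been answered; afterwards the balanced timeout takes over, but it can only
    shorten the limit: a balanced timeout longer than the session timeout is
    overridden by it and never comes into effect.
    """
    if session_timeout is None:
        session_timeout = DEFAULT_SESSION_TIMEOUT.get(protocol, OTHER_PROTOCOL_TIMEOUT)
    if protocol == "TCP":
        return session_timeout
    if balanced_timeout is None:
        balanced_timeout = DEFAULT_BALANCED_TIMEOUT.get(protocol, OTHER_PROTOCOL_TIMEOUT)
    if not answered:
        return session_timeout
    return min(session_timeout, balanced_timeout)


def session_expiry(protocol: str, packets: Sequence[Packet],
                   session_timeout: Optional[int] = None,
                   balanced_timeout: Optional[int] = None) -> float:
    """Replay the packets of one session and return the time at which it expires.

    The first packet is taken to be the source's initial datagram. If a later
    packet arrives after the session has already idled out, the expiry time of
    the original session is returned; that packet would have to match an
    access rule again as a new session.
    """
    if not packets:
        raise ValueError("a session starts with at least the initial packet")
    answered = False
    last_time = packets[0][0]
    for time, direction in packets[1:]:
        if time < last_time:
            raise ValueError("packets must be in time order")
        limit = effective_idle_limit(protocol, answered, session_timeout, balanced_timeout)
        if time - last_time > limit:
            return last_time + limit  # the session was dropped before this packet
        if direction == "in":
            answered = True  # the balanced timeout applies from now on
        last_time = time
    return last_time + effective_idle_limit(protocol, answered, session_timeout, balanced_timeout)
```

With the defaults, a UDP request answered after 5 seconds is dropped 30 seconds after that reply (balanced timeout), whereas an unanswered request lives for the full 60-second session timeout, which is the "late replies are not inevitably dropped" guarantee the text describes.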
Schedule Objects
To restrict firewall rules to specific times and intervals, configure schedule objects as an additional matching criterion. Schedule objects can be used in host, access, and application rules. Schedule objects provide time granularity in minutes. When time objects are evaluated, the time of the NG Firewall they are running on is used.
The Barracuda NG Firewall, the client running NG Admin, and, if applicable, the NG Control Center must use the correct time for their
respective time zones. Using NTP is highly recommended. For more information, see How to Configure Time Server (NTP) Settings.
A schedule object consists of two time configuration elements that can be combined or used separately:
Recurring Schedule Configure the schedule to be active during specific days and intervals by selecting weekdays and time from a list.
Restrict to time interval Configure the schedule to be active during a specific interval by specifying a date and time span.
For information on how to create schedule objects, see How to Create and Apply Schedule Objects.

In this article:
Recurring Schedules
Time Interval
Schedule Object Options
Legacy Time Restriction Settings for Access Rules

Recurring Schedules
You can restrict the schedule to a specific day and time interval, e.g., every week from Monday at 09:00 until Wednesday at 15:30, by selecting
the Enable Recurring Schedule checkbox. Selecting this option expands the configuration and provides the Recurring Schedule table, where
you specify the days and times for the schedule to be active.
A time schedule entry can cover up to one week, starting on Mon-00:00 and ending on Mo 0:00 of the next week. To enable the schedule for an interval crossing the Mo 00:00 threshold, split the entry. E.g., Fri-15:00 to Mo 0:00 and Mon-00:00 to Tue-10:30.

Time Interval
Selecting the Restrict to time interval checkbox lets you restrict the schedule to a date and time span by specifying the dates and times in the
fields provided by the section.

Schedule Object Options

Terminate existing sessions By default, sessions that match the rule using the schedule object stay active until they are closed or time out. Selecting the Terminate existing sessions checkbox immediately terminates active sessions as soon as the time restriction configured in the schedule applies. Sessions are not terminated between two time intervals which directly follow each other (e.g., Tue 8:00 - Tue 9:00 and Tue 9:00 - Tue 10:00).
Block if schedule does not match When you enable this option, the connection is blocked when the time schedule does not match,
since no further access rule will be evaluated.
Legacy Time Restriction Settings for Access Rules
Existing Time Restrictions (Edit Rule > Advanced > Miscellaneous > Time Restriction) for an access rule override the schedule objects of
an access rule. Barracuda Networks recommends configuring schedule objects instead of time restrictions in an access rule. Barracuda NG
Firewall firmware 6.1 or later no longer supports legacy time restrictions. Use schedule objects instead.

How to Create and Apply Schedule Objects


Create schedule objects to configure rules with a time restriction. When applied to a host rule, application rule, or access rule, the schedule specifies the days and times that an action handled by the rule is allowed or denied. You can also select specific dates that the schedule is valid for. Schedule objects use the time of the NG Firewall they are running on.
In this article:
Before you Begin
Create a Schedule Object
Apply a Schedule Object to a Forwarding Rule
Before you Begin
Verify that the feature level of the Firewall service is set to 6.1 or later.
1. Go to Configuration > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, expand the Settings section and click Setup.
4. Select Release 6.1 from the Feature Level dropdown.
5. Click OK.
6. Click Send Changes and Activate.
Create a Schedule Object
1. Go to Configuration > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, click Schedules.
You can also create a schedule in the Object Viewer while editing an access rule.
4. Click the plus sign to create a new schedule object, or right-click the table and select New Schedule Object. The Schedule window opens.
5. In the Object Name field, enter a name for the schedule.
6. Configure the active time interval for the schedule object:
a. To create a schedule for a recurring interval, e.g., Every Monday - Tuesday 14:00 - 15:00, and Thursday - Friday 09:00 - 15:00:
i. Select the Enable Recurring Schedule checkbox.
ii. Select the weekdays and hours from the dropdown fields provided in the section.
Recurring time intervals must be between Monday 0:00 and Monday 0:00 of the next week. Create multiple entries if the time interval passes the Mo 00:00 threshold. For more information, see Configuring Daytime Intervals in Schedule Objects.
b. To create a schedule for a specific date and time span:
i. Select the Restrict to time interval checkbox.
ii. Enter or select the dates and times in the fields provided in the section.

7. Select Terminate existing sessions if you wish active sessions to be terminated as soon as the time restriction begins.
8. By default, the rest of the access rules in the ruleset are evaluated when the schedule object of the access rule does not match. Select Block if schedule does not match to immediately block the connection when the schedule object does not match. No further rules will be evaluated.
9. Click Save.
The schedule object is now listed in the Schedules window and can be applied to host rules, access rules, or application rules.
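The two rules that matter when building a schedule object, both in the Recurring Schedules description above and in step 6 of this procedure, are that a recurring entry may not cross the Monday 00:00 week boundary (split it in two) and that the firewall's own clock, at minute granularity, decides whether the object matches. The following Python code is an added example, not the appliance's scheduler: it converts "Fri-15:00"-style day/time pairs into minutes since Monday 00:00, splits an interval that crosses the boundary exactly as the text prescribes, evaluates a schedule object that combines recurring entries with an optional date span, and returns the documented outcome for a non-matching connection (next rule, or block when Block if schedule does not match is set). The ScheduleObject class, its field names and the sample dates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

MINUTES_PER_DAY = 24 * 60
WEEK = 7 * MINUTES_PER_DAY  # Monday 00:00 of the next week
# Accepts the page's spellings 'Mon' and 'Mo' alike; datetime.weekday() gives Monday = 0.
_DAY_INDEX = {"mo": 0, "tu": 1, "we": 2, "th": 3, "fr": 4, "sa": 5, "su": 6}

Interval = Tuple[int, int]  # half-open [start, end) in minutes since Monday 00:00


def week_minute(spec: str) -> int:
    """'Fri-15:00' or 'Mo-0:00' -> minutes since Monday 00:00 (0 .. WEEK-1)."""
    day, _, clock = spec.partition("-")
    hour_s, _, minute_s = clock.partition(":")
    try:
        day_index = _DAY_INDEX[day[:2].lower()]
        hour, minute = int(hour_s), int(minute_s)
    except (KeyError, ValueError):
        raise ValueError(f"bad schedule time {spec!r}") from None
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"bad schedule time {spec!r}")
    return day_index * MINUTES_PER_DAY + hour * 60 + minute


def recurring_entries(start: str, end: str) -> List[Interval]:
    """Turn one start/end pair into table entries, splitting at Monday 00:00.

    An entry may not cross the week boundary, so 'Fri-15:00' to 'Tue-10:30'
    becomes two entries: Fri-15:00..Mo-0:00 and Mon-00:00..Tue-10:30. An end
    of Mo-0:00 means the end of the week; start == end covers the whole week.
    """
    s, e = week_minute(start), week_minute(end)
    if e > s:
        return [(s, e)]
    entries = [(s, WEEK)]
    if e > 0:
        entries.append((0, e))
    return entries


def is_active(entries: List[Interval], when: datetime) -> bool:
    """Minute-granularity check against the firewall's own local clock."""
    m = when.weekday() * MINUTES_PER_DAY + when.hour * 60 + when.minute
    return any(start <= m < end for start, end in entries)


@dataclass
class ScheduleObject:
    """Recurring entries and/or a date span; both apply when both are set."""

    name: str
    recurring: List[Interval] = field(default_factory=list)
    interval: Optional[Tuple[datetime, datetime]] = None
    terminate_existing: bool = False
    block_if_no_match: bool = False

    def matches(self, when: datetime) -> bool:
        if self.recurring and not is_active(self.recurring, when):
            return False
        if self.interval is not None:
            start, end = self.interval
            if not (start <= when < end):
                return False
        return True

    def rule_outcome(self, when: datetime) -> str:
        """What happens to a new connection hitting a rule that uses this object."""
        if self.matches(when):
            return "match"
        return "block" if self.block_if_no_match else "next_rule"
```

The dates in the test below are chosen so that 2024-01-01 is a Monday; the firewall's own clock, not NG Admin's, is what the evaluation must use, which is why the datetime passed in should come from the box's time zone.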

Apply a Schedule Object to a Forwarding Rule


1. Go to Configuration > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. Edit the rule that you want to apply the schedule to.
4. Select the time object from the Schedules dropdown.
5. Click OK.
6. Click Send Changes and Activate.

How to Create a Custom Connection Object


Connection objects are used to rewrite the source IP address of a connection. Connection objects are also used for outbound load balancing and failover support. A custom connection object allows you to combine load balancing / failover support with a custom source IP address.
Create a Custom Connection Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left navigation click on Connections.
3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
4. In the Name field, enter a name for the connection object. E.g., CustomConnectionObject
5. From the NAT Address list, select how the source address should be determined for your connection:
Client | No Src NAT Uses the source IP.
Source-based NAT Dynamically chosen according to firewall routing tables. This is a general purpose option.
Src NAT 1st Srv IP (Proxyfirst) Uses the First-IP [IP1] configured in the virtual Server Properties the firewall service is running on.
Src NAT 2nd Srv IP (Proxysecond) Uses the Second-IP [IP2] configured in the virtual Server Properties the firewall service is running on.
Explicit Explicitly specified IP address. May be used to restrict the bind address to a specific address. Selecting Explicit activates further options below and in section Firewall Configuration Service Objects General Settings, section Failover and Load Balancing:
Same Port Ticking this checkbox enforces use of the same client port when establishing the connection.
Explicit IP Here the specific IP address is to be entered.
Create Proxy ARP If the explicitly defined IP address does not exist locally, an appropriate Proxy ARP entry may be created by selecting this checkbox.
From Interface Explicitly specified interface. May be used to restrict the bind address to a specific interface. Selecting Interface activates further options below and in section Firewall Configuration Service Objects General Settings, section Failover and Load Balancing:
Interface Name Here the name of the affected interface is to be entered.
Translation Table Source NAT for a complete subnet. In order to avoid misconfiguration, only netmasks of up to 16 bits can be used. Otherwise, a Proxy ARP with 10.0.0.0/8 would "blank out" the whole internal network, for example.
If you define a map, make sure that the source range using this connection is equal to or smaller than the map range. If not, the firewall will wrap the larger source net into the smaller bind net. E.g., if you use an X.X.X.X/24 network as source and a Y.Y.Y.Y/25 as the map range, the IP address X.X.X.128 is mapped to Y.Y.Y.1.
6. Map to Network Here the specific mapping network is to be entered.
7. Netmask Here the corresponding netmask is to be entered.
8. Proxy ARP This parameter is needed by a router if the addresses live in its local network. For more information, see How to Create Proxy ARP Objects.
If the connection object applies to a multi-transport VPN tunnel, you can define the preferred and secondary transport class in
the VPN Traffic Intelligence (TI) Settings section.

9. Click OK.
10. Click Send Changes and Activate.
You can now apply the connection object to your firewall rules. Double-click a rule's number (or right-click an existing firewall rule and select Edit Rule) to open the rule configuration. From the left navigation pane, select the Object Viewer check box to drag connection objects from the Object Viewer window to the Connection Method table.
Parameters
General Settings
Parameter: Description
Name: Name of the connection object.
Description: Significant connection object description.
Connection Color: Choose a color in which you want the connection object to be displayed in the Firewall - Connections window.
Connection Timeout: This general option for all connection types is the timeout for trying to establish a connection. The default value is 30 seconds. Increasing this value can be useful for very protracted connection partners. Decreasing this value can be useful for faster failover mechanisms.
NAT Address: This parameter specifies the Bind IP. The following options are available:
Proxyfirst | Src NAT - 1st Server IP: First IP address of the server under which the firewall service is operating. May be used to restrict the bind address or when policy routing is activated.
Proxysecond | Src NAT - 2nd Server IP: Second IP address of the server under which the firewall service is operating. May be used to restrict the bind address or when policy routing is activated.
Proxy Dyn | Dynamic Source NAT (default): Dynamically chosen according to firewall routing tables. This is a general purpose option.
Client | No Src NAT: IP address of the client. Source IP = Bind IP.
Explicit: Explicitly specified IP address. May be used to restrict the bind address to a specific address. Selecting Explicit activates further options below and in section Firewall Configuration Service Objects - General Settings, section Failover and Load Balancing:
Same Port: Ticking this checkbox enforces use of the same client port when establishing the connection.
Explicit IP: Here the specific IP address is to be entered.
Create Proxy ARP: If the explicitly defined IP address does not exist locally, an appropriate Proxy ARP entry may be created by selecting this checkbox.
From Interface: Explicitly specified interface. May be used to restrict the bind address to a specific interface. Selecting Interface activates further options below and in section Firewall Configuration Service Objects - General Settings, section Failover and Load Balancing:
Interface Name: Here the name of the affected interface is to be entered.
Translation Table: Source NAT for a complete subnet. In order to avoid dramatic misconfiguration, the netmask is limited to up to 16 bits. Otherwise, a Proxy ARP with 10.0.0.0/8 would "blank out" the whole internal network, for example. If you define a map, you have to make sure that the source range using this connection is equal to or smaller than the map range. If not, the firewall will wrap the larger source net into the smaller bind net.
Map to Network: Here the specific mapping network is to be entered.
Netmask: Here the corresponding netmask is to be entered.
Proxy ARP: This parameter is needed by a router if the addresses live in its local network. For more information, see How to Create Proxy ARP Objects.

The section Failover and Load Balancing is only available with parameter Address Selection set to Explicit or Interface.
Failover and Load Balancing
Parameter: Description
Policy: This parameter allows you to specify what should happen if the connection cannot be established. Especially when having multiple providers and policy routing, this parameter comes in handy because it allows you to specify which IP address/interface has to be used for backup reasons. Otherwise, connecting via the backup provider using the wrong IP address in conjunction with the backup provider would make routing back quite impossible. Available policies are:
NONE (No Fallback or Source Address Cycling) [default setting]: Selecting this option deactivates the fallback feature.
Fallback (Fallback to alternative Source Addresses): Causes use of the alternative IP addresses/interfaces specified below.
SEQ (Sequentially Cycle Source Addresses): Causes cycling of the IP addresses/interfaces specified below.
RAND (Randomize Source Addresses): Causes randomized usage of the IP addresses/interfaces specified below.
Configuration examples related to multipath routing are described below in more detail in the section Barracuda NG Firewall Multipath Routing.
Alternative/Type: Here up to three alternative IP addresses or interfaces can be configured for use with the selected policy. Usage of alternative interfaces is recommended when no permanently assigned IP address exists on an interface.
Weight: Assigns a weight number to the IP address or interface. Higher numbers mean higher priority. When performing load balancing, the weight numbers represent the traffic balancing ratio of the available links. A weight ratio of 40:20:10 means that traffic is balanced over the configured interfaces in a ratio of 4:2:1. Thus the first link will process twice as much traffic as link two and four times as much as link three.
VPN Traffic Intelligence (TI) Settings


Settings configured in this section only apply to Traffic Intelligence configuration in combination with TINA tunnel VPN technology. See Traffic
Intelligence for details.

How to Create NAT Tables (Translation Maps)


NAT Tables are an extended type of source NAT for a network or IP address range. The NAT Table connection object rewrites the source IP address to a source NAT IP address range. To rewrite both the destination and the source address of the connection, you can use a NAT Table connection object with a MAP firewall rule. You can enter multiple rewriting maps, which are processed from top to bottom. The first matching rewrite map is used.

Create a NAT Table Connection Object


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. From the left menu, click Connections.
3. Click Lock.
4. Right-click the table and select New >NAT Table.
5. Enter a Name for the NAT Table.
If you want to use this NAT Table in a firewall rule, select this name from the Connection list in the firewall rule settings.
6. In the Original Address/Net/Range field, enter the source IP range or network.
7. In the Translated Address field, enter the network that you want the source IP address or network to be rewritten to.
8. Unless the destination network is connected by a Layer 2 bridge to the source network, select the Proxy ARP check box.

9. Click New to add the addresses to the list.
10. Click OK.
11.

Application Control 2.0


You can use Application Control 2.0 in combination with HTTP(S) proxies. However, the detection of sub-applications might not be available
depending on the configuration and type of proxy service. For more information, see Using Application Control 2.0 with HTTP(S) Proxies.
In this article:
Understanding Application Control 2.0
Using Application Control 2.0
Understanding Application Control 2.0

Because applications either are web-based or connect via SSL or TLS encrypted connections to servers in the Internet, they can be detected and then controlled as they pass the Barracuda NG Firewall. If Application Control 2.0 and SSL Interception are enabled in the forwarding firewall rule that handles the application traffic, the traffic is sent to the application rule set and processed as follows:
1. SSL traffic is decrypted.
2. Application rules are processed from top to bottom to determine if they match the traffic. If no rule matches, the default application policy
is applied.
3. If a matching application rule is found, the detected application is handled according to the rule settings. The application can be reported,
or it can be restricted by time, bandwidth (QoS), user information, or content (e.g., MPEG).
4. If the traffic was decrypted, it is re-encrypted.
5. The traffic is sent back to the forwarding firewall, which forwards it to its destination.

Using Application Control 2.0

How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus Scanning and ATD
Application Rule Set and Lists
How to Create a Custom Application Object
How to Create an Application Object
How to Create a Protocol Object
How to Create an Application Filter
How to Create an Application Rule
Application Based Provider Selection

How to Override the Risk Classification of an Application


How to Create an URL Filter Match Object
How to Create an URL Filter Policy Object
Using Application Control 2.0 with HTTP(S) Proxies

How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus Scanning and ATD
Before creating application rules, you must enable Application Control 2.0. You can also enable and configure the SSL Interception feature, Virus Scanning or ATD in the Firewall. Application Control 2.0, SSL Interception and Virus Scanning are only supported for IPv4 traffic.
Virus Scanning or SSL Interception cannot be used on layer 2 bridging interfaces that are not assigned an IP address. Use routed layer 2 or layer 3 bridging interfaces instead.
In this article:
Supported NG Firewall Models
Enable Application Control 2.0
Enable SSL Interception
Enable the URL Filter
Enable Virus Scanner in the Firewall
Enable Advanced Threat Detection (ATD)
Configure Advanced SSL Interception Settings
Certificate Management
Certificate Management with Intermediate Certificate Authorities
Supported NG Firewall Models
Feature: Supported NG Firewall Model
Application Control 2.0: Available on all Barracuda NG Firewall models with valid Energize Update subscription. On hardware models without valid Energize Update subscription or with a legacy phion license, Application Control 2.0 is limited to detecting applications only.
SSL Interception: Available on all Barracuda NG Firewall models with valid Energize Update subscription, except F10 and F100/F101.
URL Filtering: Available on all Barracuda NG Firewall models with valid Energize Update subscription, except F10.
Virus Scanning: Available on all Barracuda NG Firewall models with valid Energize Update and Malware subscription, except F10 and F100/F101.
Advanced Threat Detection: Available on all Barracuda NG Firewall models with valid Energize Update, Malware and Advanced Threat Detection subscription, except F10 and F100/F101.

Enable Application Control 2.0


1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left menu, expand Settings and click Setup. The Ruleset Setup window opens.

3. Verify that the correct Feature Level is selected:
Feature: Required Firewall Feature Level
Application Control 2.0: Release 5.4.0 or higher
SSL Interception: Release 5.4.0 or higher
URL Filter: Release 5.4.2 or higher
Virus Scanning in the Firewall: Release 5.4.3 or higher
ATD: Release 6.0.0 or higher
Safe Search: Release 6.1.0 or higher
YouTube for Schools: Release 6.1.0 or higher
4. To enable the use of application rules, select Use Application Ruleset from the Application Ruleset list.

5. Click OK.
6. Click Send Changes and Activate.
Enable SSL Interception
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Sec
urity Policy.
2. Click Lock.
3. Select the Enable SSL Interception check box.
4. In the Root Certificate section, either select Use self signed certificate or add your certificate by clicking the plus sign (+). The root
certificate is used to intercept, proxy, and inspect the HTTP/S session. The Barracuda NG Firewall can then intercept the HTTP/S
connections by presenting the client with a CA that was derived from this root CA.
When changing the root certificate, the firewall service must be restarted on the Server Page.
5. In the Trusted Root Certificates table, you can extend the default set of trusted root certificates by clicking the plus sign (+). To view the
Barracuda NG Firewall's certificate store, click the Show CA Certificates link.
6. Select the Enable CRL Checks check box to automatically check for revoked CA certificates.
7. In the Exception Handling section, add domains that should be excluded from SSL Interception. SSL-encrypted traffic to and from these
domains is not decrypted, although SSL Interception is globally enabled.
8. In the Block Settings section, enter a browser message that should be displayed when traffic is blocked.
9. Click Send Changes and Activate.
To ensure that SSL interception is activated, you must enable Application Control and SSL Interception in the settings of the forwarding
firewall rules that it should apply to. For more information, see How to Create an Application Rule.
Enable the URL Filter
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration.
2. Click Lock.
3. From the Configuration menu in the left pane, click Application Detection.
4. Set the Working Mode to On.
5. Click Send Changes and Activate.

Create URL Filter Policy objects or URL Filter Match objects to use the URL Filter in the Application rules. For more information, see How to
Create an URL Filter Policy Object and How to Create an URL Filter Match Object.
Enable Virus Scanner in the Firewall
After configuring the virus scanner service, virus scanning in the firewall must be enabled in the Security Policy settings.
For more information, see How to Configure Virus Scanning in the Firewall.
Enable Advanced Threat Detection (ATD)
ATD is enabled in the Security Policy settings of the Firewall service.
For more information, see How to Configure ATD in the Firewall.
Configure Advanced SSL Interception Settings
For SSL Interception, you can also configure advanced settings such as the number of working instances that are involved in the SSL decryption
process, log verbosity, or CRL checks.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Security Policies.
2. Click the Advanced link in the upper right of the Security Policy page. The SSL Interception Advanced window opens.

3. Change the advanced SSL Interception settings according to your requirements:

Number of Workers The number of working instances to be involved in the SSL decryption and encryption process. Default: auto
Maximum Workers The maximum number of working instances that decrypt and encrypt SSL connections. When all workers are in use, new SSL connections are refused. Default: auto
Worker Idle Timeout The timeout for the working instances involved in the SSL decryption and encryption process. Default: 0
Log Verbosity You can select one of the following log granularity options: Normal, Verbose or Debug.
Ignore Validation Status Since the clients cannot check the revocation status of server certificates for intercepted SSL connections, you can configure the default validation policy for all intercepted SSL connections for which CRL/OCSP checks could not be performed. Default: Yes
Yes The NG Firewall creates a valid certificate for the client as long as the content of the server certificate validates.
No The NG Firewall creates an invalid certificate to let the client know that CRL/OCSP checks could not be performed.
SSL version handling
Allow (obsolete) SSLv2 Enable if you must support clients that are SSLv2 only.
Allow (obsolete) SSLv3 Enable if you must support clients that are SSLv3 only.
OpenSSL cipher string You can set a custom cipher string. By default, the Barracuda NG Firewall uses the DEFAULT cipher string of the OpenSSL version used in the firmware.

4. Click OK.
5. Click Send Changes and Activate.
Certificate Management
The SSL Interception process breaks the certificate trust chain. To reestablish the trust chain, you must install the security certificate (root certificate) and, if applicable, the intermediate certificates that are used by the SSL Interception engine on every client in your network. To prevent browser warnings and allow transparent SSL interception, install the security certificate into the operating system's or web browser's certificate store.
1. On the Security Policy page, click the edit icon next to (Self Signed) Certificate and click Export to file.
2. Enter a name, select *.cer as file type, and click Save.
3. Deploy this certificate to the computers in your network. Either create a group policy object or install the certificate manually (MS
Certificate Import wizard). Ensure that you deploy the certificate into MS Windows' Trusted Root Certification Authorities certificate
store.
Mozilla Firefox does not automatically use trusted CA certificates installed in MS Windows' certificate store.
Certificate Management with Intermediate Certificate Authorities
Intermediate CAs are not directly delivered from the Barracuda NG Firewall to the client and must be deployed manually from the Microsoft Active
Directory PKI.
1. Use Microsoft Internet Explorer and connect to your MS Active Directory Certificate Services server. For example, https://127.0.0.1/certsrv
2. Click Request a Certificate and select advanced certificate request.
3. Click Create and submit a request to this CA and answer all questions with Yes.
4. Select Subordinate Certification Authority from the Certificate Template.
5. Fill out the form below.
6. Select your key size in the Key Options section and select the Mark keys as exportable check box.
7. Click Submit and answer all questions with Yes.
8. Click Install this certificate.
After the certificate is installed successfully, start the MS Active Directory's management console.
1. Open the Certificates - Current User snap-in.
2. Right-click the Intermediate Certification Authorities\Certificates section and select your certificate.
3. Select All Tasks > Export in the upcoming window.
4. Click Next to proceed.
5. In the Export Private Key window, select Yes, export the private key and proceed.
6. Enter a password and click Next.
7. Select the export destination folder and enter a file name.
8. Click Finish.
9. After the certificate has been exported, rename the file extension from *.pfx to *.p12.
10. Use openssl to extract the private key from your *.p12 file. Enter the following command:

openssl.exe pkcs12 -in <filename>.p12 -nocerts -nodes -out privateKey.pem

11. Enter the password entered in step 6.


12. Use openssl to convert the key file to RSA. Enter the following command:

openssl.exe rsa -in privateKey.pem -out yourPrivateKey.pem

13. You can now import the certificate (*.p12) and private key (*.pem) pair to be used for SSL Interception.
14. Install the certificate (*.p12) and Root CA from which the certificate was derived, on the certificate store of affected clients.
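The export-and-convert steps above, reproduced with OpenSSL as an added example that is not part of the Barracuda documentation: it builds a throwaway *.p12 bundle in place of the Windows export, runs the same pkcs12 and rsa conversions, and then checks that the extracted key actually belongs to the certificate before the pair is imported into SSL Interception. The file names, the password and the demo CA name are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Barracuda documentation): reproduce the
# export-and-convert procedure with OpenSSL and verify that the extracted
# private key belongs to the certificate in the *.p12 bundle.
# All file names, the CA name and the password are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12_PASS="demo-export-password"   # stands in for the password chosen in step 6

# Build a throwaway CA-style bundle so the example runs offline.
# In the real procedure the *.p12 is the renamed *.pfx from the Windows export.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo SSL Interception Intermediate CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$WORK/demo-key.pem" -out "$WORK/demo-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/demo-key.pem" -in "$WORK/demo-cert.pem" \
        -passout "pass:$P12_PASS" -out "$WORK/intercept-ca.p12"
}

# Steps 10 to 12 of the procedure: pull the key out of the PKCS#12 file, then
# rewrite it as a bare key file. The second command is what strips the
# "Bag Attributes" header that the first command leaves in privateKey.pem.
# A *.p12 written by an older Windows release may use RC2-based encryption;
# OpenSSL 3 then needs the extra -legacy option on the pkcs12 commands.
extract_key() {
    p12="$1"
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$P12_PASS" \
        -out "$WORK/privateKey.pem" 2>/dev/null
    openssl rsa -in "$WORK/privateKey.pem" -out "$WORK/yourPrivateKey.pem" 2>/dev/null
    # Also pull the certificate out of the bundle so the pair can be checked.
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$P12_PASS" \
        -out "$WORK/cert.pem" 2>/dev/null
}

# The check to run before importing the pair into SSL Interception: the key
# and the certificate must share the same RSA modulus. Prints "match" or
# "mismatch". Arguments: key file, certificate file.
verify_pair() {
    key_mod="$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)"
    crt_mod="$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)"
    if [ "$key_mod" = "$crt_mod" ]; then echo match; else echo mismatch; fi
}

# Full walk-through: create the bundle, convert it, verify the resulting pair.
run_demo() {
    make_demo_bundle
    extract_key "$WORK/intercept-ca.p12"
    verify_pair "$WORK/yourPrivateKey.pem" "$WORK/cert.pem"
}
```

Run `run_demo` to see "match"; a key that does not belong to the certificate reports "mismatch", which is the case to catch before deploying the pair.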

Application Rule Set and Lists


On the Forwarding Firewall - Rules page, you can view and configure the application rule set. You can also view the list of application and URL
filter objects that can be used in application rules.
In this article:
Application Rule Set
Application Objects List
URL Filter Objects List
Application Rule Set
In the Application Rules section of the Forwarding Firewall - Rules page, you can view and edit the application rule set. It lists all of the application rules that have been created. After adding a new application rule, you can directly edit specific rules. For more information, see Firewall Access Rules.
The following figure displays the application rule set.

In the rule set, the information and settings for each rule are organized into the following columns:

Name The name of the application rule.
Application The applications and sub-applications that are affected by the rule. You can either statically assign specific applications or use an application object. Barracuda Networks recommends that you use Application Objects or Application Filters instead of linking static applications to access rules.
Content The types of multimedia content that are affected by the rule. You can choose to globally block Flash, AVI, MPEG, QuickTime, and RealMedia content in websites.
URL Filter Match The URL Filter Match policies that are affected by the rule. You can either statically assign specific URL filters or use an existing URL filter match object. Barracuda Networks recommends that you use URL Filter Match Objects instead of linking static URL Filter Match policies to access rules.
URL Filter Policy The URL Filter Policies that are affected by the rule. You can either statically assign specific URL policies or use an existing URL Filter Policy object. Barracuda Networks recommends that you use URL Filter Policy Objects instead of linking static URL Filter policies to access rules.
Protocol The protocols that are affected by the rule. With protocols, traffic can be controlled without having to match criteria like source or destination network. For example, you can select protocols to globally detect IPsec or SMTP network traffic and apply QoS policies to prioritize business-critical network communications without needing to know the origin or target.
User The users and user groups who are affected by the rule.
Schedule The time or date during which the rule can be applied.
QoS The traffic shaping settings that are used by the rule. For more information, see Traffic Shaping and How to Create and Apply QoS Bands.
Action The action that is performed when the application is accessed by the user (Deny or Pass).
Source The source network address of the traffic that is affected by the rule. Because the source network is already evaluated in the Access Rule set, you can either use Any or enter specific IP addresses.
Destination The destination network address of the traffic that is affected by the rule. Because the destination network is already evaluated in the Access Rule set, you can either use Any or enter specific IP addresses.
Comment Optional. Additional information about the application rule.
IPS Policy The Intrusion Prevention System (IPS) policy that is enforced by the rule. For more information on IPS, see Intrusion Prevention System (IPS).
Usage Optional. Additional information about the application rule.
TI-Settings The Traffic Intelligence (TI) settings. For more information, see Traffic Intelligence.

Application Objects List

In the Applications section of the Forwarding Firewall - Rules page, you can view, create, and edit the applications and application objects that
are used in application rules. Applications are organized into the following categories:
Application Object Lists any application objects that you have created. An application object is a reusable combination of predefined
applications, custom applications, and other applications objects. Application objects help simplify the configuration of application rules.
For more information, see How to Create an Application Object.
Protocol Object Lists any protocol objects that you have created. A protocol object is a reusable combination of predefined
protocols. For more information, see How to Create a Protocol Object.
Custom Application Lists any custom applications that you have created. If the default Application Control 2.0 pattern database does
not cover an application that you want to use in your application rules, you can customize an application. For more information, see How
to Create a Custom Application Object.
Application Overrides Lists any applications whose risk levels you have changed. For more information, see How to Override the Risk
Classification of an Application.
Applications Lists predefined applications from the Application Control 2.0 database.
The following figure displays the Applications section.

The following information is provided for each application and application object:

Name The name of the application including the icon of the service/application.
Ref by The reference to which application object the selection points. This is applied when an
application filter is created. Note that referenced objects cannot be deleted.
Description A description of the application including type and features.
Comment General information about the application.
URL Filter Objects List
In the URL Filter section of the Forwarding Firewall - Rules page, you can view, create, and edit URL filter objects that are used in application
rules.

The following information is provided for each URL filter object:


Name The name of the URL filter object.
Ref by The reference to which URL filter object the selection points. Note that referenced objects cannot be deleted.
Description A description of the URL filter object, including type and features.

Comment General information about the URL filter object.

How to Create a Custom Application Object


If the default Application Control 2.0 pattern database does not include an application that you want to use in your application rules, you can
create a custom application object. Select a template for an existing application and configure it to match the application that you want to drop,
throttle, prioritize, or report.
Create a Custom Application Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left menu, expand Firewall Objects and select Applications.
3. Click Lock.
4. Create the custom application by either right-clicking the table and selecting New > Custom Application or using the icons in the
top-right area of the rule set.
5. Select an application to customize and click OK.

6. You can customize the following settings for the application:


Name The name of the application.
Comment Additional information about the application.
Category The category of the application.
Risk The risk level of the application, from 1 (low) to 4 (high).
Properties The properties of the application.
Application Name If you want to customize specific components of the application, add the component names. To get the name of a component, go to the Firewall > Monitor page, click the application, and see the Deep Application Control window in the Application Statistics section.
Examples:
Facebook Use the canvas name of the FB application: https://apps.facebook.com/<canvasname>.
SSL Create matching criteria based on X.509 certificate content.
Web browsing Create matching criteria based on URL host (www.acme.com) or URL path (/images?/)
7. Click Save.
The following figure displays the process for creating a custom application.

How to Create an Application Object


An application object is a reusable combination of predefined applications and custom applications. You can use application objects to create your
own set of applications with custom include and exclude lists.
Create an Application Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. In the left menu, expand Firewall Objects and select Applications.


4. Create the application by either right-clicking the table and selecting New > Application Object or using the icons in the top-right area of
the rule set.
5. Filter the available applications by Name or Category.
6. Select the applications that you want to add to your application objects and either drag them to the Application Set section or click the
plus sign (+) that appears in the Name column.
If an application consists of more than one component, you can add the parent application to also add the child objects.
7. Click Result to view a list of all currently selected applications.
8. To exclude specific sub-applications from applications consisting of more than one component:
a. Expand the application.
b. Click the minus icon (-) icon next to the application features that you want to exclude.
The base component belongs to the application and must never be excluded separately.
9. Click Save.
10. Click Send Changes and Activate.
The following figure displays the process for creating an application object:

How to Create a Protocol Object


Internet communication systems are based on defined protocols that reside in the application layer (most common: HTTP, HTTPS, or SMTP) and
guarantee that users can visit websites, access encrypted online banking accounts, and send emails through the web. Although Application
Control 2.0 works on the application layer and detects applications based on communication patterns, you still want to have full control over
generic network communication protocols like IPsec, BGP or SIP. In critical back-end environments (like MSSP), Application Control 2.0 detection
based on protocol objects is the right tool to detect, classify, regulate, or even block generic IP-based protocols independent from communication
criteria like source and destination network or even protocol.
Create a Protocol Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. In the left menu, expand Firewall Objects and select Applications.
4. Create the protocol object by either right-clicking the table and selecting New > Protocol Object or using the icons in the top-right area of
the rule set.
5. Either search or filter for the protocols to include in the object.
6. Add protocols by either dragging them to the Protocol Set section or clicking the plus sign (+) next to their names.
7. If an application consists of more than one component, you can add the parent application to also add the child objects.
8. Click Save.
9. Click Send Changes and Activate.
The following figure displays the process for creating a protocol object.

How to Create an Application Filter


Application filters are objects that are dynamically updated to include applications based on category, risk, or properties selection. Any
applications that match the criteria of the application filter are automatically added to the application filter object.
Create an Application Filter
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. In the left menu, click Applications.
4. Create the filter by right-clicking the table and selecting New > Application Filter or using the icons in the top-right area of the rule set.
5. Select the categories, risk level, and properties for the applications to be filtered into the object.
6. Click Save.
7. Click Send Changes and Activate.
The following figure displays the process for creating an application filter.

How to Create an Application Rule


Configuring an application rule is similar to configuring an access rule. You can enable Application Control 2.0 features on a per-access-rule basis. Application rules allow you to block or throttle traffic for detected applications. You can optionally combine the application rule with a URL filter policy object. The application ruleset is evaluated every time an access rule that has any of the Application Control options enabled matches. Make sure the matching access rule allows all protocols needed for the applications you are creating policies for. The application ruleset can be created as a positive or negative list, depending on whether the default policy is set to allow or block undetected applications. In most cases, setting the default policy to allow undetected applications and then creating application rules to block or throttle application traffic is the recommended setup.
In this article:
Before you Begin
Step 1. Enable Application Control Features in the Access Rule
Step 2. Create an Application Rule
Additional Matching Criteria
URL Filter
Applying Traffic Shaping to Detected Applications
Before you Begin
Verify that you have enabled Application Control 2.0 and that you are using the latest feature level of the Firewall service. For more
information, see How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus Scanning and ATD.
Create Application Objects and/or Application Filters necessary for your application policies. For more information, see How to Create
an Application Object and How to Create an Application Filter.
Step 1. Enable Application Control Features in the Access Rule
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Double-click to edit the access rule you want to enable application control for.
3. Click the Application Policy link.
4. Select the Application Control 2.0 features used for this access rule:
Application Control
SSL Interception
URL Filter
AV Scan
ATD
Safe Search
YouTube for Schools

5. Click OK.
6. Click Send Changes and Activate.
Step 2. Create an Application Rule
For each application policy create an application rule. Rules are evaluated from the top to bottom. The action set in the first matching rule is
executed.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left menu, click Application Rules.
3. Click Lock.
4. Click the green plus sign (+) in the top right of the page or right-click the rule set and select New > Rule. An application rule New Rule is
added to the application ruleset.

5. Double click on the New Rule application rule you just created. The Edit Rule window opens.
6. Select Pass or Deny as the action.
7. Enter a name for the rule. For example, LAN-DMZ.
8. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source The source addresses of the traffic. The source must be the same as or a subset of the source of the matching access rule.
Destination The destination addresses of the traffic. The destination must be the same as or a subset of the destination of the matching access rule.
Application Select the application object or application filter.

For the example access rule displayed above, a network object named FacebookAndGooglePlus has been created. For more
information, see How to Create an Application Object and How to Create an Application Filter.
9. Set Additional Matching Criteria or change the QoS Bands as needed (see below).
10. Click OK.
11. Drag and drop the application rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is
located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
12. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User Select a user object to apply this application policy only to a specific user group. For example, you can use this to
allow social media access to specific employees, whereas an application policy below denies it for everybody else. For more information,
see User Objects.
Schedule Objects Applies time restrictions to the application policy. For example, you can use a schedule object to throttle social
media during office hours. For more information, see Schedule Objects.

Protocol Selecting a protocol object for a detected application allows you to apply a policy that denies the application the use of this protocol, or alternatively applies a higher traffic shaping queue to the VoIP feature of an application. Protocols not allowed by the matching access rule cannot be allowed in the application rule. For more information, see How to Create a Protocol Object.
Content To block or allow specific content types, you can select from the following content types:
Any
AVI
Flash
MPEG
Quicktime
Realmedia
URL Filter
You can combine URL filtering with application control. Use URL filter policy objects or URL Filter Match objects to block website categories.
URL Filter Policy URL Filter policies define the allow/block/warn/alert policy for every URL filter category. To apply that policy to the
application rule select the URL filter policy object from the list. For more information, see How to Create an URL Filter Policy Object.

URL Filter Matching URL Filter matching is used to assign additional policies such as traffic shaping or TI settings to web categories.
For more information, see How to Create an URL Filter Match Object.

Applying Traffic Shaping to Detected Applications

Besides allowing or denying applications, you can also change the QoS Band assigned to the traffic matching this application rule. This allows you to throttle or prioritize applications as needed. By default, the QoS Band of the matching access rule is used. For more information, see Traffic Shaping.
Change the QoS Band Select this checkbox to use a different QoS band than the QoS band used by the matching access rule.
QoS Band (Fwd) Select the QoS Band to be applied to the outgoing application traffic matching this application rule.
QoS Band (Reply) Select the QoS Band to be applied to the incoming application traffic matching this application rule.

Application Based Provider Selection


You can specify which link is used for an application by creating an application based link selection connection object. In this object, add
applications or application categories, and then assign them to a connection object that includes the links that they must use.
The Barracuda NG Firewall detects the application as the client connects and routes the traffic through the link that is defined in the application
based link selection connection object. If the application is not explicitly defined, the default connection policy is used.

In this article:
Before You Begin
Step 1. Create an Application Link Connection Object
Step 2. Create a Firewall Rule
Before You Begin
Before you create an application based link selection connection object, complete the following:
Enable Application Control 2.0. For more information, see Application Control 2.0.
Create connection objects for every ISP line that you want to route application traffic over. For more information on how to create
connection objects, see Connection Objects.
Step 1. Create an Application Link Connection Object
To create an application link connection object:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. In the left menu, click Connections.
3. Click Lock.
4. Right-click the table and select New > Application Based Link Selection.
5. In the Edit Application Based Link Selection Object window, specify the following settings:
Object Name Enter a name for the connection object (e.g., AppBasedProviderSelection).
Default Connection Select the default connection from the list by clicking the link. Traffic that is not defined in the application
based links is routed over this connection.
6. For every application or application category that you want to add:
a. Click the plus sign (+) to add an application based link entry.
b. Edit the Name of the new entry.
c. Select the Connection Object for the ISP to route the detected application traffic (e.g., Source NAT with DHCP for the first
DHCP line).
d. Double-click the Condition field.
e. In the Edit Condition window, click the No Application selected tab.
f. Either add applications from the list by category or double-click the entry. You can also filter the application list by selecting Category, Risk, and Properties.

g. Click Save.

h. Click Save.
7. Click Send Changes and Activate.
The application link connection object is now in the Connections list.
Step 2. Create a Firewall Rule
Create a firewall rule to redirect the application traffic. Alternatively, you can also edit an existing matching firewall rule.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Right-click the Main Rules table and select New > Rule to create a new firewall rule.
4. Create a Pass firewall rule with the following settings:
Source Select Trusted LAN.
Service Select the type of service.
Destination Select Internet.
Application Policy Select App Control + SSL Interception.
Connection Method Select the application link connection object that you created in Step 1 (e.g., AppBasedProviderSelection).

5. Click OK.
6. Click Send Changes and Activate.
All applications are now routed over the provider selected in the application based link selection object. Go to the Firewall > History page to
monitor which link is selected for the applications defined in the connection object.

How to Override the Risk Classification of an Application

Every application pattern delivered with the Barracuda NG Firewall's Application Control 2.0 database contains a risk classification. The risk classification extends the category of each application to allow an even more granular classification of single applications. Depending on the common usage and reputation, the risk classification may vary from 1 (low risk) to 4 (high risk).
Let's take the category File Storage and Backup as an example: Cloud storage is more popular than ever and sometimes even an integral part of modern business communication. But depending on the business model of cloud storage services, some of them are highly attractive for illegal and extremely bandwidth-consuming file sharing activities. While Copy and Amazon Web Services enjoy a good reputation, others like DepositFiles or Mega have a poor reputation. Transforming these reputations into risk categories allows you to permit only services with a good reputation.
Barracuda Networks continuously observes web application reputations and keeps you up to date with the latest risk classifications. However, in some cases it may be necessary to manually override the risk classification.

Override the Risk Level of an Application


1. Click the CONFIGURATION tab. The Configuration Overview page opens in the Simple Configuration view.
2. In the Operational Configuration table, click Ruleset in the Firewall section.
3. In the left navigation pane, expand Firewall Objects and click Applications.
4. Change the risk level of an application by either right-clicking it and selecting Override this Application or using the icons in the top-right area of the rule set.
5. Select the new risk level for the application and then click OK.
The following figure displays the process of overriding the risk classification of an application.

How to Create an URL Filter Match Object


A URL Filter Match object acts as a matching criterion for application rules. Application rules containing this type of object are only processed if the URL categories defined in the object are detected. If none of the defined URL categories match the traffic, the rule is not processed. Use this object type in your application rules to detect specific web content for additional processing, such as Quality of Service assignment.
Before You Begin
Before you create URL Filter Match objects, verify that you have enabled the URL Filter. For instructions on how to activate the URL Filter, see How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus Scanning and ATD. Otherwise, the URL Filter Match objects page is grayed out and you will not be able to create URL Filter Match objects.
Create an URL Filter Match Object:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. In the left menu, expand Firewall Objects and click URL Filter.
4. Create the URL Filter Match object by either right-clicking the table and selecting New > URL Filter Match Object or using the icons in
the top-right area of the rule set.
5. Either search or filter for the URL categories that you want to include in the object.
6. Add an URL category by either dragging it to the Matching URL Categories section or clicking the plus sign (+) next to its name.
7. Click Save.
8. Click Send Changes and Activate.
The following figure displays the process for creating a URL Filter Match object.

How to Create an URL Filter Policy Object


A URL Filter Policy object determines how a website that matches one of the URL categories is handled by the Barracuda NG Firewall. To
override Barracuda's URL database, you must define custom URL black- and whitelists. The following actions are available for each URL
category:
Allow The user can access the website.
Block The user is blocked from viewing the website and is redirected to the customizable URL Filter block page. For more information,
see How to Configure Custom Block Pages.
Warn and Continue The user can visit the webpage after clicking Continue on the customizable URL Filter warning page. This action
is logged to Box/Firewall/acknowledged. For more information, see How to Configure Custom Block Pages.
Alert Visiting a website in this category is silently logged. Go to FIREWALL > Monitor and filter for Allowed, Warn & Alert or Warn &
Alert to see the logged alerts.
Before You Begin
Before you create URL Filter Policy objects, verify that you have enabled the URL Filter. For instructions on how to activate the URL Filter, see How to Enable Application Control 2.0, SSL Interception, URL Filtering, Virus Scanning and ATD.
Create a URL Filter Policy Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. In the left menu, click URL Filter.
4. Create the URL Filter Policy object by either right-clicking the table and selecting New > URL Filter Policy object or by using the icons in
the top-right area of the ruleset.

5. Click Advanced. The URL Cat Policy Object - Advanced Settings window opens.
6. Select the Action if online URL database is unavailable.
7. Enter the timeout for Warn and Continue Override valid for [min]. Default: 10 min.
8. Click OK.

9. Click on Default Action and select Block, Allow or Alert from the dropdown.

10. Select Block, Allow, Warn and Continue or Alert in the Action column for each URL category.

11. (optional) To whitelist or blacklist specific domains, select Custom URLs.


a. For each blacklisted domain, click + to add a domain to the Block List.

b. For each whitelisted domain, click + to select the action and to enter the domain name in the Allow List.

12. Click Save.


13. Click Send Changes and Activate.
You can now apply the URL Filter policy object to selected Application Rules. For more information, see How to Create an Application Rule.
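How the per-category actions, the custom Block and Allow lists, the Default Action and the fallback for an unreachable URL database combine into one decision, as an added Python model that is not code from this guide or from Barracuda. Suffix matching for custom list entries, the sample categories, the clock value and the log labels are assumptions.

```python
"""Decision model for a URL Filter Policy object (constructed example, not
Barracuda code): custom Block/Allow lists override the URL database, then the
per-category Action applies, then the Default Action; when the online database
is unreachable, the "Action if online URL database is unavailable" is used."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Optional, Set


class Action(Enum):
    ALLOW = "Allow"
    BLOCK = "Block"
    WARN = "Warn and Continue"
    ALERT = "Alert"


@dataclass
class UrlFilterPolicy:
    category_actions: Dict[str, Action]            # Action column per URL category
    default_action: Action = Action.BLOCK          # Default Action for unlisted categories
    db_unavailable_action: Action = Action.BLOCK   # Action if online URL database is unavailable
    warn_override_minutes: int = 10                # Warn and Continue Override valid for [min]
    block_list: Set[str] = field(default_factory=set)            # Custom URLs > Block List
    allow_list: Dict[str, Action] = field(default_factory=dict)  # Custom URLs > Allow List


@dataclass
class Decision:
    action: Action             # what the user gets: ALLOW, BLOCK, or WARN (warning page shown)
    reason: str
    log: Optional[str] = None  # where the event is logged, if at all


def _matches(domain: str, entry: str) -> bool:
    # Assumption: a custom list entry covers the host itself and all its subdomains.
    return domain == entry or domain.endswith("." + entry)


def _apply(action, reason, policy, now, acknowledged_at):
    """Turn the configured action into the effective decision for this request."""
    if action is Action.WARN:
        override = timedelta(minutes=policy.warn_override_minutes)
        if acknowledged_at is not None and now - acknowledged_at <= override:
            # Continue was clicked within the override window; logged to Box/Firewall/acknowledged
            return Decision(Action.ALLOW, reason + " (acknowledged)", "Box/Firewall/acknowledged")
        return Decision(Action.WARN, reason)  # show the URL Filter warning page
    if action is Action.ALERT:
        # The visit is allowed and silently logged (seen under FIREWALL > Monitor)
        return Decision(Action.ALLOW, reason + " (alert)", "alert")
    return Decision(action, reason)


def evaluate(policy, domain, lookup_category, now, acknowledged_at=None):
    """lookup_category(domain) returns the category name, or raises
    ConnectionError when the online URL database cannot be reached."""
    domain = domain.lower().rstrip(".")
    for entry in policy.block_list:                  # 1. custom Block List wins
        if _matches(domain, entry):
            return Decision(Action.BLOCK, f"custom block list: {entry}")
    for entry, action in policy.allow_list.items():  # 2. custom Allow List with its own action
        if _matches(domain, entry):
            return _apply(action, f"custom allow list: {entry}", policy, now, acknowledged_at)
    try:                                             # 3. category from the URL database
        category = lookup_category(domain)
    except ConnectionError:
        return _apply(policy.db_unavailable_action, "URL database unavailable",
                      policy, now, acknowledged_at)
    action = policy.category_actions.get(category, policy.default_action)
    return _apply(action, f"category {category}", policy, now, acknowledged_at)


# Constructed sample policy, category data and clock (assumptions)
POLICY = UrlFilterPolicy(
    category_actions={"Gambling": Action.BLOCK, "Social Networking": Action.WARN,
                      "Streaming Media": Action.ALERT, "Business": Action.ALLOW},
    default_action=Action.ALLOW, db_unavailable_action=Action.BLOCK,
    block_list={"bad.example"}, allow_list={"intranet.example": Action.ALLOW})
SAMPLE_CATEGORIES = {"casino.example": "Gambling", "social.example": "Social Networking",
                     "video.example": "Streaming Media"}
NOW = datetime(2015, 6, 1, 12, 0)


def online_lookup(domain):
    return SAMPLE_CATEGORIES.get(domain, "Uncategorized")


def offline_lookup(domain):
    raise ConnectionError("URL database unreachable")


def decide(domain, db_available=True, acknowledged_minutes_ago=None):
    """Evaluate one request against POLICY with the online or offline lookup."""
    ack = None if acknowledged_minutes_ago is None else NOW - timedelta(minutes=acknowledged_minutes_ago)
    return evaluate(POLICY, domain, online_lookup if db_available else offline_lookup, NOW, ack)
```

Calling decide("social.example", acknowledged_minutes_ago=11) returns the warning page again because the 10-minute override has expired, while decide("intranet.example", db_available=False) still allows the request since custom lists do not need the database.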

Using Application Control 2.0 with HTTP(S) Proxies


You can use Application Control with the internal HTTP Proxy service and external proxies. Depending on what type of proxy is used, Application
Control might be limited or require additional configuration.


Proxy Type                                                | Application Control 2.0 | Sub-application Detection            | SSL Interception                     | ATD | Application Based Provider Selection
HTTP Proxy Service (Forward Proxy on ports 3128 and 8080) | Yes (only for HTTP)     | No                                   | Yes (via HTTP Proxy service)         | Yes | No
HTTP Proxy Service (Transparent Proxy)                    | Yes                     | Yes (with a firewall rule for HTTPS) | Yes (with a firewall rule for HTTPS) | Yes | No
External HTTP(S) Proxy                                    | Yes                     | Yes                                  | Yes                                  | Yes |
External HTTP + HTTPS Proxies                             | Yes                     | Yes                                  | Yes                                  | Yes |

HTTP Proxy Service (Forward Proxy)


When the client is configured to use the HTTP Proxy service for both HTTP and HTTPS, Application Control 2.0 can be used to detect
applications for HTTP connections. Clients contact the HTTP Proxy service directly on port 3128 or 8080 for both HTTP and HTTPS connections.
SSL Interception is handled in the HTTP Proxy service.
Please note that this setup does not work if you are using a load balanced HA deployment where the Forwarding Firewall service and
the HTTP Proxy service are not on the same virtual server.

HTTP Proxy Service (Transparent Proxy)


When the HTTP Proxy service on the Barracuda NG Firewall is configured as a transparent proxy, only HTTP traffic is sent to the HTTP proxy. To
pass HTTPS traffic through Application Control and SSL Interception, you must configure an explicit firewall rule.
It is not possible to use the built-in SSL Interception in the HTTP proxy in a transparent proxy configuration.

External Proxy
When clients use an external proxy for both HTTP and HTTPS traffic, there are no restrictions. Application Control 2.0 can inspect all traffic
coming from or going to the proxy.

Separate HTTP and HTTPS (SSL) Proxies


No limitations apply when clients are configured to use separate external HTTP and HTTPS proxies. Application Control and SSL Interception can
inspect all traffic coming from and going to the HTTP and HTTPS proxies.

Bridging
Bridging Type Feature Comparison

To help you decide which method to use, the following table compares the features that are available for each bridging method:
Features                         | Transparent Layer 2 Bridging | Routed Transparent Layer 2 Bridging | Layer 3 Bridging
MAC Transparent                  | Yes                          | Yes                                 | No
Routing-Bridging-Forwarding      | No                           | Yes                                 | Yes
Local Firewall Traffic (Gateway) | No                           | Yes                                 | Yes
Auto Learning of Network Nodes   | Yes                          | Yes                                 | No
Active Learning of Network Nodes | No                           | Yes                                 | No
Next Hop Bridging                | Yes                          | Yes                                 | No
Broad-Multicast Propagation      | Yes                          | Yes                                 | Yes
High Availability                | Yes                          | Yes                                 | Yes
VLAN capable                     | Yes                          | Yes                                 | Yes
IP and ARP Forwarding            | Yes                          | Yes                                 | Yes
Non IP Protocols Forwarding      | No                           | No                                  | No

Security Weaknesses and Solutions

Because bridging relies heavily on broadcasts to establish connectivity, it has a few weak points that you must consider carefully.
Implement bridging in a trusted environment where possible. In large environments, broadcasts also consume a lot of bandwidth. The Barracuda NG Firewall
offers different methods to help prevent the following common attacks.
Preventing IP or ARP Spoofing over Layer 2 Bridges
Network nodes may send fake ARP responses in order to inject network traffic with arbitrary IP addresses. Because firewall
security is enforced on Layer 3, the security policy is bypassed. These issues can be solved by taking the following measures:
Segment Access Control Lists (Bridging Interface ACLs) Specify which IP addresses are allowed on a segment.
Static Bridge ARP Entries Statically specify IP addresses, MAC addresses, and segments to avoid learning via ARP.
MAC-based Firewall Rules Define source MAC conditions for network objects.
ARP Change Reporting Specify which types of the IP-MAC-Segment relationship changes must be reported in the access cache and
log.
Prevent Destination MAC Spoofing
Another security issue in bridged environments is that security is enforced on Layer 3 while traffic is delivered on Layer 2, and this gap can be
exploited. You can prevent these issues by enforcing Layer 2 when a Layer 3 session is granted: the MAC addresses for a session are fixed when the
session is created and remain enforced until the session ends.
In the figure below, a client from LAN 1 tries to force a connection grant to a client in LAN 3. To do so, it sends a packet to the client in LAN 2
using MAC-A as the destination MAC address and 10.0.8.10 as the destination IP address. After the session has been granted through the bridge
and communication has been allowed, it sends a second packet that exchanges the MAC address of the client in LAN 2 for the MAC address of the
client in LAN 3, leaving the IP address the same. If MAC enforcement is configured, the connection with the spoofed MAC address is not
allowed.
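The scenario from the figure, modelled as an added example that is not code from this guide or from Barracuda: a small bridge that first applies the Bridging Interface ACL (Allowed Networks) and then fixes the MAC addresses of a granted session, so the second packet with the swapped destination MAC is dropped. Interface names, addresses, MAC addresses and the single pass rule are assumptions.

```python
"""Simulation of two safeguards for Layer 2 bridges: the Bridging Interface ACL
and MAC enforcement for granted sessions. Constructed example, not Barracuda
code; interfaces, addresses and MACs are made up, and rule_allows() stands in
for the forwarding rule set (which, like the real one, looks at Layer 3 only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    in_if: str      # bridge interface the frame arrived on
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Allowed Networks (ACL) per bridged interface: which source IPs may appear on a segment
ACL = {
    "eth1": [ip_network("10.0.8.96/27")],   # LAN 1 (constructed)
    "eth2": [ip_network("10.0.8.0/27")],    # LAN 2, contains 10.0.8.10
    "eth3": [ip_network("10.0.8.32/27")],   # LAN 3
}
UNRESTRICTED_MACS = {"00:00:5e:00:53:ff"}   # e.g. a router that is exempt from the ACL
MAC_1 = "00:00:5e:00:53:01"   # client in LAN 1
MAC_A = "00:00:5e:00:53:0a"   # client in LAN 2 (10.0.8.10)
MAC_C = "00:00:5e:00:53:0c"   # client in LAN 3


def rule_allows(frame: Frame) -> bool:
    # Stand-in pass rule: TCP/80 to LAN 2 addresses (assumption)
    return frame.dst_port == 80 and ip_address(frame.dst_ip) in ip_network("10.0.8.0/27")


class Bridge:
    def __init__(self, enforce_mac: bool = True):
        self.enforce_mac = enforce_mac
        # session key -> (src_mac, dst_mac) fixed when the session was created
        self.sessions: Dict[Tuple[str, str, int], Tuple[str, str]] = {}
        self.events: List[str] = []   # what would go to the access cache / log

    def acl_permits(self, frame: Frame) -> bool:
        if frame.src_mac in UNRESTRICTED_MACS:
            return True
        src = ip_address(frame.src_ip)
        return any(src in net for net in ACL.get(frame.in_if, []))

    def forward(self, frame: Frame) -> str:
        """Return 'pass: ...' or 'drop: ...' for one frame."""
        if not self.acl_permits(frame):
            self.events.append(f"ACL violation on {frame.in_if}: {frame.src_ip}")
            return "drop: source IP not allowed on this segment (ACL)"
        key = (frame.src_ip, frame.dst_ip, frame.dst_port)
        if key not in self.sessions:
            if not rule_allows(frame):
                return "drop: no matching pass rule"
            self.sessions[key] = (frame.src_mac, frame.dst_mac)  # Layer 2 fixed at session creation
            return "pass: new session"
        if self.enforce_mac and self.sessions[key] != (frame.src_mac, frame.dst_mac):
            self.events.append(f"MAC change within session {key}: {frame.dst_mac}")
            return "drop: MAC addresses differ from those fixed for this session"
        return "pass: existing session"


def scenario(enforce_mac: bool = True) -> List[str]:
    """The figure's scenario: a LAN 1 client opens a session to 10.0.8.10 via MAC-A, then
    re-sends the same flow with the LAN 3 client's MAC; finally it forges a LAN 2 source IP."""
    br = Bridge(enforce_mac)
    first = Frame("eth1", MAC_1, MAC_A, "10.0.8.100", "10.0.8.10", 80)
    spoofed = Frame("eth1", MAC_1, MAC_C, "10.0.8.100", "10.0.8.10", 80)
    forged_ip = Frame("eth1", MAC_1, MAC_A, "10.0.8.5", "10.0.8.10", 80)
    return [br.forward(first), br.forward(spoofed), br.forward(forged_ip)]


if __name__ == "__main__":
    for enforce in (True, False):
        print(f"MAC enforcement {'on' if enforce else 'off'}:")
        for line in scenario(enforce):
            print("  ", line)
```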

How to Configure a Local Bridge


To transparently connect your local workstation with the network across a Barracuda NG Firewall, use a local bridge. This configuration allows you
to explore the Barracuda NG Firewall's advanced traffic and application inspection features using traffic that your workstation generates on the
LAN. To make the connection transparent, you must configure a local bridge and create a firewall rule to allow traffic between the bridged
interfaces.

In this article
Before you Begin
Step 1. Configure the Local Bridge
Step 2. Create a Firewall Rule for Local Bridging
Before you Begin
Before configuring a local bridge, make sure that the following services are correctly configured:
Firewall It is assumed that port 1 is the management port and the default management IP 192.168.200.200 listens on this interface.
WiFi For the Barracuda NG Firewall F101/F201/F301, the Country must be selected. Otherwise, IP configurations involving WiFi
interfaces are not possible.
DHCP Server Make sure that DHCP server and DHCP client are disabled. By default, both are disabled.
These instructions also provide example settings that assume that your workstation is connected to port 1 and that you are creating a bridge
between port 2 and port 3.
Step 1. Configure the Local Bridge
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. For the Barracuda NG Firewall F101, F201, or F301 with WiFi enabled:
Select WIFI from the Configuration menu in the left navigation pane.
Make sure that the correct Location setting is selected.
3. Open the Forwarding Firewall Settings page (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server
> Assigned Services > Firewall).
4. From the Configuration menu in the left navigation pane, select Layer 2 Bridging.
5. Click Lock.
6. In the Bridged Interface Group table, add a group:
Bridged Interfaces In this table, add all of the interfaces that must be bridged together in this group. For example, add entries
for port 2 and 3.
For each interface, you can specify the following settings:
Name The exact network interface label, as listed in the network configuration. For VLANs, enter the physical VLAN
interface and the VLAN tag separated by a dot. For example, eth1.5 .
Allowed Networks (ACL) Networks that are allowed to communicate over the bridged interface. You can enter
complete networks, individual client/server IP addresses, or network ranges. For example, enter 0.0.0.0/0 in the
configurations for port 2 and port 3.
Unrestricted MACs List of MAC address for which the Allowed Networks (ACL) does not apply.
MAC Change Policy To specify if the MAC address of the interface can be changed, select AllowMACChange (default). If the MAC address must not be changed, select DenyMACChange.
Bridge IP Address In this table, add an entry or edit an existing entry for the gateway to assign an IP address to this bridging
group. In the entry, specify the following settings for the gateway.
Bridge IP Address IP address for the gateway. For example, enter 10.17.11.55 or an IP address that is relative to
your network.
Bridge IP Netmask Netmask for the gateway.
To get the gateway of the LAN before you disconnect your computer from the LAN, go to Control Panel >
Network and Sharing > Change adapter settings on your workstation. Select your LAN adapter and click
the IPv4 properties. If you have a static IP address, information including the default route and DNS
information is displayed. If you have a DHCP address, your information will not display.
If you have a DHCP address, enter the following at the Windows command line:
ipconfig /all
All of the network configurations display on the screen. Scroll to the top and find the Ethernet adapter Local
Area Connection settings.

7. Click Send Changes and Activate.


8. Perform a Failsafe Network Activation (Control > Box).
Step 2. Create a Firewall Rule for Local Bridging
After configuring the local bridge, you must create a firewall rule to allow traffic across the bridge and use the advanced traffic inspection features
of the Barracuda NG Firewall.


1. Create a PASS firewall rule with the following settings:
BiDirectional Enable
Source Select Any 0.0.0.0/0
Service Select Any
Destination Select Any 0.0.0.0/0
Connection Method Select No Src NAT [Client]

2. (Optional) Enable Application Control and SSL Interception. For more information, see Application Control 2.0.
3. Click OK.
4. Click Send Changes and Activate.

How to Configure Layer 2 Bridging


When performing layer 2 bridging, the Barracuda NG Firewall is completely transparent to the user. The interface is not assigned an IP
address and cannot be directly contacted by users in the bridged networks. Traffic passing through the layer 2 bridge retains its original
MAC address, with the bridge acting as a proxy ARP in the middle. Since the bridged network interfaces do not have an IP address, you need to
use a separate interface to locally administer the Barracuda NG Firewall. You can define multiple bridging groups on one interface. Traffic
between the interface groups is forwarded on layer 3. Define a pass and a broad-multicast firewall rule for each bridge interface group.
The bridge can only be used for IP based protocols.

In this article:
Step 1. Configure Transparent Layer 2 Bridging
Step 2. Create Firewall Rules for Layer 2 Bridging
Step 1. Configure Transparent Layer 2 Bridging
To configure transparent Layer 2 bridging, complete the following steps:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Settings.
2. In the left navigation pane, select Layer 2 Bridging.
3. Click Lock.
4. In the Bridged Interface Group table, click + to add an entry. For each interface group, you can edit the following settings:
Bridged Interfaces Add all interfaces to be bridged together in this group. For each interface enter the following settings:
Name The exact network interface label, as listed in the network configuration. E.g., eth1
Allowed Networks (ACL) Networks that are allowed to communicate over the bridged interface. You can enter
complete networks, individual client/server IP addresses, or network ranges.
Unrestricted MACs List of MAC address for which the Allowed Networks (ACL) does not apply.
MAC Change Policy Select AllowMACChange to permit the MAC address of the interface to be changed,
otherwise select Deny-MAC-Change.
Use IP BARP Entries Select yes if the Barracuda NG Firewall must learn the MAC addresses from IP and ARP traffic and
record IP addresses that are assigned to a specific MAC address in a separate table. If there are a very large number of IP
addresses in a specific network segment, select no to keep the ARP table from being overrun.

5. Click OK.
6. Click Send Changes and Activate.

Step 2. Create Firewall Rules for Layer 2 Bridging


To allow network traffic to pass between the bridged interfaces, create Pass and Broad-Multicast firewall rule for every bridged interface group.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Create a Pass firewall rule with the following settings:
BiDirectional Yes
Source Select Any (0.0.0.0/0)
Service Select Any
Destination Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., 10.0.8.0/24 and 172.31.1.25
Connection Method Select No SNAT
4. Create a BroadMulticast firewall rule with the following settings:
Source Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., 10.0.8.0/24 and 172.31.1.25
Service Select Any
Connection Method Select No SNAT
Destination Enter the destination networks/IP addresses. E.g., 10.0.8.255

Optional
To use a DHCP server over the layer 2 bridge, also add 0.0.0.0 to the source and 255.255.255.255 to the destination
IP addresses.
5. Rearrange the order of the firewall rules so the new rules can match incoming traffic.
6. Click Send Changes and Activate.

How to Configure Routed Layer 2 Bridging


Routed bridging is used when the firewall must act as a layer 2 bridging and layer 3 routing device simultaneously. This is needed when the
clients and servers in the bridged network must send data into another network. The bridged interfaces are assigned local IP addresses so that the
clients in the bridged networks can directly address the Barracuda NG Firewall. Firewall rules forward traffic between the bridge interface groups
and the external networks.
In this article
Step 1. Configure a Routed Layer 2 Bridge

Step 2. Create Firewall Rules

Step 1. Configure a Routed Layer 2 Bridge


Create a layer 2 bridge and add bridge IP addresses to allow the clients in the bridged networks to directly access the Barracuda NG Firewall.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Settings.
2. In the left navigation, click on Layer 2 Bridging.
3. Click Lock.
4. In the Bridged Interface Group table, click + to add an entry. For each interface group, you can edit the following settings:
Bridged Interfaces Add all interfaces to be bridged together in this group. For each interface enter the following settings:
Name The exact network interface label, as listed in the network configuration. E.g., eth1
Allowed Networks (ACL) Networks that are allowed to communicate over the bridged interface. You can enter
complete networks, individual client/server IP addresses, or network ranges.


Unrestricted MACs List of MAC address for which the Allowed Networks (ACL) does not apply.
MAC Change Policy Select AllowMACChange to permit the MAC address of the interface to be changed,
otherwise select Deny-MAC-Change.
Bridge IP Address Add an entry or edit an existing entry for the gateway. In the entry, specify the following settings for the
gateway:
Bridge IP Address IP address for the gateway. E.g., 62.99.0.254
Bridge IP Netmask Netmask for the gateway.
Use IP BARP Entries Select yes if the Barracuda NG Firewall must learn the MAC addresses from IP and ARP traffic and
record IP addresses that are assigned to a specific MAC address in a separate table. If there are a very large number of IP
addresses in a specific network segment, select no to keep the ARP table from being overrun.

5. Click OK.
6. Click Send Changes and Activate.

Step 2. Create Firewall Rules


To allow network traffic to pass between the bridged interfaces, create Pass and Broad-Multicast firewall rules:

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Create a Pass firewall rule with the following settings:
BiDirectional Yes
Source Select Any (0.0.0.0/0)
Service Select Any
Destination Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., 10.0.8.0/24 and 172.31.1.25
Connection Method Select No SNAT
4. Create a BroadMulticast firewall rule with the following settings:
Source Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., 10.0.8.0/24 and 172.31.1.25
Service Select Any
Connection Method Select No SNAT
Destination Enter the destination networks/IP addresses. E.g., 10.0.8.255

Optional
To use a DHCP server over the layer 2 bridge, also add 0.0.0.0 to the source and 255.255.255.255 to the destination
IP addresses.

5. Rearrange the order of the firewall rules so the new rules can match incoming traffic.
6. Click Send Changes and Activate.

How to Configure Layer 3 Bridging


Layer 3 bridging is best used for client and server groups that include just a few clients that usually communicate with machines in their group.
The bridge consists of two proxy ARPs and a firewall rule to pass traffic back and forth. If you want to bridge multiple clients, use a routed
transparent Layer 2 bridge instead.
All network traffic is delivered using Layer 3 (routing) lookups.
All bridged network nodes must be entered into the configuration.
Bridging is NOT Layer 2 transparent; the source MAC is not propagated in connection requests.
Traffic between routed and bridged destinations is forwarded.
Bridged network nodes may (if allowed) locally communicate with the interface.
An example setup that would be appropriate for layer 3 bridging would be if one PC in the network must be separated from the other clients and
protected by the firewall. The PC that is to be singled out is placed in its own small network (e.g., 10.0.8.160/29) and the firewall acts as a
non-transparent translational bridge between the 10.0.8.0/24 and the 10.0.8.0/29 networks. The Barracuda NG Firewall will answer all ARP
requests that are transmitted between the networks.

In this article
Before you Begin
Step 1. Create a Network Object for the client PC
Step 2. Create Proxy ARP Objects
Before you Begin
Assign an IP address to each network interface of the Barracuda NG Firewall that you want to use for the bridge (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties).
Step 1. Create a Network Object for the client PC
Create a network object for the clients that should be bridged:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Create a network object for the clients that must be bridged.
4. In the IP/Ref table, add the IP address of the client:

5. In the Bridging Parameters window, edit the following settings:


Interface Addresses Reside - Enter the network interface that points to the bridged clients. For example, enter eth1.
Parent Network - Enter the parent network address. E.g., 10.0.8.0/24
Select the Introduce Routes and Restrict PARP to Parent Network check boxes.

6. Click OK.
7. Click Send Changes and Activate.
You now have a network object for the client that you can use when creating the layer 3 bridge.
Step 2. Create Proxy ARP Objects
To make sure that ARP requests are answered on the interface for the new network, create a proxy ARP object for the bridging parent network
and bridged clients.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall >
Forwarding Rules.
2. Click Lock.
3. Create a proxy ARP object for the bridging parent network. E.g., 10.0.8.0/24

4. Create a proxy ARP object for the bridged client. E.g., 10.0.8.162. (optional) Restrict the source IP addresses of the proxy ARP
object to the bridging parent network.

5. Click Send Changes and Activate.


You can now use the separated PC as if it were on the same network with the exception that the MAC address of the PC will be replaced by the
MAC of the Barracuda NG Firewall when traversing the bridge.

Bridging Configuration Settings


This article describes the implementation of logical entities in context with the Barracuda NG Firewall bridging. It also explains how various
bridging elements interact with each other during the bridging process.
In this article:
Bridging Groups
Bridging Interfaces
Bridging ARP Entries
Dynamic BARPs
Static BARPs

Bridging Interface ACL


Virtual Bridge Interface
Virtual Bridge Interface IP Address
Broad- and Multicast
High Availability

Bridging Groups
A bridged interface group defines a set of network interfaces for which network traffic is forwarded with bridging.
Bridging Interfaces
A bridging interface is a network interface that is assigned to a bridged interface group.
A bridging interface can only be a member of one bridged interface group.
Bridging ARP Entries
A bridging ARP entry (BARP) stores the information that specifies on which bridge interface a certain MAC address resides. Additionally,
associated IP addresses are stored along with the BARP entry.
The IP address is only used for visualization purposes.
Dynamic BARPs
Dynamic BARPs are built up during run time by analyzing network traffic. Whenever a packet is received on an interface, dynamic BARPs are
generated or updated. This way, the firewall "learns" which MAC address resides on which bridging interface. When ARP packets are analyzed,
the Layer 3 IP information is added to the BARP entry by adding the IP address.
With dynamic BARPs, relationships are learned as follows:
MAC-Interface relationship learned by any IP traffic.
MAC-Interface-IP relationship learned by ARP traffic.
Static BARPs
Static BARPs are part of the configuration and define a MAC-Interface-IP relationship that is present at all times and is not overwritten by
"learning" from traffic.
Bridging Interface ACL
The bridging interface ACL specifies which IP addresses can be received on a bridging interface. ACLs can be used to enforce a Layer 3 topology
when operating on the firewall. The most restrictive implementation of the ACL maintains a list of single IP addresses that are expected on a
certain bridge interface.
Virtual Bridge Interface
A virtual bridge interface is an interface that acts as parent interface for all interfaces of a bridged interface group. The name of a virtual interface
is always the name of the bridged interface group with a phbr- prefix. For example: phbr-<group-name>
Virtual Bridge Interface IP Address
Optionally, each virtual bridge interface may be configured with an IP address and a netmask. This way, the firewall itself can actively probe
(learn) on which segments each MAC address resides. It can also route traffic from a routed network to a bridged network or between bridging
groups. Through the introduction of a virtual bridge interface, Transparent Layer 2 is changed to Routed Layer 2 Bridging.
A virtual bridge interface has following main characteristics:
Active ARP queuing.
Forwarding between bridge groups.
Forwarding between routed and bridged networks.
Local firewall traffic (application gateways).
Still MAC transparent (like ).
Broad- and Multicast
Broadcast and multicast traffic can be forwarded between segments and routed networks. You must create a specific firewall rule to allow
broadcast or multicast propagation. Specify a list of network interfaces, IP addresses, and multicast addresses that define how traffic should be
propagated. Broadcast to unicast or multicast translations are possible.
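The BARP behaviour described in this article (dynamic learning from IP and ARP traffic, static entries that learning never overwrites, and reporting of IP-MAC-Segment changes), as an added Python model that is not part of this guide or of the product. Interface names, MAC addresses, IP addresses, the report categories and the rule that a statically pinned IP is not re-learned by a dynamic entry are assumptions.

```python
"""Model of the bridging ARP (BARP) table: dynamic BARPs are learned from
traffic, static BARPs are configured and never overwritten by learning, and
relationship changes are reported. Constructed example, not Barracuda code;
interface names, MACs and addresses are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Barp:
    interface: str                               # bridge interface the MAC resides on
    ips: Set[str] = field(default_factory=set)   # associated IPs (visualization only)
    static: bool = False


class BarpTable:
    def __init__(self, static_entries=(), report=("mac-interface", "ip-mac")):
        # report: which kinds of IP-MAC-Segment changes go to the access cache/log (assumption)
        self.entries: Dict[str, Barp] = {}
        self.report = set(report)
        self.reports: List[str] = []
        for mac, iface, ip in static_entries:
            self.entries[mac] = Barp(iface, {ip}, static=True)

    def learn_ip(self, mac: str, iface: str) -> None:
        """Any IP packet teaches the MAC-Interface relationship."""
        entry = self.entries.get(mac)
        if entry is None:
            self.entries[mac] = Barp(iface)
        elif entry.interface != iface:
            if "mac-interface" in self.report:
                kind = "static BARP kept" if entry.static else "moved"
                self.reports.append(f"{mac}: {entry.interface} -> {iface} ({kind})")
            if not entry.static:
                entry.interface = iface

    def learn_arp(self, mac: str, iface: str, ip: str) -> None:
        """ARP packets also add the Layer 3 address (MAC-Interface-IP)."""
        self.learn_ip(mac, iface)
        entry = self.entries[mac]
        if entry.static:
            return                      # static entries are not touched by learning
        pinned = False
        for other_mac, other in self.entries.items():
            if other_mac == mac or ip not in other.ips:
                continue
            if "ip-mac" in self.report:
                self.reports.append(f"{ip} changed MAC {other_mac} -> {mac}")
            if other.static:
                pinned = True           # assumption: an IP pinned by a static BARP is not re-learned
            else:
                other.ips.discard(ip)
        if not pinned:
            entry.ips.add(ip)

    def interface_for(self, mac: str) -> Optional[str]:
        """Forwarding lookup: only the MAC decides the egress segment."""
        entry = self.entries.get(mac)
        return entry.interface if entry else None


def demo() -> BarpTable:
    """Constructed sequence of observed traffic."""
    table = BarpTable(static_entries=[("00:00:5e:00:53:01", "eth1", "10.0.8.1")])  # gateway, pinned
    table.learn_ip("00:00:5e:00:53:20", "eth2")                # IP traffic: MAC-Interface only
    table.learn_arp("00:00:5e:00:53:20", "eth2", "10.0.8.20")  # ARP: adds the IP
    table.learn_arp("00:00:5e:00:53:21", "eth3", "10.0.8.20")  # same IP claimed by another MAC
    table.learn_arp("00:00:5e:00:53:99", "eth3", "10.0.8.1")   # ARP claiming the pinned gateway IP
    table.learn_ip("00:00:5e:00:53:01", "eth3")                # gateway MAC seen on another segment
    return table


TABLE = demo()

if __name__ == "__main__":
    for mac, e in TABLE.entries.items():
        print(f"{mac} on {e.interface} ips={sorted(e.ips)} static={e.static}")
    for r in TABLE.reports:
        print("report:", r)
```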

Barracuda Web Filter


The Barracuda Web Filter is used by Application Control 2.0 and the HTTP proxy to categorize URLs accessed by the users. You must have an
active Energize Updates subscription to use the Barracuda Web Filter. The Barracuda Web Filter first attempts to find the requested page in the
local cache. If the page cannot be found in this cache, the page is checked against the URL filter database in the Barracuda Cloud. Access to the
URL is then granted or denied according to the specified policy.
Barracuda Web Filter with Application Control 2.0

For best matching results use Application Control 2.0 and the Barracuda Web Filter to enforce your application policies. The URL Filter Match
object is used as an application rule matching criteria and can be optionally used to apply different QoS settings depending on the URL category
or specific website.
For more information, see How to Enable the Barracuda Web Filter.
Barracuda Web Filter with HTTP Proxy

Web filtering allows you to control access to websites based on the URL category. To offer granular control, it is possible to define exceptions for individual users and IP addresses and also to log which requests are allowed and denied.
For more information, see How to Configure Web Filtering.

How to Enable the Barracuda Web Filter


The Barracuda Web Filter (a.k.a. URL Filter) is used in combination with Application Control 2.0 in the Firewall service. A valid Energize
Subscription is necessary to use the Barracuda URL Filter.
In this article
Enable the URL Filter Service
Next Steps
Enable the URL Filter Service

1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration.
2. Click Lock.
3. In the left menu, click Application Detection.
4. Set the Working Mode to On.

5. Click Send Changes and Activate.


Next Steps

Create URL Filter Policy objects or URL Filter Match objects. For more information, see How to Create an URL Filter Policy Object and How to Create an URL Filter Match Object.
Create Application rules and select the URL filter objects to match website traffic to the URL categorization database. For more
information, see How to Create an Application Rule.

Virus Scanner

The Virus Scanner service offers malware protection in combination with the firewall, HTTP proxy, FTP, and mail gateway services. An active
Malware subscription is required. For all Barracuda NG Firewall models F200 and larger, you can use both the Avira and ClamAV virus scanning
engines. Barracuda NG Firewalls F100 and F101 support only the Avira virus scanning engine.
For more information, see:
How to Enable the Virus Scanner
How to Configure Avira Virus Scanning
How to Configure ClamAV Virus Scanning
How to Update Virus Patterns Manually

Virus Scanning in the Firewall


You can scan traffic passing through the Forwarding Firewall service by activating the AV scanning option for an Access Rule.
For more information, see How to Configure Virus Scanning in the Firewall.

Advanced Threat Detection


Advanced Threat Detection offers protection against advanced malware, zero-day exploits, and targeted attacks that are not detected by the Virus
Scanner or intrusion prevention system.
For more information, see Advanced Threat Detection (ATD).

Virus Scanning in the HTTP Proxy and FTP Gateway


Web traffic passing through the HTTP proxy and FTP gateway can be scanned for malware by the virus scanner service.
For more information, see Virus Scanner Integration in the HTTP Proxy and FTP Gateway.

Virus Scanning in the Mail Gateway


The Barracuda NG Firewall can scan all incoming and outgoing mail traffic for malware.
For more information, see How to Configure Antivirus Mail Gateway Integration.

How to Enable the Virus Scanner


The Barracuda Virus Scanner service supports two different virus scanning engines: Avira and ClamAV. You must have a Barracuda NG Malware
Protection license. Additional configuration is required to use the Virus Scanner in combination with the Firewall, HTTP Proxy, Mail Gateway or
FTP Gateway services.
Configure the Virus Scanner
Next Steps
Configure the Virus Scanner

1. Open the Virus Scanner Settings page (Virtual Servers > your virtual server > Assigned Services > Virus-Scanner).
2. Enable the virus engine that you are using.
If you are using Avira, set Enable Avira Engine to yes.
If you are using ClamAV, set Enable ClamAV Engine to yes.
If you are using ATD, set Enable ATD Engine to yes.
3. Define the following settings for the virus engine:
Max. RAM Cache (MB) Enter the maximum size of the cache that the virus scanner can create to store the files that it will
scan. Files that exceed the specified size are stored on the local hard drive of the Barracuda NG Firewall.
Max. Number of Workers Enter the maximum number of scanner instances that can be launched to handle requests.
Debug Log Level Select the level of detail for the virus scanner log. Selecting a value that is higher than 0 (zero) will display
debug output in the log.
4. In the left navigation pane, expand Configuration and click Update Handling.
5. Define the following settings for the virus pattern and scanner engine updates. By default, the virus scanner service contacts the pattern
update server every 60 minutes for new updates.
Update Every (mins) In minutes, enter how often the update server is contacted.
Download Retries Enter the maximum number of update attempts if the update server does not respond.
Proxy Settings If the virus scanner requires an HTTP proxy to reach the update servers, configure the parameters in this section.
Do not change the server settings in the Download Server Addresses section. If you change these settings, your
virus pattern database may not update properly. However, if you are using ClamAV, you can change the ClamAV Safe
Browsing setting to enable or disable support for Google Safe Browsing.

Next Steps

To configure the Avira virus scanning settings, see How to Configure Avira Virus Scanning.
To configure the ClamAV virus scanning settings, see How to Configure ClamAV Virus Scanning.

How to Configure Avira Virus Scanning


Configure Avira virus scanning on the Barracuda NG Firewall. Import a legacy license and specify which threats the engine should scan
for. To configure Avira virus scanning, you can define settings for the following features:
Archive Scanning Define the settings for compressed scanning archives.
Malware Detection In addition to viruses, Avira can also detect malware, spyware, or bandwidth wasters. Specify which of these threats
the engine should scan for.
Engine-Specific Options Import a legacy license, specify an email address to receive license notifications, and specify a quarantine
directory for Avira.
HTTP Multimedia Streaming Because the Virus Scanner service downloads an entire file before scanning and delivering it, some audio
or video streams cannot be accessed. Enable content streaming by disabling virus scanning for specific DNS domains.
In this article:
Before you Begin
Configure Virus Scanning
Configure HTTP Multimedia Streaming
Avira Update
Before you Begin

Before configuring Avira virus scanning, activate the Virus Scanner service. For more information, see How to Enable the Virus Scanner.
The Avira scan engine requires an additional license (file extension: *.KEY). This license file must be imported with the Avira License
Button.
Configure Virus Scanning

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner
> Virus Scanner Settings.
2. In the left menu, select Avira.
3. Set Scan Archives to yes to enable the archive scan.
4. In the Avira Archive Scanning section, define the following archive scanning settings:
Max. Scan Size (MB) The maximum amount of data to be scanned for each file (default: 1024). Specifying a maximum size
prevents the virus scanner from being overloaded.
If a maximum scan size is not entered or the limit is set too high, this may result in severe damage to the system.
Max. Nesting Depth The maximum nesting level for the archives (default: 20). If a limit is not required, enter 0 (zero).
Max. Compression Ratio The maximum compression ratio for the archives (default: 150).
If you use a very high compression ratio, a small archive can use a lot of working memory when it is decompressed
and overload the virus scanner. Such an archive is often called a "ZIP bomb."
Max. File Count The maximum number of files that can be stored in an archive (default: 10000). If a limit is not required, enter
0 (zero).
Block Encrypted Archives To block encrypted archives, select yes.

If the archive contains file types like .zip, .rar, .exe, .iso, .tar, .tgz, .cab, .msi, .btn, etc. it is possible that one of these
files is encrypted (virus scanner message: Encrypted archives are blocked). In this case, the virus scanner will block
the whole archive. To disable blocking of encrypted archives, select no.
Block on Other Error To block archives that cause errors while they are decompressing, select yes.
Block Unsupported Archives To block archives that cannot be decompressed because their formats are unsupported, select
yes.
The Barracuda NG Firewall uses the SAVAPI scan engine from AVIRA. This engine supports the following archive types:
ZIP, ZIP-Sfx, ARJ, ARJ-Sfx, TAR, GZ, ZOO, UUEncode/XXEncode, TNEF, MIME, BinHex, MSCompress, MS CAB,
LZH/LHA, LZH/LHA Sfx, RAR, RAR-Sfx, JAR, BZ2, ACE, ACESfx.
5. To configure malware detection, specify the types of malware that the engine should scan for in the Avira Non-Virus Detection section.
6. To configure engine-specific options, configure the following parameters in the Avira Misc. Options section:
Legacy Avira license To import a legacy Avira license, click Ex/Import and select Import from file.
Contact Email Address The email address to receive notifications on when the license will expire.
Quarantine directory The path to the directory where infected files should be placed.
The Virus Scanner service places files that are infected by a virus into the Quarantine directory. This directory is NOT
cleaned up automatically. You must manually clean up the Quarantine directory.
7. Click Send Changes and Activate.
Configure HTTP Multimedia Streaming

To enable content streaming, disable virus scanning for specific DNS domains.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner
> Virus Scanner Settings.
2. In the left menu, select Content Scanning.
3. Click Lock.
4. In the Scan Exceptions table, add an entry for each DNS domain that should not be scanned:
a. Enter a name for the entry and click OK.
b. In the Allowed MIME types table, add an entry for each MIME type that should not be scanned.
To determine the MIME type for a file, enable the debug log and check the cas log files.
To enable the debug log, go to the Virus Scanner Settings > Basic Setup page. In the Debug Log Level field, enter 1.
c. In the Domain field, enter the domain name.
5. Click Send Changes and Activate.
Avira Update

Updates of the Avira engine are done automatically. If a faulty Avira update was downloaded and activated, a rollback to the last working version
is done. During this process, further updates will be blocked for 1 hour. A virscan/cas message will be created, stating "Doing rollback. Disabling
update for 60 min."
To manually update the Avira pattern, complete the following steps:
1. Go to CONTROL > Server.
2. In the Service Status section, right click the virscan service that should be updated with the most current pattern.
3. Click Update Pattern in the context menu.
If you must perform a manual rollback, create a file named /var/phion/run/virscan/dorollback. During this process, any other updates will be
blocked for 1 hour. The virscan/cas message will be created, stating "Doing rollback. Disabling update for 60 min."
After a successful update, Avira creates a backup which will be used for the next rollback. A log entry will be created, stating "Creating backup for
Rollback".

How to Configure ClamAV Virus Scanning


To configure ClamAV virus scanning, you can define settings for the following features:

Archive Scanning Define the settings for compressed scanning archives.


Malware Detection In addition to viruses, ClamAV can also detect malware, spyware, or bandwidth wasters. Specify which of these
threats the engine should scan for.
Engine-Specific Options Specify scanning, phishing detection, and data loss prevention settings for ClamAV.
HTTP Multimedia Streaming Because the Virus Scanner service downloads an entire file before scanning and delivering it, some audio
or video streams cannot be accessed. To enable content streaming, disable virus scanning for specific DNS domains.
Before you Begin

Before configuring ClamAV virus scanning, activate the Virus Scanner service. For more information, see How to Enable the Virus Scanner.
Configure Archive Scanning

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner
> Virus Scanner Settings.
2. In the left menu, select ClamAV.
3. Click Lock.
4. Set Scan Archives to yes to enable the archive scan.
5. In the ClamAV Archive Scanning section, define the following archive scanning settings:
Max. Scan Size (MB) The maximum amount of data to be scanned for each file. Specifying a maximum size prevents the virus
scanner from being overloaded. Archive and other container files are recursively added and scanned up to this value.
If a maximum scan size is not entered or the limit is set too high, this may result in severe damage to the system.
Max. File Size (MB) The maximum size for files to be scanned. Files that exceed this limit will not be scanned. If a limit is not
required, enter 0 (zero).
Max. Nesting Depth The maximum nesting level for the archives. If a limit is not required, enter 0 (zero).
Max. File Count The maximum number of files that can be stored in an archive. If a limit is not required, enter 0 (zero).
Block Encrypted Archives To block encrypted archives, select yes.
If the archive contains file types like .zip, .rar, .exe, .iso, .tar, .tgz, .cab, .msi, .btn, etc., it is possible that one of these
files is encrypted (virus scanner message: Encrypted archives are blocked). In this case, the virus scanner will block
the whole archive. To disable blocking of encrypted archives, select no.
6. In the ClamAV Possibly Unwanted Applications (PUA) section, specify the types of malware that the engine should scan for.
7. In the ClamAV Misc. Scanning Options section, specify the types of files that should be scanned. You can also enable heuristic and
HTML scanning.
8. In the ClamAV Email Scanning section, select whether or not to scan URLs found in mails.
9. In the ClamAV Phishing Protection section, specify the following settings to detect phishing attacks:
Use Phishing Signatures To enable signature based phishing detection, select yes.
Always block SSL Mismatch To block SSL mismatches in URLs (even if a URL is not in the database), select yes.
Always Block Cloak To block all cloaked URLs (even if a URL is not in the database), select yes.
10. In the ClamAV Data Loss Prevention (DLP) section, specify the following settings to detect possible private data theft:
Min. Credit Card Count The minimum amount of credit card numbers that can be stored in a file before the file is detected.
SSN Format To enable the DLP module to scan for valid social security numbers, select yes.
Min. SSN Count The minimum amount of social security numbers that can be stored in a file before the file is detected.
11. Click Send Changes and Activate.
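The archive limits in both the Avira and the ClamAV sections above (maximum scan size, nesting depth, compression ratio, file count, and blocking of encrypted or unsupported archives) exist because an archive can be tiny on the wire and enormous once inflated. The following Python script is an added example, not Barracuda code and not the SAVAPI or ClamAV logic itself; it applies the same kind of limits to a ZIP file using only the archive headers, recurses into nested archives, and is run against constructed samples (a benign file, a highly compressible "ZIP bomb", a nested bomb, and an entry whose header carries the encrypted flag). The limit values are the page's stated Avira defaults; the function and sample names are this example's own.

```python
import io
import zipfile

# Limits mirroring the page's archive settings. Values are the page's Avira defaults;
# block_encrypted mirrors "Block Encrypted Archives = yes".
LIMITS = {
    "max_scan_size_mb": 1024,
    "max_nesting_depth": 20,
    "max_compression_ratio": 150,
    "max_file_count": 10000,
    "block_encrypted": True,
}

ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def inspect_zip(data: bytes, limits: dict = LIMITS, depth: int = 1) -> list:
    """Return the reasons a ZIP archive would be blocked under `limits` ([] means allowed).

    Checks use central-directory metadata (declared sizes, flags) and recurse into nested
    .zip entries. A real engine additionally bounds the bytes actually inflated, because
    the declared sizes in the headers can lie.
    """
    if depth > limits["max_nesting_depth"]:
        return [f"nesting depth {depth} exceeds {limits['max_nesting_depth']}"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        infos = zf.infolist()
    except zipfile.BadZipFile as exc:
        return [f"unsupported or corrupt archive: {exc}"]  # "Block Unsupported Archives"

    reasons = []
    if limits["max_file_count"] and len(infos) > limits["max_file_count"]:
        reasons.append(f"{len(infos)} entries exceed max file count {limits['max_file_count']}")

    declared = sum(i.file_size for i in infos)        # size after inflation, per the headers
    compressed = sum(i.compress_size for i in infos)  # size on the wire
    if declared > limits["max_scan_size_mb"] * 1024 * 1024:
        reasons.append(f"declared size {declared} B exceeds max scan size")
    if compressed and declared / compressed > limits["max_compression_ratio"]:
        reasons.append(f"compression ratio {declared / compressed:.0f}:1 exceeds "
                       f"{limits['max_compression_ratio']}:1 (ZIP bomb pattern)")
    if reasons:
        return reasons  # do not inflate anything from an archive that already failed a limit

    for info in infos:
        if info.flag_bits & ENCRYPTED_FLAG:
            if limits["block_encrypted"]:
                reasons.append(f"encrypted entry {info.filename}: Encrypted archives are blocked")
        elif info.filename.lower().endswith(".zip"):
            inner = zf.read(info)  # nested archive: inspect it at the next depth
            reasons.extend(f"{info.filename}: {r}" for r in inspect_zip(inner, limits, depth + 1))
    return reasons


def make_zip(entries: dict) -> bytes:
    """Build an in-memory DEFLATE archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Flip the 'encrypted' flag on a single-entry archive so the scanner sees what a
    password-protected ZIP looks like. No cipher is applied; only the header bit is set
    (offset 6 in the local header, offset 8 in the central-directory record)."""
    out = bytearray(data)
    out[6] |= ENCRYPTED_FLAG
    cd = out.find(b"PK\x01\x02")
    out[cd + 8] |= ENCRYPTED_FLAG
    return bytes(out)


if __name__ == "__main__":
    samples = {
        "benign": make_zip({"readme.txt": b"hello world"}),
        "zip bomb": make_zip({"zeros.bin": b"\x00" * 10_000_000}),  # ~10 MB inflates from ~10 KB
        "nested bomb": make_zip({"inner.zip": make_zip({"zeros.bin": b"\x00" * 10_000_000})}),
        "encrypted": mark_encrypted(make_zip({"secret.txt": b"x" * 100})),
    }
    for name, blob in samples.items():
        print(f"{name:12s} -> {inspect_zip(blob) or 'allowed'}")
```

The ratio check is what actually stops the bomb here: 10 MB of zeros is well under the 1024 MB scan limit, but it arrives as roughly 10 KB, so the ratio is about 1000:1. The nested sample shows why nesting depth matters: the outer archive looks harmless (an incompressible 10 KB entry), and only the recursive inspection finds the bomb inside.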
Configure HTTP Multimedia Streaming

To enable content streaming, disable virus scanning for specific DNS domains.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner
> Virus Scanner Settings.
2. In the left menu, select Content Scanning.
3. Click Lock.
4. In the Scan Exceptions table, add an entry for each DNS domain that should not be scanned.
a. Enter a name for the entry and click OK.
b. In the Allowed MIME types table, add an entry for each MIME type that should not be scanned.
To determine the MIME type for a file, enable the debug log and check the cas log files.

WIFI
Step 1. Enable the Wi-Fi Network

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, expand Configuration and select WIFI.
3. Select yes from the Wi-Fi Enabled list.
4. From the Location list, select your location.
5. From the Channel list, select the desired channel.
6. From the Transmission Power list, select the applicable transmission power level.
Because the Barracuda NG Firewall F101 does not have a cooling fan, do not select the highest transmission power level for it
unless the system is located in a cool and well ventilated location.
7. Click Send Changes and Activate.


Step 2. Configure the Wi-Fi Service Properties

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > WIFI > Service
Properties.
2. Click Lock.
3. In the Service Definition section, select yes from the Enable Service list.
4. In the Description field, enter an optional description of the Wi-Fi service.
5. Click Send Changes and Activate.
Step 3. Configure the Wi-Fi Default Routes

If your LAN and Wi-Fi connections are in two different networks, configure a default route for the Wi-Fi LAN by completing the following steps:
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, expand Configuration and click Routing.
3. Click Lock.
4. In the Main Routing Table section, add a new entry to the Routes table.
5. Enter a Name for the route. For example, 1111. The Routes configuration window opens.
6. In the Target Network Address field, enter the target network address. For example, 192.168.1.0/24.
7. From the Route Type list, select directly attached network.
8. From the Interface Name list, select the interface the network is attached to.
9. Click OK.
10. Click Send Changes and Activate.

Step 4. Activate the Network Configuration

1. Go to CONTROL > Box.
2. In the left navigation pane, expand Network and click Activate new network configuration.
3. When the activation window opens, select Force as the activation mode.
4. When the Activation Succeeded window opens, click OK.
While the new network configuration is being activated, you may lose the connection to the Barracuda NG Firewall. To
reconnect to the system, click Reconnect in the upper right of Barracuda NG Admin.

Step 5. Configure the Wi-Fi Security Settings

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > WIFI > WIFI AP
Configuration.
2. Click Lock.
3. In the Network Name (SSID) field, enter the network name.
4. In the Preshared Key (PSK) table, click + to add a new entry. The Preshared Key (PSK) Combination window opens.
5. In the New field, enter a new password.
6. In the Confirm field, re-enter the new password.
The passwords must match in both fields and be at least eight characters long.
7. Click OK.
8. Click Send Changes and Activate.
After completing the configuration, go to the CONTROL > Network page and verify that the Wi-Fi interface is available. If the interface is
available, a green square is displayed next to its name.
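The eight-character minimum in Step 5 is a floor, not a target. Assuming the preshared key is used for WPA/WPA2-PSK (the page names only "Preshared Key"; the protocol is this example's assumption), the access point derives the pairwise master key as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and anyone who captures one client's 4-way handshake can recompute that derivation offline for each candidate passphrase. The Python below is an added example, not Barracuda code: it validates a passphrase against the standard's length and character rules, performs the same derivation (checked against the published IEEE test vector), and generates a random passphrase long enough that offline guessing is not practical. Function names and the sample SSID are this example's own.

```python
import hashlib
import secrets
import string

PMK_ITERATIONS = 4096  # PBKDF2 iteration count fixed by the WPA/WPA2 standard
PMK_LENGTH = 32        # 256-bit pairwise master key


def validate_psk(passphrase: str) -> list:
    """Return the reasons a passphrase is not a valid WPA/WPA2 PSK ([] = valid).
    The 8-character minimum matches the page; 63 and printable ASCII come from IEEE 802.11."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be between 8 and 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII characters are allowed")
    return problems


def derive_pmk(ssid: str, passphrase: str) -> str:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes), as hex.
    This is what the AP stores and what an attacker recomputes per guess after capturing
    a 4-way handshake, so passphrase strength is the only thing protecting the key."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), PMK_ITERATIONS, PMK_LENGTH
    ).hex()


def generate_psk(length: int = 32) -> str:
    """Random passphrase from letters and digits (about 5.95 bits of entropy per character)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    ssid = "guest-wifi"  # constructed sample SSID
    for candidate in ("short", "password", generate_psk()):
        problems = validate_psk(candidate)
        print(f"{candidate!r}: {problems or 'valid'}")
        if not problems:
            # the same passphrase yields a different PMK on a different SSID
            print("  PMK:", derive_pmk(ssid, candidate))
            print("  PMK on other SSID:", derive_pmk(ssid + "-2", candidate))
```

Because the SSID is the salt, a rainbow table only helps an attacker against a specific network name; the per-guess cost is one 4096-round PBKDF2 run, which commodity hardware performs many thousands of times per second. A 32-character random passphrase from this alphabet carries roughly 190 bits of entropy and is out of reach; a dictionary word padded to eight characters is not.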
Troubleshooting

If the Wi-Fi interface is not available (indicated by a red square),


1. Verify that you completed all the configuration steps.
2. Make sure that the system is up-to-date with firmware patches.
If the Wi-Fi interface is still not available after completing these two steps, reboot the system:
1. Open the CONTROL > Box page.
2. In the left menu, expand Operating System and click Reboot Box.
3. After rebooting the system, go to the CONTROL > Server page and check the Server Status table to make sure that the service is
running.
4. To restart the service, right-click it in the table and click Restart Service.
If Wi-Fi still is not enabled, contact Barracuda Networks Technical Support.

How to Configure Wi-Fi Guest Access


Wi-Fi guest access can only be used for Wi-Fi users. For a more generic guest access configuration (ticketing and confirmation page),
see Firewall Authentication and Guest Access.
You can configure a fully customizable web-based portal that displays a disclaimer and requests login credentials from users when they first try to
access the Internet or special network segments. For example, you can configure a Guest Access that looks similar to the following page:

To administer tickets for the Guest Access, you can also enable a web-based backend user interface for creating, deleting, managing, or printing
tickets.
In this article:
Step 1. Enable Guest Access
Step 2. Configure Guest Access
View Authenticated Users

Authenticated Users in Firewall Rules


Guest Access Ticketing System
Access to the Admin Ticket Interface
Ticketing Next Steps
Step 1. Enable Guest Access

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > WIFI > WIFI AP
Configuration.
2. Click Lock.
3. From the Guest Access list, select either Confirmation or Ticketing. If you want to disable the Guest Access, select None.
4. Click Send Changes and Activate.
Step 2. Configure Guest Access

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forw
arding Settings.
2. In the left menu, select Guest Access.
3. Click Lock.
4. You can specify the following settings for the Guest Access:
Timing
Renew Confirmation After (min.) The time period after which users must re-enter their login credentials.
When deleting ticketing users, the user can still access the guest network for the duration of this value. To force a
user to be blocked immediately, you must delete the ticketing or confirmation user in FIREWALL > Users and terminate
all existing firewall sessions in FIREWALL > Live for that user.
Auto. Renew Confirmation Confirmation is automatically renewed within this time period, after the last confirmation has
timed out. The user does not need to re-enter login credentials.
Customization (Confirmation)
Confirmation text Custom text that is displayed on the confirmation window. If left blank, the default Barracuda Networks
disclaimer is displayed.
Header Logo (Only visible in advanced view) The customizable header image for confirmation Guest Access. Before
specifying an image in this field, you must upload it. From the Configuration menu in the left navigation pane, click
Authentication Messages. Add the picture to the Custom HTML Files table within the lP subdirectory.
Authentication Password The authentication password of the RADIUS authentication server.
Use Accounting Enables RADIUS accounting.
Accounting Server IP The IP address of the RADIUS accounting server.
Accounting Port The IP port of the accounting server.
Accounting Password The password of the accounting server.
Accounting Update Interval[s] The time interval in seconds for obtaining accounting updates. You can enter 60 to 600
seconds.

5. In the RADIUS Fallback Options section, you can edit the following settings for a secondary or fallback RADIUS server:
Primary Retry Interval[s] The interval in seconds for trying to return to using the primary RADIUS server.
Secondary Radius Servers The list of secondary or fallback RADIUS servers.

6. Click Send Changes and Activate.

NG Control Center

The Barracuda NG Control Center is a central administration appliance designed to manage a large number of Barracuda NG Firewalls. The
Barracuda NG Control Center provides a comprehensive set of central management services and features such as template-driven objects,
reusable global objects, user definable work views, and graphical representation of the global WAN network. The box layer of the Barracuda NG
Control Center is identical to the Barracuda NG Firewall.
Central Management
Multi-Admin Support and Role-Based Administration
Revision Control System (RCS)
Central Statistics
Central Syslog and Eventing
FW Audit
NG Access Monitor (NAC)
Barracuda NG Earth
Public Key Infrastructure (PKI)
Graphical VPN Configuration Interface (GTI Editor)
Shared Services
Other

Central Management
The Barracuda NG Control Center allows administrators to centrally manage and monitor Barracuda NG Firewalls. The NG Control Center can
simultaneously manage multiple releases and platforms (hardware, virtual, and public cloud). Configuration, file updates, and licenses are
distributed to the managed units. Remote units connect to the NG Control Center via remote management tunnels. The health and status of all
managed NG Firewalls is continuously checked.
For more information, see Central Management.

Multi-Admin Support and Role-Based Administration


The Barracuda NG Control Center provides freely configurable permission schemes and user management.
For more information, see Barracuda NG Control Center Admins

Revision Control System (RCS)

The Revision Control System (RCS) stores versioning information on all configuration changes to your system. You can view older configuration
versions and, if necessary, roll back previous changes.
For more information, see Revision Control System (RCS)

Central Statistics
The Barracuda NG Control Center can collect and store statistics of its managed NG Firewalls. The CC Statistics Collector and CC Statistic
Viewer process the raw data and present the collected data in the STATISTICS tab on the Barracuda NG Control Center.
For more information, see Statistics.

Central Syslog and Eventing


The CC Syslog service collects log messages from Barracuda NG Firewalls that are managed by the Barracuda NG Control Center and streams
those log messages to an external log host. For system processes and CC services, events are generated and sent to the NG Control Center
from the managed Barracuda NG Firewall systems. On the Barracuda NG Control Center, event forwarding is based on communication between
the Box Event module running on the operative Barracuda NG Firewall (box) and the CC Event Service module running on the Barracuda NG
Control Center.
For more information, see How to Configure Syslog Streaming and CC Eventing.

FW Audit
The CC FW Audit Log service receives structured firewall data from the managed units and stores the firewall audit information on the Barracuda
NG Control Center. The CC Firewall Audit Info viewer provides a consolidated view similar to the firewall access cache across multiple boxes. For
large or high-performance environments, dedicated Barracuda NG Firewall boxes can be configured to collect and retrieve firewall audit log
information. The collection and processing is handled by the CC FW Audit Log service and the Audit Info collector on the Barracuda NG Control
Center.
For more information, see FW Audit

NG Access Monitor (NAC)


The Access Monitor is the key component of the Barracuda Network Access Client. Its responsibilities include collecting information from the
client that is necessary for health evaluation and taking measures depending on the health check outcome.
For more information, see The Barracuda Access Monitor.

Barracuda NG Earth
Barracuda NG Earth displays the status of your VPN site-to-site tunnels around the world. When connected to the Barracuda NG Control Center,
Barracuda NG Earth retrieves the data from your VPN connections and displays the tunnels according to the information on a customizable
interface. Barracuda NG Earth is not available for the Barracuda NG Control Center Standard Edition.
For more information, see Barracuda NG Earth.

Public Key Infrastructure (PKI)


The PKI service on the Barracuda NG Control Center lets you create, manage, and revoke certificates. The PKI is not available for the Barracuda
NG Control Center Standard Edition.
For more information, see Control Center PKI Service

Graphical VPN Configuration Interface (GTI Editor)


The GTI Editor is a graphical user interface for creating and managing Site-to-Site TINA and IPsec VPN tunnels.
For more information, see GTI Editor.

Shared Services
There are three types of shared services that can run on multiple virtual servers:
Distributed Firewall

SNMP
DNS
For more information, see Shared Services.

Other
CC Firewall Service For more information, see Control Center CC Firewall.
CC Troubleshooting For more information, see NG Control Center Troubleshooting.
Migrate the Barracuda NG Control Center to a new network segment For more information, see Best Practice - Migrate the NG Control
Center to a New Network Segment.

NG Control Center Getting Started with the CC Setup Wizard



For Barracuda NG Control Centers installed via NG Install, do not use the CC Wizard. For more information, see NG Control Center
Manually Getting Started.
Complete the CC Wizard to configure all necessary box layer and Control Center settings for your new Barracuda NG Control Center. The CC
Wizard can be launched from the OPTION menu or automatically starts when logging into a new NG Control Center on box layer. The CC Wizard
is available for all NG Control Centers running firmware 6.0.1 or later.
In this article
Before you Begin
Wizard Starts Automatically on First Login
Launch the CC Wizard Manually
Step 2. Enter your Company Data
Step 3. Activate the Barracuda NG Control Center
Step 4. Administrative Settings
Step 5. Network Configuration
Step 6. (optional) Create Administrators
Step 7. Review Configuration Summary
Step 8. Submit the Configuration
Next Steps

Before you Begin


The CC Wizard can be used only on new or freshly installed Barracuda NG Control Centers.
Virtual NG Control Centers require a license token for activation. The license token is included in the email received from Barracuda
Customer Support after purchasing the NG Control Center license.

Step 1. Start the CC Wizard


The CC Wizard will launch automatically when logging in to a new NG Control Center or can be launched from the Option menu in NG Admin:
Wizard Starts Automatically on First Login

Log into Box Layer of a new NG Control Center to use the CC Setup Wizard.
1. Launch Barracuda NG Admin.
2. Select Box.
3. Log in to the NG Control Center box layer:
Management IP If you are using a hardware NG Control Center appliance, enter 192.168.200.200. For virtual NG Control
Centers, enter the IP address you set during deployment.
Password Enter the default password: ngf1r3wall.

4. Click Log In. The CC Setup Wizard window opens.


Launch the CC Wizard Manually

The CC Setup Wizard can also be accessed by the Options menu in NG Admin.
1. Launch Barracuda NG Admin.
2. Click the OPTION menu in the upper left-hand corner and click CC Wizard. The CC Setup Wizard window opens.

3. Log in to the NG Control Center:


Management IP If you are using a hardware NG Control Center appliance, enter 192.168.200.200. For virtual NG Control
Centers, enter the IP address you set during deployment.
Password Enter the default password: ngf1r3wall.

4. Click Next.

Step 2. Enter your Company Data


You must enter your company data to supply the information needed for:
NG Control Center license activation
Box level certificates
CC certificates
Activation template used on the NG Control Center to activate managed NG Firewalls
System email address
1. Enter the following information:
Company Name
Department
First Name
Last Name
Common Name
Email After successful activation, a confirmation email is sent to this email address.
Country
State
City
Street
ZIP/Postal Code
Phone

2. Click Next.

Step 3. Activate the Barracuda NG Control Center


Accept the Terms of Use to download, install, and activate the licenses. If you are using a virtual Barracuda NG Control Center, you are
prompted to enter the license token you received from Barracuda Customer Support after purchasing the license. The company data entered in
Step 2 is used to complete the contact information in the activation form.
1. Click Accept and Activate.

2. If you are using a virtual NG Control Center, enter the License Token: E.g., XXXXX-XXXXX-XXXXX

3. Click Next.

Step 4. Administrative Settings


Enter administrative settings for your NG Control Center. Enabling the Revision Control System (RCS) is strongly recommended.
1. Change the root user password. Depending on the password strength, the background of the New password textbox is green (strong),
yellow (medium), or red (weak).

2. Enter the DNS Settings:


DNS Server Enter the IP address for the primary DNS server on your network.
Default Domain Enter the default domain.

3. Enter the NTP Settings:


NTP Server Enter an IP address or hostname for your preferred NTP server.
Timezone Select the time zone from the dropdown.

4. Enable Revision Control System (RCS):


Enable RCS (recommended) Enable to allow the administrator to view and, if necessary, revert configuration changes made
on the NG Control Center.
Require RCS Change Messages Enable this option to force the admin to enter a description for every configuration change.

5. Click Next.

Step 5. Network Configuration


Configure basic network settings, such as management and Control Center IP address, gateway routes, and trusted networks (management
ACLs).
1. Enter a Hostname for your CC.
2. (optional) Change the Management IP.
3. Select the Netmask from the dropdown.
4. Enter the Control Center IP. This IP address must be different from the management IP address.
5. Enter the Default Gateway.
6. (optional) Enter all Trusted Networks that are allowed to access the NG Control Center.
Incorrect trusted networks (management ACLs) prevent you from connecting to your NG Control Center. For more information,
see How to Change the Root Password and Management ACL.

7. For each Additional Gateway Route:


a. Enter the destination Network and Gateway.
b. Click Add.

8. Click Next.
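The warning in step 6 cuts both ways: a trusted-networks list that omits the network you administer from locks you out, while one that contains a catch-all entry removes the control entirely. A pre-activation check catches both before the wizard submits anything. The Python below is an added example, not Barracuda code; it assumes trusted networks are expressed as IPv4 or IPv6 CIDR entries (the page shows no format) and treats an empty list as "no restriction" (an assumption of this example). The function names and sample addresses are this example's own.

```python
import ipaddress


def check_management_acl(trusted_networks, admin_sources):
    """Check a proposed management ACL (list of CIDR strings) before activating it.

    Returns a dict with three lists:
      invalid    entries that do not parse as IPv4/IPv6 networks
      too_broad  entries that permit management from anywhere
      lockout    admin source addresses that no entry covers (you would lose access)
    """
    result = {"invalid": [], "too_broad": [], "lockout": []}
    nets = []
    for entry in trusted_networks:
        try:
            # strict=False accepts host bits, e.g. 10.0.0.15/24 becomes 10.0.0.0/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            result["invalid"].append(entry)

    for net in nets:
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            result["too_broad"].append(str(net))

    if not nets:
        # Assumption for this example: an empty list means no restriction at all.
        result["too_broad"].append("(no entries)")
        return result

    for src in admin_sources:
        ip = ipaddress.ip_address(src)
        # membership across IPv4/IPv6 is simply False, so a v6 admin needs a v6 entry
        if not any(ip in net for net in nets):
            result["lockout"].append(src)
    return result


def acl_is_safe(trusted_networks, admin_sources) -> bool:
    """True only when every entry parses and every admin source is still allowed."""
    r = check_management_acl(trusted_networks, admin_sources)
    return not r["invalid"] and not r["lockout"]


if __name__ == "__main__":
    # constructed sample: the admin workstation network plus the appliance's own subnet
    proposed = ["10.0.0.0/24", "192.168.200.0/24"]
    admins = ["10.0.0.15", "2001:db8::1"]
    print(check_management_acl(proposed, admins))   # flags the IPv6 admin as locked out
    print(acl_is_safe(proposed, ["10.0.0.15"]))      # True
```

Run it with the list you intend to enter and the addresses NG Admin actually connects from (including any jump host or VPN pool address, which is what the appliance sees). A non-empty `lockout` list means the wizard would finish and then refuse your next login.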

Step 6. (optional) Create Administrators


You can create additional administrators. All administrators created have full read/write permissions on the NG Control Center and also full
access to the box layer. If you want to use an external authentication server, create the CC admins after completing the CC Wizard. For more
information, see Barracuda NG Control Center Admins.
1. For each additional administrator, enter the following settings and click Add.
Username Enter a username.
Full Name Enter the full name of the user.
Password / Confirm Password Enter a password. Depending on the password strength, the background of the Password
textbox is green (strong), yellow (medium), or red (weak).

2. Click Next.

Step 7. Review Configuration Summary


1. (optional) Click Print Summary to print the configuration settings on the system's default printer.
2. (recommended) Click Save Summary to save a text file containing the configuration parameters collected by the CC Setup wizard.
3. Click Next.

Step 8. Submit the Configuration


The CC Wizard now sends and activates all configuration settings collected in steps 1 to 7. If one configuration step fails, use the Back button to
go back and change the configuration. You can then resubmit the settings to finish the configuration of the Barracuda NG Control Center. When
the configuration changes are complete, click Finish. The CC Setup Wizard is automatically disabled for this NG Control Center.

Next Steps
Use the CC IP Address to connect to the NG Control Center.

Create Admins using External Authentication: Barracuda NG Control Center Admins
Configure Central Management: Central Management; How to Manage Ranges and Clusters
Add Managed NG Firewalls: How to Add a new Barracuda NG Firewall to the Control Center; How to Configure a Remote
Management Tunnel for Barracuda NG Firewalls
License Managed NG Firewalls: How to Assign and Activate Single Licenses on a Barracuda NG Control Center; How to Install
and Assign Pool Licenses on a Barracuda NG Control Center
NG Control Center Manually Getting Started



Before you complete the steps in this article, finish the Getting Started section for the Barracuda NG Firewall and configure all box layer
settings.
The box layer of the Barracuda NG Control Center uses the same "Getting Started" steps as the Barracuda NG Firewall. Once the licenses and
other basic settings are complete, you must configure the NG Control Center management layer.
In this article
Before you Begin
Step 1. Configure the Time Settings
Step 2. Set the First IP for the Virtual Server
Step 3. Manually Import the Base License
Step 4. Configure CC Identification Settings
Step 5. (optional) Complete the Auto Activation Form
Next Steps

Before you Begin


Configure the box layer of your Barracuda NG Control Center. For more information, see Getting Started.

Step 1. Configure the Time Settings


Enable the NTP daemon and configure the time servers.
1. Log into the box layer of the Barracuda NG Control Center.
2. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
3. In the left menu, select Time Settings/NTP.
4. Click Lock.
5. Set Enable sync on Startup to yes.
6. Click + to add time servers to the Time Server IP list.
7. Set Start NTPd to yes.
8. (optional) Configure NTP peers. For more information, see How to Configure Time Server (NTP) Settings.
9. Click Send Changes and Activate.

Step 2. Set the First IP for the Virtual Server


Configure the CC management IP address (MIP) for the virtual server S1 on the box layer of the NG Control Center. This is the IP address you
use when connecting to the NG Control Center.
1. Log into the box layer of the Barracuda NG Control Center.
2. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > S1 > Server Properties.
3. Click Lock.
4. Enter the CC MIP as the First-IP.
5. Set Reply to Ping to yes.
6. Click Send Changes and Activate.

Step 3. Manually Import the Base License


You must import the base license from the box layer of the NG Control Center. For more information, see How to Manually Install the
Licenses for the Barracuda NG Control Center.

Step 4. Configure CC Identification Settings


The CC Identification settings are required to secure communication between the Barracuda NG Control Center and the Barracuda NG Firewalls
it manages.
1. Log into the Barracuda NG Control Center.
2. Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > CC Identity.
3. Click Lock.
4. In the Additional CC IP Addresses table, add an entry for the management IP address. Usually, the Barracuda NG Control Center has
one server IP address and one management IP address. In this case, enter the management IP address.
5. In the left menu, click Trust Chain.
6. Define the keys and certificates required for secure communication between the Barracuda NG Control Center and the Barracuda NG
Firewall systems that it will manage:
CC Certificate Click Edit and specify the certificate settings.
CC Private Key Click New Key and specify the key length.
CC SSH Key Click New Key and specify the key length.
7. Click Send Changes and Activate.

Step 5. (optional) Complete the Auto Activation Form


To automatically activate managed NG Firewall licenses, you must enter the data for the auto-activation form once.
1. Log into the Barracuda NG Control Center.
2. Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > CC Parameters.
3. In the left menu, select Activation Template.
4. Click Lock.
5. Enter the Owner and Purchase Information.
6. Click Send Changes and Activate.

Next Steps
Continue with the steps below to set up the Barracuda NG Control Center according to your needs.
Create Admins: Barracuda NG Control Center Admins
Configure Central Management: Central Management; How to Manage Ranges and Clusters
Add Managed NG Firewalls: How to Add a new Barracuda NG Firewall to the Control Center; How to Configure a Remote
Management Tunnel for Barracuda NG Firewalls
License Managed NG Firewalls: How to Assign and Activate Single Licenses on a Barracuda NG Control Center; How to Install
and Assign Pool Licenses on a Barracuda NG Control Center
Revision Control System (RCS): Revision Control System (RCS)

Central Management

The Barracuda NG Control Center is designed for the central management of Barracuda NG Firewalls. NG Control Center admins configure
security, content, traffic management, and network access policies from one central management interface. Template-based security information
and configuration versions make it possible to manage all locations from one central system.
System Hierarchy: Ranges, Clusters and Boxes
System Health and Status Monitoring
Configuration Updates
Remote Management Tunnels
Licensing on the Barracuda NG Control Center
Firmware Updates on Managed NG Firewalls
Barracuda NG Control Center Trust Center Model

System Hierarchy: Ranges, Clusters and Boxes

The Barracuda NG Control Center organizes the managed NG Firewalls into a hierarchy of ranges and clusters, with the individual box configurations at the lowest level. The number of available ranges and clusters depends on which edition of the NG Control Center you are using:
Standard Edition: One range, one cluster, unlimited number of boxes (NG Firewalls).
Enterprise Edition: One range, unlimited number of clusters, unlimited number of boxes (NG Firewalls).
Global Edition: Five ranges with the option to add additional ranges, unlimited number of clusters, unlimited number of boxes (NG Firewalls).
Ranges

Ranges simplify central administration of globally distributed NG Firewalls. For each range, you can define global settings, spanning all clusters in
the range. You must create at least one cluster in a range to be able to add Barracuda NG Firewall boxes. To make configuration easier, you can
define the following range-wide configuration settings:
Range Objects
Range GTI Editor
Range Statistics
Range Access Control Objects
Range QoS Shaping Trees
Activation Template
For more information, see How to Manage Ranges and Clusters.
Clusters

At the second highest level, clusters represent groups of Barracuda NG Firewalls. To make configuration easier, you can define the following
cluster-wide configuration settings:
Cluster Objects
Cluster GTI Editor
Cluster Statistics
Cluster Access Control Objects
Cluster QoS Shaping Trees
Activation Template
For more information, see How to Manage Ranges and Clusters.

Boxes

Boxes represent the individual Barracuda NG Firewall units within a Barracuda NG Control Center cluster.
For more information, see:
How to Import an Existing Barracuda NG Firewall into a NG Control Center
How to Add a new Barracuda NG Firewall to the Control Center.
How to Move, Copy and Delete Barracuda NG Firewalls

System Health and Status Monitoring


The Barracuda NG Control Center continuously monitors the system status of all managed units and displays a summary on the Barracuda NG
Admin Status Map.
For more information, see CC Status Map Page.

Configuration Updates
The configuration for all managed NG Firewalls is stored on the Barracuda NG Control Center. When the admin activates a configuration
change, it is automatically pushed out to the managed Barracuda NG Firewalls.
For more information, see CC Configuration Updates.

Remote Management Tunnels


Remote Barracuda NG Firewalls not able to directly reach the Barracuda NG Control Center connect to the NG Control Center via a remote
management tunnel. These secure remote management tunnels are used for all communication, such as configuration updates, statistics, and
monitoring updates.
For more information, see How to Configure a Remote Management Tunnel for Barracuda NG Firewalls.

Licensing on the Barracuda NG Control Center


The Barracuda NG Control Center automatically completes license activation for new Barracuda NG Firewalls. If pool licenses are used, the NG Control Center can assign and update license information for the remote NG Firewalls using these licenses.
For more information, see Licensing on a NG Control Center.

Firmware Updates on Managed NG Firewalls


The Barracuda NG Control Center manages deployment of hotfixes and firmware updates for all managed units. Updates and changes are
pushed to the managed units and can be triggered manually or automatically at a preset time.
For more information, see How to Update Barracuda NG Control Center Managed Systems.

Barracuda NG Control Center Trust Center Model

Connections between the Barracuda NG Control Center, NG Firewall, and Barracuda NG Admin are authenticated with X509 private/public keys. The NG Control Center handles the certificate and authentication of remote NG Firewalls and NG Admin. The NG Control Center also stores a list of valid SSH keys for all managed units.
NG Control Center connects to a managed NG Firewall: During deployment, the public keys for the box certificate and the Control Center certificate are exchanged. These keys are used to authenticate all SSL connections between the Control Center and the managed units.
Connecting to the NG Control Center with NG Admin: NG Admin can verify if the Control Center certificate is valid and if it is communicating with the intended Barracuda NG Control Center by checking the certificate with the NG Control Center public key it has previously downloaded from the Control Center.
Connecting to a managed NG Firewall with NG Admin: NG Admin downloads the public key from the NG Control Center and then uses that key to verify the box certificate of the managed NG Firewall.
For information on how to troubleshoot the certificate chain of trust, see the Authentication Level section in NG Control Center Troubleshooting.
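As an added example that is not part of this documentation and not Barracuda's code, the following Go program models the two NG Admin checks described above: a box certificate is accepted only if it chains to the CC certificate, and a Control Center is accepted only if its certificate carries the previously downloaded CC public key. The certificate names, the use of ECDSA P-256, and the CC acting as issuer of the box certificate are assumptions made for the model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ccIdentity stands in for the CC Certificate and CC Private Key defined under Trust Chain.
type ccIdentity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// makeCert signs tmpl with priv under parent and returns the parsed certificate.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCCIdentity creates a self-signed CC certificate that is allowed to sign box certificates.
func newCCIdentity(name string) (*ccIdentity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := makeCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &ccIdentity{cert: cert, key: key}, nil
}

// issueBoxCert models the deployment-time exchange: the box certificate of a managed
// NG Firewall is signed with the CC private key (assumption: the CC is the issuer).
func (cc *ccIdentity) issueBoxCert(boxName string, serial int64) (*x509.Certificate, error) {
	boxKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: boxName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return makeCert(tmpl, cc.cert, &boxKey.PublicKey, cc.key)
}

// verifyBoxCert is the check NG Admin performs against a managed NG Firewall: the box
// certificate must chain to the downloaded CC certificate and to nothing else (no system CA store).
func verifyBoxCert(trustedCC, box *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCC)
	_, err := box.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// pinFor is what NG Admin keeps from a previously downloaded CC certificate: a SHA-256 of its public key.
func pinFor(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// ccCertMatchesPin is the check NG Admin performs when connecting to the Control Center:
// the presented certificate must be self-consistent and carry the pinned CC public key.
func ccCertMatchesPin(pin [32]byte, presented *x509.Certificate) bool {
	if err := presented.CheckSignatureFrom(presented); err != nil {
		return false
	}
	return pinFor(presented) == pin
}

func main() {
	cc, _ := newCCIdentity("cc.example.invalid")
	rogue, _ := newCCIdentity("rogue.example.invalid")
	box, _ := cc.issueBoxCert("box01.example.invalid", 2)
	fmt.Println("box cert chains to own CC:", verifyBoxCert(cc.cert, box) == nil)     // true
	fmt.Println("box cert chains to rogue CC:", verifyBoxCert(rogue.cert, box) == nil) // false
	fmt.Println("rogue CC matches pinned key:", ccCertMatchesPin(pinFor(cc.cert), rogue.cert)) // false
}
```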

How to Manage Ranges and Clusters


Barracuda NG Firewall systems are organized into a two-level hierarchy on the Barracuda NG Control Center. A common use would be to create ranges for regions such as North America and EMEA and then create clusters for each country in the region. Configuration and default settings shared by multiple Barracuda NG Firewalls can be configured on the cluster or range level. To create reusable configurations for multiple Barracuda NG Firewalls, use a repository. The configuration of an individual system can then be linked or copied from a range or global repository, making it easy to deploy a change to all managed systems.

In this article:
Create a Range
Remove a Range
Create a Cluster
Remove a Cluster
Range and Cluster Specific Settings
Migrating the Configuration
Migrating a Repository Linked Unit
Migrate a Cluster or Range
Migrate Multiple Clusters and Ranges
Create a Range

You must create at least one range on a NG Control Center.
1. Click the CONFIGURATION tab.
2. Right-click Multi-Range and select Create Range.
3. Specify a Range Name (only numbers are allowed), and enter a Description.
4. Enter the contact details in the Contact Info field.
5. Configure the range properties as described in the Specific Settings section.
6. Click Next.
7. Enter the owner and purchase details in the information sections.
8. Click Finish.
9. Click Activate.

Remove a Range

Deleting a range is final and will also remove all clusters and managed NG Firewalls in the range. Create a backup before deleting a range.
1. Click the CONFIGURATION tab.
2. Right-click the range you wish to remove and click Lock.
3. Right-click the range and select Remove Range.
4. Click OK to confirm the deletion.
5. Click Activate.

Create a Cluster

Unless you are using a Standard Edition NG Control Center, there is no limit on how many clusters you can create.
1. Click the CONFIGURATION tab.
2. Expand Multi-Range, right-click your desired range and select Create Cluster.
3. Select the software release of the Barracuda NG Firewall boxes that should be managed and click OK.
4. Enter a descriptive Cluster Name.
5. Enter the contact details.
6. Configure the cluster properties as described in the Specific Settings section.
7. Click Next.
8. Enter the owner and purchase details in the information sections.
9. Click Finish.
10. Click Activate.

Remove a Cluster

Deleting a cluster is final and will also remove all clusters and managed NG Firewalls. Create a backup before deleting a cluster.
1. Click the CONFIGURATION tab.
2. Navigate to the cluster you wish to remove.
3. Right-click the cluster and click Lock.
4. Right-click the cluster and select Remove Cluster.
5. Click OK to confirm the deletion.
6. Click Activate.

Range and Cluster Specific Settings

Each range and cluster can override global settings by using its own configuration interface. When enabling these settings, the scope is limited to the range or cluster it is set for.
Setting | Description
Disable Update | Enables/disables configuration updates for boxes from this range or cluster.
Collect Statistics | Triggers the Barracuda NG Control Center to collect statistics from managed boxes within this range or cluster.
Own Cook Settings | Introduces the node Statistics Cook Settings where you can define the custom cook settings for the range (see How to Configure Statistics Processing and Maintenance). If the range or cluster requires special cook settings for statistical data, enable this parameter.
Own Event Settings | Introduces the node Eventing where you can define custom event settings for the range or cluster (see How to Configure Event Notifications). If the range or cluster requires special event settings, enable this parameter.
Own Firewall Objects | Enables range/cluster-specific firewall objects and introduces the node Range/Cluster Firewall Objects where you can define range/cluster-specific network objects (see Firewall Objects and Network Objects).
Own VPN GTI Editor | Enables a range/cluster-specific VPN GTI Editor and introduces the node VPN GTI Editor (range/clustername). For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
Own Access Control Objects | Enables range/cluster-specific policy server objects and introduces the node Access Control Objects containing the files Welcome Message, Personal Firewall Rules, Pictures and Registry Checks (like Access Control Service).
Own Shaping Trees | Enables range/cluster-specific traffic shaping settings and introduces the node Range/Cluster Shaping Trees (see Traffic Shaping).
Send Statistics to Reporter (legacy) | Sends central statistics data to the legacy Barracuda NG Reporter appliance.

Migrating the Configuration

Migration can only be performed to the next major firmware version (5.0 > 5.2 > 5.4 > 6.0 > 6.1).
Migrating a Repository Linked Unit

If you are using a repository, you must prepare the repository linked units before migration. For information, see How to Prepare Repository Linked Box Configurations for Migration.
1. Click the CONFIGURATION tab.
2. Expand Multi-Range and navigate to the desired object in the Repository tree.
3. Right-click the object and click Lock.
4. Right-click the object and select Migrate Node.
5. Choose the version number as migration destination and click OK to confirm the migration.
6. Click Activate.

Migrate a Cluster or Range

Clusters can only be migrated to a higher firmware version. You cannot downgrade a cluster configuration.
1. Click the CONFIGURATION tab.
2. Navigate to the cluster or range you wish to migrate.
3. Right-click the cluster or range and click Lock.
4. Right-click the cluster and select Migrate Cluster / Migrate Range.
5. Choose the version number as migration destination and click OK to confirm the migration.
6. Review the future configuration.
The MailGW Settings and the Service Configuration nodes will be changed during this migration process. Open the nodes to look at the new configuration dialogs.
7. Click Activate.
Migrate Multiple Clusters and Ranges

1. Click the CONFIGURATION tab.
2. Right-click Multi-Range and select Migrate Clusters/Ranges from the context menu.
3. Select the nodes to be migrated while holding down the SHIFT key.
4. Click OK to confirm the migration.
5. Click Activate.

Global Firewall Objects


Global firewall objects are available to all firewall services managed by the Barracuda NG Control Center. You can override global firewall objects
by enabling firewall objects on the range or cluster level. You can create the following global objects:
Network Objects
Service Objects
Application Objects
User Group Objects
Generic IPS Pattern Objects
If global firewall objects are renamed, the change has to be confirmed directly by clicking Send Changes and Activate before it becomes available in the firewall services. The object type cannot be changed after it has been set.

Global Firewall Objects vs. Range/Cluster Firewall Objects

For a more granular definition of firewall objects, global firewall objects can be overridden by range or cluster firewall objects of the same name. An object that overrides a globally defined object is indicated by a server icon with a red arrow.
Global objects that are overridden by range or cluster objects are not visible within the host firewall or forwarding firewall rule editor on range or cluster level.

Site-Specific Network Objects

To define network objects for IP addresses or networks which differ for each NG Firewall, define a site-specific network object. The values for
these network objects must be entered for each virtual server on the Server Properties > Networks page and can then be used in the
Forwarding Firewall rule set.
Global GTI Objects

When tunnel endpoints are created in the VPN GTI Editor, corresponding dynamic network objects are created at the same time (see How to Create a VPN Tunnel with the VPN GTI Editor). These objects are named servername_clustername_range with a prefixed GTI Server accordingly. Global GTI objects are inherited as references by the local and forwarding firewall rulesets of each Firewall service related to the tunnel endpoint and may be used for rule specification. Every time a new tunnel endpoint is inserted into the Global VPN GTI Editor, the GTI Objects must be reloaded in the Global Firewall Objects window in order to become available in the configuration dialogs. Global GTI objects cannot be edited or renamed.

How to Add a new Barracuda NG Firewall to the Control Center


Before you deploy a new Barracuda NG Firewall you can create and configure all necessary settings on the NG Control Center. Deploy the PAR
file to the NG Firewall to finish adding the NG Firewall to the NG Control Center.
In this article:
Step 1. Create a new Barracuda NG Firewall Box
Step 2. (optional) Configure Remote Management Tunnel
Step 3. Enable the NG Firewall
Step 4. Deploy the PAR file to the NG Firewall
Step 4.1 Create the PAR file on the NG Control Center
Step 4.2. Import the PAR on the NG Firewall
Step 1. Create a new Barracuda NG Firewall Box

1. Expand the Boxes node (CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster).
2. Right-click Boxes and select Create Box Wizard. The Wizard window opens.
3. Enter all settings requested by the Create Box Wizard.
4. Click Finish.
5. Click Activate.

Step 2. (optional) Configure Remote Management Tunnel

If your NG Firewall can not directly access the NG Control Center, configure a remote management tunnel. For more information, see How to
Configure a Remote Management Tunnel for Barracuda NG Firewalls.
Step 3. Enable the NG Firewall

Imported NG Firewalls are disabled by default. Disabled NG Firewalls are represented by a grey status icon.
1. Open the Box Properties page for the NG Firewall (CONFIGURATION > Configuration Tree > Multi-Range > your range > your
cluster > your NG Firewall).
2. In the left menu click on Operational.
3. Set Disable Box to no.
4. Click Send Changes and Activate.
The status of the NG Firewall on the Status Map (CONTROL > Status Map) now changes from grey (offline) to red with dashes (unreachable).
Step 4. Deploy the PAR file to the NG Firewall

Deploy the configuration of the new Barracuda NG Firewall to the remote NG Firewall.
Step 4.1 Create the PAR file on the NG Control Center

1. Log in to the NG Control Center.
2. Expand the node for the NG Firewall you imported in Step 2.
3. Right-click the box name and select Create PAR file for box.
4. Choose the destination folder and click Save.

Step 4.2. Import the PAR on the NG Firewall

1. Log into your NG Firewall.
2. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your NG Firewall.
3. Right-click the Box node and select Restore from PAR file.
4. Click OK.

How to Move, Copy and Delete Barracuda NG Firewalls


Remove a Barracuda NG Firewall

A Barracuda NG Firewall that has been removed from the Barracuda NG Control Center does not automatically become a standalone
system. If you want to use the removed Barracuda NG Firewall as a standalone system, you must reconfigure it.
1. In the Configuration Tree, navigate to the Barracuda NG Firewall that you want to remove.
2. Right-click the Barracuda NG Firewall and select Lock.
3. Right-click the Barracuda NG Firewall and select Remove Box.
4. Click OK.

After the Barracuda NG Firewall has been removed, the box entry should disappear from the CC status map with the next configuration update. If
the entry stays on the system:
1. At the command line, enter the following commands:
$ find /opt/phion/rangetree/configroot/ -name box.dbconf | xargs rm
$ conftool r - rebuild_db
$ conftool r - rebuild_cache
2. Restart the CC Rangeconf service.

Licensing on a NG Control Center


The Barracuda NG Control Center is licensed by installing the base license on the box layer and in the NG Control Center management interface. For the managed NG Firewalls, the NG Control Center manages, assigns and updates VF and SF pool licenses and optionally also activates licenses automatically.
In this article
Licensing a Barracuda NG Control Center
Licensing Managed NG Firewalls
Single Licenses with Unattended or Manual License Activation
Pool Licenses
Managing Pool Licenses
Continuous Updating of the Pool License Float
Special Considerations for NG Control Center Licenses in Grace Period
Licensing a Barracuda NG Control Center

The base license for the NG Control Center is automatically downloaded on the box layer of the NG Control Center when it is activated. You must
also install this base license in the management interface of the NG Control Center, to establish the CC identity. Pool licenses are also bound to
the base license of the NG Control Center.
For more information, see How to Manually Install the Licenses for the Barracuda NG Control Center.
Licensing Managed NG Firewalls

Managed Barracuda NG Firewalls can be licensed with single or pool licenses.


Single Licenses with Unattended or Manual License Activation

Single licenses are bound to the MAC and cpuid of the individual NG Firewall and cannot be transferred. To make deploying a large number of NG Firewalls easier, the NG Control Center can automatically fill in or complete the Barracuda Activation for new managed NG Firewalls using single licenses. If you have filled in the Activation Template (Config > CC Parameters) on the NG Control Center, the web form is filled in automatically. By enabling unattended activation in the Barracuda Activation tab for your license, you will not be prompted when a unit is activated.
Pool Licenses

There are three types of pool licenses:
F for hardware appliances. Hardware pool licenses must be purchased in combination with the hardware appliances.
VF for virtual appliances.
SF for software licenses.
Pool licenses can only be purchased in multiples of five and are bound to the base license of the NG Control Center. This means that they can be
assigned freely to all NG Firewalls of the same product type and model as the pool license managed by that NG Control Center. The licenses are
assigned and continuously renewed for all pool licensed managed NG Firewalls. Box licenses derived from a renewed pool license will be
updated automatically on the managed NG Firewalls.
For more information, see How to Install and Assign Pool Licenses on a Barracuda NG Control Center.
Managing Pool Licenses

The Pool Licenses section on the Barracuda Activation page offers several actions for license handling. To access the context menu options,
right click a license from the Pool Licenses list:
Import Pool License: Imports the pool license. You are prompted to enter the Token and select the Product Type. The pool license is then listed in the Pool Licenses section.
Remove Pool BAR <License Number>: Removes the selected pool license.
Use Unattended Activation: If you activate this option, Barracuda NG Admin will not ask for personal contact information when activating licenses on Barracuda servers. Activation templates can be edited in the configuration on Global, Range and Cluster levels.
Update Licenses on CC: Triggers an instant check whether licenses have been updated on the Barracuda license servers (this check is performed hourly in the background).
Move Instances to another Pool: Replaces the box licenses derived from one pool license with box licenses from another pool license. This can be used when a new pool license with a bigger pool was purchased. In the next step you select the new pool from which the licenses should be generated. The new pool license must already be listed (i.e., previously imported) in the Pool Licenses window, must have at least as many free instances as the old pool, and must contain all the modules of the old license pool, optionally with additional ones.
Reassign Licenses to Instances: If the pool license was renewed but the box licenses were not automatically updated by the Barracuda NG Control Center, use this option to manually trigger the update.
Refresh: Refreshes the Pool Licenses list.
Tools: Opens the standard Tools context menu, from where you can export the list to a file or to the clipboard.
Continuous Updating of the Pool License Float

Managed NG Firewalls using pool licenses must renew the license by connecting to the Barracuda NG Firewall at regular intervals. The license status for each NG Firewall is listed on the Control > Floating Licenses page. Updating the pool license float follows this scheme:
Licenses have a grace period of 15 days. The Barracuda NG Firewall starts to check the pool license state after a quarter of the grace period. If this check fails, the next attempt is made after the first half of the grace period. If this check also fails, the license state enters grace mode. From then on the NG Firewall attempts to contact the NG Control Center four consecutive times every 10 minutes until the float is successfully updated. If a pool licensed NG Firewall is not able to connect to the NG Control Center for 15 days, all services are shut down and the license state is changed to unlicensed.
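As an added example (not part of the original documentation and not Barracuda's code), the following Go program replays the renewal schedule above for one pool-licensed NG Firewall against a constructed Control Center outage, so an operator can see when a unit enters grace mode and when it would shut down. It assumes that grace-mode retries simply continue every 10 minutes until renewal or until the 15-day grace period has run out; the text does not state the retry pattern this precisely.

```go
package main

import (
	"fmt"
	"time"
)

// Timing values taken from the page: 15-day grace period, scheduled checks at a
// quarter and at half of it, then retries every 10 minutes in grace mode.
const (
	gracePeriod   = 15 * 24 * time.Hour
	retryInterval = 10 * time.Minute
)

type licenseState int

const (
	licensed licenseState = iota
	graceMode
	unlicensed
)

func (s licenseState) String() string {
	return [...]string{"licensed", "grace mode", "unlicensed"}[s]
}

// floatResult describes the outcome of simulateFloat.
type floatResult struct {
	state    licenseState
	attempts []time.Duration // offsets of every renewal attempt made up to "now"
	lastOK   time.Duration   // offset of the last successful float update
}

// simulateFloat replays the renewal scheme for one pool-licensed NG Firewall.
// Offsets are measured from the last successful float update (offset 0);
// reachable(t) reports whether the NG Control Center could be contacted at
// offset t. Assumption (not stated this precisely on the page): grace-mode
// retries continue every 10 minutes until renewal or until the grace period
// has run out, at which point the box becomes unlicensed.
func simulateFloat(reachable func(time.Duration) bool, now time.Duration) floatResult {
	res := floatResult{state: licensed}
	var base time.Duration
	for {
		renewed := false
		// The two scheduled checks at 1/4 and 1/2 of the grace period.
		for _, t := range []time.Duration{base + gracePeriod/4, base + gracePeriod/2} {
			if t > now {
				return res // still licensed; the next check lies in the future
			}
			res.attempts = append(res.attempts, t)
			if reachable(t) {
				base, res.lastOK, renewed = t, t, true
				break
			}
		}
		if renewed {
			continue
		}
		// Both scheduled checks failed: grace mode, retry every 10 minutes.
		res.state = graceMode
		for t := base + gracePeriod/2 + retryInterval; t < base+gracePeriod; t += retryInterval {
			if t > now {
				return res
			}
			res.attempts = append(res.attempts, t)
			if reachable(t) {
				base, res.lastOK, renewed = t, t, true
				res.state = licensed
				break
			}
		}
		if renewed {
			continue
		}
		if now >= base+gracePeriod {
			res.state = unlicensed // 15 days without contact: services shut down
		}
		return res
	}
}

func main() {
	// Constructed outage: the Control Center is unreachable from day 3 to day 8.
	outage := func(t time.Duration) bool { return t < 72*time.Hour || t >= 192*time.Hour }
	for _, d := range []time.Duration{100 * time.Hour, 190 * time.Hour, 240 * time.Hour} {
		r := simulateFloat(outage, d)
		fmt.Printf("at %v: %v (attempts %d, last OK at %v)\n", d, r.state, len(r.attempts), r.lastOK)
	}
}
```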

Special Considerations for NG Control Center Licenses in Grace Period

If the host-ID or MAC address of the NG Control Center has changed, the licenses become invalid and enter a 14-day grace period. During the grace period, do not change settings on the CC Identity page.
Contact Barracuda Technical Support to resolve the licensing issues.

How to Manually Install the Licenses for the Barracuda NG Control Center
You must license the Barracuda NG Control Center before adding managed Barracuda NG Firewalls. The licenses for the Barracuda NG Control
Center are associated with the hardware ID of the system. The MAC address of a network card, the main board ID, or the CPU ID are used as the
key for the licenses. The base license must be installed on the box layer and in the NG Control Center management interface.
In this article:
Before You Begin
Step 1. Export the Base License on Box Layer
Step 2. Import the Base License
Before You Begin

Before installing the base license of a Barracuda NG Control Center, make sure the base license is installed and activated on the box layer. For
more information, see Licensing.
Step 1. Export the Base License on Box Layer

1. Log into the box layer of the Barracuda NG Control Center. If the Barracuda NG Control Center is running on an HA cluster, log into the primary unit.
2. Open the CONFIGURATION > Full Config > Box > Box Licenses page.
3. Click Lock.
4. In the Licenses table, select the Base License, click Im/Export and select Export to clipboard.
Step 2. Import the Base License

1. Log into the Barracuda NG Control Center.
2. Open the CC Identity page (Config > Global Settings > CC Identity).
3. Click Lock.
4. In the CC Identification section, click Import and select Import from Clipboard.
5. In the Organization field, enter your organization name.
6. Click Send Changes and Activate.

How to Install and Assign Pool Licenses on a Barracuda NG Control Center


Pool licenses are typically used in larger Barracuda NG Firewall environments using a Barracuda NG Control Center for management purposes. Pool licenses are bundles of single licenses that can be dynamically assigned to the NG Control Center managed Firewalls. License management takes place directly on the Barracuda NG Control Center.
In this article:
Before you Begin
Step 1. Install the License
Step 2. Select Product Type and Disable Barracuda Activation
Step 3. Assign the License
Before you Begin

Make sure the Barracuda NG Admin has a connection to the Internet. When entering the license token, Barracuda NG Admin downloads the
purchased license file from Barracuda Networks and automatically installs the license on the Barracuda NG Control Center.
Step 1. Install the License

To install the pool license on the Barracuda NG Control Center:
1. Go to CONTROL > Barracuda Activation.
2. In the Pool Licenses section, right-click and select Import Pool License.
3. Enter the pool license token and select the product type from the Product list.
4. Fill out the Barracuda customer activation form.
The pool license is now listed in the Pool Licenses section.


Step 2. Select Product Type and Disable Barracuda Activation

You must turn off Barracuda Activation for each firewall you want to use pool licenses for.
1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your NG Firewall > Box Properties.
2. Click Lock.
3. Select your Barracuda NG Firewall model from the Product Type and Hardware Model dropdown menus.
4. In the left menu, click Operational.
5. Set Disable Barracuda Activation to Yes.
6. Click Send Changes and Activate.

The NG Firewall will no longer try to retrieve the licenses automatically, as the pool licenses are assigned by the NG Control Center.
Step 3. Assign the License

You can only use pool licenses of the same product type (F/VF/SF) and model (e.g., VF50) as the NG Firewall you are assigning the license to.
1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your NG Firewall > Box Properties.
2. Click Lock.
3. Click + and select Import from Pool License.
4. Double-click the pool license you want to assign to this unit. Repeat this step for every pool license (base, energize update, web security, ...) you want to assign.
5. Click Send Changes and Activate.

How to Assign and Activate Single Licenses on a Barracuda NG Control Center


You can activate single licenses for managed Barracuda NG Firewalls on the NG Control Center. After activation the licenses are downloaded
automatically. Activation can be done unattended or triggered manually by the administrator.
In this article
Before you Begin
Step 1. Enter the Product Type and Enable Configuration Updates
Step 2. Enter the License Token and Activate the Single License
Before you Begin

Make sure the Barracuda NG Admin can connect to the Internet. When entering the license token, Barracuda NG Admin downloads the purchased license file from Barracuda Networks and automatically installs the license on the Barracuda NG Control Center.
Verify your data in the Activation Template (Global Settings > CC Parameters).
Step 1. Enter the Product Type and Enable Configuration Updates

1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your NG Firewall > Box Properties.
2. Click Lock.
3. Select your Barracuda NG Firewall model from the Product Type and Hardware Model dropdown menus.
4. In the left menu, click Operational.
5. Set Disable Box to no.
6. Click Send Changes and Activate.

Step 2. Enter the License Token and Activate the Single License

Enter the license token to initiate the unattended or manual activation.


1. Log into the Barracuda NG Control Center.
2. Go to CONTROL > Barracuda Activation.
3. Right click on the unlicensed NG Firewall in the Single Licenses section and click Enter License Token. The Activate your Virtual
Appliance window opens.
4. Enter the license token you received when purchasing your License.
5. If the NG Firewall is not online yet, you must enter the MAC address. Alternatively, connect the appliance to the NG Control Center first, then re-enter the token.
6. If unattended activation is disabled, select the NG Firewall in the Single Licenses list and click Activate.
If unattended activation is enabled, the licenses are downloaded and activated automatically. The form data configured in Activation Template (
Global Settings > CC Parameters) is used to fill in the activation form. You can also manually trigger the activation.

How to Update Barracuda NG Control Center Managed Systems


The Barracuda NG Control Center can manage multiple clusters, each using a different firmware version: 4.2.X, 5.0.X, 5.2.X, 5.4.X or 6.0.X. The Barracuda NG Control Center can only manage NG Firewalls using the same or a lower firmware version. You cannot mix different firmware versions in a cluster. When upgrading to a new firmware version, you must first update the NG Control Center, then all NG Firewalls, virtual servers and services in the cluster at the same time. After all managed NG Firewalls in a cluster have been updated, you must also migrate the cluster to the new release version.
In this article:
Step 1: Verify the Compatibility of Barracuda NG Control Center Versions with their Managed Units
Step 2: Import the Update Package into the Barracuda NG Control Center
Step 3: Send the Update Package to the Systems
Step 4: Execute the Update Package
Step 5. Migrate the Configuration Version of the Cluster
Update the Clusters Individually
Update all the Clusters in a Range
Troubleshooting / Logs
Step 1: Verify the Compatibility of Barracuda NG Control Center Versions with their Managed Units

The following table shows compatibility between the major versions of the Barracuda NG Control Center and various systems. Upgrade the Barracuda NG Control Center to the same firmware version or newer before updating the managed NG Firewalls. If you are using a NG Control Center with an older firmware release to manage a newer firmware version, new features included in the newer firmware will not be configurable.
For more information, see Updating Barracuda NG Firewalls and NG Control Centers.
System Version | Barracuda NG Control Center 5.0.X | Barracuda NG Control Center 5.2.X | Barracuda NG Control Center 5.4.X | Barracuda NG Control Center 6.0.X
Barracuda NG Firewall 4.2.X | YES | YES | YES | YES
Barracuda NG Firewall 5.0.X | YES | YES | YES | YES
Barracuda NG Firewall 5.2.X | YES - only 5.0.X feature level | YES | YES | YES
Barracuda NG Firewall 5.4.X | YES - only 5.0.X feature level | YES - only 5.2.X feature level | YES | YES
Barracuda NG Firewall 6.1.X | YES - only 5.0.X feature level | YES - only 5.2.X feature level | YES - only 5.4.X feature level | YES

Step 2: Import the Update Package into the Barracuda NG Control Center

Upload the update to the NG Control Center.


1. Log into the Barracuda NG Control Center.
2. Go to CONTROL > Firmware Update.
3. Click Import and select the update package from the file browser.
The file is copied to the NG Control Center and displayed in the Files section.
Step 3: Send the Update Package to the Systems

1. On the Firmware Update page, select the Ranges, Clusters, or Boxes to be updated.
2. In the Files section, select the imported update package.
3. Click Create Task. The New Update Task window opens.
4. Select Immediate Execution as the Scheduling Mode.
5. Click OK.

The update packages are now copied to the selected remote systems. Go to CONTROL > Update Tasks for more information.
Step 4: Execute the Update Package

1. Go to CONTROL > Update Tasks.
2. In the column, a green icon is displayed, verifying that the update package was sent successfully.
3. Select the systems which have received the entire update package, then right-click the system and select Perform Update.
4. In the Schedule Task window, select Immediate Execution from the Scheduling Mode list and click OK.

Wait for the update to finish. Depending on the system hardware, the process can last anywhere from 15 minutes (for a fast system) to 60
minutes (for flash appliances).
Unless noted otherwise all Barracuda NG Firewalls will reboot after the update has been applied.

Step 5. Migrate the Configuration Version of the Cluster

If you are updating to a new major version (5.2 to 5.4 or 5.4 to 6.0), you must migrate the cluster version after the update has completed.
Update the Clusters Individually

1. Open the cluster you just updated (CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster).
2. Right-click the cluster and select Lock.
3. Right-click the cluster and select Migrate Cluster.
4. Select the new Release version.
5. Click OK.
6. Click Activate.

Update all the Clusters in a Range

If all clusters in the range are on the same firmware version you can migrate all clusters simultaneously.
1. Open the range containing the clusters you just updated (CONFIGURATION > Configuration Tree > Multi-Range > your range).
2. Right-click the range and select Lock.
3. Right-click the range and select Migrate Range.
4. Select the new Release version.
5. Click OK.
6. Click Activate.

Troubleshooting / Logs

After the update process, review the Box\Release\update or Box\Release\update_hotfix log for each system to verify that it was successfully
updated. To view a system log, you must connect directly to the system and open the Logs page.

How to Prepare Repository Linked Box Configurations for Migration


In most cases, NG Firewall configurations are at least partly linked to repositories for easier administration purposes. When migrating a Barracuda
NG Firewall to a newer release, pay special attention to these repository links to ensure that your future administration structure remains simple.
Similar to when you move or copy managed units (see: How to Move, Copy and Delete Barracuda NG Firewalls), the repository links cannot be
maintained if, for example, a version 5.2 cluster is migrated to version 5.4 while the repository is still in use by other 5.2 version units. If you
migrate the configuration before migrating the repository, the repository links will be broken and the content of the repository will be copied to the
NG Firewall configuration page. Proceed as follows to maintain the linked configurations while keeping the original repository objects.
Step 1 - Create a version 5.2 repository object with the same configuration settings as the former object.
Step 2 - Migrate the configuration.
Step 3 - Delete the configuration files that have been created during migration.
Step 4 - Create new links from the configuration nodes to the up-to-date repository object.
Repository migration follows this migration path: 4.2 > 5.0 > 5.2 > 5.4 > 6.0

Repositories
Barracuda NG Control Center repositories contain configurations that can be applied to groups of Barracuda NG Firewalls. Configuration data that
is used on more than one machine should be stored in a repository. This saves time and reduces configuration errors, because the information
is entered only once and is then linked from the corresponding repository object. When you change a setting in a repository object, all linked
configuration entries are automatically updated. With a repository, you do not have to configure each affected system individually. Three types of
repositories exist:
General Repository
Range Repository
Cluster Repository

For compatibility reasons, two nodes are structured differently within the box repository tree than within the box configuration tree of a range:
Authentication Service is placed in Advanced Configuration and not in Infrastructure Services.
System Settings is placed in Box and not in Advanced Configuration.
In this article:
Create a Repository
Copy an Existing Configuration to the Repository
Link a Barracuda NG Firewall Configuration to the Repository
Override the Repository Settings
Create a Repository

1. Click the CONFIGURATION tab.


2. In the Configuration Tree, right-click Multi-Range and select Create Repository.
In the repository, you can create new configuration entries or copy existing entries from the Configuration Tree.
3. Click Activate.
Copy an Existing Configuration to the Repository

1. In the Configuration Tree, navigate to and expand the system with the required configuration settings.
2. Right-click the required configuration entry and click Lock.
3. Right-click the entry again and select Copy to Repository.
If you want to copy repository settings to a configuration entry, right-click the entry and select Copy from Repository.

4. Enter a name for the new repository object and click OK.
5. Click Activate.
Link a Barracuda NG Firewall Configuration to the Repository

1. In the Configuration Tree, navigate to and expand the system.
2. Right-click the configuration entry that must be linked to the repository and select Lock.
3. Right-click the entry again and select Link from Repository.
4. Select the repository object and click OK.
5. Click Activate.

Override the Repository Settings

If you do not want a repository setting to be applied to a system, you can override it.
1. In the Configuration Tree, navigate to and expand the system.
2. Right-click the linked configuration entry and select Lock.
3. Right-click the entry again and select Link Override from Repository.
4. Select the repository object and click OK.
5. To override a specific parameter of the configuration entry:
a. Double-click the configuration entry.
b. Right-click the orange icon of the parameter and select Override Entry.
c. Enter the new parameter value.

Barracuda NG Control Center Admins



Administrative accounts allow multiple users to simultaneously manage the Barracuda NG Control Center and its managed Barracuda NG
Firewall units. Initially, every Barracuda NG Control Center is managed by the user root who has unlimited access rights. The user root has the
ability to grant system access to other administrators who, depending on the assigned user rights, are allowed or denied to perform certain
operations. This is done by creating administrative profiles. Administrative profiles can be configured to use local or external authentication. The
profile settings both specify the scope that an administrator can access (e.g., range or cluster) and define permissions and restrictions specified in
the administrative roles that are assigned to the profile. Administrative roles define which services an administrator is allowed to use on the
Barracuda NG Control Center and the managed Barracuda NG Firewalls. The configuration level specifies which areas in the config tree an
administrator has read and/or write access to. The lowest (or best) configuration level that can be assigned to an administrator is 1 (like the user
root). When an admin user creates a new administrative profile, the new user can, at best, receive the configuration level of the creating admin
plus one.

Administrative Roles
The Barracuda NG Control Center provides a set of predefined administrative roles that can be modified if required and applied to an admin

profile (e.g., Manager, Editor, etc.). Administrative roles define which services administrators are allowed to use on the Barracuda NG Control
Center and the managed Barracuda NG Firewalls and which operations the administrator is allowed to perform within the different services (e.g.,
terminate VPN tunnels, etc.). When creating an administrative profile you can assign multiple administrative roles to a Barracuda NG Control
Center administrator account.
For more information, see How to Configure Administrative Roles.

Administrative Profiles
When introducing an administrator on the Barracuda NG Control Center, create an administrative profile and assign access
privileges, permissions, and restrictions.
An administrative profile consists of the following settings:
Account Settings: Account settings define various parameters of an administrator account, such as username, authentication method,
password expiration policy, shell access level, etc. You can authenticate administrators via local or external schemes (e.g., MS Active
Directory, RADIUS, LDAP, etc.). External authentication enables the Barracuda NG Control Center and the Barracuda NG Firewalls to
verify the credentials of an administrator against any supported authentication server. Administrators can use their external authentication
(e.g., MSAD) password for logging into the Barracuda NG Firewall environment. Optionally, the administrator can also receive access
rights to the operating system layer (shell login).
Administrative Scope: By assigning elements like a range or cluster, the administrative scope implicitly defines the systems that the
administrator can access. The administrative scope also restricts the administrator's view on the Barracuda NG Control Center (e.g.,
status map, config tree, etc.) and access to certain Barracuda NG Firewall units that are managed by the Barracuda NG Control Center.
Configuration Levels: The configuration level defines the read and write access a user has on configuration nodes in the Barracuda
NG Control Center config tree. When creating an administrative profile, you have to apply a configuration level to the administrative user.
In addition, you can specify or change configuration levels in the config tree. To read or edit a configuration node in the config tree, the
administrative user must have a configuration level that is lower than the node's read and write level.

For more information, see How to Configure Administrative Profiles.


Barracuda NG Control Center box level admins must be created separately on the box level of the NG Control Center and be
configured as if on a standalone Barracuda NG Firewall unit (see How to Create a New Admin Account).

How to Configure Administrative Roles


As part of an administrative profile, administrative roles define the operative permissions and restrictions of an administrative user to the different
services of the Barracuda NG Control Center and the managed Barracuda NG Firewalls units. When configuring administrative roles, you can
define which services the administrative user is allowed to access and which operations they are allowed or denied to perform on the services.
You can then assign the role to an administrative profile (see How to Configure Administrative Profiles).
In this article:
Roles Permissions and Restrictions
Configure Administrative Roles
Apply the Administrative Role to a Profile
Roles Permissions and Restrictions

Administrative roles permissions and restrictions are defined as follows:


Software Item | Manager | Operator | Observer | Editor | Administrators

Box Menu: CC Configuration
Access to CC Config | Yes | Yes | Yes | Yes | Yes
Kill Sessions | Yes | Yes | No | Yes | No
Change Permissions | Yes | No | No | Yes | No
Change Events | Yes | No | No | Yes | No
Show Admins | Yes | No | Yes | Yes | No
Manage Admins | Yes | No | No | Yes | Yes
Create/Remove Range | Yes | No | No | Yes | No
Create/Remove Cluster | Yes | No | No | Yes | No
Use RCS | Yes | No | Yes | Yes | No
Create/Remove Boxes | Yes | No | No | Yes | No
Create/Remove Servers | Yes | No | No | Yes | No
Create/Remove Service | Yes | No | No | Yes | No
Create/Remove Repository | Yes | No | No | Yes | No
Manage HA Sync | Yes | Yes | No | Yes | No
Create PAR File | Yes | No | No | Yes | No
Allow Config View on Box | Yes | Yes | Yes | Yes | No
Allow Emergency Override | Yes | No | No | Yes | No
Create/Remove Workspace | Yes | No | No | Yes | No
Change Workspaces | Yes | No | No | Yes | No

Box Menu: CC Control
Access to CC Control | Yes | Yes | Yes | Yes | Yes
Show Map | Yes | Yes | Yes | Yes | Yes
Show Config Updates | Yes | Yes | Yes | Yes | Yes
Manage Config Updates | Yes | Yes | Yes | Yes | Yes
Show Box REXEC | Yes | Yes | Yes | No | No
Manage Box REXEC | Yes | Yes | No | No | No
Show Box Firmware Updates | Yes | Yes | Yes | No | No
Manage Box Firmware Updates | Yes | Yes | Yes | No | No
Manage Box File Update | Yes | Yes | Yes | No | No
Show Box File Update | Yes | Yes | Yes | No | No
Manage Box Geo Position | Yes | Yes | Yes | Yes | No
Manage Box Activation | Yes | Yes | No | Yes | No

Box Menu: CC Audit Info
Access to CC Audit Info | Yes | Yes | Yes | Yes | No

Box Menu: CC PKI
Access to CC PKI | Yes | No | Yes | Yes | No

Box Menu: Control
Access to Control | Yes | Yes | Yes | Yes | No
Start/Stop Server | Yes | Yes | No | No | No
Block Server | Yes | Yes | No | No | No
Start/Stop Service | Yes | Yes | No | No | No
Block Service | Yes | Yes | No | No | No
Delete Wild Route | Yes | Yes | No | No | No
Activate New Configuration | Yes | Yes | Yes | Yes | No
Restart Network Subsystem | Yes | Yes | No | No | No
Set or Sync Box Time | Yes | Yes | Yes | Yes | No
Firmware Restart | Yes | Yes | No | No | No
Reboot/Shutdown System | Yes | Yes | No | No | No
Activate Kernel Update | Yes | No | No | No | No
Kill Sessions | Yes | Yes | No | No | No
Import License | Yes | Yes | Yes | Yes | No
Remove License | Yes | Yes | Yes | Yes | No
View License Data | Yes | Yes | Yes | Yes | No
SCEP Operations | Yes | Yes | Yes | Yes | No

Box Menu: Event
Access to Event | Yes | Yes | Yes | Yes | No
Silence Events | Yes | Yes | No | Yes | No
Stop Alarm | Yes | Yes | No | Yes | No
Mark as Read | Yes | Yes | No | Yes | No
Confirm Events | Yes | Yes | No | Yes | No
Delete Events | Yes | No | No | Yes | No

Box Menu: Log
Access to Log | Yes | Yes | Yes | Yes | No
Read Box Logfiles | Yes | Yes | Yes | Yes | No
Delete Box Logfiles | Yes | No | No | Yes | No
Read Service Logfiles | Yes | Yes | Yes | Yes | No
Delete Service Logfiles | Yes | No | No | Yes | No

Box Menu: Statistics
Access to Statistics | Yes | Yes | Yes | Yes | No
Read Box Statistics | Yes | Yes | Yes | Yes | No
Delete Box Statistics | Yes | No | No | Yes | No
Read Service Statistics | Yes | Yes | Yes | Yes | No
Delete Service Statistics | Yes | No | No | Yes | No

Box Menu: DHCP
Access to DHCP | Yes | Yes | Yes | No | No
Enable Commands / deletion of lease | Yes | Yes | No | No | No

Box Menu: Access Control Service
Access to Access Control Service | Yes | Yes | Yes | No | No
Enable Commands / deletion of access cache | Yes | No | No | No | No

Box Menu: CC Access Control Service
Access to CC Access Control Service | Yes | Yes | Yes | No | No
Enable Commands | Yes | No | No | No | No
Block Box Sync | Yes | No | No | No | No

Box Menu: Firewall
Access to Firewall | Yes | Yes | Yes | Yes | No
Terminate Connections | Yes | Yes | No | No | No
Modify Connections | Yes | Yes | No | No | No
Kill Handler Processes | Yes | Yes | No | No | No
Dynamic Rule Control | Yes | Yes | No | No | No
Toggle Trace | Yes | Yes | No | No | No
View Trace Output | Yes | Yes | No | No | No
Change Settings | Yes | Yes | No | No | No
View Ruleset | Yes | Yes | Yes | Yes | No
Manipulate Access Cache Entries | Yes | No | No | No | No
Access ATD tab and Quarantine | Yes | No | No | No | No

Box Menu: VPN
Access to VPN | Yes | Yes | Yes | Yes | No
Terminate VPN Tunnels | Yes | Yes | No | No | No
Disable/Enable VPN Tunnels | Yes | Yes | No | No | No
View Configuration | Yes | Yes | Yes | Yes | No

Box Menu: Mail Router
Access to Mail Router | Yes | Yes | Yes | No | No
Enable Commands | Yes | No | No | No | No
View Stripped Attachments | Yes | No | No | No | No
Retrieve Stripped Attachments | Yes | No | No | No | No
Delete Stripped Attachments | Yes | No | No | No | No

Box Menu: Virus Scanner
Access to Virscan Service | Yes | Yes | Yes | No | No
Allow Block Virus Pattern Update | Yes | Yes | No | No | No
Allow Manual Virus Pattern Update | Yes | Yes | No | No | No

Box Menu: Secure Web Proxy
Access to Secure Web Proxy | Yes | Yes | Yes | No | No
Access Cache Management | Yes | No | No | No | No
Ticket Management | Yes | Yes | No | No | No
Cert. Authorities Management | Yes | No | No | No | No
XML Services Management | Yes | No | No | No | No

Box Menu: HTTP Proxy
Access to HTTP Proxy | Yes | Yes | Yes | No | No

Box Menu: WiFi
Access to WiFi | Yes | Yes | Yes | No | No

Configure Administrative Roles

1. Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > Administrative Roles.
2. Click Lock.
3. In the Roles section, click + to create a new role. You can also edit and modify an existing entry.
4. Enter a Name for the role (only numbers are allowed) and click OK. The Roles configuration window opens.
5. To provide the administrative role with access to a service:
a. Select the Access to <service name> check box.
b. Click Set/Edit to configure detailed permissions for the service and click OK.
It is recommended that you grant the Show Map permission in the CC Control Module section to every admin role. Admins that do not
have this permission will get an error message immediately after they log into the Barracuda NG Control Center.

6. Click OK.
7. Click Send Changes and Activate.
You can now assign the administrative role to an administrative user profile (see How to Configure Administrative Profiles).
Apply the Administrative Role to a Profile

1. Click the ADMINS tab.
2. Right-click the admin profile in the list and select Lock.
3. Edit the profile.
4. Select the administrative role from the Roles list. (If you just want to assign specific roles, clear the Allow All Operations check box.)
5. Click OK.
6. Click Activate.

The administrative user can now view and edit settings and services on the Barracuda NG Control Center according to their assigned roles.

How to Configure Administrative Profiles


Administrative profiles define the authentication setup for admin users and specify which ranges/clusters, services and configuration areas the
users can access on a Barracuda NG Control Center and its managed Barracuda NG Firewall systems. When creating an administrative profile,
assign the administrative scope (e.g., range and cluster) to the user and specify the login details. Then assign a configuration level to the
profile and set the service permissions and restrictions by applying one or several administrative roles. Administrative profiles are extendable;
scopes and permissions can be added at any time by configuring further instances.
In this article:
Step 1. Assign the Administrative Scope
Step 2. Configure Authentication Settings
Local Authentication
External Authentication
Step 3. Configure Access Permissions and Restrictions
Step 4. (Optional) Define Node Properties
Create new Admin Instances to Add Scope and Permissions to Existing Profiles
Step 1. Assign the Administrative Scope

Add an administrator account and select the range and cluster to which the user should have access.
1. Open the ADMINS tab.
2. Click New Entry.
3. Enter a Name for the account. This is the user login name.
4. From the Range list, select which ranges the admin should be able to access.
If you select -ALL-, the user has access to all ranges and clusters.
If you select -Linked-Only-, you can customize the administrative scope by selecting specific ranges and clusters from the Links
lists in the Administrator window.
5. From the Cluster list, select which clusters the admin can access.
If you select -ALL-, the administrative scope is widened to all clusters within the selected range.
6. Click OK.
The administrative scope is now defined for the user, and the Administrator configuration window opens for further configuration.
Step 2. Configure Authentication Settings

When using external authentication, you must also configure the authentication scheme that is used on the Infrastructure Services >
Authentication Service pages for the Barracuda NG Control Centers box layer and on all Barracuda NG Firewalls that are managed
by the Barracuda NG Control Center. For more information, see Authentication.
You can use either local or external authentication for admin users:
Local Authentication

When creating an admin account using local authentication, configure the following settings in the Administrator window (to edit an existing
admin profile, right-click the profile, select Lock All Instances and edit it):
1. On the Administrator page, select Local (No external Authentication) from the External Authentication list.
2. Enter the Full Name and Password for the user in the General section.
3. Click the Details tab.
4. Specify the password settings in the Password Parameters section.
5. Click OK.
6. Click Activate.

External Authentication

When creating an admin account using external authentication, configure the following settings in the Administrator window (to edit an existing
admin profile, right-click the profile, select Lock All Instances and edit it):
1. On the Administrator page, select the authentication scheme from the External Authentication list, e.g., MS Active Directory.
2. Click the Details tab.
3. Select the applicable authentication method from the Authentication Level list.
4. When selecting Key or Password or/AND Key, you must import the Public Key.
5. Click OK.
6. Click Activate.

Step 3. Configure Access Permissions and Restrictions

Specify the configuration and access level and assign administrative roles to the account. The default levels for config tree nodes are 99 or lower
for read access, and 2 or lower for write access. Usually, the write level is lower than the read level.
1. In the Administrator configuration window, click the Administrator tab. (To edit an existing admin profile, right-click the profile, select
Lock All Instances and edit it.)
2. Specify the Configuration Level for the user in the Operative Settings section. 2 or lower means write access, 99 or lower means read
access (see also Barracuda NG Control Center Admins).
3. Assign one or several administrative roles:
Select the role from the Roles list and click Add (for more information on administrative roles, see How to Configure
Administrative Roles), or
Select the Allow all Operations check box to grant permission for all administrative role operations. This overrides all
administrative roles that have been assigned to the administrator.
4. To grant permission for shell level access, select an option from the Shell Level list. You can select:
No Login: Shell access is denied.
Standard Login: Allows access on the OS layer via a default user account (home directory: user/phion/home/username).
Restricted Login: Permits access via a restricted shell (rbash) with limitations (e.g., commands containing slashes and changing
directories with cd are not permitted). A restricted login confines any saving action to the user's home directory.
5. Click OK.
6. Click Activate.
Your admin user can now log into the Barracuda NG Control Center using the credentials specified in their profile and view or edit the services
and settings defined in the assigned administrative roles.

Step 4. (Optional) Define Node Properties

To change configuration levels in the Barracuda NG Control Center config tree,


1. Lock the configuration node in the config tree.
2. Right-click the node and select Properties.
3. Edit the Read and Write levels in the Administrative Level section.

4. Click Change.
By default, the configuration level for an object is taken from its parent node. If you change a level, it is displayed as 'explicit'. When you change
the level of a parent node, the levels of all nodes below it are also changed. Be aware that nodes with status 'explicit' must be changed manually.
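The level rules above (defaults of 99 for read and 2 for write, inheritance from the parent node, 'explicit' nodes that do not follow a parent change, and the admin's configuration level compared against the node), as an added example that is not Barracuda's code. It assumes the "2 or lower means write access" reading, i.e. an admin with level L may read a node when L is at or below its read level and write when L is at or below its write level; the tree and node names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_READ_LEVEL = 99   # page default: "99 or lower for read access"
DEFAULT_WRITE_LEVEL = 2   # page default: "2 or lower for write access"
ROOT_LEVEL = 1            # lowest (best) level, held by the user root


@dataclass
class ConfigNode:
    name: str
    parent: Optional["ConfigNode"] = None
    children: Dict[str, "ConfigNode"] = field(default_factory=dict)
    # None means "taken from the parent"; a value marks the node 'explicit'
    explicit_read: Optional[int] = None
    explicit_write: Optional[int] = None

    def add_child(self, name: str) -> "ConfigNode":
        child = ConfigNode(name, parent=self)
        self.children[name] = child
        return child

    def is_explicit(self) -> bool:
        return self.explicit_read is not None or self.explicit_write is not None

    @property
    def read_level(self) -> int:
        if self.explicit_read is not None:
            return self.explicit_read
        return self.parent.read_level if self.parent else DEFAULT_READ_LEVEL

    @property
    def write_level(self) -> int:
        if self.explicit_write is not None:
            return self.explicit_write
        return self.parent.write_level if self.parent else DEFAULT_WRITE_LEVEL

    def set_levels(self, read: Optional[int] = None,
                   write: Optional[int] = None) -> None:
        """Edit the Administrative Level in the node's Properties: non-explicit
        descendants follow automatically (they resolve through the parent
        chain); explicit descendants keep their values, as the page warns."""
        if read is not None:
            self.explicit_read = read
        if write is not None:
            self.explicit_write = write

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()} > {self.name}"


def can_read(admin_level: int, node: ConfigNode) -> bool:
    """An admin may read a node when its level is at or below the read level."""
    return admin_level <= node.read_level


def can_write(admin_level: int, node: ConfigNode) -> bool:
    """Writing needs read access plus a level at or below the (stricter) write level."""
    return can_read(admin_level, node) and admin_level <= node.write_level


def explicit_descendants(node: ConfigNode) -> List[str]:
    """Descendants that will NOT follow a level change on `node`."""
    found: List[str] = []
    for child in node.children.values():
        if child.is_explicit():
            found.append(child.path())
        found.extend(explicit_descendants(child))
    return found


def build_sample_tree() -> Dict[str, ConfigNode]:
    """Constructed sample tree: Multi-Range > range > cluster > box > nodes."""
    root = ConfigNode("Multi-Range")
    rng = root.add_child("range1")
    cluster = rng.add_child("cluster1")
    box = cluster.add_child("box1")
    network = box.add_child("Network")
    admin = box.add_child("Administrative Settings")
    admin.set_levels(write=ROOT_LEVEL)   # explicit: only level-1 admins may edit it
    return {"root": root, "range": rng, "cluster": cluster, "box": box,
            "network": network, "admin": admin}


def cluster_change_scenario(new_write_level: int = 5) -> Dict[str, object]:
    """Loosen the cluster's write level and report which nodes followed."""
    tree = build_sample_tree()
    tree["cluster"].set_levels(write=new_write_level)
    return {
        "box_write": tree["box"].write_level,           # inherited: follows
        "network_write": tree["network"].write_level,   # inherited: follows
        "admin_write": tree["admin"].write_level,       # explicit: unchanged
        "manual_follow_up": explicit_descendants(tree["cluster"]),
        "level4_can_edit_network": can_write(4, tree["network"]),
        "level4_can_edit_admin": can_write(4, tree["admin"]),
    }
```

Running cluster_change_scenario() shows the box and its Network node following the cluster's new write level while the explicit Administrative Settings node stays at level 1 and is reported for manual follow-up.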
Create new Admin Instances to Add Scope and Permissions to Existing Profiles

To grant an administrative user different permissions or roles on further administrative scopes (ranges or clusters),
1. Open the ADMINS tab.
2. Right-click the user.
3. Click Lock All Instances.
4. Right-click the user again and select Create New Instance.
5. Edit the settings as described in the above configuration sections.
When assigning clusters to an existing administrative profile, do not choose the 'linked only' option as this will generate an error
message. Instead, choose a single cluster.
6. Click OK.
7. Click Activate.

The administrative profile is now displayed in a tree structure, showing all instances when expanded.

How to Configure Administrator Workspaces


In the Barracuda NG Control Center, administrators can create and customize workspaces to include often used configuration nodes from the
config tree. Each workspace can either be shared with all administrators or assigned to specific administrators. To edit a workspace, create
directories and labels to organize its configuration nodes. You can also edit and move the configuration nodes. To back up and restore a
workspace, save it to a configuration file.
In this article:
Before you Begin:
Create a Workspace
View a Workspace
Lock a Workspace
Add a Configuration Node
Edit a Workspace
Modify a Node
Back Up and Restore a Workspace
Before you Begin:

Before administrators can create, view, and customize their workspaces, they must be given permissions to do so. In the Administrative
Roles configuration, assign the parameter CC Configuration Module to the user and select the Create/Remove Workspaces and/or Change
Workspaces check box in the CC Config Permissions settings. For more information, see How to Configure Administrative Roles.
Create a Workspace

1. Open the CONFIGURATION tab.


2. Right-click Multi-Range and select Create Workspace.
3. In the Workspace Settings window, enter the following settings:
Short Name: The internal name of the workspace.
Label: The visible name of the workspace.
Admins to use the workspace: A comma- or space-delimited list of administrators who are permitted to use the workspace. You can use
wildcard characters such as "*" (asterisk) and "?" (question mark) to define ranges of matching administrator names.
Admins to change the workspace: A comma- or space-delimited list of administrators who are permitted to change the workspace. You can
use wildcard characters such as "*" (asterisk) and "?" (question mark) to define ranges of matching administrator names. These
administrators must also have the Change Workspace permission set within their Administrative Role settings. When left blank, the
workspace is only editable by its creator.
IP addresses/networks to use the workspace: IP addresses and network ranges from which administrators can use the workspace. When
left blank, the workspace can be accessed from anywhere.
4. Click OK.
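How the Workspace Settings fields above can be evaluated for a given administrator and source address, as an added example that is not Barracuda's code. It assumes that only "*" and "?" are wildcards, that the creator always counts as permitted, that a blank admin-use list means the workspace is shared with all administrators, and that changing a workspace also requires being allowed to use it; the settings and names are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List


def split_entries(value: str) -> List[str]:
    """Split a comma- or space-delimited field into its non-empty entries."""
    return [entry for entry in re.split(r"[,\s]+", value.strip()) if entry]


def name_matches(admin: str, pattern: str) -> bool:
    """Match an admin name against a pattern in which only "*" (any run of
    characters) and "?" (exactly one character) are wildcards."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, admin) is not None


@dataclass
class WorkspaceSettings:
    short_name: str
    label: str
    creator: str                   # the administrator who created the workspace
    admins_to_use: str = ""        # "Admins to use the workspace"
    admins_to_change: str = ""     # "Admins to change the workspace"
    ip_networks_to_use: str = ""   # "IP addresses/networks to use the workspace"


def source_allowed(settings: WorkspaceSettings, source_ip: str) -> bool:
    """A blank IP list means the workspace can be used from anywhere."""
    try:
        addr = ipaddress.ip_address(source_ip)
        networks = [ipaddress.ip_network(entry, strict=False)
                    for entry in split_entries(settings.ip_networks_to_use)]
    except ValueError:
        return False   # fail closed on an unparsable address or network entry
    return not networks or any(addr in net for net in networks)


def can_use(settings: WorkspaceSettings, admin: str, source_ip: str) -> bool:
    """Use requires an allowed source address and a matching admin name.
    Assumptions: the creator may always use its workspace, and a blank
    admin list means the workspace is shared with all administrators."""
    if not source_allowed(settings, source_ip):
        return False
    patterns = split_entries(settings.admins_to_use)
    if admin == settings.creator or not patterns:
        return True
    return any(name_matches(admin, pattern) for pattern in patterns)


def can_change(settings: WorkspaceSettings, admin: str, source_ip: str,
               has_change_workspaces_role: bool) -> bool:
    """Changing needs the Change Workspaces permission in the admin's role,
    the ability to use the workspace (assumption), and a listing in the change
    list; a blank change list leaves the workspace editable by its creator only."""
    if not has_change_workspaces_role or not can_use(settings, admin, source_ip):
        return False
    if admin == settings.creator:
        return True
    return any(name_matches(admin, pattern)
               for pattern in split_entries(settings.admins_to_change))


# Constructed sample settings (not from the page): a branch-office workspace
SAMPLE = WorkspaceSettings(
    short_name="ops-branch", label="Branch offices", creator="ops-lead",
    admins_to_use="ops-*, audit?",
    admins_to_change="ops-deputy",
    ip_networks_to_use="10.10.0.0/16 192.0.2.10",
)
```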

View a Workspace

To view a workspace, click the Workspaces tab in the right pane of the CONFIGURATION page and select the workspace. If you cannot find
this section, move your mouse to the right edge of the screen and click and drag the line towards the middle.

If you are already viewing a workspace but want to switch to another workspace view, right-click the active workspace's root node, select Show
Workspaces, and then select the new workspace view.
Lock a Workspace

To edit a workspace, you must first lock it.


1. Switch to the workspace view.
2. Right-click the workspace's root node and select Lock Workspace for Modifications.
While the workspace is locked, the background changes to yellow. To unlock the workspace, right-click its root node and select Unlock
Workspace.
Add a Configuration Node

Before you can add a node to a workspace, you must first lock the workspace. You can lock multiple workspaces at a time.
1. Open the CONFIGURATION tab. If you are already in the workspace, navigate back to the config tree by clicking Configuration Tree from
the Workspaces tab in the right menu of the Configuration Tree page.
2. In the config tree, right-click the required node, select Add Node to Workspace, and then select the workspace where you want to add
the node.
3. In the Enter Name window, enter a display name for the node and then choose to either remain in the configuration tree view or switch to
the workspace view.
4. After adding all of the required nodes to the workspace, switch to the workspace view.
5. Right-click the workspace's root node and select Activate Workspace Changes.

Edit a Workspace

After creating a workspace, you can edit its settings. You can also create directories and labels to organize its configuration nodes.
1. Lock the workspace in the workspace view.
2. Right-click the workspace's root node and select one of the following options to edit the workspace:
Create Directory: Creates a directory. In the Enter Name window, enter the name for the directory and click OK.
Create Label: Creates a label to partition the workspace into different sections. You can move nodes before or after the label.
Edit Workspace Properties: Reopens the Workspace Settings window so you can edit the workspace properties.
Refresh Workspace: Reloads the workspace.
Delete Workspace: Deletes the workspace.
Show this Workspace on Startup: Loads the workspace view instead of the configuration tree when you log into the
Barracuda NG Control Center and click the CONFIGURATION tab.
Show Tree on Startup: Loads the configuration tree when you log into the Barracuda NG Control Center and click the
CONFIGURATION tab.
3. Right-click the workspace's root node and select Activate Workspace Changes.
Modify a Node

You can modify workspace nodes by removing, renaming, and moving them.
1. Lock the workspace in the workspace view.
2. Right-click the node and select one of the following options:
Remove Node: Removes the node.
Rename Node: Renames the node. In the Enter Name window, enter the new name for the node and then click OK.
Mark Node for Move: Moves the node. The node is then marked by a red icon. Then right-click a label or another node and
choose to move the marked node before or after it. You can also right-click a directory and move the node into it.
3. Right-click the workspace's root node and select Activate Workspace Changes.
Back Up and Restore a Workspace

You can create a configuration file to back up and restore your workspace.
1. Lock the workspace in the workspace view.
2. Right-click the workspace's root node and select one of the following options:
Save Workspace to File: Saves the workspace into a configuration file.
Load Workspace from File: Restores a workspace from a saved configuration file. Loading a workspace overwrites the currently
active workspace.

How to Configure System Access for Root Aliases on CC-Managed Units


On Barracuda NG Firewalls that are managed by a Barracuda NG Control Center, the system access configuration lets you specify authentication
and access control settings for your root and service users (see Managing Access for Administrators). You can also create root aliases with access rights similar to those of the root user (except console access).
Configure System Access for Root Aliases

1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. From the Configuration Mode menu, select Switch to Advanced View.
3. In the left menu, select Advanced System Access.
4. Click Lock.
5. To add root aliases, click + in the Root Aliases table.
6. For each entry, specify the following settings:
a. Select the Authentication Mode for the root alias. When possible, use keys instead of passwords.
b. Enter the Password for the root alias if applicable.
c. If applicable, import the public RSA key for controlled Barracuda NG Admin logins. Do not use unencrypted private keys!
d. Click OK.
7. Click Send Changes and Activate.
With an appropriate authentication mode, the Barracuda NG Firewall authenticates a root alias admin via public key cryptography. To configure
key-based SSH login (controlled and automated) for non-root users on a system that is administered by a Barracuda NG Control Center, edit the
Public Key section for the administrator in the Admins tab. For more information, see How to Configure Administrative Profiles.

CC Eventing
The Barracuda NG Control Center generates events for system processes and CC services and processes events from its administered
Barracuda NG Firewall systems. Some events are generated by default, some are configured according to system and service requirements. On
the Barracuda NG Control Center, event forwarding is based on communication between the Box Event module running on the operative Barracuda NG Firewall (box) and the CC Event Service module running on the Barracuda NG Control Center. The event severity defines both how urgent or critical an event is and the classification of the event. The notification type specifies whether a server or client action (such as executing a program or sending emails and SNMP traps) is performed by the Barracuda NG Firewall or the Barracuda NG Control Center when an assigned event occurs.
In this article:
Viewing and Managing Events
Configure Event Notifications
Configure Access Notifications

Viewing and Managing Events


From the Barracuda NG Control Center EVENTS tab, you can view a list of all available event types. The event monitor lists all events that have
been generated by the CC services and all events that were propagated from the managed Barracuda NG Firewall systems. The mevent (Master
Event) service only processes events that are generated by the Barracuda NG Firewall gateways. To view events generated by the Barracuda NG Control Center box, log into the Barracuda NG Control Center on box level and open the EVENTS tab.

Configure Event Notifications


Due to the hierarchical structure of the Barracuda NG Control Center, events can be configured on several levels, depending on the requirements
of your security policy. You can define global, range-specific, cluster-specific, or box-specific event settings and configure notifications for the
following event types:
Operational Events Operational influences on the system, such as a high system load or low memory capacity.
Security Events Possible security vulnerabilities and attacks, such as port scans or incorrect login attempts.
You can assign severity levels and properties to each event. The propagation of Barracuda NG Firewall events to the Barracuda NG Control
Center must be configured in the box configuration.
For more information, see How to Configure Event Notifications.

Configure Access Notifications


Each system-access attempt poses a potential security risk. To keep track of successful or unsuccessful system-access attempts on the Barracuda NG Control Center, you can adjust notifications on a per-service and per-administrator basis. The Barracuda Networks model provides multiple notification schemes that let you link an administrator with a particular service-specific notification setting:
Service Default Default notification settings for all Barracuda Networks and system services capable of allowing access to the system.
These settings are always in effect for user root. The same applies to all system-only users.
Silent Automatically assigned to invisible users ha and master. The scheme suppresses notifications for successful access attempts.
Unsuccessful attempts are treated according to the Service Default scheme.
Type 1, 2, 3 Multi-admin option, freely customizable.
Access control settings assign particular notification types to each Barracuda NG Firewall service or otherwise relevant system service (for example, SSHd or console login). Notifications for success and failure events can usually be configured individually, with one notable exception: a direct system access failure or access by an unknown user always triggers an event.
To configure access notifications on a managed Barracuda NG Firewall unit, proceed with the steps described in How to Configure Access
Notifications.

How to Configure Event Notifications


On the Barracuda NG Control Center, you can configure various settings for specific system events, such as event notifications that can be sent
to you via email or SNMP trap messages. Global event settings are applied to all events that are being propagated from the Barracuda NG
Firewalls to the Barracuda NG Control Center, unless you have also defined range or cluster event settings. Range event settings are used if
multiple ranges requiring individual event settings are defined in the Config Tree. Cluster event settings are used for multiple clusters requiring
individual event settings. Box event settings are only applied to events that are processed by the event system of a Barracuda NG Firewall.
In this article:

NG Control Center Troubleshooting


The following troubleshooting tips may help correct some common errors.
The Barracuda NG Control Center cannot send configuration updates
'Authentication Failed' message when logging into a Barracuda NG Firewall
You have locked yourself out of the managed NG Firewalls after changing the CC IP addresses or certificates

The Barracuda NG Control Center cannot send configuration updates


If the Barracuda NG Control Center cannot send a configuration update to a Barracuda NG Firewall, the gateway might be offline. In this case, the
Barracuda NG Control Center keeps attempting to send the update. The waiting period between attempts is increased after each update failure.
After twenty failed attempts, the waiting period is increased to one hour. On the Control > Configuration Updates page, you can manually send
the update. Right-click the Barracuda NG Firewall and select Update Now.

'Authentication Failed' message when logging into a Barracuda NG Firewall


If you receive an 'Authentication Failed' message when you log directly into a Barracuda NG Firewall from the Control > Status Map page, you
might need to change the root password. To change the root password for a Barracuda NG Firewall, click the CONFIGURATION tab. In the
Config Tree, navigate to the Barracuda NG Firewall, expand the box, and double-click Administrative Settings. In the Root Password section,
change the root password. If the root password is linked from a repository, you must change the password in the repository object.

You have locked yourself out of the managed NG Firewalls after changing the CC IP addresses or certificates
Authentication Levels for Control Center - Box Communication

Since the Barracuda NG Admin uses the same communication protocol as the NG Control Center, this setting applies to any Barracuda
NG Admin-based login attempt with the user master.
As stated above, the Control Center-box trust relationship is governed by private/public key technology. Thus, in a working environment, the NG
Control Center knows its boxes, and the boxes recognize the NG Control Center as their one and only authority. The default level of
authentication is that a box and its NG Control Center identify themselves by their keys and IP addresses. This means that the Control Center
does not send any configuration data to untrusted boxes, and no box accepts data from an untrusted source. If, however, the Barracuda NG
Control Center does not have a valid license (and, therefore, no certificate) or major migrations are made, it might be necessary to reduce the
authentication level for a short period to establish a new trust relationship. Depending on which component is the untrusted one, this has to be
done either on the Barracuda NG Control Center (Control > Configuration Updates > Untrusted Update checkbox selected) or on the box itself
to make the unit accept the incoming data.
Setting (Level) Meaning and effect
No Authentication (-1) Anything goes. The system allows any attempt to send or retrieve configuration data. Use only if necessary and change back as soon as possible.
Check IP address or key Login is accepted if either the IP address check or the key challenge is successful. (still quite insecure)
Check IP address Login is accepted if the demanded IP address is at hand. (still quite insecure)
Check key Login is accepted if the key challenge is successful.
Check IP address and key This is the default setting and should remain as such if there is no need to lower the security level temporarily.

Admin The name of the administrator who made changes for the configuration version.
Peer The IP address of the administrator who made changes for the configuration version. If the same IP address is entered multiple times within a firewall rule, the RCS Report window may display incorrect change history even if the change was correctly deployed.

Monitoring and Reporting


You can right-click the RCS Report columns and select any of the following options to modify the column view or print the report:
Details Opens the RCS Report Detail window, which displays the column information in a more readable format (recommended for
multi-line entries).
Expand and Expand All Expands a selected node or all nodes.
Collapse and Collapse (All) Collapses a selected node or all nodes.
Print (Visible Only, Landscape/Portrait) Prints the report as it is currently displayed. You can print the report in landscape or portrait orientation. Landscape is recommended.
Print (All, Landscape/Portrait) Prints all the information in the report. You can print the report in landscape or portrait orientation.
Landscape is recommended.
The toolbar on the bottom of the RCS Report window offers the following functionalities:
Search String In this empty field, you can enter the string you want to search for. Wildcards are not supported.
<< Find / Find >> Navigate up and down the report to find the specified search string.
Import / Export Exports the report into a *.prp file for archiving purposes or imports an archived prp file.
<< Prev / Next >> Navigate between the selected configuration versions.

Revert an RCS Version


With RCS, you can revert a configuration page to a previous version. You cannot retrieve RCS versions for VPN settings.
1. On the configuration page, click RCS and select Retrieve versions.
2. In the RCS Versions window, select the required configuration version and click Choose. The configuration page header displays the
selected version.
3. Click RCS and select Accept Version.
4. In the window that opens with a message asking if you want to accept and activate the selected version, click Yes.
5. Click Send Changes and Activate.

Logs

The Barracuda NG Firewall generates log events for system processes on the box layer and, if present, for the virtual server layer and each
configured service. To limit the size of a single log file, the Barracuda NG Firewall creates a new log file for each service every four hours. All log
files are stored in plain text in the system's /var/phion/logs directory and can be viewed and filtered conveniently with the log viewer in the
Barracuda NG Admin application. For information on how to view and filter log file entries, see the LOGS Tab.
The /var/phion/logcache directory contains the Log Access Files (*.laf) for internal log file processing only. These are BDB (Berkeley DB)
files that are suitable for fast access to large log files. Intervention via the command line is generally not recommended. To view the contents of
the .laf files, use the showbdb utility.

DO NOT write, rename or put any files into this directory. Editing the contents of this directory may cause logs to be displayed
incorrectly.

SSH Proxy
<S1>\<SSH>\<SSH> Displays log files created by the SSH Proxy service, providing information about SSH configuration and processes, including target access details etc.
<S1>\<SSH>\sshd Displays informational log files about SSH Proxy sessions, providing traffic-related details such as server listening ports and IP addresses.
Secure Web Proxy
<S1>\<S-PROXY> Displays log files created by the Secure Web Proxy and informs about web filtering processes and actions, such as allowing and denying URL requests if configured.
Access Control Service
<S1>\<Access Control>\<SSH> Provides log files created by the Access Control service and shows information about access control policy processing and monitored actions and registry checks according to the configured log level.

How to Enable the Firewall Audit Log Service


The Barracuda NG Firewall generates Audit Log entries for both local and forwarding traffic. The Firewall Audit Info viewer is accessible by
selecting the Firewall tab and clicking the Audit Log icon in the ribbon bar. The local Audit Info viewer is available on every Barracuda NG
Firewall generating a Firewall Audit logfile.
Enable Audit Logs

Activate the generation of Firewall Audit data:


1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > General Firewall Configuration.
2. In the left menu, select Audit and Reporting.
3. Expand the Configuration Mode menu and select Switch to Advanced View.
4. Click Lock.
5. In the Log Policy section, enable Generate Audit Log.
6. Click Set next to Audit Log Data.
7. Select Regular Logfile from the Audit Delivery drop-down.
8. Click OK.
9. Click Send Changes and Activate.

Firewall Audit data is stored locally by default, but may be forwarded to the Barracuda NG Control Center or to a dedicated Barracuda NG Firewall running the Firewall Audit Log service for central audit log file collection. For more information, see FW Audit.

How to Configure Syslog Streaming


The syslog streaming configuration defines the handling of log files. Log messages of managed NG Firewalls can be transmitted to the NG
Control Center Syslog service, but they can just as well be transmitted to any other system designed for log file collection or to another Barracuda
NG Firewall.

In this article:
Enable the Syslog Service
Configure Logdata Filters
User Defined Log Groups
List of Available Box Module Names
List of Available CC-managed Box Modules
List of Available Single Box Module Names
List of Available Control Center-Module Names (CC Box)
List of Available Reporter Module Names (Reporter Box)
Configure Logstream Destinations
SSL Encapsulation
Log Data Tagging
Configure Logdata Streams

Enable the Syslog Service

Enable the Barracuda NG Firewall to stream log files to external syslog devices like the Barracuda NG Control Center or a 3rd party syslog server. When using SSL for log file streaming, export the certificate and key for SSL based authentication.
1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
2. Click Lock.
3. Enable the Syslog service.
4. When using SSL for log file streaming, you may require a certificate different from the key and certificate by which the box is routinely identified:
a. Select Switch to Advanced View in the left Configuration Mode menu.
b. Disable Use Box Certificate/Key.
c. Export the certificate and key. This certificate needs to be imported on the destination server for SSL based authentication.
5. Click Send Changes and Activate.
Configure Logdata Filters

Define profiles specifying the log file types to be transferred / streamed.


1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
2. In the left menu, select Logdata Filters.
3. Expand the Configuration Mode menu and select Switch to Advanced View.
4. Click Lock.
5. Click the + icon to add a new entry.
6. Enter a descriptive name in the Filters dialog and click OK.
7. In the Data Selection table, add the log files to be streamed. You can select:
Fatal_log Log contents of the fatal log (log instance name: fatal)
Firewall_Audit_Log The log contents of the firewall's machine-readable audit data stream. Whether data is streamed into the Firewall_Audit_Log has to be configured in the General Firewall Configuration settings on box level, section Audit Log Handling > Audit-Delivery: Syslog-Proxy (see: FW Audit). The log instance name corresponding to the selected Syslog-Proxy will be transferred. When Log-File is selected in the firewall's configuration, the data goes into a log file named Box->Firewall->audit (which means the instance is named box_Firewall_audit), so this filter setting is not applicable. The pertinent setting is then a selection of category Firewall within the box selection portion of the filter.
Panic_log Log contents of the panic log (log instance name: panic)
8. In the Affected Box Logdata section, define which box logs are to be handled by the syslog daemon from the Data Selection list.
9. When choosing Selection (default):
a. Click the + icon next to Data Selection to add an entry.
b. Enter a descriptive name for the group and click OK. The Data Selection window opens.
c. Add the Log Groups for selection, or select Other and specify an explicit selection. For more information, see User Defined Log Groups.
d. Set a Log Message Filter. When choosing Selection, add the explicit log type to the Selected Message Types table.
e. Click OK.
10. In the Affected Service Logdata section, define which logs created by services are to be handled by the syslog daemon from the Data Selection list.
11. When choosing Selection (default):
a. Click the + icon next to Data Selection to add an entry.
b. Enter a descriptive name for the group and click OK. The Data Selection window opens.
c. In the Log Groups table, add the server and services whose log messages are streamed, or select Other and specify a more granular selection. For more information, see User Defined Log Groups.
d. Set a Log Message Filter. When choosing Selection, add the explicit log type to the Selected Message Types table.
e. Click OK.

Events

Security and Operational Events
All security and operational events are classified according to their severity and notification type. For more information, see Operational Events and Security Events.

Viewing and Managing Events


The event monitor lists all events generated on the Barracuda NG Firewall. Icons and fonts indicate the type and importance of the events on the
list, helping you determine which actions must be taken. You can view event properties, delete events, filter and refresh the list of events. Some
events, such as error events or events that are displayed in black bold text, require acknowledgement. If an event has an alarm, you can also either reset or disable the alarm.
For more information, see the NG Admin Events tab.

Configure Event Settings


The Eventing configuration page in the config tree displays all available event types. From this page, you can assign severity levels and
notifications to each event type, edit all available severity levels, and add or edit notification types. Each notification specifies a server or client action (such as executing a program or sending emails and/or SNMP traps) to be performed by the Barracuda NG Firewall when an assigned event occurs. Server actions are performed by a Barracuda NG Firewall; client actions are performed by the MS Windows client that Barracuda NG Admin is running on.
For more information, see How to Configure Event Settings.

Access Control
Each system access attempt poses a potential security risk. By configuring access control notifications, you can keep track of successful or
unsuccessful system access attempts. Active notifications make it harder for potential intruders to conceal their actions than simple log-file-based accounting does.
For more information, see How to Configure Access Notifications.

Event Propagation
The firewall audit service allows propagating firewall events to a Barracuda NG Control Center. Firewall Audit data is stored locally by default, but
may be forwarded to the Barracuda NG Control Center or to a dedicated Barracuda NG Firewall running the Firewall Audit Log service for central
audit log file collection.

For more information, see How to Enable the Firewall Audit Log Service.

How to Configure Event Settings


Each event is assigned a severity level. The severity defines how urgent or critical an event is. Security events are classified by a severity ID of 1, 2, or 3. Operative events are classified by a severity ID of 6, 7, or 8. You can also configure a server or client action (such as executing a program or sending emails and SNMP traps) to be performed when the event occurs and specify whether a specific event or all events should be
propagated to a Barracuda NG Control Center.
In this article:
Configure Event Settings
Event Settings
Events Tab
Severity Tab
Notification Tab
Basic Tab

Configure Event Settings

1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Eventing.
2. Click Lock.
3. Specify your event settings.
a.
b. To search for a specific event, enter its ID number in the Lookup field at the bottom of the page.

Maintenance

Barracuda Networks offers a multitude of instructions, tools and features to maintain your Barracuda NG Firewall environment:
System reports for support purposes
Update and migration instructions
Command line interface commands and scripts

In this Section
Updating Barracuda NG Firewalls and NG Control Centers
How to Generate a System Report for Barracuda Networks Technical Support
Command-Line Interface
How to Configure Cronjobs
How to Configure the Bootloader
How to Configure Advanced Barracuda OS System Settings
How to Configure SMS Control
Backups and Recovery
IPMI Appliance Management

Updating Barracuda NG Firewalls and NG Control Centers



Depending on whether you are updating a standalone or managed unit with or without high availability, you must complete different update
processes.
Updating a Standalone Barracuda NG Firewall or Barracuda NG Control Center

You can update a standalone Barracuda NG Firewall or Barracuda NG Control Center with Barracuda NG Admin or via SSH on the command
line.
How to Update the Barracuda NG Firewall or NG Control Center using NG Admin
How to Update the Barracuda NG Firewall or Control Center via SSH
Updating a Barracuda NG Firewall or Barracuda NG Control Center in a High Availability Setup

Additional considerations have to be made when updating a Barracuda NG Firewall or Barracuda NG Control Center in a high availability cluster.
For more information, see How to Update High Availability Clusters.
Updating Barracuda NG Firewalls Managed by a Barracuda NG Control Center

A Barracuda NG Control Center can automatically execute updates of the Barracuda NG Firewalls that it manages. The update file is uploaded to
the Barracuda NG Control Center and then distributed by update group. You can choose which units are upgraded and set the time at which the
upgrade is started.
Because all Barracuda NG Firewalls in a cluster must have the same firmware version, you must upgrade all the Barracuda NG
Firewalls in a cluster at the same time. Migrate the cluster configuration after updating the units.
For more information, see How to Update Barracuda NG Control Center Managed Systems.

How to Download Applications, Updates, and Hotfixes


To download updates, hotfixes, or applications for your Barracuda NG Firewall or NG Control Center, use the UPDATES element on the DASHBOARD for standalone NG Firewalls, or download the files directly from Barracuda Cloud Control for NG Control Center and managed NG Firewall updates.
In this article:
Download from the Update DASHBOARD Element
Download Barracuda NG Admin from Barracuda Cloud Control
Download Barracuda NG Install from Barracuda Cloud Control
Download Updates and Hotfixes from Barracuda Cloud Control

Download from the Update DASHBOARD Element

The UPDATES dashboard element shows all available and installed updates, hotfixes and applications for your Barracuda NG Firewall. Click on
the download icon to download the update. Use the FILTER option to quickly find the desired update or hotfix. Click on the file to open the
description.
Available All available updates and hotfixes for this NG Firewall, as well as update notifications for NG Admin, NG Report Creator and Barracuda Network Access Client.
Installed Previously installed updates and hotfixes.

Download Barracuda NG Admin from Barracuda Cloud Control

Always check that you are not using a Barracuda NG Admin that is older than the NG Firewall or NG Control Center firmware. As NG Admin is backward compatible, it is recommended to use the latest version. For example, you can configure any 4.2, 5.0, 5.2, 5.4, 6.0 or 6.1 NG Firewall or NG Control Center with NG Admin 6.1.
1. Log in to Barracuda Cloud Control.
2. Click Support and then click Access downloads for products.
3. Select Barracuda NG Firewall from the list of products.
4. From the Download Category list, select Administration App (NG Admin).
5. In the search results, click the plus sign (+) next to the version of Barracuda NG Admin that you want to download.
6. After the download entry expands, click Download File.

Download Barracuda NG Install from Barracuda Cloud Control

Barracuda NG Install creates the installation USB sticks used to reinstall Barracuda NG Firewall hardware appliances.
1. Log in to Barracuda Cloud Control.
2. Click Support and then click Access downloads for products.
3. Select Barracuda NG Firewall from the list of products.
4. From the Download Category list, select Installation App (NG Install).
5. In the search results, click the plus sign (+) next to the version of Barracuda NG Install that you want to download.
6. After the download entry expands, click Download File.

Download Updates and Hotfixes from Barracuda Cloud Control

From your Barracuda Networks Account, you can download updates and hotfixes for the Barracuda NG Firewall:
Updates Used for upgrades to newer releases.
Patches Up to firmware 5.4, patches for minor releases are available (for example, 5.4.5 to 5.4.6). Starting with 6.0, only update packages are available.
Hotfixes Hotfixes include time critical bug fixes, such as security vulnerabilities.
1. Log in to Barracuda Cloud Control.
2. Click Support and then click Access downloads for products.
3. Select Barracuda NG Firewall from the list of products.
4. If you want to download an update:
a. From the Download Category list, select Update Package.
b. In the search results, click the plus sign (+) next to the update that you want to download.
c. After the download entry expands, click Download File.
5. If you want to download a hotfix or patch:
a. From the Download Category list, select Hotfix / Patch.
b. In the search results, click the plus sign (+) next to the hotfix or patch that you want to download.
c. After the download entry expands, click Download File.

Migrating to 6.1

How to Update the Barracuda NG Firewall or Control Center via SSH


This article provides instructions on how to update a Barracuda NG Firewall or Control Center via SSH.
It can be faster to update a system via SSH, especially for systems that are based on a flash drive or have slower hardware.
To update your system via SSH:
1. Make sure that the /phion0/packages/ directory does not contain any files such as an older minor release or a patch package. The
directory should only contain the kl, os, ph, sa, and tgz subdirectories.
2. Copy the update package or patch into the /phion0/packages/ directory on your NG Firewall or Control Center. The package path and
file name must not contain whitespace characters.
3. In the Barracuda NG Admin SSH client, you can also transfer the file onto the system by changing into the /phion0/packages/ directory
and clicking Send File.
4. Type phionUpdate.
Wait for the update to finish. Depending on your system hardware, the upgrade can take anywhere from 10 minutes (on a fast system) to 60
minutes (on a flash unit). The Barracuda NG Firewall will reboot after the upgrade process.
Do not interrupt the update. During this process, the system boots and disconnects several times. As soon as the system is
successfully updated, the combined major, minor, and build number for the new version is displayed on the console. For example:
Barracuda NG Firewall release 6.0.x-xxx
You can also log back into the system using SSH or Barracuda NG Admin. On the Dashboard page, you can confirm the system
version and status.
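A pre-flight check for steps 1 and 2 above, as an added shell example that is not Barracuda's own tooling: it verifies that the package directory holds only the kl, os, ph, sa and tgz subdirectories plus the single package to install, and that the package name contains no whitespace. The function name and the PKG_DIR override are assumptions; the package file name used in the check is a constructed sample.

```shell
#!/bin/sh
# Added example (not Barracuda's own tooling): pre-flight check before running
# phionUpdate. It enforces the two preconditions from the steps above:
#   - the packages directory holds only the kl, os, ph, sa and tgz subdirectories
#     plus the one package to be installed (no leftover releases or patches)
#   - the package file name contains no whitespace
# PKG_DIR defaults to the documented path; override it to dry-run elsewhere.
PKG_DIR="${PKG_DIR:-/phion0/packages}"

# check_packages_dir DIR PACKAGE
# Returns 0 when DIR is ready for phionUpdate, 1 (with a reason on stderr) otherwise.
check_packages_dir() {
    dir=$1
    pkg=$2
    found_pkg=0

    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }

    # Whitespace in the package name is rejected (tr strips it; a difference means it was there).
    if [ "$(printf '%s' "$pkg" | tr -d '[:space:]')" != "$pkg" ]; then
        echo "package name contains whitespace: '$pkg'" >&2
        return 1
    fi

    # Hidden entries are included: a stray dotfile is still a stray file.
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$entry" ] || continue          # glob pattern that matched nothing
        name=${entry##*/}
        if [ -d "$entry" ]; then
            case "$name" in
                kl|os|ph|sa|tgz) ;;          # expected layout, nothing to do
                *) echo "unexpected subdirectory: $name" >&2; return 1 ;;
            esac
        elif [ "$name" = "$pkg" ]; then
            found_pkg=1
        else
            echo "stale file present: $name (remove older releases or patches first)" >&2
            return 1
        fi
    done

    [ "$found_pkg" -eq 1 ] || { echo "package not found in $dir: $pkg" >&2; return 1; }
    return 0
}

# Stand-alone use: sh preflight.sh update.GWAY.x.y.z-nnn.tgz   (run before typing phionUpdate)
if [ -n "${1:-}" ]; then
    if check_packages_dir "$PKG_DIR" "$1"; then
        echo "ok: $PKG_DIR is ready, you can run phionUpdate"
    else
        exit 1
    fi
fi
```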

How to Update the Barracuda NG Firewall or NG Control Center using NG Admin


If you want to install updates or patches on your Barracuda NG Firewall and NG Control Center, you can use the Install Update feature in NG
Admin.
On slower units with flash-based storage (e.g., Barracuda NG Firewall F10, F100/101), updating via Barracuda NG Admin can take
significantly more time than updating via the command line.
For more information, see How to Update the Barracuda NG Firewall or Control Center via SSH.
Step 1. Download the Update
You can download the update packages from the UPDATES dashboard element, or directly from Barracuda Cloud Control.
Download via Update Element in NG Admin Dashboard

The Update element is disabled by default. Enable the element to see all available updates, hotfixes, and NG Admin updates in the dashboard
element. The update element is not available for managed NG Firewalls.
1. Go to CONFIGURATION > Configuration Tree > Advanced Configuration > Firmware Update.
2. Click Lock.
3. In the Update Notification section, set Enable to yes.
4. (optional) Enter the Check Interval in minutes.
5. Click Send Changes and Activate.
6. Go to the DASHBOARD.
7. In the UPDATES element, locate the update or hotfix.
8. Click the download icon. Your default browser opens and starts to download the update file.

Download from Barracuda Central

Go to Barracuda Cloud Control and download the update or hotfix. For more information, see How to Download Applications, Updates, and
Hotfixes.
Step 2. Updating with NG Admin
1. Go to CONTROL > Box.
2. In the left menu, expand the Operating System section and click Install Update.
3. Select the update file (e.g., update.GWAY.5.4.3-153.tgz).
4. Click Yes to start the update.
5. Wait for the update to finish.
Your unit reboots after the update is finished.

Send Status Message Gets status information for the system (model, serial number, temperature, free RAM, load average, dynamic links status). Send: status <password>
Execute Custom Script Executes a custom bash script that is defined in the Custom Script table. Send: custom <password>

SMS Event Notifications


The following events are associated with SMS control:
Event Description
[135] Resource Limit Pending Less than 50 % of the maximum command value remains.
[136] Resource Limit Exceeded The maximum command counter has been reached or has been exceeded.
[4111] Authentication Failure Warning The ACL does not match.
[4112] Authentication Failure Alert Password authentication failure and/or unsuccessful command match.
[4126] Remote Command Execution Alert Successful authentication and command is accepted.

Backups and Recovery



To back up and restore configurations for the Barracuda NG Firewall or the Barracuda NG Control Center, a Portable Archive (PAR) file
containing all configuration settings is used.
The following items are backed up in PAR files:
Configuration data
Licenses
CC global admin accounts (only on CC)
X.509 certificates from the CC PKI (only on CC)
Revision Control System data (only on CC)
The following items are NOT backed up and must be backed up separately:
Log files of the Barracuda NG Firewall and Control Center (CC)
Statistics Data
Eventing Database
Spamfilter learning database
Mail Gateway queue data

In this Section
How to Back Up and Restore Your Systems
How to Recover the Barracuda NG Firewall with a USB Flash Drive
How to Restore a Configuration on Appliances After an RMA
How to Use Active Recovery Technology (ART)

How to Back Up and Restore Your Systems


To back up and restore your system, you must create a Portable Archive (PAR) file. Barracuda NG Firewalls using firmware 6.0.1 or later can also
create encrypted PCA files to store the system configuration.
File types:
PAR: uncompressed, unencrypted archive file. This is the default option. Restore the configuration via NG Admin, /opt/phion/update/, or a
USB stick when using NG Install.
PGZ: compressed, unencrypted archive file. Can only be created via NG Admin. Restore the configuration via NG Admin or /opt/phion/update.
PCA: encrypted archive file. Barracuda NG Firewall and NG Control Center version 6.0.1 and above. Restore the configuration via NG Admin;
if the password is set to the serial number of the appliance, you can also restore via /opt/phion/update/ or a USB stick when using NG
Install.

In this article:
Standalone Barracuda NG Firewall
Barracuda NG Control Center
Managed Barracuda NG Firewall

Standalone Barracuda NG Firewall

Create a PAR or PCA file to back up and restore the configuration of a standalone Barracuda NG Firewall.
Back Up the Barracuda NG Firewall

1. Go to CONFIGURATION > Configuration Tree.


2. Right-click Box and select Create PAR file. The Save As window opens.
3. Select the archive type:
PAR File (*.par) (default)
Compressed PAR File (*.pgz)
Encrypted PAR File (*.pca)
4. If you selected Encrypted PAR file, the Password window opens.
5. Click Use Serial Number or enter the Password manually.
PCA archives with manual passwords cannot be used to reinstall your Barracuda NG Firewall or NG Control Center via NG
Install or to update the configuration via /opt/phion/update. Decrypt the archive manually for these operations. For more
information, see phionar and conftool.

Restore the Barracuda NG Firewall

1. Go to CONFIGURATION > Configuration Tree.
2. Right-click Box and select Restore from PAR file. Select the required PAR / PGZ / PCA file.
3. If you are using a PCA file, enter the Password and click OK.
4. Click Activate.
5. Go to CONTROL > Box.
6. In the left navigation pane, expand Operating System and click Firmware Restart. Click Yes to confirm that you want to restart the
subsystem.
7. Expand Network and click Activate new network configuration.
8. Select one of the following network configuration activation modes:
a. If the new management IP address and management port are different from the ones currently configured on the appliance, click
Force.
b. If you are continuing to use the same management IP address and management port, click Failsafe.
PAR files can also be created from the CLI. For more information, see How to Create PAR or PCA Files on the Command Line. If the
PAR file should be used for the setup process, copy the PAR file to the USB flash drive that you will use for installation. You can only
copy one PAR file on the USB flash drive. You must name the file as box.par.

Barracuda NG Control Center

Two PAR files are needed to back up your Barracuda NG Control Center: The box layer box.par and the

Back Up the Barracuda NG Control Center Box Layer

To back up the Barracuda NG Control Center you must create a PAR file for the box layer and the archive.par for the Control Center
configuration.
1. Log in to the box layer of the NG Control Center.
2. Go to CONFIGURATION > Configuration Tree.
3. Right-click Box and select Create PAR file. The Save As window opens.
4. Select the archive type:
PAR File (*.par) (default)
Compressed PAR File (*.pgz)
Encrypted PAR File (*.pca)
5. If you selected Encrypted PAR file, the Password window opens.
6. Click Use Serial Number or enter the Password manually.
The box.par file is saved to your local hard drive.
Back Up the Barracuda NG Control Center Configuration

1. Log in to the NG Control Center.
2. Go to CONFIGURATION > Configuration Tree.
3. Right-click the Multi-Range and select Create PAR file. The Save As window opens.
4. Select the archive type:
PAR File (*.par) (default)
Compressed PAR File (*.pgz)
Encrypted PAR File (*.pca)
5. If you selected Encrypted PAR file, the Password window opens.
6. Click Use Serial Number or enter the Password manually.
The archive.par file is saved to your local hard drive.
Restore the Barracuda NG Control Center Box Layer

To restore the Barracuda NG Control Center:


1. Log into the box layer of the NG Control Center.
2. Go to CONFIGURATION > Configuration Tree.
3. Right-click Box and select Restore from PAR file. Select the required PAR / PGZ / PCA file.
4. If you are using a PCA file encrypted with a manual password, enter the Password and click OK.
5. Click Activate.
6. Go to CONTROL > Box.
7. In the left navigation menu, expand Operating System and click Firmware Restart. Click Yes to confirm that you want to restart the
subsystem.
8. Expand Network and click Activate new network configuration.
9. Select one of the following network configuration activation modes:
a. If the new management IP address and management port are different from the ones currently configured on the appliance, click
Force.
b. If you are continuing to use the same management IP address and management port, click Failsafe.
Restore the Barracuda NG Control Center Configuration

1. Log in to the NG Control Center.
2. Go to the CONFIGURATION > Configuration Tree page. If you are prompted with warning messages, click No.
3. Right-click Multi-Range and select Restore from PAR file.
4. Select the required archive.par file.
If you are restoring the configuration of a Barracuda NG Control Center that has been reinstalled after a system crash, you must also
restore the configurations of the appliances that it manages.

Managed Barracuda NG Firewall

To back up and restore the configuration of a Barracuda NG Firewall that is managed by the Barracuda NG Control Center, you must create a
PAR file in the Barracuda NG Control Center and then recover the managed Barracuda NG Firewall directly.
Back Up the Managed Barracuda NG Firewall

1. Log into the Barracuda NG Control Center.
2. Click the CONFIGURATION tab.
3. In the Configuration Tree, navigate to the range and cluster for the Barracuda NG Firewall.
4. Expand Boxes, right-click the Barracuda NG Firewall, and select Create PAR file for box.
5. Select the archive type:
PAR File (*.par) (default)
Compressed PAR File (*.pgz)
Encrypted PAR File (*.pca)
6. If you selected Encrypted PAR file, the Password window opens.
7. If you selected Encrypted PAR file, click Use Serial Number or enter the Password manually.
8. Save the PAR file to your local hard drive.
Restore the Managed Barracuda NG Firewall

1. Log into the Barracuda NG Firewall.


2. Go to the CONFIGURATION > Configuration Tree page.
3. Right-click Box and select Restore from PAR file. Select the PAR or PCA file you previously created for this NG Firewall in the NG
Control Center.
4. If you are using a PCA file encrypted with a manual password, enter the Password and click OK.
5. Click OK to confirm the Emergency Override warning message.
6. Click Activate.
7. Go to the CONTROL > Box page.
8. In the left navigation pane, expand Operating System and click Firmware Restart. Click Yes to confirm that you want to restart the
subsystem.
9. Expand Network and click Activate new network configuration.
10. Select one of the following network configuration activation modes:
a. If the new management IP address and management port are different from the ones currently configured on the appliance, click
Force.
b. If you are continuing to use the same management IP address and management port, click Failsafe.

How to Recover the Barracuda NG Firewall with a USB Flash Drive


To recover the Barracuda NG Firewall, format a USB flash drive and import the Barracuda NG ISO image to the drive. You can also include
PAR/PCA files and hotfixes. If you are including a PCA file, make sure that the password for the PCA file is set to the serial number of your
hardware appliance.
If you include hotfixes, they are installed in alphabetical order after the firmware in the post-install section. A reboot is required after hotfix
installation.
In this article:
Before You Begin
Step 1. Prepare the USB Flash Drive for Installation
Step 2. (Optional) Install Hotfixes
Step 3. Install the Barracuda NG Unit
Before You Begin

Before installing the Barracuda NG Firewall, you must have the following:
Empty USB flash drive that is at least 2 GB.
Barracuda NG Installer application.
Barracuda NG ISO image.
You must install the Visual C++ Redistributable for Visual Studio 2012 on your computer to use Barracuda NG Install.
(optional) PAR or PCA file.
You can download the Barracuda NG Installer and Barracuda NG ISO image from your Barracuda Cloud Control.

Step 1. Prepare the USB Flash Drive for Installation

To format the USB flash drive with the Barracuda NG ISO image and any required PAR file:
1. Insert the USB flash drive into an available USB port on your client.
2. Launch Barracuda NG Installer with administrative privileges.
3. Select Auto Installation USB Flash Drive as the wizard mode.
If you are also installing hotfixes, the Auto Installation USB Flash Drive mode is required.
4. Click Next.
5. From the Write to USB flash drive list, select Yes.
6. From the Save to list, select your USB flash drive.
7. Click Next.
8. Select the Format USB flash drive check box.
9. If you want to install the unit with an existing configuration backup, click Modify in the Installation Mode Settings section and import the
appropriate PAR or PCA file.
You can only use PCA files that were encrypted using the serial number of the appliance as the password. Decrypt the PCA file
if a manual password was used or the serial number does not match the password of the PCA file. For more information, see
phionar and conftool.
10. Click Next.
11. In the Installation Mode Settings section, click Import and import the Barracuda NG ISO image.
12. Click Next. The installation details window opens.
13. Click Finish. The files are written to the USB flash drive.
If a window opens with a message asking you to format the USB flash drive, click Cancel.

14. When the USB Drive Formatted Successfully window opens, click OK. The USB flash drive is now prepared for installation.
Step 2. (Optional) Install Hotfixes

If you also want to install hotfixes:


1. On the formatted USB flash drive, create the following directory:
/appliance/hotfixes
2. In the hotfixes directory, add the hotfixes. It is recommended that you rename the hotfixes with prefixes, such as 01_ and 02_.
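
Two file-layout rules in this chapter are easy to get wrong by hand: the NG Install drive may carry only one PAR file and it must be named box.par (see the note in "Restore the Barracuda NG Firewall" above), and hotfixes under /appliance/hotfixes are applied in alphabetical order. The shell functions below are an added example, not part of Barracuda NG Installer or of this documentation; they assume the prepared drive is mounted at the path passed as the first argument and that the PAR and hotfix files are already on the client. The zero-padded prefix is the point of the example: with plain 1_, 2_, ... 10_ names, 10_ sorts before 2_ and would be installed out of order.

```shell
#!/bin/sh
# Added example (not Barracuda NG Installer's own code): stage recovery files on
# a prepared NG Install USB flash drive. Assumptions: the drive is mounted at the
# path given as the first argument; file names and paths follow the page
# (box.par in the drive root, hotfixes under /appliance/hotfixes).

# Copy one PAR file to the drive root as box.par. The installer accepts exactly
# one PAR file, so refuse if a differently named .par is already on the drive.
stage_par() {
    usb="$1"; par="$2"
    [ -f "$par" ] || { echo "not a file: $par" >&2; return 1; }
    for existing in "$usb"/*.par; do
        [ -e "$existing" ] || continue          # glob matched nothing
        [ "$(basename "$existing")" = "box.par" ] || {
            echo "another PAR file is already on the drive: $existing" >&2
            return 1
        }
    done
    mkdir -p "$usb"
    cp "$par" "$usb/box.par"
}

# Copy hotfixes into /appliance/hotfixes with two-digit, zero-padded prefixes
# in the order given. The installer applies them in alphabetical order, and a
# plain 1_, 2_, ... 10_ scheme would run 10_ before 2_.
stage_hotfixes() {
    usb="$1"; shift
    dest="$usb/appliance/hotfixes"
    mkdir -p "$dest"
    n=0
    for f in "$@"; do
        [ -f "$f" ] || { echo "not a file: $f" >&2; return 1; }
        n=$((n + 1))
        cp "$f" "$dest/$(printf '%02d_%s' "$n" "$(basename "$f")")"
    done
}

# Show the order in which the installer will apply the staged hotfixes
# (byte-wise sort, which is what "alphabetical order" means to the installer).
install_order() {
    for f in "$1"/appliance/hotfixes/*; do
        [ -e "$f" ] && basename "$f"
    done | LC_ALL=C sort
}
```

Run install_order on the drive before unplugging it; the listing is the exact sequence the post-install section will follow, so any misordered hotfix shows up here rather than on the appliance.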
Step 3. Install the Barracuda NG Unit

To install the Barracuda NG unit:


1. Safely remove the USB flash drive from your client.
2. Plug the USB flash drive into your Barracuda NG unit and then power the unit on.
3. The successful installation is indicated by an acoustic signal.
4. Remove the USB flash drive from your Barracuda NG Firewall and reboot the unit.
5. Launch Barracuda NG Admin and log into the Barracuda NG Firewall.
Launch Barracuda NG Admin and log into the Barracuda NG Firewall.

How to Restore a Configuration on Appliances After an RMA


The following article describes how to restore a configuration backup (PAR file) on a Barracuda NG Firewall appliance with another hardware
revision model. This is necessary if your appliance is replaced with a newer revision model of the same product type. E.g.: F400 Rev. A and F400
Rev. B. This typically occurs in RMA cases if your appliance is replaced by Barracuda's hardware refresh program.
In this article:
General
Standalone Units
High Availability Clusters

General

Before you can restore a new Barracuda NG Firewall unit, a configuration backup of the production unit must be created. The backup can then be
used to restore the current configuration on a new hardware unit. For information on how to back up and restore configurations, see Backups and
Recovery. After restoring the configuration on the new NG Firewall unit, the Hardware Model must be adjusted to match the appliance revision of
the new unit. This is necessary because different hardware models typically come with newer network interfaces and thus require appropriate
drivers. If the hardware model is not set correctly, the network modules may not be available after restoring the appliance.
Standalone Units

1. Log into the new Barracuda NG Firewall unit.
2. Restore the configuration backup as described in Backups and Recovery, and activate the new configuration.
3. Go to CONFIGURATION > Configuration Tree > Box > Box Properties > Identification.
4. Click Lock.
5. From the Hardware Model list, select the appropriate model revision.
6. Click Send Changes and Activate.
7. Go to the CONTROL > Box page.
8. In the left navigation pane, expand Network and click Activate new network configuration.
9. Select Force as the activation mode.

High Availability Clusters

SCENARIO 1 - The primary unit is running, and the secondary unit was replaced by a new model.
Step 1: Log into the primary unit, configure the secondary unit, and create a PAR file for restoring the secondary unit.
1. Log into the primary unit.
2. Go to CONFIGURATION > Configuration Tree > HA Box and double-click Box Properties.

3. Click Lock.
4. In the Product and Model section, choose the correct Hardware Model for the replaced unit (secondary) and edit the remaining entries
according to the appliance model.
5. Click Send Changes and Activate.
6. Go to CONFIGURATION > Configuration Tree > HA Box and double-click HA Network.
7. Click Lock.
8. In the Management IP and Network section, set the Management IP of the new HA partner (secondary).
9. Click Send Changes and Activate .
10. On the CONFIGURATION > Configuration Tree page, right-click Box and select Create PAR file for HA box.
Step 2: Restore the secondary unit
1. Log into the secondary unit.
2. On the CONFIGURATION > Configuration Tree page, right-click Box and select Restore from PAR file.
3. Go to the CONTROL > Box page.
4. In the left navigation pane, expand Network and click Activate new network configuration.
5. Select Failsafe as the activation mode.
6. In the left navigation pane, expand Operating System and click Reboot Box.

SCENARIO 2 - The secondary unit is running, and the primary unit was replaced by a new model.
Step 1: Log into the secondary unit, configure the primary unit, and create a PAR file for restoring the primary unit.
1. Log into the secondary unit.
2. Go to CONFIGURATION > Configuration Tree > HA Box and double-click Box Properties.

3. Click Lock.
4. In the Product and Model section, choose the correct Hardware Model for the replaced unit (primary) and edit the remaining entries
according to the appliance model.
5. Click Send Changes and Activate.
6. Go to CONFIGURATION > Configuration Tree > HA Box and double-click HA Network.
7. Click Lock.
8. In the Management IP and Network section, set the Management IP of the new HA partner (primary).
9. Click Send Changes and Activate.
10. From the Config Tree, right-click Box and select Create PAR file for HA box.
Step 2: Restore the primary unit
1. Log into the primary unit.
2. On the CONFIGURATION > Configuration Tree page, right-click Box and select Restore from PAR file.
3. Go to CONTROL > Box.
4. In the left navigation pane, expand Network and click Activate new network configuration.
5. Select Failsafe as the activation mode.
6. In the left navigation pane, expand Operating System and click Reboot Box.

How to Use Active Recovery Technology (ART)


With Active Recovery Technology (ART), you can perform basic system configurations and recovery operations outside the Barracuda OS. From
the ART menu, you can:
Reinstall the Barracuda NG Firewall.
Test the system hardware (CPU, RAM, HDDs).
Retrieve system hardware information.
Start a basic command-line interface.
Change basic system configurations (hostname, management IP address, network routes).
ART is based on a very small Linux system. You can access it via the following methods:
Serial console: The default connection speed for the serial console is 19200 baud.
SSH: Use the SSH client in Barracuda NG Admin or another SSH client.
LCD display: On systems with an LCD display and keypad. Before using the LCD display, deactivate serial access. On the
CONFIGURATION > Administrative Settings page, set Serial Access to no.
When you first boot the Barracuda NG Firewall after installation or firmware update, you cannot access ART for 10 to 45 minutes
(depending on the appliance model) while it generates the system configuration. To see whether the corresponding process (buildarttree) is still
running, refer to the Resources page.
If the process was interrupted by a reboot of the system, it needs to be started manually. Launch the buildarttree script in the /boot/art
directory.
In this article:
Entering the ART Menu
Enter ART After Rebooting the System
Enter ART While the System Boots Up
The ART Menu
Changing the Firmware Version Used by ART
Entering the ART Menu

You can enter the ART menu after you reboot the Barracuda NG Firewall or while the system boots up.
Enter ART After Rebooting the System

1. Go to the CONTROL > Box page.


2. In the left navigation pane, expand Operating System and click Reboot Box.

3. In the Reboot window, select the Reboot into Active Recovery Technology check box and click OK.
To boot the NG Firewall into ART on the Command-Line Interface:
touch /boot/art.lock
reboot

Enter ART While the System Boots Up

1. When the "+++press any key to enter ART+++" message is displayed on the screen, press any key on your keyboard.
2. When prompted, press 1 to enter the ART menu.
You must enter the ART menu as root.

The ART Menu

If you are not using the SSH client in Barracuda NG Admin, make sure that your SSH client correctly forwards all function keys to the
serial console. If you are using PuTTY, enable Xterm R6 support in the PuTTY keyboard settings.
To navigate through the ART menu options, use the arrow and Esc keys. To select options, press the Enter key. You can select any of the
following ART menu options via the serial console. When accessed via SSH, the ART menu additionally features a Reboot option.
Test hard disk drive: Evokes a hard disk check tool. If bad blocks are found, you can only repair the hard disk file system with the
command-line interface.
Test CPU: Performs a load test of all available CPUs.
Get hardware info: Displays all system information that is stored in a hidden partition, such as the serial number, initial installation
date, etc.
Test RAM: Evokes a RAM checking utility. The entire RAM cannot be tested because the ART OS is stored on a part of the RAM.
System recovery: Reinstalls the system with a previously saved system configuration. For systems with a hard disk drive, an
installation *.iso image and PAR file on a dedicated partition of the disk drive are used. Optionally, an *.iso image on a USB flash drive
can also be used. For flash-only systems, a USB flash drive is required.
Configuration reset
Start shell
Reboot: Only available via SSH; use this option instead of Exit to save your configuration changes and reboot the unit.
Exit: Save and exit ART. Will only reboot the unit when accessed via the serial console. When accessed via SSH, use Reboot instead.
Saving and Recovering a System Configuration with ART
It is highly recommended that you save a working configuration of the Barracuda NG Firewall for ART. When you recover the system with ART,
this configuration will be used.
Flash-based systems like the Barracuda NG Firewall F10 and F10x do not have a partition that is dedicated to storing the files required
for recovering the system. For these systems, you must use a USB flash drive to save and recover your system configuration with ART.
On the USB flash drive, save and rename the required PAR file as box.par. Save and rename the required firmware ISO image as
netfence.iso.
Save a System Configuration for ART
1. Log into the Barracuda NG Firewall.
2. Go to the CONTROL > Box page.
3. In the left navigation pane, expand Operating System and click Save Current Config for ART.
Recover a System Configuration with ART
If you did not save a system configuration for ART, the Barracuda NG Firewall will be reinstalled with the default factory settings.
1. Enter the ART menu.
2. Select System recovery.
The Barracuda NG Firewall will be reinstalled with the firmware version that it was shipped with.
Setting Only Basic Configuration Parameters using ART
Use this function with care. Modifying these important basic system configuration parameters is a massive operational modification and
may prevent you from accessing your unit via Barracuda NG Admin and/or SSH.
It is possible to set a few important basic configuration parameters using the ART Basic Configuration menu. To enter this menu, perform the
following steps:
1. At the command line, enter: setip
Note that the command is indeed spelled setip, not setup.
2. An ART screen appears as shown in the figure below. Now, using the arrow keys and Enter, select Basic Configuration.

3. Modify the Hostname, Management IP, Netmask, and/or Default Gateway fields as needed followed by pressing F3 to save the
changed values.
4. Select Reboot to reboot the unit so that the changed values become effective.
Changing the Firmware Version Used by ART

ART always uses the firmware version that is shipped with the Barracuda NG Firewall. After reinstalling your system with a new firmware version,
you must update ART to use the same firmware version. Use the command line via the SSH client in Barracuda NG Admin or another SSH client.
1. At the command line, change to the /art directory. Enter: cd /art
2. Upload the required firmware ISO image to the Barracuda NG Firewall. If you are using the SSH client in Barracuda NG Admin, click
Send File.
3. Rename the uploaded ISO file to netfence.iso, overwriting the existing ISO image. At the command line, enter: mv <your-iso-file>
netfence.iso
4. Change the file permission: enter chmod 755 netfence.iso.
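
Step 3 overwrites the only recovery image ART has; if the upload was truncated or the wrong file was sent, System recovery will later fail with nothing to fall back on. The shell function below is an added example, not part of the Barracuda firmware or its tooling. It performs the same rename and chmod as steps 3 and 4, but first checks that the file carries the ISO 9660 volume descriptor signature and keeps the previous image as netfence.iso.prev until the new one is known to work. It assumes the uploaded file is already on the unit and takes the ART directory as an optional second argument (/art by default, as on the page).

```shell
#!/bin/sh
# Added example, not Barracuda's own script: replace the firmware image that ART
# uses for recovery, with a sanity check before the old image is overwritten.
# Assumptions: the ART directory is /art (as on the page) and the uploaded ISO
# has already been transferred to the unit (e.g. with Send File).
#
# usage: replace_art_iso <uploaded-iso> [art-dir]

# An ISO 9660 image carries the identifier "CD001" at byte offset 32769
# (sector 16, offset 1). Anything that lacks it is not a usable image, so a
# truncated or wrong upload is rejected instead of replacing the known-good
# recovery image.
is_iso9660() {
    [ -s "$1" ] && [ "$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null)" = "CD001" ]
}

replace_art_iso() {
    src="$1"
    art="${2:-/art}"
    target="$art/netfence.iso"

    is_iso9660 "$src" || { echo "refusing: $src is not an ISO 9660 image" >&2; return 1; }

    # keep the previous image until the new one is in place; the page's
    # procedure overwrites it outright, the backup copy is this example's addition
    [ -f "$target" ] && mv "$target" "$target.prev"

    mv "$src" "$target"          # rename to netfence.iso (step 3)
    chmod 755 "$target"          # permission required by step 4
}
```

After a successful System recovery from the new image, netfence.iso.prev can be deleted to free the space; until then it is the only copy of the firmware the unit shipped with.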
Using ART with the Barracuda NG Control Center
You must enable ART before using it with the Barracuda NG Control Center. Go to the CONFIGURATION > Box Properties page. In
the left navigation pane, expand Configuration and click Operational. From the ART Network Activation list, select yes.
For Barracuda NG Firewalls that are managed by the Barracuda NG Control Center, you can initiate remote management tunnels from the ART
menu. You can also access the management IP address, VIP, default route, and remote management tunnel. If the system has an Internet
connection, you can also connect to the management IP address and VIP via SSH.
ART only makes the default route and the route's dynamic network link available. ISDN or 3G links are not available.
