1. Overview - Barracuda Campus
1. Overview
  1.1 Release Notes
    1.1.1 Release Notes 6.1.0
    1.1.2 Release Notes 6.1.1
    1.1.3 Release Notes 6.1.2
  1.2 Deployment
    1.2.1 Hardware
    1.2.2 Virtual Systems (Vx)
      1.2.2.1 How to Deploy a Barracuda NG Vx OVA Image on VMware Hypervisors
      1.2.2.2 How to Deploy a Barracuda NG Vx using Barracuda NG Install on a VMware Hypervisor
      1.2.2.3 How to Deploy the Barracuda NG Vx on a Citrix XenServer
      1.2.2.4 How to Deploy the Barracuda NG Vx on an Opensource Xen Server
      1.2.2.5 How to Deploy the Barracuda NG Vx on KVM
      1.2.2.6 How to Deploy the Barracuda NG Vx on Hyper-V
    1.2.3 Public Cloud Hosting
      1.2.3.1 How to Deploy the Barracuda NG Firewall in Azure via the Preview Portal
      1.2.3.2 How to Deploy the Barracuda NG Firewall in Microsoft Azure
      1.2.3.3 How to Deploy the Barracuda NG Firewall on Microsoft Azure via PowerShell
      1.2.3.4 How to Create an Azure Image from a VHD Disk Image
      1.2.3.5 How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud
      1.2.3.6 How to Deploy the NG Firewall on VMware vCloud Air
  1.3 Getting Started
  1.4 Network
    1.4.1 WAN Connections
      1.4.1.1 How to Configure an ISP with Static IP Addresses
      1.4.1.2 How to Configure an ISP with Dynamic IP Addresses (DHCP)
      1.4.1.3 How to Configure an ISP with xDSL
        1.4.1.3.1 How to Configure an ISP with xDSL using PPPoE
        1.4.1.3.2 How to Configure an ISP with xDSL using PPTP
      1.4.1.4 How to Configure an ISP with UMTS/3G
        1.4.1.4.1 How to Display the Barracuda UMTS Modem IMEI
      1.4.1.5 How to Configure an ISP with ISDN
      1.4.1.6 How to Configure Link Balancing and Failover for Multiple WAN Connections
      1.4.1.7 How to Configure Automatic Failover with Dual DHCP WAN Connections using the Same Remote Gateway
    1.4.2 How to Activate Network Changes
    1.4.3 Routing
      1.4.3.1 How to Add a Direct Attached Route
      1.4.3.2 How to Configure Gateway Routes
      1.4.3.3 How to Configure Source-Based Routes
      1.4.3.4 How to Configure Linux Standard Multipath Routing
    1.4.4 How to Change the Management IP Address
    1.4.5 How to Use IPv6
    1.4.6 How to Make a Barracuda NG Firewall Centrally Manageable Without a Barracuda NG Control Center
    1.4.7 How to Configure VLANs
    1.4.8 How to Add Additional Network Interfaces
    1.4.9 How to Configure Ethernet Bundles
    1.4.10 Advanced Networking in the Azure Cloud
    1.4.11 How to Configure IP Tunneling
    1.4.12 How to Configure User Defined Routes in Azure
  1.5 High Availability
    1.5.1 How to Set Up a High Availability Cluster
    1.5.2 Transparent Failover for an HA Firewall
    1.5.3 Monitoring, Managing, and Rebuilding HA Clusters
    1.5.4 How to Perform a Manual High Availability Failover
    1.5.5 How to Configure a High Availability Cluster in Azure
    1.5.6 How to Configure a High Availability Cluster in Azure via PowerShell
    1.5.7 Mail Gateway Synchronization with HA
  1.6 Licensing
    1.6.1 How to License your Barracuda NG Firewall
      1.6.1.1 How to Activate and License a Standalone Hardware Barracuda NG Appliance
      1.6.1.2 How to Activate and License a Standalone Virtual Barracuda NG Firewall
      1.6.1.3 How to Activate and License a Barracuda NG High Availability Cluster
      1.6.1.4 Azure Licensing
    1.6.2 Protected IP Count Policies
    1.6.3 How to Manually Install License Files
  1.7 Administration
    1.7.1 Managing Access for Administrators
      1.7.1.1 How to Create a New Admin Account
      1.7.1.2 How to Configure Certificate Based Authentication for the Root User
      1.7.1.3 How to Configure System Access for the Service User
      1.7.1.4 How to Enable System Access via Serial Console
      1.7.1.5 How to Change Admin Credentials on Stand-alone NG Firewalls
    1.7.2 How to Change the Root Password and Management ACL
    1.7.3 How to Configure DNS Settings
    1.7.4 How to Configure DNS Interception
    1.7.5 How to Configure Time Server (NTP) Settings
    1.7.6 How to Set Idle Administrative Session Time Limits
    1.7.7 How to Configure Global HTTP Proxy
    1.7.8 How to Configure the System Email Notification Address
    1.7.9 How to Configure SCEP Settings
  1.8 Authentication
    1.8.1 How to Configure MSAD Authentication
    1.8.2 How to Configure MS-CHAP Authentication
    1.8.3 How to Configure LDAP Authentication
      1.8.3.1 How to Configure LDAP Authentication for Mac OS X Directory Services
    1.8.4 How to Configure RADIUS Authentication
    1.8.5 How to Configure TACACS+ Authentication
    1.8.6 How to Configure RSA-ACE SecurID Authentication
    1.8.7 How to Configure MSNT Authentication
    1.8.8 How to Configure Barracuda Web Filter Authentication
    1.8.9 How to Configure WiFi AP Authentication
      1.8.9.1 WiFi AP Authentication Aerohive Configuration
      1.8.9.2 WiFi AP Authentication Ruckus Wireless Configuration
      1.8.9.3 WiFi AP Authentication Aruba Configuration
    1.8.10 How to Configure Kerberos Authentication
    1.8.11 How to Configure Explicit Groups
    1.8.12 How to Configure NGF Local Authentication
    1.8.13 How to Configure MSAD DC Client Authentication
    1.8.14 How to Configure TS Agent Authentication
    1.8.15 How to Configure Additional Authentication Schemes
    1.8.16 How to Configure Authentication Service Timeouts and Logging
  1.9 Virtual Servers and Services
    1.9.1 How to Configure Virtual Servers
    1.9.2 Virtual Server Monitoring
    1.9.3 How to Configure Services
  1.10 NG Firewall Services
    1.10.1 Access Control Service
      1.10.1.1 Configuring Access Control Objects
      1.10.1.2 Configuring Access Control Service Trustzones
    1.10.2 DHCP
      1.10.2.1 How to Configure the DHCP Service
      1.10.2.2 Advanced DHCP Settings
        1.10.2.2.1 How to Configure Advanced DHCP Settings
        1.10.2.2.2 How to Configure DHCP Subnets and Address Pools
        1.10.2.2.3 How to Configure DHCP Option Templates
        1.10.2.2.4 How to Configure DHCP Parameter Templates
        1.10.2.2.5 How to Configure Known Clients
        1.10.2.2.6 How to Configure DHCP Classes
        1.10.2.2.7 How to Configure DHCP with Dynamic DNS
        1.10.2.2.8 How to Activate Text-Based Configuration
        1.10.2.2.9 How to Configure Additional DHCP Options
        1.10.2.2.10 Example - DHCP Configuration for Two Networks
      1.10.2.3 How to Configure the DHCP Relay Agent
      1.10.2.4 How to Configure a DHCP Relay over a VPN Tunnel
    1.10.3 DNS
      1.10.3.1 How to Configure the DNS Service
      1.10.3.2 How to Configure DNS Zones
    1.10.4 Dynamic Routing Protocols (OSPF/RIP/BGP)
      1.10.4.1 How to Install and Configure the OSPF/RIP/BGP Service
      1.10.4.2 How to Configure BGP Router Setup
      1.10.4.3 How to Configure EBGP Multihop Routing
      1.10.4.4 How to Configure BGP for Inbound Link Failover
      1.10.4.5 How to Configure BGP Routing over IPsec VPN
      1.10.4.6 How to Configure BGP Routing over TINA VPN
      1.10.4.7 How to Configure Inbound Load Balancing and Link Failover with BGP
      1.10.4.8 How to Configure OSPF Routers and Areas
      1.10.4.9 How to Configure Network Interfaces for OSPF and RIP
      1.10.4.10 How to Configure Filter Setup for OSPF and RIP
      1.10.4.11 How to Configure OSPF Routing over TINA VPN
      1.10.4.12 How to Enable Debugging for OSPF
      1.10.4.13 How to Configure RIP Router Setup
      1.10.4.14 Example for OSPF and RIP Configuration
    1.10.5 Firewall
      1.10.5.1 Forwarding Firewall
        1.10.5.1.1 Firewall Access Rules
        1.10.5.1.2 Firewall Objects
        1.10.5.1.3 Application Control 2.0
        1.10.5.1.4 How to Configure SSL Interception in the Firewall
        1.10.5.1.5 How to Configure Virus Scanning in the Firewall
        1.10.5.1.6 How to Configure ATD in the Firewall
        1.10.5.1.7 URL Filtering in the Firewall
        1.10.5.1.8 How to Enforce Safe Search in the Firewall
        1.10.5.1.9 How to Enforce YouTube for Schools in the Firewall
        1.10.5.1.10 How to Configure Custom Block Pages
        1.10.5.1.11 Intrusion Prevention System (IPS)
        1.10.5.1.12 Traffic Shaping
        1.10.5.1.13 Bridging
        1.10.5.1.14 Firewall Plugin Modules
        1.10.5.1.15 Firewall Authentication and Guest Access
        1.10.5.1.16 How to Configure ICMP Settings
        1.10.5.1.17 Layer 7 Application Control
        1.10.5.1.18 How to Configure DNS Blacklisting
      1.10.5.2 Host Firewall
        1.10.5.2.1 Default Host Firewall Rules
      1.10.5.3 Firewall Settings
        1.10.5.3.1 Forwarding Firewall Settings
        1.10.5.3.2 General Firewall Configuration
    1.10.6 FTP Gateway
      1.10.6.1 How to Configure the FTP Gateway
      1.10.6.2 How to Configure Authentication and Access Rights
    1.10.7 HTTP Proxy
      1.10.7.1 How to Set Up and Configure the HTTP Proxy
      1.10.7.2 How to Configure Malware Protection in the HTTP Proxy
      1.10.7.3 How to Configure ATD in the HTTP Proxy
      1.10.7.4 How to Configure the Barracuda Web Security Service
      1.10.7.5 How to Configure Web Filtering
      1.10.7.6 How to Configure Neighbor Proxies
      1.10.7.7 How to Set Up a Reverse Proxy
      1.10.7.8 Example - Reverse Proxy for Exchange Services
      1.10.7.9 How to Configure User Authentication and Access Control
    1.10.8 Mail Gateway
      1.10.8.1 Mail Gateway Configuration
        1.10.8.1.1 How to Configure the Mail Gateway Service
        1.10.8.1.2 How to Configure Extended Domains
        1.10.8.1.3 How to Configure POP3 Scanning
        1.10.8.1.4 How to Configure Advanced Mail Gateway Settings
        1.10.8.1.5 How to Configure Antivirus Mail Gateway Integration
        1.10.8.1.6 How to Configure Content Stripping, Grey Listing, and Blacklists
        1.10.8.1.7 How to Configure Mail Gateway Service Limits
        1.10.8.1.8 How to Configure Mail Gateway Reporting
        1.10.8.1.9 How to Configure Custom Mail Gateway Rules
      1.10.8.2 Mail Gateway Operation
        1.10.8.2.1 How to Use the Mail Gateway Interface
        1.10.8.2.2 How to Use the Grey Listing Tab
        1.10.8.2.3 Logs, Statistics, Events
    1.10.9 SSH Proxy
      1.10.9.1 How to Configure the SSH Proxy
      1.10.9.2 How to Configure Permission Profiles
    1.10.10 SIP Proxy
      1.10.10.1 How to Configure the SIP Proxy
      1.10.10.2 How to Configure TLS with SIP Proxy
    1.10.11 Spam Filter
      1.10.11.1 How to Configure Spam Filter Client Settings
      1.10.11.2 How to Configure the Spam Filter Service
      1.10.11.3 How to Improve Spam Filtering
      1.10.11.4 How to Modify the Barracuda RBL Configuration in the SPAM Filter
      1.10.11.5 How to Set Up a Training Environment
      1.10.11.6 Spam Filter Database Archiving and Updating
    1.10.12 URL Filter
      1.10.12.1 Barracuda NG Web Filter
        1.10.12.1.1 How to Configure the URL Filter
      1.10.12.2 Barracuda Web Filter
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.12.2.1 How to Enable the Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.13 Virus Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.13.1 How to Enable the Virus Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.13.1.1 How to Configure Avira Virus Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.13.1.2 How to Configure ClamAV Virus Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.13.2 Advanced Threat Detection (ATD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.13.2.1 How to Manually Upload Files to ATD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.13.3 How to Update Virus Patterns Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.13.4 Virus Scanner Integration in the HTTP Proxy and FTP Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.1 Authentication, Encryption, Transport, and VPN Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2 Client-to-Site VPN . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.1 How to Configure a Client-to-Site Barracuda TINA VPN with Personal Licenses . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.2 How to Configure a Client-to-Site TINA VPN with Client Certificate Authentication . . . . . . . . . . . . . . . . . . . . 1.10.14.2.3 How to Configure a Client-to-Site IPsec VPN with Client Certificate Authentication . . . . . . . . . . . . . . . . . . . . 1.10.14.2.4 How to Configure a Client-to-Site IPsec VPN with PSK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.5 How to Configure a Client-to-Site L2TP/IPsec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.6 How to Configure a Client-to-Site PPTP VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.7 How to Configure an Access Rule for a Client-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.8 How to Configure a Client-to-Site VPN Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.9 How to Configure Android Devices for Client-to-Site IPsec VPN Connections . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.10 How to Configure Apple iOS Devices for Client-to-Site VPN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.11 How to Configure Android Devices for Client-to-Site IPsec VPNs with PSK . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.12 How to Configure Apple iOS Devices for Client-to-Site IPsec VPNs with PSK . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.13 How to Configure VPN Authentication for SMS PASSCODE® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.14 How to Use the Barracuda VPN Client . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.2.15 How to Configure the Azure Connectivity Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3 Site-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.1 Site-to-Site VPN Encryption and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.2 How to Create a TINA VPN Tunnel between Barracuda NG Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.3 How to Create Access Rules for Site-to-Site VPN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.4 Examples for TINA VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.5 TINA Tunnel Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.6 How to Create an IPsec VPN Tunnel between the Barracuda NG Firewall and a pfSense Firewall . . . . . . . 1.10.14.3.7 How to Configure an IPsec Site-to-Site VPN to a Microsoft Azure VPN Gateway . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.8 How to Configure an IPsec VPN to an AWS VPN Gateway with BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.9 IPsec Tunnel Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.10 IPsec Log Messages and Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.11 Traffic Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.12 Dynamic Mesh VPN Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.3.13 WAN Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.4 How to Configure VPN Access via a Dynamic WAN IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5 SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.1 How to Configure the NG SSL VPN Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.2 Mobile Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.3 How to Configure an Outlook Web Access Web Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.4 How to Configure a SharePoint Web Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.5 How to Configure a Generic Web Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690 691 693 695 696 699 700 701 704 707 709 710 711 712 713 715 716 717 718 719 720 722 724 726 727 728 730 731 735 737 741 746 751 757 761 763 764 767 768 770 772 774 778 779 792 793 794 797 798 808 809 815 820 821 825 827 833 843 848 851 853 856 864 865 866 1.10.14.5.6 How to Configure Single Sign On for Web Forwards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.7 How to Activate Dynamic Rules via SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . 1.10.14.5.8 How to Configure VPN Templates in the SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.9 How to Use and Create Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.10 How to Install the Transparent NG SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.11 How to Set Up the Transparent NG SSL VPN Client for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.12 How to Configure an SSH Resource for SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.13 How to Configure a Remote Desktop Resource for SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.14 Example SSL VPN Resource Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.15 NG Firewall Configuration for CudaLaunch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.16 How to Configure NAC for SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.5.17 How to Configure Client Certificate Authentication for the SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.6 How to Set Up VPN Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.14.6.1 How to Configure OCSP Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.15 Wi-Fi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . 1.10.15.1 How to Configure a Wi-Fi Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.15.2 How to Configure Wi-Fi Guest Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10.15.3 How to Configure a RADIUS/EAP Server for WiFi authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11 NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.1 Getting Started - NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.2 Getting Started - NG Control Center without CC Setup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.3 Getting Started - NG Control Center for Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4 Central Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.1 How to Manage Ranges and Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.2 Global Firewall Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.3 How to Add a new Barracuda NG Firewall to the Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.4 How to Import an Existing Barracuda NG Firewall into a NG Control Center . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . 1.11.4.5 How to Configure a Remote Management Tunnel for Barracuda NG Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.6 How to Move, Copy and Delete Barracuda NG Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.7 Licensing on a NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.7.1 How to Manually Install the Licenses for the Barracuda NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.7.2 How to Install and Assign Pool Licenses on a Barracuda NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.7.3 How to Assign and Activate Single Licenses on a Barracuda NG Control Center . . . . . . . . . . . . . . . . . . . . . . 1.11.4.7.4 How to Update or Switch Licenses of Managed NG Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.8 How to Update Barracuda NG Control Center Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.8.1 How to Prepare Repository Linked Box Configurations for Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.9 How to Update the IPS Security Database on the NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.4.10 Repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.5 Barracuda NG Control Center Admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.5.1 How to Configure Administrative Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
1.11.5.2 How to Configure Administrative Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.5.3 How to Configure Administrator Workspaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.5.4 How to Configure System Access for Root Aliases on CC-Managed Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.5.5 How to Change Control Center Credentials for Non-Root Admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.6 GTI Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.6.1 How to Configure VPN GTI Settings for a VPN Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.6.2 How to Create a VPN Tunnel with the VPN GTI Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.6.3 How to Add an External VPN Server to the GTI Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.6.4 How to Configure Traffic Intelligence Using the VPN GTI Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.6.5 How to Configure a Dynamic Mesh VPN with the GTI Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.7 Revision Control System (RCS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.7.1 How to View and Revert RCS Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.8 Barracuda NG Control Center Statistics . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.8.1 How to Configure Statistics Processing and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.8.2 How to Configure Statistics Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.8.3 How to Configure the Statistics Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.8.4 How to Monitor and Recover Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.9 Control Center Syslog Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.9.1 How to Configure the CC Syslog Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.9.2 Example - Configure a Syslog Proxy and CC Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.9.3 Log File Structure and Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.10 Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.10.1 Distributed Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.10.1.1 How to Configure a Distributed Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.10.2 How to Configure a Shared Service . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867 872 873 882 883 885 887 888 889 892 893 895 898 899 900 901 903 908 909 911 918 920 923 925 928 929 930 932 938 939 941 942 943 944 946 949 950 952 954 955 961 963 967 968 970 971 972 975 976 979 990 992 994 996 999 1000 1001 1003 1007 1016 1020 1024 1025 1029 1031 1.11.11 FW Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.12 CC Eventing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.12.1 How to Configure Event Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.12.2 Control Center Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.12.2.1 Operational Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.12.2.2 Security Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.12.3 How to Delete the Event Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.13 Control Center PKI Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.13.1 How to Configure PKI Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.13.2 How to Configure the PKI Service . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.13.3 PKI Certificate Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.14 Barracuda NG Earth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.14.1 How to Set Up Barracuda NG Earth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.15 Control Center CC Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11.16 NG Control Center Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12 Best Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.1 Best Practice - Web Filtering Features in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.2 Best Practice - Azure Public Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.3 Best Practice - Switch to a Static Internal IP Address in Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.4 Best Practice - How to Handle Incorrect Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.5 Best Practice - Small Barracuda NG Firewall Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . 1.12.6 Best Practice - How to Protect Against DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.7 Best Practice - High Performance Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.8 Best Practice - Performance Tuning on VMware Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.9 Best Practice - Performance Tuning on KVM Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.10 Best Practice - Changing the VIP Address of a Centrally Managed NG Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.11 Best Practice - Migrate the NG Control Center to a New Network Segment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.12 Best Practice - Service Dependencies and Multiple Services of the Same Type on one Virtual Server . . . . . . . . . . . . . . 1.12.13 Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.14 Best Practice - Network Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.15 Best Practice - Core System Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12.16 Best Practice - Evaluate or Demo the Barracuda NG Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.13 Implementation Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
1.13.1 Implementation Guide - VPN Network with Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14 Monitoring and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.1 How to Configure Audit & Reporting with IPFIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.2 How to Configure Box-Level Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.3 How to Configure CPU Load, Hardware and Disk Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.4 How to Configure the SNMP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.5 PHION-MIB Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.6 How to Configure Revision Control System Monitoring (RCS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.7 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.7.1 Log File Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.7.2 Available Log Files and Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.7.3 How to Enable the Firewall Audit Log Service . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.7.4 How to Configure Syslog Streaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.7.5 Log Files: FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.8 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.8.1 How to Configure Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.9 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.9.1 How to Configure Event Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.9.2 How to Configure Access Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.9.3 How to Configure Audit and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.9.4 Logging of Clock Skew Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.10 Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14.10.1 How to Configure the Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . 1.14.11 Splunk Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.15 Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.15.1 Updating Barracuda NG Firewalls and NG Control Centers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.15.1.1 How to Download Applications, Updates, and Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.15.1.2 Migrating to 6.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.15.1.3 How to Update High Availability Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.15.1.4 How to Update the Barracuda NG Firewall or Control Center via SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.15.1.5 How to Update the Barracuda NG Firewall or NG Control Center using NG Admin . . . . . . . . . . . . . . . . . . . . . . . . . . 1.15.2 How to Generate a System Report for Barracuda Networks Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032 1035 1036 1037 1038 1050 1062 1063 1064 1067 1068 1071 1073 1075 1076 1078 1079 1081 1085 1088 1089 1090 1092 1093 1095 1096 1098 1099 1100 1103 1107 1108 1109 1110 1126 1128 1131 1132 1133 1136 1157 1161 1163 1165 1174 1175 1179 1180 1182 1183 1184 1187 1188 1190 1193 1196 1197 1204 1205 1207 1209 1210 1212 1213 1216 1.15.3 Command-Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
1.15.3.1 acpfctrl
1.15.3.2 admintcpdump
1.15.3.3 Configuration Files and Tree
1.15.3.4 conftool
1.15.3.5 Dynamic Network Start and Stop Scripts
1.15.3.6 How to Create PAR or PCA Files on the Command Line
1.15.3.7 ktinactrl
1.15.3.8 Linux Networking Commands
1.15.3.9 mailclt
1.15.3.10 Maintaining Recipient Databases
1.15.3.11 phibstest
1.15.3.12 phion
1.15.3.13 phionar and conftool
1.15.3.14 phionctrl
1.15.3.15 phionrcscleanup
1.15.3.16 showbdb
1.15.3.17 statcheck
1.15.3.18 vpnadminclt
1.15.3.19 How to Perform a Release Check
1.15.3.20 How to Configure SSH
1.15.3.21 CLI Commands for Barracuda 3G USB Modems
1.15.3.22 Basic Linux Command Line Interface Guide
1.15.4 How to Configure Cronjobs
1.15.5 How to Configure the Bootloader
1.15.6 How to Configure Advanced Barracuda OS System Settings
1.15.7 How to Configure SMS Control
1.15.8 Backups and Recovery
1.15.8.1 How to Back Up and Restore Your Systems
1.15.8.2 How to Recover the Barracuda NG Firewall with a USB Flash Drive
1.15.8.3 How to Restore a Configuration on Appliances After an RMA
1.15.8.4 How to Use Active Recovery Technology (ART)
1.15.9 IPMI Appliance Management
1.16 Management Tools and Apps
1.16.1 Barracuda NG Admin
1.16.1.1 NG Admin Settings
1.16.1.2 DASHBOARD Tab
1.16.1.2.1 DASHBOARD General Page
1.16.1.2.2 DASHBOARD Firewall Page
1.16.1.2.3 DASHBOARD VPN Page
1.16.1.3 CONFIGURATION Tab
1.16.1.3.1 Firewall Rule List Interface and Icons
1.16.1.3.2 Configuration Pages - Access and Controls
1.16.1.4 CONTROL Tab
1.16.1.4.1 Server Page
1.16.1.4.2 Network Page
1.16.1.4.3 Resources Page
1.16.1.4.4 Licenses Page
1.16.1.4.5 Box Page
1.16.1.4.6 Sessions Page
1.16.1.5 FIREWALL Tab
1.16.1.5.1 Monitor Page
1.16.1.5.2 Live Page
1.16.1.5.3 History Page
1.16.1.5.4 Threat Scan Page
1.16.1.5.5 ATD Page
1.16.1.5.6 Audit Log Page
1.16.1.5.7 Trace Page
1.16.1.5.8 Shaping Page
1.16.1.5.9 Users Page
1.16.1.5.10 Dynamic Page
1.16.1.5.11 Host and Forwarding Rules Page
1.16.1.6 WIFI Tab
1.16.1.7 VPN Tab
1.16.1.8 PROXY Tab
1.16.1.9 LOGS Tab
1.16.1.10 STATISTICS Tab
1.16.1.11 SSH Tab
1.16.1.12 EVENTS Tab
1.16.1.13 DHCP Tab
1.16.1.14 CC CONTROL Tab
1.16.1.14.1 CC Status Map Page
1.16.1.14.2 CC Geo Maps Page
1.16.1.14.3 CC Configuration Updates Page
1.16.1.14.4 CC File Updates Page
1.16.1.14.5 CC Sessions Page
1.16.1.14.6 CC Barracuda Activation Page
1.16.1.14.7 CC Floating Licenses
1.16.1.14.8 CC Statistics Collection Page
1.16.1.14.9 CC Remote Execution Page
1.16.1.14.10 CC Scanner Versions Page
1.16.1.14.11 CC Firmware Update Page
1.16.1.14.12 CC Update Tasks Page
1.16.1.15 CC CONFIGURATION Tab
1.16.1.16 CC ADMINS Tab
1.16.1.17 CC DATABASE Tab
1.16.1.18 CC Configuration Updates
1.16.1.19 CC VPN GTI Editor User Interface
1.16.1.20 CC FWAUDIT Tab
1.16.2 Barracuda Report Creator
1.16.2.1 How to Create Custom Reports
1.16.3 Barracuda NG Firewall Remote
1.16.4 CudaLaunch
1.16.4.1 How to Configure CudaLaunch with Client Certificate Authentication
1.16.4.2 Using the CudaLaunch VPN Connections for Native Apps
1.17 Hardware Models
1.17.1 Barracuda NG Firewall F10 Revision A
1.17.2 Barracuda NG Firewall F10 Revision B
1.17.3 Barracuda NG Firewall F18 Revision A
1.17.4 Barracuda NG Firewall F80 Revision A
1.17.5 Barracuda NG Firewall F100 / F101 Revision A
1.17.6 Barracuda NG Firewall F100 / F101 Revision B
1.17.7 Barracuda NG Firewall F180 Revision A
1.17.8 Barracuda NG Firewall F200 / F201 Revision A
1.17.9 Barracuda NG Firewall F200 / F201 Revision B
1.17.10 Barracuda NG Firewall F200 / F201 Revision C
1.17.11 Barracuda NG Firewall F280 Revision A
1.17.12 Barracuda NG Firewall F280 Revision B
1.17.13 Barracuda NG Firewall F300 / F301 Revision A
1.17.14 Barracuda NG Firewall F300 / F301 Revision B
1.17.15 Barracuda NG Firewall F380 Revision A
1.17.16 Barracuda NG Firewall F400 Revision A
1.17.17 Barracuda NG Firewall F400 Revision B
1.17.18 Barracuda NG Firewall F600 Revision B
1.17.19 Barracuda NG Firewall F600 Revision C
1.17.20 Barracuda NG Firewall F800 Revision A
1.17.21 Barracuda NG Firewall F800 Revision B
1.17.22 Barracuda NG Firewall F900 Revision A
1.17.23 Barracuda NG Firewall F1000 Revision A
1.17.24 Barracuda NG Control Center C400
1.17.25 Barracuda NG Control Center C610
1.17.26 Barracuda Network Modules

Barracuda NG Firewall 6.1 Administrator's Guide - Page 9

Overview

The Barracuda NG Firewall is a family of hardware and virtual appliances designed to protect your network infrastructure. On top of industry-leading centralized management, highly resilient VPN technology combined with intelligent traffic management capabilities allow the customer to save line costs and increase overall network availability.

Barracuda NG Firewall

The Barracuda NG Firewall is an enterprise-grade, next-generation firewall that was purpose-built for efficient deployment and operation within dispersed, highly dynamic, and security-critical network environments.
In addition to next-generation firewall protection, it provides industry-leading operations efficiency and added business value by safeguarding network traffic against line outages and link quality degradation. User identity and application awareness are used to select the best network path, traffic priority, and available bandwidth for business-critical traffic. The Barracuda NG Firewall can transparently move traffic to alternative lines to keep traffic flowing.

Barracuda NG Control Center

All policies, client, and device settings can be centrally managed and tracked by the Barracuda NG Control Center. This allows the Barracuda NG Firewall to meet enterprise requirements of massive scalability, efficient configuration, and life cycle and license management across dispersed networks, while at the same time offering performance guarantees for business-critical applications. The concept of integrated WAN optimization coupled with industry-leading centralized management results in significantly lower overall operational costs for multi-site deployments.

Platform Flexibility

The Barracuda NG offers hardware and virtual models in various sizes, from branch offices up to headquarters and data centers. Virtual NG Firewall and NG Control Center can run on a wide range of hypervisors, effortlessly integrating with your existing network and server infrastructure. The Barracuda NG Firewall is designed for deployment across the entire enterprise, including environments using Microsoft Azure and Amazon AWS public clouds.

First Steps with the Barracuda NG Firewall and NG Control Center

Follow the deployment and getting started guides to get your NG Firewall and NG Control Center up and running:
Deployment – Deployment for hardware, virtual and public cloud NG Firewalls and NG Control Centers
Getting Started – Follow this guide to get your NG Firewall or NG Control Center integrated in your existing network.

Copyright © 2015, Barracuda Networks Inc.
Release Notes

Before installing or upgrading to the new firmware version, back up your configuration and read the release and migration notes. If you are updating from a version earlier than 6.0.x, all migration instructions for 5.x and 6.0 also apply.

Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes, depending on your current firmware version and other system factors. If the process takes longer, please contact Barracuda Networks Technical Support for further assistance.

In these Release Notes:
General
GPL Compliance Statement
Hotfixes Included with Barracuda NG Firewall Version 6.1.3
Improvements Included in Barracuda NG Firewall Version 6.1.3
Known Issues

General

If you want to update an existing system:
When updating from an earlier version to 6.1, the following update path applies: 4.2 > 5.0 > 5.2 > 5.4 > 6.0 > 6.1.
Barracuda NG Firewall F100 and F101 models using the ClamAV Virus Scanner may not have enough free disk space for updating. For more information, see Migrating to 6.1.
Do not upgrade Barracuda NG Firewalls or NG Control Centers using Xen HVM images to 6.1.0. For more information, see Migrating to 6.1.

GPL Compliance Statement

This product is in part Linux-based and contains both Barracuda Networks proprietary software components and open source components in modified and unmodified form. Some of the open source components included are subject to the GPL, the LGPL, or other similar licenses, which require all modified or unmodified source code to be made freely available to the public. This source code is available at http://source.barracuda.com.

Hotfixes Included with Barracuda NG Firewall Version 6.1.3

Hotfix 736: DNS Server
Hotfix 731: Dynamic Routing
Hotfix 727: VPN Configurations in CudaLaunch
Hotfix 724: Firewall
Hotfix 722: Boxconfig

Improvements Included in Barracuda NG Firewall Version 6.1.3

Barracuda NG Admin
NG Admin now works as expected for Windows usernames in all languages. (BNNGF-34773)
The Firewall Audit user interface now also processes and displays purged data that was moved to a custom directory. (BNNGF-23820)
External VPN servers are now listed in the GTI Editor service list. (BNNGF-26754)
FAN rpm values are now displayed as whole numbers. (BNNGF-35773)
On the VPN > Client to Site page, you can now enable a CN Name column to show the CN Name of the client certificate. (BNNGF-29310)
Input validation for DKIM records has been updated to allow periods in FQDNs. (BNNGF-27546)
On stand-alone NG Firewalls, the HTTP Proxy tab is now accessible for all admins with the necessary permissions. (BNNGF-22710)
On stand-alone NG Firewalls, the ATD tab is now accessible for all admins with the necessary permissions. (BNNGF-35888)
Entering multiple comma-separated DNS Server IP addresses in the client-to-site template now works as expected. (BNNGF-35864)

Barracuda OS
Updated BIND to version 9.9.8P2 to fix security vulnerability CVE-2015-8000. (BNNGF-35608)
Updated libuser to fix the following security vulnerabilities: CVE-2015-3245 and CVE-2015-3246. (BNNGF-32316)
Updated NTP to fix several security vulnerabilities. (BNNGF-35032)
Improved the log message of the model-specific performance script to: Applying model-specific performance settings

Firewall
SSL Interception domain exceptions now work as expected. (BNNGF-31886)
Increased the default size of certificates generated by SSL Interception to 2048 for non-export-restricted firewalls. (BNNGF-33024)
Logging for ICMP connections now works as expected. (BNNGF-28753)
ICMP replies without ECHO that are sent to the management IP address are now dropped. (BNNGF-28557)
Traffic Shaping now works as expected for synced sessions after an HA failover. (BNNGF-28870)
If Log Session State Changed is enabled for an access rule matching an ICMP echo request to the management IP address, the request is now logged as expected to the firewall log. Blocked ICMP packets are no longer logged twice if Log ICMP Packets is set to Log-All. (BNNGF-30357)
The client-to-site Group Policy configuration now displays correctly when the screen resolution is set to medium-125%. (BNNGF-35150)
Application Control now works as expected for SSL-encrypted connections when SSL Interception is disabled. (BNNGF-34855)

OSPF/RIP/BGP
The OSPF service can now listen correctly on interfaces that were down when the service started. (BNNGF-35732)

NG Control Center
The Create Box wizard now configures Wi-Fi correctly for the Barracuda NextGen Firewall F280b, F180, and F80. (BNNGF-35348)

HTTP Proxy
Activating configuration changes no longer causes the HTTP Proxy to fail in rare cases. (BNNGF-25238)
Flushing selected proxy cache entries now works as expected. (BNNGF-23118)

VPN
Added an option to bind dynamic tunnels to an explicit IP address. (BNNGF-34544)

Azure
Changing the password of the NG Firewall VM via the Azure web interface now works as expected. (BNNGF-33675)

SSL VPN
VPN profiles are now imported correctly. (BNNGS-1596)
Updated certificates used for provisioning resources. (BNNGS-1505)

Known Issues

6.1.3
HA session sync between NG Firewalls using firmware 6.1.3 and 6.2.0 does not work.

Miscellaneous
NG Control Center: Network > Azure Advanced Networking is displayed in a 6.1 cluster even if the managed NG Firewall is running version 6.1.1 or 6.1.0, which do not support this feature.
HTTP Proxy: Custom block pages do not work for the HTTP Proxy when it runs on the same NG Firewall as the Firewall service. This issue does not occur when the HTTP Proxy service runs on a second NG Firewall behind the NG Firewall running the Firewall service.
SSL VPN: Favorites are not included in the PAR file.
SSL VPN: Text fields do not accept the # character.
SSL VPN: The mobile navigation bar is missing from servers entered in the Allowed Hosts.
SSL VPN: User Attributes do not support UTF-8.
SSL VPN: The allowed host filter path must be unique.
Safe Search: In some cases, YouTube safety mode does not work when logged in with a Google account.
Safe Search: If Safe Search is enabled, it is not possible to log into YouTube when cookies are disabled.
Safe Search: Safe Search is not enforced by Bing when using HTTP.
VPN Routing: When a route duplicating an existing VPN route in the main routing table is announced to the NG Firewall via RIP, OSPF, or BGP, a duplicate routing entry is created and the route that was added last is used.
VPN Routing: Creating a direct or gateway route with the same metric and destination as a VPN route in the main routing table results in duplicate routes. The route added last is used.
HTTP Proxy: The Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
ATD: Only the first URL in the Quarantine tab that leads to a quarantine entry is displayed, even if the user and/or IP address downloaded more than one infected file. This can be dangerous if the first downloaded file is a false positive.
Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning are enabled in the matching access rule.
Firewall: Using SSL Interception in combination with URL Filtering and category exemptions may result in degraded performance.
NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
Barracuda OS: The Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
Terminal Server Agent: It is not currently possible to assign connections to Windows network shares to the actual user.
Firmware Update: Log messages similar to "WARNING: /lib/modules/2.6.38.7-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hw" may appear while updating, but can be ignored.
Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
Application Control 2.0 and Virus Scanning: Data Trickling is done only while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
Application Control 2.0 and Virus Scanning: It is not currently possible to perform virus scanning for chunked transfer encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, a small amount of traffic may already have passed through the firewall.
Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports "The archive couldn't be scanned completely." Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
Barracuda OS: Restoring units in default configuration with par files created on an NG Control Center may result in a corrupt virtual server. Instead, copy the par file to opt/phion/update/box.par and reboot the unit. VPN: Rekeying does not currently work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated. High Availability: IPv6 network sessions might not be established correctly after an HA failover. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 13 Release Notes 6.1.0 Before installing or upgrading to the new firmware version, back up your configuration and read the release and migration notes. If you are updating from a version earlier than 6.0.x all migration instructions for 5.x and 6.0 also apply. Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes, depending on your current firmware version and other system factors. If the process takes longer, please contact Barracuda Networks Technical Support for further assistance. In these Release Notes: General GPL Compliance Statement Hotfixes Included with Barracuda NG Firewall Version 6.1 What´s New in Barracuda NG Firewall Version 6.1 Improvements Included in Barracuda NG Firewall Version 6.1 Known Issues General If you want to update an existing system: When updating from an earlier version to 6.1, the following update path applies: 4.2 > 5.0 > 5.2 > 5.4 > 6.0 > 6.1. Barracuda NG Firewall F100 and F101 models using the ClamAV Virus Scanner may not have enough free disk space for updating. For more information, see Migrating to 6.1. Do not upgrade Barracuda NG Firewalls or NG Control Centers using Xen HVM images to 6.1.0. For more information, see Migrating to 6.1. 
GPL Compliance Statement

This product is in part Linux-based and contains both Barracuda Networks proprietary software components and open source components in modified and unmodified form. Some of the open source components included underlie either the GPL or LGPL, or other similar licensing, which requires all modified or unmodified source code to be made freely available to the public. This source code is available at http://source.barracuda.com.

Hotfixes Included with Barracuda NG Firewall Version 6.1
- Hotfix 663: Security Fix for GHOST Vulnerability
- Hotfix 678: Barracuda URLfilter Service Timeouts
- Hotfix 679: BGP Fixes
- Hotfix 670: HTTP/HTTPS Stability and Performance Improvements and AV Performance on Barracuda NG Firewall F100/F101.

What's New in Barracuda NG Firewall Version 6.1

Dynamic Mesh VPN
A Dynamic Mesh VPN network allows you to use the advantages of a fully meshed network without having to provide the resources needed for the large number of static VPN tunnels on every unit. Dynamic tunnels between remote Barracuda NG Firewalls are triggered when traffic is relayed by the VPN hub. If the dynamic tunnel is idle, it is automatically terminated. This whole process is completely transparent to the user. For more information, see Dynamic Mesh VPN Networks.

Add VPN Routes to Main Routing Table
You can now configure the VPN service to add the VPN routes to the main routing table. For more information, see Authentication, Encryption, Transport, and VPN Routing.

Enforcing Safe Search in the Firewall
Protect users behind a Barracuda NG Firewall from undesired content in search results by enabling Safe Search for the access rules handling web traffic. No configuration is required on the clients. The necessary parameters are automatically appended to the URL when the request is forwarded by the Barracuda NG Firewall. Safe Search is supported for Google, Bing, and Yahoo search engines. For more information, see How to Enforce Safe Search in the Firewall.

Enforcing YouTube for Schools in the Firewall
The Barracuda NG Firewall can transparently add YouTube for Schools restrictions to all connections the Barracuda NG Firewall forwards to YouTube, without the need to configure the clients. YouTube for Schools is configured directly in the access rules matching HTTP and HTTPS traffic connecting to YouTube. For more information, see How to Enforce YouTube for Schools in the Firewall.

Custom Block Pages
You can customize the block pages for Virus Scanner, URL Filter, Application Control 2.0, and SSL Interception when used in combination with the Forwarding Firewall Service. Each page has a predefined list of placeholder objects that are replaced on-the-fly by the Barracuda NG Firewall when the block page is delivered to the client. HTTP connections blocked by a Deny or Block access rule can be redirected to an HTTP block page. The same feature can also be used to redirect users in the ATD quarantine to the new quarantine page. For more information, see How to Configure Custom Block Pages, How to Create a Block Access Rule, and How to Configure ATD in the Firewall.

URL Filter Warn and Continue
Each URL category in the URL Policy object can be configured to redirect the user to the customizable URL Filter Warning page. After clicking Continue, the user is allowed to view the website. This action is logged. For more information, see How to Create an URL Filter Policy Object.

WiFi AP Authentication
The Barracuda NG Firewall can authenticate users by using the authentication information from Aerohive and Ruckus wireless access points. For more information, see How to Configure WiFi AP Authentication.

Schedule Objects
Schedule objects are used as an additional matching criterion to restrict access rules to specific times and intervals. Schedule objects can be used in host, access, and application rules and provide time granularity in minutes. For more information, see Schedule Objects.

SSL VPN Web Forwards Improvements
Create Web Forwards to allow SSL VPN users to access web-based internal applications. There are predefined web forward types for Outlook Web Access and SharePoint servers as well as generic settings that allow you full control over how the web content is rewritten. For more information, see How to Configure a Generic Web Forward, How to Configure an Outlook Web Access Web Forward, and How to Configure a SharePoint Web Forward.

SSL VPN User Attributes
User attributes are placeholder variables used to personalize Web Forwards or to configure single sign-on authentication. They are created by the admin and filled in by the end user in either the desktop or mobile portal. For more information, see How to Use and Create Attributes.

Single Sign On for Web Forwards
Web Forwards can be configured to automatically log the user in when accessing Web Forwards requiring authentication. The Barracuda NG Firewall SSL VPN supports HTTP and form-based (POST, GET and JavaScript) authentication. User Attributes allow you to use different user credentials than those used to log into the SSL VPN. For more information, see How to Configure Single Sign On for Web Forwards.

SSL VPN Self-Provisioning for VPN Templates
The NG SSL VPN service allows end users to self-provision their VPN client on Windows, OS X or iOS devices. To automatically download and install the configuration, the user must log into one of the NG SSL VPN portals and click the VPN Template provisioning link. VPN Templates can be created for all group policy based Client-to-Site VPN configurations. For more information, see How to Configure VPN Templates in the SSL VPN.

Barracuda NG Remote App
The Barracuda NG Remote application for Apple iOS provides easy remote access to your Barracuda NG Firewalls and Barracuda NG Control Centers from any place at any time. With the Barracuda NG Remote Application you can:
- Connect via VPN to a Barracuda Networks demo environment to try/test the application.
- Create a connection to one or more Barracuda NG Firewall units via a Barracuda NG Control Center.
- View a Barracuda NG Admin style status map for NG Control Centers and NG Firewalls.
- View general details for a unit (including uptime, license state, activation state, firmware version, and model and serial number).
- View the status of a unit (including server/service control, CPU load, system, network control, events, and licenses).
- View graphics for Box resource usage by memory, data disk usage, and system disk usage.
- View dynamic graphs for allowed sessions, blocked sessions, and bit/sec throughput.
- Perform a unit reboot, services restart, network reconnect, and management tunnel rebuild as remote actions.
- Use full Terminal Access (SSH).
- Enable and disable dynamic access rules (for example, to provide temporary access to a blocked web application).
For more information, see Barracuda NG Firewall Remote.

Upcoming Azure and AWS Pay-As-You-Go Images
In addition to the BYOL image, Azure and AWS pay-as-you-go images will soon be available via the Azure and AWS Marketplaces. This allows you to pay for your NG Firewall on an hourly basis. For more information, see Licensing.

Product Tips
Barracuda Networks can now inform customers of important issues such as security vulnerabilities or other important messages for your Barracuda NG Firewall. These notifications are displayed in the Message Board element on the Dashboard. Go to Box > Advanced Configuration > Message Board to enable Product Tips.
Update Notifications
A new Dashboard element contains all available Hotfixes, Firmware and NG Admin updates for your individual NG Firewall. The element displays dependencies and installed updates and hotfixes as well as detailed information for each download. Go to CONFIGURATION > Configuration Tree > Advanced Configuration > Firmware Update to enable the UPDATES element. For more information, see DASHBOARD General Page and How to Update the Barracuda NG Firewall or NG Control Center using NG Admin.

Multi-Filter Custom Reports
The newest version of the Barracuda Report Creator adds support for multiple entries in the filter element of a custom report. This allows you to create custom report data for multiple users, IP addresses, applications, and URL and Application Categories. For more information, see How to Create Custom Reports.

Improvements Included in Barracuda NG Firewall Version 6.1

Barracuda NG Admin
- NG Admin no longer shows a pop-up every 5 seconds when port 806 is not accessible on an NG Control Center. (BNNGF-29355)
- Entries in the Entries column for connection objects are now displayed in CIDR notation. (BNNGF-29143)
- NG Admin no longer crashes when opening a trace record. (BNNGF-27752)

Barracuda OS
- HA firewall session sync no longer causes soft-lockups. (BNNGF-27977)
- Updated OpenSSL to fix several security vulnerabilities. (BNNGF-29257)
- Authentication service (phibs) no longer crashes when a large number of file descriptors are used. (BNNGF-28877)
- Updated glibc due to security vulnerability CVE-2015-0235. (BNNGF-28018)
- Updated NTP due to security vulnerabilities CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. (BNNGF-27518)
- Fixed legacy Management Centers download of OPSWAT pattern updates. (BNNGF-29191)
- Added disk monitoring to the box level SNMP service. (BNNGF-28202)
- Added power supply information to the box level SNMP service. (BNNGF-27808)
- The DC client logout timeout is now in hours instead of days and the default timeout is changed to 24h. (BNNGF-28023)
- Updated curl and libcurl due to security vulnerabilities CVE-2014-8150 and CVE-2014-8151. (BNNGF-27645)
- TS client now listens on every box IP address. (BNNGF-29175)
- SSL encrypted syslog streaming now works as expected. (BNNGF-27957)

SIP Proxy
- The SIP Proxy now reacts gracefully when failing to open additional dynamic ports. (BNNGF-29131)

URL Filter
- Updated IP addresses of the URL filter databases in the Barracuda Cloud. (BNNGF-28080)
- Barracuda NG Web Filter updated with new categories. (BNNGF-28811)

DHCP Server
- Added a new event to be triggered when the number of DHCP leases is exhausted. (BNNGF-27931)

Dynamic Routing Service
- Propagating additional static VPN routes via OSPF when multiple VPN routes are already propagated now works as expected. (BNNGF-29214)
- Removing the primary route of two redundant BGP routes using special routing tables now works. (BNNGF-29205)
- Fixed various filtering issues for access lists. (BNNGF-28145)

Firewall
- IPS no longer drops traffic for out-of-window TCP ACKs when in report-only mode. (BNNGF-29062)
- Enabled virus scanning in the firewall for Barracuda NG Firewall F100 and F101. (BNNGF-28909)
- Websites now load as expected when TCP Stream Reassembly is disabled and Virus Scanning in the Firewall is enabled. (BNNGF-27649)
- SSL Interception now works for connections using a one-character CN in its certificate. (BNNGF-27923)

HTTP Proxy
- Updated OpenSSL version used by the HTTP service to fix several security vulnerabilities. (BNNGF-29261)
- Virus scanning in the HTTP Proxy now works in combination with the download progress bar. (BNNGF-27136)
- Removed HTTP Proxy service from the default configuration for all Barracuda NG Firewall F100 and F101 models. (BNNGF-28930)
- It is no longer possible to add a certificate that does not match the private key when configuring a reverse proxy with Use SSL set to yes. (BNNGF-27679)
- Entries in the Excluded Domains for SSL Interception now match both the domain with and without a prepended dot (.). (BNNGF-28858)

VPN
- Source routes for the remote networks are now created as expected on the VPN hub. (BNNGF-29053)
- L2TP clients behind the same NAT device now work as expected. (BNNGF-29476)
- IPsec Site-to-Site connections using NAT traversal no longer drop when a configuration change is made. (BNNGF-27422)
- AES encryption with 192-bit key length for TINA tunnels no longer causes a kernel panic. (BNNGF-27421)
- Client-to-Site MSAD and OTP (via RADIUS) authentication now work as expected. (BNNGF-29282)
- Removed legacy WANOpt Master VPN setting. (BNNGF-29719)

Virus Scanner
- Retrieving ATD results now subtracts the time zone correctly. (BNNGF-28326)
- Fixed potential path traversal exploit for files with a malicious folder structure. (BNNGF-27814)
- Added a new X-ALERT-DESCRIPTION header. (BNNGF-29287)
- Disabled and removed ClamAV virus scanning engine for Barracuda NG Firewall F100 and F101. The Avira virus scanning engine is automatically started with the default configuration as a replacement. (BNNGF-28526)

SSL VPN
- Activate Content Rewrite is removed from NG Admin and enabled by default for all Web Forwards. (BNNGF-708)
- Web Resources were renamed to Web Forwards. (BNNGS-696)
- Web Forwards with Allowed Hosts now work as expected. (BNNGS-675)
- Mobile Portal Bar Exemptions now checks only for paths in the URL. (BNNGS-673)
- Certificate authentication now works as expected. (BNNGS-671)
- The mobile portal now correctly appends the Launch Path when launching a Web Forward. (BNNGS-615)
- Fixed connectivity issues for Outlook Web Access 2007 Web Forwards. (BNNGS-605)
- Logging into the desktop portal using Safari now works as expected. (BNNGS-536)
- The Settings menu on the desktop and mobile portal is displayed only when needed. (BNNGS-391)
- VPN connections via the Transparent Agent now work as expected when using Barracuda license files. (BNNGF-25705)

WiFi
- The ticketing database is now synced to the HA partner. (BNNGF-27390)

Distributed Firewall
- Creating a ruleset now works as expected. (BNNGF-29091)

NG Control Center
- Added configuration update icon column to the status page of the NG Control Center. (BNNGF-25426)

Known Issues 6.1
- Amazon AWS/Microsoft Azure: Installing hotfixes or updates via SSH or NG Control Center is currently not possible. Update directly on the unit over NG Admin instead.
- Virus Scanning in the Firewall: The default MIME types scanned differ for HTTP and HTTPS. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Security Policy and add application/* to the Scanned MIME Types to scan the same MIME types for HTTP and HTTPS.
- Virus Scanning in the Firewall: File trickling currently does not work for downloads over HTTP.
- Xen HVM: Updating or installing Xen HVM virtual NG Firewalls or NG Control Centers to version 6.1 is currently not supported.
- SSL VPN: Favorites are not included in the PAR file.
- SSL VPN: Text fields do not accept the # character.
- SSL VPN: The mobile navigation bar is missing from servers entered in the Allowed Hosts.
- SSL VPN: User Attributes do not support UTF-8.
- SSL VPN: The allowed host filter path must be unique.
- WiFi Authentication: In some cases the IP address may be incorrect (0.0.0.0) for the first login of a user. Subsequent logins use the correct IP address.
- Safe Search: In some cases, YouTube safety mode does not work when logged in with a Google account.
- Safe Search: If safe search is enabled, it is not possible to log in to YouTube when cookies are disabled.
- Safe Search: Safe search is not enforced by Bing when using HTTPS.
- Custom Block Pages: Even though access to a blocked website is properly denied, Application or URL Filter block pages are not displayed on the first request for a website blocked by a URL policy object when SSL Interception is enabled.
- NG Admin: Links from dashboard elements are always opened in Internet Explorer and not in the default browser.
- VPN Routing: When a duplicate route to an already existing VPN route in the main routing table is announced to the NG Firewall via RIP, OSPF or BGP, a duplicate routing entry is created and the route that was added last is used.
- VPN Routing: Creating a direct or gateway route with the same metric and destination as a VPN route in the main routing table results in duplicate routes. The route added last is used.

Miscellaneous
- HTTP Proxy: Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
- CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
- ATD: Only the first URL in the Quarantine Tab that leads to a quarantine entry is displayed, even if the User and/or IP address downloaded more than one infected file. This can be dangerous if the first downloaded file is a false positive.
- Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning are enabled in the matching access rule.
- Firewall: Using SSL Interception in combination with URL Filtering and category exemptions may result in degraded performance.
- NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
- Barracuda OS: Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
- Terminal Server Agent: It is not currently possible to assign connections to Windows network shares to the actual user.
- Firmware Update: Log messages similar to "WARNING: /lib/modules/2.6.38.7-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hw" may appear while updating, but can be ignored.
- Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
- Application Control 2.0 and Virus Scanning: Data Trickling is only done while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
- Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
- Application Control 2.0 and Virus Scanning: It is not currently possible to perform virus scanning for chunked transfer encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
- Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, a small amount of traffic may already have passed through the firewall.
- Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports "The archive couldn't be scanned completely". Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
- High Availability: IPv6 network sessions might not be established correctly after an HA failover.
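The Content-Length and chunked-encoding caveats above (the same items appear in the earlier known-issues list) can be checked per response when reviewing proxy captures. The following is an added example, not Barracuda code: it classifies raw HTTP response header blocks against those cases, using a constructed size threshold and constructed sample headers.

```python
"""Check which of the virus-scanning caveats above an HTTP response falls under.

Added example, not Barracuda code: the size threshold, the header samples and
the case labels are constructed for illustration. Given a raw HTTP response
header block it reports whether the body is chunked (cannot be scanned; the
notes recommend excluding such traffic), has a missing or invalid
Content-Length (the Large File Policy may be ignored), exceeds the large-file
threshold, or is a plain fixed-length body that is scanned normally.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed threshold; the real Large File Policy size is set on the unit.
LARGE_FILE_BYTES = 10 * 1024 * 1024


@dataclass(frozen=True)
class ScanDecision:
    case: str                     # "scan", "large_file", "unknown_length", "chunked"
    content_length: Optional[int]
    note: str


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response header block into a lower-cased name -> values map.

    Repeated headers are kept as a list so that duplicates, which can confuse
    length handling, are detected rather than silently merged.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response header block")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; body follows
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify_response(raw: str, threshold: int = LARGE_FILE_BYTES) -> ScanDecision:
    """Map a response header block onto the cases listed in the known issues."""
    headers = parse_headers(raw)

    # Chunked encoding is checked first: per RFC 7230 a Transfer-Encoding header
    # overrides Content-Length, and the notes state chunked sessions cannot be
    # virus scanned at all.
    encodings = [v.lower() for v in headers.get("transfer-encoding", [])]
    if any("chunked" in v for v in encodings):
        return ScanDecision("chunked", None,
                            "chunked transfer encoding: not scannable, exclude via a dedicated rule")

    lengths = headers.get("content-length", [])
    # Exactly one ASCII-decimal value is accepted; a missing, duplicated or
    # non-numeric value is the "missing or invalid" case in the notes.
    if len(lengths) != 1 or not (lengths[0].isascii() and lengths[0].isdigit()):
        return ScanDecision("unknown_length", None,
                            "Content-Length missing or invalid: Large File Policy may be ignored")

    size = int(lengths[0])
    if size > threshold:
        return ScanDecision("large_file", size, "above threshold: Large File Policy applies")
    return ScanDecision("scan", size, "fixed-length body: scanned normally")


# Constructed sample responses (not captured from a real device).
SAMPLES = {
    "pdf": "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: 524288\r\n\r\n",
    "iso": "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           "Content-Length: 734003200\r\n\r\n",
    "stream": "HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "nolen": "HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n",
    "badlen": "HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\nContent-Length: 12abc\r\n\r\n",
    "duplen": "HTTP/1.1 200 OK\r\nContent-Length: 100\r\nContent-Length: 200\r\n\r\n",
}


def classify_samples() -> Dict[str, str]:
    """Return the case label for every constructed sample."""
    return {name: classify_response(raw).case for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        decision = classify_response(raw)
        print("%-7s %-15s %s" % (name, decision.case, decision.note))
```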
Barracuda OS: Restoring units in default configuration with par files created on a NG Control Center may result in a corrupt virtual server. Instead, copy the par file to opt/phion/update/box.par and reboot the unit. VPN: Rekeying does not currently work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 20 Release Notes 6.1.1 Before installing or upgrading to the new firmware version, back up your configuration and read the release and migration notes. If you are updating from a version earlier than 6.0.x, all migration instructions for 5.x and 6.0 also apply. Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks Technical Support. Upgrading can take up to 60 minutes, depending on your current firmware version and other system factors. If the process takes longer, please contact Barracuda Networks Technical Support for further assistance. In these Release Notes: General GPL Compliance Statement Hotfixes Included with Barracuda NG Firewall Version 6.1.1 What´s New in Barracuda NG Firewall Version 6.1.1 Updated Available Instance Types for Barracuda NG Firewalls in AWS and Azure Improvements Included in Barracuda NG Firewall Version 6.1.1 Known Issues General If you want to update an existing system: When updating from an earlier version to 6.1, the following update path applies: 4.2 > 5.0 > 5.2 > 5.4 > 6.0 > 6.1. Barracuda NG Firewall F100 and F101 models using the ClamAV Virus Scanner may not have enough free disk space for updating. For more information, see Migrating to 6.1. Do not upgrade Barracuda NG Firewalls or NG Control Centers using Xen HVM images to 6.1.0. For more information, see Migrating to 6.1. 
GPL Compliance Statement This product is in part Linux-based and contains both Barracuda Networks proprietary software components and open source components in modified and unmodified form. Some of the open source components included underlie either the GPL or LGPL, or other similar licensing, which requires all modified or unmodified source code to be made freely available to the public. This source code is available at http://source.barracuda. com. Hotfixes Included with Barracuda NG Firewall Version 6.1.1 Hotfix 686: Wi-Fi Access Point Authentication Hotfix 687: SSL VPN Generic Web Forwards Hotfix 693: Leap Second Update 2015 Hotfix 697: DHCP Server Restart Policy Hotfix 699: Azure Public Cloud Detection What´s New in Barracuda NG Firewall Version 6.1.1 CudaLaunch Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 21 CudaLaunch offers secure remote access to your organization's applications and data from mobile devices. CudaLaunch is available for iOS and Android devices via the Apple App Store or Google Play Store. Both versions offer the same functionality. Full Device VPN uses the same VPN group policy. CudaLaunch on Android uses the TINA VPN protocol; the iOS app manages the built-in IPsec VPN client. For more information, see CudaLaunch and NG Firewall Configuration for CudaLaunch. URL Filter Overrides The Override feature of the URL Filter grants temporary access to otherwise blocked URL categories. URL categories that are set to the override policy redirect the user to the customizable Override Block page of the URL Filter. The override admin must grant the request for a specified time. When the request has been granted, the user is automatically forwarded to the website. Overrides are always granted for the entire URL category. For more information, see How to Configure URL Filter Overrides and How to Grant URL Category Overrides - User Guide. 
NAC for SSL VPN and CudaLaunch Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 22 SSL VPN Network Access Control (NAC) limits access to the web portals of the SSL VPN service according to a variety of factors that are not connected to the user. Users who fail the NAC check are not allowed to log in until they have a conforming system. For more information, see How to Configure NAC for SSL VPN. Firmware Update Management on the NG Control Center Similar to standalone units, the Barracuda NG Control Center Firmware Update page is now tied in with the new Barracuda Download Portal. The Download Portal tab displays dependencies for updates and hotfixes as well as detailed information for each download. On the box level of the NG Control Center, go to CONFIGURATION > Configuration Tree > Advanced Configuration > Firmware Update to enable the Download Products tab. For more information, see How to Update Barracuda NG Control Center Managed Systems. Product Tips on the NG Control Center Barracuda Networks can now inform customers of important issues such as security vulnerabilities or other important messages concerning the Barracuda NG Firewalls managed by the NG Control Center. These notifications are displayed in the Product Tips element on the Dashboard. On the box level of the NG Control Center, go to Box > Advanced Configuration > Message Board to enable Product Tips. Interface Dashboard Element Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 23 The Interface element shows the port configuration for your Barracuda NG Firewall. All ports are displayed in the same location and with the same port names as on the physical appliance. For more information, see DASHBOARD General Page. 
Updated Available Instance Types for Barracuda NG Firewalls in AWS and Azure When deploying the Barracuda NG Firewall in Azure or AWS, you can now choose from an updated list of Instance sizes and types. In Azure, it is now possible to use any Instance size, as long as the license level matches the number of available CPU cores. AWS Instance types have been updated to use the new generation of AWS Instances. These changes apply to both BYOL and PAYG (Hourly) images. For more information, see Public Cloud Hosting. Improvements Included in Barracuda NG Firewall Version 6.1.1 Barracuda NG Admin The Firmware update element no longer causes NG Admin to crash on systems that are located in a time zone with a negative offset. (BNNGF-30967) Improved error handling when receiving invalid responses from the Barracuda Servers while downloading licenses. (BNNGF-30618) Changed the input validation of the YouTube for Schools Token to allow underlines. (BNNGF-31421) Downloading update via the firmware update element now works as expected. (BNNGF-30094, BNNGF-30824) Entering Networks for Site-to-Site tunnels is no longer required. This is required for an OSPF over VPN configuration. (BNNGF-31444) Changed input validation for Site Specific Objects to allow all characters also allowed for Forwarding Firewall Objects. (BNNGF-31040) Generating system reports now works as expected. (BNNGF-31181) The access rule dialog now handles larger system text sizes. (BNNGF-31068) NG Admin no longer crashes in unconfigured GTI Editor. (BNNGF-29676) Session details now contain the URL Category and Application Context. (BNNGF-31665) Copying/Paste and cloning of Schedule objects now work as expected. (BNNGF-31630) Switch to Advanced View is visible again on the Box > Administrators page. (BNNGF-31449) The IPsec tunnel statuses are now displayed on CONTROL > GeoMaps and CONTROL> Status Map. (BNNGF-24002) NG Admin now works as expected on Windows Vista. 
(BNNGF-30495) Added check to ensure names for GTI Editor groups are unique. (BNNGF-30431) Added column for the serial number to the NG Control Center CONTROL > Status Map. (BNNGF-29850) Using range regular expressions for filtering in NG Admin now works as expected. (BNNGF-20283) Licenses that are about to expire are now displayed in yellow on the CONTROL > Licenses page. (BNNGF-13807) RCS now works as expected on the Security Policy and Response Messages pages. (BNNGF-29819) RCS now works as expected on the Network page when a UMTS/3G modem is configured. (BNNGF-21274) The eventing service is now included in the status displayed on the CONTROL > Status Map page. (BNNGF-29674) Changed input validation to allow - (dash) and _ (underscore) in the shell script editor on the CONTROL > Remote Execution page. (BNNGF-31551) The Firmware Update element now also works with SF licenses. (BNNGF-30056) Pressing delete key repeatedly no longer temporarily removes list items without a page lock. (BNNGF-30091) Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 24 Exporting the Trusted Root Certificate to the clipboard on the Security Policy page now works as expected. (BNNGF-29936) Rate-Max for inbound traffic shaping rates larger than 2047 Mbit on the FIREWALL > Shaping page are now displayed correctly. (BNNGF-28993) Icons in the CONTROL > Network > ARP are now displayed correctly. (BNNGF-27948) Changing the welcome message for the Access Control Service now works as expected.(BNNGF-24005) Barracuda OS Increased the number of supported DHCP WAN connections to twelve. (BNNGF-31523) After updating, controld now restarts if necessary. (BNNGF-30455) Updated libcurl to fix several security vulnerabilities. (BNNGF-39894, BNNGF-30108) installUpdate now writes to the box_Release_update.log file. (BNNGF-31305) Fixed potential issues caused by leap seconds. 
(BNNGF-31167, BNNGF-31160) Improved event handling for events not reaching the Notification Threshold defined for one week. (BNNGF-28795) Added rpm signature checks to hotfix files and PhionRelCheck. (BNNGF-30551) For Wi-Fi AP authentication, it is now possible to define a subnet or an individual IP address as the access point source network. (BNNGF-30126) Improved memory management of the MSAD DC Client authentication. (BNNGF-29964) Updated default values for the general firewall configuration parameters. (BNNGF-31425) Updated OpenSSL to version 0.9.8zf. (BNNGF-21059) Users authenticating the first time via an Aerohive Wi-Fi access point are no longer assigned a wrong IP address. (BNNGF-30080) It is now possible to migrate virtual servers to VF2000 or higher. (BNNGF-30051) Removed option to use wildcards in the pre-authentication value patterns. (BNNGF-26436) The control daemon now automatically monitors and restarts ntpd. (BNNGF-29702) Product Tips and Firmware Update Element now generate events when new items are available. (BNNGF-29447) Firewall YouTube for Schools now works as expected when accessing YouTube via HTTPS. (BNNGF-31370) Changes to the forwarding firewall ruleset no longer terminate sessions allowed due to a firewall plugin. (BNNGF-25686) The FTP plugin now handles EPRT ftp commands correctly. (BNNGF-30323) YouTube SafeSearch can no longer be deactivated when using the Chrome browser. (BNNGF-30268) Added IP addresses for dlportal.barracudanetworks.com (64.235.151.85 and 95.172.71.5) to the Barracuda Update Servers network object. (BNNGF-29445) The Authentication Timeout when accessing the Barracuda Web Security Service (Flex) is now configurable. (BNNGF-31510) Internal access rules not accessible for the user no longer generate events. (BNNGF-26014) Client-to-Site VPN traffic is no longer blocked when a MAC-based access rule is located before the client-to-site access rule in the ruleset. 
(BNNGF-29862) The number of network objects that can contain hostnames is no longer limited to 383. (BNNGF-30590) Distributed Firewall Using application objects in the application ruleset now works as expected. (BNNGF-31430) HTTP Proxy The progress bar popup now works as expected. (BNNGF-31782) Handling of URL categorization in the HTTP Proxy service now works as expected. (BNNGF-31126) Files analyzed by ATD are no longer cached by the HTTP Proxy. (BNNGF-27131) Virus Scanner Improved handling of RAR files no longer cause high CPU loads. (BNNGF-29816) Virus patterns are now updated immediately after installing an update or hotfix containing the virus scanner rpm. (BNNGF-29152) Using legacy phion pool licenses in combination with Avira now works as expected. (BNNGF-30304) DHCP Server The DHCP server now listens on both LAN and Wi-Fi interfaces if DHCP subnets are served over both interfaces. (BNNGF-29780) VPN Server Encapsulation for IPsec tunnels using NAT-T is now set correctly. (BNNGF-29755) L2TP tunnels now work as expected when a referenced firewall object is used for the static IP address of the user. (BNNGF-31052) To avoid excessive logging, the default Log Level for WAN Optimization is now set to 0. (BNNGF-30784) SSL VPN Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 25 Checking documents in and out on a SharePoint 2010 server now works as expected. (BNNGF-517) The password attribute value is no longer visible in the browser page source. (BNNGS-1001) You can now remove all permissions from the custom VPN profiles. (BNNGS-999) SSL tunnels associated with generic applications are now correctly scoped to the respective Application. (BNNGF-30333, BNNGS-983) Writing to log file while loading a Web Forward now works as expected. (BNNGS-936) Single Sign-On via JavaScript authentication now works as expected. (BNNGS-935) Tapping Logout now works as expected on iOS and Windows Phone devices. 
(BNNGS-930)
Added input validation to ensure the Allowed Host filter path is unique. (BNNGS-748)
Saving and displaying text for User Attributes using the TextArea format now works as expected. (BNNGS-368)
Clicking the Login button repeatedly after logging in no longer results in a JavaScript error. (BNNGS-240)

FTP Gateway
Added option to limit the Maximal Workers per Peer to avoid high system load. (BNNGF-21237)
Changed the maximum number allowed for Maximal Allowed Workers to 255 and the default value to 128. (BNNGF-30574)

OSPF/RIP/BGP Service
BGP weight changes now work as expected. (BNNGF-30028)

Azure
A MAC address change because of a reboot no longer invalidates the license on managed Barracuda NG Firewalls in Azure. (BNNGF-31497)

Xen
Xen HVM images now work as expected. (BNNGF-28214)
Xen HVM images now use the xen-netfront network driver by default if possible. (BNNGF-27392)

NG Control Center
Managed NG Firewalls running on a Xen hypervisor report their serial number correctly. (BNNGF-31701)
Setting Enforce password strength to No password enforcement for NG Control Center admins now works as expected. (BNNGF-27960)
NG Control Center admins assigned to an Administrative Role that disallows Create PAR File can no longer create system reports containing PAR files. (BNNGF-21496)
Box level configuration for Firmware Update Element and Product Tips is now accessible through Set Area Config on the CONTROL > File Upload page on the NG Control Center. (BNNGF-29443)

Known Issues 6.1.1
Product Tips: An NG Admin session may temporarily freeze when the Barracuda Update servers are unreachable.
Product Tips: Product Tips on the NG Control Center are enabled even though Enabled is set to No in the Set Area Config for Product Tips on the CONTROL > File Update page. Make a dummy change to set the configuration. This setting also applies to all NG Firewalls managed by the NG Control Center.
Opensource Xen HVM: Opensource (Linux) Xen HVM images are currently not supported for firmware 6.1.1.
Interface Element: In some cases the interface element may not work correctly on virtual NG Firewalls.
Firewall Plugin: The DCERPC firewall plugin module is disabled.
Azure: During the update to 6.1.1, the ssh key is regenerated, replacing the existing ssh key.
Barracuda NG Control Center C610: Verification of the raid rpm signature included in the extra update archive fails, causing phionRelCheck to show a dirty release state.
Application Control 2.0: The URL Category Search Engine may not be set to override when URL Filtering is used in combination with SafeSearch.
HTTP Proxy: Custom block pages do not work for the HTTP Proxy when running on the same NG Firewall as the Firewall service. This issue does not occur when running the HTTP Proxy service on a second NG Firewall behind the NG Firewall running the Firewall service.
SSL VPN: Favorites are not included in the PAR file.
SSL VPN: Text fields do not accept the # character.
SSL VPN: The mobile navigation bar is missing from servers entered in the Allowed Hosts.
SSL VPN: User Attributes do not support UTF-8.
SSL VPN: The allowed host filter path must be unique.
Safe Search: In some cases, YouTube safety mode does not work when logged in with a Google account.
Safe Search: If safe search is enabled, it is not possible to log in to YouTube when cookies are disabled.
Safe Search: Safe search is not enforced by Bing when using HTTP.
VPN Routing: When a duplicate route to an already existing VPN route in the main routing table is announced to the NG Firewall via RIP, OSPF or BGP, a duplicate routing entry is created and the route that was added last is used.
VPN Routing: Creating a direct or gateway route with the same metric and destination as a VPN route in the main routing table results in duplicate routes.
The route added last is used.

Miscellaneous
HTTP Proxy: Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
ATD: Only the first URL in the Quarantine Tab that leads to a quarantine entry is displayed, even if the User and/or IP address downloaded more than one infected file. This can be dangerous if the first downloaded file is a false positive.
Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning are enabled in the matching access rule.
Firewall: Using SSL Interception in combination with URL Filtering and category exemptions may result in degraded performance.
NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
Barracuda OS: The Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
Terminal Server Agent: It is not currently possible to assign connections to Windows network shares to the actual user.
Firmware Update: Log messages similar to the following may appear while updating, but can be ignored:
WARNING: /lib/modules/2.6.38.7-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hw
Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
Application Control 2.0 and Virus Scanning: Data Trickling is only done while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
Application Control 2.0 and Virus Scanning: It is not currently possible to perform virus scanning for chunked transfer encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, a small amount of traffic may already have passed through the firewall.
Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports "The archive couldn't be scanned completely." Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
High Availability: IPv6 network sessions might not be established correctly after an HA failover.
Barracuda OS: Restoring units in default configuration with par files created on an NG Control Center may result in a corrupt virtual server. Instead, copy the par file to opt/phion/update/box.par and reboot the unit.
VPN: Rekeying does not currently work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated.

Release Notes 6.1.2
Before installing or upgrading to the new firmware version, back up your configuration and read the release and migration notes. If you are updating from a version earlier than 6.0.x, all migration instructions for 5.x and 6.0 also apply. Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks Technical Support.
Upgrading can take up to 60 minutes, depending on your current firmware version and other system factors. If the process takes longer, please contact Barracuda Networks Technical Support for further assistance.

In these Release Notes:
General
GPL Compliance Statement
Hotfixes Included with Barracuda NG Firewall Version 6.1.2
What's New in Barracuda NG Firewall Version 6.1.2
Improvements Included in Barracuda NG Firewall Version 6.1.2
Known Issues

General
If you want to update an existing system:
When updating from an earlier version to 6.1, the following update path applies: 4.2 > 5.0 > 5.2 > 5.4 > 6.0 > 6.1.
Barracuda NG Firewall F100 and F101 models using the ClamAV Virus Scanner may not have enough free disk space for updating. For more information, see Migrating to 6.1.
Do not upgrade Barracuda NG Firewalls or NG Control Centers using Xen HVM images to 6.1.0. For more information, see Migrating to 6.1.

GPL Compliance Statement
This product is in part Linux-based and contains both Barracuda Networks proprietary software components and open source components in modified and unmodified form. Some of the open source components included underlie either the GPL or LGPL, or other similar licensing, which requires all modified or unmodified source code to be made freely available to the public. This source code is available at http://source.barracuda.com.

Hotfixes Included with Barracuda NG Firewall Version 6.1.2
Hotfix 702: TKEY Queries in bind
Hotfix 706: VPN Profiles for SSL VPN
Hotfix 708: SSL Interception (included in Hotfix 711)
Hotfix 711: Cumulative Firewall Hotfix
Hotfix 716: DC Client Authentication

What's New in Barracuda NG Firewall Version 6.1.2
Wi-Fi Access Point Authentication for Aruba AP
It is now possible to collect authentication information by configuring the Barracuda NG Firewall as a logging server for your Aruba Access Points.
For more information, see How to Configure WiFi AP Authentication and WiFi AP Authentication Aruba Configuration.

Improvements Included in Barracuda NG Firewall Version 6.1.2

Barracuda NG Admin
Exporting, Importing, and Merging box licenses from and to the clipboard now works as expected. (BNNGF-30523)
Re-enabled option to link the Network configuration to a repository entry. (BNNGF-33037)
VPN tunnel status is now displayed correctly on the Status Map. (BNNGF-32645)
Exporting, Importing, and Merging HTTP Proxy ACL entries from and to the clipboard now works as expected. (BNNGF-23121)
Disabled routes are now displayed in red. (BNNGF-33226)
It is now possible to set the IPsec-ID for IPsec tunnels created with the GTI editor. (BNNGF-32705)
When restoring from a PAR file, NG Admin no longer locks up when the PAR file is unavailable. (BNNGF-32514)
Removing Client-to-Site VPN group policies now works as expected. (BNNGF-31778)
Values in the FIREWALL > Audit Log duration columns are now displayed correctly. (BNNGF-32189)
In the NG Control Center, active tunnels in CONTROL > Geo Maps are now displayed in green to be consistent with the Status Map. (BNNGF-30904)
Reputation search for IP addresses in FIREWALL > Live and FIREWALL > History now works as expected. (BNNGF-33440)
In the NG Control Center, Reset to Cluster Default now requires a configuration lock. (BNNGF-31851)
NG Admin no longer freezes if a large amount of FW Audit data is requested. (BNNGF-31774)

Barracuda OS
HA sync no longer causes soft lockups if the HA partner is unavailable. (BNNGF-31427)
Updated HP smart array drivers (hspa) to version 3.4.10. (BNNGF-32068)
The DC Client now correctly interprets user group information sent by the DC Agent. (BNNGF-33146)
DHCP with multiple encapsulated options now works as expected. (BNNGF-32895)
Restoring PAR files larger than two GB now works as expected.
(BNNGF-31879)
The virtual server monitoring state is no longer listed on the CONTROL > Server page if IP Monitoring Policy is set to No. (BNNGF-24160)
Updated LSI megaraid driver (megaraid_sas) to version 6.808.12. (BNNGF-32585)
Changing duplex settings for interfaces using the netsemi.ko driver now works as expected. (BNNGF-31973)
Added source and destination IP address to the box level eventS.log logfile. (BNNGF-32438)

Firewall
The Firewall service no longer causes a kernel panic due to a race condition in the source object allocation. (BNNGF-32484)
Disabling ping for management or service addresses now works as expected. (BNNGF-33169)
Parsing compressed HTML pages by IPS now works as expected. (BNNGF-25552)
The DNS plug-in now works correctly and no longer crashes. (BNNGF-32456)
The Firewall service now correctly processes NAT/PAT operations to address issues with website loading and connection drops in general. (BNNGF-32386)
Updated OpenSSL version used for SSL Interception to enable elliptic curve ciphers. (BNNGF-26180)
Fixed a memory leak related to delivery of Application Control 2.0 Block Pages. (BNNGF-32838)
SSL Interception now works with all imported root certificates. (BNNGF-32771)
The Firewall activity log now correctly displays denied and blocked IPv6 sessions. (BNNGF-31750)

Distributed Firewall
It is now possible to select custom IPS policies for rules in the Global Rules ruleset. (BNNGF-23221)

OSPF/RIP/BGP Service
Configuration changes no longer deactivate OSPF on vpnr interfaces. (BNNGF-31309)

VPN
L2TP Client-to-Site VPN now works as expected for Android and iOS devices. (BNNGF-31289)
Dynamic Mesh tunnels can now be triggered without a source or destination network if a routed VPN is used.
(BNNGF-31213)
Added Prevent Tunnel Timeout option to the TI settings of the connection object to be able to choose whether the matching traffic is used as a criterion for terminating the dynamic tunnel. (BNNGF-32854, BNNGF-21214)
Added MD160, SHA256, and SHA512 to the supported hash algorithms for IPsec VPNs. (BNNGF-32702, BNNGF-30929)
Fix for a dead loop on the virtual device vpn0 that caused issues when enabling QoS on VPN tunnels. (BNNGF-31717)
Dynamic Mesh Tunnels no longer cause an error when a tunnel is destroyed while still in the initiation phase. (BNNGF-32835)
IPsec ID Type is now configurable for IPsec Site-to-Site VPN tunnels. (BNNGF-17248)

DNS Server
TKEY queries are now handled correctly. This fixes security vulnerability CVE-2015-5477. (BNNGF-32391)

SSH Proxy
Added aes-128-ctr to the allowed cipher list. (BNNGF-32327)

HTTP Proxy
It is no longer possible to use SSL Interception and the download progress bar in the HTTP Proxy service. (BNNGF-31364)

NG Control Center
Reassigning pool licenses for phion-legacy and SF-licensed units now works as expected. (BNNGF-31535)
Enable Product Tips now shows the correct state on freshly installed NG Control Centers. (BBNNGF-32410)
Added Message column to RCS report. (BNNGF-30981)
CC Admins using peer IP restrictions and SPoE can now successfully authenticate. (BNNGF-27515)

Known Issues 6.1.2
NG Control Center: Network > Azure Advanced Networking is displayed in a 6.1 cluster even if the managed NG Firewall is running version 6.1.1 or 6.1.0, which does not support this feature.
After importing a PAR file signed by the NG Control Center on a managed NG Firewall, a soft network activation is automatically executed. Restart the active network configuration on the CONTROL > Box page to finish the network activation.
When a license is changed, an automatic soft network activation is executed.
6.1.1
Opensource Xen HVM: Opensource (Linux) Xen HVM images are currently not supported for firmware 6.1.2.
Firewall Plugin: The DCERPC firewall plugin module is disabled.
Azure: During the update to 6.1.2, the ssh key is regenerated and replaces the existing ssh key.
Application Control 2.0: The URL Category Search Engine may not be set to override when URL Filtering is used in combination with SafeSearch.
HTTP Proxy: Custom block pages do not work for the HTTP Proxy when running on the same NG Firewall as the Firewall service. This issue does not occur when running the HTTP Proxy service on a second NG Firewall behind the NG Firewall running the Firewall service.
SSL VPN: Favorites are not included in the PAR file.
SSL VPN: Text fields do not accept the # character.
SSL VPN: The mobile navigation bar is missing from servers entered in the Allowed Hosts.
SSL VPN: User Attributes do not support UTF-8.
SSL VPN: The allowed host filter path must be unique.
Safe Search: In some cases, YouTube safety mode does not work when logged in with a Google account.
Safe Search: If Safe Search is enabled, it is not possible to log into YouTube when cookies are disabled.
Safe Search: Safe Search is not enforced by Bing when using HTTP.
VPN Routing: When a duplicate route to an already existing VPN route in the main routing table is announced to the NG Firewall via RIP, OSPF or BGP, a duplicate routing entry is created and the route that was added last is used.
VPN Routing: Creating a direct or gateway route with the same metric and destination as a VPN route in the main routing table results in duplicate routes. The route added last is used.

Miscellaneous
HTTP Proxy: Custom Cipher String and Allow SSLv3 settings only apply to reverse proxy configurations.
CC Wizard: The CC Wizard is currently not supported for NG Control Centers deployed using NG Install.
ATD: Only the first URL in the Quarantine Tab that leads to a quarantine entry is displayed, even if the User and/or IP address downloaded more than one infected file. This can be dangerous if the first downloaded file is a false positive.
Firewall: It is not possible to join a join.me session if SSL Interception and Virus Scanning are enabled in the matching access rule.
Firewall: Using SSL Interception in combination with URL Filtering and category exemptions may result in degraded performance.
NG Admin: SPoE does not work if an IPv6 virtual server IP address is used.
Barracuda OS: The Provider DNS option for DHCP connections created with the box wizard must be enabled manually.
Terminal Server Agent: It is not currently possible to assign connections to Windows network shares to the actual user.
Firmware Update: Log messages similar to the following may appear while updating, but can be ignored:
WARNING: /lib/modules/2.6.38.7-9ph5.4.3.06.x86_64/kernel/drivers/net/wireless/zd1211rw/zd1211rw.ko needs unknown symbol ieee80211_free_hw
Attention: Amazon AWS/Microsoft Azure: Performing Copy from Default of Forwarding Firewall rules currently locks out administrators from the unit and requires a fresh installation of the system.
Application Control 2.0 and Virus Scanning: Data Trickling is done only while the file is downloaded, but not during the virus scan. This may result in browser timeouts while downloading very large files.
Application Control 2.0 and Virus Scanning: If the Content-Length field in HTTP headers is missing or invalid, the Large File Policy may be ignored.
Application Control 2.0 and Virus Scanning: It is not currently possible to perform virus scanning for chunked transfer encoded HTTP sessions such as media content streaming. Barracuda Networks recommends excluding such traffic from being scanned.
Application Control 2.0 and Virus Scanning: In very rare cases, if the SSL Interception process is not running, but the option Action if Virus Scanner is unavailable is set to Fail Close, a small amount of traffic may already have passed through the firewall.
Application Control 2.0 and Virus Scanning: In rare cases, Google Play updates are delivered as partial updates. These partial updates cannot be extracted and are blocked by the virus scanning engine. The engine reports "The archive couldn't be scanned completely." Either create a dedicated firewall rule that does not scan Google Play traffic, or set Block on Other Error in Avira Archive Scanning to No.
High Availability: IPv6 network sessions might not be established correctly after an HA failover.
Barracuda OS: Restoring units in default configuration with par files created on an NG Control Center may result in a corrupt virtual server. Instead, copy the par file to opt/phion/update/box.par and reboot the unit.
VPN: Rekeying does not currently work for IPsec Xauth VPN connections. The VPN tunnel terminates after the configured rekeying time and needs to be re-initiated.

Deployment
The Barracuda NG Firewall and Barracuda NG Control Center are available as a hardware appliance or a virtual system, or can be deployed in the public cloud (NG Firewall only).
Hardware Deployment – Continue with the Hardware Deployment Guide.
Virtual Deployment – Continue with the Virtual Systems (Vx) Deployment Guide.
Cloud Deployment – Continue with the Public Cloud Deployment Guide.

Hardware
The Barracuda NG Firewall is available in multiple hardware models to meet different networking requirements, ranging from the Barracuda NG Firewall F10 for small or home offices to the Barracuda NG Firewall F1000 for large data centers.
Step 1. (Optional) Install the NG Firewall or NG Control Center in a Rack
Some Barracuda NG systems are desktop sized; the larger models can be mounted in a standard-size rack. For more information, see Rack Installation for Barracuda Appliances.

Step 2. Management Ports
The management port for the Barracuda NG Firewall differs depending on the model. Connect the management port to the network the management PC is in.

Hardware System                      Management Port   WAN Port
Barracuda NG Firewall F10 - F30x     Port 1            Port 4
Barracuda NG Firewall F400 - F600    Port 1            -
Barracuda NG Firewall F800           MGMT port         -
Barracuda NG Firewall F900           MGMT port         -
Barracuda NG Firewall F1000          MGMT port         -

Step 3. Complete the Quick Start Guide
Every Barracuda NG Firewall or NG Control Center appliance is shipped with the Quick Start Guide. Complete all the steps listed in the Quick Start Guide for the Standard Deployment Mode.

Next Steps
To log in to and configure your Barracuda NG, see Getting Started.

Virtual Systems (Vx)
The Barracuda NG Vx can be deployed on VMware, Xen, KVM, and Hyper-V hypervisors using the virtual images provided by Barracuda Networks. Each Barracuda NG Vx comes with one virtual network adapter. Virtual Systems are classified by a "capacity" number in the model name that defines the number of protected Firewall IPs, SSL-VPN users, VPN users and Proxy users (AV and Webfilter). For specialized installations, use Barracuda NG Install and a generic Barracuda NG ISO image to deploy a custom configuration.

In this article:
Sizing your Virtual Machine
VMware ESXi
Citrix
Opensource Linux Xen
KVM
Hyper-V
Performance Considerations

Sizing your Virtual Machine
Your Vx license limits the number of CPU cores you can use for your virtual Barracuda NG Vx. Storage and RAM can be sized to fit your needs and are not limited by the license of the Barracuda NG Vx.
Vx Virtual System                                      Number of Licensed Cores   Minimum Storage [GB]   Minimum Memory [GB]
NG Firewall VF25, VF50, VF100, VF250, VF500, VF1000    2                          80                     2
NG Firewall VF2000                                     4                          80                     2
NG Firewall VF4000                                     8                          80                     2
NG Firewall VF8000                                     16                         80                     2
NG Control Center VC400                                No core limitation         125                    2
NG Control Center VC610, VC820                         No core limitation         250                    2

VMware ESXi
Supported Versions – VMware ESX(i) version 3.5 or above
Image Format – *.ova
Max Number of virtual network adapters – 10
To deploy the Barracuda NG Vx on your VMware hypervisor, download the NG Firewall or NG Control Center image from the Barracuda Networks Download Portal. If you want to deploy using the standard configuration, use the OVA image. If you want a custom configuration, download the generic Barracuda NG Vx ISO image and Barracuda NG Install to carry out the deployment. To deploy a Barracuda NG Vx on a VMware ESXi server, see How to Deploy a Barracuda NG Vx OVA Image on VMware Hypervisors or How to Deploy a Barracuda NG Vx using Barracuda NG Install on a VMware Hypervisor.

Citrix
Supported Versions – Citrix XenServer 6.2 or above
Image Format – *.hvm.xva (PVHVM) or *.pv.xva (PV) disk images.
Max Number of virtual network adapters – 7
Xen images come in a PVHVM (mix of fully virtualized and paravirtualized drivers) or PV (only paravirtualized drivers) version. If your Citrix XenServer supports PVHVM, it is recommended to use the PVHVM image for near-native performance. Download images from the Barracuda Networks Download Portal. To deploy a Barracuda NG Vx on a XenServer, see How to Deploy the Barracuda NG Vx on a Citrix XenServer.

Opensource Linux Xen
Supported Versions – XenServer 4.X or above
Image Format – Linux script (.sh) containing PVHVM or PV disk images.
Max Number of virtual network adapters – 7
Xen images come in a PVHVM (mix of fully virtualized and paravirtualized drivers) or PV (only paravirtualized drivers) version. It is recommended to use the PVHVM image for near-native performance. Download the installation package to match your Linux Xen hypervisor from the Barracuda Networks Download Portal. To deploy a Barracuda NG Vx on a XenServer, see How to Deploy the Barracuda NG Vx on an Opensource Xen Server.

KVM
Supported Versions – KVM 5.4.2 and above
Image Format – *.kvm.zip
Max Number of Virtual Network Adapters – up to 28 (depending on the configuration and number of devices in the VM configuration)
KVM uses a different approach for attaching devices to the virtual machine. It uses an emulated PCI controller with 32 slots. 5 slots are permanently occupied by necessary system components and the disk controller. The remaining 27 slots can be freely assigned to other devices, including network adapters. The KVM image for the Barracuda NG Vx uses the virtio paravirtualized network adapters for best performance. To deploy a Barracuda NG Vx on a KVM hypervisor, see How to Deploy the Barracuda NG Vx on KVM.

Hyper-V
Virtual Disk Format – *.vhd
Max Number of Virtual Network Adapters – up to 8 network adapters + up to 4 additional "legacy network adapters"
Barracuda Networks offers a Virtual Disk you can use to install the Hyper-V version of the Barracuda NG Firewall. Download the virtual disk from the Virtual Appliance Download Page. To deploy a Barracuda NG Vx on a Hyper-V hypervisor, see How to Deploy the Barracuda NG Vx on Hyper-V.

Performance Considerations
When choosing which hypervisor to use, Barracuda Networks recommends using VMware ESXi hypervisors for network-intensive tasks, and KVM hypervisors for units with high disk load.
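To check a planned VM definition against the license and hypervisor limits in this section before importing an image, the following Python function is an added example (not Barracuda tooling) that encodes the sizing table and the per-hypervisor adapter maxima above; the hypervisor key names are assumptions, and the KVM maximum is taken from the 32-slot/5-reserved arithmetic given for KVM rather than the "up to 28" figure.

```python
"""Pre-deployment sizing check for a Barracuda NG Vx virtual machine.

Added example, not Barracuda tooling: it encodes the sizing table and the
per-hypervisor network adapter limits from the Virtual Systems (Vx) section
so a planned VM definition can be checked before the image is imported.
"""

# (licensed cores, minimum storage [GB], minimum memory [GB]) per Vx model.
# None for cores means the license does not limit the core count.
VX_LIMITS = {
    "VF25": (2, 80, 2), "VF50": (2, 80, 2), "VF100": (2, 80, 2),
    "VF250": (2, 80, 2), "VF500": (2, 80, 2), "VF1000": (2, 80, 2),
    "VF2000": (4, 80, 2),
    "VF4000": (8, 80, 2),
    "VF8000": (16, 80, 2),
    "VC400": (None, 125, 2),
    "VC610": (None, 250, 2),
    "VC820": (None, 250, 2),
}

# Maximum virtual network adapters per hypervisor (key names are assumed).
# Hyper-V: 8 network adapters plus up to 4 additional legacy network adapters.
NIC_LIMITS = {
    "esxi": 10,
    "citrix-xen": 7,
    "linux-xen": 7,
    "hyper-v": 8 + 4,
}

KVM_PCI_SLOTS = 32      # emulated PCI controller on KVM
KVM_RESERVED_SLOTS = 5  # system components and disk controller


def kvm_free_nic_slots(extra_devices=0):
    """Slots left for network adapters on KVM: 32 minus the 5 reserved slots,
    minus any further non-NIC devices the VM definition attaches."""
    return max(0, KVM_PCI_SLOTS - KVM_RESERVED_SLOTS - extra_devices)


def check_vx_spec(model, hypervisor, cores, storage_gb, memory_gb, nics,
                  kvm_extra_devices=0):
    """Return a list of violations for the planned VM; an empty list means the
    definition fits the license limits and the hypervisor adapter maximum."""
    if model not in VX_LIMITS:
        return [f"unknown Vx model {model!r}"]
    max_cores, min_storage, min_memory = VX_LIMITS[model]
    problems = []
    if max_cores is not None and cores > max_cores:
        problems.append(
            f"{model}: license allows {max_cores} cores, {cores} requested")
    if storage_gb < min_storage:
        problems.append(
            f"{model}: minimum storage is {min_storage} GB, {storage_gb} GB requested")
    if memory_gb < min_memory:
        problems.append(
            f"{model}: minimum memory is {min_memory} GB, {memory_gb} GB requested")
    if hypervisor == "kvm":
        nic_max = kvm_free_nic_slots(kvm_extra_devices)
    elif hypervisor in NIC_LIMITS:
        nic_max = NIC_LIMITS[hypervisor]
    else:
        problems.append(f"unknown hypervisor {hypervisor!r}")
        return problems
    if nics > nic_max:
        problems.append(
            f"{hypervisor}: at most {nic_max} network adapters, {nics} requested")
    return problems


if __name__ == "__main__":
    # Constructed sample: a VF1000 on ESXi with more cores than its license covers.
    for line in check_vx_spec("VF1000", "esxi", cores=4, storage_gb=80,
                              memory_gb=4, nics=3):
        print(line)
```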
How to Deploy a Barracuda NG Vx OVA Image on VMware Hypervisors
If you are deploying the Barracuda NG Vx in a high performance environment or require support for VLANs, do not deploy using the OVA packages. Instead, create a custom configuration using Barracuda NG Install. For more information, see How to Deploy a Barracuda NG Vx using Barracuda NG Install on a VMware Hypervisor.
To ease deployment, the Barracuda NG Vx units are available as prebuilt OVA images that can be imported into your VMware hypervisor. You do not need to create or configure a virtual machine (VM). Before deploying the Barracuda NG Vx unit, verify that the host system meets the minimum storage requirements and review the resource recommendations for the production system. You can deploy the Barracuda NG Vx unit using either the VMware vSphere Client or the VMware OVF Tool (ovftool).

In this article:
Before You Begin
Use the VMware vSphere Client
Step 1. Download and Import the OVA Image
Step 2. Turn On and Configure the Barracuda NG Vx Unit
Use the VMware OVF Tool
Next Step

Before You Begin
For information regarding the sizing of your CPU, disk, and RAM, see Virtual Systems (Vx). Before you start the Barracuda NG Firewall Vx for the first time, assign a manual MAC address to the first virtual network interface. This lets you move the VM later without invalidating your license. For more information, see Best Practice - Performance Tuning on VMware Hypervisors. Download the VMware OVA image from the Barracuda Download Portal.

Use the VMware vSphere Client
Step 1. Download and Import the OVA Image
1. Download the OVA image for your Barracuda NG Firewall or Barracuda NG Control Center from your Barracuda Networks Account.
2. Connect to your VMware hypervisor using the vSphere client.
3. Click File > Deploy OVF Template.
4. In the deployment wizard, click Browse and select the OVA image. Click Next to proceed.
5.
Enter a name for the virtual machine to be created. Click Next to proceed.
6. Select the datastore that the Barracuda NG Vx unit should be installed on. When you import an OVA file with VMware 4.1 and later, you are offered the Thin provisioned format setting that lets you change the VM size. If you choose to reduce the VM size, do not choose a value below 50 GB for VFxxx or a value below 100 GB for VC400, VC610, or VC820. Barracuda Networks recommends that you select Thick provisioned format.
7. Map to the required network in your existing inventory and then click Next to proceed.
8. After the deployment wizard summarizes all your settings, click Finish to start the deployment process. After successful deployment, the Barracuda NG Vx unit is displayed in your VMware hypervisor inventory list.
9. Select the Barracuda NG Vx unit from the list on the left and edit settings such as Disk Provisioning with appropriate values.

Step 2. Turn On and Configure the Barracuda NG Vx Unit
1. Turn on the Barracuda NG Vx unit and click the Console tab of the virtual machine. The Barracuda NG Vx unit begins to boot. For a basic network configuration, the Barracuda NG Vx unit launches the Active Recovery Technology menu.
2. Select Basic Configuration, enter the following network settings, and then press F3 to save your changes:
Hostname – The desired hostname for your Barracuda NG Vx unit.
Management IP – The IP address that your Barracuda NG Vx unit should be reachable through.
Netmask – The subnet mask in dotted quad notation. For example, 255.255.255.0.
Default Gateway – The IP address of the next hop device that serves as an access point to another network.
3. When the window opens to announce that your configuration changes were saved, press any key to continue.
4.
Select Reboot to restart the Barracuda NG Vx unit with the new network configuration.

Use the VMware OVF Tool
1. Download the VMware OVF Tool from vmware.com. Use the following command:
ovftool --datastore=datastorename ovaimage vi://server-ip
where:
datastore – The name for the data store.
ovaimage – The path and name of the OVA file.
server-ip – The IP address for the virtual appliance.
2. Configure the resource pool and the network mapping within the VMware virtual machine settings.
3. Using Barracuda NG Admin, connect to the virtual appliance for configuration. Use the latest version of Barracuda NG Admin. If you configure the Barracuda NG Firewall with a version of Barracuda NG Admin that is older than the firewall version, you might lose configuration data.

Next Step
After you deploy the Barracuda NG Vx unit, continue with Getting Started and optionally Best Practice - Performance Tuning on VMware Hypervisors.

How to Deploy a Barracuda NG Vx using Barracuda NG Install on a VMware Hypervisor
The OVA package uses a default configuration that may not be suitable for your deployment. If you want to use multiple network interfaces, a different type of network adapter, or a bigger size for the virtual disk, use Barracuda NG Install to create the custom configuration files that you need to deploy the Barracuda NG Vx with your specific settings.

In this article:
Before You Begin
Step 1. Create Configuration Files with Barracuda NG Install
Step 2. Create a Floppy Image with WinImage
Step 3. Create a New Virtual Machine
Step 4. Power On the Barracuda NG Vx Virtual Machine
Next Step

Before You Begin
From the Barracuda Download Portal, download the following:
The ISO image for the Barracuda NG Firewall Vx version that you want to install. There is only one ISO for the Barracuda NG Firewall and Barracuda NG Control Center.
- Barracuda NG Install for the firmware version that you are going to install.
- Download and install WinImage or a comparable utility to create flp floppy images.
- You must install the Visual C++ Redistributable for Visual Studio 2012 on your computer to use Barracuda NG Install.
- Decide on the sizing requirements for your Barracuda NG Vx. For more information, see Virtual Systems (Vx).

Step 1. Create Configuration Files with Barracuda NG Install

Create the configuration files with Barracuda NG Install.
1. Start Barracuda NG Install.
2. Select the Full wizard mode, and then click Next.
3. On the Box Type Settings page, select the Product Type and Hardware Model for your virtual appliance. You can configure Barracuda NG Virtual Appliances and Barracuda NG Control Centers. After making your selections, click Next.
4. On the Systems Settings page:
   a. Enter the following settings:
      Hostname – Enter a hostname (e.g., Barracuda NG Firewall VF50).
      Timezone – Select the timezone that the appliance is in.
      Keyboard Layout – Select the keyboard layout for the console of the Barracuda NG Vx.
      DNS – Enter the DNS servers for your network.
      Domain Suffix – Enter the domain that your appliance is in.
      Use NTP & IP – Enable NTP and enter the IP address for the NTP server.
   b. Click Next.
5. On the Partition Settings page:
   a. In the Fixed Disk Capacity field, enter the virtual disk size in gigabytes. Barracuda Networks recommends that you use disks that are at least the sizes recommended in Firewall Settings.
   b. Click Suggest to adjust the partitions to your disk size.
   c. Click Next.
6. On the Network Device Settings page:
   a. Select the existing eth0 network card in the Network adapters table and click Delete.
   b. Click Add and then specify these settings in the NIC reseller list window:
      Reseller – Select VMware.
      Network adapter – Select vmxnet3 virtual NIC.
      Number – Select the number of network interfaces.
   c. Click OK.
   d. Double-click the eth0 network interface in the Network Adapter table and then specify these settings in the NIC adapter configuration window:
      Management IP address – Enter the IP address that you want to use as the management IP address.
      Subnet mask – Enter the subnet mask.
      (Optional) Configure an Additional Gateway route.
   e. Click OK.
   f. Click Next.
7. On the Security Settings page, enter the Password and Service Login Password and then click Next.
8. On the Software Packages page, click Next.
9. On the Script Settings page, enter the destination for your configuration files in the Save to field.
10. Click Next.
11. Click Finish. After the configuration files are successfully created, a message appears. The following configuration files are created in the destination that you selected:

Step 2. Create a Floppy Image with WinImage

Add the configuration files that you created with Barracuda NG Install to a floppy image FLP file. You will attach this image to the VMware virtual machine during installation.
1. Start WinImage.
2. Locate the configuration files that you created with Barracuda NG Install.
3. Select all the Barracuda NG Install configuration files and drag them to the WinImage window.
4. In the Format selection window, select 1.44 MB from the Standard format list and then click OK.
5. In the Inject window, click Yes.
6. Click the Save icon.
7. In the Save as window:
   a. Select Virtual floppy Image (*.vfd,*.flp) from the Save as type list.
   b. Enter a File name with the .flp extension (e.g., NGInstallFloppy.flp). Otherwise, WinImage saves the floppy image with the .vfd extension, which cannot be used by the VMware hypervisor.
   c. Click Save.

Step 3. Create a New Virtual Machine

On the VMware server, create a new virtual machine for the Barracuda NG Vx.
1. Using VMware vSphere Client, log into your VMware hypervisor.
2. Right-click the VMware server that you want to deploy the Barracuda NG Vx image on and select New Virtual Machine. The Create New Virtual Machine window opens.
3. On the Configuration page, select Typical and then click Next.
4. On the Name and Location page, enter a Name for the virtual machine (e.g., BarracudaNGFirewallVF50) and then click Next.
5. On the Storage page, select the datastore where the virtual disk should be created and then click Next.
6. On the Guest Operating System page:
   a. From the Guest Operating System list, select Linux.
   b. From the Version list, select Other 2.6.x Linux (64-bit).
   c. Click Next.
7. On the Network page:
   a. Select the number of network interfaces from the How many NICs do you want to connect list. The number must match the number of network interfaces that you selected in Step 1. Create Configuration Files with Barracuda NG Install. You can only add four network interfaces in the Create New Virtual Machine wizard. If you need more than four virtual network interfaces, add the additional NICs by editing the finished virtual machine configuration. VMware limits the number of virtual network interfaces per guest OS to 10.
   b. For every NIC, specify these settings:
      Network – Select the virtual network that the virtual interface will connect to.
      Adapter – Select VMXNET 3. The adapter must match the Barracuda NG Install configuration. Barracuda Networks recommends using the VMXNET3 driver.
      Connect at Power On – Select this check box to connect the NIC to the VM.
   c. Click Next.
8. On the Create a Disk page:
   a. Enter the Virtual disk size. For more information, see Firewall Settings.
   b. Select Thick Provision Eager Zeroed.
   c. Click Next.
9. On the Ready to Complete page, click Finish. Depending on your virtual disk size, it can take a couple of minutes for the VM to be created. You can view the status of the Create Virtual Machine task in the Recent Tasks pane at the bottom of the vSphere Client window.
10. Right-click the VM that you created and then select Edit Settings.
11. In the Virtual Machine Properties window:
   a. Configure the Memory and CPUs according to your Barracuda NG Vx model. Do not assign more than the licensed number of vCPUs to your virtual machine. For more information, see Licensing.
   b. Click OK.
Your virtual machine is now listed in the left pane under the VMware server that you created it on.

Step 4. Power On the Barracuda NG Vx Virtual Machine

Connect the Barracuda NG Vx ISO and the floppy image to the virtual machine for the automated installation.
1. Using VMware vSphere Client, log into your VMware hypervisor.
2. Power on your Barracuda NG Vx virtual machine.
3. From the taskbar, click the CD icon, click CD/DVD Drive 1, and then select Connect to ISO image on local disk.
4. Select the Barracuda NG Vx ISO file on the local hard disk and then click Open.
5. Press Ctrl + Alt + Ins to reboot the VM.
6. At the Welcome to Barracuda NG Firewall boot prompt, press any key except <Enter> to stop the 10 second timeout.
7. From the taskbar, click the Floppy icon and select Connect to floppy image on local disk.
8. From your local hard disk, select the floppy image (e.g., NGInstallFloppy.flp) that you created in Step 2. Create a Floppy Image with WinImage.
9. Press Enter to start the installation.
10. After the installation completes, press Enter to reboot.
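Step 2 above builds the floppy image with WinImage, and the Before You Begin list allows a comparable utility. The following is an added example, not part of the guide or of Barracuda's tooling: a POSIX shell function that builds the same 1.44 MB FAT floppy on a Linux workstation with dd, mkfs.vfat (dosfstools) and mcopy (mtools), enforces the .flp extension the guide warns about in Step 2, 7b, and verifies the image size before it is attached in Step 4. The configuration file names are placeholders, since the guide's own list of generated files is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the Barracuda guide): build the 1.44 MB floppy image
# that Step 2 creates with WinImage, using dd, mkfs.vfat and mcopy instead.
# File names passed in are whatever Barracuda NG Install wrote to its Save to
# folder; the names used in the usage note are placeholders.

# make_flp IMAGE.flp CONFIGFILE...
# Creates a blank 1440 KiB image (1474560 bytes, the geometry VMware expects),
# formats it as FAT12 and copies the configuration files to its root.
# Returns 0 on success, 1 on a bad argument or tool failure, 2 if
# mkfs.vfat/mcopy are not installed (a blank image is still left behind).
make_flp() {
    img=$1
    shift
    # VMware only accepts the .flp extension for floppy images, not .vfd.
    case $img in
        *.flp) ;;
        *) echo "image name must end in .flp, not: $img" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "no configuration files given" >&2; return 1; }
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing configuration file: $f" >&2; return 1; }
    done
    dd if=/dev/zero of="$img" bs=1024 count=1440 2>/dev/null || return 1
    if ! command -v mkfs.vfat >/dev/null 2>&1 || ! command -v mcopy >/dev/null 2>&1; then
        echo "mkfs.vfat/mcopy not installed (dosfstools, mtools); blank image left at $img" >&2
        return 2
    fi
    mkfs.vfat "$img" >/dev/null || return 1
    mcopy -i "$img" "$@" ::/ || return 1
    # Show what actually landed on the floppy before it is attached to the VM.
    mdir -i "$img" ::/
}

# flp_size_ok IMAGE.flp
# A floppy image that is not exactly 1474560 bytes is refused by the
# hypervisor, so check the size before connecting it in Step 4.
flp_size_ok() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 1474560 ]
}
```

Usage on the workstation that holds the NG Install output, with placeholder file names: `make_flp NGInstallFloppy.flp boxconfig.txt netconfig.txt && flp_size_ok NGInstallFloppy.flp`. The resulting NGInstallFloppy.flp is the file you connect in Step 4, 7.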
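The management address, subnet mask and gateway entered in Barracuda NG Install (Step 1, 6d) are baked into the floppy and cannot be corrected without rebuilding it, and the same three values are typed into the ART Basic Configuration menu after the OVA deployment in the previous article and on first boot of the Citrix XenServer, open source Xen, KVM and Hyper-V deployments that follow. As an added example that is not part of the guide, this POSIX shell check confirms that the netmask is a contiguous mask and that the gateway lies inside the management subnet before the settings are committed; the addresses in the usage note are the guide's own sample values (192.168.200.200, 255.255.255.0, 192.168.200.1).

```shell
#!/bin/sh
# Added example (not part of the Barracuda guide): sanity-check the management
# IP, netmask and default gateway before typing them into Barracuda NG Install
# or the ART Basic Configuration menu. Pure POSIX sh, no external tools.

# ip_to_int DOTTED_QUAD
# Prints the 32-bit value of the address; returns 1 if it is malformed
# (wrong field count, non-numeric or out-of-range octet, leading zeros).
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-digit octet
            0|[1-9]*) ;;               # no leading zeros (avoids octal parsing)
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# mask_valid NETMASK
# A netmask must be a run of 1-bits followed by 0-bits; 255.255.0.255 is not.
mask_valid() {
    m=$(ip_to_int "$1") || return 1
    [ "$m" -ne 0 ] || return 1
    x=$(( (m ^ 4294967295) + 1 ))      # host part + 1 must be a power of two
    [ $(( x & (x - 1) )) -eq 0 ]
}

# check_basic_config MGMT_IP NETMASK GATEWAY
# Returns 0 when the gateway is reachable from the management address and 1
# with the reason on stderr otherwise. /31 point-to-point links are flagged
# too, because their two addresses are the network and broadcast address.
check_basic_config() {
    ip=$1 mask=$2 gw=$3
    ipn=$(ip_to_int "$ip")  || { echo "management IP '$ip' is malformed" >&2; return 1; }
    mask_valid "$mask"      || { echo "netmask '$mask' is not a valid mask" >&2; return 1; }
    gwn=$(ip_to_int "$gw")  || { echo "gateway '$gw' is malformed" >&2; return 1; }
    maskn=$(ip_to_int "$mask")
    net=$(( ipn & maskn ))
    bcast=$(( net | (maskn ^ 4294967295) ))
    rc=0
    if [ "$ipn" -eq "$net" ] || [ "$ipn" -eq "$bcast" ]; then
        echo "management IP '$ip' is the network or broadcast address of its subnet" >&2; rc=1
    fi
    if [ $(( gwn & maskn )) -ne "$net" ]; then
        echo "gateway '$gw' is not in the management subnet" >&2; rc=1
    fi
    if [ "$gwn" -eq "$ipn" ]; then
        echo "gateway '$gw' equals the management IP" >&2; rc=1
    fi
    return $rc
}
```

Run it as `check_basic_config 192.168.200.200 255.255.255.0 192.168.200.1` before saving with F3; a non-zero exit with a message on stderr means the unit would come up unreachable from the management network after the reboot in the next step.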
Next Step

After you deploy the Barracuda NextGen F-Series Vx unit, continue with Getting Started and optionally Best Practice - Performance Tuning on VMware Hypervisors.

How to Deploy the Barracuda NG Vx on a Citrix XenServer

The Barracuda NG Vx is available as a fully virtualized or paravirtualized image for your Citrix XenServer version 6.0 or above. Before deploying the Barracuda NG Vx unit, verify that the host system meets the minimum storage requirements and review the resource recommendations for the production system.

In this article:
Before you Begin
Step 1. Deploy Citrix XenServer Image
Step 2. Configure the Barracuda NG Vx Unit on First Boot
Next Step

Before you Begin

- For information regarding the sizing of your CPU, disk, and RAM, see Virtual Systems (Vx).
- Download the Citrix PV (paravirtualized) or HVM (fully virtualized) xva image from the Barracuda Download Portal.

Step 1. Deploy Citrix XenServer Image

1. Launch Citrix XenCenter.
2. From the File menu, choose Import VM.
3. Browse to the xva file. E.g., GWAY-5.4.2-108-VFxxx-pv.xva
4. Click Next.
5. Select the Home Server (Citrix XenServer) to deploy the Barracuda NG Firewall on.
6. Click Next.
7. Select the storage repository. Note: Verify that there is enough free space on the storage repository. For more information, see Firewall Settings.
8. Click Import.
9. Select the MAC Address for the virtual network adapter and, if needed, add more network adapters. (optional) Before you start the Barracuda NG Firewall Vx for the first time, assign a manual MAC address to the first virtual network interface. This lets you move the VM later without invalidating your license.
10. Click Next.
11. Review the import settings and click Finish.

Step 2. Configure the Barracuda NG Vx Unit on First Boot

You need to connect to the console of the VM to enter the minimal network configuration.
1. Launch Citrix XenCenter.
2. In the left pane, click the Barracuda NG Vx VM and select the Console tab. You can now see the console of the virtual Barracuda NG Vx.
3. When the Barracuda NG VM has started, the Active Recovery Technology (ART) menu is launched.
4. Select Basic Configuration, enter the following network settings, and then press F3 to save your changes:
   Hostname – The desired hostname for your Barracuda NG Vx unit.
   Management IP – The internal IP address for your Barracuda NG Vx unit. This IP address must be reachable from your PC. E.g., 192.168.200.200
   Netmask – The subnet mask. E.g., 255.255.255.0
   Default Gateway – The IP address of the next hop device that serves as an access point to another network. E.g., 192.168.200.1
5. Press F3 to save the configuration.
6. Select Reboot. The Barracuda NG Vx will restart with the new network configuration.

Next Step

After you deploy the Barracuda NG Vx unit, continue with Getting Started.

How to Deploy the Barracuda NG Vx on an Opensource Xen Server

If you are using an open source Xen hypervisor, use the Xen images to deploy your Barracuda NG Vx. To deploy on a Citrix XenServer, see How to Deploy the Barracuda NG Vx on a Citrix XenServer. To ease deployment, the Barracuda NG Vx is available as a script containing an XML configuration file and the virtual disk. Before deploying the Barracuda NG Vx unit, verify that the host system meets the minimum storage requirements and review the resource recommendations for production systems.

In this article:
Before you Begin
Step 1. Import and Start the Barracuda NG Vx VM
Step 2. Configure the Barracuda NG Vx Unit on First Boot
Next Step

Before you Begin

- For information regarding the sizing of your CPU, disk, and RAM, see Virtual Systems (Vx).
- Download and install a VNC viewer.
- Configure the virtual networking on the Xen host server. Use a network bridge for best performance.
- Download the Xen HVM or PV images from the Barracuda Download Portal.

Step 1. Import and Start the Barracuda NG Vx VM

Execute the install script to deploy the image on the opensource Xen Server.
1. Log into the Xen host server with root permissions.
2. Copy the Barracuda NG Firewall Vx Xen install file to the Xen host server (e.g., install.GWAY-6.0.0-135-VFxxx.xen.sh).
3. Make the file executable:
   chmod +x install.GWAY-6.0.0-135-VFxxx.xen.sh
4. Start the install script:
   ./install.GWAY-6.0.0-135-VFxxx.xen.sh
5. (optional) Enter the name and path you want the image file deployed to. Press Enter to use the default value.
6. (optional) Enter the path for the configuration file. Press Enter to use the default value.
7. Choose non-sparse deployment for production deployments, sparse for testing purposes.
8. Enter the domain name for the deployment. Press Enter to accept the default value suggested.
9. Enter the MAC for the virtual network interface. Press Enter to accept the default value suggested. Your license is bound to this MAC address. Changing the MAC address will result in an invalid license.
You can now use xm to import and start the virtual Barracuda NG Firewall Vx. Adapt the network configuration of your Xen VM to your hypervisor.

Step 2. Configure the Barracuda NG Vx Unit on First Boot

Connect to the console of the VM to enter the minimal network configuration.
1. Use a VNC client to connect to the IP address of the Xen host server. A console appears and displays the screen output of the Barracuda NG Vx that is running on the Xen server. For a basic network configuration, the Active Recovery Technology (ART) menu launches.
2. Select Basic Configuration, enter the following network settings, and then press F3 to save your changes:
   Hostname – A hostname for your Barracuda NG Vx unit.
   Management IP – The internal IP address for your Barracuda NG Vx unit. This IP address must be reachable from your PC (e.g., 192.168.200.200).
   Netmask – The subnet mask (e.g., 255.255.255.0).
   Default Gateway – The IP address of the next hop device that serves as an access point to another network (e.g., 192.168.200.1).
3. Press F3 to save the configuration.
4. Select Reboot. The Barracuda NG Vx restarts with the new network configuration.

Next Step

After you deploy the Barracuda NG Vx unit, continue with Getting Started.

How to Deploy the Barracuda NG Vx on KVM

The KVM version of the Barracuda NG Vx is available as a pre-built image for your KVM hypervisor. Before deploying the Barracuda NG Vx unit, verify that the host system meets the minimum storage requirements and review the resource recommendations for the production system.

In this article:
Before You Begin
Step 1. Import and Start the Barracuda NG Vx VM
Step 2. Configure the Barracuda NG Vx Unit on First Boot
Next Step

Before You Begin

- For information on the sizing of your CPU, disk, and RAM, see Virtual Systems (Vx).
- Download and install a VNC viewer.
- Configure the virtual network on the KVM host server.
- Download the KVM image for the Barracuda NG Vx from the Barracuda Download Portal.

Step 1. Import and Start the Barracuda NG Vx VM

Execute the install script to deploy the image and use virsh to define and start the virtual machine.
1. Log into the KVM host server with root permissions.
2. Copy the Barracuda NG Firewall Vx KVM install file to the KVM host server (e.g., install.GWAY-5.4.4-071-VFxxx.kvm.sh).
3. Make the file executable:
   chmod +x install.GWAY-5.4.4-071-VFxxx.kvm.sh
4. Start the install script:
   ./install.GWAY-5.4.4-071-VFxxx.kvm.sh
5. (optional) Enter the name and path you want the image file deployed to. Press Enter to use the default value.
6. (optional) Enter the path for the configuration file. Press Enter to use the default value.
7. Choose non-sparse deployment for production deployments, sparse for testing purposes.
8. Enter the domain name for the deployment. Press Enter to accept the default value suggested.
9. Enter the MAC for the virtual network interface. Press Enter to accept the default value suggested. Your license is bound to this MAC address. Changing the MAC address will result in an invalid license.
10. (optional) Depending on the network configuration of your KVM host, you must adapt the network settings in the xml configuration file. By default, the configuration file is stored in /etc/libvirt/qemu.
11. Connect to the virtual console:
   virsh --connect qemu:///system
12. Import the configuration file:
   define /etc/libvirt/qemu/GWAY-5.4.4-071-VFxxx-pv
13. Start the virtual machine:
   start GWAY-5.4.4-071-VFxxx-pv
The virtual Barracuda NG Firewall Vx is now running on the KVM hypervisor.

Step 2. Configure the Barracuda NG Vx Unit on First Boot

Connect to the console of the VM to enter the minimal network configuration.
1. Use a VNC client to connect to the IP address of the KVM host server. A console appears and displays the screen output of the Barracuda NG Vx that is running on the KVM server. For a basic network configuration, the Active Recovery Technology (ART) menu launches.
2. Select Basic Configuration, enter the following network settings, and then press F3 to save your changes:
   Hostname – A hostname for your Barracuda NG Vx unit.
   Management IP – The internal IP address for your Barracuda NG Vx unit.
   This IP address must be reachable from your PC (e.g., 192.168.200.200).
   Netmask – The subnet mask (e.g., 255.255.255.0).
   Default Gateway – The IP address of the next hop device that serves as an access point to another network (e.g., 192.168.200.1).
3. Press F3 to save the configuration.
4. Select Reboot. The Barracuda NG Vx restarts with the new network configuration.

Next Step

After you deploy the Barracuda NG Vx unit, continue with Getting Started and optionally Best Practice - Performance Tuning on KVM Hypervisors.

How to Deploy the Barracuda NG Vx on Hyper-V

The Barracuda NG Vx is available as a virtual machine for your Microsoft Hyper-V hypervisor. Before deploying the Barracuda NG Vx, verify that the host system meets the minimum storage requirements and review the resource recommendations for the production system.

In this article:
Before you Begin
Step 1. Create a New Virtual Machine
Step 2. Configure the Barracuda NG Vx Unit on First Boot
Next Step

Before you Begin

- For information regarding the sizing of your CPU, disk, and RAM, see Virtual Systems (Vx).
- Download the Barracuda NG Vx VHD virtual disk image from the Barracuda Download Portal.
- Copy the VHD virtual disk image to the Microsoft Hyper-V server.

Step 1. Create a New Virtual Machine

Create a virtual machine using the sizing recommendations for your model of the Barracuda NG Vx.
1. Launch Hyper-V Manager.
2. Right-click your Hyper-V server and select New > Virtual Machine. The New Virtual Machine Wizard opens.
3. Enter the Name. E.g., Barracuda NG Vx
4. Click Next.
5. Enter the amount of memory in MB. E.g., 2048
6. Click Next.
7. Select the virtual network from the Connection drop-down.
8. Click Next.
9. Select Use an existing virtual disk and enter the Location of the VHD file.
10. Click Next.
11. Review the Summary and click Finish.
You can now launch the Barracuda NG Vx by selecting the virtual machine and clicking Start in the right pane.

Step 2. Configure the Barracuda NG Vx Unit on First Boot

You need to connect to the console of the VM to enter the minimal network configuration.
1. Launch Hyper-V Manager.
2. In the Virtual Machines pane, double-click the Barracuda NG Vx VM. The console of the virtual Barracuda NG Vx opens.
3. When the Barracuda NG VM has started, the Active Recovery Technology (ART) menu is launched.
4. Select Basic Configuration, enter the following network settings, and then press F3 to save your changes:
   Hostname – The desired hostname for your Barracuda NG Vx unit.
   Management IP – The internal IP address for your Barracuda NG Vx unit. This IP address must be reachable from your PC. E.g., 192.168.200.200
   Netmask – The subnet mask. E.g., 255.255.255.0
   Default Gateway – The IP address of the next hop device that serves as an access point to another network. E.g., 192.168.200.1
5. Press F3 to save the configuration.
6. Select Reboot. The Barracuda NG Vx will restart with the new network configuration.

Next Step

After you deploy the Barracuda NG Vx unit, continue with Getting Started.

Public Cloud Hosting

The growth of cloud computing capabilities and services has driven more data into places where traditional IT security cannot reach - into the datacenters of public cloud providers. Cloud-based deployments can be in the form of a private cloud, where the Barracuda NG Firewall can act as a gateway device, or in a public or hybrid cloud. You can secure instances in a public or hybrid cloud by deploying a Barracuda NG Firewall as a virtual security device within your cloud environment.
The Barracuda NG Firewall uses application and user awareness combined with advanced bandwidth management to optimize WAN performance and reliability, thereby securely handling all incoming traffic for the backend server instances.

Microsoft Azure Cloud

Microsoft Azure is a public cloud service. The Barracuda NG Firewall integrates into your Microsoft Azure virtual network by creating a network security gateway between Internet-facing endpoints and your virtual machines. Microsoft Azure Small and Medium instances use one virtual network interface with a dynamic IP address per virtual machine and can be deployed via web interface or a Microsoft PowerShell script. Large and Extra Large instances support two and four network interfaces, respectively, and must be deployed via PowerShell. There are two types of images available in the Marketplace: Bring-Your-Own-License (BYOL) and an hourly rate (PAYG). The Barracuda NG Firewall Azure can be deployed on any Azure pricing tier. The NG Firewall license is bound to the number of CPU cores. Barracuda Networks recommends the following Azure pricing tiers:

| License             | Azure Pricing Tier | Number of CPU Cores | Number of NICs |
|---------------------|--------------------|---------------------|----------------|
| NG Firewall Level 2 | A1                 | 1                   | 1              |
| NG Firewall Level 4 | A2                 | 2                   | 1              |
| NG Firewall Level 6 | A3                 | 4                   | up to 2        |
| NG Firewall Level 8 | A4                 | 8                   | up to 4        |
| NG Control Center   | A1 - A4            | n/a                 | 1              |

Use the deployment method matching your required feature set:
- Azure Preview Portal – BYOL and PAYG images. Limited to one network interface. For more information, see How to Deploy the Barracuda NG Firewall in Azure via the Preview Portal.
- Azure Portal – BYOL image only. For more information, see How to Deploy the Barracuda NG Firewall in Microsoft Azure.
- PowerShell – BYOL and PAYG images. High Availability deployments, multiple network interfaces, advanced Azure networking features. For more information, see How to Deploy the Barracuda NG Firewall on Microsoft Azure via PowerShell or How to Configure a High Availability Cluster in Azure via PowerShell.

Amazon Web Services (AWS)

Amazon AWS offers both virtual private and public cloud services. If you are deploying a virtual private cloud, the Barracuda NG Firewall AWS will act as a gateway device, just like in a traditional network. Internal IP addresses in the VPC can be static or dynamic; public IPs (Amazon Elastic IPs) are then mapped to the internal Network Interfaces. The AMI uses one dynamic Network Interface as a default configuration. Up to 9 additional Amazon Network Interfaces can be added, depending on the instance type, with a total of up to 100 network interfaces per VPC. These network interfaces can be connected to subnets in the virtual private cloud, with each subnet containing server instances hosted in a different Availability Zone of your choice. There are two types of images available in the Marketplace: Bring-Your-Own-License (BYOL) and an hourly rate (PAYG). Starting with 6.1.1, both image types are only available in the HVM virtualization type. The Barracuda NG Firewall AWS is available in four different sizes:

| NG Firewall License | Amazon Instance Type   | Number of vCPUs | Number of NICs | IP addresses per Interface |
|---------------------|------------------------|-----------------|----------------|----------------------------|
| Level 2             | m3.medium              | 1               | up to 2        | 4                          |
| Level 4             | m3.large               | 2               | 3              | 10                         |
| Level 4             | c3.large (recommended) | 2               | 3              | 10                         |
| Level 6             | m3.xlarge              | 4               | 4              | 10                         |
| Level 6             | c3.xlarge              | 4               | 4              | 15                         |
| Level 8             | m3.2xlarge             | 8               | 4              | 30                         |
| Level 8             | c3.2xlarge             | 8               | 4              | 15                         |

To deploy a Barracuda NG Firewall in an Amazon Virtual Private Cloud, see How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud.

VMware vCloud Air

VMware vCloud Air is a public cloud solution based on the VMware vSphere hypervisor. vCloud Air seamlessly integrates with your local VMware setup and features. The Barracuda NG Firewall can act as a gateway device in the cloud, just like in a traditional network. A public IP address of the virtual datacenter is mapped to the internal IP address of the NG Firewall so all traffic passes through the NG Firewall VM.
Standard VMware OVA images and Vx licenses are used for deployment. Just like for standard VMware virtual machines, there is a ten network adapter limit. It is also possible to deploy a Barracuda NG Control Center using the standard OVA images. For more information on Vx licensing, see Licensing. To deploy a Barracuda NG Firewall in the VMware vCloud, see How to Deploy the NG Firewall on VMware vCloud Air.

How to Deploy the Barracuda NG Firewall in Azure via the Preview Portal

The Barracuda NG Firewall firmware version 6.1 is no longer available in the Microsoft Azure Marketplace. Deploy the version 6.2.1 instead. For more information, see How to Deploy an F-Series Firewall in Microsoft Azure using Azure Portal and ARM.

To deploy the Barracuda NG Firewall with advanced networking features such as multiple Network Interfaces, you must use Azure PowerShell scripts. For more information, see How to Deploy the Barracuda NG Firewall on Microsoft Azure via PowerShell.

Microsoft Azure charges apply. For more information, see the Microsoft Azure Pricing Calculator.

The Barracuda NG Firewall Azure can be deployed as a virtual machine in the Microsoft Azure cloud. You can use up-to-date Application Control, user awareness, integrated malware protection, and VPN services to securely manage all traffic in your virtual network. You can choose between two images in the Azure Marketplace:
- Barracuda NextGen Firewall (BYOL) – These images use licenses purchased directly from Barracuda Networks. Barracuda Networks offers a 30-day evaluation license.
- Barracuda NextGen Firewall (Hourly) – These images do not need to be licensed separately. Licensing fees are included in the hourly price of the Instance. All charges are billed directly through your Microsoft Azure account.
- Barracuda NextGen Control Center for Microsoft Azure (BYOL) – These images use licenses purchased directly from Barracuda Networks. Barracuda Networks offers a 30-day evaluation license.

In this article:
Video
Before you Begin
Step 1. Create a NG Firewall or NG Control Center VM in Azure
Step 3. Verify SPoE is enabled in Barracuda NG Admin
Step 4. Log into your Barracuda NG Firewall or NG Control Center
Next Steps
NG Firewall BYOL Image
NG Firewall PAYG
NG Control Center for Microsoft Azure

Video

Watch the following video to see a short walkthrough of this deployment.

Before you Begin

- Create a Microsoft Azure account.
- (BYOL images only) Purchase a Barracuda NG Firewall or NG Control Center for Microsoft Azure license or register to receive an evaluation license from the Barracuda Networks Evaluation page.

Step 1. Create a NG Firewall or NG Control Center VM in Azure

1. Go to the Azure Preview Portal: https://portal.azure.com
2. In the upper left-hand corner, click NEW.
3. In the Create column, click Compute.
4. In the Compute column, click Azure Marketplace.
5. In the Security + Identity column, search for Barracuda NextGen Firewall or NextGen Control Center.
6. Select the image you want to deploy from the list. A column with the image name opens.
7. Click Create.
8. In the Create VM column, enter the following settings:
   Host Name – Enter the hostname for the Barracuda NG Firewall.
   User Name – Enter a random username. The Barracuda NG Firewall ignores this setting. All authentication settings (password/SSH key) are applied to the root user.
   Authentication Type – Click Password.
   Password – Enter the password for your Barracuda NG Firewall. This password is used for the root user.
   Pricing Tier – Click to select the pricing tier. For more information, see Public Cloud Hosting.
9. (optional) Click Optional Configuration to configure static IP addresses, storage account, and/or Endpoints. NG Firewall images create the following Endpoints:

   | Endpoint Name | Protocol | Public Port | Internal Port |
   |---------------|----------|-------------|---------------|
   | MGMT          | TCP      | 807         | 807           |
   | TINA VPN UDP  | UDP      | 691         | 691           |
   | TINA VPN TCP  | TCP      | 691         | 691           |
   | SSH           | TCP      | RANDOM      | 22            |

   NG Control Center images require/create the following Endpoints. If you are deploying the

   | Endpoint Name   | Protocol | Public Port | Internal Port |
   |-----------------|----------|-------------|---------------|
   | MGMT Box Level  | TCP      | 807         | 807           |
   | MGMT CC Level   | TCP      | 806         | 806           |
   | Remote MGMT VPN | TCP      | 692         | 692           |
   | SSH             | TCP      | RANDOM      | 22            |

10. (optional) Click Resource Group to select an existing Resource group. By default, a new resource group using the hostname is created.
11. (optional) Click Subscription to select the Azure subscription. If you previously selected a resource that is already bound to a subscription, this setting can no longer be changed.
12. (optional) Click Location to select the datacenter the Barracuda NG Firewall is deployed to. If you previously selected a resource that is already bound to a location, this setting can no longer be changed.
13. Click Create.
14. In the Buy column, click Buy.
Wait for the Barracuda NG Firewall or NG Control Center VM to be created. You can follow the progress in the Notification Section or on the dashboard.

Step 3. Verify SPoE is enabled in Barracuda NG Admin

Use the latest version of Barracuda NG Admin. You must enable SPoE to be able to connect.
1. Launch NG Admin.
2. In the upper left-hand corner, click Options and select Settings.
3. In the Client Settings section, verify that the checkbox for SPoE as default is ticked.

Step 4. Log into your Barracuda NG Firewall or NG Control Center

Locate the public IP of the NG Firewall or NG Control Center VM you just launched.
1. Go to the Azure Preview Portal: https://portal.azure.com
2. Click your Barracuda NG Firewall in the Dashboard of the preview portal or in the Browse section.
3. Identify the DNS Name or IP address of the Barracuda NG Firewall.
4. Launch Barracuda NG Admin.
5. Select Box.
6. Enter the login information:
   Management IP – Enter the DNS name or Virtual IP address.
   Username – Enter root.
   Password – Enter the password you set during deployment.
7. Click Log In.
You are now successfully logged in to your Barracuda NG Firewall.

Next Steps

NG Firewall BYOL Image
- (BYOL VMs only) Enter the license token and serial number that you received from Barracuda Networks.
- To use two Barracuda NG Firewalls in a high availability (HA) cluster, see How to Configure a High Availability Cluster in Azure.
- To use Public Instance Level IPs, Reserved IPs, or other advanced Azure network setups, see Advanced Networking in the Azure Cloud.
- To change to a static network interface and internal IP address, see Best Practice - Switch to a Static Internal IP Address in Microsoft Azure.
- To continue setting up your Barracuda NG Firewall, see Getting Started.

NG Firewall PAYG
- To use two Barracuda NG Firewalls in a high availability (HA) cluster, see How to Configure a High Availability Cluster in Azure.
- To use Public Instance Level IPs, Reserved IPs, or other advanced Azure network setups, see Advanced Networking in the Azure Cloud.
- To change to a static network interface and internal IP address, see Best Practice - Switch to a Static Internal IP Address in Microsoft Azure.
- To continue setting up your Barracuda NG Firewall, see Getting Started.
NG Control Center for Microsoft Azure:
To change to a static network interface and internal IP address, see Best Practice - Switch to a Static Internal IP Address in Microsoft Azure.
To use Public Instance Level IPs, Reserved IPs, or other advanced Azure network setups, see Advanced Networking in the Azure Cloud.
To continue setting up your Barracuda NG Control Center, see Getting Started - NG Control Center for Microsoft Azure.

How to Deploy the Barracuda NG Firewall in Microsoft Azure
Only Barracuda NG Firewall BYOL images are available when deploying via the Azure Portal. For more information, see Public Cloud Hosting.
The Barracuda NG Firewall Azure can be deployed as a virtual machine in the Microsoft Azure cloud. You can use up-to-date Application Control 2.0, user awareness, integrated malware protection, and VPN services to securely handle and manage all traffic in your virtual network. Microsoft Azure charges apply. For more information, see the Microsoft Azure Pricing Calculator.
In this article
Before you Begin
Step 1. Create an Azure Virtual Network
Step 2. Launch the Barracuda NG Virtual Machine Instance
Step 3. Configure Barracuda NG Admin
Next Steps

Before you Begin
Create a Microsoft Azure account.
Get a Barracuda NG Azure license from the Barracuda Networks Evaluation page:
1. From the Select a Product list, select Barracuda NextGen Firewall under the Public Cloud Solutions category.
2. From the Select Edition list, select the Level that you want.
3. Complete and submit the rest of the form. You will receive an email containing your serial number and license token.

Step 1. Create an Azure Virtual Network
1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
2. In the left pane, click NETWORKS.
3. In the bottom left corner, click + NEW.
4. Click CUSTOM CREATE. The CREATE A VIRTUAL NETWORK window opens.
5. Enter a unique NAME. E.g., AzureVirtualNet
6. Select a LOCATION. The virtual network can only be used for Azure VMs in this geographic region. E.g., West Europe
7. Click Next.
8. (Optional) Select or enter your DNS SERVERS.
9. Click Next.
10. On the Virtual Network Address Space page, configure the ADDRESS SPACE:
    STARTING IP – Enter the first IP address of the address space you want to use. E.g., 10.0.0.0
    CIDR – Select the subnet mask for the virtual network. The maximum number of VMs for a virtual network is listed in parentheses. E.g., /16 (65536)
11. Add a SUBNET:
    STARTING IP – Enter the first IP address of the subnet. E.g., 10.0.21.0
    CIDR – Select the subnet mask for the subnet. E.g., /24 (256)
12. Click FINISH.
The virtual network is now listed in VIRTUAL NETWORKS.

Step 2. Launch the Barracuda NG Virtual Machine Instance
1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
2. In the left pane, click VIRTUAL MACHINES.
3. Click NEW in the bottom left-hand corner.
4. Click FROM GALLERY. The CREATE A VIRTUAL MACHINE window opens.
5. In the search bar on the top left, enter Barracuda NG Firewall. The Barracuda NG Firewall 6.1 image is displayed in the Featured column.
6. From the FEATURED column in the middle pane, select Barracuda NG Firewall 6.1.
7. Click NEXT.
8. Enter the following settings in the Virtual machine configuration:
    VIRTUAL MACHINE NAME – Enter the name for the virtual Barracuda NG Firewall (e.g., BNG). The name must be unique in the domain.
    SIZE – Select an instance level that matches your Barracuda NG Firewall Azure license (e.g., Level 2 (1 CPU core), Level 4 (2 CPU cores)).
    NEW USER NAME – This entry is not used by the Barracuda NG Firewall. You may enter any username.
    PASSWORD – Select PROVIDE A PASSWORD and enter the root password for the Barracuda NG Firewall.
After deploying your Barracuda NG Firewall, the initial three-day grace period starts. You must complete licensing during the initial grace period or the unit will switch into demo mode and the default root password (ngf1r3wall) is enabled.
9. Click Next.
10. Enter a CLOUD SERVICE DNS NAME. The name must be unique for the domain used (e.g., barracudaNG60).
11. Enable Barracuda NG Admin access to the new Barracuda NG Firewall instance by adding the following endpoints:
    NAME            PROTOCOL    PUBLIC PORT    PRIVATE PORT
    SSH             TCP         22             22
    NG Admin TCP    TCP         807            807
12. Click FINISH.

Step 3. Configure Barracuda NG Admin
You must use the latest version of Barracuda NG Admin to connect to your Barracuda NG Firewall Azure. Enable support for Microsoft Azure in NG Admin.
1. Launch NG Admin.
2. In the upper left-hand corner, click Options and select Settings.
3. In the Client Settings section, verify that the check box for SPoE as default is ticked.

Next Steps
You can now connect to your Barracuda NG Firewall in the Microsoft Azure cloud. On the Barracuda NG Firewall, enter the license token and serial number that you received from Barracuda Networks.
To use two Barracuda NG Firewalls in a high availability (HA) cluster, see How to Configure a High Availability Cluster in Azure.
To use Public Instance Level IPs, Reserved IPs, or other advanced Azure network setups, see Reserved, Static and Public IP Addresses in the Azure Cloud using ASM.
To continue setting up your Barracuda NG Firewall, see Getting Started.
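The portal procedure in Steps 1 and 2 above can also be scripted with the classic Azure Service Management cmdlets; the following is an added example written for this guide, not a procedure from Barracuda or from the missing PowerShell article, and it goes beyond the text by doing the deployment non-interactively and then listing what is exposed. The virtual network name, cloud service name, VM name and the two endpoints are the values used above; the subnet name, the instance size and the gallery image label filter are assumptions and must be adjusted to your subscription.

```powershell
# Added example: deploy the Barracuda NG Firewall into the virtual network from Step 1
# using the classic (Azure Service Management) PowerShell cmdlets. Assumed values are marked.
# Prerequisite: Azure PowerShell is installed and a publish settings file has been imported
# (Get-AzurePublishSettingsFile / Import-AzurePublishSettingsFile), as in the VHD upload article.

$vnetName     = "AzureVirtualNet"   # NAME chosen in Step 1, item 5
$subnetName   = "Subnet-1"          # assumption: the name Azure gave the 10.0.21.0/24 subnet
$location     = "West Europe"       # LOCATION chosen in Step 1, item 6
$vmName       = "BNG"               # VIRTUAL MACHINE NAME from Step 2, item 8
$serviceName  = "barracudaNG60"     # CLOUD SERVICE DNS NAME from Step 2, item 10
$instanceSize = "Small"             # assumption: choose the size matching your license level

# Root password for the NG Firewall: prompt for it rather than storing it in the script.
$rootPassword = Read-Host -Prompt "Root password for the NG Firewall"

# Look up the gallery image. The label filter is an assumption; inspect Get-AzureVMImage
# output to find the exact Barracuda NG Firewall 6.1 image name in your subscription.
$image = Get-AzureVMImage |
    Where-Object { $_.Label -like "*Barracuda NG Firewall 6.1*" } |
    Select-Object -First 1
if (-not $image) { throw "Barracuda NG Firewall 6.1 image not found in the gallery" }

# Build the VM configuration. The Linux user name is not used by the NG Firewall (Step 2,
# item 8); the password becomes the root password. -NoSSHEndpoint suppresses the automatic
# SSH endpoint on a random public port so that only the endpoints from Step 2, item 11 exist.
$vm = New-AzureVMConfig -Name $vmName -InstanceSize $instanceSize -ImageName $image.ImageName |
    Add-AzureProvisioningConfig -Linux -LinuxUser "unused" -Password $rootPassword -NoSSHEndpoint |
    Set-AzureSubnet -SubnetNames $subnetName |
    Add-AzureEndpoint -Name "SSH" -Protocol tcp -LocalPort 22 -PublicPort 22 |
    Add-AzureEndpoint -Name "NG Admin TCP" -Protocol tcp -LocalPort 807 -PublicPort 807

# Create the cloud service and the VM inside the virtual network from Step 1.
New-AzureVM -ServiceName $serviceName -Location $location -VNetName $vnetName -VMs $vm -WaitForBoot

# Verify what is reachable from the Internet: only the two endpoints above should be listed.
# Every additional public port widens the exposure of a box whose root password falls back to
# the well-known default once the three-day grace period expires without licensing.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint |
    Select-Object Name, Protocol, Port, LocalPort
```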
How to Deploy the Barracuda NG Firewall on Microsoft Azure via PowerShell

How to Create an Azure Image from a VHD Disk Image
To create your own custom Barracuda NG Firewall or NG Control Center images from the VHD disk images available in the Barracuda Download Portal, you must upload the VHD file to your Azure storage account. Then, you can create a custom image using the uploaded disk image.
In this article
Before You Begin
Step 1. Create an Azure Storage Account
Step 2. Create a Storage Container
Step 3. Upload the Barracuda NG Firewall Azure VHD Image
Step 4. Create a Virtual Machine from a VHD Image
Next Steps

Before You Begin
Download and install the latest version of Azure PowerShell.
Download the Barracuda NG Firewall or NG Control Center VHD disk image from the Barracuda Download Portal: https://dlportal.barracudanetworks.com

Step 1. Create an Azure Storage Account
Create the storage account and a container as the upload destination.
1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
2. In the left pane, click STORAGE.
3. In the bottom left corner, click + NEW. The Storage Account window opens.
4. Click Quick Create, and configure the following settings:
    URL – Enter a unique URL.
    Location/Affinity Group – Select your Location. E.g., West Europe
    Replication – Select Geo-Redundant.
5. Click CREATE STORAGE ACCOUNT.
The storage account is ready when its status changes from Creating to Online.

Step 2. Create a Storage Container
You must create a storage container because you cannot create virtual machine images from files that are uploaded to the root directory of the storage account.
1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
2. In the left pane, click STORAGE.
3. Click the storage account that you created in Step 1.
4. Click the CONTAINERS tab.
5. Click CREATE A CONTAINER.
6. Enter a NAME for the container (e.g., vhd).
7. From the ACCESS list, select Private.
8. Click the check mark icon.

Step 3. Upload the Barracuda NG Firewall Azure VHD Image
Upload the Barracuda NG Firewall Azure VHD image to a Microsoft Azure storage container. You only need to import the publishsettings file when using Azure PowerShell for the first time.
1. Launch Azure PowerShell.
2. At the PS prompt, download your Azure Publish Settings file:
    Get-AzurePublishSettingsFile
3. Your default browser opens. Save the publish settings file.
4. Import the publishsettings file by typing:
    Import-AzurePublishSettingsFile c:\path-to-settingsfile\settingsfile.publishsettings
5. Verify the Azure account subscription by typing:
    Get-AzureSubscription
6. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
7. On the DASHBOARD page of the storage account, click Storage in the left pane and get the URL of the Blob destination (e.g., http://techlib.blob.core.windows.net).
8. Upload the VHD to your Azure storage container by typing:
    Add-AzureVhd -Destination <BLOBS-URL/container/FILENAME.vhd> -LocalFilePath <path-to-vhd-file/filename.vhd>
Upload the VHD to a storage container. Microsoft Azure does not allow a virtual machine to be created from a VHD file in the root ($root) directory.

Step 4. Create a Virtual Machine from a VHD Image
Create a virtual machine image from the uploaded VHD image.
1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
2. In the left pane, click VIRTUAL MACHINES.
3. Click IMAGES.
4. Click CREATE AN IMAGE.
5. In the Create an image from a VHD window:
    a. Enter the NAME for the virtual image (e.g., BNG).
    b. Either enter the VHD URL, or click the folder icon to select the image that you uploaded in Step 3 from the storage container.
    c. From the OPERATING SYSTEM FAMILY list, select Linux.
    d. Select the check box to confirm that the Microsoft Azure Linux Agent has been run on the virtual machine associated with the VHD.
6. Click the checkmark icon.
You can now select your custom Barracuda NG Firewall or NG Control Center image when deploying the VM.

Next Steps
How to Deploy the Barracuda NG Firewall in Azure via the Preview Portal
How to Deploy the Barracuda NG Firewall in Microsoft Azure
How to Deploy the Barracuda NG Firewall on Microsoft Azure via PowerShell

How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud
The Barracuda NG Firewall can run as a virtual appliance in the Amazon cloud as a gateway device for Amazon EC2 instances in an Amazon Virtual Private Cloud (VPC). Follow the steps in this article to deploy the Barracuda NG Firewall in an Amazon VPC. Amazon AWS charges apply. For more information, see Amazon's monthly pricing calculator at http://calculator.s3.amazonaws.com/calc5.html.
In this article:
Before you Begin
Step 1. Set Up the Amazon VPC Cloud
Step 2. Create an Internet Gateway
Step 3. Create Subnets
Step 3.1. Create the Private Subnet
Step 3.2. Create the Public Subnet
Step 4. Set Up Amazon Security Groups and Network ACLs
Step 4.1. Create a Security Group for Barracuda NG Admin Access
Step 4.2. Configure a Security Group for the Private Subnetwork
Step 4.3. Set Up the Network ACLs
Step 5. Deploy a Barracuda NG Firewall in an Amazon EC2 Instance
Start the Amazon Launch Instance Wizard
Launch Instance Wizard Step 1: Choose AMI
Launch Instance Wizard Step 2: Choose Instance Type
Launch Instance Wizard Step 3: Configure Instance
Launch Instance Wizard Step 4: Add Storage
Launch Instance Wizard Step 5: Tag Instance
Launch Instance Wizard Step 6: Configure Security Group
Launch Instance Wizard Step 7: Review
Deactivate the Source/Destination Check
Step 6. Allocate and Associate an Amazon Elastic IP Address to the Barracuda NG Firewall EC2 Instance
Step 7. Create and Attach a Network Interface
Step 8. Create Route Tables
Step 8.1. Create a Route Table for the Private Network
Step 8.2. Create a Route Table for the Public Network
Step 9. Add Amazon Network Interface to the Barracuda NG Firewall Instance
Additional Information
Troubleshooting Tips
Next Steps

Before you Begin
Before you deploy the Barracuda NG Firewall in the Amazon VPC:
Get an Amazon Web Services (AWS) account.
Get a Barracuda NG Firewall Vx license. The Barracuda NG Firewall AMI itself is free (BYOL = Bring Your Own License).
Choose the country and availability zone in which you want to create the Amazon VPC. All instances and services must be in the same availability zone.

Step 1. Set Up the Amazon VPC Cloud
The Amazon VPC is a smaller, isolated version of the public Amazon Elastic Compute Cloud (EC2). The VPC is restricted to its own /16 network subnet. Create a VPC in the 192.168.0.0/16 subnet.
1. Go to the Amazon Web Services Console (https://console.aws.amazon.com).
2. In the Compute & Networking section, click VPC - Isolated Cloud Resources.
3. In the left pane of the VPC console, click Your VPCs.
4. Create a VPC with the following settings:
    CIDR Block – Enter 192.168.0.0/16.
    Tenancy – Select Default.
5. Click Yes, Create.
Your VPC is now listed on the Your VPCs page.

Step 2. Create an Internet Gateway
Create an Internet gateway to enable devices in the Amazon VPC to access the Internet.
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. In the left pane, click Internet Gateways.
3. Click Create Internet Gateway.
4. In the Create Internet Gateway window, click Yes, Create.
5. Select the new Internet gateway, and then click Attach to VPC.
6. Select the VPC that you created in Step 1 (e.g., vpc-b0a9a0db (192.168.0.0/16)), and then click Yes, Attach.
The Internet gateway is now associated with the Amazon VPC.

Step 3. Create Subnets
Create two /24 subnets inside the Amazon VPC:
A public network that connects the dhcp (eth0) interface of the Barracuda NG Firewall to the Internet gateway.
A private network for the eth1 interface on the Barracuda NG Firewall and the EC2 instances in the VPC.

Step 3.1. Create the Private Subnet
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. In the left pane, click Subnets.
3. Click Create Subnet.
4. In the Create Subnet window, configure the following settings:
    VPC – Select the VPC with the 192.168.0.0/16 subnet (e.g., vpc-abcd1234568 (192.168.0.0/16)).
    Availability Zone – Select the availability zone that your VPC is in (e.g., eu-west-1a).
    CIDR Block – Enter 192.168.200.0/24.
5. Click Yes, Create.

Step 3.2. Create the Public Subnet
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. Click Subnets.
3. Click Create Subnet.
4. In the Create Subnet window, configure the following settings:
    VPC – Select the VPC with the 192.168.0.0/16 subnet (e.g., vpc-abcd1234568 (192.168.0.0/16)).
    Availability Zone – Select the availability zone that your VPC is in (e.g., eu-west-1a).
    CIDR Block – Enter any 192.168.XX.0/24 subnet except 192.168.200.0/24 (e.g., 192.168.10.0/24).
5. Click Yes, Create.
The private (192.168.200.0/24) and public (192.168.10.0/24) subnets are now in your VPC.

Step 4. Set Up Amazon Security Groups and Network ACLs
To secure incoming and outgoing connections to the VPC, set up the following features:
Security Groups – Act as stateful firewalls that control traffic to one or more Amazon EC2 instances. Every instance must be associated with one or more security groups. With security groups, you can only allow specific connections; by default, connections are blocked.
Network ACLs – Act as a stateless firewall that controls traffic going in and out of a subnet. With network ACLs, you can allow and block connections. By default, an Amazon network ACL blocks all traffic.
For more information on Amazon security groups and network ACLs, see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.

Step 4.1. Create a Security Group for Barracuda NG Admin Access
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. In the left pane, expand SECURITY and then click Security Groups.
3. Click Create Security Group.
4. In the Create Security Group window, configure the following settings:
    Name – Enter NGSecurityGroup.
    Description – Enter Access for NG Admin.
    VPC – Select the VPC from the list (e.g., vpc-b0a9a0db).
5. Click Yes, Create.
6. Select NGSecurityGroup.
7. In the lower pane, click the Inbound tab.
8. Add rules with the following settings to allow inbound traffic for the SSH daemon and ping:
    Create a new Rule    Source
    SSH                  0.0.0.0/0
    All ICMP             0.0.0.0/0
    DNS                  0.0.0.0/0
9. Add custom rules with the following settings to allow inbound traffic for Barracuda NG Admin (port 807), the VPN service (port 691), and the management tunnel (port 692):
    Create a new Rule    Port range    Source
    Custom TCP rule      807           0.0.0.0/0
    Custom UDP rule      807           0.0.0.0/0
    Custom TCP rule      691-692       0.0.0.0/0
    Custom UDP rule      691-692       0.0.0.0/0
10. Create additional rules for all services running on the Barracuda NG Firewall and all services forwarded for EC2 instances in the Amazon VPC (e.g., port 80/443 for web servers, port 25 for SMTP, etc.).
11. Click Apply Rule Changes.
All inbound rules are now listed under the Inbound tab of the security group.

Step 4.2. Configure a Security Group for the Private Subnetwork
Instances in the private subnetwork are only accessed by connections passing through the Barracuda NG Firewall EC2 instance. Configure the default security group to only allow traffic that is coming from the NGSecurityGroup.
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. In the left pane, expand SECURITY and then click Security Groups.
3. Select the default security group.
4. In the lower pane, click the Inbound tab.
5. Add rules with the following settings to allow incoming traffic for the default security group coming from the NGSecurityGroup and for traffic within the default security group.
    Rule: To allow incoming traffic from the NGSecurityGroup.
    Rule Settings:
        Create a new Rule – Select All Traffic.
        Source – Enter the group ID for NGSecurityGroup (e.g., sg-cf49bca0). You can find the group ID by selecting the NGSecurityGroup security group and then clicking the Details tab.
    Rule: To allow incoming traffic from the default security group.
    Rule Settings:
        Create a new Rule – Select All Traffic.
        Source – Enter the group ID for the default security group (e.g., sg-ae4ebbc1).
        You can find the group ID by selecting the default security group and then clicking the Details tab.
6. Click Apply Rule Changes.
7. Click the Outbound tab.
8. Add the following rules to allow all outgoing traffic coming from the default security group going to the NGSecurityGroup or for traffic within the default security group.
    Rule: To allow outgoing traffic to the NGSecurityGroup.
    Rule Settings:
        Create a new Rule – Select All Traffic.
        Source – Enter the group ID for NGSecurityGroup (e.g., sg-cf49bca0). You can find the group ID by selecting the NGSecurityGroup security group and then clicking the Details tab.
    Rule: To allow outgoing traffic within the default security group.
    Rule Settings:
        Create a new Rule – Select All Traffic.
        Source – Enter the group ID for the default security group (e.g., sg-ae4ebbc1). You can find the group ID by selecting the default security group and then clicking the Details tab.
9. Click Apply Rule Changes.
The default security group now lets all traffic pass between the two security groups.

Step 4.3. Set Up the Network ACLs
By default, network ACLs block all incoming and outgoing traffic. To use the Barracuda NG Firewall instead of the Amazon network ACL, add rules to allow all inbound and outbound traffic. To use the Barracuda NG Firewall as a gateway device, allow all traffic into the private network.
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. In the left pane, expand SECURITY and then click Network ACLs.
3. Click Create Network ACL.
4. Select the VPC with the 192.168.0.0/16 subnet (e.g., vpc-abcd1234568 (192.168.0.0/16)), and then click Yes, Create.
5. Click the Inbound tab.
6. Add a rule with the following settings to allow inbound traffic.
    Traffic: Inbound
    Rule Settings:
        Create a new Rule: All Traffic
        Rule #: 100
        Source: 0.0.0.0/0
        Allow/Deny: ALLOW
7. Click the Outbound tab.
8. Add a rule with the following settings to allow outbound traffic.
    Traffic: Outbound
    Rule Settings:
        Create a new Rule: All Traffic
        Rule #: 100
        Source: 0.0.0.0/0
        Allow/Deny: ALLOW
The network ACL now permits all traffic on all ports in and out of the subnets. All hosts in the private network are protected by the Firewall service running on the Barracuda NG Firewall.

Step 5. Deploy a Barracuda NG Firewall in an Amazon EC2 Instance
In the Amazon VPC that you created in Step 1, launch an Amazon EC2 instance with the Barracuda NG Firewall AMI image. Note that the Barracuda NG Firewall AMI image is EBS backed, so powering down the Barracuda NG Firewall EC2 instance will not result in data loss. The Barracuda NG Firewall is launched with one dynamic DHCP interface. More network interfaces are added after launching the instance. The Amazon Launch Instance wizard guides you through the following steps:

Start the Amazon Launch Instance Wizard
1. Go to the Amazon Web Services EC2 console (https://console.aws.amazon.com/ec2/home).
2. Click Launch Instance.

Launch Instance Wizard Step 1: Choose AMI
1. Click AWS Marketplace in the left navigation.
2. Enter Barracuda NextGen in the search box and click Search.
3. Click Select next to the Barracuda NG Firewall image you want to install (e.g., Barracuda NextGen Firewall BYOL or hourly).

Launch Instance Wizard Step 2: Choose Instance Type
1. Select an EC2 instance type. Verify that the number of CPUs for your license matches the number of vCPUs of the EC2 instance type.
2. Click Next: Configure Instance Details.

Launch Instance Wizard Step 3: Configure Instance
1. From the Network list, select the VPC created in Step 1 (e.g., vpc-b0a9a0db (192.168.0.0/16)).
2. From the Subnet list, select the 192.168.XX.0/24 subnet created in Step 3.2 (e.g., subnet-f6a8a19d (192.168.10.0/24)).
3. Select the Enable termination protection check box.
4. (Optional) To improve I/O performance, enable EBS-optimized instance.
5. Click Next: Add Storage.

Launch Instance Wizard Step 4: Add Storage
1. (Optional) If you want the EBS volumes to be deleted after the Barracuda NG Firewall EC2 instance has been terminated (deleted), select the Delete on Termination check boxes.
2. (Optional) Enter a larger Size for the /dev/sdf EBS volume.
3. (Optional) To improve the I/O performance of your EC2 instance, select Provisioned IOPS from the Volume Type list.
4. Click Next: Tag Instance.

Launch Instance Wizard Step 5: Tag Instance
1. (Optional) Add tags to identify your EC2 instance.
2. Click Next: Configure Security Group.

Launch Instance Wizard Step 6: Configure Security Group
1. From the Assign a security group list, select Select an existing security group.
2. Select the NGSecurityGroup that you created in Step 4.1 from the list of security groups (e.g., sg-cf49bca0 - NGSecurityGroup).
3. Click Review and Launch.
4. In the Warning window, click Continue.

Launch Instance Wizard Step 7: Review
1. Click Launch.
2. In the Select an existing key pair or create a new key pair window:
    Select Proceed without a key pair.
    Click the check box to acknowledge that you will not be able to connect to this instance unless you already know the password built into the AMI.
3. Click Launch Instances.

Deactivate the Source/Destination Check
1. Click View Instances.
2. Right-click the Barracuda NG EC2 instance that you just created, and then select Change Source/Dest. Check.
3. Click Yes, Disable.
Your EC2 instance appears in the EC2 list. After the instance is up, the State and Status Checks change to green.

Step 6. Allocate and Associate an Amazon Elastic IP Address to the Barracuda NG Firewall EC2 Instance
The private IP address assigned to the external interface (eth1) on the Barracuda NG Firewall instance is not yet reachable from the Internet. Create and attach an Amazon Elastic IP Address (EIP) to the external network interface.
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. In the left pane, click Elastic IPs.
3. Click Allocate New Address.
4. From the EIP used in list, select VPC.
5. Click Yes, Allocate.
6. Select the new EIP, and then click Associate Address.
7. In the Associate Address window, configure the following settings:
    Instance – Select the Barracuda NG Firewall instance (e.g., i-2adb8d65 (Barracuda NG Firewall 5.4.2)).
    Private IP address – Select the IP address in the public subnet that you created in Step 3.2 (e.g., 192.168.10.89*).
8. Click Yes, Associate.
Your EIP is now listed with the instance ID and ENI ID associated with the Barracuda NG Firewall instance.

Step 7. Create and Attach a Network Interface
Create a network interface in the private subnet. This interface will be registered as eth1 on the Barracuda NG Firewall.
1. Go to the Amazon Web Services EC2 console (https://console.aws.amazon.com/ec2/home).
2. In the left pane, click Network Interfaces.
3. Click Create Network Interface.
4. Configure the network interface with the following settings:
    Subnet – Select the private subnet (192.168.200.0/24) you created in Step 3.1. E.g., subnet-e8a8a183
    Private IP – Enter a free IP in the private subnet. This IP will not be used as the management IP. E.g., 192.168.200.200
    Security Group – Select the NGSecurityGroup created in Step 4.1.
5. Click Yes, Create. The network interface is now listed in the Network Interfaces list.
6. Select the network interface you just created and click Attach.
7. Select the Barracuda NG Firewall EC2 instance you created in Step 5. E.g., i-2adb8d65 Barracuda NG Firewall (running)
8. Click Yes, Attach.
9. Right-click the network interface you just created and select Change Source/Dest. Check.
10. Disable the Source/Dest. check.
11. Click Save.
12. Go to the Amazon Web Services EC2 console (https://console.aws.amazon.com/ec2/home).
13. Right-click the Barracuda NG Firewall instance and click Reboot.
You must reboot the Barracuda NG Firewall after adding additional network interfaces to make sure that the NG Firewall detects and assigns the correct network interface number to the new Elastic Network Interface.

Step 8. Create Route Tables
Create two routing tables to route the networks:
A table to route traffic in the private network to the internal interface on the Barracuda NG Firewall.
A table to route traffic from the Barracuda NG Firewall's external interface to the Internet gateway.
These route tables ensure that all traffic in the VPC passes through the Barracuda NG Firewall.

Step 8.1. Create a Route Table for the Private Network
Route all traffic in the private network to the eth1 interface on the Barracuda NG Firewall.
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. In the left pane, click Route Tables.
3. Click Create Route Table.
4. Select the VPC with the 192.168.0.0/16 subnet (e.g., vpc-abcd1234568 (192.168.0.0/16)), and then click Yes, Create.
5. From the list of route tables on the page, select the route table that you just created.
6. In the lower pane, click the Routes tab and then add a routing entry with the following settings:
    Destination – Enter 0.0.0.0/0.
    Target – Select Enter network interface ID, and then select the network interface in the private subnet you created in Step 7 (e.g., eni-f39b8d87). To find the network interface ID, go to the AWS EC2 console and click Network Interfaces. The network interface is in the 192.168.200.0/24 subnet.
7. Click Add.
8. Click the Associations tab.
9. From the Select a subnet list, select the 192.168.200.0/24 subnet (e.g., subnet-d79be8bf (192.168.200.0/24)).
10. Click Associate.
11. Click Yes, Associate to confirm the association.

Step 8.2. Create a Route Table for the Public Network
Route traffic from the Barracuda NG Firewall's external interface to the Internet gateway that you created in Step 2.
1. Go to the Amazon Web Services VPC console (https://console.aws.amazon.com/vpc/home).
2. In the left pane, click Route Tables.
3. Click Create Route Table.
4. Select the VPC with the 192.168.0.0/16 subnet (e.g., vpc-abcd1234568 (192.168.0.0/16)), and then click Yes, Create.
5. From the list of route tables on the page, select the route table that you just created.
6. In the lower pane, click the Routes tab and then add a routing entry with the following settings:
    Destination – Enter 0.0.0.0/0.
    Target – Select the Internet gateway that you created in Step 2 (e.g., igw-6e81f206).
7. Click Add.
8. Click the Associations tab.
9. From the Select a subnet list, select the 192.168.XX.0/24 subnet that you created in Step 3.2 (e.g., subnet-2429574c (192.168.10.0/24)).
10. Click Associate.
11. Click Yes, Associate to confirm the association.
Your Barracuda NG Firewall instance is now reachable from the Internet.

Step 9. Add Amazon Network Interface to the Barracuda NG Firewall Instance
Add the second Amazon network interface to the Barracuda NG Firewall instance.
1. Reboot the Barracuda NG Firewall instance to correctly detect the new network interface.
2. With Barracuda NG Admin, log into the Barracuda NG Firewall. Use the following settings:
    Management IP: The Amazon Elastic IP address that you created in Step 6 (e.g., 54.229.198.60).
Login: root Password: <your Instance ID> (e.g., i-2adb8d65) You have three days initial grace period to license your Barracuda NG Firewall, after that the default password (ngf1r 3wall) also authenticates the root user. 3. Open the CONTROL > Network page. 4. Ensure that there are two network interfaces listed: dhcp and eth1. if the second network interface is listed as eth0, reboot the Barracuda NG Firewall. 5. 6. 7. 8. 9. 10. Open the CONFIGURATION > Configuration Tree > Box > Network page. In the left pane click on Interfaces. Click Lock. Double Click on 10dynmod entry in the Network Interface Cards list. The Network Interface Cards: 10dynmod window will open. Select 2 from the Number of Interfaces drop down menu. Click OK. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 87 11. Click Send Changes. The eth1 interface is now listed in the Physical Interface list. 12. In the left pane click on Routing. 13. Click on + in the Main Routing Table section. The Routes windows opens. 14. Enter a Name for the route. E.g., privateVPCSubnet. 15. Configure the route with the following settings: Target Network Address – Enter the destination address for the private subnet: 192.168.200.0/24 16. 17. 18. 19. 20. 21. 22. 23. Route Type – Select directly attached network from the drop down. Interface Name – Select eth1 Trust Level – Select Trusted Click OK. Click Send Changes and Activate. Open the CONTROL > Box page. In the left pane in the Network section click Activate new network configuration. The Network Activation window opens. Click on Failsafe. Open Server Properties page for the S1 virtual server (CONFIGURATION > Full Configuration > Virtual Servers > S1 > Server Properties). Click Lock. Enter the IP address you assigned to the Amazon Network Interface in Step 8. in Second-IP [IP2]. E.g., 192.168.200.200 Do not change the First IP for the virtual server S1. You will lock yourself out if you do. 24. 
24. Select yes from the Reply to Ping drop-down.
25. Click Send Changes.
26. Click Activate.

Additional Information

Do not delete the default virtual server S1. By deleting the virtual server, the application redirect rule that lets you connect to the Barracuda NG Firewall EC2 instance is removed.
When you add additional IP addresses to network interfaces or virtual servers on the Barracuda NG Firewall, you must also add these IP addresses to the respective Amazon network interfaces as additional IP addresses. Depending on the Amazon EC2 instance type used, there are limitations on the number of IP addresses that you can assign to a single Amazon network interface.
To patch or update the Barracuda NG Firewall EC2 instance firmware, it is recommended that you use the Barracuda NG Admin graphical interface and not the SSH shell.

Troubleshooting Tips

If you cannot activate the network after attaching an additional Amazon network interface, verify that the network interface numbering is correct, e.g., eth1 and not eth0 if a dhcp device is already present. Reboot the Barracuda NG Firewall instance for the interface numbers to be assigned correctly.
If you cannot connect to the other Amazon EC2 instances in the private subnet, check the following settings:
Network Interfaces – Mismatch between the IP address assigned to the network interface on the Barracuda NG Firewall and the Amazon network interface associated with it.
Security Groups – If the settings for the Security Group are too restrictive, the traffic will be blocked by the Amazon firewall. For debugging purposes, introduce a Security Group policy allowing all traffic in and out, and all traffic between the two security groups.
Network ACLs – If the rules in the Amazon network ACLs are too restrictive, traffic going into the subnet will be blocked by the Amazon firewall.
Routing Tables – Verify that the Amazon network interface associated with eth1 on the Barracuda NG Firewall is the default gateway for the private subnet and that the private subnet is associated with the correct routing table.
If you cannot connect to the Internet from the Barracuda NG Firewall, check the following settings:
Security Groups – If the settings for the Security Group are too restrictive, the traffic will be blocked by the Amazon firewall. For debugging purposes, introduce a Security Group policy allowing all traffic in and out, and all traffic between the two security groups.
Network ACLs – If the rules in the Amazon Network ACLs are too restrictive, traffic going into the subnet will be blocked by the Amazon firewall.
Routing Tables – Verify that the Amazon Internet Gateway (igw) is the default route and that the public subnet is associated with the correct routing table.

Next Steps

To continue setting up the Barracuda NG Firewall, you can proceed with the following tasks:
| Task | Instructions |
|---|---|
| License the Barracuda NG Firewall. After the deployment you have an initial grace period of three days to license your Barracuda NG Firewall. After that, the root user will also be able to log in with the default (ngf1r3wall) password. | How to Activate and License a Standalone Virtual Barracuda NG Firewall |
| Complete the Getting Started guide for the Barracuda NG Firewall. | Getting Started |

How to Deploy the NG Firewall on VMware vCloud Air

VMware vCloud Air is a public cloud platform built on VMware vSphere/ESXi hypervisors. The infrastructure is split into multiple logical units:
Datacenter Location – Choose from multiple worldwide VMware datacenters.
Virtual Datacenter – The security and virtualized network for the VMs is handled on this level.
vApp – A collection of VMs and other vApps that host a multi-tier application, its policies and service levels.
VM – In our case, this is the individual Barracuda NG Firewall Vx instance running in the cloud.
Use the standard Vx OVA images and Vx licenses for the Barracuda NG Firewall and NG Control Center. Create a routed frontend network and up to 9 additional isolated backend networks. The VMware Edge Gateway of the virtual datacenter is then configured to allow only inbound and outbound traffic through the NG Firewall VM.

In this article
Before you Begin
Step 1. Create Virtual Datacenter
Step 2. Create Frontend and Backend Networks
Step 3. Upload the Barracuda NG Firewall Vx image
  Upload via OVF Tool
  Uploading via Browser
Step 4. Create a vApp and Deploy the Barracuda NG Firewall VM in the vApp
Step 5. Add Additional Network Adapters
Step 6. Set the Management IP Address
Step 7. Configure Edge Gateway Firewall Rules and Routes
  Step 7.1. Add Public IP address to the Edge Gateway
  Step 7.2. Add NAT Rules
  Step 7.3. Add Firewall Rules
Performance Tuning
Next Steps

Before you Begin

Download the Barracuda NG Firewall Image.
Create a vCloud Air Account.
Use vCloud with a compatible 32-bit browser with the latest VMware Remote Console plugin. For more information, see VMware Knowledge Base.
(Optional) If you do not want to upload the OVA image via a browser, download and install the VMware OVF Tool.

Step 1. Create Virtual Datacenter

Create the Virtual Datacenter in a VMware datacenter of your choice.
1. Log in to the VMware vCloud.
2. Select Virtual Private Cloud OnDemand.
3. Select the Virtual Private Cloud Location.
4. Click + next to Virtual Data Centers. The New Virtual Datacenter window opens.
5. Enter the Name.
6. Click Create Virtual Data Center.

Step 2. Create Frontend and Backend Networks

Create the frontend and backend networks for the Barracuda NG Firewall.
Due to the limit of 10 network adapters per VM, you can use up to 9 backend networks.
1. Log into the VMware vCloud.
2. Open your Virtual Datacenter.
3. Click the Networks tab.
4. Click New Network. The Add Network window opens.
5. Enter the settings for the frontend network:
   Name – Enter a name, e.g., Frontend.
   IP Range – Enter the first and last IP address of the IP range for the virtual machines. Optional: Click + to add multiple IP ranges.
   Subnet Mask – Enter the netmask, e.g., 255.255.255.0.
   Gateway to route through – Select a gateway.
   Address to assign to gateway – Enter the IP address that should be used for the default gateway in this network. The gateway may not be in the IP Range.
6. Click Add Network.
7. Repeat steps 4 - 6 for each backend network.
For every network you create, a tile is added to the Networks tab.

Step 3. Upload the Barracuda NG Firewall Vx image

You can upload the Barracuda NG Firewall OVA image via the browser plugin or the command line OVF tool.

Upload via OVF Tool

Use the command line tool to upload your OVA image to a catalog. If you want to use a dedicated catalog, you must create it before uploading via the OVF tool.
1. Open the command prompt or terminal.
2. Upload the OVA with the following command:
   ovftool [OVA-FILE] [VCLOUD-LOCATOR]
   For example, on Windows (the vcloud locator is quoted because it contains & characters, which the command prompt would otherwise treat as command separators):
   C:\Program Files\VMware\VMware OVF Tool> ovftool.exe OVA_FILE "vcloud://username:password@host:port?org=vCLOUD_ORGANISATION_NAME&vapp=vAPP_NAME&catalog=CATALOG_NAME&vappTemplate=vAPP_TEMPLATE_NAME&vdc=VDC_NAME"

Uploading via Browser

Verify that you are using a compatible browser and that the VMware Client Plugin is allowed to run.
1. Log into the VMware vCloud.
2. Open your Virtual Datacenter.
3. Click New Virtual Machine.
4. Click Create my Virtual Machine from Scratch. The VMware vCloud Director opens in a new tab.
5. Click the Add vApp from OVF icon.
6. Select Local file or enter the download URL of the Barracuda NG Firewall OVA image. When using a URL, the OVA image is not uploaded directly from the source URL; all traffic (download and upload) passes through your computer.
7. Click Next.
8. Review the details of the OVA and click Next.
9. Enter Name and Description.
10. Select the Virtual Datacenter.
11. Click Next.
12. Select SSD-Accelerated from the Storage Policy drop-down.
13. Click Next.
14. Enter a Computer Name and select the frontend Network.
15. Click Next.
16. Select the Number of virtual CPU cores per socket to match your Barracuda NG Firewall license. For more information, see Licensing.
17. Enter the Total Memory for the virtual machine. Use at least 1 GB per CPU core.
18. Enter 80 GB as the Disk0 size.
19. Click Next.
20. Click Finish. The vCloud Director Login window opens.
21. Enter your User name and Password.
22. Click OK.
Follow the upload progress in the popup window. Uploading the OVA will take some time.

Step 4. Create a vApp and Deploy the Barracuda NG Firewall VM in the vApp

1. Log in to the VMware vCloud.
2. In the left menu, click your Virtual Datacenter.
3. Click New Virtual Machine. The New Virtual Machine on YOUR VIRTUAL DATA CENTERS window opens.
4. Click Create My Virtual Machine from Scratch. The VMware vCloud Director opens in a new tab.
5. Click the Build new vApp icon. The New vApp pop-over opens.
6. Enter a Name for the vApp.
7. Select the VDC from the Virtual Datacenter list.
8. Click Next.
9. Select the Image you uploaded in Step 3 from the catalog and click Add.
10. Click Next.
11. (Optional) Change the Name for the virtual machine.
   This is the full name, not the computer name, e.g., Barracuda NG Firewall VF2000.
12. In the Storage Policy column, select SSD-Accelerated.
13. Click Next.
14. Enter the Computer Name, e.g., NGFW1.
15. In the Network column, select the Frontend network you created in Step 3.
16. In the IP Assignment column, select Static-Manual and enter an IP address from the IP range of the frontend network.
17. Click Next.
18. Click Next.
19. Review the settings and click Finish.
The NG Firewall vApp is now displayed in the vApps list.

Step 5. Add Additional Network Adapters

By default, the NG Firewall is deployed with one VMXNET3 network adapter. Add an additional network adapter for each backend network. The VM must be powered off to add additional network adapters.
1. Click the Barracuda NG Firewall vApp created in Step 4.
2. Right-click the NG Firewall VM and click Properties. The Virtual Machine Properties pop-over opens.
3. Click the Hardware tab.
4. Select Show network adapter type.
5. In the NICs section, click Add.
6. Configure the NIC you just added:
   Network – Select one of the backend networks you created in Step 4.
   Adapter Type – Select VMXNET 3.
   IP Mode – Select Static - Manual and enter an IP address from the IP range of the backend network.
7. Click OK.
You can now power on the Barracuda NG Firewall VM.

Step 6. Set the Management IP Address

Configure the management IP address on the console of the Barracuda NG Firewall.
1. Go to the vCloud Director.
2. In the left menu, click vApps.
3. Click the Console icon in the vApps list. The console opens in a separate window.
4. For a basic network configuration, the Barracuda NG Vx unit launches the Active Recovery Technology menu.
5. Select Basic Configuration, enter the following network settings, and then press F3 to save your changes:
   Hostname – Enter the desired hostname.
   Management IP – Enter the IP address in the frontend network you assigned to the first NIC in Step 6.
   Netmask – The subnet mask in dotted quad notation. For example, 255.255.255.0.
   Default Gateway – Enter the gateway IP address you configured in Step 4 for the frontend network.
6. When the window opens to announce that your configuration changes were saved, press any key to continue.
7. Select Reboot to restart the Barracuda NG Firewall with the new network configuration.

Step 7. Configure Edge Gateway Firewall Rules and Routes

Configure the routing and firewall rules for the Edge Gateway to allow access to the NG Firewall via a public IP address.

Step 7.1. Add Public IP address to the Edge Gateway

Use the public IP address for all traffic into and out of the Virtual Datacenter.
1. Log in to the VMware vCloud.
2. In the left menu, click your Virtual Datacenter.
3. Click the Gateways tab.
4. Click the Gateway tile.
5. Click the Public IPs tab.
6. Click Add IP Address.
7. Click Add.
It may take a couple of minutes for the public IP to be displayed in the list.

Step 7.2. Add NAT Rules

Create two NAT rules: one to redirect incoming traffic to the IP address of the NG Firewall in the frontend network, and one to rewrite the source IP of outgoing connections with the public IP address.
1. Log into the VMware vCloud.
2. In the left menu, click your Virtual Datacenter.
3. Click the Gateways tab.
4. Click the Gateway tile.
5. Click the NAT Rules tab.
6. Click Add NAT Rule. The New NAT Rule on gateway pop-over opens.
7. Create a NAT rule to rewrite the source IP address with the public IP address for all outgoing connections of the NG Firewall:
   Type – Select SNAT.
   Original (Internal) Source – Enter the IP address of the NG Firewall in the frontend network you configured in Step 4.
   Translated (External) Source – Select the public IP address you just created from the drop-down.
   Settings – Check Enable this rule.
8. Click Next.
9. Click Add.
10. Create a NAT rule to redirect all incoming traffic to the internal IP address of the NG Firewall in the frontend network:
   Type – Select DNAT.
   Original (External) IP – Select the public IP address you just created from the drop-down.
   Protocol – Select Any.
   Original Port – Select Any.
   Translated (Internal) IP/Range – Enter the IP address of the NG Firewall in the frontend network you configured in Step 4.
   Translated Port – Select Any.
   Settings – Check Enable this rule.
11. Click Next.
12. Click Finish.

Step 7.3. Add Firewall Rules

By default, everything is blocked. Create a firewall rule to permit traffic to and from the IP address of the Barracuda NG Firewall in the frontend network.
1. Log into the VMware vCloud.
2. In the left menu, click your Virtual Datacenter.
3. Click the Gateways tab.
4. Click the Gateway tile.
5. Click the Firewall Rules tab.
6. Click Add Firewall Rule.
7. Create a firewall rule to allow traffic with the public IP address as the destination:
   Name – Enter a descriptive name, e.g., IN.
   Settings – Check Enable this rule.
   Protocol – Select Any.
   Source – Select Any.
   Destination – Select Specific CIDR, IP or IP Range and enter the public IP address you created in Step 7.1.
8. Click Next.
9. Click Add.
10. Create a firewall rule to allow traffic from the IP address of the Barracuda NG Firewall in the frontend network to the Internet:
   Name – Enter a descriptive name.
   Settings – Select Enable this rule.
   Protocol – Select Any.
   Source – Select Any.
   Destination – Select Specific CIDR, IP or IP Range and enter the public IP address you created in Step 7.1.
11. Click Add.
12. Click Finish.
You can now access your Barracuda NG Firewall in the VMware vCloud via the public IP address configured in Step 7.1.

Performance Tuning

You can increase performance by enabling jumbo frames for your VMXNET3 adapters. Open the CONFIGURATION > Configuration Tree > Box > Network page and increase the MTU for the network interfaces to 8950. Jumbo frames are enabled by default on the vSwitches in vCloud Air.

Next Steps

Activate the license of the Barracuda NG Firewall. For more information, see How to Activate and License a Standalone Virtual Barracuda NG Firewall.
Add the additional network adapters to the Barracuda NG Firewall configuration. For more information, see How to Add Additional Network Interfaces.
Configure directly attached routes for the additional network interfaces. For more information, see How to Add a Direct Attached Route.
Add one IP address per network to the virtual server IP addresses. For more information, see Virtual Servers and Services.

Getting Started

If you are deploying a Barracuda NG Control Center with the CC Wizard, see Getting Started - NG Control Center.
When deploying a Barracuda NG Firewall, basic settings need to be made before the system can be used in production. There are some differences, depending on the deployment option you choose (hardware, virtual, or public cloud).

Before you Begin

Make sure you have completed the steps listed in the deployment articles for the platform you are deploying the Barracuda NG Firewall on:
Hardware – Complete Hardware deployment and the included Quick Start Guide. The Quick Start Guide is included in the box for every Barracuda NG Firewall.
   Your PC must be connected to the management port of the NG Firewall and use an IP address in the 192.168.200.0/24 range. Do not use 192.168.200.200 because this IP address is the default management IP address of the Barracuda NG Firewall.
Virtual (Vx) – Complete the deployment steps in Virtual Systems (Vx) for your hypervisor.
Public Cloud – Complete the steps in Public Cloud Hosting for your public cloud provider.

Step 1. Prepare the Client

To connect to the Barracuda NG Firewall, you must use the Barracuda NG Admin application. The application is a standalone, portable executable. Always use the latest version of NG Admin. You can download it from the Barracuda Download Portal. For more information on the system requirements and NG Admin, see Barracuda NG Admin.

Step 2. Log into the Barracuda NG Firewall

Connect to your Barracuda NG Firewall using Barracuda NG Admin:
1. Launch Barracuda NG Admin.
2. In the Log In window, select Box.
3. Enter the Management IP, Username, and Password:
| Platform | Management IP Address | Username | Default Password |
|---|---|---|---|
| Hardware | 192.168.200.200 | root | ngf1r3wall |
| Virtual (Vx) | Set during deployment | root | ngf1r3wall |
| Public Cloud - Amazon AWS | Elastic IP pointing to the Barracuda NG Instance | root | Instance ID of your Barracuda NG Instance, e.g., i-0aaaa123 |
| Public Cloud - Microsoft Azure | <your cloud service>.cloudapp.net or Virtual IP (VIP) for the cloud service | root | Set during deployment. If not set during deployment: ngf1r3wall |
4. Click Log In. The Authentication Check window opens.
5. Click Trust.

Step 3. Configure Basic Settings

The box wizard can only be used on hardware units. If you are deploying a virtual Barracuda NG Firewall system, you must configure the time zone and change the password manually.
Step 3.1 Complete the Wizard for the Barracuda NG Firewall

If you are using a hardware appliance, the wizard helps you configure basic settings during deployment. Follow the instructions for the Standard Deployment Mode. Skip this step if you are connected to a Barracuda NG Firewall in the public cloud because these settings were already configured during deployment.

Step 3.2 Configure the Time Zone and Change the Root Password for the Virtual Barracuda NG Firewall

When using a virtual Barracuda NG Firewall, complete the following tasks:
| Task | Link |
|---|---|
| Change the password | How to Change the Root Password and Management ACL |
| Set the time zone | Step 1 in How to Configure Time Server (NTP) Settings |
| (optional) Change the management IP address | How to Change the Management IP Address |

Step 4. Configure an Internet Connection

If you are deploying a Barracuda NG Firewall that must connect to the Internet via an ISP, configure the Internet connection. If your Barracuda NG Firewall can already access the Internet via the management interface, you can skip this step. The Barracuda NG Firewall F10 to F30x already have a preconfigured DHCP interface on port 4.
Complete the configuration for your type of Internet connection:
| Internet Connection Type | Link |
|---|---|
| Static IP address | How to Configure an ISP with Static IP Addresses |
| DHCP | How to Configure an ISP with Dynamic IP Addresses (DHCP) |
| xDSL (PPP, PPPoE and PPTP) | How to Configure an ISP with xDSL |
| UMTS/3G | How to Configure an ISP with UMTS/3G |
| ISDN | How to Configure an ISP with ISDN |

Step 5. Activate and License your Barracuda NG Firewall

To license your Barracuda NG Firewall, the NG Admin application must be able to connect to the Internet directly or via proxy. For hardware appliances you only need to activate the unit; licenses are automatically downloaded and installed afterwards.
For virtual and public cloud systems you must enter a license token before activating your unit. If you are licensing a Barracuda NG Firewall that is to be used in a high availability cluster, it is important to activate the secondary unit first. For more information, see How to Activate and License a Barracuda NG High Availability Cluster.
| License | Installation | Link |
|---|---|---|
| Hardware | 1. Fill out the activation form. 2. Licenses are downloaded and installed automatically. 3. For Barracuda NG Firewall F10 - F30X, preconfigured services must be enabled manually. | How to Activate and License a Standalone Hardware Barracuda NG Appliance |
| Virtual (Vx) + Public Cloud | 1. Enter the license token. 2. Fill out the activation form. 3. Licenses are downloaded and installed automatically. | How to Activate and License a Standalone Virtual Barracuda NG Firewall |

Step 6. Configure Administrative Settings

Configure the Barracuda NG Firewall to use your preferred DNS and NTP servers. To receive email notifications from selected services, you must configure a recipient email address.
| Setting | Link |
|---|---|
| DNS Servers | How to Configure DNS Settings |
| NTP Servers | Step 2 in How to Configure Time Server (NTP) Settings |
| System Email Notification Address | How to Configure the System Email Notification Address |

Next Steps

If you are deploying a Barracuda NG Control Center, continue with Getting Started - NG Control Center without CC Setup Wizard.
Continue with the steps below to set up the system according to your needs.
| Task | Link |
|---|---|
| Configure VLANs, routing and add additional network interfaces. | Network |
| Create and configure the virtual server. | Virtual Servers and Services; How to Configure Virtual Servers |
| Create and configure services (e.g., Forwarding Firewall, VPN, ...). | NG Firewall Services; How to Configure Services |
| Configure external authentication servers. | Authentication |
| Configure administrator accounts. | Managing Access for Administrators |
| Create a high availability cluster. | High Availability |

Network

The box layer network subsystem of the Barracuda NG Firewall and NG Control Center provides all basic features related to network connectivity, such as WAN connections, network traffic, routing, or VLANs.
Connecting to the Internet - WAN Connections
Routing
VLAN
Management IP Address
Network Interfaces
IPv6
Advanced Network Configurations

Connecting to the Internet - WAN Connections

The Barracuda NG Firewall supports various types of Internet connections. If multiple ISP connections are used, the Barracuda NG Firewall offers granular control over link and load balancing, either on a per-access-rule basis or via route metric. You can configure the following Internet connections:
Static IP addresses
Dynamic IP addresses (DHCP)
xDSL with PPPoE and PPTP
UMTS/3G using the external Barracuda USB Modem
ISDN
For more information, see WAN Connections.

Routing

Routing tables are used to store the best path to a remote network. The Barracuda NG Firewall uses the routing tables to forward traffic to the correct interfaces, next hop gateways, or VPN tunnels. The destination, route metric, and source address (optional) of an IP packet are used to determine which route matches and where the packet is forwarded to. For more information, see Routing.

VLAN

VLANs allow you to split one physical network interface into several virtual LANs. The physical interface behaves as if it were several interfaces, and the switch behaves as if it were multiple switches. The Barracuda NG Firewall can use up to 256 VLANs on one physical network interface and a maximum of 4096 VLANs globally. For more information, see How to Configure VLANs.

Management IP Address

The management IP address is used to connect to and manage the Barracuda NG Firewall or the box level of the NG Control Center.
It is located on box level and is thus independent of the virtual server and services running on the Barracuda NG Firewall. Routes for the management network are automatically introduced and do not need to be configured separately. The management IP address can be changed to match your network. For more information, see How to Change the Management IP Address.

Network Interfaces

Hardware systems are automatically configured with the correct number of network ports and interfaces. For hardware systems with Barracuda network modules or virtual systems, it may be necessary to add additional network interfaces. These network interfaces must also be added to the configuration of the Barracuda NG Firewall. If you are planning to use VLANs, make sure to use Barracuda network modules or virtual network adapters that use kernel modules with VLAN support. For more information, see How to Add Additional Network Interfaces.

IPv6

The Barracuda NG Firewall supports the use of IPv6 for selected services. Enable IPv6 for the Barracuda NG Firewall or NG Control Center to accept IPv4 and IPv6 traffic. For more information, see How to Use IPv6.

Advanced Network Configurations

How to Configure Ethernet Bundles
How to Make a Barracuda NG Firewall Centrally Manageable Without a Barracuda NG Control Center

WAN Connections

The Barracuda NG Firewall supports all commonly used WAN connection types. You can set up static, DHCP, xDSL, UMTS/3G, and ISDN WAN connections to connect your network to the Internet. Link failover and balancing can be configured either on a per-access-rule basis by using custom connection objects or, in a more basic configuration, via route metrics. You can also select different Internet connections based on the application type.
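The route selection described in the Routing section above and the metric-based link failover mentioned for WAN connections (longest matching destination, then route metric, with an optional source-address criterion, and fallback to the next default route when a link goes down) can be modelled in a few lines. The following Python is an added example written for this guide; it is not Barracuda code and does not reproduce the NG Firewall's actual implementation. The 62.99.0.0/24 network and its gateway 62.99.0.254 come from the static ISP example later in this guide, and 192.168.200.0/24 is the default management network; the DHCP gateway 198.51.100.1 and the 10.0.5.0/24 source network are constructed for the example. The tie-breaking order (prefix length, then metric, then a source-specific route before a generic one) is an assumption of this example, since the guide only names the criteria that take part in the decision.

```python
"""Model of routing-table lookup with route metrics, an optional source-address
criterion, and link failover. Added example; not part of the Barracuda NG Firewall."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    """One routing table entry. Field names follow the guide's route dialog
    (Target Network Address, Interface Name, Route Metric, Default Gateway)."""
    name: str
    target: IPv4Network
    interface: str
    gateway: Optional[IPv4Address] = None   # None for a directly attached network
    metric: int = 0
    source: Optional[IPv4Network] = None    # only packets from this network may use the route
    active: bool = True                     # False while the link is down (route disabled)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, name: str, target: str, interface: str, gateway: Optional[str] = None,
            metric: int = 0, source: Optional[str] = None) -> None:
        self.routes.append(Route(
            name, ip_network(target), interface,
            ip_address(gateway) if gateway else None,
            metric, ip_network(source) if source else None))

    def set_link(self, interface: str, up: bool) -> None:
        """Link failover: every route on a failed interface is taken out of service."""
        for r in self.routes:
            if r.interface == interface:
                r.active = up

    def lookup(self, dst: str, src: Optional[str] = None) -> Optional[Route]:
        d = ip_address(dst)
        s = ip_address(src) if src else None
        candidates = [r for r in self.routes
                      if r.active and d in r.target
                      and (r.source is None or (s is not None and s in r.source))]
        if not candidates:
            return None
        # Assumed precedence: longest prefix, then lowest metric, then a
        # source-specific route before a generic one (False sorts before True).
        candidates.sort(key=lambda r: (-r.target.prefixlen, r.metric, r.source is None))
        return candidates[0]


def build_example_table() -> RoutingTable:
    t = RoutingTable()
    # Directly attached networks: the management network and the static ISP network.
    t.add("mgmt", "192.168.200.0/24", "eth0")
    t.add("isp-net", "62.99.0.0/24", "port2")
    # The Untrusted ISP route introduces a default route via the ISP gateway.
    t.add("isp-default", "0.0.0.0/0", "port2", gateway="62.99.0.254", metric=10)
    # Backup default route from a DHCP link with a worse metric (constructed gateway).
    t.add("dhcp-default", "0.0.0.0/0", "dhcp", gateway="198.51.100.1", metric=20)
    # Source-based route: the constructed 10.0.5.0/24 network always leaves via the DHCP link.
    t.add("guest-via-dhcp", "0.0.0.0/0", "dhcp", gateway="198.51.100.1", metric=10,
          source="10.0.5.0/24")
    return t


def failover_walkthrough() -> Dict[str, Optional[str]]:
    """Run a few lookups before and after the ISP link fails; returns route names."""
    t = build_example_table()

    def pick(dst: str, src: Optional[str] = None) -> Optional[str]:
        r = t.lookup(dst, src)
        return r.name if r else None

    out: Dict[str, Optional[str]] = {}
    out["lan host"] = pick("192.168.200.50")                       # longest prefix wins
    out["internet, isp up"] = pick("203.0.113.10", "192.168.200.50")
    out["guest, isp up"] = pick("203.0.113.10", "10.0.5.7")        # source route wins the tie
    t.set_link("port2", False)                                      # ISP link goes down
    out["internet, isp down"] = pick("203.0.113.10", "192.168.200.50")
    out["isp net, isp down"] = pick("62.99.0.10")                  # attached route is gone too
    t.set_link("dhcp", False)
    out["internet, all down"] = pick("203.0.113.10", "192.168.200.50")
    return out


if __name__ == "__main__":
    for case, route in failover_walkthrough().items():
        print(f"{case:22} -> {route}")
```

The walkthrough shows why the guide recommends a Route Metric when a static default route is introduced next to dynamic links: with both default routes present, the lower metric decides, and when the ISP interface fails its directly attached route disappears together with its default route, so even 62.99.0.0/24 is then reached via the remaining link.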
Static Internet Connections

If your ISP assigns a static IP address or network to your Internet connection, configure a static Internet connection to connect the Barracuda NG Firewall to the Internet. You must add a route on box layer for the network port the ISP is connected to. The connection becomes active when the assigned IP address (or an IP address within the assigned network) is configured as a virtual server IP address or, if the unit is remotely managed, when an additional IP address is defined on box layer. For more information, see How to Configure an ISP with Static IP Addresses.

DHCP Connections

If the IP address is assigned dynamically by your ISP via a DHCP server, the Barracuda NG Firewall acts as a DHCP client. The Barracuda NG Firewall supports up to six concurrent DHCP connections. No extra routing rules need to be configured for DHCP connections. For more information, see How to Configure an ISP with Dynamic IP Addresses (DHCP).

xDSL Connections

The Barracuda NG Firewall supports xDSL connections using PPP, PPTP, and PPPoE. Because some xDSL providers periodically disconnect your xDSL modem from the network, xDSL link management automatically introduces and deactivates routes as required. For more information, see How to Configure an ISP with xDSL.

UMTS/3G Connections

Configure UMTS/3G WAN connections for locations without a terrestrial Internet connection, for mobile offices, or as backup lines. You must use a supported USB UMTS modem, such as the external Barracuda USB modem, for UMTS/3G connections. For information on setting up the Barracuda USB modem, see the Barracuda USB Modem Quick Start Guide (PDF). For information on how to configure UMTS/3G connections, see How to Configure an ISP with UMTS/3G.

ISDN Connections

The Barracuda NG Firewall ISDN configuration provides flexible dial-in options, dynamic DNS support, channel bonding (mppp), and usage of a second S0 bus with a different phone number.
ISDN connections can be used with static or dynamic IP addresses. For more information, see How to Configure an ISP with ISDN.

Link Balancing and Failover

Configure link balancing and failover to optimize usage of two or more WAN connections. Use custom connection objects to select the optimal connection for the traffic handled by that access rule. You can define multiple connection objects, each with a different failover or link balancing policy. You can also use route metrics for basic link failover functionality.
For information on link balancing for multiple WAN connections, see How to Configure Link Balancing and Failover for Multiple WAN Connections.
For information on link balancing for two DHCP connections, see How to Configure Automatic Failover with Dual DHCP WAN Connections using the Same Remote Gateway.

How to Configure an ISP with Static IP Addresses

If your Internet connection is using static IP addresses or entire network ranges assigned by your ISP, you must create routing entries on box level and then assign the IP address(es) to the virtual server. Choose the network type Untrusted to automatically create a default route (0.0.0.0/0) for the connection.

In this article:
Before you Begin
Step 1. Add a Direct Route
Step 2. Network Activation
Step 3. Add the Static IP Address to a Virtual Server
Verify the Network Configuration

Before you Begin

Connect the network equipment installed by your provider to an unused port (not the management port) of your Barracuda NG Firewall.

Step 1. Add a Direct Route

Create a direct attached route entry to create the network on box level of the Barracuda NG Firewall. Be sure to create the route on the port the ISP is plugged into.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select Routing.
3. Click Lock.
4. In the Main Routing Table, click + to add a new route.
5. Enter a Name for the route and click OK.
6. In the Target Network Address field, enter the IP address of the target network, e.g., 62.99.0.0/24.
7. Select directly attached network as the Route Type.
8. From the Interface Name list, select the port the ISP is connected to, e.g., port 2.
9. If the default route will be introduced in an environment where multiple dynamic links are available, specify a Route Metric.
10. Select Untrusted as the Trust Level.
11. Enter the Default Gateway IP address, e.g., 62.99.0.254.
12. Click OK.
13. Click Send Changes and Activate.

Step 2. Network Activation

After you create or change basic network configurations such as routing, you must activate your new network configuration.
1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Soft. The 'Soft Activation Succeeded' message is displayed after your new network configuration has been successfully activated.
Your route is now displayed as a disabled route (grey "x" icon) in CONTROL > Network.

Step 3. Add the Static IP Address to a Virtual Server

Assign the individual WAN IP addresses you want to use to the virtual servers on the Barracuda NG Firewall. By introducing the external IP addresses on the virtual server, you can use a high availability (HA) cluster to transfer the WAN address to the secondary unit and still be reachable under the same IP address. In our example, you would enter 62.99.0.221 in the virtual Server Properties (CONFIGURATION > Full Configuration > Virtual Servers > your virtual server) as the First-IP, Second-IP, or Additional IP address. For more information, see Virtual Servers and Services.

Verify the Network Configuration

Open the CONTROL > Network page to verify that all network routes have been introduced successfully.
Verify that the WAN IP addresses are displayed with a green status icon, that the introduced routes are available in the Main and Default tables, and that the default route is directing traffic through your ISP connection.

How to Configure an ISP with Dynamic IP Addresses (DHCP)

If your ISP assigns the IP address via a DHCP server, configure a DHCP interface on the port the ISP is plugged into. The Barracuda NG Firewall supports up to six DHCP connections. You can operate a DHCP connection in active or standby mode. In active mode, the link is automatically brought up during the network activation process. In standby mode, the link is dormant until it is activated by a command line script. For each link, you can configure separate connection details, and routing and monitoring settings. If multiple DHCP connections to a remote network or the Internet use the same remote gateway, only one of these connections can be active at the same time.

In this article:
Before you Begin
Step 1. Create a DHCP Connection
Step 2. (optional) Configure Dynamic DNS for the DHCP link
Step 3. Configure Routing Settings
Step 4. Configure Connection Monitoring
Step 5. Activate the Network Changes
Operating a DHCP Link in Standby Mode

Before you Begin

Before creating the Internet connection, verify which port you are using to connect to your ISP. This port is subsequently used exclusively for the DHCP connection. No other IP addresses or routes may use it. The port is renamed to dhcp.

Step 1. Create a DHCP Connection

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select xDSL/DHCP/ISDN.
3. Click Lock.
4. Set DHCP Enabled to Yes.
5. In the DHCP Links table, click + to add an entry.
6. Enter a name for the link and click OK. The DHCP Links window opens.
7. Select the interface the ISP is connected to in the DHCP Interface list, e.g., eth1 or port 3.
8. If you want to use the DNS servers provided by your ISP, set Use Provider DNS to Yes.

Step 2. (optional) Configure Dynamic DNS for the DHCP link

1. (optional) Enable Use Dynamic DNS if you are using a dyndns.org account for dynamic DNS.
2. Click Set. The Dynamic DNS Params window opens.
3. Select a dynamic DNS Service Type. For information about available DynDNS service types, see http://dyn.com/dns/.
4. Enter the Dyn DNS Name that was registered at dyndns.org.
5. Enter the User Access ID and Password for accessing the server as defined during registration at dyndns.org. Changing the MX setting is not recommended. If required, see www.dyndns.org for detailed information.
6. Click OK.

Step 3. Configure Routing Settings

Configure the routes and routing tables for the DHCP link.

1. In the Routing section, disable Own Routing Table to route all traffic to the target networks through this DHCP interface, or enable Own Routing Table to specify which networks should be routed through the interface.
   a. Add the Source Networks (IP/mask notation; for a single host, enter 32 as the netmask, e.g., 192.168.0.55/32).
   b. Enable Clone Routes to clone the dynamic routes to the main or default table. This setting is useful for setups where application-based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).
2. Enable Create Default Route to automatically introduce the default route assigned by the provider. When disabling Create Default Route, specify the Target Networks that will be reachable through the interface. If your route should be set dynamically when the DHCP connection is established, add 0.0.0.0/0 to the Target Networks table.
3. Select Advertise Route when using dynamic routing protocols such as OSPF/RIP/BGP.
4. Select Untrusted as the Trust Level.
5. Specify the route preference number in the Route Metric field if multiple ISP connections are available.
6. Enable GRE with Assigned IP if you want to create a PPTP server listening on the dynamic IP address.

Step 4. Configure Connection Monitoring

The connection is monitored by pinging a remote IP address every 20 seconds. When the remote reachable IP does not answer two ICMP probes, the connection is either terminated or the routing metric is increased, depending on which Unreachable Action is set. If the connection is terminated, the Barracuda NG Firewall will attempt to connect until the connection is re-established successfully.

1. (optional) In the Reachable IPs table, add at least one target IP address that will be regularly pinged to monitor the availability of the connection. Target IP addresses must be accessible only via the DHCP connection.
2. (optional) Select the Unreachable Action to be taken if the connection cannot be established. The following options are available:
   a. Restart – Restarts the DHCP connection.
   b. Increase-Metric – Changes the preference for DHCP routes until the probe succeeds.
3. Click OK.
4. Click Send Changes and Activate.

The DHCP link is now listed in DHCP Links.

Step 5. Activate the Network Changes

You must activate the network changes to bring up the ISP connection with a dynamic IP address.

1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Soft. The 'Soft Activation Succeeded' message is displayed after your new network configuration has been successfully activated.

Your DHCP connection is now established and the IP address assigned by your ISP is visible on the CONTROL > Network page. All status icons next to the DHCP link are green, indicating an active connection. If the DHCP connection is your primary uplink, the default route uses the connection information from your DHCP interface. If more than one default route is present, the connection with the lowest route metric is used.

Operating a DHCP Link in Standby Mode

In standby mode, activation and subsequent monitoring of the link must be triggered externally. Standby mode also lets you combine HA setups for HA DHCP connections. In standby mode,

1. The involved routes are set to pending state, and it is not checked whether they are established.
2. The configuration is completely run through, but the connection is not established.

Connections are handled from the command-line interface via a server-side script:

Start all DHCP connections - /etc/phion/dynconf/network/openxdhcp start &
Stop all DHCP connections - /etc/phion/dynconf/network/openxdhcp stop &
Start an explicit DHCP connection - /etc/phion/dynconf/network/openxdhcp start <linkname> &
Stop an explicit DHCP connection - /etc/phion/dynconf/network/openxdhcp stop <linkname> &

How to Configure an ISP with xDSL

An xDSL connection is a tunneled connection using Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP), depending on your ISP. The Barracuda NG Firewall can handle up to four xDSL connections. The WAN IP address assigned by the ISP can be dynamic or static, depending on your ISP.

Before you Begin

To use Dynamic DNS, you must have an active account at www.dyndns.org. For more information on DynDNS, see http://dyn.com/dns/.
To use the xDSL connection as part of a PPP multilink bundle, your ISP must support PPP multilink connections.
If your ISP supports synchronous PPP mode, using it can result in higher PPP performance. The performance gain is achieved only in some cases and depends on your and your ISP's setup. Enabling synchronous PPP without support of the remote server causes an unstable connection and massive performance loss.
Configuring an ISP with xDSL

Configure an xDSL connection using PPPoE or PPTP as the tunneling protocol, depending on your ISP:
How to Configure an ISP with xDSL using PPPoE
How to Configure an ISP with xDSL using PPTP

How to Configure an ISP with xDSL using PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) provides an easy solution for high-speed access services by using broadband modems. Configure an xDSL connection using PPPoE that uses the configuration parameters supplied by your ISP. PPPoE requires no special configuration of the access network. Each PPP session learns the Ethernet address of the remote peer and creates a unique session identification (ID).

In this article:
Before you Begin
Step 1. Configure Link Properties
Step 3. Configure Authentication
Step 4. Configure Routing Settings
Step 5. Configure Connection Monitoring
Step 6. Activate Network Changes
Operating an xDSL Link in Standby Mode
Troubleshooting

Before you Begin

Connect the Ethernet port of the ISP modem to a free port of your Barracuda NG Firewall. Depending on the modem, a standard Ethernet cable or a crossover cable must be used. Contact the ISP or the vendor of the xDSL modem for more information.

Step 1. Configure Link Properties

Specify the properties for the xDSL link and define the transport protocol for PPP.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select xDSL/DHCP/ISDN.
3. Click Lock.
4. Set xDSL Enabled to Yes.
5. In the XDSL Links table, click + to add an entry.
6. Enter a name for the xDSL link (no special characters) and click OK. The xDSL Links window opens.
7. Select the Connection Type to specify the transport protocol for PPP.
8. (optional) Enter the Static Local and Gateway IP address if your ISP does not assign it automatically.
9. Select the Ethernet Interface the xDSL modem is attached to.

PPPoA, PPPoE and Bridged Ethernet are only usable with a legacy-integrated ADSL modem.

Step 3. Configure Authentication

Most ISPs require authentication information to connect. These configuration settings are provided by your ISP. If no authentication is required, set Authentication Method to NONE.

1. In the Authentication section, select the Authentication Method. Default: PAP_or_CHAP
2. Enter the User Access ID (PPP username) assigned by your ISP.
3. If provided by your ISP, enter the User Access Sub-ID. The # and @ symbols are generated automatically. The complete user ID is formatted as follows: [user_id]#[access_sub_id]@[provider_name], e.g., 000xxxxxxxxx520069204717#[email protected]
4. Enter the Access Password assigned by your ISP.
5. If you want to use your ISP's DNS servers, select Use ProviderDNS.
6. To use dynamic DNS, select Use Dynamic DNS and click Set. The Dynamic DNS Params window opens.
   a. Select a dynamic DNS Service Type. For information on DynDNS service types, see http://www.dyndns.com/services/.
   b. Enter the Dyn DNS Name that was registered on dyndns.org.
   c. Enter the User Access ID and Password for accessing the dyndns.org service.
7. Click OK.

Step 4. Configure Routing Settings

Configure whether to create a default route, dynamic routing, and the route metric.

1. Set Create Default Route to YES to automatically create a default route via this xDSL connection.
2. If you are using dynamic routing protocols like OSPF/RIP/BGP, enable Advertise Route.
3. Enter a Route Metric if multiple dynamic links are available. The link with the lowest route metric is automatically chosen if more than one default route is available.

Step 5. Configure Connection Monitoring

Configure log settings and define target IP addresses that will be regularly pinged to monitor the availability of the connection. Each target IP address is pinged every 20 seconds (2 ICMP packets each). If there is no response, the link is re-established.

1. In the Connection Monitoring section, select the Monitoring method:
   LCP – If ping fails, the dial-in daemon is probed directly via LCP.
   ICMP – The Barracuda NG Firewall probes the Reachable IPs and, if there is no response, the gateway.
   StrictLCP – No ICMP probing occurs.
2. Enter one or more Reachable IPs to monitor the availability of the connection. The target IP addresses should only be accessible via the xDSL connection.
3. Select the Unreachable Action to be taken if the connection cannot be established. The following options are available:
   Restart – Restarts the xDSL connection.
   Increase-Metric – Changes the preference for xDSL routes until the probe succeeds.
4. Click OK.
5. Click Send Changes and Activate.

Step 6. Activate Network Changes

You must activate the network changes to bring up the xDSL connection.

1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe. The 'Failsafe Activation Succeeded' message is displayed after your new network configuration has been successfully activated.

Your xDSL connection is now active and the IP address assigned by your ISP is visible on the CONTROL > Network page. All status icons next to the ppp1 interface are green, indicating an active connection. If the xDSL connection is your primary Internet connection, the default route pointing to the ppp1 interface is also created. If more than one default route is present, the connection with the lowest route metric is used.

Operating an xDSL Link in Standby Mode

If required, e.g., for maintenance purposes, you can enable Standby Mode in the link configuration. In standby mode, the activation and subsequent monitoring of the link must be triggered externally. Standby mode also lets you combine HA setups for HA xDSL connections. In standby mode,

1. The involved routes are set to pending state, and it is not checked whether they are established.
2. The configuration is completely run through, but the connection is not yet established.

Connecting is handled from the command-line interface via a server-side script that is used for starting and stopping the connection with the corresponding command lines:

Start all xDSL connections - /etc/phion/dynconf/network/openxdsl start &
Stop all xDSL connections - /etc/phion/dynconf/network/openxdsl stop &
Start an explicit xDSL connection - /etc/phion/dynconf/network/openxdsl start <linkname> &
Stop an explicit xDSL connection - /etc/phion/dynconf/network/openxdsl stop <linkname> &

<linkname> is the name of the configuration entry in the xDSL Links list.

Troubleshooting

In some cases, especially in combination with PPPoE acceleration, the segment size of the packets going into the tunnel might be too big. Set the MSS (Maximum Segment Size) to 1350 and Clear DF Bit to Yes in the Advanced Settings tab for all access rules handling incoming and outgoing traffic for the PPPoE connection.

How to Configure an ISP with xDSL using PPTP

xDSL connections can also use the Point-to-Point Tunneling Protocol (PPTP). You can operate the xDSL connection in active or standby mode. In standby mode, the activation and subsequent monitoring of the link must be triggered externally.

In this article:
Before you Begin
Step 1. Create an xDSL Connection
Step 2. Configure Connection Details
Step 3. Configure Authentication
Step 4. Configure Routing Settings
Step 5. Configure Connection Monitoring
Step 6. Activate Network Changes
Operating an xDSL Link in Standby Mode

Before you Begin

Connect the xDSL modem to a port on the Barracuda NG Firewall. Verify that you have all the necessary configuration information provided to you by your ISP.

Step 1. Create an xDSL Connection

Enable xDSL and create a new xDSL connection.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select xDSL/DHCP/ISDN.
3. In the Configuration Mode menu, select Switch to Advanced.
4. Click Lock.
5. Enable xDSL.
6. In the xDSL Links table, click + to add an entry.
7. Enter a name for the link (no special characters) and click OK. The xDSL Links window opens.
8. Enable Synchronous PPP if supported by your ISP and applicable to your network environment.
9. Select PPTP as the Connection Type.
10. Enter the Static Local and Gateway IP address if your ISP does not assign it automatically.

Step 2. Configure Connection Details

Enter the PPTP configuration settings you received from your ISP.

1. Enter the Modem IP address or the IP address of the PPTP server in the PPTP Connection Details section.
2. Select the applicable option from the Local IP Selection list:
   Static – The local address is used. Select this if your provider expects you to use a static IP address. Enter the Local IP address that is used to establish a connection with the specified modem IP address. You must use a local IP address that is already configured. This address is used for local GRE protocol registration with the local firewall.
   DHCP – Your provider first assigns a local net via DHCP through which the DSL modem is then reached. The path to the modem is selected according to current routing.
   Dynamic – The device selects the address that is provided by routing to reach the PPTP server. This address is then reported to the firewall engine for GRE registration.
   In the Required DHCP Link field, enter the name of the DHCP section that this xDSL link relies upon for providing a routing path to the specified modem IP address.
3. Add the IP address of the gateway in the Gateway to Modem IP field if the xDSL modem or PPTP server is not directly attached to the gateway. A gateway route will automatically be created for PPTP.
This setting and the Required DHCP Link setting are mutually exclusive.

Step 3. Configure Authentication

1. In the Authentication section, select the Authentication Method for the connection.
2. In the User Access ID field, enter the principal account name (PPP username) assigned by your provider.
3. Enter the User Access Sub-ID if provided. The # and @ symbols are generated automatically. The complete user ID is formatted as follows: [user_id]#[access_sub_id]@[provider_name], e.g., 000xxxxxxxxx520069204717#[email protected]
4. Enter the PPP Access Password assigned by your ISP.
5. If you want to use your ISP's DNS server, select Use ProviderDNS.
6. If you are using dynamic DNS, select Use Dynamic DNS.
   a. Click Set. The Dynamic DNS Params window opens.
   b. Select a dynamic DNS Service Type. For information about available DynDNS service types, see http://www.dyndns.com/services/.
   c. Enter the Dyn DNS Name that was registered at dyndns.org.
   d. Enter the User Access ID and Password for accessing the server as defined during registration at dyndns.org.
7. Click OK.

Step 4. Configure Routing Settings

Configure the routes and routing tables for the xDSL link. For PPP multilink bundles, the routing settings of the primary link are adopted for the bundled link.

1. In the Routing section, enable Create Default Route. This automatically introduces a default route for the xDSL link.
2. If you are using dynamic routing protocols, enable Advertise Route. For more information, see OSPF/RIP/BGP.
3. Enter the Route Metric. If multiple routes to the same destination are available, the Barracuda NG Firewall selects the route with the lowest route metric. If this route becomes unavailable, the route with the second lowest route metric is automatically selected. Default: 50

Step 5. Configure Connection Monitoring

Configure log settings and define target IP addresses that will be regularly pinged to monitor the availability of the connection. Each target IP address is pinged every 20 seconds (2 ICMP packets each). If there is no response, the link is re-established.

1. In the Connection Monitoring section, select the Monitoring method:
   LCP – If pings are not answered, the Barracuda NG Firewall uses LCP to probe the dial-in daemon directly.
   ICMP – The Reachable IPs are periodically pinged; if there is no response, the gateways are probed.
   StrictLCP – No ICMP probing occurs.
2. Add at least one target IP address to the Reachable IPs table. The target IP addresses must be accessible only via the xDSL connection.
3. Select the Unreachable Action to be taken if the connection cannot be established. The following options are available:
   Restart – Restarts the xDSL connection.
   Increase-Metric – Increases the metric for the xDSL connection, so that a backup connection (which now has the lowest metric) is chosen until the health check targets are reachable again.
4. Click OK.
5. Click Send Changes and Activate.

Step 6. Activate Network Changes

You must activate the network changes to bring up the xDSL connection.

1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe. The 'Failsafe Activation Succeeded' message is displayed after your new network configuration has been successfully activated.

Your xDSL connection is now active and the IP address assigned by your ISP is visible on the CONTROL > Network page. All status icons next to the ppp1 interface are green, indicating an active connection. If the xDSL connection is your primary Internet connection, the default route pointing to the ppp1 interface is also created. If more than one default route is present, the connection with the lowest route metric is used.
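The Connection Monitoring step and the route-metric rule above (Reachable IPs pinged every 20 seconds with two ICMP probes, Unreachable Action Restart or Increase-Metric, and the lowest-metric default route winning) can be simulated to see how a primary/backup pair fails over and back. This is an added example written for this page, not Barracuda code; the interface names, health-check targets, the metric penalty and the probe results are constructed.

```python
"""Simulation of the uplink health-check and route-metric failover policy
described in the Connection Monitoring and Routing Settings steps.
Added example, not Barracuda code: link names, health-check targets, probe
results and the metric penalty are constructed; only the policy (20 s interval,
two ICMP probes, Restart / Increase-Metric, lowest metric wins) follows the guide."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

PROBE_INTERVAL_S = 20   # each Reachable IP is pinged every 20 seconds
PROBES_PER_CHECK = 2    # two ICMP probes per check
METRIC_PENALTY = 100    # constructed: how far Increase-Metric raises the metric

PingFn = Callable[[str, str], bool]   # (link name, target ip) -> probe answered?


@dataclass
class Uplink:
    name: str                  # interface name as shown in CONTROL > Network, e.g. ppp1
    metric: int                # configured Route Metric; the lowest metric wins
    reachable_ips: List[str]   # health-check targets reachable ONLY via this link
    unreachable_action: str    # "Restart" or "Increase-Metric"
    base_metric: int = 0       # remembered so Increase-Metric can be undone
    up: bool = True
    restarts: int = 0

    def __post_init__(self) -> None:
        if self.unreachable_action not in ("Restart", "Increase-Metric"):
            raise ValueError(f"unknown Unreachable Action: {self.unreachable_action}")
        self.base_metric = self.metric


def check_link(link: Uplink, ping: PingFn) -> bool:
    """One monitoring cycle: the link is healthy if any target answers at least
    one of its two probes. A target that answers neither probe counts as
    unreachable, matching 'does not answer two ICMP probes' in the guide."""
    if not link.reachable_ips:
        return True            # nothing to monitor (Reachable IPs are optional for DHCP links)
    for ip in link.reachable_ips:
        if any(ping(link.name, ip) for _ in range(PROBES_PER_CHECK)):
            return True
    return False


def apply_unreachable_action(link: Uplink, healthy: bool) -> None:
    """Apply the configured Unreachable Action, or undo it once probes succeed."""
    if healthy:
        link.metric = link.base_metric   # preference restored, link usable again
        link.up = True
        return
    if link.unreachable_action == "Restart":
        link.restarts += 1
        link.up = False                  # connection terminated and re-dialled
    else:                                # Increase-Metric
        link.metric = link.base_metric + METRIC_PENALTY


def select_default_route(links: List[Uplink]) -> Optional[str]:
    """Among established links, the default route with the lowest metric wins."""
    candidates = [link for link in links if link.up]
    if not candidates:
        return None
    return min(candidates, key=lambda link: (link.metric, link.name)).name


def run_monitor(links: List[Uplink],
                answering: Dict[int, Set[Tuple[str, str]]],
                cycles: int) -> List[Tuple[int, Optional[str]]]:
    """Run `cycles` checks 20 s apart. `answering` maps a cycle number to the
    (link, target) pairs whose ICMP probes succeed in that cycle (a constructed
    stand-in for real pings). Returns (seconds, active default route) per cycle."""
    history: List[Tuple[int, Optional[str]]] = []
    for cycle in range(cycles):
        ok = answering.get(cycle, set())
        ping: PingFn = lambda name, ip, ok=ok: (name, ip) in ok
        for link in links:
            apply_unreachable_action(link, check_link(link, ping))
        history.append((cycle * PROBE_INTERVAL_S, select_default_route(links)))
    return history


def demo_failover() -> List[Tuple[int, Optional[str]]]:
    """xDSL primary (metric 10, Increase-Metric) with a UMTS backup (metric 50).
    Constructed scenario: the primary's target goes silent for cycles 2 and 3."""
    primary = Uplink("ppp1", 10, ["198.51.100.1"], "Increase-Metric")
    backup = Uplink("ppp5", 50, ["203.0.113.1"], "Restart")
    both = {("ppp1", "198.51.100.1"), ("ppp5", "203.0.113.1")}
    backup_only = {("ppp5", "203.0.113.1")}
    schedule = {0: both, 1: both, 2: backup_only, 3: backup_only, 4: both}
    return run_monitor([primary, backup], schedule, cycles=5)


if __name__ == "__main__":
    for seconds, route in demo_failover():
        print(f"t={seconds:3d}s  default route via {route}")
```

A target that is also reachable over the backup link would keep answering while the primary is down and mask the outage, which is why the guide requires Reachable IPs that are accessible only via the monitored connection.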
Operating an xDSL Link in Standby Mode

If required, e.g., for maintenance purposes, you can enable Standby Mode in the link configuration. In standby mode, the activation and subsequent monitoring of the link must be triggered externally. Standby mode also lets you combine HA setups for HA xDSL connections. In standby mode,

1. The involved routes are set to pending state, and it is not checked whether they are established.
2. The configuration is completely run through, but the connection is not yet established.

Connecting is handled from the command-line interface via a server-side script that is used for starting and stopping the connection with the corresponding command lines:

Start all xDSL connections - /etc/phion/dynconf/network/openxdsl start &
Stop all xDSL connections - /etc/phion/dynconf/network/openxdsl stop &
Start an explicit xDSL connection - /etc/phion/dynconf/network/openxdsl start <linkname> &
Stop an explicit xDSL connection - /etc/phion/dynconf/network/openxdsl stop <linkname> &

<linkname> is the name of the configuration entry in the xDSL Links list.

How to Configure an ISP with UMTS/3G

For locations without a land-based Internet connection, or as a backup in case the land-based ISP connections fail, you can use a UMTS/3G broadband modem to connect to a 3G network. Configure the connection settings and introduce a network route via the 3G WAN interface. You can operate the UMTS link in active or standby mode. In active mode, the link is automatically brought up with the network activation process. When operating the link in standby mode, the link is manually brought up and down by a command script.

In this article:
Before you Begin
Step 1. Configure Connection Details
Step 2. Configure Authentication
Step 3. Configure Routing Settings
Step 4. Configure Connection Monitoring
Step 5. Activate Network Changes
Operating a UMTS/3G Link in Standby Mode

Before you Begin

Connect a supported modem (e.g., Barracuda 3G Modem) to the USB port of the Barracuda NG Firewall.
You need the APN configuration settings for your mobile broadband provider.
(optional) PIN code to unlock your SIM card.

Step 1. Configure Connection Details

Configure the settings for your UMTS card and specify the connection details.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select UMTS/3G.
3. Click Lock.
4. Set UMTS/3G Enabled to Yes.
5. To use the 3G modem as a backup connection, set Standby Mode to Yes. Standby connections must be started by a command line script. For more information, see Operating a UMTS/3G Link in Standby Mode.
6. Select your UMTS/3G modem from the UMTS/3G Modem Card list, e.g., Barracuda 3G Modem.
7. Select the interface associated with the UMTS card from the Modem Interface list.
8. Enter the Access Point Name (APN) as suggested by your provider.
9. If your SIM card has a PIN code to unlock, enter the SIM PIN.
10. If required, enter the Phone Number. (Do not enter the # sign.) If your mobile broadband provider does not assign a number that ends in 1, switch to Advanced Configuration Mode and change the Context Identifier setting in the PDP Context section accordingly.

Step 2. Configure Authentication

Select an authentication method and enter the PPP credentials provided by your ISP. You can also set up dynamic DNS.

1. In the Authentication section, select the Authentication Method that is used for the connection.
2. In the User Access ID field, enter the principal account name (PPP username) assigned to you by your provider.
3. If your provider assigned a sub-ID to you, enter it in the User Access Sub-ID field. Do not enter the # sign.
4. Enter the PPP Access Password assigned to you by your ISP.
5. Select Use ProviderDNS to use the DNS servers assigned by your provider.
6. To use dynamic DNS, select Use Dynamic DNS and click Set. The Dynamic DNS Params window opens.
   a. Select a dynamic DNS Service Type. For information on DynDNS service types, see http://www.dyndns.com/services/.
   b. Enter the Dyn DNS Name that was registered on dyndns.org.
   c. Enter the User Access ID and Password for accessing the dyndns.org service.
7. Click OK.

Step 3. Configure Routing Settings

Configure the routes and routing tables for the UMTS link.

1. In the Routing section, disable Own Routing Table to only insert routes in the main and default tables, or enable Own Routing Table to use policy routing. With policy routing, a new table named 'umts1' is introduced to the main routing table where UMTS routes are inserted.
   a. To use the IP address dynamically assigned by your ISP as the source network for policy routing, select Use Assigned IP. Until the ISP has successfully assigned an address, the rule uses 0.0.0.0 as the source address.
   b. In the Source Networks table, add source networks or single hosts that will point to the 'umts1' table (IP address/netmask notation; for a single host, enter 32 as the netmask, e.g., 192.168.0.55/32).
2. Enable Create Default Route to automatically introduce the default route assigned by the provider. When disabling Create Default Route, you must add Target Networks that are supposed to be reachable through this link.
3. Use the Remote Peer IP override mechanism if your provider does not assign a remote gateway IP address.
4. If your default route should be set dynamically when the connection is established, add 0.0.0.0/0 to the Target Networks table.
5. When the OSPF/RIP/BGP service is used, select Advertise Route.
6. Select a Trust Level to define which IP address types are counted by the firewall for traffic on this interface.
7. Enable Clone Routes to clone the dynamic routes to the main or default table if Create Default Route is disabled. This setting is useful for setups where application-based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).
8. Specify a Route Metric to assign a preference number to the routes to the specified target networks or if multiple dynamic links are available. To use your UMTS uplink as a backup connection (provider failover), enter a value larger than 0.
9. Enable GRE with Assigned IP to register the assigned IP address for IP protocol 47.

Step 4. Configure Connection Monitoring

Configure connection monitoring by entering a list of health check targets that are only reachable through this connection. Should the ping to these health check targets fail, the Barracuda NG Firewall will terminate and re-establish the connection until the monitoring target IP addresses are reachable again.

1. In the Connection Monitoring section, select the Monitoring method:
   LCP – If ping fails, the dial-in daemon is probed directly via LCP.
   ICMP – The Barracuda NG Firewall probes the Reachable IPs and, if there is no response, the gateway.
   StrictLCP – No ICMP probing occurs.
2. Enter one or more Reachable IPs to monitor the availability of the connection. The target IP addresses should only be accessible via this connection. Do not use the Modem Error Policy setting for USB modems such as the Barracuda M10 USB modem. To reset the bus for PCMCIA type modems on persistent error conditions, select Reset-Modem.
3. Select the Unreachable Action to be taken if the connection cannot be established. The following options are available:
   Restart – Restarts the connection.
   Increase-Metric – Changes the preference for UMTS/3G routes until the probe succeeds.
4. Click OK.
5. Click Send Changes and Activate.

Step 5. Activate Network Changes

You must activate the network changes to bring up the UMTS/3G connection.

1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe. The 'Failsafe Activation Succeeded' message is displayed after your new network configuration has been successfully activated.

Your UMTS/3G connection is now active and the IP address assigned by your ISP is visible on the CONTROL > Network page. All status icons next to the ppp5 interface are green, indicating an active connection. If the UMTS/3G connection is your primary uplink, the default route pointing to the ppp5 interface is also created. If more than one default route is present, the connection with the lowest route metric is used.

Operating a UMTS/3G Link in Standby Mode

Enable Standby Mode in the link configuration if the UMTS/3G connection is used as a backup connection. In standby mode, the activation and subsequent monitoring of the link must be triggered externally. Standby mode also lets you combine HA setups for HA UMTS/3G connections. In standby mode,

1. The UMTS/3G routes are set to pending, and the Barracuda NG Firewall does not check whether they are established.
2. The configuration is completely run through, but the connection is not yet established.

Standby connections can only be started by a command line script.
Example usage:

Start UMTS connections - /etc/phion/dynconf/network/openumts start first &
Stop UMTS connections - /etc/phion/dynconf/network/openumts stop first &

To enable link operation in standby mode,

1. On the UMTS/3G page, enable Standby Mode.
2. Select Register in Standby. This accelerates the dial-in process when the link is fully activated.
3. In the UMTS/3G Connection Details, enable Active GSM Channel to register on the 3G network. No data connection is established when registering on the 3G network.
4. Click Send Changes and Activate.

You can now use the command line scripts listed above to enable the UMTS/3G connection.

How to Display the Barracuda UMTS Modem IMEI

If you want to get the IMEI and/or software version information of an attached USB UMTS modem (M10/M11), you can do so on the command line using minicom.

Step 1. Change the Minicom Serial Port to the UMTS Modem

1. Connect to your Barracuda appliance on the shell as the root user.
2. Stop the UMTS connection with the command:
   [root@ng:~]# /etc/phion/bin/openumts stop
3. Start the minicom setup with the command:
   [root@ng:~]# minicom -s
   The text-based minicom menu is displayed.
4. Select Serial port setup.
5. Select A > Serial Device and change this to /dev/ttyUSB2 or /dev/ttyUSB1, depending on which USB port the modem is connected to.
6. Press Enter.
7. Select Save setup as dfl.
8. Select Exit from Minicom. This setting is now configured as the default for minicom.

Step 2. Enter the AT Command to Display the Modem Details

1. Start minicom with the default settings:
   [root@ng:~]# minicom
2. Enter the AT command ATI. If you also want the software version, enter AT+LCTSW. The output will be shown as follows:
3. To leave minicom, press Ctrl+a and z and select q to exit.

Step 3. Restart the UMTS Connection

Restart the UMTS connection:
[root@ng:~]# /etc/phion/bin/openumts start

How to Configure an ISP with ISDN

The Barracuda NG Firewall supports up to four ISDN connections. The ISDN connection is initiated at startup or in Dial-On-Demand mode when used as a backup connection.

In this article:
Before you Begin
Step 1. Create and Configure the ISDN Connection
Step 2. Configure Authentication
Step 3. Configure Connection Monitoring
Step 4. Activate Network Changes
Operating an ISDN Link in Standby Mode

Before you Begin

Verify that you have the necessary configuration information provided to you by your ISP. Before configuring channel bonding (=mppp), verify that your provider supports this feature.

Step 1. Create and Configure the ISDN Connection

Enter the properties for the ISDN modem card and configure connection details.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select xDSL/DHCP/ISDN.
3. Click Lock.
4. Set ISDN Enabled to Yes.
5. To use the ISDN modem as a backup connection, set Standby Mode to Yes. Standby connections must be started by a command line script. For more information, see Operating an ISDN Link in Standby Mode.
6. Click Set next to ISDN Settings. The ISDN Settings window opens.
7. Select your card type from the ISDN Modem Card list.
8. Enter the Provider Phone Number that has been given to you by your provider.
9. Select the applicable Encapsulation Mode. The following modes are available:
   SyncPPP (default) – Bit-oriented transfer protocol.
   RawIP – No PPP; IP addresses must be specified manually. This mode can only be used with static IP addresses.
10. Select the Dial Mode. If set to Dial-On-Demand, specify Idle Hangup Time to automatically disable the link when it is not used anymore.
11. Enable Use Channel Bonding if applicable and supported by your ISP:
    a. Click Set next to Channel Bonding Settings and adjust the on-demand bandwidth allocation for the second channel.
    b. Enable Use 2nd S0 Bus if a 2nd S0 is required.
    c. Click Set next to Parameters for 2nd S0 Bus and configure the settings.
12. If you want to restrict the time when the ISDN connection can be established, set Dial Allowed From / Until.
13. If your ISP assigned your connection a static address, disable Dynamic Address Assignment and enter the Static IP/Mask and Static Gateway IP address.

Step 2. Configure Authentication

Select an authentication method and enter the credentials provided by your ISP.

1. In the Authentication section, select the Authentication Method that is used for the connection.
2. Enter the User Access ID, Sub-ID, and Password assigned by your provider. Do not enter the # sign.
3. If required, enter the Provider Name, which is appended to your User Access ID.
4. Select Use ProviderDNS to use the DNS servers assigned by your provider.
5. When using dynamic DNS, select Use Dynamic DNS and click Set. The Dynamic DNS Params window opens.
   a. Select a dynamic DNS Service Type. For information about available DynDNS service types, see http://www.dyndns.com/services/.
   b. Enter the Dyn DNS Name that was registered at dyndns.org.
   c. Enter the User Access ID and Password for accessing the server as defined during registration at dyndns.org.

Step 3. Configure Connection Monitoring

Configure connection monitoring by entering a list of health check targets that are only reachable through this connection. Should the ping to these health check targets fail, the Barracuda NG Firewall will terminate and re-establish the connection until the monitoring target IP addresses are reachable again.

1. In the Connection Monitoring section, select the Monitoring method:
   LCP – If ping fails, the dial-in daemon is probed directly via LCP.
ICMP – The Barracuda NG Firewall probes the Reachable IPs and, if there is no response, the gateway. StrictLCP – No ICMP probing occurs. 2. Enter one or more Reachable IPs to monitor the availability of the connection. The target IP addresses should only be accessible via this connection. 3. Select the Unreachable Action to be taken if the connection cannot be established. The following options are available: Restart – Restarts the connection. Increase-Metric – Changes the preference for ISDN routes until the probe succeeds. 4. Click OK. 5. Click Send Changes and Activate. Step 4. Activate Network Changes You must activate the network changes to bring up the xDSL connection. 1. Go to CONTROL > Box. 2. In the left menu, expand the Network section and click Activate new network configuration. 3. Select Failsafe. The 'Failsafe Activation Succeeded' message is displayed after your new network configurations have been successfully activated. Your ISDN connection is now active and the IP addresses assigned by your ISP are visible on the CONTROL > Network page. The status icons next to the ISDN interface are green, indicating an active connection. If the ISDN connection is your primary uplink, the default route pointing to the ISDN interface is also created. If more than one default route is present, the connection with the lowest route metric is used. Operating an ISDN Link in Standby Mode Enable Standby Mode in the ISDN configuration if you want to use the ISDN connection as a backup uplink. In standby mode, activation and subsequent monitoring of the connection must be triggered externally. Standby mode also lets you combine HA setups for HA ISDN connections. 1. The ISDN routes are set to pending, and the Barracuda NG Firewall does not check whether they are established. 2. The configuration is completely run through but the connection is not yet established. Standby connection can only be started by a command line script. 
Example usage:
Connection start – /etc/phion/dynconf/network/isdnrestart &
Connection stop – /etc/phion/dynconf/network/wipeisdn &

How to Configure Link Balancing and Failover for Multiple WAN Connections

If you are using two DHCP connections from the same carrier that use the same remote network and gateway, see How to Configure Automatic Failover with Dual DHCP WAN Connections using the Same Remote Gateway.

If you are using two or more ISP connections, you can use outbound link and load balancing to balance the traffic between the different Internet connections. If one ISP goes down, the traffic is routed over the remaining connection. Basic link failover functionality can be achieved by using different route metrics. A better solution is to use custom connection objects to distribute the load and/or configure failover for different links. Using custom connection objects allows you to decide on link balancing on a per-access-rule basis. For this article, we assume we are using a mix of one static and one dynamic (DHCP) Internet connection.

In this article:
Step 1. Configure the WAN Connections
Step 2. Add a Source Based Route
Step 3. Configure Link Monitoring
Step 4. Create a Custom Connection Object for Link Balancing with Failover (Fallback)
Step 5. Apply the Connection Object
Step 6. (optional) Configure Notifications

Step 1. Configure the WAN Connections

Configure your WAN connections:
For information on setting up an ISP with static IP address assignment, see How to Configure an ISP with Static IP Addresses.
For information on setting up an ISP with dynamic DHCP IP address assignment, see How to Configure an ISP with Dynamic IP Addresses (DHCP).

This configuration uses the following example settings for both WAN connections:

ISP     IP Address              Gateway                 Network Interface
ISP 1   62.99.0.69              62.99.0.254             port 3
ISP 2   dynamically assigned    dynamically assigned    dhcp

For WAN connections with dynamic address assignment (e.g., DHCP), verify that you enable the settings Own Routing Table, Use Assigned IP, Create Default Route, and Clone Routes in the configuration.

Step 2. Add a Source Based Route

Configure the source routes for both connections to avoid IP packets being sent via the wrong ISP line. For DHCP connections, the routes are already introduced automatically by the DHCP client. For ISP connections with static IP addresses, configure a source-based route.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select Routing.
3. Click Lock.
4. In the Source Based Routing section, click + to add a new route.
5. Enter a Name for the route and click OK.
6. In the Source Networks table, add the network for which the routing table is consulted, e.g., 62.99.0.0/24.
7. In the Routing Table Contents section, click + to configure the route.
8. In the Target Network Address field, enter 0.0.0.0/0.
9. Select unicast as the Route Type.
10. Enter the Gateway IP address, e.g., 62.99.0.254.
11. Click OK.
12. Select postmain as the Table Placement option.
13. Click OK.
14. Click Send Changes and Activate.

Step 3. Configure Link Monitoring

For the dynamic Internet connection, configure link monitoring for both routes (default and source based) to monitor IP addresses beyond the ISP gateway.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select xDSL/DHCP/ISDN.
3. In the Configuration Mode menu, select Switch to Advanced View.
4. Click Lock.
5. Edit the DHCP link.
6. In the Connection Monitoring section, add a target IP address to be used for monitoring into the Reachable IPs table. This address must be reachable only via the DHCP connection.
7. Click OK.
8. Click Send Changes and Activate.

After you configure your routes, you must activate your new network configurations.

1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Failsafe.

A Network Configuration Reconfigured message appears.

Step 4. Create a Custom Connection Object for Link Balancing with Failover (Fallback)

The Barracuda NG Firewall can perform link failover and link cycling using multiple connections. The failover and load balancing policy used in the custom connection object defines how the traffic is routed:

Link Balancing with Fallback – Traffic is always routed over the primary uplink as long as it is available. If the main uplink fails, the secondary uplink is used.
Random Link Balancing – Sessions are distributed randomly according to the weight of the connections. If one of the connections fails, traffic is routed through the other available connections as defined in the connection policy.
Sequential Link Balancing – The source IPs are sequentially cycled through, factoring in the weight defined for each uplink. The Barracuda NG Firewall remembers the source/destination of active sessions and reuses the same connection if a similar connection is established.

Create a custom connection object for link balancing and failover:

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, click Connections.
4. Right-click and select New. The Edit/Create a Connection Object window opens.
5. Enter a Name for the connection object, e.g., LBFailover.
6. Select From Interface as the NAT Address.
7. In the Interface Name field, enter the port that ISP 1 is connected to, e.g., port3 or dhcp.
8. In the Failover and Load Balancing section, select one load balancing/failover Policy:
   a. FALLBACK (Fallback to alternative Source Addresses) – Select either Interface or source IP address for each Internet connection. Enter the interface or source IP address for the connection.
   b. SEQ (Sequentially cycle Source Addresses) – Select either Interface or source IP address for each Alternative connection. Enter the interface or source IP address for each connection. Enter the Weight factor. This value determines how the load is distributed between the different connections.
   c. RAND (Random Source Addresses) – Select either Interface or source IP address for each Alternative connection. Enter the interface or source IP address for each connection. Enter the Weight factor. This value determines how the load is distributed between the different connections.
9. Click OK.
10. Click Send Changes and Activate.

Step 5. Apply the Connection Object

Use the object for all access rules handling outgoing traffic.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Edit an access rule handling outgoing traffic, e.g., LAN-2-INTERNET.
4. Select the custom connection object created in Step 4 from the Connection Method list.
5. Click OK.
6. Click Send Changes and Activate.

Step 6. (optional) Configure Notifications

You can configure the Barracuda NG Firewall to send SNMP traps or email notifications in case one of the ISP connections fails. Depending on what kind of notification you want to send, change the notification ID for:
62 (Route Changed)
64 (Route Disabled)
For more information, see Events.

You are now load balancing and/or using failover for all outgoing connections that are handled by access rules using the custom connection object.
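To make the three policies of Step 4 concrete, here is a small model written for this article; it is not Barracuda's code and does not run on the appliance. It keeps the uplink names port3 and dhcp from the example settings above and assumes (all constructed here) a link-monitoring flag per uplink, a per-session memory keyed by source and destination address for the SEQ and RAND policies, weight 2:1 between the uplinks, and the sample client and destination addresses.

```python
"""Model of the Failover and Load Balancing policies of a custom connection
object: FALLBACK, SEQ and RAND. Illustrative code for this article, not the
appliance's implementation; weights, session keys and addresses are constructed."""
import random
from dataclasses import dataclass


@dataclass
class Uplink:
    name: str          # interface or source IP entered in the connection object
    weight: int = 1    # weight factor (only SEQ and RAND use it)
    up: bool = True    # result of link monitoring; False after a probe failure


class ConnectionObject:
    def __init__(self, policy, uplinks, seed=None):
        if policy not in ("FALLBACK", "SEQ", "RAND"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.uplinks = list(uplinks)   # first entry is the primary uplink
        self.rng = random.Random(seed)
        self.cursor = 0                # position in the SEQ cycle
        self.sessions = {}             # (src, dst) -> Uplink of an active session

    def available(self):
        """Only uplinks that passed link monitoring are candidates."""
        return [u for u in self.uplinks if u.up]

    def select(self, src, dst):
        """Return the uplink name for a session, or None when every uplink is
        down (the access rule then cannot forward the traffic)."""
        key = (src, dst)
        known = self.sessions.get(key)
        if known is not None and known.up and self.policy != "FALLBACK":
            return known.name          # remembered session keeps its connection
        candidates = self.available()
        if not candidates:
            self.sessions.pop(key, None)
            return None
        if self.policy == "FALLBACK":
            chosen = candidates[0]     # primary while it is up, else next in order
        elif self.policy == "SEQ":
            # weighted round robin: an uplink with weight 2 gets two slots per cycle
            slots = [u for u in candidates for _ in range(u.weight)]
            chosen = slots[self.cursor % len(slots)]
            self.cursor += 1
        else:  # RAND
            chosen = self.rng.choices(candidates, weights=[u.weight for u in candidates])[0]
        self.sessions[key] = chosen
        return chosen.name

    def end_session(self, src, dst):
        self.sessions.pop((src, dst), None)


def fallback_demo():
    """Primary uplink is used whenever monitoring reports it up."""
    isp1, isp2 = Uplink("port3"), Uplink("dhcp")
    conn = ConnectionObject("FALLBACK", [isp1, isp2])
    before = conn.select("10.0.10.5", "203.0.113.9")
    isp1.up = False                     # constructed: ISP 1 fails its probe
    during = conn.select("10.0.10.5", "203.0.113.9")
    isp1.up = True                      # ISP 1 is back; traffic returns to it
    after = conn.select("10.0.10.5", "203.0.113.9")
    return before, during, after


def seq_demo():
    """Weight 2:1 yields the cycle port3, port3, dhcp for new sessions."""
    conn = ConnectionObject("SEQ", [Uplink("port3", 2), Uplink("dhcp", 1)])
    return [conn.select(f"10.0.10.{i}", "203.0.113.9") for i in range(1, 7)]


def rand_share(sessions=3000):
    """Fraction of new sessions the weight-2 uplink receives under RAND."""
    conn = ConnectionObject("RAND", [Uplink("port3", 2), Uplink("dhcp", 1)], seed=7)
    picks = [conn.select(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", "203.0.113.9")
             for i in range(sessions)]
    return picks.count("port3") / sessions


if __name__ == "__main__":
    print(fallback_demo())   # ('port3', 'dhcp', 'port3')
    print(seq_demo())        # ['port3', 'port3', 'dhcp', 'port3', 'port3', 'dhcp']
    print(round(rand_share(), 2))
```

The session memory is what makes SEQ and RAND safe for stateful protocols: once a source/destination pair has been assigned an uplink, later packets of that session keep the same source address and do not break NAT state on the far side, while FALLBACK re-evaluates every time so that traffic returns to the primary uplink as soon as monitoring reports it up again.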
If needed, you can define multiple custom connection objects and use them to control which ISP connections are used by a specific network or IP address.

How to Configure Automatic Failover with Dual DHCP WAN Connections using the Same Remote Gateway

Only use this setup if you are using two WAN connections that use the same remote network and gateway IP address. For all other setups, see How to Configure Link Balancing and Failover for Multiple WAN Connections.

When using two Internet connections from the same ISP, both links cannot be active at the same time if they connect to the same remote network and use the same remote gateway IP address. Since it is not possible to have two default routes each using the same remote gateway, the backup uplink must be used in standby mode only and activated if the primary connection goes down. A second virtual server is used to monitor the primary uplink. When the primary uplink becomes unavailable, a script is executed to activate the secondary uplink. Lowering the route metric of the secondary uplink ensures that the backup uplink is used. When the primary uplink becomes available again (probing is successful), a script places the secondary uplink into standby again.

In this article:
Step 1. Configure Two DHCP Connections
Step 2. Create an Additional Virtual Server
Step 3. Create a Host Firewall Rule

Step 1. Configure Two DHCP Connections

Configure two DHCP WAN connections. For more information, see How to Configure an ISP with Dynamic IP Addresses (DHCP). For the primary and secondary DHCP uplink, use the following settings:

Setting         Primary DHCP Connection   Secondary DHCP Connection
Link Active     yes                       yes
Standby Mode    no                        yes
Route Metric    100                       99

Step 2. Create an Additional Virtual Server

Create an additional virtual server and configure a monitoring policy for the virtual server to execute a custom script in case of failure / success.

1. Go to CONFIGURATION > Configuration Tree > your box.
2. Right-click Virtual Servers and select Create Server.
3. Enter a Server Name.
4. In the First-IP [IP1] field, enter 127.0.0.10.
5. Click Next.
6. From the IP Monitoring Policy list, select all-OR-all-present.
7. In the Monitored IPs I table, add the IP address to be monitored. This is typically an IP address in the Internet or from your ISP that indicates that a connection to the Internet is available.
8. Click Next.
9. In the Start Script field, add the following script for the secondary DHCP uplink:
   /epb/openxdhcp stop <secondary DHCP uplink name>
10. In the Stop Script field, add the following script for the secondary DHCP uplink:
    /epb/openxdhcp start <secondary DHCP uplink name>
    By default, DHCP02 is the name for the uplink. In these scripts, replace <secondary DHCP uplink name> with the name that you specified for your secondary DHCP uplink.
11. Click Finish.

If the monitoring IP address is available again, the virtual server starts and disables the secondary DHCP uplink by executing the start script. If the monitoring IP address is unreachable, the virtual server stops and enables the secondary DHCP uplink by executing the stop script.

Step 3. Create a Host Firewall Rule

Create a Host Firewall rule to make sure that IP address probing is always done through the primary DHCP uplink (using the DHCP interface).

1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Host Firewall Rules.
2. Click Lock.
3. Select the Outbound rule set at the top of the rule list.
4. Right-click in the rule list and select New > Rule.
5. Select Pass as the action.
6. Enter a name for the rule, for example, ISP-Fallback.
7. Specify the following settings that must be matched by the traffic handled by the access rule:
   Source – Select All-LocalIPs
   Destination – Enter the IP address to be monitored.
   Service – Select ICMP
8. In the left pane, select the Object Viewer check box. The Object Viewer window opens.
9. Open the Connections tab and create the connection object:
   a. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
   b. Enter a Name for the connection object, e.g., Fallback.
   c. From the NAT Address list, select From Interface.
   d. In the Interface Name field, enter dhcp.
   e. Click OK.
10. In the Edit Rule window, select the new connection object in the Connection Method section.
11. Click OK.
12. Drag and drop the new access rule in the rule set so that no rule above it matches the traffic you want to forward.
13. Click Send Changes and Activate.

You can now see the active routes of the primary uplink and the pending route of the secondary uplink. If the primary uplink goes down, the virtual server is stopped and the stop script is executed, activating the secondary uplink. When the primary connection is available again, the virtual server executes the start script, which places the secondary link into standby mode again.

How to Activate Network Changes

After changing the configuration of the network subsystem, you must activate the new network configuration. There are three types of network activation:

Failsafe – A backup of the existing configuration is created, and the new network configuration is activated. If the connection to NG Admin is established successfully after activation, the network activation is complete. If it fails, the network configuration is reverted to the previously working state.
During activation in failsafe mode, the whole network system is shut down and the Barracuda NG Firewall is briefly unreachable. All active connections are terminated.
Force – In this activation mode, the new network configuration is activated without making a backup of the old configuration. If the new network configuration does not work, there is no fallback mechanism. During activation in Force mode, the whole network system is shut down and the Barracuda NG Firewall is briefly unreachable. All active connections are terminated.
Soft – Only use the Soft activation mode to add a route to an existing network configuration. All other network configuration changes cannot be activated in Soft mode. During activation in this mode, the network system is not shut down and firewall connections are not interrupted. Alternatively, you can soft activate a new network configuration and reboot the Barracuda NG Firewall or NG Control Center for the network configuration changes to take effect.

Activate the Network Configuration

1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Click the desired activation mode.

After activation, the network may briefly show an error state until all connections are established.

Routing

Routing tables are used to store the best path to a remote network. The Barracuda NG Firewall uses the routing tables to forward traffic to the correct interfaces, next hop gateways, or VPN tunnels. Routes are first evaluated by destination, route metric (preference) and, optionally, the source address of an IP packet, and then by the scope (network size) to determine which route matches. Two routes of the same scope (e.g., /24) and metric cannot be created. The Management IP address always uses a preference of 0.

If two routes with different preferences exist, the route with the lower preference is chosen. E.g., 10.0.10.0/25 (preference 10) is preferred over 10.0.10.0/25 (preference 100).
If two routes with the same preference exist to a destination, the route with the smaller subnet mask is used. E.g., 10.0.10.0/24 is preferred over 10.0.0.0/16.

VPN routes are source-based routes by default. If single routing table is enabled in the VPN Settings, VPN routes are inserted with a preference of 10. For more information, see Authentication, Encryption, Transport, and VPN Routing.

Directly Attached Network Routes (Direct Routing)
Gateway Routes (Next Hop Routing)
Multipath Routing
Source-Based Routes (Policy Based Routing)

Directly Attached Network Routes (Direct Routing)

Define how to reach networks that are directly plugged in to a port (virtual or physical) of the Barracuda NG Firewall. To define a directly attached network route, you must enter:
Target network in CIDR format – E.g., 172.16.0.0/24
Interface – The network interface on the Barracuda NG Firewall that the network is attached to. E.g., eth2 or port 2

After you have introduced the directly attached route and activated the network, the route is in a pending state. Pending routes are marked with the pending icon in CONTROL > Network and are not active. When a suitable source network address (virtual server IP or additional IP address on box level) has been introduced, the route becomes active and the active icon is displayed for the route.

In the example above, you must create a direct route for the ISP-issued 62.99.0.0/24. To reach the Internet, a gateway route (see below) must be created. If you enter the optional gateway IP address when creating the directly attached route, the default gateway route is created automatically.

You do not need to create a directly attached route for the network the management IP address is in. This route is created automatically when the management IP address is configured. For setup instructions, see How to Configure Direct Routes.

Gateway Routes (Next Hop Routing)

To reach networks that cannot be directly accessed, you must define gateway routes. A common gateway route is the default route (0.0.0.0/0), which forwards all packets not belonging to one of the trusted networks to the remote gateway provided by the ISP. Before adding a gateway route, a direct route must be configured. Otherwise, you cannot contact the next hop IP address. To define a gateway route, you must enter:
Target network – Target network in CIDR format. E.g., 0.0.0.0/0 for the default route
Next hop address – IP address of the gateway device the traffic is sent to. E.g., 62.99.0.254

After adding the gateway route, you must initiate a Soft network activation for the route to become active (in CONTROL > Network). For setup instructions, see How to Configure Gateway Routes.

Multipath Routing

The Barracuda NG Firewall supports standard Linux multipath routing and Firewall-assisted multipath routing. Standard Linux multipath routing does not offer dead next hop detection or session packet balancing. Simple redundancy by next hop detection can be provided by adding multiple routing entries with different route preference numbers. Firewall-assisted multipath routing supports per-packet balancing between next hops and dead next peer detection and is configured in the Forwarding Firewall service.

For setup instructions, see:
How to Configure Multipath Routing
How to Configure Linux Standard Multipath Routing

Source-Based Routes (Policy Based Routing)

Source-based or policy routing is a way to implement more complex routing scenarios. The implementation provided by the Barracuda NG Firewall only uses a subset of the functional scope of policy routing. The source address used to establish a connection determines whether or not a routing table is consulted. Because the firewall configuration (on a per-rule basis) lets you specify the address with which an allowed connection is established, policy routing represents an extremely powerful instrument to manage routing on the NG Firewall in complex topologies. VPN tunnels make use of policy routing.

Policy routing rules assign an IP address range (source addresses) to a named routing table. These rules are organized in an ordered list, so that each rule is associated with a preference number. Routing decisions are made by evaluating the ruleset starting with the rule that has the lowest preference number. The first rule (route table) that matches the source IP address is chosen. If a matching route to the desired destination address is found in the table, the route is applied. Otherwise, the Barracuda NG Firewall continues to evaluate the routing tables (rules) until a match is found. If none of the rules match, the destination is unreachable. For setup instructions, see How to Configure Source-Based Routes.

How to Add a Direct Attached Route

Direct attached routes are routing entries for networks that can be reached from an interface of the Barracuda NG Firewall without having to use a next hop gateway.

In this article:
Before you Begin
Step 1. Configure a Direct Route
Step 2. Activate the Network Configuration
Next Steps

Before you Begin

Connect the network to a port of the Barracuda NG Firewall. Do not use the management port.

Step 1. Configure a Direct Route

Add a route for the direct attached network.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, click Routing.
3. Click Lock.
4. In the Routes table, click + to add a route:
   Name – Enter a name.
   Target Network Address – Enter the network in CIDR format. E.g., 62.99.0.0/24
   Route Type – Select direct attached network.
   Interface Name – Select the interface you used to connect to the network. E.g., eth1
   Trust Level – Select the trust level. Your network will automatically be connected to the corresponding network objects. Use Untrusted for WAN connections and Trusted for LAN connections.
   (optional) Advertise Route – To propagate this network route via the OSPF/RIP/BGP service, select Yes. For more information, see Dynamic Routing Protocols (OSPF/RIP/BGP).
5. Click OK.
6. Click Send Changes and Activate.

Step 2. Activate the Network Configuration

After you have configured the network route, you must activate your new network configuration.

1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Soft.

The Soft Activation Succeeded message is displayed after your new network configurations have been successfully activated. The direct attached route is now displayed as pending on the CONTROL > Network page. To make the route active, you must use one of the IP addresses in the network as a virtual server IP address (default) or as an additional IP address (remote units).

Next Steps

Default: You must use at least one IP address from the network as a virtual server IP address. If you are using a high availability setup, these virtual server IP addresses will be transferred to the secondary NG Firewall in case of a failure.
In case of remote access: If you are using the Barracuda NG Firewall via remote management tunnel, add the IP address to the Additional IP addresses (CONFIGURATION > Configuration Tree > Box > Network). IP addresses assigned on box level are not synced to the HA partner. When using the IP address on box level, the route remains active even if the virtual server is running on the other NG Firewall in the HA cluster.

How to Configure Gateway Routes

Gateway routes are defined for all networks that are not directly attached to a port of the Barracuda NG Firewall.
The Barracuda NG Firewall forwards all traffic with the configured destination to the gateway (next hop) IP address specified in the gateway route. For example, the default route (0.0.0.0/0), which routes all traffic to the ISP gateway IP address, is a gateway route.

Step 1. Configure a Gateway Route

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. From the Configuration menu in the left navigation pane, click Routing.
3. Click Lock.
4. In the Routes table, click + to add a gateway route:
   Name – Enter a name.
   Target Network Address – Enter the network in CIDR format. E.g., 0.0.0.0/0 for the default route
   Route Type – Select gateway.
   Gateway – The gateway IP address. E.g., 62.99.0.254
   Trust Level – Select the trust level. Use Untrusted for WAN connections.
   (optional) Advertise Route – To propagate this network route via the dynamic routing service, select Yes. For more information, see Dynamic Routing Protocols (OSPF/RIP/BGP).
5. Click OK.
6. Click Send Changes and Activate.

Step 2. Activate the Network Configuration

After you have configured the network route, you must activate your new network configuration.

1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration.
3. Select Soft.

The "Soft Activation Succeeded" message is displayed after your new network configurations have been successfully activated. The gateway route is now active on the CONTROL > Network page. If the remote gateway no longer answers ARP requests, the route is placed in a pending state until the gateway is reachable again.

How to Configure Source-Based Routes

Source-based routing, often referred to as policy routing, is used when the source IP address of the connection determines, in part or completely, which route is used. Source-based routing can be used to ensure that traffic is sent via a specific connection. For each source-based routing entry, a routing table for that specific IP address/network is created and consulted when traffic from that network comes in.

Step 1. Create a Source-Based Route

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, click Routing.
3. Click Lock.
4. In the Source Based Routing section, add or edit an entry for your route in the Routing Rules table:
   a. Name – Enter a name. E.g., route1
   b. Source Networks – Add the source IP address or network. E.g., 10.0.10.0/24
   c. Routes – Click + to add a route table entry for the source network.
      Target Network Address – Enter the target network IP address. E.g., 0.0.0.0/0
      Route Type – Select unicast, multipath or throw. If throw is selected, the route lookup ends once the first matching route is found.
      Gateway (only for unicast routes) – Enter the IP address of the remote gateway.
      Multipath Gateway (only for multipath routes) – Enter the Multipath Gateway and Weight Number (Metric) for each route.
      Packet Load Balancing (only for multipath routes) – If needed, enable packet load balancing.
      Route Metric (only for unicast routes) – Enter the route metric for the gateway route.
      Advertise Route – Select YES if you want to use the dynamic routing service. For more information, see Dynamic Routing Protocols (OSPF/RIP/BGP).
5. Select where the route table is placed, before (premain) or after (postmain) the main routing table.
6. Click OK.
7. Click Send Changes and Activate.

Step 2. Activate the New Network Configuration

After you have configured the network route, you must activate your new network configuration.

1. Go to CONTROL > Box.
2. In the left navigation pane, expand Network and then click Activate new network configuration.
3. Select Failsafe.
   The Failsafe Activation Succeeded message is displayed after your new network configurations have been successfully activated.
4. Click OK.
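The following model, written for this article and not the appliance's own code, ties together the selection rules from the Routing section (longest prefix first, then lowest metric/preference, pending versus active routes) with the source-based routing options just configured (premain or postmain placement, unicast and throw routes) and the standby/metric interplay used by the dual DHCP failover article. Addresses reuse the examples on these pages (62.99.0.0/24 on port3 with gateway 62.99.0.254, 10.0.10.0/24, 10.0.0.0/16, 172.16.0.0/24 on eth2); the second ISP network 192.168.200.0/24 with gateway 192.168.200.1, the gateway 10.0.10.254, the table names and the test destinations are constructed. Two assumptions are built in: a throw route ends the lookup in its own table and the next table is consulted (Linux policy-routing semantics), and a route is pending until a local IP lies in the direct network, or, for a gateway route, until its next hop is inside an active direct network.

```python
"""Model of route selection with pending/active state, metrics, longest-prefix
match and source-based (policy) routing tables. Illustrative code for this
article, not the appliance's implementation; see the lead-in for what is assumed."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    target: str            # CIDR, e.g. "0.0.0.0/0"
    kind: str              # "direct", "gateway" or "throw"
    metric: int = 0        # preference; lower wins among equal prefix lengths
    gateway: str = ""      # next hop of a gateway route
    interface: str = ""    # interface of a direct route
    standby: bool = False  # link in Standby Mode: its route stays pending
    active: bool = False   # computed by Router.refresh()

    @property
    def net(self) -> Net:
        return Net(self.target)


class RoutingTable:
    def __init__(self, name, routes):
        self.name, self.routes = name, routes

    def lookup(self, dst):
        """Best active route for dst: longest prefix first, then lowest metric."""
        hits = [r for r in self.routes if r.active and dst in r.net]
        return min(hits, key=lambda r: (-r.net.prefixlen, r.metric)) if hits else None


@dataclass
class PolicyRule:
    source: str            # source network the rule applies to
    table: RoutingTable
    placement: str         # "premain" or "postmain"


class Router:
    def __init__(self, main, rules, local_ips):
        self.main, self.rules = main, rules
        self.refresh([IPv4(ip) for ip in local_ips])

    def refresh(self, local_ips):
        """Direct routes need a local IP (virtual server or box-level) inside
        the network; gateway routes need a next hop inside an active direct
        network; throw routes are always usable; standby routes stay pending."""
        tables = [self.main] + [r.table for r in self.rules]
        for t in tables:
            for r in t.routes:
                if r.kind == "direct":
                    r.active = not r.standby and any(ip in r.net for ip in local_ips)
        direct = [r.net for t in tables for r in t.routes if r.kind == "direct" and r.active]
        for t in tables:
            for r in t.routes:
                if r.kind == "gateway":
                    r.active = not r.standby and any(IPv4(r.gateway) in n for n in direct)
                elif r.kind == "throw":
                    r.active = True

    def tables_for(self, src):
        """Premain tables, then main, then postmain tables, in rule order."""
        pre = [r.table for r in self.rules if r.placement == "premain" and src in Net(r.source)]
        post = [r.table for r in self.rules if r.placement == "postmain" and src in Net(r.source)]
        return pre + [self.main] + post

    def route(self, src, dst):
        """Return (table name, Route), or None if the destination is unreachable."""
        src, dst = IPv4(src), IPv4(dst)
        for table in self.tables_for(src):
            best = table.lookup(dst)
            if best is None or best.kind == "throw":
                continue       # no usable route here: consult the next table
            return table.name, best
        return None


def build_router(local_ips, secondary_standby=True):
    """Constructed topology: ISP 1 on port3 (metric 100), ISP 2 on port4
    (metric 99, in standby by default), a LAN that prefers ISP 2."""
    main = RoutingTable("main", [
        Route("62.99.0.0/24", "direct", interface="port3"),
        Route("192.168.200.0/24", "direct", interface="port4"),
        Route("172.16.0.0/24", "direct", interface="eth2"),
        Route("10.0.10.0/24", "direct", interface="eth1"),
        Route("10.0.0.0/16", "gateway", metric=10, gateway="10.0.10.254"),
        Route("0.0.0.0/0", "gateway", metric=100, gateway="62.99.0.254"),
        Route("0.0.0.0/0", "gateway", metric=99, gateway="192.168.200.1", standby=secondary_standby),
    ])
    lan = RoutingTable("lan-via-isp2", [
        Route("10.0.0.0/8", "throw"),  # internal traffic falls through to main
        Route("0.0.0.0/0", "gateway", metric=10, gateway="192.168.200.1"),
    ])
    isp1 = RoutingTable("isp1-src", [Route("0.0.0.0/0", "gateway", metric=100, gateway="62.99.0.254")])
    rules = [PolicyRule("10.0.10.0/24", lan, "premain"), PolicyRule("62.99.0.0/24", isp1, "postmain")]
    return Router(main, rules, local_ips)
```

Calling `build_router([...]).route(src, dst)` answers the questions the Routing section raises: a destination in 10.0.10.0/24 is reached through the direct route even though 10.0.0.0/16 also matches; the secondary default route with the lower metric 99 is ignored while its link is in standby and wins as soon as it is activated; and when ISP 1's direct network has no local IP, its default route is pending and a source outside any policy rule gets no route at all, which is exactly the situation the link monitoring and failover scripts on the preceding pages are there to handle.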
How to Configure Linux Standard Multipath Routing

Barracuda Networks recommends using ACPF-assisted multipath routing. For more information, see How to Configure Multipath Routing.

The Barracuda NG Firewall supports Linux standard multipath routing. Simple redundancy by next hop detection is provided by adding multiple routing entries with different route metrics. Linux-based standard multipath routing provides source IP-based balancing between next hops. Once a source/destination combination is in the routing cache, this combination stays on the selected next hop IP address. For dead next hop detection per ARP request or session packet balancing, use ACPF-assisted multipath routing.

Step 1. Add a Linux Standard Multipath Route

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, click Routing.
3. In the left menu, expand Configuration Mode and click Switch to Advanced Mode.
4. Add an entry to the Routes table.
5. Enter the Target Network Address. E.g., 192.168.100.0/24
6. Click + to add Multipath Gateways and provide the following information:
   Multipath Gateway – Next hop IP address of the multipath route.
   Weight Number – Weight number of the path (valid range 1 - 100).
   Assigned Source IP – The assigned source IP address.
7. Click OK.
8. Click Send Changes and Activate.

Step 2. Activate the Network Configuration

1. Go to CONTROL > Box.
2. In the left menu, expand Network and click Activate new network configuration. The Activate Network window opens.
3. Click Soft. The Activation Succeeded window opens.
4. Click OK.

Open the CONTROL > Network page. If a green icon is displayed in the first column for the multipath route, the route is active.
How to Change the Management IP Address

When deploying the Barracuda NG Firewall in your network, you might have to change its management IP (MIP) address. After changing the management IP address, you must activate the new network configuration.

Step 1. Change the MIP Address

Change the management IP address to match your existing network addresses.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. Click Lock.
3. In the Management IP and Network section, enter the new Management IP (MIP).
4. Select the Associated Netmask for your network from the list.
5. (optional) Set Responds to Ping to yes.
6. Set Use for NTPd to yes.
7. Click Send Changes and Activate.

Step 2. (optional) Change or Add Gateway Route

If the client from which you are connecting to the Barracuda NG Firewall is not in the same network as the Barracuda NG Firewall, you must create or change a gateway route to be able to access the Barracuda NG Firewall after changing the management IP address. You do not need to add a route if your client is in the same network as the new management IP address. For more information, see How to Configure Gateway Routes.

Step 3. Network Activation

After you create or change basic network configurations, you must activate your new network configuration:

1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Force. The "Force Activation Succeeded" message is displayed after your new network configuration has been activated.
4. Restart Barracuda NG Admin.

A few moments after activating your network configuration changes, you will be able to log into the Barracuda NG Firewall with the new MIP address. If you are using a static IP, verify that the management PC can reach the new MIP.
How to Use IPv6

The Barracuda NG Firewall supports IPv6 along with its predecessor IPv4. By default, IPv6 is disabled and only traffic from IPv4 networks is accepted. When IPv6 is enabled, the Barracuda NG Firewall accepts both IPv4 and IPv6 traffic. IPv6 addresses can only be used via NG Admin and not via command line tools. To configure IPv6 services, you must first assign IPv6 addresses to the interfaces.

IPv6 is supported for the following services:
   Firewall Service
   Virus Scanner
   DNS Service
   DHCP Service
   DHCP Relay
   Dynamic Routing: OSPF/RIP/BGP
   SNMP Service
   Mail Gateway
   NG Firewall Management

In this article:
   IPv6 Advantages and Address Notation
   Enabling IPv6
   Assigning IPv6 Addresses

IPv6 Advantages and Address Notation

The main advantage of IPv6 is that it provides a larger address space than IPv4. IPv6 uses 128-bit IP addresses, compared to the 32-bit IP addresses used by IPv4. IPv6 supports varied addressing types (unicast, anycast, multicast, link-local, site-local, and global). IPv6 addresses can be associated with one or more interfaces.

IPv6 addresses are represented as eight 16-bit hexadecimal blocks separated by colons (:). For example: FEDC:0000:0000:0000:FEDC:E4BF:0100:0010

You can omit leading zeros within each 16-bit hexadecimal block. For example, you can write 0 instead of 0000, 100 instead of 0100, and 10 instead of 0010. You can compress the zeros further with double colons (::). However, you can only use double colons once to compress an IPv6 address, either at the beginning, in the middle, or at the end of the address. For example: FEDC::FEDC:E4BF:100:10 is equivalent to FEDC:0000:0000:0000:FEDC:E4BF:100:10

Enabling IPv6

By default, IPv6 is disabled. To enable IPv6:

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. Click Lock.
3. In the IPv6 section, set Enable IPv6 to Yes.
4. Reboot your Barracuda NG Firewall.
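The notation rules from the IPv6 Advantages and Address Notation section above (leading zeros optional per block, a single :: for a run of zero blocks) are enough to write an expander and compressor that can also tell whether two differently written addresses are the same interface address. This is an added example, not code from the Barracuda guide; it keeps the page's uppercase hex and cross-checks itself against Python's ipaddress module.

```python
"""Expand and compress IPv6 addresses by the notation rules in the IPv6
Advantages and Address Notation section: eight 16-bit hex blocks, leading
zeros optional within a block, and at most one '::' standing for a run of
zero blocks.  Added example, not Barracuda code; uppercase hex follows the
page's examples.  A cross-check against Python's ipaddress module is included."""

import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> str:
    """Return the full form: eight blocks of exactly four hex digits.

    Raises ValueError on malformed input: more than one '::', a '::' that
    stands for no block, a wrong block count, or a block that is empty,
    longer than four digits or not hexadecimal."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError(f"expected 8 blocks, got {len(blocks)}")
    full = []
    for block in blocks:
        if not 1 <= len(block) <= 4 or not set(block) <= HEX_DIGITS:
            raise ValueError(f"invalid block {block!r}")
        full.append(f"{int(block, 16):04X}")
    return ":".join(full)


def compress_ipv6(addr: str) -> str:
    """Return the shortest form: leading zeros dropped in every block and the
    longest run of two or more zero blocks replaced by a single '::'
    (the first such run wins on a tie)."""
    blocks = [f"{int(b, 16):X}" for b in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        run_end = i
        while run_end < 8 and blocks[run_end] == "0":
            run_end += 1
        if run_end - i > best_len:
            best_start, best_len = i, run_end - i
        i = run_end
    if best_len < 2:        # a single zero block is written as "0", not "::"
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return f"{head}::{tail}"


def same_address(a: str, b: str) -> bool:
    """True if two differently written addresses denote the same 128 bits."""
    return expand_ipv6(a) == expand_ipv6(b)


def matches_stdlib(addr: str) -> bool:
    """Cross-check both forms against the standard library's canonical output."""
    std = ipaddress.IPv6Address(addr)
    return (expand_ipv6(addr) == std.exploded.upper()
            and compress_ipv6(addr) == std.compressed.upper())


if __name__ == "__main__":
    full = "FEDC:0000:0000:0000:FEDC:E4BF:0100:0010"   # the page's example
    print(compress_ipv6(full))                          # FEDC::FEDC:E4BF:100:10
    print(expand_ipv6("FEDC::FEDC:E4BF:100:10"))
    print(same_address(full, "FEDC::FEDC:E4BF:100:10"), matches_stdlib(full))
```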
To synchronize the IPv6 configuration for Barracuda NG Firewalls that are part of a cluster in the Barracuda NG Control Center, you must enable IPv6 on all of the systems in the cluster.

Assigning IPv6 Addresses

Before configuring IPv6 services, you must assign IPv6 addresses to the interfaces.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select IP Configuration.
3. Click Lock.
4. From the Configuration Mode menu in the left navigation pane, click Switch to Advanced View.
5. In the Additional IPv6 Addresses table, add an entry for the interface. In the entry settings, specify the interface name and its IPv6 address.
6. Click Send Changes and Activate.
7. Activate the network changes on the CONTROL > Box page.

You can now connect to an IPv6 network.

How to Make a Barracuda NG Firewall Centrally Manageable Without a Barracuda NG Control Center

If you are managing only one or two remote Barracuda NG Firewalls and are not using a Barracuda NG Control Center, use Site-to-Site VPN tunnels to securely manage the remote units. Exchange the box certificates to authenticate the Site-to-Site VPN tunnel.

In this article:
   Step 1. Export the Public Key
   Step 2. Configure a Site-to-Site Tunnel at the VPN Server Peer
   Step 3. Configure Remote Access

Step 1. Export the Public Key

Export the box identification certificate from the remote box. The certificate is used to authenticate the remote Barracuda NG Firewall.

1. Go to CONFIGURATION > Configuration Tree > Box > Identity.
2. From Box Private Key, click Ex/Import and select Export Public to Clipboard.

Step 2. Configure a Site-to-Site Tunnel at the VPN Server Peer

Configure the Site-to-Site VPN tunnel on the central unit. The remote management tunnel is a site-to-site tunnel.

1.
Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
2. Click Lock.
3. Right-click the table and select New TINA tunnel.
4. Enter a name for the tunnel.
5. Under the Local Networks tab, select Passive from the Call Direction list.
6. In the Network Address section, enter the LAN and any other connected private subnets you wish to connect from, and click Add.
7. Click the Local tab.
8. In the IP Address or Interface used section, select or enter the external IP address which the remote box will connect to (reference: first or second server IP, or select Explicit List (ordered) and enter the address below).
9. Click the Peer Identification tab.
10. From Public Key, click Ex/Import and select Import from Clipboard. If necessary, change Identity > Identification Type to Public Key.
11. Click the Identify tab.
12. From the Server Protocol Key list, click Ex/Import and select an RSA key or create a new key. Keys in the dropdown menu are created/imported under VPN Settings > Service Certificates/Keys.
13. In the Server Protocol Key section, export the public key to the clipboard.
14. Click the Remote tab.
15. In the Remote Peer IP Addresses field, enter either 0.0.0.0/0 (if the remote partner uses a dynamic IP) or the external IP of the remote partner (if static), and click Add.
16. Click the Remote Networks tab.
17. Choose a free IP address for your virtual IP (VIP) address, enter this address in the Remote Network section, and click Add. The VIP may be either routed (it is within a network range not used on either the local or the remote site) or part of the local LAN connected to your central firewall. In the latter case, you must create a Proxy ARP to be able to connect (see How to Create Proxy ARP Objects). Do not use the remote Management IP from the remote LAN.
18. Click OK.
19. Click Send Changes and Activate.
For more information about TINA tunnels, see How to Create a TINA VPN Tunnel between Barracuda NG Firewalls.

Step 3. Configure Remote Access

Configure the remote partner to connect to the central firewall:

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select Management Access.
3. In the left menu, expand Configuration Mode, and click Switch to Advanced.
4. Click Lock.
5. From the Enable Tunnel list, select yes.
6. In the Virtual IP (VIP) field, enter the VIP address chosen in Step 2.17.
7. From Tunnel Details, click Set.
   a. From VPN Server Key, click Ex/Import and select Import from Clipboard.
   b. In the VPN Server table, add the point of entry to reach the central gateway (defined under step 2.8).
   c. In the Remote Networks table, add the remote LANs (defined under step 2.7).
   d. Add an IP address of the central firewall to the list of Reachable IPs. This IP address is used as the probing target to keep the tunnel alive. If no probing target is defined, the tunnel is restarted periodically.
8. Click OK.
9. Click Send Changes and Activate.

Go to VPN > Status and verify that the site-to-site tunnel is ACTIVE in the State column.

How to Configure VLANs

VLANs allow you to split one physical network interface (with one MAC address) into several virtual LANs. The physical interface behaves like several interfaces, and the switch behaves like multiple switches. VLANs are useful when not enough network interfaces exist on the unit. The Barracuda NG Firewall can use up to 256 VLANs on one physical network interface and a maximum of 4096 VLANs globally. The VLAN interfaces are named <physical interface>.<VLAN id> (e.g., eth2.200). Only tagged traffic is handled by the firewall; untagged traffic on the physical interface is discarded.
You must use a properly configured 802.1Q VLAN-capable switch and NICs that use one of the following kernel modules that are capable of 802.1Q VLAN tagging on the Barracuda NG Firewall:

   Intel 100 MBit:
      Intel 100 MBit Driver by Intel (e100.o)
      Intel 100 MBit Driver by Intel (certified by Compaq) (e100compaq.o)
   Intel 1000 MBit:
      Intel 1000 MBit Driver by Intel (e1000.o)
      Intel 1000 MBit Driver by Intel (e1000e.o)
      Intel 1000 MBit PCI-e Driver by Intel (igb.o)
   Intel 10000 MBit:
      Intel 10000 MBit Driver by Intel (ixgb.o)
      Intel 10000 MBit PCI-e Driver by Intel (ixgbe.o)
   Broadcom 1000 MBit:
      Broadcom 1000 MBit NetXtreme I Driver (tg3.o)
      Broadcom 1000 MBit NetXtreme II Driver (bnx2.o)
   Realtek:
      Realtek RTL8139 (8139too.o)
   VMware:
      VMXnet3 (vmxnet3.o)
   KVM:
      virtio (virtio.o, virtio-net.o)

The interface label is formatted as <interface-name>.<VLAN ID>:<Virtual Server Name>. Verify that the length of the label does not exceed 15 characters. E.g., port10.1111:S01 would be a valid 15-character interface label.

In this article:
   Step 1. Add a VLAN Interface
   Step 2. Create a Direct Route for the VLAN
   Step 3. Activate the New Network Configuration
   Next Steps

Step 1. Add a VLAN Interface

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select Virtual LANs.
3. Click Lock.
4. Add an entry in the VLAN table:
   Name – Enter a name and click OK.
   Physical VLAN Interface – Select the physical interface that will host the VLAN. E.g., eth2
   VLAN Tag – Enter the VLAN tag that was configured on the switch port the physical interface is plugged in to. E.g., 200
   Header Reordering – This setting makes the virtual interface seem like a real Ethernet interface. Keep it disabled for better performance. Enable it if you are experiencing problems with network services, such as DHCP, running in the VLAN.
5. Click OK.
6. Click Send Changes and Activate.

Step 2.
Create a Direct Route for the VLAN

Add a directly attached route for the VLAN network.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select Routing.
3. Click Lock.
4. In the Routes table, add an entry for the VLAN route. Specify the following settings:
   Target Network Address – Enter the network used on the VLAN. E.g., 192.168.8.10
   Route Type – Select directly attached network.
   Interface Name – Select the virtual interface matching the VLAN and target network address. E.g., eth2.200
5. Click OK.
6. Click Send Changes and Activate.

Step 3. Activate the New Network Configuration

If you activate the network in failsafe mode, a short network interruption occurs, which may require a maintenance window. It is possible to carry out the network activation for VLAN interfaces without interruption by using the command line.

Failsafe activation with temporary network connectivity disruption:

1. Go to CONTROL > Box.
2. In the left navigation pane, expand Network and then click Activate new network configuration.
3. Select the Failsafe mode.
4. To verify that the VLAN interface and its pending direct route were successfully introduced, go to CONTROL > Network.

Soft activation without temporary network connectivity disruption:

1. Change to the command-line interface and execute the following commands for each configured VLAN on device eth<n> with the corresponding <VLAN-ID>:

   /etc/phion/bin/vconfig add eth<n> <VLAN-ID>
   ip link set eth<n>.<VLAN-ID> up

2. Activate the network configuration by clicking the Soft activate button.

Next Steps

The virtual network interfaces can be used just like physical network interfaces. They are now listed on the CONTROL > Network page. If you want to combine VLANs and bridging, see Bridging.
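Before a VLAN change window it is worth checking the plan against the constraints this article states (the 15-character label limit and the 256 VLANs per physical interface) and preparing the soft-activation command pair for each VLAN. The following is an added example, not Barracuda code; the 1-4094 tag range is the usable 802.1Q VLAN ID range and is an extra check the article itself does not spell out, and every VLAN definition in it is constructed.

```python
"""Pre-flight checks for a VLAN plan, following the constraints in the VLAN
article: the interface label <interface-name>.<VLAN ID>:<Virtual Server Name>
may not exceed 15 characters, at most 256 VLANs per physical interface, and
the soft-activation command pair for each VLAN.  Added example, not Barracuda
code; the 1-4094 tag range is the usable 802.1Q VLAN ID range, added here as a
check the article does not spell out.  All VLAN definitions are constructed."""

from collections import Counter
from dataclasses import dataclass
from typing import List

MAX_LABEL_LEN = 15           # from the article
MAX_VLANS_PER_IFACE = 256    # from the article
MIN_TAG, MAX_TAG = 1, 4094   # 802.1Q: VID 0 and 4095 are reserved


@dataclass(frozen=True)
class Vlan:
    physical: str   # Physical VLAN Interface, e.g. "eth2"
    tag: int        # VLAN Tag, e.g. 200
    server: str     # Virtual Server name that will own the interface

    @property
    def interface(self) -> str:
        """Kernel interface name, <physical interface>.<VLAN id>."""
        return f"{self.physical}.{self.tag}"

    @property
    def label(self) -> str:
        """Interface label, <interface-name>.<VLAN ID>:<Virtual Server Name>."""
        return f"{self.interface}:{self.server}"


def check_vlan_plan(vlans: List[Vlan]) -> List[str]:
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    for v in vlans:
        if not MIN_TAG <= v.tag <= MAX_TAG:
            problems.append(f"{v.interface}: VLAN tag outside {MIN_TAG}-{MAX_TAG}")
        if len(v.label) > MAX_LABEL_LEN:
            problems.append(f"{v.label}: label has {len(v.label)} characters, "
                            f"limit is {MAX_LABEL_LEN}")
    # The same <physical>.<tag> interface must not be defined twice.
    for iface, count in Counter(v.interface for v in vlans).items():
        if count > 1:
            problems.append(f"{iface}: defined {count} times")
    for phys, count in Counter(v.physical for v in vlans).items():
        if count > MAX_VLANS_PER_IFACE:
            problems.append(f"{phys}: {count} VLANs, limit is {MAX_VLANS_PER_IFACE}")
    return problems


def soft_activation_commands(vlans: List[Vlan]) -> List[str]:
    """The command pair from the 'Soft activation' step, for each VLAN."""
    cmds = []
    for v in vlans:
        cmds.append(f"/etc/phion/bin/vconfig add {v.physical} {v.tag}")
        cmds.append(f"ip link set {v.interface} up")
    return cmds


if __name__ == "__main__":
    plan = [Vlan("eth2", 200, "S01"), Vlan("port10", 1111, "S01")]
    print(check_vlan_plan(plan))          # [] when the plan is valid
    print("\n".join(soft_activation_commands(plan)))
```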
How to Add Additional Network Interfaces

When you add network modules to Barracuda appliances or virtual network adapters to virtual systems, you must add these network interfaces to the network configuration of your Barracuda NG Firewall. Every Barracuda NG Firewall model has its own set of interface names (eth<n>, port<n>, LAN<n>, etc.). You must have the product and model configured correctly in the Box Properties configuration before adding additional network interfaces. Hardware appliances are automatically configured with the correct network interfaces.

When adding additional network interfaces to a Barracuda NG Firewall Vx on a VMware hypervisor, check the order of the network adapters after rebooting. You may have to change the assigned virtual switch in the VMware configuration if the new network adapter has not been placed last in the configuration.

In this article:
   Before You Begin
   Step 1. Add Network Interface(s)
   Step 2. Activate Network Changes
   Interface Parameters Description

Before You Begin

Find out which network driver is needed for your network adapter/interface.

Step 1. Add Network Interface(s)

Add the additional network interfaces to the Barracuda NG Firewall.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left pane, click Interfaces.
3. Expand the Configuration Mode menu, and then click Switch to Advanced.
4. Click Lock.
5. In the Network Interface Cards table, add or edit an entry for the NIC. For more information on the NIC settings, see the following Interface Settings section.
6. To dynamically update the settings in the Physical Interfaces table, select yes from the Interface Computation list. The physical interface settings are then updated whenever the network configuration is changed. Otherwise, you must manually update the settings.
7. In the Physical Interfaces table, add or edit an entry for your physical interface.
For more information on the physical interface settings, see the following Interface Settings section.
8. In the Internal Interface Configuration table, add loopback equivalent devices.
9. Click Send Changes and Activate.

Step 2. Activate Network Changes

You must activate the network changes to add the network devices.

1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe. The "Failsafe Activation Succeeded" message is displayed after your new network configurations have been successfully activated.

The Barracuda NG Firewall can now send traffic over the new network interfaces.

Interface Parameters Description

Network Interface Cards Table

Descriptions of the settings that you can configure in the Network Interface Cards table:

Driver Module Name – The driver that is used for the NIC. Only recommended cards are listed. If you require a card that is not listed, see the list of supported NICs to verify that your card is supported. To manually enter the card name, select the Other check box and enter the card name in the Driver Module Name field. If you are using a Marvell network adapter that requires the sk98lin_cb.o interface, interface naming must begin with eth1. The eth0 interface is NOT supported.

Number of Interfaces – The number of NIC interfaces that can be used simultaneously. This indicates the number of ports and not the number of cards of the particular type. For example, one dual-port NIC counts as two interfaces, but one combo-type card with support for three different connectors (for example, BNC, AUI, RJ45) counts as one because only one connection is active at a time. If you enter 0, the module is not loaded.

Driver Options (Advanced Configuration Mode) – This setting is used with module-based driver support.
Note that several interface-specific option strings may be added to this table. They are formatted as key=value1 … valueN, with N being the number of interfaces.

Fallback Enabled (Advanced Configuration Mode) – Activates an alternative NIC driver that is defined via the Fallback Module Name and Fallback Driver Options settings. This setting might be helpful during and after update sequences. If the primary driver does not work, the fallback driver is used. If the fallback driver does not work, both drivers are loaded.

Fallback Module Name/Fallback Driver Options (Advanced Configuration Mode) – The fallback driver to be used for the NIC. Only recommended cards are listed. If you require a card that is not listed, see the list of supported NICs to verify that your card is supported.

Activate Driver – Enable or disable the driver.

NIC Type – The NIC type. This information is used for logical consistency checks. In conjunction with the specified number of interfaces, it is possible to check whether a particular interface may be referenced in some of the other sections. Available NICs: Ethernet.

Driver Type (Advanced Configuration Mode) – Specifies if driver support is module-based or kernel-based. Default is Loadable_Module.

Ethernet MTU – The MTU size for an Ethernet NIC. Packets exceeding this value are fragmented when sent. This MTU is used as the default value for all existing interfaces. To specify an MTU for an interface, edit its MTU setting in the Physical Interfaces table. MTUs can also be set for virtual LANs, box network, additional networks, and standard routing. The maximum accepted MTU of the next hop is used.
   Example 1: If you have a NIC with MTU size 1500 and a Standard Route with MTU size 2000, the valid MTU size is 1500.
   Example 2: If you have a NIC with MTU size 2000 and a Standard Route with MTU size 1500, the valid MTU size is 1500.
Physical Interfaces Table

MTU – The MTU for the interface. This setting overrides the MTU that is entered in the Network Interface Cards table.

Availability – If nothing else has been configured, all recognized interfaces are generally available by default. Interfaces can be claimed for exclusive use by xDSL (Connection Type: PPPOE) and DHCP links (see How to Configure an ISP with Dynamic IP Addresses (DHCP)). When an interface has been claimed as Modem Interface or DHCP Interface, its usage status is set to Reserved. If an interface is claimed by multiple services concurrently, its usage status is set to Overbooked. Interfaces marked as overbooked cannot work properly. They will not be available for any of the configured services.

References – An interface that has not been claimed by a service is flagged with none. Interfaces claimed by xDSL or DHCP links are flagged with xdsl or dhcp, respectively, followed by the link name as specified in the xDSL/DHCP configuration area when creating the link. For example, xdsl::xDSLLinkName.

Name of NIC – The NIC name as specified in the Network Interface Cards table.

NIC Type – The NIC type as specified in the Network Interface Cards table.

Used Driver – The driver module name as defined in the Network Interface Cards table.

Enable Autonegotiation – If the driver module does not support static network speed and duplex mode settings, select no in order to manually enter these settings. Speed and duplex mode options that cannot be steered through the NIC driver are manually set to a static value via the ethtool utility.

Forced Speed [Mbps] – The static network speed for the NIC. To manually set the forced speed, set Enable Autonegotiation to no and select 10, 100, or 1000 Mbps.

Duplex Mode – The static duplex mode for the NIC. To manually set the duplex mode, set Enable Autonegotiation to no and select half or full.
How to Configure Ethernet Bundles

Ethernet bundles combine multiple physical ports into a single virtual link to increase the physical bandwidth available for the connection. You also increase the fault tolerance of the Ethernet link because the connection continues to work even if one link fails. The Ethernet bundles feature is also known as "EtherChannel," "Link Aggregation," "Trunking," or "Bonding," depending on the vendor. You can create a maximum of 16 Ethernet bundles on a Barracuda NG Firewall.

Ethernet bundles can be operated in one of the following modes:

   Balance-RR – In this mode (round-robin policy), as many configured slave interfaces as possible are activated. The kernel distributes network traffic sent to the master interface sequentially to all slave interfaces involved. In a similar fashion, inbound traffic to any of the slave interfaces is directed to the master interface.
   Active Backup – In this mode (active backup policy), at least two interfaces are required, with only a single slave interface being active at any one time. A prolonged failure of the link check on the active interface triggers the activation of a backup slave interface. Only the link status is monitored, not whether actual traffic can be transmitted over the connection.
   Balance-XOR – The link is chosen by calculating a hash of the source/destination MAC addresses (Layer 2) combined with the IP addresses (Layer 3). Depending on the hash, an interface is selected. This ensures that sessions from the same interface always use the same link from the Ethernet bundle.
   Broadcast – Everything is transmitted on all slave interfaces.
   802.3ad Link Aggregation – Uses the LACPDU protocol to negotiate automatic bundling of links. The directly connected devices must also support LACPDU.

In this article:
   Step 1. Configure an Ethernet Bundle
   Step 2. Activate the Network Configuration
   Next Steps

Step 1.
Configure an Ethernet Bundle

Create the virtual bond interface and add the physical network interfaces. You must also choose the operation mode.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, select Ethernet Bundles.
3. Click Lock.
4. In the Ethernet Bundles table, click +.
5. Enter a descriptive Name. Click OK. The Ethernet Bundles window opens.
6. Specify the following settings:
   Bundled Interface – Select a bond interface. E.g., bond0
   Bundled Interfaces – Click + and double-click the physical interfaces you want to include in the Ethernet bundle.
   Operation Mode – Select how traffic is distributed between the interfaces.
   LACPDU Packet Rate (802.3ad Link Aggregation only) – Select how fast (every second) or slow (every 30 seconds) LACPDU packets are sent to the switch.
   Hashing Policy (802.3ad Link Aggregation only) – Select how traffic is split over the slave links.
      Layer2 – Selects the link based on destination MAC addresses.
      Layer2+3 – Uses a mix of MAC addresses and IP addresses and, thus, also works for routed traffic. Traffic to the same IP address always ends up on the same link.
   Link Check Mode – Select whether the link availability is checked in Compatibility (default) or Efficiency mode.
   Link Check (ms) – Enter the interval in milliseconds for checking the link state of the slave interfaces. Default: 100 ms
   Activation Lag (ms) – Enter the time in milliseconds to delay the activation of a backup slave interface. It has to be a multiple of the link check interval.
   Deactivation Lag (ms) – Enter the time in milliseconds to delay the deactivation of a link. It has to be a multiple of the link check interval.
7. Click OK.
8. Click Send Changes and Activate.

Step 2. Activate the Network Configuration

Complete the network activation to activate the new Ethernet bundle interface.

1. Go to CONTROL > Box.
2. In the left menu, expand the Network section and click Activate new network configuration.
3. Select Failsafe.
The "Failsafe Activation Succeeded" message is displayed after your new network configurations have been successfully activated.

Next Steps

Go to CONTROL > Network and verify that the bond0 interface is listed and active.

Advanced Networking in the Azure Cloud

How to Configure IP Tunneling

In most cases it is better to use Site-to-Site VPN tunnels instead of IP tunnels. You can introduce simple point-to-point tunnels with generic routing encapsulation (GRE) or plain IP in IP encapsulation. IP tunnels are established at the box level and do not support peer authentication or encryption.

In this article:
   Configure an IP Tunnel
   IP Tunnel Settings

Configure an IP Tunnel

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, expand Configuration Mode and click Switch to Advanced.
3. In the left menu, click IP Tunneling.
4. Click Lock.
5. In the Tunnel Configuration table, click + to add an IP tunnel.
6. Enter a Name.
7. Click OK. The Tunnel Configuration window opens.
8. Enter the IP tunnel settings. For more information on the settings, see the IP Tunnel Settings section below.
9. Click OK.
10. Click Send Changes and then click Activate.

IP Tunnel Settings

Encapsulation Mode – The encapsulation mode for the tunnel. You can select:
   GRE(47) – Default mode. Generic routing encapsulation.
   IPinIP(4) – Plain IP in IP encapsulation.

Tunnel TTL – (Optional) The TTL for encapsulated tunnel traffic. To use the standard behavior of TTL inherit and Nopmtudisc (no path MTU discovery), leave this field blank.

Set Multicast Flag – To set the multicast flag for the tunnel interface, select yes.

Source IP Type – The source IP type. You can select:
   ServerIP – The source IP address is provided by a server.
   BoxIP – A local source IP address is used. You must specify the local source IP address in the following Source IP field. Without a local source IP address, the system cannot use the tunnel for local traffic.

Source IP – If you selected BoxIP from the Source IP Type list, enter a local source IP address in this field. Specify a routable source IP address if the box itself will use the tunnel. The IP address is activated on the tunnel interface.

Source Mask – The netmask for the source IP address. A non-zero mask specifies a local network.

Route Metric – If more than two routes exist for a target, enter a preference number for the route if one of the following scenarios also applies:
   You do not want to use policy routing for tunneling. Thus, the respective tunnel routes go either into the main or default table (whenever the target network must be 0.0.0.0/0).
   You want to use policy routing but plan to assign the routes to an existing table.
   It is not a good idea to introduce redundant routes to a target network with a direct route being the preferred path.

Remote End IP – The IP address of the remote tunnel end. Make sure that this IP address can be accessed from the local tunnel end that is specified in the following Local End IP field.

Check Reachability – To check the reachability of the remote tunnel end from the local tunnel end, select yes. If this check fails, the tunnel is not introduced. If verification is already active, you will not be able to send configuration changes. To disable this check, select no. Disable this check when the remote tunnel end is only accessible via a VPN route.

Local End IP – The IP address of the local tunnel end. Make sure that you have already introduced this IP address in the network configuration of the system.
Trust Level – Specifies the IP address type that is counted by the firewall for traffic on this interface. You can classify the interface as one of the following:
   Unclassified
   Trusted
   DMZ
   Untrusted
   Internal01
   Internal02

Target Networks – In this table, specify target networks that must be accessible through the tunnel. Use IP/mask notation. Add the target networks of routes that rely on the tunnel interface. Each specified target will rely on a corresponding direct route.

Advertise Route – To advertise this route via dynamic routing protocols when the OSPF/RIP/BGP service is used, select yes.

Use Policy Routing – To specify a routing table for tunnel routes from specific source networks, select yes. You can then configure the following policy routing settings: Table Placement, Use Table, and Source Networks.

Table Placement – If you are using policy routing, specify where the table should be placed. You can select postmain (default), premain, or existing. Select existing if you want to use an existing table and specify the table in the following Use Table field. The rule preference of this table will be inherited.

Use Table – If you selected existing from the Table Placement list, specify the policy routing table in this field. Do not specify the local, main, or default tables. For each source network defined, an appropriate rule pointing to this table (with the table's original preference) is also appended.

Source Networks – If the route from a network or single host must be looked up in the policy routing table specified in the Table Placement setting, add it to this table. By default, the policy routing table uses the same name as the one that you entered for the tunnel configuration entry. However, you may assign the routes to another table. Use IP/mask notation. For a single host, you must enter 32 as the netmask.
How to Configure User Defined Routes in Azure

High Availability
A standalone system is typically set up in an HA cluster from one of the following configuration scenarios:
It is an existing standalone Barracuda NG Firewall to which a second NG Firewall is added for high availability.
It is one of two existing standalone Barracuda NG Firewalls that are to be configured into a single HA pair.
It is part of an HA pair that is to be installed from scratch. In this case, install the new system and then set it up in HA mode.
It is important to configure switches and routers properly to work in conjunction with an HA setup. Most important is the ARP cache time (ARP timeout) of the networking equipment. When the secondary unit starts its services, it uses the same IP addresses (except for the management IP address) as the primary unit, but with different MAC addresses. With an infinite timeout configured, the secondary unit would never be reached, because the shared IP addresses would still resolve to the MAC address of the primary unit and therefore to the wrong switch port. With a timeout of 300 seconds, the secondary unit would not be reached for 5 minutes, and the HA setup would not fulfill its purpose. The recommended setting lies between 30 and 60 seconds. Note that the number of ARP requests increases as the timeout is lowered.
In this article: HA Monitoring without a Private Uplink; HA Monitoring with a Private Uplink; Designing an HA System
HA Monitoring without a Private Uplink
In an HA system with no private uplink, alive packets and status information are transferred over the network that the management IP addresses belong to. For example, in the following diagram, the HA state is exchanged via the 10.0.8.0/24 network.
When the switch "dies", the connection between the HA partners also breaks, and the secondary unit starts its servers although the primary unit is still alive. When the switch is reactivated, both units are up for around one second, and duplicate IP addresses are online until the primary unit stops its servers.
HA Monitoring with a Private Uplink
In an HA cluster with a private uplink, one network interface is dedicated to HA purposes. An example of this setup is displayed in the figure below. Host routes are used to route the HA traffic via the private uplink. A failover route must also be configured to make sure that the units can reach each other via both paths. The private uplink should be a direct connection with a crossover cable so that it does not depend on any further hardware component (switch/hub). The subnet for the uplink should be a /30 network (a 2-bit host part, that is, exactly two usable addresses).
Designing an HA System
Example IP Addresses:
                                   Primary Unit            Secondary Unit
Management IP                      10.0.8.112 / eth0       10.0.8.113 / eth0
FW Server IP                       10.0.8.100 (shared by both units)
Further Network (Private Uplink)   192.168.0.1/30 / eth2   192.168.0.2/30 / eth2
The route the heartbeat takes is configured via the parameter group Translated HA IP (CONFIGURATION > Box > Infrastructure Services > Control). In the example settings, the heartbeat is configured to use both the 10.0.8.0/24 network AND the private uplink to send heartbeats:
                 Translated HA IP   Alternative HA IP   Usage Policy
Primary Unit     10.0.8.113         192.168.0.2         Use-Both
Secondary Unit   10.0.8.112         192.168.0.1         Use-Both
Configure the Translated HA IP and Alternative HA IP on the primary and secondary unit. These IP addresses are used in the default firewall rules for HA synchronization that allow HA traffic between both HA partners. The HA IP address must be a Management IP address; otherwise, the control daemon does not listen on the alternative HA IP, and heartbeat and sync fail.
If you are running an HA setup with different appliance revisions, ensure that both physical ports of the private uplink use identical port labels. Otherwise, HA synchronization may fail.

How to Set Up a High Availability Cluster
Both systems that you set up in a high availability (HA) cluster must be the same model and firmware version. For instructions on how to configure an HA cluster using different revisions of the same appliance model, see How to Restore a Configuration on Appliances After an RMA.
A high availability (HA) cluster can transparently fail over to the secondary unit if your primary unit goes down unexpectedly or requires maintenance. You can set up an HA cluster on a Barracuda NG Control Center or a standalone HA cluster. A standalone HA cluster includes two standalone Barracuda NG Firewalls or two Barracuda NG Control Centers. To protect against failure of network components, you can use a dedicated private link as a secondary HA connection.
In this article: Standalone Barracuda NG Firewall HA Cluster; Set Up an HA Cluster in the Barracuda NG Control Center; Configure a Private Uplink; Check Virtual Server HA Status
Standalone Barracuda NG Firewall HA Cluster
Before you Begin
Connect the primary unit and secondary unit to a network switch.
Verify that the Product Type in the Box Properties and Server Properties matches your appliance.
Step 1. (Virtual NG Firewalls only) Verify the Product Type
Set the product type matching your license if you are using a virtual Barracuda NG Firewall. This is not necessary on hardware appliances.
1. Open the Box Properties page (Configuration > Full Configuration > Box).
2. Click Lock.
3. Select the Barracuda NG Firewall model from the Product Type list, e.g., NG Firewall VF50.
4. Select the Barracuda NG Firewall model from the Hardware Type list.
5. Click Send Changes and Activate.
Step 2. Create the DHA Unit
On the primary unit, create the DHA configuration for the secondary unit.
1. Open the Configuration > Full Configuration page.
2. Right-click Box and select Create DHA box. At the bottom of the Config Tree, the HA Box configuration node is added.
3. Open the HA Network page (Configuration > Full Configuration > Box > HA Box).
4. Enter the Management IP (MIP) for the secondary unit.
5. Click Send Changes and Activate.
Step 3. Create the PAR File for the Secondary Unit
On the primary unit, export the PAR file for the secondary unit.
1. Go to the Config > Full Config page.
2. From the Config Tree, right-click Box and select Create PAR file for HA box.
3. Save the PAR file to your local hard disk drive.
Step 4. Import the PAR File on the Secondary Unit
On the secondary unit, import the boxha.par PAR file created on the primary unit:
1. Open the Configuration > Full Configuration page.
2. From the Config Tree, right-click Box and select Restore from PAR file.
3. Click OK.
4. Select the boxha.par file created in Step 3 and click OK.
5. Click Activate.
Step 5. Activate the New Network Configuration for the Secondary Unit
On the secondary unit, activate the network configuration.
1. Go to the Control > Box page.
2. In the left navigation pane, expand Network and click Activate new network configuration.
3. Select Failsafe as the activation mode.
4. In the left menu, expand Operating System and click Reboot.
Step 6. Select the Active and Backup Unit on the Primary Unit
In the virtual server settings of the primary unit, select where the virtual server should run.
1. Open the Server Properties page (Configuration > Full Configuration > Box > Virtual Server > your virtual server).
2. Click Lock.
3. Verify that the Product Type matches your license.
4. To run the virtual server on the primary unit by default:
a. Active Box – Select This-Box.
b. Backup Box – Select Other-Box.
5. To run the virtual server on the secondary unit by default:
a. Active Box – Select HA-Box.
b. Backup Box – Select Other-Box, or No-Backup if you do not want this virtual server to be part of the high availability cluster.
Consider the limitations described in Best Practice - Service Dependencies and Multiple Services of the Same Type on one Virtual Server before using multiple virtual servers on one NG Firewall.
6. Click Send Changes and Activate.
Step 7. Install Licenses
You must install licenses on both units. For instructions, see How to Activate and License a Barracuda NG High Availability Cluster.
Set Up an HA Cluster in the Barracuda NG Control Center
Before you Begin
Select two Barracuda NG Firewalls in the same cluster.
Set up an HA Cluster
1. Log into the Barracuda NG Control Center.
2. Open the Config page.
3. From the Config Tree, expand Multi-Range and navigate to the cluster that contains your HA units.
4. Create a virtual server.
5. Open the Server Properties page.
6. In the Virtual Server Definition section, define the primary unit and secondary unit:
Primary Box – The active system.
Secondary Box – The HA partner.
7. Click Send Changes and Activate. The primary and secondary servers are created and configured as HA partners on both units.
Figure 3. Virtual Server Settings for an HA Cluster on the Barracuda NG Control Center
Configure a Private Uplink
After setting up an HA cluster, you can also configure a private uplink for it.
For the private uplink, you must configure a /30 subnet (2-bit host part, two usable addresses) and provide dedicated network devices for the private uplink. To configure a private uplink, complete the following steps on the primary unit. These steps use the example IP addresses from the following figure:
Figure 4. HA Cluster with Private Uplink
Before You Begin
To avoid any errors when you configure the private uplink, connect the primary unit and secondary unit with a crossover cable.
Step 1. Define Alternative HA IP Addresses
1. Open the Network page (Config > Full Config > Box > Network).
2. Click Lock.
3. From the Configuration Mode menu in the left navigation pane, click Switch to Advanced View.
4. In the Additional Local IPs section, add the IP address of the unit in the additional subnet. For example, 192.192.192.1.
5. From the Responds to Ping and Management IP lists, select yes.
6. Click OK.
7. Click Send Changes and Activate.
Step 2. Activate the Private Uplink
1. Open the Control page (Config > Full Config > Box > Infrastructure Services).
2. Click Lock.
3. In the HA Monitoring Parameters section, add entries for the primary unit and secondary unit. In each entry, specify these settings:
Translated HA IP – Enter the original management IP address (for example: 10.0.10.20).
Alternative HA IP – Enter the additional local network IP of the unit (for example: 192.192.192.1).
4. Click OK.
5. Click Send Changes and Activate.
Figure 5. HA Monitoring Settings on Both HA Units
Step 3. Add the Alternative HA IP to the ACL List
To grant administrative access rights for alternative HA IP address usage, add the alternative HA IP address to the ACL list:
1. Open the Administrative Settings page (Config > Full Config > Box > Administrative Settings).
2. Click Lock.
3. In the Access Control List section, add the alternative HA IP address.
4. Click Send Changes and Activate.
Check Virtual Server HA Status
Check the server status on both HA units to verify that the virtual servers have been correctly assigned.
1. On the primary unit: Go to the Control > Server page. In the Server Status table, verify that the virtual server is correctly assigned. The Status column must display primary. The Status HA Partner column must display standby.
2. On the secondary unit: Go to the Control > Server page. In the Server Status table, verify that the virtual server is correctly assigned. The Status column must display standby. The Status HA Partner column must display primary.
When the primary unit goes down, the secondary unit changes its status to primary and replaces the primary unit with all its functionality. Depending on whether your primary unit is running or down, the Control > Server page displays as follows:
Figure: Control > Server page showing Primary Unit State and Secondary Unit State (the primary unit state is N/A when the primary unit is down).

Transparent Failover for an HA Firewall
An HA system can be used for load balancing, exploiting all features that are available through the Barracuda NG Firewall architecture. Use transparent failover to synchronize the forward packet sessions (inbound and outbound TCP, UDP, ICMP-Echo, and OTHER-IP-Protocols) of the Firewall server between the two HA partners. Transparent failover is enabled by default and activated per rule.
For transparent failover, both HA partners must have identical network configurations, except for the NICs, which may differ. The assignment of the interfaces must be identical. For example, if the ISP is connected on eth0 and the DMZ on eth1, the same interfaces must be used on the partner unit to connect to the ISP and the DMZ.
Unsynchronized Components
Certain components are not HA-synced.
These are listed in the table below:
Module or Component         Sub Components
Firewall                    Local sessions; Stream sessions; WANOPT sessions; SSL decryption sessions; Sessions using a box IP address as dynamic bind IP address; Sessions using a box IP address as redirection target; Sessions for which HA synchronization was disabled in the Advanced Rule Settings
VPN Service                 IPSec tunnels
Access Control Service      All
Eventing                    All
Logging                     All
Box Statistics              All
Home Directories (Admins)   All
SMS Messages                All
Synchronizing Procedure
Synchronization can be carried out via the dedicated HA uplink or, alternatively, via the LAN connection. Synchronization traffic is transmitted as AES-encrypted UDP packets, so-called sync packets, on port 689. The AES keys are created using the Box RSA keys and renewed every 60 seconds. Only a small amount of synchronization traffic is necessary when synchronizing via the LAN connection: sync traffic is kept to a minimum by synchronizing only sessions, not each packet. Because of the characteristics of the TCP handshake (SYN, SYN-ACK, ...), only established TCP connections are synchronized; if a takeover happens while a TCP handshake is in progress, the handshake must be repeated.
Synchronization takes place immediately (if possible). If synchronization packets are lost, the backlog is resynchronized at up to 70 sessions per second. Depending on system availability, the behavior differs:
If the partner unit is inactive/rebooted – Sometimes the backup unit is not available and therefore does not respond to the sync packets (for example, for maintenance reasons). In this case, the active unit stops synchronizing. As soon as the partner unit reappears, the active unit checks whether the partner was rebooted or has an obsolete session state and resynchronizes all necessary sessions.
If the active unit restarts without a takeover – The Firmware Restart button was clicked. The acpf and sockets are gone, but the unit is not rebooted physically. In this case, the partner unit recognizes that its session state is obsolete and removes all synchronized sessions.
Takeover Procedure
When the HA unit on which the firewall runs does not respond to the heartbeat (Control, UDP port 801), takeover is initiated after a delay of 10 to 15 seconds. This delay is necessary because of potentially low network performance. During this time, no service is available. If the unit stays inactive, the synchronized sessions on the second unit are activated and all connections are available again.
Again, TCP must be mentioned separately. The backup unit does not have the current TCP sequence numbers. After a takeover, the sequence number of a taken-over connection is therefore not checked for correctness until the connection carries traffic; as soon as it does, the former backup unit learns the sequence number and the check is enforced again. The missing sequence numbers on the backup unit also mean that TCP connections that were taken over but have had no traffic since cannot be reset cleanly: terminating such a session via the Terminate Session button removes the connection but does not send a TCP Reset (TCP-RST).
Configuration
In each firewall rule, you can edit a Transparent Failover active/inactive setting that defines whether sessions that match this rule are synchronized. For more information, see Advanced Access Rule Settings.
Monitoring
To view the status of sessions, go to the Firewall > Status page.

Monitoring, Managing, and Rebuilding HA Clusters
Manage configuration updates and monitoring for your HA clusters. Configuration changes on the primary firewall are transferred instantly to the secondary firewall.
The sync status can be viewed from Barracuda NG Admin. If the primary firewall fails, configuration changes must be made on the secondary firewall. After the primary firewall is re-established, synchronization must be started manually.
In this article: Check Virtual Server HA Status; HA Sync Status Setup; Emergency Override; Manually Synchronize a Stand-alone HA Pair; Manually Synchronize a Stand-alone HA Pair in the NG Control Center; Configure IP Address and Service Monitoring
Check Virtual Server HA Status
Check the server status on both HA firewalls to verify that the virtual server is running on the primary firewall.
1. On the primary firewall: Go to CONTROL > Server. In the Server Status table, verify that the Status column displays primary and the Status HA Partner column displays standby. The virtual server status color must be green.
2. On the secondary firewall: Go to CONTROL > Server. In the Server Status table, verify that the Status column displays standby and the Status HA Partner column displays primary.
If the virtual server is running on the secondary firewall, you must initiate a manual HA failover. For more information, see How to Perform a Manual High Availability Failover.
HA Sync Status Setup
1. Go to CONFIGURATION.
2. Expand the State Info drop-down list in the upper right-hand corner and click HA Sync.
3. In the HA Box Synchronization window, you can trigger the following tasks:
Do Update – Performs an incremental update.
Do Complete Update – Performs a complete update.
Discard Update – Discards the changes. This is needed when the two HA partners are in an inconsistent state.
Refresh – Refreshes the window to show the current state (completion of the update).
This function is deactivated if the HA system is managed by a NG Control Center.
You can only trigger HA box synchronization via the Configuration Update page on the NG Control Center. For more information, see CC Configuration Updates.
Emergency Override
If the primary firewall fails, configuration changes must be made on the secondary firewall using the Emergency Override mode.
1. Log into the secondary firewall.
2. From the Configuration Tree, right-click Box (Backup) and select Emergency Override.
3. When prompted, click Yes to enable the Emergency Override mode. When the Emergency Override mode is active, the box icon is highlighted in yellow. The Emergency Override mode is activated only for the current session. It must be reactivated for every new session.
4. Lock and edit your configurations.
5. Click Send Changes and Activate.
Manually Synchronize a Stand-alone HA Pair
After the connection to the primary firewall is re-established, synchronization must be restarted manually. The following steps assume that services are still active on the secondary firewall.
1. On the primary firewall, go to CONFIGURATION.
2. From the service bar, expand the State Info icon and click HA Sync.
3. Click the Clear Dirty Status button.
A restart of the Control Service or the CC-Conf Service can disrupt HA synchronization. The synchronization process then stops with the following error message:
HA sync pending PAR ready (13223 kb) COMPLETE update; Can't send PAR file: - SYNC DIRTY: refuse PAR file: box itself has a pending HA update.
In case of such a disruption, the .par file used in the synchronization process is not deleted from the file system in the final step, which disturbs the following synchronization process. Use the Clear Dirty Status button in the HA Sync window to restart HA sync.
4. Open the Configuration Tree on the secondary firewall and click HA Sync.
5. Enter the IP addresses of the HA partners into the IP address fields of the HA Box Synchronization window.
6. Click Do Update to transfer the configuration from the secondary firewall to the primary firewall.
7. Enter the IP address of the primary firewall into the HA Partner IP field.
8. Enter the IP address of the secondary firewall into the Sender IP to use field.
9. Select the Change Address check boxes to the right of both fields.
10. Click Do Complete Update.
11. Block services on the secondary firewall so that the primary firewall can regain normal operation status.
Manually Synchronize a Stand-alone HA Pair in the NG Control Center
Only configuration changes on the primary firewall are transferred instantly to the secondary firewall. In Emergency Override mode, manually synchronize configurations from the secondary firewall to the primary firewall. (The following steps assume that services are still active on the secondary firewall.)
1. On the primary firewall, click the Clear Dirty Status button.
2. Open the Configuration Tree on the NG Control Center and click HA Sync.
3. Enter the IP addresses of the HA partners into the IP address fields of the HA Box Synchronization window.
4. Click Do Update to transfer the configuration from the secondary firewall to the primary firewall.
5. Enter the IP address of the primary firewall into the HA Partner IP field.
6. Enter the IP address of the secondary firewall into the Use Sender IP field.
7. Select the Change Address check boxes to the right of both fields.
8. Click Do Complete Update.
9. Block services on the secondary firewall so that the primary firewall can regain normal operation status.
Configure IP Address and Service Monitoring
To enable handling of failure conditions and to guarantee a quick takeover of services when a box or networking component becomes unavailable, configure the monitoring of IP addresses and services on the Virtual Server layer. For more information, see Virtual Server Monitoring.

How to Perform a Manual High Availability Failover
In an HA setup, the primary NG Firewall stays active until a serious problem occurs. If virtual servers and services must be shut down (for example, for system maintenance), you can do a manual failover to transfer all virtual servers to the secondary (backup) unit. Block the virtual server on the primary unit to shut down the Control service. The Control service sends a signal to the secondary unit that tells it to start its virtual server. Then, stop the virtual server on the primary unit so that the Control service can restart it automatically if the secondary unit goes down. This mechanism works identically for an HA pair that is managed by a Barracuda NG Control Center and for a stand-alone HA pair.
In this article: Perform a High Availability Failover when the Primary Unit is Active (Before You Begin; Step 1. Block the Virtual Server on the Primary Unit; Step 2. Put the Primary Firewall in Standby); Perform a High Availability Failover when the Secondary Unit is Active (Before You Begin; Step 1. Block the Virtual Server on the Secondary Unit; Step 2. Put the Secondary Firewall in Standby)
Perform a High Availability Failover when the Primary Unit is Active
Block the virtual server on the primary unit to shut down the Control service and initiate the failover. After the failover, start the Control service on the primary firewall again so that it can take over the virtual server in case of failure.
Before You Begin
On the primary firewall, go to the Control > Server page and verify that the Status is primary.
On the secondary firewall, go to the Control > Server page and verify that the Status is standby. If the Status is blocked, click Stop Server.
Step 1. Block the Virtual Server on the Primary Unit
1. Log into the primary unit.
2. Go to the Control > Server page.
3. In the Server Status section, select the virtual server and click Block Server.
On the primary firewall, the virtual server Status column shows block. On the secondary firewall, the virtual server Status shows secondary. The virtual server is now running on the secondary firewall. The primary firewall is blocked and cannot take over the virtual server in case the secondary firewall fails.
Figures: Server Status on the Primary Firewall and on the Secondary Firewall
Step 2. Put the Primary Firewall in Standby
Stop the virtual server on the primary firewall so that it can take over the virtual server in case the secondary firewall fails.
1. Log into the primary firewall.
2. Go to CONTROL > Server.
3. In the Server Status section, select the virtual server and click Stop Server.
On the primary firewall, the virtual server Status column shows down. On the secondary firewall, the virtual server Status shows secondary. The virtual server is still running on the secondary firewall. The primary firewall is ready to take over the virtual server in case the secondary firewall fails.
Figures: Server Status on the Primary Firewall and on the Secondary Firewall
Perform a High Availability Failover when the Secondary Unit is Active
To perform a manual failover when the secondary unit is active, block and stop the virtual server on the secondary unit.
Before You Begin
On the primary firewall, go to the Control > Server page and verify that the Status is down. If the Status is blocked, click Stop Server.
On the secondary firewall, go to the Control > Server page and verify that the Status is secondary.
Step 1. Block the Virtual Server on the Secondary Unit
1. Log into the secondary firewall.
2. Go to the Control > Server page.
3. In the Server Status section, select the virtual server and click Block Server.
On the secondary firewall, the virtual server Status column shows block. On the primary firewall, the virtual server Status shows primary. The virtual server is now running on the primary firewall. The secondary firewall is blocked and cannot take over the virtual server in case the primary firewall fails.
Figures: Server Status on the Primary Firewall and on the Secondary Firewall
Step 2. Put the Secondary Firewall in Standby
Stop the virtual server on the secondary firewall so that it can take over the virtual server in case the primary firewall fails.
1. Log into the secondary firewall.
2. Go to CONTROL > Server.
3. In the Server Status section, select the virtual server and click Stop Server.
On the secondary firewall, the virtual server Status column shows standby. On the primary firewall, the virtual server Status shows primary. The virtual server is still running on the primary firewall. The secondary firewall is ready to take over the virtual server in case the primary firewall fails.
Figures: Server Status on the Primary Firewall and on the Secondary Firewall

How to Configure a High Availability Cluster in Azure
How to Configure a High Availability Cluster in Azure via PowerShell

Mail Gateway Synchronization with HA
You can configure mail gateway synchronization for a Barracuda NG Firewall in an HA cluster.
In this article: Automatic Email Synchronization; Manual Email Synchronization after an HA Takeover (Step 1. Connecting; Step 2. Check for Undelivered Mails; Step 3. Copy the Spool Directory; Step 4. Copy the vscan Directory (optional); Step 5. Initiating Delivery Manually; Step 6. Removing the Obsolete Mails; Step 7. Exit)
Automatic Email Synchronization
Automatic email traffic synchronization is quite similar to the transparent failover that is available for the Forwarding Firewall (see Transparent Failover for an HA Firewall). When mails are spooled, they are synchronized to the HA partner within a maximum of 10 seconds. However, the synchronization procedure itself is one-way only: changes made to the mail log and envelope on the partner unit are lost when the primary unit takes back the mail gateway. When synchronized mail is delivered, it is deleted on the HA partner. If a synchronization attempt fails, it is stored in a transaction log for pending actions and retried as soon as possible.
Manual Email Synchronization after an HA Takeover
During an HA takeover, the mail gateway service on the server of the secondary unit starts and performs the mail delivery. After successful recovery of the primary unit, the server of the primary unit takes over mail delivery again and the mail gateway running on the secondary unit stops delivering mail.
If the HA takeover happens during mail delivery, mail delivery might not be finished because some mail could be left in the mail queue of the secondary HA server. In other words, HA takeover can be initiated while the spooling process of mails is active. This occurs especially during heavy loads when lots of emails are processed by the mail gateway service. In this case, you must manually move leftover mail from the secondary unit to the primary HA partner and initiate the delivery so that no mail is lost after an HA takeover. The following description shows step-by-step what must be done in such a case: While connected via SSH, do not enter any commands unless you know exactly what you are doing. Step 1. Connecting Establish a connection to the secondary HA unit using Barracuda NG Admin. Now select SSH from the unit menu and log into the secondary HA unit as root. Change to the spool directory of the mail gateway by using the following command line: cd /var/phion/spool/mgw/<server_service>/spool/ For <server>, type in the name of the server, and for <service>, type in the name of the mail gateway service you have configured when introducing the service. Step 2. Check for Undelivered Mails This check is done by listing the content of the spool directory. Therefore, enter the following command: ls -l If the result of this command is Total 0, there are no undelivered mails left, and it is not necessary to continue. In this case, type "exit" to close your SSH session. However, if there are files with the extension .body and .env, continue with the next step. Step 3. Copy the Spool Directory Copy all files to the mail input directory of the active (primary) mail gateway service. To do so, use the following command line: scp * IP:/var/phion/spool/mgw/<server>_ <service>/input/ The parameter <IP> indicates the box management IP of the primary HA unit where the mail gateway service is active. You will be prompted to enter the root password of the primary unit. Step 4. 
Copy the vscan Directory (optional)

If virus scanning for mails is active, this directory must be copied as well. Change to the vscan directory of the mail gateway:

cd ../vscan/

Copy all files to the mail input directory of the active (primary) mail gateway service:

scp * <IP>:/var/phion/spool/mgw/<server>_<service>/input/

Step 5. Initiating Delivery Manually

As soon as Step 3 and (optionally) Step 4 are complete, delivery can be started manually on the primary HA unit. Open an SSH session to the active unit:

ssh <IP>

For <IP>, type the box management IP of the primary HA unit where the mail gateway service is active. You will be prompted for the root password of the primary unit; the prompt of the primary unit then appears. Initiate the insertion and delivery of the copied mail in the input directory:

/bin/kill -s SIGUSR2 <server>_<service>

For <server>, type the name of the server, and for <service>, the name of the mail gateway service you configured when you introduced the service on the unit. These names are case sensitive. The command inserts the imported mails from the input directory into the spooling process of the active mail gateway and performs the delivery. Active mail jobs in the current spooling queue are not affected.

To verify that the mails have really been inserted, check the mail gateway logs under Logs > servername > servicename > mailgw. For each newly inserted mail, a log entry containing the text "SPOOLER new mail inserted (id=########-######-########)" is generated.
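The spool check of Step 2, the copy and signal of Steps 3 to 5, and the log verification just described, as an added helper script. This is example code written for this page, not part of the Barracuda guide or product. It assumes the directory layout /var/phion/spool/mgw/<server>_<service>/{spool,vscan,input} shown in the steps, root SSH access to the primary's management IP, and that the id in a "SPOOLER new mail inserted" entry need not equal a spool file name (so it compares counts, not ids). The sample spool directory and log excerpt are constructed.

```python
"""Helper for the manual mail-gateway resync after an HA takeover (added example)."""
import os
import re
import shlex
import subprocess
import tempfile

SPOOL_ROOT = "/var/phion/spool/mgw"
INSERTED_RE = re.compile(r"SPOOLER new mail inserted \(id=([0-9A-Za-z-]+)\)")


def mgw_dir(server, service, sub):
    """spool, vscan or input directory of one mail gateway service (assumed layout)."""
    return f"{SPOOL_ROOT}/{server}_{service}/{sub}"


def undelivered_mail_ids(directory):
    """Step 2: ids with both .env and .body present, and orphans that have only
    one of the two files (inspect those by hand rather than copying blindly)."""
    envs, bodies = set(), set()
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        if ext == ".env":
            envs.add(stem)
        elif ext == ".body":
            bodies.add(stem)
    return sorted(envs & bodies), sorted(envs ^ bodies)


def spool_files(directory, mail_ids):
    """Absolute paths of the .env and .body files of the given mail ids."""
    return [os.path.join(directory, f"{m}{ext}")
            for m in mail_ids for ext in (".env", ".body")]


def resync_commands(server, service, primary_ip, files, vscan_files=()):
    """Steps 3-5 as argv lists: scp the files into the primary's input directory,
    then make the active mail gateway pick them up with SIGUSR2."""
    target = f"root@{primary_ip}:{mgw_dir(server, service, 'input')}/"
    cmds = []
    if files:
        cmds.append(["scp", *files, target])
    if vscan_files:
        cmds.append(["scp", *vscan_files, target])
    # ssh joins the remote arguments into one shell command line, so quote the name.
    cmds.append(["ssh", f"root@{primary_ip}",
                 f"/bin/kill -s SIGUSR2 {shlex.quote(server + '_' + service)}"])
    return cmds


def count_inserted(log_text):
    """Step 5 check: distinct mails the primary's spooler logged as inserted."""
    return len(set(INSERTED_RE.findall(log_text)))


def run_resync(server, service, primary_ip, with_vscan=False):
    """Run Steps 2-5 on the secondary unit; needs root there and SSH to the primary."""
    spool = mgw_dir(server, service, "spool")
    complete, orphans = undelivered_mail_ids(spool)
    if orphans:
        raise RuntimeError(f"incomplete mails in {spool}: {orphans}")
    vscan_files = []
    if with_vscan:
        vdir = mgw_dir(server, service, "vscan")
        vscan_files = [os.path.join(vdir, n) for n in os.listdir(vdir)]
    if not complete and not vscan_files:
        return 0
    for cmd in resync_commands(server, service, primary_ip,
                               spool_files(spool, complete), vscan_files):
        subprocess.run(cmd, check=True)
    return len(complete)


def make_sample_spool():
    """Constructed spool directory: one complete mail and one orphaned envelope."""
    d = tempfile.mkdtemp(prefix="mgw-spool-")
    for name in ("20150601-123456-00000001.env", "20150601-123456-00000001.body",
                 "20150601-123457-00000002.env"):
        open(os.path.join(d, name), "w").close()
    return d


# Constructed mailgw log excerpt; the repeated id must be counted once.
SAMPLE_LOG = """\
SPOOLER new mail inserted (id=20150601-123456-00000001)
some other mailgw log line
SPOOLER new mail inserted (id=20150601-123456-00000001)
"""

if __name__ == "__main__":
    spool = make_sample_spool()
    complete, orphans = undelivered_mail_ids(spool)
    print("complete:", complete, "orphans:", orphans)
    for cmd in resync_commands("S1", "MGW", "10.0.10.1", spool_files(spool, complete)):
        print(" ".join(shlex.quote(a) for a in cmd))
    print("inserted on primary:", count_inserted(SAMPLE_LOG))
```

run_resync is the only function that touches the network; everything else can be exercised offline, which is how you would check the file-pairing and log-parsing logic before trusting it during an incident. Compare count_inserted on the primary's mailgw log, taken before and after the SIGUSR2, against the number of complete mails you copied: a smaller difference means some mails were not picked up and Step 6 must not be run yet.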
After that, normal delivery of the inserted mails starts and can be checked in the mail gateway GUI (MailGW).

Step 6. Removing the Obsolete Mails

After successful delivery, remove the mails left in the spool/ and vscan/ directories of the inactive mail gateway on the secondary unit to avoid duplicate delivery. Terminate the SSH session to the primary unit by entering exit. The system prompt of the secondary unit appears again with the message:

Connection to <IP> closed.

Repeat Step 1 if the bash prompt of the secondary unit does not show the path /var/phion/spool/mgw/<server>_<service>/spool (for example, because you changed to a different directory). Then remove all mails in the current directory by running the following command within the spool/ directory of the secondary unit:

rm -f *

This command permanently removes all files in the current directory. Make sure that you have not changed to another directory before entering it. If Step 4 was performed, also remove the obsolete mails from the vscan/ directory.

Step 7. Exit

Enter exit to terminate the SSH session. This concludes the manual email synchronization after an HA handover.

Licensing

If you are licensing a NextGen Control Center, a managed F-Series Firewall, or are using pool licenses, see Licensing on a NG Control Center. Single licenses for the NextGen Firewall F-Series and Control Center are bound to the MAC address of the first network interface.
In this article:
Barracuda NextGen Firewall F-Series Base Licenses
  Hardware Appliances
  Virtual Systems
  Public Cloud Systems
  Microsoft Azure and Amazon AWS Pay-As-You-Go Licenses
  Cold Standby Licensing
Subscription Licenses
  Barracuda Energize Updates
  Malware Protection
  Advanced Threat Detection
  Legacy SSL VPN and Access-Control-Server-Based NAC
  Barracuda Remote Access Basic
  Barracuda Remote Access Premium
  Barracuda NG Web Filter
  Barracuda NG Web Security
  Instant Replacement Service
  Barracuda Web Security Service
NextGen Control Center Licensing
Next Steps

Barracuda NextGen Firewall F-Series Base Licenses

The F-Series Firewall base license provides a next-generation firewall with the following features:
- Application Control reporting
- SSL Interception (available on all models except F10 and F100)
- WAN optimizations (compression, Traffic Intelligence, QoS, Data Caching)
- Unlimited number of VPN clients (Client-to-Site Barracuda TINA and IPsec VPN)

The F-Series Firewall is available in the following versions:

Base License Type                               Installed On                                                                        License
Hardware License                                NextGen Firewall F-Series hardware appliance                                        MAC licenses; Pool licenses
Virtual License                                 VMware hypervisors, Citrix XenServer, Xen Server, KVM Server, Microsoft Hyper-V, vCloudAir   MAC licenses; Pool licenses
Cloud License - Azure                           Microsoft Azure                                                                     MAC licenses (BYOL); Pay-As-You-Go hourly rate
Cloud License - AWS                             Amazon AWS                                                                          MAC licenses (BYOL); Pay-As-You-Go hourly rate
Software License (legacy phion customers only)  Standard hardware                                                                   MAC licenses; Pool licenses

Hardware Appliances

A NextGen F-Series Firewall or Control Center hardware appliance is bound to its license on activation. If the appliance must be replaced (RMA), the existing license is transferred to the replacement unit. There are no capacity restrictions for hardware appliances; the only limit is the performance of the hardware itself.
An unlimited number of protected IP addresses, SSL VPN users, and HTTP proxy users (AV + Web Filter) is included. SSL VPN and SSL Interception are included with every F-Series Firewall except the F10, VF10, F100, and F101 models.

Virtual Systems

Virtual systems are classified by a "capacity" number in the model name, which defines the number of protected firewall IPs, SSL VPN users, VPN users, and HTTP proxy users (virus scanning and NG Web Filter). This number is enforced for the smaller virtual appliance models (NextGen Firewall VF10 to VF500). NextGen Firewall VF1000 to VF8000 do not set a software limit on the number of protected IP addresses; the capacity number still applies as a sizing recommendation. Depending on the model, virtual appliances are also limited in the number of CPU cores they may use. You must assign the correct number of CPU cores to your NextGen Firewall or Control Center Vx: if you assign more cores than the license covers, the license state is displayed as expired.

Legacy phion licenses do not distinguish between virtual and hardware licenses and also differ from Barracuda VF licenses: users behind the HTTP proxy service and Client-to-Site VPN users are not factored into the capacity number, and legacy phion licenses require an additional license for Client-to-Site VPN.

If you cannot adjust the number of CPU cores in your hypervisor, it might be necessary to configure the bootloader to use only the number of licensed CPU cores. For more information, see How to Configure the Bootloader.
The following table lists the capacity and the number of licensed CPU cores for each NextGen Firewall Vx:

Model    Capacity    Licensed Number of CPU Cores
VF10     10          1
VF25     25          2
VF50     50          2
VF100    100         2
VF250    250         2
VF500    500         2
VF1000   unlimited   2
VF2000   unlimited   4
VF4000   unlimited   8
VF8000   unlimited   16

Depending on the license of your virtualization platform, there might be limits on the number of network interfaces you can connect to your virtual host. Check with your platform vendor.

Public Cloud Systems

F-Series Firewalls deployed in the Amazon AWS or Microsoft Azure public clouds are not restricted by a capacity number. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (firewall, VPN, etc.), you must have an active Energize Updates subscription.

Microsoft Azure and Amazon AWS Pay-As-You-Go Licenses

You can choose to pay an hourly rate for the public cloud F-Series Firewall. The pay-as-you-go license is generated and bound to the VM or instance on first boot. The Pay-As-You-Go license includes the following services:
- Forwarding Firewall
- VPN Service
- All services included in the Basic Remote Access subscription
- All services included in the Premium Remote Access subscription
- SSH Proxy
- DNS
- DHCP
- DHCP Relay
- FTP Gateway
- Dynamic Routing
- Distributed Firewall (if managed by a Control Center)

Microsoft Azure instance sizes:
- Level 2 – Small (1 core, 1.75 GB memory)
- Level 4 – Medium (2 cores, 3.5 GB memory)
- Level 6 – Large (4 cores, 7 GB memory)
- Level 8 – Extra Large (8 cores, 14 GB memory)

Amazon AWS instance sizes:
- Level 2 – m1.small (1 vCPU core)
- Level 4 – c1.medium (2 vCPU cores)
- Level 6 – m1.xlarge (4 vCPU cores)
- Level 8 – c1.xlarge (8 vCPU cores)

Cold Standby Licensing

For redundancy, you can purchase an F-Series Firewall without a license and use it as a cold standby replacement.
If the production unit fails, call Barracuda Networks Technical Support to transfer the license to the standby unit and continue normal operations.

Subscription Licenses

In addition to the base license, you can add the following subscriptions to use your firewall to its fullest extent.

Barracuda Energize Updates

This subscription is mandatory for the first year for every F-Series Firewall. It includes:
- 24x5 technical support
- Application Control 2.0
- Firmware updates
- Application Control 2.0 definition updates
- IPS/IDS engine and signature updates
- Barracuda Web Filter
- SSL VPN Web Forward template updates
- File Content definition updates

Malware Protection

Enables the virus scanner service. This subscription is available for all F-Series Firewalls except the F10 and VF10.

Advanced Threat Detection

Enables ATD. A Malware Protection subscription is required. The number of files you can upload in a burst and per month is limited, depending on your firewall model. The number of scanned files is counted in the Barracuda ATD Cloud. If the local counter on your firewall is reset, for example by reinstalling the OS, the local counter is out of sync for the rest of the month; the limits still apply.

Model                                     Burst Limit (files/min)   Files per Month
F18, F80, F180, F200, F201, F300, F301    5                         108 000
F280                                      10                        216 000
F380                                      12                        260 000
F400                                      15                        324 000
F600                                      25                        540 000
F800                                      35                        750 000
F900                                      50                        1 000 000
AWS/Azure Level 2                         5                         108 000
AWS/Azure Level 4                         10                        216 000
AWS/Azure Level 6                         15                        324 000
AWS/Azure Level 8                         35                        750 000
VF25                                      2                         43 200
VF50                                      5                         108 000
VF100                                     10                        216 000
VF250                                     15                        324 000
VF500                                     20                        432 000
VF1000                                    25                        540 000
VF2000                                    30                        648 000
VF4000                                    35                        750 000
VF8000                                    50                        1 000 000

Legacy SSL VPN and Access-Control-Server-Based NAC

Enables the SSL VPN service and the classic policy-server-based NAC service. Includes unlimited concurrent SSL VPN sessions and one CudaLaunch session.
Barracuda Remote Access Basic

Enables the SSL VPN service and NAC support. For F-Series Firewalls deployed in Azure/AWS, this subscription is included in the Energize Updates subscription. Remote Access subscriptions are available for the NextGen Firewall F80 and larger as well as all NextGen Firewall Vx models.

Included SSL VPN features:
- Browser-based access via desktop and mobile portals
- SSL-VPN-based server-side NAC
- VPN templates for SSL VPN

Included Network Access Client features:
- Windows Personal Firewall
- Windows Health Check via Access Control Service

User session limits:
- Unlimited concurrent SSL VPN user sessions
- One concurrent Client-to-Site VPN session per user
- One CudaLaunch session

Barracuda Remote Access Premium

The Remote Access Basic subscription is included in the Remote Access Premium subscription. Remote Access subscriptions are available for the NextGen Firewall F80 and larger as well as all NextGen Firewall Vx and public cloud models. For PAYG F-Series Firewalls in AWS and Azure, this subscription is included automatically.

Included SSL VPN features:
- Browser-based access via desktop and mobile portals
- SSL-VPN-based server-side NAC
- VPN templates for SSL VPN

Included Network Access Client features:
- Windows Personal Firewall
- Windows Health Check via Access Control Service

CudaLaunch:
- iOS
- Android
- Central management of accessible resources and VPN provisioning

User session limits:
- Unlimited concurrent SSL VPN user sessions
- Unlimited concurrent CudaLaunch sessions
- Multiple concurrent Client-to-Site VPN sessions by the same user

Barracuda NG Web Filter

Enables the Barracuda NG Web Filter service, which can use both online and offline databases.

Barracuda NG Web Security

Enables the Barracuda URL Filter service, which can use both online and offline databases, and the antivirus service.
Instant Replacement Service

The Instant Replacement Service includes:
- Replacement unit shipped next business day
- 24x7 technical support
- Hardware refresh every four years

Barracuda Web Security Service

To use the Barracuda Web Security Service, an additional subscription is required. For more information, see How to Configure the Barracuda Web Security Service.

NextGen Control Center Licensing

Barracuda NextGen Control Center licenses scale by the number of F-Series Firewalls that the Control Center can manage. The High Availability license is included with the VC820 Global Edition model and can be purchased as an add-on for all other models.

Model   System Type   Number of Managed Firewalls                        Tenants (Ranges)                              Configuration Groupings (Clusters)   HA License   Additional Tenants
C400    Hardware      Recommendation: 20                                 1                                             1                                    Optional     n/a
VC400   Virtual       Recommendation: 20                                 1                                             1                                    Optional     n/a
C610    Hardware      Recommendation: 200                                1                                             No limit                             Optional     n/a
VC610   Virtual       Recommendation: 200                                1                                             No limit                             Optional     n/a
VC820   Virtual       Recommendation: 1000+ (only limited by hardware)   5 (additional tenants optionally available)   No limit                             Included     Optional

Next Steps

To install the NextGen Firewall F-Series or Control Center licenses, see:
- How to License your Barracuda NG Firewall
- Licensing on a NG Control Center

How to License your Barracuda NG Firewall

You must complete licensing during the initial three-day grace period. If the unit is still unlicensed after three days, the Barracuda NG Firewall or NG Control Center switches to demo mode and the default root password (ngf1r3wall) is re-enabled, even if you have already changed the password. Because a lapsed activation therefore reverts the root account to a publicly documented password, keep the Management ACL restricted to trusted management networks (see How to Change the Root Password and Management ACL) and verify the root password once licensing is complete. Licenses are bound to the MAC address of the network interface the management IP is on. For more information on license types, see Licensing.

Barracuda NG Hardware Appliance Licensing

Hardware appliances only need to be activated.
Following activation, the licenses are downloaded automatically. For more information, see How to Activate and License a Standalone Hardware Barracuda NG Appliance.

Barracuda NG Vx Licensing

Virtual units are activated by entering the serial number and license token you received from Barracuda Customer Services. After activation, the licenses are downloaded automatically. Barracuda NG Firewalls deployed in one of the public cloud services are also licensed using a license token and serial number. For more information, see How to Activate and License a Standalone Virtual Barracuda NG Firewall.

Barracuda NG High Availability Cluster Licensing

When licensing units in a high availability cluster, it is important to activate the secondary unit first. The secondary unit does not download any licenses after activation; instead, it waits for the primary unit to be activated. The primary unit downloads the licenses for both units and installs the license on the secondary unit via HA sync. For more information, see How to Activate and License a Barracuda NG High Availability Cluster.

How to Activate and License a Standalone Hardware Barracuda NG Appliance

To automatically download and install the license on your Barracuda NG hardware unit, connect to the system using Barracuda NG Admin. NG Admin transmits the serial number of your unit to the Barracuda Licensing service and initiates the activation process. After you complete the customer information form and accept the EULA, your license is activated and automatically downloaded and installed on your unit.

Before You Begin

NG Admin must be able to connect to the Barracuda Licensing Servers on the Internet.

Automatically Download and Activate your Licenses

1. Log into the Barracuda NG Firewall using NG Admin.
   Default login credentials: user root, password ngf1r3wall
2.
(optional) Complete the Getting Started Wizard. For more information, see Getting Started.
3. The activation process is initiated automatically after 30 seconds. You can also start the process manually by clicking the blue arrow. After the licenses are downloaded, a browser window with the activation form opens.
4. Fill out the customer form, accept the License Agreement, and click Activate. After the activation process completes successfully, you receive a notification email from Barracuda Networks Customer Services.

If you are using a high availability setup, your secondary Barracuda NG unit waits for the license to be activated and then receives the license from the primary unit.

Your Barracuda NG hardware appliance is now licensed and activated. Check CONTROL > Licenses to see which licenses are installed on your unit.

How to Activate and License a Standalone Virtual Barracuda NG Firewall

After deploying your virtual Barracuda NG Vx, you must license the VM. Licenses are bound to the virtual MAC address assigned to the first network adapter of the VM. To initiate an activation, enter the license token you received by email after purchasing your license.

In this article:
Before You Begin
Step 1. Enter the License Token
Step 2. Check the License Status

Before You Begin

To license your Barracuda NG Vx system, you need the license token you received by email from Barracuda Networks Customer Services. NG Admin must be able to connect to the Internet.

Step 1. Enter the License Token

1. Log into the Barracuda NG Vx using NG Admin.
   Default login credentials: user root, password ngf1r3wall
2. Click the DASHBOARD tab. In the License section of the General page, the License State is displayed as DEMO mode for as long as the Barracuda NG Firewall is not licensed.
3.
Click the arrow icon next to the Activation State entry and select Activate. The product activation window opens.
4. Fill out the activation form.
5. (Optional) Select Save your customer data for later activations.
6. Click Activate. After the activation process completes successfully, you receive a notification email from Barracuda Networks.
7. The Barracuda NG Firewall automatically downloads and installs the purchased licenses. The License State on the DASHBOARD > General page is updated accordingly.

Step 2. Check the License Status

Go to the CONTROL > Licenses page and verify that all your purchased licenses are listed in the Active Licenses table.

How to Activate and License a Barracuda NG High Availability Cluster

In a high availability cluster, each unit must have its own licenses. Both units must be joined in an HA cluster before the licenses are activated, and NG Admin must be able to connect to the Internet. You must activate the licenses for the secondary unit before activating the licenses for the primary unit.

In this article:
Before You Begin
Step 1. Activate the Secondary Unit
Step 2. Activate and License the Primary Unit
Step 3. Verify the License Status on your High Availability Units
Troubleshooting

Before You Begin

Create an HA cluster by following the instructions in How to Set Up a High Availability Cluster.

Step 1. Activate the Secondary Unit

Depending on your deployment type, complete one of the following activation procedures:
- Hardware unit: How to Activate and License a Standalone Hardware Barracuda NG Appliance
- Virtual or cloud unit: How to Activate and License a Standalone Virtual Barracuda NG Firewall
After NG Admin activates the unit, it recognizes its HA partner status and waits for the licenses to be activated and downloaded to the primary unit. After the licenses have been retrieved successfully, a notification window appears and the Activation State switches to Current.

Step 2. Activate and License the Primary Unit

Depending on your deployment type, complete one of the following activation procedures:
- Hardware unit: How to Activate and License a Standalone Hardware Barracuda NG Appliance
- Virtual or cloud unit: How to Activate and License a Standalone Virtual Barracuda NG Firewall

Following activation, the licenses for the primary and secondary units are downloaded to the primary unit. The secondary unit automatically receives its license via HA sync.

Step 3. Verify the License Status on your High Availability Units

Both units in the HA cluster are now licensed. Verify that all your purchased licenses are listed on the CONTROL > Licenses page and that the status is Normal box operation.

Troubleshooting

Activating the primary unit before the secondary unit prevents the primary unit from retrieving the secondary unit's licenses. Reboot the primary unit and perform a complete HA update to download and install the licenses correctly.

Azure Licensing

By default, hardware and virtual NG Firewall licenses are bound to the MAC address of the first network interface. In Azure, MAC addresses may change when the VM is moved to a different host due to maintenance work, or when the VM is stopped and, upon restart, is assigned to a new host with a different MAC address. This breaks the traditional licensing approach.
As a solution, Microsoft assigns a unique 128-bit identifier, the Azure Unique ID, to each new Azure VM. This ID does not change if the VM is stopped or moved to a different host. It does change, however, if a snapshot is used to create a new instance. Both the PAYG and the BYOL images bind their licenses to the Azure Unique ID.

In this article:
Bring Your Own License Considerations
Hourly or Pay-As-You-Go License Considerations

Bring Your Own License Considerations

To license a BYOL image, you must purchase a license from Barracuda Networks that matches the Azure pricing tier. Upon activation, the license is bound to the Azure Unique ID and to the MAC address at the time of licensing; this MAC address is stored internally. If the physical MAC address of the VM changes later, the stored MAC address is used and the license stays valid as long as the Azure Unique ID does not change. To see the UUID and MAC address the license is bound to, go to the CONTROL > Licensing page. The MAC address in the HostID column may differ from the MAC in the Host IDs section if the underlying physical MAC address of the host has changed.

Hourly or Pay-As-You-Go License Considerations

The license is generated on first boot and bound to the Azure Unique ID of the Azure VM. It cannot be regenerated if the Azure Unique ID changes. Once the PAYG license has been generated, it can only be used on this instance; it is not possible to use the same PAYG license on a new PAYG image, because the Azure Unique IDs will not match. All licenses are included in the base license. The Host ID column of the CONTROL > Licensing page shows the UUID of the PAYG license, which must match the UUID in the Host IDs section.
Protected IP Count Policies

Barracuda NG Firewall VF and SF units are licensed based on the number of IP addresses protected by the gateway. For more information, see Licensing. This article explains the algorithms used to count the protected IP addresses and how to specify counting policies when creating and configuring firewall rules.

In this article:
Viewing the Number of Protected IPs
Counting Policies
  General Case
  Uncounted IP Addresses
  Redirected Destination
  Site-to-Site VPN
  Client-to-Site VPN
  SSL VPN
Specifying Counting Policies

(Figure: Protected and unprotected realms, general overview)

Viewing the Number of Protected IPs

To view the number of protected IP addresses for a Barracuda NG Firewall, go to the FIREWALL > Dynamic page and click the Protected IPs tab. The table on this page shows the number of active licensed IP addresses. For more information on the FIREWALL > Dynamic page, see Dynamic Page.

Counting Policies

The following sections describe how IP addresses are counted for each type of connection.

General Case

In general, either the source or the destination address is counted as the protected IP address, based on a comparison of the classification (trust level) of the incoming and outgoing interfaces. The order of preference, from most to least trusted, is:
1. Internal (LAN)
2. DMZ
3. Unspecified
4. External

The address on the more trusted side of the connection is counted. If the realm weight is the same, for example from Internal01 to Internal02, the source IP address is counted; the same applies vice versa, from Internal02 to Internal01.
Classification of incoming and outgoing interfaces (the counted address for each combination):

Incoming \ Outgoing       Trusted / Internal01/02   DMZ   Unclassified   Untrusted
Trusted / Internal01/02   Src                       Src   Src            Src
DMZ                       Dst                       Src   Src            Src
Unclassified              Dst                       Dst   Src            Src
Untrusted                 Dst                       Dst   Dst            Src

On the Network page, you can specify the realm category of an IP address:
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. Click Lock.
3. In the IP Address Configuration table, double-click the IP address entry and select the realm weight from the Trust Level list.
For more information on configuring IP addresses, see Network.

Uncounted IP Addresses

The following IP addresses are NOT taken into account:
- Source AND destination are site-to-site tunnel addresses (VPN relaying; see VPN Tunnels in Star-Shaped Topologies).
- The destination is a broadcast or multicast address.
- The firewall rule results in a Block or Deny action.
- For customers with legacy phion SF licenses, VPN users and HTTP proxy users are also not counted.
- Communication directed to services running on the Barracuda NG Firewall gateway itself is not counted:
  - Mail Gateway
  - DNS Server/Forwarder
  - DHCP Server

Redirected Destination

If the firewall rule redirects the destination IP address (Dst NAT or Map), the translated destination IP address is counted as protected.

(Figure: Policy for redirected destination)

Site-to-Site VPN

For Site-to-Site VPN tunnels, the counting preference for protected IP addresses is:
- The source is counted as a protected IP address if the destination is routed via the tunnel.
- The destination is counted as a protected IP address if the source originates from the tunnel.
- If both apply, neither source nor destination is counted.
For more information on site-to-site tunnels, see Site-to-Site VPN.
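The counting rules described so far (general case, uncounted addresses, redirected destination, site-to-site tunnels), together with the explicit Count Source IP / Count Destination IP rule setting described later under Specifying Counting Policies, as an added model in Python. This is example code written for this page, not Barracuda's implementation; the Flow record, its flags (src_from_tunnel, dst_via_tunnel, to_local_service, dst_is_broadcast, policy) and the sample traffic are constructed for illustration. Directed broadcasts need the subnet mask to recognize, so they are passed in as a flag rather than detected.

```python
"""Model of the protected-IP counting policy (added example, not Barracuda code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Order of preference from the guide, most trusted first.
TRUST_RANK = {"internal": 0, "dmz": 1, "unclassified": 2, "untrusted": 3}


@dataclass
class Flow:
    src: str
    dst: str
    in_trust: str                          # trust level of the incoming interface
    out_trust: str                         # trust level of the outgoing interface
    action: str = "pass"                   # "block" / "deny" results are never counted
    translated_dst: Optional[str] = None   # set when the rule does Dst NAT / Map
    src_from_tunnel: bool = False          # source originates from a site-to-site tunnel
    dst_via_tunnel: bool = False           # destination is routed through a site-to-site tunnel
    to_local_service: bool = False         # terminates on the gateway itself (mail gw, DNS, DHCP)
    dst_is_broadcast: bool = False         # directed broadcast (needs the subnet, hence a flag)
    policy: Optional[str] = None           # "source" | "destination" from the advanced rule setting


def counted_ip(f: Flow) -> Optional[str]:
    """Return the address counted as protected for this flow, or None if nothing is counted."""
    if f.action.lower() in ("block", "deny"):
        return None
    if f.to_local_service:
        return None
    if f.dst_is_broadcast or f.dst == "255.255.255.255" or ip_address(f.dst).is_multicast:
        return None
    if f.src_from_tunnel and f.dst_via_tunnel:
        return None                        # VPN relaying between two tunnels
    dst = f.translated_dst or f.dst        # Dst NAT / Map: the translated address is counted
    if f.policy == "source":               # explicit rule setting wins over the defaults
        return f.src
    if f.policy == "destination":
        return dst
    if f.dst_via_tunnel:                   # site-to-site: count the side outside the tunnel
        return f.src
    if f.src_from_tunnel:
        return dst
    # General case: the more trusted side is counted; equal weight counts the source.
    if TRUST_RANK[f.in_trust] <= TRUST_RANK[f.out_trust]:
        return f.src
    return dst


def protected_ips(flows):
    """Distinct counted addresses over a set of flows; this is what the capacity limits."""
    return {ip for ip in map(counted_ip, flows) if ip is not None}


def sample_flows():
    """Constructed traffic sample (not from the guide); expected counted address in comments."""
    return [
        Flow("10.1.1.5", "203.0.113.9", "internal", "untrusted"),          # 10.1.1.5
        Flow("203.0.113.9", "10.1.1.5", "untrusted", "internal"),          # 10.1.1.5 (reverse)
        Flow("203.0.113.77", "198.51.100.2", "untrusted", "dmz",
             translated_dst="172.16.0.10"),                                # 172.16.0.10 (DNAT)
        Flow("10.1.1.6", "224.0.0.251", "internal", "internal"),           # multicast: none
        Flow("10.1.1.7", "10.1.1.1", "internal", "internal",
             to_local_service=True),                                       # DNS on the box: none
        Flow("10.1.1.8", "192.0.2.4", "internal", "untrusted",
             action="block"),                                              # blocked: none
        Flow("10.8.0.2", "10.9.0.2", "unclassified", "unclassified",
             src_from_tunnel=True, dst_via_tunnel=True),                   # relaying: none
        Flow("10.1.1.9", "10.9.0.3", "internal", "unclassified",
             dst_via_tunnel=True),                                         # 10.1.1.9
    ]


if __name__ == "__main__":
    for flow in sample_flows():
        print(f"{flow.src:>14} -> {flow.dst:<14} counted: {counted_ip(flow)}")
    print("protected IPs:", sorted(protected_ips(sample_flows())))
```

Running the sample yields three protected addresses out of eight flows, which illustrates why the capacity number of a VF model is about distinct addresses on the trusted side, not about connections: the reverse direction of a flow counts the same address again, and blocked, multicast, relayed and gateway-local traffic does not consume capacity at all.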
(Figure: Example policy for site-to-site tunnels)

Client-to-Site VPN

Each client connected to a Client-to-Site VPN counts as one protected IP address.

SSL VPN

The number of protected IP addresses is taken from the client database and from configured resources such as the DMZ network. For more information, see SSL VPN. Counting is specified as follows:
- The source is counted as a protected IP address if the destination is routed via the tunnel.
- The destination is counted as a protected IP address if the source originates from the tunnel.
- If both apply, neither source nor destination is counted.

Specifying Counting Policies

When creating or configuring firewall rules, you can also specify IP address counting policies in the Advanced Access Rule Settings:
1. In the left navigation pane of the firewall rule editor window, click Advanced in the Views menu.
2. In the Miscellaneous section, select one of the following options from the Policy list:
   - Count Source IP – the source is chosen as the protected IP address if the rule explicitly requests it.
   - Count Destination IP – the destination is chosen as the protected IP address if the rule explicitly requests it.
   The source and destination are interchanged if the rule matches in the reverse direction.

How to Manually Install License Files

If automatic license retrieval is not possible, or you received the license files (*.lic) directly from Barracuda Networks Technical Support, install the licenses manually on your Barracuda NG Firewall or Barracuda NG Control Center.

Manual License Installation

Import your licenses from the .lic license files. The .lic files can also be in a zip archive.
1. Go to CONFIGURATION > Configuration Tree > Box > Box Licenses.
2. Click Lock.
3.
In the Licenses section, click + and select Import from Files or Import from zipped Archive.
4. Select your license files and click Open.
5. Click OK to close the Certificate View window.
6. Accept the End User License Agreement and click OK.
7. Click Send Changes and Activate.

Verify Installed Licenses

Open the CONTROL > Licenses page and verify that all licenses are installed successfully.

Administration

You can use services that already exist in your network, such as DNS, NTP, or SCEP servers, when deploying the Barracuda NG Firewall. The Barracuda NG Firewall supports multiple administrator accounts and can restrict access based on source IP address or network.

Administrators

An administrator account on a Barracuda NG Firewall contains multiple parameters that specify the permissions and restrictions for an administrator. Administrator rights are split into predefined administrative roles, which define which services an administrator is allowed to use and which operations the administrator may perform within those services. For more information, see Managing Access for Administrators.

Changing the Root Password and Management ACLs

The Management ACL specifies which IP addresses can access the system. In the system access configuration, you can also change the password for the root user. For more information, see How to Change the Root Password and Management ACL.

Administrative Session Time Limits

Session timeouts mitigate the security risk from authenticated, unsupervised connections to the NG Firewall by defining the time-out for idle administrative sessions. After a session has been terminated, the admin has to log in again. For more information, see How to Set Idle Administrative Session Time Limits.

DNS

Introduce either a network DNS server or a DNS server assigned by your ISP on the Barracuda NG Firewall.
When resolving DNS requests, the Barracuda NG Firewall can alter the response (DNS Interception) and redirect or block queries for specific domains using blacklists and whitelists. You can use the same namespace internally and externally, directing external clients to one IP address and internal clients to an internal path for the same hostname (Split DNS). DNS queries can be forwarded to, or cached from, the DNS server. For more information, see How to Configure DNS Settings and How to Configure DNS Interception.

NTP

You can define one or more NTP servers to act as the master clock for the Barracuda NG Firewall. The system time is synchronized via the Network Time Protocol (NTP). Time settings apply to all time-related services on the Barracuda NG Firewall and affect data accounting, logging, and event notifications. Correct time settings are also important for HA synchronization. For more information, see How to Configure Time Server (NTP) Settings.

Global HTTP Proxy Settings

To configure the Barracuda NG Firewall to connect to the Internet via a proxy server, specify global connection and authentication settings for your system. For more information, see How to Configure Global HTTP Proxy.

Email Notifications

Some services, such as the virus scanner, can send email notifications. You can configure the email address and the SMTP server used for email notifications. For more information, see How to Configure the System Email Notification Address.

SCEP

The Simple Certificate Enrollment Protocol (SCEP) supports secure certificate issuing. You can configure the NG Firewall to use a SCEP server for the certificates used in TINA or IPsec Site-to-Site VPN tunnels. For more information, see How to Configure SCEP Settings.
Managing Access for Administrators
On a standalone Barracuda NG Firewall system, the administrative concept offers different administrative roles with specific access rights and restrictions. Initially, every Barracuda NG Firewall is managed by the user root, who has unlimited access rights to the entire system when logged into the interface or serial console. The user root can grant system access to other administrators who, depending on the assigned user rights, are allowed or denied to perform certain operations on the Barracuda NG Firewall.

Admin Accounts
Create administrator accounts on your standalone Barracuda NG Firewall or for the box level of the Barracuda NG Control Center. Every administrative user is assigned one of the preconfigured admin roles. For more information, see How to Create a New Admin Account.

Authentication
Root and administrative users are authenticated either through a certificate containing an RSA key or through a password. A combination of password and key is also possible. For more information, see How to Create a New Admin Account and How to Configure Certificate Based Authentication for the Root User.

Default User Accounts
Every Barracuda NG Firewall has a root and a service user by default. The service user is used to grant limited console access to the NG Firewall for support purposes and is disabled by default. For more information, see How to Configure System Access for the Service User.

Serial Access
Management and terminal access to the Barracuda NG Firewall is possible via the serial interface COM1, either by using a terminal emulation program or when connected to a dial-in modem. For more information, see How to Enable System Access via Serial Console.
How to Create a New Admin Account
Admin profiles specify which configuration areas and tasks administrative users can access and change on a standalone Barracuda NG Firewall or on the box level of a Barracuda NG Control Center. Admin users can log into the system using the credentials specified in their profile and view or edit the services and settings defined in the administrative roles assigned to them.

In this article:
Administrative Roles
Create an Administrator Profile

Administrative Roles
Admin users can view or edit settings and services on the Barracuda NG Firewall according to their assigned roles. The following tables list the permissions and restrictions of each administrative role (Yes = permitted, No = denied). The first row of each table (Box menu) is the access right for the menu itself; the remaining rows are the individual operations.

Antivirus
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Box menu                             Yes      No        No    Yes       No     No
Update Pattern                       Yes      No        No    Yes       No     No
Disable/Enable Pattern Update        Yes      No        No    Yes       No     No

Config
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Box menu                             Yes      No        No    Yes       Yes    No
Create a DHA box                     Yes      No        No    No        No     No
Create a PAR file                    Yes      No        No    No        No     No
Create a repository                  Yes      No        No    No        No     No
Create a server                      Yes      No        No    No        No     No
Create a service                     Yes      No        No    No        No     No
Kill configuration sessions          Yes      No        No    No        No     No
HA synchronization                   Yes      No        No    Yes       No     No

Control
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Box menu                             Yes      Yes       No    Yes       No     No
Activate new network configuration   Yes      Yes       No    No        No     No
Block a server                       Yes      Yes       No    No        No     No
Block a service                      Yes      Yes       No    No        No     No
Time control                         Yes      No        No    No        No     No
Delete Wild Route                    Yes      Yes       No    No        No     No
Import license                       Yes      No        No    No        No     No
Kill sessions                        Yes      Yes       No    No        No     No
Firmware Restart                     Yes      Yes       No    No        No     No
Reboot/Shutdown Box                  Yes      Yes       No    No        No     No
Remove license                       Yes      No        No    No        No     No
Restart network configuration        Yes      Yes       No    No        No     No
Show license                         Yes      Yes       No    No        No     No
Start a server                       Yes      Yes       No    No        No     No
Stop a server                        Yes      Yes       No    No        No     No

DHCP
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Box menu                             Yes      Yes       No    No        No     No
GUI commands                         Yes      Yes       No    No        No     No

Events
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Box menu                             Yes      Yes       No    Yes       Yes    Yes
Confirm events                       Yes      Yes       No    No        No     Yes
Delete events                        Yes      No        No    No        No     Yes
Mark events as read                  Yes      Yes       No    No        No     Yes
Set events to silent                 Yes      Yes       No    No        No     Yes
Stop alarm                           Yes      Yes       No    No        No     Yes

Firewall
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Box menu                             Yes      Yes       No    Yes       Yes    No
Access to trace tab                  Yes      No        No    Yes       No     No
Remove entries from cache            Yes      No        No    Yes       No     No
Terminate connections                Yes      Yes       No    Yes       No     No
Create dynamic rules                 Yes      Yes       No    Yes       No     No
Kill a process                       Yes      Yes       No    Yes       No     No
Modify connections                   Yes      Yes       No    Yes       No     No
Modify traces                        Yes      No        No    Yes       No     No
Toggle traces                        Yes      No        No    Yes       No     No
View rules                           Yes      No        No    Yes       No     No

Logs
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Box menu                             Yes      No        No    Yes       Yes    Yes
Delete resource logs (box_)          Yes      No        No    No        No     Yes
Delete service logs                  Yes      No        No    No        No     Yes
Read resource logs (box_)            Yes      No        No    Yes       Yes    Yes
Read service logs                    Yes      No        No    Yes       Yes    Yes

Mail
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Box menu                             Yes      No        Yes   No        Yes    No
GUI commands                         Yes      No        Yes   No        No     No
View Stripped Attachments            Yes      No        Yes   No        Yes    No
Retrieve Stripped Attachments        Yes      No        Yes   No        No     No
Delete Stripped Attachments          Yes      No        Yes   No        No     No

Access Control Service
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Enable Commands                      Yes      No        No    Yes       No     No
Block Sync                           Yes      No        No    Yes       No     No

SSL-Proxy
Software Item                        Manager  Operator  Mail  Security  Audit  Cleanup
Access Cache Management              Yes      No        No    Yes       No     No
Ticket Management                    Yes      No        No    Yes       No     No
Cert Authorities Management          Yes      No        No    Yes       No     No
XML Services Management              Yes      No        No    Yes       No     No

Create an Administrator Profile
1. Go to CONFIGURATION > Configuration Tree > Box > Administrators.
2. Click Lock.
3. In the Administrators section, click + to add an administrator account.
4. Enter a unique Name for the account and click OK. The Administrators window opens.
   Do NOT use the following names because they are reserved by the system: master, ha, root, bin, adm, daemon, lp, system, sync, shutdown, halt, mail, operator, nobody, support, uucp.
5. Enter the Full Name of the administrator or a description for the account.
6. In the Assigned Roles table, add the appropriate administrative roles for the user.
   For a description of roles, see the Administrative Roles section.
7. If you wish to grant permission for shell level access, select an option from the System Level Access list. You can select:
   No OS Login – Shell access is denied.
   Standard OS Login – Allows access on the OS layer via a default user account (home directory: user/phion/home/username).
   Restricted OS Login – Permits access via a restricted shell (rbash) with its limitations (e.g., commands containing slashes cannot be specified, directories cannot be changed with cd, …). A restricted login confines any saving action to the user's home directory.
8. Select the Authentication Level that is required to access the system.
9. If external authentication is required, select the corresponding method from the External Authentication field.
10. When using a password, select the corresponding scheme from the Password Validation list.
11. Enter the External Login Name for the authentication scheme if it is different from the admin account name.
12. Enter the password for the Barracuda NG Admin login. When creating an account, the new password must be entered in both the Current and New fields, even though the password has not yet been created. The password must be confirmed by re-entering it in the Confirm field.
13. Import the Public RSA Key if required.
14. If required, use the Peer IP Restriction table to restrict access to the IP addresses and/or subnets on which Barracuda NG Admin runs.
15. From the Login Event list, select how a login is recorded. You can select:
   Service Default (default) – Refers to the settings made within the Barracuda NG Control Center Access Notification (see How to Configure Access Notifications).
   Silent – Suppresses any event notification.
16. Click Send Changes and Activate.
Your admin user can now log into the Barracuda NG Firewall or Barracuda NG Control Center box and view or edit the services according to their assigned roles.
How to Configure Certificate Based Authentication for the Root User
Login and authentication of the administrative user root on a Barracuda NG Firewall use a two-factor authentication mechanism. The authenticity of the admin workstation is verified using a (preferably encrypted) certificate. In addition, the administrator has to authenticate with a personal password. When creating new administrator profiles, Barracuda Networks recommends using certificates/keys instead of passwords whenever possible, because public-key authentication avoids exchanging security-relevant information during authentication. Certificates in PEM format cannot be used on Barracuda NG Firewall systems.

In this article:
Creating and Importing Certificates
Configure Certificate Based Authentication

Creating and Importing Certificates
Create a certificate on the Barracuda NG Firewall using Barracuda NG Admin:
1. Open the OPTIONS tab in the top left corner of the screen and select Settings.
2. Expand the Certificates and Private Keys section.
3. Click Create New Certificate/Key.
4. Fill in the certificate details (e.g., Country, State, Name, Expiring date) and click OK.
The certificate is generated using the Microsoft Strong Cryptographic Provider v1.0 and can be imported from the Microsoft Certificate Management Store. It is displayed in the certificates list and provides key information in the Hash and Public Key columns.

Configure Certificate Based Authentication
To configure certificate authentication for the root user, import the root public RSA key. If a key for automated SSH login is required, add it to the authorized root keys.
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. From the Configuration Mode menu, select Switch to Advanced View.
3. In the left navigation pane, click Advanced System Access.
4. Click Lock.
5. Select the Authentication Mode for system access.
6. Import the Root Public RSA Key for the root user.
7. In the Authorized Root Keys field, enter the public keys that are assigned to your root user in OpenSSH format, one key per line.
8. Click Send Changes and Activate.

How to Configure System Access for the Service User
In some cases, you need to provide console access to an unprivileged administrator. The service user is disabled by default, as long as the license is valid or within the grace period. The service user is displayed as user phion when logged in.

Configure System Access for the Service User
Enable and set a password for the service user.
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click System Access.
3. From the Configuration Mode menu, select Switch to Advanced View.
4. Click Lock.
5. In the Service Password section, enter the password for the service user.
6. Uncheck the Disable Service User checkbox. As long as the service user is enabled, it is possible to log into the console of your Barracuda NG Firewall with the following credentials: phion / service user password.
7. Click Send Changes and Activate.

How to Enable System Access via Serial Console
You can configure several access types for the serial console of your Barracuda NG Firewall. Access via serial console is enabled for 'console only' by default. The following access types are available:
ConsoleOnly (COM1) – Enables system access using a terminal emulation program such as hyperterm via the serial interface COM1 (terminal emulation: ansi; baud rate: 19200).
Management Only – Enables system access with the Barracuda NG Admin application via COM1. The default Mgmt Baud Rate setting is 57600.
Console (COM1) And Management – Enables serial and management access. The default Mgmt COM Port setting is COM1. The default Mgmt Baud Rate setting is 57600.
DialinModem – Enables console access via a 56k dial-in modem.

Configure Serial Console Access
To enable system access via serial console:
1. Go to the CONFIGURATION > Configuration Tree > Box > Administrative Settings page.
2. In the left menu, click System Access.
3. Click Lock.
4. Enable Serial Access if you want to provide console access.
5. To edit serial access settings, click Edit in the Serial Settings section.
6. Select the applicable access type from the Access Types list and adjust the settings if required. For example, enter the modem details in the Modem Init String field.
7. Click OK.
8. Click Send Changes and Activate.

How to Change Admin Credentials on Stand-alone NG Firewalls
In the NG Admin settings, you can configure the password and key for administrators of stand-alone NG Firewalls.

In this article:
Change Password for Non-Root Admins
Change Administrator Key for Non-Root Admins

Change Password for Non-Root Admins
Change the password used to authenticate when connecting to a stand-alone firewall.
1. In the top left of NG Admin, click OPTIONS and select Settings.
2. Expand Admin and CC Settings.
3. Click the list below the Admin and CC Settings and select Change Admin Credentials for Local Admin (Single Box).
4. Enter the management IP address as the Box IP Address.
5. In the Change Administrator Password section, enter:
   Login Name
   Old Password
   New Password and Confirm
6. Click Change Password.

Change Administrator Key for Non-Root Admins
Change the client certificate used to authenticate when connecting to a stand-alone firewall.
1. In the top left of NG Admin, click OPTIONS and select Settings.
2. Expand Admin and CC Settings.
3. Click the list below the Admin and CC Settings and select Change Admin Credentials for Local Admin (Single Box).
4. Enter the management IP address as the Box IP Address.
5. Change the Administrator Key: in the Change Administrator Key section, enter the Login Name and Password.
6. Click Import Public and upload the new certificate.
7. Click Change Admin Key.

How to Change the Root Password and Management ACL
Restricting access to the management interface of the Barracuda NG Firewall is important for network security. Barracuda Networks strongly recommends changing the root password after the first login. Use the management access control list to whitelist the IP addresses that are allowed to connect via NG Admin to the Barracuda NG Firewall or NG Control Center.

In this article:
Change the Root Password
Manage the Management Access Control List

Change the Root Password
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click System Access.
3. Click Lock.
4. In the Root Password section, enter the password for the root user. Passwords can consist of lowercase and uppercase characters, numbers, and non-alphanumeric symbols. Barracuda NG Admin rates the password strength according to the entered characters. For more information, see the NG Admin password strength policy in Configuration Pages - Access and Controls.
5. Click Send Changes and Activate.

Manage the Management Access Control List
Enter the IP addresses or networks for which access to the management IP on TCP ports 22 (secure shell) and 800-820 is granted. Access from all other addresses to these ports is denied. By default, access is allowed from an arbitrary address. Changing the ACL does not terminate active admin sessions.
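Because an ACL change leaves existing admin sessions open, it helps to see which of them the new list would no longer permit. The following Python is an added example, not code from the guide or from Barracuda: it models the ACL table for the management ports named above (TCP 22 and 800-820), classifies constructed connection records, and lists the source addresses of active sessions that have to be terminated by hand; treating an empty table as "allow from any address" is an assumption about how the default is represented.

```python
"""Management ACL check for the Barracuda NG management ports (TCP 22, 800-820).

Added example, not part of the guide: models the Access Control List from the
section above and shows which connections it permits and which already-open
sessions would have to be terminated by hand after the ACL is tightened.
"""
import ipaddress

# Ports the guide names as governed by the management ACL.
MGMT_PORTS = frozenset({22} | set(range(800, 821)))


def parse_acl(entries):
    """Turn the ACL table entries (single IPs or networks) into network objects.

    An empty table models the guide's default, where access is allowed from an
    arbitrary address (assumption about how that default is represented).
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def acl_allows(acl, src_ip):
    """True if src_ip may reach a management port under this ACL."""
    if not acl:
        return True  # default: arbitrary source addresses allowed
    address = ipaddress.ip_address(src_ip)
    return any(address in network for network in acl)


def classify_connections(acl, connections):
    """Split (src_ip, dst_port) tuples into allowed, denied and ungoverned.

    Ports outside 22/800-820 are not covered by the management ACL, so they
    are reported separately rather than as allowed or denied.
    """
    allowed, denied, ungoverned = [], [], []
    for src_ip, dst_port in connections:
        if dst_port not in MGMT_PORTS:
            ungoverned.append((src_ip, dst_port))
        elif acl_allows(acl, src_ip):
            allowed.append((src_ip, dst_port))
        else:
            denied.append((src_ip, dst_port))
    return allowed, denied, ungoverned


def sessions_to_terminate(new_acl, active_sessions):
    """Active admin sessions no longer permitted by a changed ACL.

    The guide notes that changing the ACL does not terminate active sessions;
    this returns the source addresses an administrator still has to end
    manually (FIREWALL > Sessions) to make the new ACL effective.
    """
    return sorted({src for src, port in active_sessions
                   if port in MGMT_PORTS and not acl_allows(new_acl, src)})


# Constructed sample data (not from the guide): an ACL allowing one admin
# network and one single host, plus a handful of connection records.
SAMPLE_ACL = parse_acl(["10.0.10.0/24", "192.0.2.7"])
SAMPLE_CONNECTIONS = [
    ("10.0.10.5", 22),      # SSH from the admin network
    ("192.0.2.7", 807),     # NG Admin from the whitelisted host
    ("203.0.113.9", 807),   # NG Admin from an unlisted address
    ("203.0.113.9", 443),   # not a management port, ACL does not apply
]
SAMPLE_ACTIVE_SESSIONS = [("10.0.10.5", 807), ("198.51.100.4", 801)]

if __name__ == "__main__":
    ok, blocked, other = classify_connections(SAMPLE_ACL, SAMPLE_CONNECTIONS)
    print("allowed:", ok)
    print("denied:", blocked)
    print("not governed by the management ACL:", other)
    print("sessions to terminate manually:",
          sessions_to_terminate(SAMPLE_ACL, SAMPLE_ACTIVE_SESSIONS))
```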
To enforce ACL changes, manually terminate active sessions on the FIREWALL > Sessions page.
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click System Access.
3. Click Lock.
4. In the Access Control List section, click + and add the IP addresses from which the Barracuda NG Firewall can be administered.
5. Click Send Changes and Activate.

How to Configure DNS Settings
The Barracuda NG Firewall can act as an authoritative DNS server, returning definitive answers to DNS queries about domain names installed in its configuration. With local DNS caching enabled, DNS queries are forwarded to or cached from the specified DNS servers, and DNS queries can be logged.

In this article:
Configure Basic DNS Settings
Configure Advanced DNS Settings
Configure Caching DNS Settings
Configure Slave DNS Settings

Configure Basic DNS Settings
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click DNS Settings.
3. From the Configuration Mode menu, select Switch to Advanced View.
4. Click Lock.
5. Enter the Box DNS Domain that the Barracuda NG Firewall belongs to.
6. In the DNS Server IP table, specify the IPv4 and/or IPv6 addresses of the DNS servers to be queried by the Barracuda NG Firewall.
7. Click Send Changes and Activate.

Configure Advanced DNS Settings
1. From the Configuration Mode menu, select Switch to Advanced View.
2. Click Lock.
3. In the DNS Search Domains table, add the names of the domains that should automatically be appended to an alias name when performing a DNS query. Separate multiple domains with spaces.
4. When using multiple DNS servers:
   a. From the DNS Query Rotation list, select whether DNS queries should regularly rotate between the servers.
   b. Specify the DNS Query Timeout in seconds. When the timeout is exceeded, the next DNS server is queried.
5. To add local hosts:
   a. Click + in the Known Hosts section.
   b. Enter a Name for the local host and click OK.
   c. Enter the Host IP address.
   d. Enter the Fully Qualified Domain Name (FQDN), with dots as namespace delimiters.
   e. Add Aliases if applicable (no dots).
   f. Click OK.
6. Click Send Changes and Activate.
The names and IPv4 addresses of local hosts are added to the system's /etc/hosts file. By default, this file is consulted first for name resolution. It is useful to specify address/name pairs of locally known hosts for which no name resolution via DNS is available. Both the name and the aliases are used.

Configure Caching DNS Settings
Do not install both the Forwarding/Caching DNS (bdns) service and a running DNS service. The Forwarding/Caching DNS (bdns) configuration will collide with the DNS service.
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. From the Configuration Mode menu, select Switch to Advanced View.
3. In the left menu, click Caching DNS Service.
4. Click Lock.
5. From the Run Forwarding/Caching DNS list, activate the local caching/forwarding DNS service.
6. From the Run Slave DNS list, activate a local slave DNS service if applicable. Configure the settings as described in Configure Slave DNS Settings.
7. From the Query Source Address list, select which IP address to use as source address when querying the DNS or Master DNS servers. You can select one of the following options:
   Wildcard (default) – The IP address is selected dynamically according to the routing table.
   VIP – (For Barracuda NG Firewalls that are administered by a Barracuda NG Control Center) Uses the system’s Virtual Management IP address.
   MIP – Uses the system’s management IP address, which is the Main Box IP.
   Other – Select this check box to explicitly specify an IPv4 or IPv6 address.
8. In the DNS Query ACL table, add the single IPv4/IPv6 addresses or netmasks that can access the DNS service via an App Redirect firewall rule.
9. Enable Log DNS Queries to log every DNS query.
10. Click Send Changes and Activate.

Configure Slave DNS Settings
When activated, configure the local slave DNS service. The slave DNS service gets its slave zone configurations from the entries in the DNS Slave Zones table and the configuration files from the servers specified in the Default Master DNS table.
1. Add the Default Master DNS servers that the slave can query for zone files. You can enter a single DNS server or a list of DNS servers (IPv4).
2. In the DNS Slave Zones table, click + to add an entry for the slave zone.
3. Enter the fully qualified domain name of the zone in the Name field and click OK. The DNS Slave Zone window opens.
4. Specify the DNS Zone Type. You can select:
   Forward (default) – Provides IP addresses for known hostnames.
   Reverse – Provides hostnames for known IP addresses. Specify the network and netmask of the zone in the Reverse Lookup Net and Reverse Lookup Netmask fields.
   Both – Provides both. Specify the network and netmask of the zone in the Reverse Lookup Net and Reverse Lookup Netmask fields.
5. In the DNS Master IP table, add the DNS servers that the local slave DNS service queries for this zone. You can enter a single DNS server or a list of DNS servers (IPv4). If specified, this setting overrides the globally defined DNS Master IP address. If left empty, the field is ignored.
6. From the Transfer Source Address list, select which IPv4 address to use as source address when querying the master DNS servers. This IP address overrides the globally defined value. You can select:
   Wildcard (default) – The IP address is selected dynamically according to the routing table.
   Query-Source – Uses the IP address of the client that initiates the query.
   VIP – (For Barracuda NG Firewalls that are administered by a Barracuda NG Control Center) Uses the system’s virtual management IP address.
   MIP – Uses the system’s management IP address, which is the main box IP address.
   Other – Select this check box to explicitly specify an IPv4 or IPv6 address.
7. Click OK.
8. Click Send Changes and Activate.

How to Configure DNS Interception
With the DNS Interception feature, you can configure a policy to redirect or block queries for specific domains. You can also configure a whitelist to create exceptions for queries to subdomains of the intercepted domains. Whitelisting always takes precedence over the DNS Interception policies. Follow the instructions in this article to add domains to the DNS Interception whitelist and policy. The DNS Interception feature requires a running Caching DNS.

In this article:
DNS Interception Process
Add Domains to the Whitelist
Add Domains to the DNS Interception Policy

DNS Interception Process
The DNS Interception feature handles DNS requests as follows:
1. A host behind the Barracuda NG Firewall sends a DNS query to the DNS server.
2. If the DNS request is for a domain that is in the DNS Interception whitelist, the request is not intercepted by the Barracuda NG Firewall, even if it is listed in the DNS Interception policy.
3. If the DNS request is for a domain that is listed in the DNS Interception policy, the Barracuda NG Firewall intercepts the request. According to the policy settings, the Barracuda NG Firewall then answers the request with one of the following actions:
   Blackhole (NXDOMAIN reply) – Returns a non-existent domain message (NXDOMAIN) to the client, indicating that the requested hostname does not exist.
   No Data – Returns the information that, although the domain exists, there is no IP address (no data) assigned to it.
   Return Other Domain (CNAME) – Returns the hostname that is specified in the policy settings.
   Return IP Address – Returns the IP address that is specified in the policy settings.

Add Domains to the Whitelist
To add a domain to the DNS Interception whitelist:
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. From the left Configuration menu, select DNS Interception.
3. Click Lock.
4. In the DNS Interception Exceptions section, click the plus sign (+).
5. In the Whitelisted Domains window, enter the Matched Domain that must be allowed. For example, if you blocked the google domain but want to allow the Google mail service, enter mail.google.com.
6. Click OK.
7. Click Send Changes and Activate.

Add Domains to the DNS Interception Policy
To add a domain to the DNS Interception policy:
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. From the left Configuration pane, select DNS Interception.
3. Click Lock.
4. In the DNS Interception Policy section, click the plus sign (+).
5. In the Intercept Domains window, specify the following settings:
   Matched Domain – Enter the domain that must be intercepted. You can use the asterisk (*) or question mark (?) as wildcard characters. For example, if you want to intercept queries for the www.google.com domain, you can enter *.google.com or *.google.?om.
   Action – Select how the intercepted queries are answered. Depending on which action you select, you might also have to specify these settings:
   Returned IP – If you select the Return IP Address action, enter the IP address that is returned to the user.
   Returned Domain – If you select the Return Other Domain (CNAME) action, enter the domain that the queries are redirected to.
6. Click OK.
7. Click Send Changes and Activate.
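The interception process and the policy settings above can be modelled end to end. The Python below is an added example, not Barracuda's implementation: it checks the whitelist first (it always wins), matches policy entries with the * and ? wildcards, and maps each of the four actions to the answer the client receives. Assumptions not stated by the guide: whitelist entries match the queried name exactly (case-insensitive), policy entries are evaluated in table order with the first match winning, and a Returned IP is answered as an A or AAAA record depending on its address family.

```python
"""DNS Interception decision logic, as an added example (not the guide's code).

Models the process described above: the whitelist is checked first and always
wins, then the policy entries are matched with the '*' and '?' wildcards, and
the matching entry's action determines the answer. Assumptions: whitelist
entries match the queried name exactly (case-insensitive), policy entries are
tried in table order and the first match wins.
"""
import ipaddress
import re

# Action names as they appear in the Intercept Domains window.
BLACKHOLE = "Blackhole (NXDOMAIN reply)"
NO_DATA = "No Data"
RETURN_CNAME = "Return Other Domain (CNAME)"
RETURN_IP = "Return IP Address"


def normalize(name):
    """Lower-case a DNS name and strip the trailing dot of an absolute name."""
    return name.rstrip(".").lower()


def wildcard_to_regex(pattern):
    """'*' matches any run of characters, '?' exactly one (e.g. *.google.?om)."""
    escaped = re.escape(normalize(pattern))
    escaped = escaped.replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{escaped}$")


class DnsInterception:
    def __init__(self, whitelist, policy):
        self.whitelist = {normalize(d) for d in whitelist}
        # policy entries: {"match": <Matched Domain>, "action": ..., "value": ...}
        self.policy = [(wildcard_to_regex(p["match"]), p["action"], p.get("value"))
                       for p in policy]
        for _, action, value in self.policy:
            if action == RETURN_IP:
                ipaddress.ip_address(value)  # fail early on a bad Returned IP

    def answer(self, qname):
        """Return (rcode_or_rrtype, rdata, reason) for a query name.

        FORWARD means the query is not intercepted and goes to the caching DNS.
        """
        name = normalize(qname)
        if name in self.whitelist:
            return ("FORWARD", None, "whitelisted")
        for regex, action, value in self.policy:
            if not regex.match(name):
                continue
            if action == BLACKHOLE:
                return ("NXDOMAIN", None, "policy: blackhole")
            if action == NO_DATA:
                return ("NOERROR/NODATA", None, "policy: no data")
            if action == RETURN_CNAME:
                return ("CNAME", normalize(value), "policy: other domain")
            if action == RETURN_IP:
                rrtype = "AAAA" if ipaddress.ip_address(value).version == 6 else "A"
                return (rrtype, value, "policy: fixed address")
            raise ValueError(f"unknown action {action!r}")
        return ("FORWARD", None, "no policy match")


# Constructed sample configuration built around the guide's google.com example;
# the other names and addresses are made up for this example.
SAMPLE = DnsInterception(
    whitelist=["mail.google.com"],
    policy=[
        {"match": "*.google.?om", "action": RETURN_CNAME, "value": "portal.example.test"},
        {"match": "ads.example.net", "action": BLACKHOLE},
        {"match": "tracker.example.net", "action": NO_DATA},
        {"match": "*.internal.example.test", "action": RETURN_IP, "value": "10.0.10.1"},
    ],
)

if __name__ == "__main__":
    for q in ["www.google.com", "mail.google.com", "ads.example.net.",
              "tracker.example.net", "wiki.internal.example.test", "example.org"]:
        print(f"{q:30} -> {SAMPLE.answer(q)}")
```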
How to Configure Time Server (NTP) Settings
Precise timekeeping is very important for the Barracuda NG Firewall and NG Control Center. HA synchronization, data accounting, NG Control Center configuration updates, logging, event notification, and other time-based services rely on a correct system time. The NTP daemon listens on port UDP/123 of the management IP address and, if remotely managed, the VIP address of the NG Firewall. The Barracuda NG Firewall supports two methods to synchronize the time:
NTP Servers – The Barracuda NG Firewall acts as a client and sets its time according to the time retrieved from the NTP server. You can use multiple NTP servers. The time deviation between the NTP server and the Barracuda NG Firewall must be less than 1000 seconds for the synchronization to succeed. To continuously synchronize the time with an NTP server, you must enable the NTP daemon on the NG Firewall. If multiple time servers are used, the time server with the lower stratum value is preferred.
NTP Peers – To keep the time in your network synchronized when the NTP servers are unavailable, use two-way NTP peer synchronization. NTP peers converge toward a median time in multiple steps. No synchronization step can exceed two minutes, so two systems might take some time to synchronize. You can use MD5, SHA, SHA1, Ripe-MD160 and autokey authentication.
When you run the NTPd, your system becomes vulnerable to NTP exploits and UDP-based DoS attacks. Never use untrusted reference time servers or run a time server in a hostile environment.

In this article:
Step 1. Configure Time Settings
Step 2. Configure the Time Server
Step 3. (optional) Configure NTP Peers
Event Processing
NTP Troubleshooting

Step 1. Configure Time Settings
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click Time Settings / NTP.
3. Click Lock.
4. Select your Timezone in the form country/city. You can use Etc/GMT time, or UTC. Etc/GMT times do not support daylight saving time (DST). When using a Barracuda NG Control Center for multiple systems in different time zones, consider using UTC for all your systems.
5. Enable Set HW Clock to UTC to protect your system against unexpected time lapses caused by daylight saving time (DST).
6. Click Send Changes and Activate.

Step 2. Configure the Time Server
Configure the NTP servers you are using to set and synchronize the time for your Barracuda NG Firewall. NTP servers must be reachable from the management IP address of the NG Firewall or NG Control Center.
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click Time Settings / NTP.
3. Click Lock.
4. Enable NTP sync on Startup to synchronize with an NTP server via ntpdate when starting. (You can also run an NTP daemon on the system for continuous time synchronization.)
5. In the Time Server IP table, add the IP addresses of the NTP time server(s). A remote, managed NG Firewall can be used as an NTP server by entering its VIP address.
6. Enable Start NTPd to synchronize the NTP daemon with the NTP time server(s).
7. Set the Local Clock Stratum value for the NTPd. If you are configuring an NG Control Center, make sure to use a stratum value lower than the default stratum (10) of the NG Firewall.
8. (optional) In Event on NTPd, select the events that you want to be notified about (Event-IDs 2070-2073):
   start-failure (default)
   +stop-failure
   ++start-success
   +++stop-success
   The list is additive. Events further down the list automatically include all the events listed before them.
9. Click Send Changes and Activate.

Step 3. (optional) Configure NTP Peers
Configure the NTP peers in your network. NTP peers should be on the same stratum. To authenticate NTP peers, you can choose between passphrase/MD5 and NTP autokey authentication. NTP peers must be reachable from the management IP address of the NG Firewall.
1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, click Time Settings / NTP.
3. Click Lock.
4. In the Time Peers section, click + to add your NTP peers. The Time Peers window opens.
5. Specify the following settings for each peer:
   Peer IP Address – Enter the IP address for the NTP peer.
   Peer Authentication Type – Select None, MD5, SHA, SHA1, Ripe-MD160 or Autokey authentication.
   (MD5, SHA, SHA1, RipeMD160 authentication only) Peer Authentication ID – Enter a number between 0 and 1000000. You must use the same Peer Authentication ID on all peers.
   (MD5, SHA, SHA1, RipeMD160 authentication only) Peer Authentication – Enter the NTP peer authentication string.
   (Autokey authentication only) Peer Host Name – Enter the FQDN for the trusted NTP peer.
   (Autokey authentication only) Trusted Public Key – Import the public key for the NTP peer.
6. Click OK.
7. If you are using NTP autokey authentication, click Set next to NTP Autokey Configuration. The NTP Autokey Configuration window opens.
   a. Enter the NTP Key Password, which is used to encrypt the private key.
   b. Click Create New NTP Key.
   c. Click OK. The NTP certificate is created.
   d. Click Ex/Import and select Export to File. Use the public key to authenticate to other NTP peers.
8. Click Send Changes and Activate.

Event Processing
The event setting only pertains to NTPd behavior during controlled start or stop sequences. You will not be notified when NTPd is killed manually or dies unexpectedly. Events are also triggered when the NTPd is restarted on the Box page with the following options:
Restart NTP – The control daemon restarts the NTPd.
Sync – Starts the synchronization process with the ctrltime script, which stops the NTPd and then executes ntpdate on port 123.
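The server and peer set-up configured in Steps 2 and 3 can be verified from the `ntpq -p` table the troubleshooting section below refers to. The Python below is an added example, not code from the guide: it parses that table and checks the properties the configuration relies on (exactly one server selected as system peer, peers on the same stratum, no unreachable association, offset below the 1000-second limit named above). The `ntpq -p` output it reads is constructed to match the described case of one server (10.0.10.44) and three peers; it is not real output, and the stratum and offset values are made up.

```python
"""Parse `ntpq -p` output and check the association state (added example).

Not code from the guide: it reads the table that the NTP Troubleshooting
section tells you to look at and checks the properties the configuration
steps rely on (one selected server, peers on one stratum, offset below the
1000-second limit). The sample output is constructed for the case described
there, one server (10.0.10.44) and three peers; it is not real output.
"""
from dataclasses import dataclass

SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.10.44      192.0.2.10       2 u   41   64  377    0.412   -0.183   0.045
+10.0.10.45      10.0.10.44       3 s   12   64  377    0.120    0.901   0.110
+10.0.10.46      10.0.10.44       3 s   30   64  377    0.133   -1.250   0.200
 10.0.10.47      .INIT.          16 s    -   64    0    0.000    0.000   0.000
"""

# Tally codes in the first column of ntpq -p output.
SYS_PEER, CANDIDATE = "*", "+"


@dataclass
class Association:
    tally: str
    remote: str
    refid: str
    stratum: int
    kind: str          # 'u' unicast server, 's' symmetric (peer)
    reach: int         # 8-bit reachability register, printed in octal
    offset_ms: float


def parse_ntpq(output):
    """Parse the body rows of `ntpq -p`; header and separator are skipped."""
    assocs = []
    for line in output.splitlines()[2:]:
        if not line.strip():
            continue
        fields = line[1:].split()  # column 0 is the tally character
        assocs.append(Association(
            tally=line[0], remote=fields[0], refid=fields[1],
            stratum=int(fields[2]), kind=fields[3],
            reach=int(fields[6], 8), offset_ms=float(fields[8])))
    return assocs


def check_associations(assocs, max_offset_s=1000.0):
    """Return a list of findings; an empty list means the state looks healthy."""
    findings = []
    selected = [a for a in assocs if a.tally == SYS_PEER]
    if len(selected) != 1:
        findings.append(f"expected exactly one selected system peer, found {len(selected)}")
    for a in assocs:
        if a.reach == 0 or a.stratum == 16:
            findings.append(f"{a.remote} is unreachable or not synchronized (refid {a.refid})")
        if abs(a.offset_ms) / 1000.0 >= max_offset_s:
            findings.append(f"{a.remote} offset {a.offset_ms} ms exceeds the {max_offset_s:.0f} s limit")
    # Peers should share a stratum; ignore stratum 16 (unsynchronized).
    peer_strata = {a.stratum for a in assocs if a.kind == "s" and a.stratum < 16}
    if len(peer_strata) > 1:
        findings.append(f"NTP peers are on different strata: {sorted(peer_strata)}")
    return findings


def selected_server(assocs):
    """Remote address of the association currently used as system peer, or None."""
    for a in assocs:
        if a.tally == SYS_PEER:
            return a.remote
    return None


if __name__ == "__main__":
    parsed = parse_ntpq(SAMPLE_NTPQ_OUTPUT)
    print("system peer:", selected_server(parsed))
    for finding in check_associations(parsed) or ["no findings"]:
        print("-", finding)
```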
NTP Troubleshooting
On the command line, enter:
ntpq -p
to check which NTP servers and peers your Barracuda NG Firewall is using. See below for an example of an NG Firewall using one NTP server (10.0.10.44) and three NTP peers. For more information, see http://ntp.org

How to Set Idle Administrative Session Time Limits
Limit the length of idle administrative sessions by specifying the login password and session timeout behavior of the Barracuda NG Firewall. After the initial login with password, certificate, smartcard, or eToken, a session password is dynamically created and used for subsequent access. The session timeout sets the time until the session password is discarded and the user must log in again.

Configure Session Limits
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Control.
2. In the left menu, select Administrative Sessions.
3. Click Lock.
4. In the NG Admin Max. Idle field, specify the maximum number of minutes that a Barracuda NG Admin session can be idle before it is closed (default: 60). After the session is closed, you must log back in.
5. In the NG Admin Max. Idle field, specify the maximum number of minutes that a Barracuda NextGen Admin session can be idle before it is closed. After the session is closed, you must log back in.
6. In the Console Max. Idle field, specify the maximum number of minutes that a shell/SSH session can be idle before it is closed.
7. (optional) To use session passwords, set Disable Session Passwords to yes. This will generate a session password after successful authentication. Recommended for smartcard or eToken authentication.
8. Click Send Changes and Activate.

How to Configure Global HTTP Proxy
Configure the global HTTP proxy settings for the Barracuda NG Firewall.
Select the unit's Internet connection and specify the connection details and authentication settings.

Configure HTTP Proxy Settings

1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. Click Lock.
3. In the left navigation pane, select HTTP Proxy.
4. Select the Internet Connection Type for the system. If you are using a proxy server to connect, select HTTP/S. Only select Direct Access if the system is directly connected to the Internet.
5. Enter the IP address of your proxy server and specify the listening port for the proxy.
6. In the Proxy User and Password sections, enter the HTTP/S proxy user credentials for proxy authentication.
7. In the Proxy User Domain field, enter the domain for the HTTP proxy user.
8. To join a domain, go to the Control > Box page. From the Domain Control menu in the left navigation pane, click Register Proxy at Domain.
   Note: Not all services use NTLM or MS-CHAPv2 authentication.
9. Click Send Changes and Activate.

How to Configure the System Email Notification Address

Some services on the F-Series Firewall can be configured to send email notifications. The configured email address is used as both the recipient (To) and the sender (From) address in the notification emails.

Services using system email notifications:
   Advanced Threat Detection (ATD)

Configure Email Notification

1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. Click Lock.
3. In the left navigation, select Email Notifications.
4. In the Email Address section, enter the address where all email notifications should be sent to.
5. In the SMTP Server field, enter the hostname or IP address of the SMTP server that should be used when sending email notifications.
6. Click Send Changes and Activate.

All services that are configured to send notifications will now send emails to the specified address if required.
How to Configure SCEP Settings

SCEP (Simple Certificate Enrollment Protocol) supports the secure issuing of certificates to network devices in a scalable manner, using existing technology whenever possible. After configuring SCEP on the Barracuda NG Firewall, you can configure TINA and IPsec VPN tunnels to use SCEP with X.509 certificates.

The SCEP protocol supports the following operations:
   CA and RA public key distribution
   Certificate enrollment
   Certificate query
   CRL query

For more information about the SCEP protocol, see http://tools.ietf.org/html/draft-nourse-scep-17.

In this article:
   Before you Begin
   Configure SCEP
   Configure VPN Tunnels with SCEP

Before you Begin

When sending SCEP requests to a DNS hostname instead of a server IP address, verify that the DNS resolver of the gateway has been configured and is able to resolve it.

Configure SCEP

Connect the SCEP server to the Barracuda NG Firewall and configure the settings for your certificate requests.

Step 1. Configure SCEP Server Settings

1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
2. In the left menu, expand Configuration Mode and click Switch to Advanced.
3. In the left menu, click SCEP.
4. Click Lock.
5. Enable SCEP.
6. Next to SCEP Settings, click Set/Edit. The SCEP Settings window opens.
7. In the SCEP Server IP or Hostname field, enter the IP address or hostname of the SCEP server where the SCEP requests will be sent to.
8. In the SCEP URL path field, enter the complete URL path of the SCEP server destination.
9. To configure HTTP Authentication for the SCEP server, click Set or Edit. The SCEP HTTP Server Authentication window opens.
10. Specify the Authentication Type. You can select:
   None – Only a password is used. Enter a Password.
   Basic-Authentication – No external authentication, only username and password. Enter Username and Password.
   NTLM-Authentication – NTLM authentication is used.
      a. Enter Username and Password.
      b. Set the Domain where the user is located.
11. Click OK.

Step 2. Configure X509 Request Settings

1. Specify the Common Name (CN) of the certificate (default: $BOXNAME). This value will be replaced with the real hostname of the box when the request is created.
2. In the Alternative Name field, specify the alternative name of the certificate (default: IP:$BOXIP). This value will be replaced with the real IP address of the box when the request is created.
3. Add any applicable information to the certificate request fields. The X509 Key Usage table defines specific key usage. Leave blank for general purpose key usage. Key pairs may be intended for particular purposes, such as encryption only, or signing only. The usage of any associated certificate can be restricted by adding key usage and extended key usage attributes to the PKCS#10 request.
4. Specify the SCEP Password Policy. You can select:
   No-Password – No challenge password will be included in the certificate request.
   Password-from-Configuration – The challenge password is statically configured on the Barracuda NG Control Center and will be included in the certificate request. Enter the static challenge SCEP Password.
   Enter-Password-at-Box – The challenge password will be prompted for at the box when the certificate request is created.
   Get-Password-From-Website – The challenge password is fetched from a website (typically the CA itself).
      a. In the SCEP Password URL Path field, enter the search path required when requesting the password from the CA website.
      b. In the SCEP Password Search Pattern field, enter the text to search for when requesting the password from the CA website.
5. Click OK.

Step 3. Configure Connection Details

Use the system's HTTP proxy settings or configure an explicit proxy connection.

1. From the Proxy Settings list, select whether to use the system settings or define explicit settings.
2. When using an explicit proxy, click Set/Edit. The SCEP HTTP Proxy Settings window opens.
   a. Enter the Proxy IP Address of the proxy server.
   b. In the Proxy Port Number field, enter the TCP port number on which the proxy server listens for requests (default: 3128).
   c. Select the Proxy Authentication Type used at the proxy server and fill in the credentials required for authentication.
3. Click OK.
4. Import the SCEP HTTPS client key and certificate.

Step 4. Configure Encoding Parameters

Specify the format in which the transaction ID field should be sent to the SCEP server and specify encryption settings.

1. From the Transaction ID Encoding list, specify the format for the transaction ID field:
   Binary – The transaction ID field is sent in a binary format.
   Text – The transaction ID field is sent in base64 encoded text format.
   Some SCEP servers support both binary and text format for the transaction ID. When experiencing problems with the binary format, switching to text format might help.
2. From the PKCS7 Cipher list, select the encoding cipher for use when communicating with the CA, according to the CA settings.
3. From the PKCS7 Hash list, select the hashing method for use when communicating with the CA, according to the CA settings.
4. Enable PKCS7 Replay Protection to protect your system from replay attacks.
5. From the Select Encryption Certificate list, select the certificate encryption method.
6. Click Send Changes and Activate.

SCEP is now configured. Unless the SCEP password policy was set to Enter-Password-at-Box, no further intervention is required for successful operation. However, Barracuda NG Admin offers options to interact with the SCEP subsystem in order to display SCEP status, re-initiate pending requests, force SCEP update or retry, and set the SCEP password.
The SCEP status and control menus are available on the CONTROL > Box page under the SCEP Control menu, when connected to the Barracuda NG Firewall unit. The files held by the SCEP subsystem are stored in the /opt/phion/certs/scep-* directory on the box.

Configure VPN Tunnels with SCEP

Configure your TINA and IPsec VPN tunnels to use SCEP with X.509 certificates. Import the root certificate and configure your VPN tunnel to accept SCEP as an identification type. For general information about configuring VPN tunnels with the GTI editor, see How to Create a VPN Tunnel with the VPN GTI Editor.

Step 1. Import the Certificate

1. Open the VPN GTI Editor page for your range or cluster.
2. Click Lock.
3. Click the Root Certificates tab.
4. Right-click the table and select Import PEM from File.
5. Import the root certificate used by the CA for signing the SCEP certificates.

Just like any other VPN tunnel setting, the SCEP authentication method can be specified at the GTI level, the GTI group level, or individually per tunnel.

Step 2. Configure the VPN Tunnel

To configure your VPN tunnel to accept SCEP as an identification type:
1. Click the TINA or IPSec tab.
2. From the Accept Identification Type list, select Box SCEP Certificate (CA signed).
3. Click OK.
4. Click Send Changes and Activate.

Authentication

Beyond its powerful network firewall and VPN technologies, the Barracuda NG Firewall provides seamless integration with all authentication methods (e.g., Active Directory, RADIUS, LDAP/s, etc.) to facilitate policy configuration based on the actual user and group information and not just IP addresses. User visibility and control is a significant factor for handling network traffic and creating policies.
If you do not have an external authentication server available, you can create and maintain a list of local users and groups on the Barracuda NG Firewall. The Barracuda NG Firewall can also use the Barracuda DC Agents on the MSAD server and the Barracuda Terminal Server Agents on the Microsoft Terminal server to provide fully transparent user authentication.

You can use local and external authentication for the following services and features:
   Forwarding Firewall and Firewall Authentication
   HTTP Proxy
   URL Filter
   VPN Service (C2S VPN and SSL VPN)
   Access Control Service
   FTP Gateway
   SSH Proxy
   Mail Gateway
   Administrator Accounts

External Authentication

By integrating the Barracuda NG Firewall with your authentication server, you can configure policies that apply to specific users and groups. The Barracuda NG Firewall lets you configure a range of external authentication schemes, such as:
   Microsoft Active Directory (MSAD)
   Barracuda DC Agent
   MS-CHAP
   Lightweight Directory Access Protocol (LDAP)
   Remote Access Dial In User Service (RADIUS)
   Terminal Access Controller Access Control System (TACACS+)
   RSA-ACE SecurID
   MSNT
   Barracuda Web Filter Authentication
   Barracuda Terminal Server Agent
   WiFi AP Authentication
   Online Certificate Status Protocol (OCSP)
   Kerberos

Local Authentication

If no external authentication service is available, NGF Local Authentication locally manages users and groups on your Barracuda NG Firewall. For more information, see How to Configure NGF Local Authentication.

How to Configure MSAD Authentication

Microsoft Active Directory (MSAD) is a directory service that allows authentication and authorization of network users. On the Barracuda NG Firewall you can configure MSAD as an external authentication scheme. MSAD is included with all Windows Server operating systems since Windows 2000 Server.
For MSAD authentication, you can also configure the Barracuda DC Agent, which allows transparent authentication monitoring with the Barracuda NG Firewall and Microsoft® domain controllers.

In this article:
   Before you Begin
   Configure MSAD Authentication
   MSAD Authentication through the Remote Management Tunnel

Before you Begin

If MSAD is running in native mode on a Windows 2003 Server domain, you must deactivate Kerberos pre-authentication for each user.

To use services such as FTP, URL Filter, VPN, or Firewall Authentication and Guest Access, you might need to gather group information. The distinguished name (DN) containing the group information is needed for external authentication using MSAD and LDAP (see also How to Configure LDAP Authentication).

To gather group information from MSAD:
1. Go to My Network Places > Search Active Directory.
2. Select the searching domain.
3. Enter the name of the user you are searching for and click Find Now.
4. After you have found the user, add the X500 Distinguished Name column: select View > Choose columns, select X500 Distinguished Name, and click Add. The DN is displayed in the search results.

Configure MSAD Authentication

1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select MSAD Authentication.
3. Click Lock.
4. Enable MS Active Directory as external directory service.
5. In the Basic table, add an entry for the domain controller.
6. Enter the name and IP address of the primary domain controller, without the domain suffix. The name must be DNS-resolvable. The IP address is optional. If given, the IP address is used instead of the hostname.
7. In the Active directory searching user / password fields, enter the Distinguished Name (DN) and password of a user with permission to search the Active Directory and to view group information. For example: CN=search,OU=development,DC=domain,DC=local
8. In the Base DN field, specify where to search for user information. Define the Base DN as specifically as possible in order to increase the speed of the lookup and avoid timeouts. If you enter only the domain in this field (e.g., DC=xyz,DC=com), Active Directory may refuse the Base DN lookup. If possible, add an OU= entry to your Base DN.
9. When using NTLM authentication, enable Use MSAD-groups with NTLM to periodically synchronize user groups from MSAD and let the Barracuda NG Firewall handle them offline.
10. When using MSAD-groups with NTLM, enable Cache MSAD-groups to reduce network traffic and load on the MSAD server.
11. To search additional LDAP attributes for mail addresses, enter a comma-separated list of LDAP attributes in the Additional Mail Fields field. Specify a comma-separated list of meta-directory field names that should also be searched for a mail address. Only LDAP attributes are allowed, no spaces and no GUI description fields. If you are not sure, use an LDAP browser. All additional fields are searched via a pattern search (prepended * and appended *).
12. Select Use SSL to establish the connection to the LDAP directory using SSL.
13. Select Follow referrals to search the MSAD global catalog and follow LDAP referrals.
14. Click OK.
15. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
16. In the Group Filter Patterns table, you can add patterns to filter group information from the directory service. Example:
   Group Filter Pattern: *SSL*
   User01: CN=foo, OU=bar, DC=foo-bar, DC=foo
   User02: CN=SSL VPN, DC=foo-bar, DC=foo
   In this example, User01 does not have the *SSL* pattern in its group membership string and will not match in group-based limitations.
17. Click OK.
18. Click Send Changes and Activate.
MSAD Authentication through the Remote Management Tunnel

To allow remote NG Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT host firewall rule. By default, this rule is disabled.

How to Configure MS-CHAP Authentication

Use the Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP V2) to authenticate VPN clients over L2TP/PPTP (mutual authentication between peers) or to authenticate HTTP Proxy users.

In this article:
   Before you Begin
   Connecting to Read Only Domain Controllers
   Step 1. Configure MS-CHAP Authentication
   Step 2. Add the Barracuda NG Firewall to a Windows Domain

Before you Begin

Before using MS-CHAP authentication, you must add the Barracuda NG Firewall to a Windows (NT4, 2000, or 2003) domain.

Connecting to Read Only Domain Controllers

In addition to adding the hostname for the Barracuda NG Firewall, you must verify that the password for the user account used in the Helper Scheme is cached on the read-only domain controller.

Step 1. Configure MS-CHAP Authentication

1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select MS-CHAP Authentication.
3. From the Configuration Mode menu on the left, select Switch to Advanced View.
4. Click Lock.
5. Enable MS CHAP as external directory service.
6. Choose the NTLM protocol version supported by your authentication service. When changing the protocol version, a restart of the authentication daemon (phibs) is necessary. Restart the service in CONTROL > Server > Service Status > box.
7. In the Domain Realm field, enter the name of the Windows domain that is queried by the authenticator.
8. If the NetBIOS domain name differs from the MS Active Directory domain name, specify the NetBIOS Domain Name. The NetBIOS domain name is important for user group synchronization. It is required for NTLM authentication and URL Filter configuration when user group filters apply. For more information, see How to Configure Web Filtering.
9. Enter the MS Active Directory Workgroup Name if the workgroup name is different from the MS Active Directory domain name (Domain Realm).
10. In the Domain Controller field, enter the IP address of the domain controller. If you also configured the MSAD authentication scheme with the Use MSAD-groups with NTLM setting enabled, the Barracuda NG Firewall must be able to resolve the DNS name of the domain controller. (This also applies to the WINS Server IP address.)
11. In the WINS Server field, enter the IP address of the domain's Windows Internet Name Service (WINS) server.
12. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list. For example, select MSAD if MS-CHAP is used for identity verification but group information must be queried from MSAD.
13. Click Send Changes and Activate.

Step 2. Add the Barracuda NG Firewall to a Windows Domain

1. Go to CONTROL > Box.
2. In the left navigation, expand Domain Control and click Register at Domain.

Verify that the Barracuda NG Firewall is joined to the domain by clicking Show Registration Status in CONTROL > Box > Domain Control.

How to Configure LDAP Authentication

Lightweight Directory Access Protocol (LDAP) is used for storing and managing distributed information services in a network. LDAP is mainly used to provide single sign-on solutions. It follows the same X.500 directory structure as Microsoft Active Directory.
In this article:
   Before you Begin
   Configure LDAP Authentication
   LDAP Authentication through the Remote Management Tunnel

Before you Begin

To use services such as FTP, URL Filter, VPN, or Firewall Authentication and Guest Access, you may need to gather group information. The distinguished name (DN) containing the group information is needed for external authentication using LDAP. With an arbitrary LDAP browser, you can gather DNs for the LDAP authentication scheme. Open the LDAP browser and connect to your domain controller to retrieve the distinguished name.

Configure LDAP Authentication

To configure LDAP for external authentication with the Barracuda NG Firewall, complete the following steps:
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select LDAP Authentication.
3. Click Lock.
4. Enable LDAP as external directory service.
5. In the Basic table, add a new entry for each Base DN. You can configure the following settings:
   LDAP Base DN – Distinguished name for the user organizational unit.
   LDAP Server / Port – IP address and port of the LDAP server (default: port 389).
   LDAP User / Password Field – Name of the user identification and password attribute in the LDAP directory.
   Anonymous – If authentication is not required, set to Yes.
   LDAP Admin DN / Password – Name and password of the administrator who is authorized to perform LDAP queries.
   Group Attribute – Name of the attribute field on the LDAP server that contains group information. The attribute fields on the LDAP server are customizable. If you are unsure about the required field name, ask the LDAP server administrator to provide the correct information. Services that process group information (for example, URL Filter) require group attribute specification. If not set, they will not be able to match group conditions.
   Cache LDAP Groups – Enable caching for selected LDAP group objects to reduce network traffic and server load on the LDAP server. The local LDAP group cache contains the following objects: memberof attributes in person objects, memberUid in posixGroup objects (NIS or RFC2307 schema), and member attributes in groupOfNames objects.
   Offline sync (every min./hour) – Select how often the local LDAP group cache is refreshed.
   Additional Mail Fields – Allows definition of comma-separated additional fields to 'mail'.
   Use SSL – If the authenticator must use SSL for connections to the authentication server, select this checkbox.
   Logon to Authenticate – Select this checkbox if the authenticator must log directly into the LDAP server to verify user authentication data. When selected, the LDAP server does not expose user passwords. Instead, the server hides user passwords, even from administrators.
6. Click OK.
7. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
8. In the Group Filter Patterns table, you can add patterns to filter group information from the directory service. Example:
   Group Filter Pattern: *SSL*
   User01: CN=foo, OU=bar, DC=foo-bar, DC=foo
   User02: CN=SSL VPN, DC=foo-bar, DC=foo
   In this example, User01 does not have the *SSL* pattern in its group membership string and will not match in group-based limitations.
9. Click Send Changes and Activate.

LDAP Authentication through the Remote Management Tunnel

To allow remote NG Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT Host Firewall rule. By default, this rule is disabled.
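The Group Filter Patterns example appears twice above, in step 16 of the MSAD procedure and in step 8 of the LDAP procedure: a wildcard pattern such as *SSL* is applied to each group membership string, and a user whose groups contain no match fails group-based limitations. The following Python is an added example, not code from the guide or from the firewall's authentication daemon. It reproduces that matching on constructed sample data and goes a little beyond the two-user example by handling users with several groups, whitespace differences after RDN separators, and escaped commas inside an RDN value. Case-sensitive matching is an assumption; the guide does not say how the firewall treats case.

```python
import fnmatch
import re
from typing import Dict, Iterable, List

# Constructed sample data (not taken from any directory described in the
# guide): the group membership strings MSAD/LDAP would return for three users.
# User01 and User02 mirror the guide's own example; User03 is added to show a
# user that belongs to several groups.
SAMPLE_USER_GROUPS: Dict[str, List[str]] = {
    "User01": ["CN=foo, OU=bar, DC=foo-bar, DC=foo"],
    "User02": ["CN=SSL VPN, DC=foo-bar, DC=foo"],
    "User03": [
        "CN=foo, OU=bar, DC=foo-bar, DC=foo",
        "CN=SSL Users, OU=vpn, DC=foo-bar, DC=foo",
    ],
}

# Split a DN on commas that are not escaped with a backslash (RFC 4514 allows
# "CN=Doe\, John"), so a literal comma inside an RDN value is not a separator.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> str:
    """Drop the optional whitespace after RDN separators so that
    'CN=foo, OU=bar' and 'CN=foo,OU=bar' compare equal."""
    return ",".join(part.strip() for part in _RDN_SPLIT.split(dn))


def matching_groups(groups: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Return the (normalized) group DNs that match at least one Group Filter Pattern.

    Patterns use the shell-style wildcards shown in the guide (*SSL*).
    Matching is case-sensitive here; that is an assumption of this example.
    """
    pats = list(patterns)
    matched: List[str] = []
    for group in groups:
        dn = normalize_dn(group)
        if any(fnmatch.fnmatchcase(dn, pat) for pat in pats):
            matched.append(dn)
    return matched


def filter_user_groups(user_groups: Dict[str, List[str]],
                       patterns: Iterable[str]) -> Dict[str, List[str]]:
    """Apply the filter to every user; a user left with an empty list fails
    any group-based limitation built on these patterns."""
    pats = list(patterns)
    return {user: matching_groups(groups, pats) for user, groups in user_groups.items()}


def user_matches(groups: Iterable[str], patterns: Iterable[str]) -> bool:
    """True if the user keeps at least one group after filtering."""
    return bool(matching_groups(groups, patterns))


if __name__ == "__main__":
    for user, kept in filter_user_groups(SAMPLE_USER_GROUPS, ["*SSL*"]).items():
        print(f"{user}: {'matches' if kept else 'no match'} {kept}")
```

When building patterns for a real directory, match on the part of the DN you control (an OU or a group CN) rather than on the domain components, which every user shares, and check a handful of users against the filter before relying on it in an access rule.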
How to Configure LDAP Authentication for Mac OS X Directory Services

To retrieve authentication information from a Mac OS X Directory server, configure it as an external LDAP authentication server.

Configure LDAP Authentication for Mac OS X Directory Services

1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left menu, select LDAP Authentication.
3. Click Lock.
4. Enable LDAP as external directory service.
5. In the Basic table, add a new entry for each Base DN. Configure the following settings:
   LDAP Base DN – Enter the distinguished name for the user organizational unit.
   LDAP Server / Port – Enter the IP address and port for the Mac OS X Directory server (default: port 389).
   Anonymous – Select No.
   LDAP Admin DN / Password – Name and password of the administrator authorized to perform LDAP queries.
   Group Attribute – Enter gidNumber.
   Cache LDAP Groups – Enable checkbox to display groups by name.
   Logon to Authenticate – Enable checkbox.
6. Click OK.
7. Click Send Changes and Activate.

You can now retrieve authentication information from your Mac OS X Directory server.

How to Configure RADIUS Authentication

Remote Access Dial-In User Service (RADIUS) is a networking protocol providing authentication, authorization, and accounting. The Barracuda NG Firewall can use RADIUS authentication for IPsec, Client-to-Site, and SSL VPN.

Configure RADIUS Authentication

To configure RADIUS for external authentication with the Barracuda NG Firewall:
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select RADIUS Authentication.
3. Click Lock.
4. From the Configuration Mode menu on the left, select Advanced View.
5. Enable RADIUS as external directory service.
6. In the Radius Server Address / Port fields, enter the IP address and port of the RADIUS server (default: port 1812).
7. In the Radius Server Key section, define the pre-shared secret to authorize requests. (Do not use backslashes.)
8. From the Group Attribute Delimiter list, you can select how groups are delimited in a list. To explicitly specify a delimiter character, select the Other checkbox and enter the character in the Group Attribute Delimiter field.
9. From the Group Attribute Usage list, you can select the group information that is used (e.g.: CN=…, OU=…, DC=…). You can select:
   All (default) – Complete string.
   First – Only the first group.
   Last – Only the last group.
10. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
11. Enter the NAS identifier, IP address, and port if your RADIUS server requires you to set NAS credentials.
12. Enable OTP preserves State if a One-Time Password server (e.g., Symantec VIP Enterprise Gateway 9.0) requires the RADIUS response to contain the 'State' attribute.
13. Click Send Changes and Activate.

RADIUS Authentication through the Remote Management Tunnel

To allow remote NG Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT Host Firewall rule. By default, this rule is disabled.

How to Configure TACACS+ Authentication

Terminal Access Controller Access-Control System Plus (TACACS+) is an access control network protocol (TCP) for routers, network access servers, and devices. Unlike RADIUS, TACACS+ uses separate authentication and authorization. TACACS+ provides centralized user and group management and offers extended logging options.
TACACS+ supports multiple protocols, e.g., IP and AppleTalk.

Configure TACACS+

To configure TACACS+ for external authentication with the Barracuda NG Firewall:
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select TACACS+ Authentication.
3. Click Lock.
4. Enable TACACS+ as external directory service.
5. In the TACACS+ IP Address table, add an entry for each TACACS+ server. You can edit the following settings:
   TAC+ IP Address – IP address of the TACACS+ server.
   TAC+ ID Port – ID Port information, e.g., tty10.
   TAC+ Server Port – TCP port of the TACACS+ server.
   TAC+ Key – DES encryption key.
   Timeout (s) – Authentication timeout in seconds.
   TAC+ Login Type – TACACS+ login type (inbound).
6. Click OK.
7. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
8. Click Send Changes and Activate.

How to Configure RSA-ACE SecurID Authentication

RSA-ACE is a commonly used two-factor authentication method for the authentication of network and VPN users. When authenticating with an RSA-ACE server, users sign in with their username and a password consisting of the PIN and the RSA SecurID code provided by a token.

In this article:
   Before you Begin
   Step 1. Configure the RSA-ACE Server
   Step 2. Configure RSA-ACE Authentication
   RSA-ACE SecurID Authentication through the Remote Management Tunnel

Before you Begin

RSA-ACE does not provide group information. If you want to create groups, follow the instructions given in How to Configure Explicit Groups.

For authentication against the Barracuda NG Firewall using an RSA-ACE authentication server, verify that the Clear Node Secret is properly set.

Step 1. Configure the RSA-ACE Server

Before configuring RSA-ACE authentication, you must prepare the RSA-ACE server:
1. Create an Agent Host and add the users who want to authenticate over the Barracuda NG Firewall. The hostname must be DNS resolvable (Box IP address of the Barracuda NG Firewall and ACE-Server IP address). Time on the Barracuda NG Firewall must be the same as on the ACE server.
   Encryption = DES
   Type = Unix Agent
2. Assign Acting Server.
3. Export the configuration to insert it in the RSA-ACE Authentication configuration as explained in Step 2.

Users who want to authenticate over the proxy must perform their first authentication without the Barracuda NG Firewall, because PIN validation is not supported.

Step 2. Configure RSA-ACE Authentication

1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select RSA-ACE Authentication.
3. Click Lock.
4. Enable RSA-ACE as external directory service.
5. In the RSA Configuration File section, import the configuration file that is provided by the RSA SecurID server (sdconf.rec).
6. Enter the IP address of the RSA server.
7. In the DNS Resolved IP field, enter the IP address that is used to connect to the RSA server. This IP address must match the client IP address configured on the server; otherwise, the connection is refused.
8. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
9. Click Send Changes and Activate.

RSA-ACE SecurID Authentication through the Remote Management Tunnel

To allow remote NG Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT Host Firewall rule. By default, this rule is disabled.
How to Configure MSNT Authentication

Windows NT (MSNT) is used as an external directory service, e.g., to authenticate Client-to-Site VPN users. MSNT validates user accounts and authorizes access to local or remote systems or domains at log-on of type local, domain, or trusted domain. On the Barracuda NG Firewall, you can configure MSNT as an external authentication scheme.

Before you Begin

MSNT does not provide group information. If you want to create groups, follow the instructions given in How to Configure Explicit Groups.

Configure MSNT

To configure MSNT for external authentication with the Barracuda NG Firewall:
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select MSNT Authentication.
3. Click Lock.
4. Enable MSNT as external directory service.
5. In the Domain Controller Name table, add an entry for each domain controller. You can edit the following settings:
   Domain Controller Name – Name of the primary domain controller, without the domain suffix. The name must be DNS-resolvable.
   Domain Name – Name of the domain.
   Domain Controller IP – IP address of the domain controller. If given, the IP address is used instead of the hostname.
6. Click OK.
7. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
8. Click Send Changes and Activate.

MSNT Authentication through the Remote Management Tunnel

To allow remote NG Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT Host Firewall rule. By default, this rule is disabled.
How to Configure Barracuda Web Filter Authentication
This article refers to the Barracuda Web Security Gateway appliance, not the URL Filter service on the Barracuda NG Firewall. For more information on the URL Filter, see URL Filter.
The Barracuda Web Security Gateway appliance provides content filtering with HTTP/HTTPS support and URL filtering by category for various types of users and groups. To use the users and groups known to the Barracuda Web Security Gateway for authentication on the Barracuda NG Firewall, configure Web Filter authentication as an external authentication scheme.
Before you Begin
Before configuring Web Filter authentication, verify that your user groups are properly configured on the Barracuda Web Security Gateway. For more information, see Managing Users and Groups in the Web Security Gateway TechLibrary.
Configure Web Filter Authentication
To configure Web Filter authentication on the Barracuda NG Firewall:
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select Webfilter Authentication.
3. Click Lock.
4. Enable the Webfilter Authentication query scheme.
5. In the Server Setting table, add an entry for each Webfilter server. Specify the following settings:
IP Address – IP address of the Web Security Gateway server.
Passphrase – The authentication passphrase configured on the Web Security Gateway. It is a shared secret between the two appliances, so use a long, randomly generated value.
Sync Interval (s) – Synchronization interval in seconds between the NG Firewall and the Web Security Gateway.
6. Click OK.
7. Click Send Changes and Activate.
How to Configure WiFi AP Authentication
The Barracuda NG Firewall can parse authentication information contained in the syslog stream of supported wireless access points.
WiFi access points typically use authentication services such as RADIUS servers to authenticate users before allowing them to connect. The Barracuda NG Firewall monitors the syslog messages sent by the WiFi access points for usernames and the associated IP addresses of logged-in users. Depending on the access point, the Barracuda NG Firewall receives login and/or logout information.
Supported WiFi Access Points
Aerohive (login only)
Ruckus (login and logout)
Aruba (login only)
In this article:
Before you Begin
Step 1. Configure a Box Level IP Address
Step 2. Configure WiFi AP Authentication
Before you Begin
Configure the WiFi access point to stream its syslog to the Barracuda NG Firewall. For more information, see:
WiFi AP Authentication Aerohive Configuration
WiFi AP Authentication Ruckus Wireless Configuration
WiFi AP Authentication Aruba Configuration
Step 1. Configure a Box Level IP Address
Add an IP address on the box level that can be reached by the wireless access point.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. Click Lock.
3. Click + to add an Additional Local IP.
4. Enter a Name.
5. Select the interface from the Interface Name dropdown.
6. Enter the IP Address and Associated Netmask.
7. Click OK.
8. Click Send Changes and Activate.
Step 2. Configure WiFi AP Authentication
If the WiFi access point uses an SSL-encrypted connection, the certificate can be imported from a PEM or PKCS12 file.
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication.
2. Click Lock.
3. In the left menu, click WiFi AP Authentication.
4. Set Activate Scheme to yes.
5. Click + to add a WiFi AP Endpoint. The WiFi AP Endpoints window opens.
6. Enter the Source IP.
This is the IP address of your WiFi access point.
7. Select the Protocol used by the WiFi access point to send the syslog: UDP, TCP, or SSL. UDP and plain TCP syslog carry no authentication of the sender, so use SSL with the access point's certificate wherever the access point supports it.
8. (SSL only) Enter the Certificate Subject Alternative Name of the SSL certificate.
9. (SSL only) Click Ex/Import and import the Certificate File.
10. Select the manufacturer of your WiFi access point from the WiFi AP Model dropdown.
11. Click OK.
12. Click Send Changes and Activate.
You can now use the authentication information from your WiFi access point. Go to Firewall > Users. All users with WiFi-AP in the Origin column are authenticated via the WiFi access point.
WiFi AP Authentication Aerohive Configuration
To authenticate users connected to Aerohive access points, you must stream the syslog containing the authentication data to the Barracuda NG Firewall.
Reference Devices/Versions:
Aerohive AP230 802.11ac Wireless AP, version 6.4r1a
Aerohive Networks HiveManager Online 6.4r1
Enable Syslog Streaming on the Aerohive AP
1. Log into the Aerohive Networks HiveManager.
2. Go to Configuration > Advanced Configuration > Management Services > Syslog Assignments.
3. Click New and configure syslog streaming:
Syslog Server – Select the IP address of the Barracuda NG Firewall from the dropdown.
Severity – Select Info from the dropdown.
4. Click Apply.
5. Click Save.
Add Syslog Configuration to Network Policy
Add the syslog configuration to the Network Policy you are using for your access points.
Verify that the Barracuda NG Firewall is Receiving the Syslog Data
On the Barracuda NG Firewall, go to LOGS and open Box > Control > AuthService_wifiap.log. After a successful authentication, you will see a "logged in user <username> with IP <IP address>" line in the log. The WiFi access point name is also listed.
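The following Python script is an added example and is not Barracuda's code; it shows what the WiFi AP Authentication scheme described above has to do with the syslog stream: accept messages only from the configured Source IP of each endpoint, extract the username and client IP from vendor-specific lines, and keep a client IP to user table that policy lookups can consult. The message formats, the sample lines, the endpoint table and the eight-hour idle timeout are all constructed for the example; they are not the real Aerohive, Ruckus or Aruba formats, and the firewall's own expiry behaviour is not described in this guide. Only the event model follows the text: Ruckus reports both login and logout, Aerohive and Aruba report login only, so for those two the table has no way of learning that a user has left except by timing the entry out.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed message formats standing in for the vendor-specific lines the
# firewall parses. They are NOT the real Aerohive, Ruckus or Aruba syslog
# formats; only the event model (Ruckus reports logout, the other two report
# login only) follows the documentation above.
VENDORS = {
    # model: (regex with user/event/ip groups, login events, logout events)
    "aerohive": (re.compile(r"auth (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>[\d.]+)"), {"login"}, set()),
    "aruba":    (re.compile(r"user (?P<user>\S+) (?P<event>\w+) from ip (?P<ip>[\d.]+)"), {"authenticated"}, set()),
    "ruckus":   (re.compile(r"client (?P<user>\S+) (?P<event>\w+) ip=(?P<ip>[\d.]+)"), {"join"}, {"leave"}),
}
# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host message
SYSLOG = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")


class WifiApAuth:
    """Client IP -> user table fed from access point syslog, modelled on the
    firewall's WiFi AP Authentication scheme (Firewall > Users, Origin WiFi-AP)."""

    def __init__(self, endpoints: Dict[str, str], idle_timeout: timedelta = timedelta(hours=8)):
        # endpoints: configured Source IP -> WiFi AP Model (the WiFi AP Endpoints
        # table). Lines from any other sender are dropped: UDP syslog carries no
        # sender authentication, so this check (or SSL with the AP certificate)
        # is all that stops a spoofed "login" line from tagging an attacker's
        # IP address with someone else's identity.
        self.endpoints = endpoints
        # Expiry for login-only vendors is an assumption of this example.
        self.idle_timeout = idle_timeout
        self.sessions: Dict[str, Tuple[str, datetime]] = {}  # client ip -> (user, last seen)
        self.rejected = 0

    def ingest(self, sender_ip: str, line: str, now: datetime) -> Optional[Tuple[str, str, str]]:
        """Parse one syslog line; return (event, user, ip), or None if ignored."""
        model = self.endpoints.get(sender_ip)
        if model is None:
            self.rejected += 1
            return None
        hdr = SYSLOG.match(line)
        if not hdr:
            return None
        pattern, logins, logouts = VENDORS[model]
        m = pattern.search(hdr.group("msg"))
        if not m:
            return None
        user, event, ip = m.group("user"), m.group("event"), m.group("ip")
        if event in logins:
            self.sessions[ip] = (user, now)  # a new login on a reused IP replaces the old user
            return ("login", user, ip)
        if event in logouts:
            # Clear the mapping only if it still belongs to this user: a late
            # logout must not evict someone who has since logged in on that IP.
            if ip in self.sessions and self.sessions[ip][0] == user:
                del self.sessions[ip]
            return ("logout", user, ip)
        return None

    def user_for(self, ip: str, now: datetime) -> Optional[str]:
        """Identity the firewall would apply to traffic from ip at time now."""
        entry = self.sessions.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.idle_timeout:
            del self.sessions[ip]  # a login-only AP never reported the logout
            return None
        return user


# Constructed sample stream as (sender, minutes after start, line); not
# captured from real devices.
SAMPLE = [
    ("10.0.0.5", 0, "<14>Mar  3 10:15:01 ap-lobby auth login user=alice ip=10.0.1.20"),
    ("10.0.0.6", 1, "<14>Mar  3 10:16:00 zd-1 client bob join ip=10.0.1.21"),
    ("10.0.0.6", 15, "<14>Mar  3 10:30:00 zd-1 client bob leave ip=10.0.1.21"),
    ("10.0.0.7", 16, "<14>Mar  3 10:31:00 aruba-1 user carol authenticated from ip 10.0.1.22"),
    ("10.0.0.9", 17, "<14>Mar  3 10:32:00 rogue auth login user=admin ip=10.0.1.1"),  # sender not configured
]


def replay(sample=SAMPLE) -> dict:
    """Feed the sample through the table and report what policy lookups would see."""
    auth = WifiApAuth({"10.0.0.5": "aerohive", "10.0.0.6": "ruckus", "10.0.0.7": "aruba"})
    start = datetime(2015, 3, 3, 10, 15)
    events: List[Tuple[str, str, str]] = []
    for sender, minutes, line in sample:
        ev = auth.ingest(sender, line, start + timedelta(minutes=minutes))
        if ev:
            events.append(ev)
    soon, later = start + timedelta(minutes=20), start + timedelta(hours=9)
    return {
        "events": events,
        "alice_soon": auth.user_for("10.0.1.20", soon),
        "alice_after_idle": auth.user_for("10.0.1.20", later),
        "bob_after_logout": auth.user_for("10.0.1.21", soon),
        "carol_soon": auth.user_for("10.0.1.22", soon),
        "rejected": auth.rejected,
    }


if __name__ == "__main__":
    for key, value in replay().items():
        print(f"{key}: {value}")
```

Two details matter in practice. The rejected counter is worth alerting on: a login line arriving from an address that is not a configured endpoint is either a misconfigured access point or someone trying to inject an identity. And for login-only access points, a client that leaves and a new client that later receives the same DHCP lease would inherit the first user's policies until the entry expires, so keep lease times and any idle timeout short.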
WiFi AP Authentication Ruckus Wireless Configuration
To authenticate users connected to Ruckus access points, you must stream the syslog containing the authentication data to the Barracuda NG Firewall.
Reference Devices/Versions:
ZoneDirector 1100 (ZD1106), version 9.10.0.0 build 21
ZoneFlex zf7321-u access point
Step 1. Enable Client Association Debug Logging
Enable Client Association in the debug log settings.
1. Go to Administer > Diagnostics.
2. In the Debug Logs section, enable Client Association.
3. Click Apply.
Step 2. Enable Syslog Streaming on the Ruckus Wireless AP
1. Go to Configure > System Log Settings.
2. Enable Remote Syslog.
3. Enter the IP address of the Barracuda NG Firewall.
4. Click Apply.
Verify that the Barracuda NG Firewall is Receiving the Syslog Data
On the Barracuda NG Firewall, go to LOGS and open Box > Control > AuthService_wifiap.log. After a successful authentication, you will see a "logged in user <username> with IP <IP address>" line in the log.
WiFi AP Authentication Aruba Configuration
To authenticate users connected to Aruba access points, you must stream the syslog containing the authentication data to the Barracuda NG Firewall.
Reference Devices/Versions:
Aruba Controller 651, version 6.4.1.0
Aruba AP 105
Enable Syslog Streaming on the Aruba AP
1. Log into the Aruba Mobility Controller.
2. Click the Configuration tab.
3. In the MANAGEMENT section of the left menu, click Logging.
4. In the Logging Servers section, click New and configure:
IP Address – Enter the management IP address of the Barracuda NG Firewall.
Category – Select user.
Logging Facility – Select the logging facility; use a different facility per access point to be able to differentiate between multiple Aruba APs.
Severity – Select notifications.
5. Click Add.
6. Click Apply.
7. Click the Levels tab.
8. In the User logs section, set the Logging Levels to notifications.
9. Click Apply.
Verify that the Barracuda NG Firewall is Receiving the Syslog Data
On the Barracuda NG Firewall, go to LOGS and open Box > Control > AuthService_wifiap.log. After a successful authentication, you will see a "logged in user <username> with IP <IP address>" line in the log. The Wi-Fi access point name is also listed.
How to Configure Kerberos Authentication
Kerberos is a ticket-based authentication scheme that provides authentication and authorization on a single sign-on basis. The Kerberos protocol provides mutual authentication: both the user and the server verify each other's identity. Implementing Kerberos-based authentication in your network allows the Barracuda NG Firewall to associate outgoing web requests with Active Directory users, to log user activity, and to apply user-specific or group-specific policies to outgoing connections.
In this article:
Implementation
Advantages
Requirements for Using a Kerberos Authentication Server
Configure Kerberos
Step 1. Configure Kerberos for the HTTP Proxy Service
Step 2. Join the Domain
Step 3. Create ACLs
Step 4. Configure your Web Browser
Kerberos Authentication through the Remote Management Tunnel
Troubleshooting
Implementation
You can use Kerberos with the Barracuda NG Firewall in any of the following scenarios:
Clients are behind a NAT-enabled router – Requests from users on client machines behind a NAT-enabled router appear to the Barracuda NG Firewall to come from the same, shared NAT router IP address.
Windows Terminal Services – Requests from users who use Windows Terminal Services to access remote data and applications on another machine appear to the Barracuda NG Firewall to come from the IP address of the Windows Terminal Server.
Citrix Presentation Services – Requests from users accessing remote data and applications on a Citrix Presentation Server appear to the Barracuda NG Firewall to come from the Citrix Presentation Server.
Advantages
Kerberos is useful when a Microsoft domain controller is running in native mode. It is a forward proxy authentication scheme, and the Barracuda NG Firewall does not need to verify each individual authentication request against a domain controller.
All users are transparently identified, so DC Agents become unnecessary.
All clients can use the same IP address (for example, in a terminal server environment).
Kerberos uses a ticketing system. The user submits an initial request and can afterwards request further tickets from the Kerberos ticketing system. Users do not continuously receive pop-up authentication prompts once the initial authentication has been processed.
Unique Service Principal Names (SPNs) make automatic, transparent authentication to network resources possible (each resource has its own SPN).
Requirements for Using a Kerberos Authentication Server
Before you integrate with a Kerberos authentication server, verify that the following requirements are met:
MSAD authentication is configured. Kerberos requires the MSAD authentication scheme.
MS-CHAP authentication is configured.
A forward proxy is deployed on the Barracuda NG Firewall. For more information, see How to Set Up and Configure the HTTP Proxy.
The management IP address, hostname, domain, and proxy are DNS-resolvable. Check your settings on the following pages:
IP Configuration page (CONFIGURATION > Configuration Tree > Box > Network).
DNS Settings page (CONFIGURATION > Configuration Tree > Box > Administrative Settings).
The DNS server can resolve names in both directions (forward and reverse).
Use type A DNS records for the Kerberos Key Distribution Center (KDC). There are known issues with some clients forming an incorrect SPN request when CNAME DNS records are used.
Configure all host machines to use NTP. All clocks must be synchronized to within 5 minutes of the Kerberos server clock for authentication to succeed. Time server settings must be configured on the Barracuda NG Firewall. For more information, see How to Configure Time Server (NTP) Settings.
Configure Kerberos
After verifying that the requirements for using a Kerberos authentication server are met, complete the steps in the following sections to implement Kerberos on the Barracuda NG Firewall:
Step 1. Configure Kerberos for the HTTP Proxy Service
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
2. Click Lock.
3. In the left navigation pane, select User Authentication.
4. Next to Authentication Settings, click Set.
5. From the Use Kerberos list, enable Kerberos.
6. In the Kerberos Service Name field, enter a name for the Kerberos service. This name represents the IP address of the HTTP Proxy service and is used to join the Kerberos service to MS Active Directory. The name must also be present in the DNS Settings section (CONFIGURATION > Configuration Tree > Box > Administrative Settings).
7. In the Authentication Worker Kerberos field, enter the number of worker processes started for authentication, if required (default: 5). For proxy servers under high load, you can enter up to 48.
8. In the Authentication Service Settings, select MS Active Directory from the Authentication Scheme list.
9. Click OK.
10. Click Send Changes and Activate.
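Before joining the domain, it pays to check the requirements listed above mechanically rather than discover them in cache.log later. The following Python script is an added example, not part of this guide or of the Barracuda product: it checks that each name resolves forward and reverse to itself, flags names that are CNAMEs (the guide asks for A records), compares the local clock with the KDC clock against the 300-second limit, and verifies that the SPN a browser will request for the proxy, HTTP/<proxy FQDN>@<REALM>, exists exactly once. The hostnames, addresses and SPN table in the sample data are constructed; in a real run, pass the live resolver functions, the KDC time from your NTP source, and the accounts reported by `setspn -Q HTTP/<proxy FQDN>` on a domain-joined Windows host.

```python
import socket
import time
from functools import partial
from typing import Callable, Dict, List, Optional, Tuple

MAX_SKEW_SECONDS = 300  # the guide's "within 5 minutes" (Kerberos' default clockskew)


def system_forward(name: str) -> Tuple[str, List[str]]:
    """Live resolver: (canonical name, IPv4 addresses). With AI_CANONNAME the
    first result carries the canonical name; if it differs from the queried
    name, that name is a CNAME, which the guide says to avoid."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM, 0, socket.AI_CANONNAME)
    return (infos[0][3] or name), sorted({i[4][0] for i in infos})


def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def check_name(fqdn: str, forward: Callable, reverse: Callable) -> List[str]:
    """Forward lookup, A-not-CNAME, and reverse lookup back to the same name."""
    try:
        canon, ips = forward(fqdn)
    except OSError as exc:
        return [f"{fqdn}: forward lookup failed ({exc})"]
    problems: List[str] = []
    if _norm(canon) != _norm(fqdn):
        problems.append(f"{fqdn}: is a CNAME for {canon}; use an A record so clients build the right SPN")
    for ip in ips:
        try:
            back = reverse(ip)
        except OSError:
            problems.append(f"{fqdn}: no PTR record for {ip}")
            continue
        if _norm(back) != _norm(fqdn):
            problems.append(f"{fqdn}: {ip} reverses to {back}, not {fqdn}")
    return problems


def check_clock(local_epoch: float, kdc_epoch: float) -> Optional[str]:
    skew = abs(local_epoch - kdc_epoch)
    if skew > MAX_SKEW_SECONDS:
        return f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s; fix NTP before joining the domain"
    return None


def expected_spn(proxy_fqdn: str, realm: str) -> str:
    """SPN a browser requests for a Negotiate proxy configured as proxy_fqdn."""
    return f"HTTP/{_norm(proxy_fqdn)}@{realm.upper()}"


def check_spn(spn: str, registered: Dict[str, List[str]]) -> Optional[str]:
    """registered maps SPN -> accounts it is set on (e.g. parsed from setspn -Q)."""
    owners = registered.get(spn, [])
    if not owners:
        return f"{spn}: not in the KDC database, no service ticket will be issued"
    if len(owners) > 1:
        return f"{spn}: set on {len(owners)} accounts ({', '.join(owners)}); SPNs must be unique"
    return None


def preflight(names: List[str], proxy_fqdn: str, realm: str, registered: Dict[str, List[str]],
              forward: Callable = system_forward, reverse: Callable = system_reverse,
              local_epoch: Optional[float] = None, kdc_epoch: Optional[float] = None) -> List[str]:
    """All checks in one pass; an empty list means the prerequisites hold."""
    problems: List[str] = []
    for name in names:
        problems += check_name(name, forward, reverse)
    if kdc_epoch is not None:
        msg = check_clock(time.time() if local_epoch is None else local_epoch, kdc_epoch)
        problems += [msg] if msg else []
    msg = check_spn(expected_spn(proxy_fqdn, realm), registered)
    return problems + ([msg] if msg else [])


# Constructed zone and SPN data so the checks run offline; not from a real domain.
FAKE_A = {
    "ngf01.example.com": ("ngf01.example.com", ["192.0.2.10"]),
    "proxy.example.com": ("ngf01.example.com", ["192.0.2.10"]),  # CNAME to ngf01
    "dc01.example.com": ("dc01.example.com", ["192.0.2.5"]),
}
FAKE_PTR = {"192.0.2.10": "ngf01.example.com", "192.0.2.5": "dc01.example.com"}
FAKE_SPNS = {"HTTP/ngf01.example.com@EXAMPLE.COM": ["NGF01$"]}


def _lookup(table: dict, key: str):
    if key not in table:
        raise OSError(f"no DNS record for {key}")
    return table[key]


fake_forward = partial(_lookup, FAKE_A)
fake_reverse = partial(_lookup, FAKE_PTR)

if __name__ == "__main__":
    # Proxy published as a CNAME and 400 s of skew: every problem the guide lists.
    for p in preflight(list(FAKE_A), "proxy.example.com", "EXAMPLE.COM", FAKE_SPNS,
                       fake_forward, fake_reverse, local_epoch=1000.0, kdc_epoch=1400.0):
        print("FAIL:", p)
```

The CNAME case is the one that bites most often: the browser is told to use proxy.example.com, so it asks the KDC for HTTP/proxy.example.com, while the proxy was registered as ngf01.example.com. The ticket is refused or never issued, the browser falls back to NTLM, and the proxy logs the "BH received type 1 NTLM token" error from the Troubleshooting section.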
All configured services and service names must be fully DNS-resolvable within the configured domain.
Step 2. Join the Domain
After you configure the Kerberos authentication scheme and the HTTP Proxy service, register the Barracuda NG Firewall and the HTTP Proxy service with the domain.
1. Go to CONTROL > Box.
2. In the left navigation pane, expand Domain Control and click Register at Domain.
3. From the Domain Control menu, select Register Proxy at Domain.
If the Kerberos service name is changed later, you must rejoin the Barracuda NG Firewall to the domain in order to use MS-CHAP v2 authentication again. If you want to use Kerberos with the new service name, you must re-register the proxy and restart it.
Step 3. Create ACLs
To specify administration rights, you can implement access control for specific users. The Kerberos access control list (ACL) file, kadm5.acl, lets you specify individual privileges. You can also use the '*' wildcard in the principal name to specify group privileges. For more information, see Access Control.
Step 4. Configure your Web Browser
To use Kerberos authentication, you must specify the proxy settings in your web browser. In the HTTP proxy settings of your web browser, enter the Kerberos service name as a fully qualified domain name, for example: 01ha.domain.com
Do not enter an IP address in your HTTP proxy settings. The browser derives the proxy's service principal name (HTTP/<proxy name>) from the name entered in the proxy settings, so with an IP address it cannot request a Kerberos ticket that matches the registered service.
Kerberos Authentication through the Remote Management Tunnel
To allow remote NG Firewalls to connect to the authentication server through the remote management tunnel, you must activate the outbound BOX-AUTH-MGMT-NAT Host Firewall rule. By default, this rule is disabled.
Troubleshooting
To troubleshoot issues with your Kerberos authentication settings, consider the following:
Hostnames must be DNS-resolvable in both directions.
Clock synchronization is crucial. The maximum allowed clock skew is 300 seconds.
The Kerberos Constrained Delegation (KCD) service must be reachable for the system and the authenticating user.
Service Principal Names (SPNs) must be unique and present in the KDC's database. If not, the KDC will not issue the service ticket (TGS).
To inspect the tickets held by your Windows client, use the klist command.
To view log files, click the Logs tab on your Barracuda NG Firewall.
If you see an error message containing "BH hostname error" in the HTTP Proxy service cache.log, check whether the hostname is DNS-resolvable:
helperStatefulHandleRead: unexpected read from negotiateauthenticator #1, 18 bytes 'BH hostname error'
If you are using CNAME DNS records for your KDC and you see the following error message in the HTTP Proxy service cache.log, use A DNS records instead. The message means the browser fell back to NTLM inside the Negotiate exchange, typically because it could not obtain a Kerberos ticket for the proxy's SPN:
ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
How to Configure Explicit Groups
Explicit groups are a way to organize users into groups for authentication schemes that do not provide group information, such as MSNT or RSA-ACE.
Configure Explicit Groups
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left menu, click Explicit Groups.
3. Click Lock.
4. In the Explicit Groups table, click + to add a group:
Group Name – Enter the name of the group.
Login Name – In this table, add the users that belong to the group.
5. In the External DB Files table, add references to the Berkeley DB files containing already existing group and user information.
6. Click Send Changes and Activate.
How to Configure NGF Local Authentication
Configure NGF local authentication to administer users and groups locally on the Barracuda NG Firewall. With NGF local authentication, you can refer to local users and groups when creating firewall rules, VPN tunnels, and services.
Configure NGF Local Authentication
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select NGF Local Authentication.
3. Click Lock.
4. Enable NGF Local Scheme as authentication scheme.
5. In the Users table, add an entry for each user that you administer with the local authentication scheme. For each entry, you can configure the following settings:
Username – Authentication name of the user.
Password – Initial user password.
Mail address – Email address of the user.
6. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list. For example, select LDAP if group information must be queried from an LDAP directory.
7. Click Send Changes and Activate.
Changing User Passwords
When using NGF local authentication, you can also give users the option of managing and changing their own passwords. This is done with an access rule that redirects HTTP/S requests (port 80/443) to the local web server of the system. Create an App Redirect firewall rule with the following settings:
Action – App Redirect
Source – Trusted LAN (LAN network users)
Service – HTTP+S
Destination – A custom IP address that users enter to reach the web interface, for example 1.1.1.1. Choose an address that is not used or routed anywhere else from your LAN; 1.1.1.1 is a real public address and serves only as a placeholder in this example.
Redirection – IP address of the local web server, together with the HTTP/S port, for example 127.0.0.1:80. If users are sent to the HTTPS port instead, the old and new passwords do not cross the LAN in clear text.
The Redirection IP address must also be configured on the Barracuda NG Firewall.
After you create and activate this firewall rule, users can enter http://1.1.1.1/cgi-bin/ngflocalpasswd into a web browser to change their password.
How to Configure MSAD DC Client Authentication
The Barracuda DC Client receives user authentication information from Barracuda DC Agents installed on Microsoft domain controllers.
Before you Begin
Before you configure MSAD DC Client authentication, you must install the Barracuda DC Agent on the Microsoft Active Directory server. For more information, see Barracuda DC Agent for User Authentication.
Configure the MSAD DC Client
Configure the MSAD DC Client settings on the Barracuda NG Firewall:
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left menu, click MSAD DC Client.
3. Click Lock.
4. Set Activate Scheme to Yes.
5. In the Server Setting table, add all Microsoft Active Directory servers running the Barracuda DC Agent.
6. For each entry, specify the IP Address of the Active Directory server running the DC Agent.
7. Enter the TCP Port of the Active Directory server running the DC Agent (default: port 5049).
8. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list.
9. Click OK.
10. In the Group Filter Patterns table, you can add patterns to filter group information from the directory service. Example:
Group Filter Pattern: *SSL*
User01: CN=foo, OU=bar, DC=foo-bar, DC=foo
User02: CN=SSL VPN, DC=foo-bar, DC=foo
In this example, User01 does not have the *SSL* pattern in its group membership string and will not match group-based restrictions.
11. Click Send Changes and Activate.
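The Group Filter Pattern example above (it recurs in How to Configure Additional Authentication Schemes) is easy to get wrong in a way that widens access: a pattern such as *SSL* matches the whole membership string, so any group whose name merely contains "SSL" matches too. The following Python snippet is an added example and not Barracuda's code; it reproduces the guide's two users, adds a third constructed user with a group called "No SSL Access", and shows how anchoring the pattern to the CN fixes the over-match. The assumption that patterns are case-sensitive shell-style globs (* and ?) applied to the entire string is this example's; the guide does not state the firewall's exact matching rules.

```python
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed group membership strings in the DN form the guide's example uses.
# User03 is added to show the pitfall: its group name merely contains "SSL".
USERS: Dict[str, List[str]] = {
    "User01": ["CN=foo, OU=bar, DC=foo-bar, DC=foo"],
    "User02": ["CN=SSL VPN, DC=foo-bar, DC=foo"],
    "User03": ["CN=No SSL Access, OU=Restricted, DC=foo-bar, DC=foo"],
}


def matching_groups(groups: List[str], patterns: List[str]) -> List[str]:
    """Groups whose full membership string matches at least one glob pattern.
    Assumption of this example: case-sensitive shell-style globs (* and ?)
    applied to the whole string; the guide does not state case rules."""
    return [g for g in groups if any(fnmatchcase(g, p) for p in patterns)]


def users_matching(users: Dict[str, List[str]], patterns: List[str]) -> List[str]:
    """Users who would pass a group-based restriction built on these patterns."""
    return sorted(u for u, groups in users.items() if matching_groups(groups, patterns))


if __name__ == "__main__":
    print("*SSL*        ->", users_matching(USERS, ["*SSL*"]))         # User02 plus the unintended User03
    print("CN=SSL VPN,* ->", users_matching(USERS, ["CN=SSL VPN,*"]))  # only User02
```

When a pattern feeds a rule that grants access (VPN, proxy bypass), write it against the CN and the remaining DN components rather than a bare substring, and review the Firewall > Users view after activation to confirm that only the intended users carry the group.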
How to Configure TS Agent Authentication
Use the Barracuda TS Agent to authenticate users on a Microsoft Terminal Server. The TS Agent is installed as a service on the Microsoft Terminal Server. Each user is assigned a dedicated source port range, which is transmitted over an SSL-encrypted connection to the Barracuda NG Firewall. This information enables the Barracuda NG Firewall to identify individual users even though their traffic comes from the same source IP address. The TS Agent detects both login and logout events. Citrix Desktop deployments on Windows Terminal Servers are also supported.
You can use SSL client certificates to authenticate the remote TS Agent on the Terminal Server, or, if no SSL certificates are configured, allow all incoming SSL connections. Without a client certificate, the only check on an incoming agent connection is its source address (the TS Agent IP Addresses list), so configure certificates unless that is acceptable in your network.
Before You Begin
Install the Barracuda TS Agent on the Microsoft Terminal Server(s). For instructions, see How to Set Up the Barracuda Terminal Server Agent.
(Optional) Create SSL client certificates.
Verify that the Host Firewall rule BOX-AUTH-TSAGENT-SYNC-IN (TCP port 5050) is present in the Host Firewall Inbound rule list (Config > Full Config > Infrastructure Services > Host Firewall Rules). You can find the default Host Firewall rules here: Default Host Firewall Rules.
Configure TS Agent Authentication
On the Barracuda NG Firewall, enable and configure connections with the Barracuda TS Agent.
1. Open the Authentication Service page (Config > Full Config > Infrastructure Services > Authentication Service).
2. In the left pane, click TS Agent Authentication.
3. Click Lock.
4. Set Activate Scheme to Yes.
5. Enter Auto Logout After [d] to automatically log out users after the given number of days.
6. (Optional) In the TS Agent Certificates section, click +. The TS Agent Certificates window opens.
a. Enter the Subject Alternative Name of the SSL client certificate.
b. Upload the SSL client certificate.
c. Click OK.
7. (Optional) Set Strip Domain Name to Yes. E.g., MYDOMAIN\myuser becomes myuser.
8. In the TS Agent IP Addresses section, add the IP addresses of the Microsoft Terminal Servers the TS Agent is running on.
9. Click Send Changes and Activate.
How to Configure Additional Authentication Schemes
On the Barracuda NG Firewall, you can introduce additional authentication schemes, for example, to configure a second proxy server in your network with an alternative authentication server. There is no limit to the number of authentication schemes that you can add.
References to additional schemes are not checked for integrity. Keep in mind that schemes may be deleted even though they are still used by VPN users.
Configure an Additional Authentication Scheme
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. Click Lock.
3. In the left menu, click Additional Schemes.
4. In the Schemes section, click + to add an entry for the additional authentication scheme.
5. Enter a Name for the additional authentication scheme.
6. Enable the scheme to start the authentication processes.
7. Select the scheme from the Method list.
8. Configure the settings applicable to the selected scheme:
MSNT Settings – For information on the settings in this section, see How to Configure MSNT Authentication.
MSAD Settings – For information on the settings in this section, see How to Configure MSAD Authentication.
RADIUS Settings – For information on the settings in this section, see How to Configure RADIUS Authentication.
LDAP Settings – For information on the settings in this section, see How to Configure LDAP Authentication.
RSA-ACE Settings – For information on the settings in this section, see How to Configure RSA-ACE SecurID Authentication.
NG Firewall Local Authentication Settings – For information on the settings in this section, see How to Configure NGF Local Authentication.
TACACS+ Settings – For information on the settings in this section, see How to Configure TACACS+ Authentication.
OCSP Settings – For information on the settings in this section, see How to Configure OCSP Validation.
9. In the Filter Settings section, select the scheme from the User Info Helper Scheme list if group information is queried from a different authentication scheme. For example, select LDAP if RADIUS is used for identity verification but group information must be queried from an LDAP directory.
10. In the Group Filter Patterns table, you can add patterns to filter group information from the directory service. Example:
Group Filter Pattern: *SSL*
User01: CN=foo, OU=bar, DC=foo-bar, DC=foo
User02: CN=SSL VPN, DC=foo-bar, DC=foo
In this example, User01 does not have the *SSL* pattern in its group membership string and will not match group-based restrictions.
11. Click OK.
12. Click Send Changes and Activate.
How to Configure Authentication Service Timeouts and Logging
Configure timeout and logging settings to manage login processes and to log user group information related to your configured authentication schemes.
Configure Timeout and Logging
To configure timeout and logging settings for authentication services:
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
2. In the left navigation pane, select Timeouts and Logging.
3. From the Configuration Mode menu on the left, select Switch to Advanced View.
4. Click Lock.
5. Enable Log Groups to log user group information.
6. If desired, enable Log Add. Meta-directory Fields to log additional meta-directory fields.
7. In the Timeout Settings, adjust the settings according to your requirements.
8. If required, configure the Expert Settings, e.g., Client Codepage.
9. Click Send Changes and Activate.
With timeout and logging settings configured, user group information is logged and the log files are displayed on the Logs page of the Barracuda NG Firewall.
Virtual Servers and Services
Virtual servers are the main operative instance on the Barracuda NG Firewall, next to the global settings and box configuration objects. The virtual server layer manages all IP addresses that are required for the services running on the virtual servers. It introduces all IP addresses that are needed for proper operation except the remote management and HA IP addresses. Depending on your requirements, you can create multiple virtual servers on a standalone box or on a system within a Barracuda NG Control Center cluster.
Virtual Servers
The virtual server layer runs on the box layer of the Barracuda NG Firewall. It is a purely logical layer whose most important function is to make IP addresses available to the services (service layer). By default, the virtual server S1 is already created on every Barracuda NG Firewall except the larger hardware models. When a virtual server is started, it assigns IP addresses to its services, causing the box layer to automatically activate the pending routes of directly attached network routes.
On a virtual server, you must introduce all IP addresses that should be managed by the server and assigned to the services under it. These IP addresses must be in one of the networks for which a directly attached network route exists on the box level. Do not use the IP addresses configured on the box layer, such as the management IP address or additional local IP addresses, because this causes problems in HA setups. The encryption level is also configured at the virtual server level.
If your Barracuda NG Firewall is running without a valid license (demo mode) or in an export-restricted country, you can only use export-restricted encryption until your system is licensed.
Virtual servers are bound to the product type and name. Once created, they cannot be renamed. For more information, see How to Configure Virtual Servers.
HA Monitoring and Transparent Failover
A virtual server is transferable between the members of a high availability cluster. If the primary unit fails, the virtual server, including its assigned IP addresses and all services, is instantly transferred to the secondary unit. You can also create virtual servers with services that run only on a secondary unit and, in case of a failover, are transferred to the primary unit, and vice versa.
For HA failover, the management IP address and the first virtual server IP address are monitored by default. To configure transparent monitoring for HA clusters, create monitoring policies for interfaces and IP addresses. The virtual server stays up as long as these health check targets are reachable. For more information, see Virtual Server Monitoring and High Availability.
Virtual Servers in the NG Control Center
On the Barracuda NG Control Center, virtual servers are created in the NG Control Center cluster. The setup procedure is very similar to the procedure on a Barracuda NG Firewall: you create a server and assign the network IP addresses and services. Virtual servers act as separate configuration entities, so you can copy them from one cluster to another. For example, you can assign the virtual server S1 once per cluster. When assigning virtual servers to different clusters, the product types must match. For example, you cannot assign a VF25 virtual server to a Barracuda NG Firewall F10. For more information, see How to Configure Virtual Servers.
Services
The service layer runs on the virtual server layer of the Barracuda NG Firewall.
It introduces the services such as firewall, HTTP proxy, VPN, and DHCP. The services use the configured IP addresses of the virtual server on which they are running. If the virtual server shuts down, all of the assigned services and IP addresses are also shut down and made unavailable. If the Barracuda NG Firewall is deployed in a high availability cluster, the services and necessary IP addresses transparently failover to the other HA unit. For more information, see How to Configure Services, NG Firewall Services or NG Control Center Shared Services Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 246 How to Configure Virtual Servers To manage networking and services on the Barracuda NG Firewall, you can use the virtual server S1 that is already present on the unit. To extend firewalling and networking capabilities, introduce additional servers with IP addresses that can be adapted and used by networks and services created under them. If a Barracuda NG Firewall system hosting virtual servers is running in a high availability (HA) cluster, the virtual servers are also present on the HA unit. If the primary unit fails, the virtual server, IP addresses, and all services are taken over instantly by the secondary unit. In this article: Create a Virtual Server on a Standalone Barracuda NG Firewall Create a Virtual Server on a Barracuda Control Center Deleting a Virtual Server Moving/Copying Virtual Servers (NG Control Center only) Before you Begin Verify that direct routes exist on the box layer for the network the virtual server IPs are in. If you are using a HA cluster, the routes must be configured on both units. Create a Virtual Server on a Standalone Barracuda NG Firewall 1. Go to CONFIGURATION > Multi-Range > your range > your cluster. 2. Right-click on Virtual Servers in your cluster and select Create Server. The Create Server windows opens. 3. 
Configure the following settings:
Server Name – Enter a unique name up to six characters long for the virtual server.
Product Type – Select the model of your Barracuda NG Firewall. The product type of the virtual server and the NG Firewall the virtual server is running on must match.
Active Box – Select This-Box.
Backup Box (optional) – Select Other-Box if you are using a high availability cluster, or No-Backup if you are using a standalone Barracuda NG Firewall.
Encryption Level – Select Full Featured Encryption unless you are running in demo mode or are located in an export-restricted country.
First-IP – Enter the first IP address for the virtual server.
Reply to Ping – Select yes for the virtual server to answer ICMP pings on the first IP address.
Second-IP (optional) – Enter the second IP address for the virtual server.
Reply to Ping – Select yes for the virtual server to answer ICMP pings on the second IP address.
Additional IP (optional) – Enter as many additional IP addresses as needed.
4. Click Next.
5. (optional) Configure monitoring settings for the virtual server. For more information, see Virtual Server Monitoring.
6. Click Next.
7. (optional) Enter custom command-line scripts that are executed when the virtual server is started or stopped. For more information, see Command-Line Interface.
8. Click Finish.
9. Click Activate.

Create a Virtual Server on a Barracuda Control Center

Create a virtual server in a cluster on the Barracuda NG Control Center. The virtual server can be used for every managed NG Firewall of the same product type in the cluster.
1. Go to CONFIGURATION > Multi-Range > your range > your cluster.
2. Right-click Virtual Servers in your cluster and select Create Server. The Create Server window opens.
3. Configure the following settings:
Server Name – Enter a unique name up to six characters long for the virtual server.
Product Type – Select the model of your Barracuda NG Firewall.
The product type of the virtual server and the NG Firewall the virtual server is running on must match.
Encryption Level – Select Full Featured Encryption unless you are running in demo mode or are located in an export-restricted country.
Primary Box – Select the NG Firewall the virtual server runs on. The box must be in the same cluster as the virtual server.
Secondary Box (optional) – Select the secondary NG Firewall.
First-IP – Enter the first IP address for the virtual server.
Reply to Ping – Select yes for the virtual server to answer ICMP pings on the first IP address.
Second-IP (optional) – Enter the second IP address for the virtual server.
Reply to Ping – Select yes for the virtual server to answer ICMP pings on the second IP address.
Additional IP (optional) – Enter as many additional IP addresses as needed.
4. Click Next.
5. (optional) Create or import the Server Private Key.
6. (optional) Import the Server Certificate.
7. Click Next.
8. (optional) If you are planning to use GTI, add the local networks for the VPN tunnels. For more information, see CC VPN GTI Editor.
9. Click Next.
10. (optional) Configure monitoring settings for the virtual server. For more information, see Virtual Server Monitoring.
11. Click Next.
12. (optional) Enter custom command-line scripts that are executed when the virtual server is started or stopped. For more information, see Command-Line Interface.
13. Click Finish.
14. Click Activate.

Deleting a Virtual Server

If you delete a virtual server, all of its assigned services are also deleted. Before changing server and service settings, back up your system configuration. For more information, see Backups and Recovery.
1. Right-click the virtual server you want to delete and click Lock.
2. Right-click the virtual server and click Remove Server.
3. Click Yes. The virtual server and all its services are now marked with a red "x".
4. Click Activate.

Moving/Copying Virtual Servers (NG Control Center only)

You can move or copy virtual servers on the NG Control Center between different clusters. It is not possible to create a copy of a virtual server in the same cluster it is currently in. The clusters must use at least the same release version. For example, you cannot move a 6.0 virtual server to a 5.2 cluster.
1. Right-click the virtual server you want to move or copy and click Lock.
2. Right-click the virtual server and click Move Server or Copy Server.
3. Select the destination in the Range/cluster tree.
4. Enter the new name of the virtual server.
5. Click OK.
6. Click Activate.

Virtual Server Monitoring

To ensure and maintain the connectivity of a virtual server, you can define pools of IP addresses and/or network interfaces that are continuously monitored by the Barracuda NG Firewall. If the health check of a monitored IP address or the link state of a network interface fails, the virtual server is automatically shut down. As soon as the health check target is reachable again, the virtual server is started again. Monitoring policies define which requirements must be met for the virtual server to remain active, or to be shut down. If you are using an HA cluster, you can use monitoring policies to define the behavior of the secondary HA unit. If necessary, you can use custom scripts that are executed when the virtual server is started or stopped.

In this article:
Layer 3 Monitoring
Layer 2 Monitoring
Server Monitoring in HA Clusters
Step 1. Configure the Operation Mode
Step 2. Configure the Monitoring Policy
Configure Custom Scripts

Layer 3 Monitoring

The Layer 3 monitoring policy defines the settings for IP address monitoring. The policy configuration provides two address pool tables. Add the target addresses to the tables.
These IP addresses must be reachable for the virtual server to stay up. The following Layer 3 monitoring policies are available:
all-OR-all-present – All of the IP addresses from at least one IP address pool, e.g., from the Monitored IPs I table, must be reachable. If you enter IP addresses in both the Monitored IPs I and II tables, all IP addresses from at least one of these tables must be available. Otherwise, the virtual server is deactivated.
one-AND-one-present – At least one IP address from each monitoring pool must be reachable. If you only enter IP addresses in the Monitored IPs I table, at least one IP address from this table must be available. If you enter IP addresses in both tables, at least one IP address in each table must be available.

The control service runs an ICMP check on all IP addresses in 10-second intervals. If no answer is received, the IP addresses are probed every second for a 10-second period. If no response is received from a valid health check target during the 10-second period, the virtual server shuts down. The server is reactivated as soon as an answer is received for one of the subsequent probes.

Example Setup: Layer 3 monitoring is configured for the virtual server S2, using both address pools with the following IP addresses and statuses:

Monitored IPs I    Status    Monitored IPs II    Status
10.0.10.110        up        10.0.10.88          up
10.0.10.68         down      10.0.10.99          down

The status of the virtual server is displayed on the Control > Server page:
If the monitoring policy one-AND-one-present is used, the server stays up because one IP address of each address pool is available.
If the all-OR-all-present policy is used, the server shuts down because neither IP pool is fully available.

Layer 2 Monitoring

The Layer 2 monitoring policy defines the settings for interface monitoring.
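The decision logic of the two monitoring policies over the Monitored IPs I / II tables, together with the 10-second probe timing described above, as an added example (Python, written for this page; not code from the guide or the product). It also applies the same policy logic to interface pools, since Layer 2 monitoring uses the same all-OR-all-present / one-AND-one-present rules; all probe results are constructed sample data, and the 10-second interval while the server is down is an assumption.

```python
"""Virtual server monitoring policies, as a runnable model.

Added example, not Barracuda code: it reproduces the all-OR-all-present and
one-AND-one-present decisions over the two monitored pools (IP addresses for
Layer 3, interfaces for Layer 2) and the Layer 3 probe timing from the text
(a check every 10 s, then one probe per second for 10 s before shutdown).
All probe results below are constructed sample data, not real ICMP replies.
"""
from typing import Dict, List, Tuple

Pool = Dict[str, bool]  # health check target -> currently reachable / link up

INTERVAL = 10     # seconds between regular checks
FAST_PROBES = 10  # one probe per second for 10 s after a failed check


def pool_all_present(pool: Pool) -> bool:
    """Every target of a non-empty pool is available."""
    return bool(pool) and all(pool.values())


def pool_one_present(pool: Pool) -> bool:
    """At least one target of the pool is available."""
    return any(pool.values())


def server_should_run(policy: str, pool1: Pool, pool2: Pool) -> bool:
    """Apply a Layer 3 / Layer 2 monitoring policy to tables I and II.

    An empty table is simply not configured and is skipped, so a policy with
    only table I filled in behaves as the text describes.
    """
    configured = [p for p in (pool1, pool2) if p]
    if not configured:
        return True  # nothing to monitor: the policy never shuts the server down
    if policy == "all-OR-all-present":
        return any(pool_all_present(p) for p in configured)
    if policy == "one-AND-one-present":
        return all(pool_one_present(p) for p in configured)
    raise ValueError(f"unknown monitoring policy: {policy}")


def simulate(policy: str, rounds: List[Tuple[Pool, Pool]]) -> List[Tuple[int, bool]]:
    """Feed successive probe-round results to the control service model.

    Returns (time of the probe round in seconds, server up after that round).
    A failed round switches to 1-second probing; if none of the next ten
    rounds satisfies the policy, the server is shut down. The first round that
    satisfies the policy again starts it. While the server is down, the model
    assumes the regular 10-second interval (the text gives no interval here).
    """
    t, server_up, fast_left = 0, True, 0
    timeline: List[Tuple[int, bool]] = []
    for pool1, pool2 in rounds:
        if server_should_run(policy, pool1, pool2):
            fast_left, server_up = 0, True
        elif server_up:
            if fast_left == 0:
                fast_left = FAST_PROBES  # first miss: start the 10-second window
            else:
                fast_left -= 1
                if fast_left == 0:
                    server_up = False    # window elapsed without any answer
        timeline.append((t, server_up))
        t += 1 if fast_left else INTERVAL
    return timeline


# Example setup from the text: both Layer 3 pools of virtual server S2
MONITORED_IPS_I: Pool = {"10.0.10.110": True, "10.0.10.68": False}
MONITORED_IPS_II: Pool = {"10.0.10.88": True, "10.0.10.99": False}


def example_decisions() -> Dict[str, bool]:
    """one-AND-one-present keeps S2 up; all-OR-all-present shuts it down
    because neither pool is fully available."""
    return {p: server_should_run(p, MONITORED_IPS_I, MONITORED_IPS_II)
            for p in ("one-AND-one-present", "all-OR-all-present")}


if __name__ == "__main__":
    print(example_decisions())
    # Constructed outage: every address of table I stops answering for 11 rounds
    outage = [({"10.0.10.110": False, "10.0.10.68": False}, MONITORED_IPS_II)]
    rounds = ([(MONITORED_IPS_I, MONITORED_IPS_II)] + outage * 11
              + [(MONITORED_IPS_I, MONITORED_IPS_II)])
    for t, up in simulate("one-AND-one-present", rounds):
        print(f"t={t:3d}s server {'up' if up else 'DOWN'}")
```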
Add the interfaces that should be checked according to the policy in the Monitored Interfaces I and II tables. Layer 2 monitoring is available in the following modes:
all-OR-all-present – All of the interfaces from at least one interface pool, e.g., from the Monitored Interfaces I table, must be available.
one-AND-one-present – At least one interface from each interface pool table must be available. If you have added interfaces in only one table, at least one interface from this table must be available. If you have added interfaces in both tables, at least one interface from each table must be available.

The control service checks the link status of each interface on a regular basis. Depending on the selected policy, the server is shut down if the links on the monitored interfaces are unavailable. The server is restarted when the links of the monitored interfaces are up again.

Server Monitoring in HA Clusters

If your Barracuda NG Firewall is part of an HA cluster, you can extend the monitoring policy to both units. For HA monitoring, you can select the following options:
Monitoring on Backup Box – If set to No (default), server monitoring for the box and the HA box is performed only by the primary unit. In case of a failover, the non-availability of health check targets is ignored by the HA box and the server stays up on the secondary unit. If set to Yes, the monitoring policy is also enforced by the backup box. In case of a failover, the virtual server is then also deactivated on the second unit if the monitoring fails on the secondary unit as well.
Shared-HA-Probing – Shared HA probing combines the IP address and interface information of both units. Both sets of IP addresses or interfaces must be available on both units. An IP address or interface that is not operational on both HA peers is excluded from the HA logic decision. If a server is active on a unit and blocked on the peer unit, any probing results are ignored.
The probing decision is only made if a situation persists over two probing cycles. This gives the system time to account for the delay between detection and synchronization and avoids aliasing effects.
Local-HA-Probing – (default) Only local health check target resources are probed. This means every HA partner performs its own monitoring procedure.

Step 1. Configure the Operation Mode

Configure the monitoring policies for IP addresses and interfaces that must be reachable in order for the virtual server to stay up. When your Barracuda NG Firewall unit resides in an HA cluster, specify the monitoring policy for the case of HA failover:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Monitoring Policy.
3. Click Lock.
4. From the Monitoring on Backup Box list, select whether monitoring should be performed and, in case of failover, adapted by a secondary HA unit.
5. Select the Probing Policy. For more information, see Server Monitoring in HA Clusters.

Step 2. Configure the Monitoring Policy

Specify the monitoring policy for IP addresses and interfaces.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Monitoring Policy.
3. Click Lock.
4. In the Layer 3 Monitoring section, specify the IP address monitoring policy. For more information, see Layer 3 Monitoring.
5. In the Monitored IPs I / II tables, add the IP addresses that must be reachable via the ICMP protocol by the system that is hosting the server.
6. In the Layer 2 Monitoring section, specify the interface monitoring policy. For more information, see Layer 2 Monitoring.
7. In the Monitored Interfaces I / II tables, add the physical interfaces that must have a link in order for the server to stay up.
8.
Click Send Changes and Activate.

Configure Custom Scripts

Configure custom scripts for use with your monitoring policies. These scripts are run after the server starts or before the server shuts down due to unreachable IP addresses or interfaces. Do not use phionctrl in your custom scripts; this might cause a deadlock.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. In the left menu, select Custom Scripts.
3. Click Lock.
4. In the Start and Stop Script fields, enter the commands that should be executed when the server is started up or shut down (7-bit ASCII characters, compliant with standard Bash version 2).
5. Click Send Changes and Activate.

How to Configure Services

The Barracuda NG Firewall has two types of services. Box services provide functionality required to run the Barracuda NG Firewall system. They are factory-defined and cannot be created or removed by the user. Server services are created and run in a virtual server. Services relying on other services for certain functionality (e.g., the firewall and virus scanner services) must be created on the same virtual server. Although possible, it is recommended to create only one service type per virtual server. You can create the following services:

Barracuda NG Firewall Services

Depending on your model, some services may not be available. Consult the datasheet for your appliance for more information on which services are available for your model. Services available on the Barracuda NG Firewall:
DHCP Service
DHCP Relay
DNS
Firewall
FTP Gateway
HTTP Proxy
URL Filter
Mail Gateway
OSPF/RIP/BGP Service
SNMP Service (Server Layer)
SPAM Filter
SSH Proxy
Virus Scanner
VPN Service
Access Control Service

Barracuda NG Control Center Services

Services available on the Barracuda NG Control Center:
CC DNS
CC Firewall
CC Configuration Service
CC Event Service
CC Syslog Service
CC FW Audit Log Service
CC Reporter
CC Statistics Collector
CC VPN Service
CC Access Control Service
CC PKI Service

In this article:
Create a Service
Remove a Service
Enable or Disable a Service
Move a Service

Create a Service

Step 1. Add a Service to a Virtual Server

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services.
2. Right-click Assigned Services and select Create Service.
3. Enter a Service Name. The name must be unique and no longer than six characters. The service name cannot be changed later.
4. In the Software Module field, select the type of service that you are creating. You cannot change the service type after the service is created. The types of services that you can create depend on your license and system model. Verify the product type and appliance model in the Box Properties if services are missing.

Step 2. Service IPs and Type of Service

Assign the IP addresses the service listens on.
1. In the Service IPs section, enter the IP addresses for the service.
2. Select the IP addresses the service listens on from the Service Availability list.
All IPs – Some services (e.g., the firewall) automatically listen on all available Server IP addresses.
First + Second-IP – Listen on the first and second virtual server IP address.
First-IP – Listen on the first virtual server IP address.
Second-IP – Listen on the second virtual server IP address.
Explicit – Add the IP addresses you want to use to the Explicit Service IPs table. Explicit IP addresses must also be added to the Additional IP table in the Server Properties of the virtual server. For more information, see How to Configure Virtual Servers.
3. Click Next.

Step 3. Statistics (optional)

Enable statistics settings for the service.
By default, all settings are enabled for the service:
1. In the Statistics Settings section, set Generate Statistics to yes.
2. Edit the following settings according to your requirements:
Src Statistics – Generates IP source-based statistical data for the service. Only the number of connections from IP addresses is recorded. The times at which the connections were made are not recorded.
Src Time-Statistics – Generates IP source-based statistical data for the service. Both the number of connections made from IP addresses and the times at which the connections were made are recorded.
Dst Statistics – Generates IP destination-based statistical data for the service. Only the number of connections to IP addresses is recorded. The times at which the connections were made are not recorded.
Dst Time-Statistics – Generates IP destination-based statistical data for the service. Both the number of connections made to IP addresses and the times at which the connections were made are recorded.
Src-Dst Statistics – Generates IP source/destination pair-based statistical data for the service. Only the number of connections to and from IP addresses is recorded. The times at which the connections were made are not recorded.
3. Click Next.

Step 4. Access Notification (optional)

Configure which events are created for successful and unsuccessful logins. On standalone Barracuda NG Firewalls and on the box level of the NG Control Center, this setting can only be configured for all administrators. On the Barracuda NG Control Center, each type of administrator (Multi-Range > Global Settings > CC Access Notification) can be handled separately. Access notifications are only available for the DHCP Server, Firewall, VPN Service, and Mail Gateway services. The following events are used for login attempts:
The User Unknown event is generated when the admin ID is unknown to the underlying Barracuda Networks authentication module.
The Authentication Failure event type is used when the password or key does not match or the admin is not authorized to access the service (multi-admin environment, only in conjunction with a Barracuda NG Control Center).

To configure which events are created, complete the following steps:
1. In the Notification section, edit the following settings according to your requirements:
a. Success – Select the notification level for a successful login:
Silent – No event.
Notice – NGFW Subsystem Login Notice [2420].
Warning – NGFW Subsystem Login Warning [2421].
Alert – NGFW Subsystem Login Alert [2422].
b. Failure – Select the notification level for an unsuccessful login:
Silent – No event.
Notice – NGFW Subsystem Login Notice [2420].
Warning – NGFW Subsystem Login Warning [2421].
Alert – NGFW Subsystem Login Alert [2422].
2. Click Finish.
3. Click Activate to create the service. The service is now displayed as active on the CONTROL > Server page.

Remove a Service

Removing a service is permanent and cannot be undone.
1. Expand the Assigned Services node (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server).
2. Right-click the service you want to delete and click Lock.
3. Right-click the service you want to delete and click Remove Service. A verification popup opens.
4. Click Yes.
5. Click Activate.

Enable or Disable a Service

1. Go to the Service Properties node (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > your service).
2. Click Lock.
3. To disable the service, set Enable Service to No.
4. To enable the service, set Enable Service to Yes.
5. Click Send Changes and Activate.

Move a Service

You can move services between virtual servers.
If you are moving a service on a Barracuda NG Control Center, verify that the name of the service is unique in the cluster.
1. Expand the Assigned Services node (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server).
2. Right-click the service you want to move and click Lock.
3. Right-click the service you want to move and click Move Service. The Select Destination window opens.
4. Select the destination virtual server.
5. Enter the Name for the New Object.
6. Click OK.
7. Click Activate.

NG Firewall Services

Services are software modules running on the service layer of the Barracuda NG Firewall. Each service provides a piece of network functionality. Depending on which service you start, it might require additional services or be limited to one service per virtual server or NG Firewall. The following services are available on standalone and managed Barracuda NG Firewalls:

Access Control Service

The Barracuda NG Firewall Access Control service defines security policies for network users (e.g., VPN clients) and provides a range of features, such as registry checks and repairs on a client. Create access control objects with policy rulesets specifying required system and service settings to let the Barracuda NG Firewall perform identity and health checks on connecting clients and groups. For more information, see Access Control Service.

DHCP

The DHCP service automatically assigns IP addresses to clients in the same network. For clients requiring special DHCP options, combine the DHCP server with the DHCP Relay service to share a DHCP server across multiple network segments. For more information, see DHCP.

DNS

The Barracuda NG Firewall can act as an authoritative DNS server. The DNS service returns definitive answers to DNS queries for domain names and IP addresses.
Use split DNS to return different answers depending on the source IP of the DNS query. This allows you to redirect internal clients to an internal IP address of a server. For more information, see DNS.

Dynamic Routing Protocols

Dynamic Routing enables the NG Firewall to learn and select the optimal route to a destination IP address, detect changes to the network topology, and advertise these changes to neighboring routers. The Barracuda NG Firewall supports three Dynamic Routing protocols: OSPF, RIP (V1 and V2), and BGP. For more information, see Dynamic Routing Protocols (OSPF/RIP/BGP).

Forwarding Firewall

The Forwarding Firewall handles all traffic whose destination does not match a listening socket on the Barracuda NG Firewall, in other words, all traffic passing through the NG Firewall. The firewall service in the NG Firewall offers Application Detection 2.0, integrated Virus Scanning, URL Filtering, and an integrated Intrusion Prevention System. For more information, see Firewall.

FTP Gateway

The FTP Gateway service of the Barracuda NG Firewall acts as a proxy for an internal FTP server. Policies including authentication settings, permissions, and restrictions for server access and file handling are defined per gateway. You can also create user- and group-specific profiles. For more information, see FTP Gateway.

HTTP Proxy

The Barracuda NG Firewall HTTP Proxy service provides content filtering and caching, antivirus, malware protection, and access control. You can configure the HTTP Proxy in forward, reverse, and transparent mode. For more information, see HTTP Proxy.

Mail Gateway

The Mail Gateway service handles mail traffic according to delivery policies and scans incoming and outgoing mail for viruses and malware. The Mail Gateway also supports extended domains, POP3 scanning, and group patterns for recipient verification.
The Mail Gateway interface displays the mail queue, from where you can perform operations such as showing processes, log files, etc. For more information, see Mail Gateway.

SSH Proxy

The SSH Proxy service of the Barracuda NG Firewall allows regulating SSH connections. Based on OpenSSH, the SSH Proxy service provides DoS protection, public key support, and configurable SSH protocol support for accessing target systems. For more information, see SSH Proxy.

SIP Proxy

To correctly forward SIP traffic, the Barracuda NG Firewall includes a SIP Proxy service. This service acts as a (transparent) proxy for SIP and RTP connections. For more information, see SIP Proxy.

Spam Filtering

The Barracuda NG Firewall Spam Filter service identifies spam by using mechanisms such as text analysis, DNS blacklists, and collaborative filtering databases. The spam filter examines the mail header and body against a configured ruleset and a Bayesian filter. To improve the filter mechanisms, the mail filter also regularly collects and processes mail from configured training environments. For more information, see Spam Filter.

URL Filter

The Barracuda NG Firewall offers the choice between two different web filter engines: the Barracuda Web Filter (CFDEF) or the Barracuda NG Web Filter (IBM/ISS). Both engines can be used by the Barracuda NG Firewall HTTP Proxy service, but only the Barracuda Web Filter can be used in combination with Application Control 2.0. URLs are categorized according to content. For more information, see URL Filter.

Virus Scanner

The Virus Scanner service of the Barracuda NG Firewall provides virus protection, archive scanning, malware detection, and HTTP multimedia streaming. The Virus Scanner service can be configured to use the integrated Avira or ClamAV virus scanning engine. Using the Virus Scanner service requires a subscription that can be renewed annually.
For more information, see Virus Scanner.

VPN

The VPN service supports site-to-site, client-to-site, and SSL VPN connections. The Barracuda NG Firewall supports multiple encryption methods, traffic intelligence, and WAN optimization when using the TINA protocol. IPsec client-to-site connections also support authentication using pre-shared keys, which is used by iOS and Android clients. For more information, see VPN.

Wi-Fi

For administration of Wi-Fi networks, the Wi-Fi service provides configuration settings for the local access point. The service also supports user authentication in large networks via RADIUS and EAP. For more information, see Wi-Fi.

Access Control Service

The Barracuda NG Firewall Access Control service defines security policies for network users (e.g., VPN clients) and enables the Barracuda NG Firewall to perform identity and health checks on clients. The Access Control service of the Barracuda NG Firewall interacts with the Barracuda Network Access Client and needs to be set up together with it. For proper operation, all components of the Barracuda Network Access Client framework, the Access Control service on the Barracuda NG Firewall, and the client software require up-to-date virus and spam protection.

Access Control Service Trustzones

Access Control services within the same trustzone share the same set of security policies that are defined in access control objects. If you are using the Access Control service on a managed NG Firewall, the Barracuda NG Control Center provides Access Control Service Trustzones as global objects. Access Control Service Trustzones can be configured on a range, cluster, or virtual server basis. For more information, see Configuring Access Control Service Trustzones.
Access Control Objects

Access control objects are assigned to clients according to access control policies and enable administrators to perform certain actions such as registry checks and repairs on a client. Create access control objects with policy rulesets specifying required system and service settings to let the Barracuda NG Firewall perform identity and health checks on connecting clients and groups. Access control objects are accessible only to administrators with the appropriate administrative scope and permission. For more information, see Configuring Access Control Objects.

Configuring Access Control Objects

Access Control Policy rulesets can reference so-called Access Control Objects. Access Control Objects are attributes assigned to the client according to the policies configured in the Access Control Service Trustzone and work similarly to the objects available for Client-to-Site VPN in the Barracuda Network Access Client.

Welcome Messages

Welcome messages can be used to display customized messages to welcome users to the corporate network, inform them about security policies, or display administrator contact details. For each policy rule, a different Welcome Message can be displayed to individual groups of users. In addition, Welcome Messages can be used to display localized messages. Each message is assigned to a language. According to the client's language settings, the localized message is displayed. The client displays the English-language message as a fallback.

Pictures

Pictures assigned to clients are usually small bitmaps displaying the corporate logo. Sometimes they are also used to notify the users about special events. Assigned pictures are displayed in the client after successfully connecting to the Access Control service. Keep the size of your picture small because the picture is transferred to all clients.
Pictures larger than 167x90 pixels are automatically scaled down on the Barracuda NAC.

Personal Firewall Rules

Barracuda Personal Firewall rules are explained in detail on the Configuring Personal Firewall Rules on the Barracuda NG Control Center page.

Registry Check Objects

These objects enable administrators to define registry checks to be performed on the client. This allows registry keys and values to be validated, and an action to be taken in case of failed validation. Available actions are Repair, Notify, or Fail. In case of Fail, the Access Control service health validation fails if the specified registry keys are not set appropriately. Notify generates appropriate log messages on the Barracuda NG Firewall. Important registry changes (e.g., the introduction of a new registry key) are only done for local machine authentication. Thus, users need to log off or reboot the client to activate these changes. Registry values can also be verified and changed for user authentication. To import a registry file, click the Clipboard icon at the top right of the Registry Check Rules table, select Replace With Registry Import..., and import the respective file.

Access Control Objects provide a hierarchical override mechanism. Objects on cluster level that share the same name as global or range objects override the global definition(s). This mechanism works like the one for global firewall objects on the Barracuda NG Firewall.

Configuring Access Control Service Trustzones

Each Access Control Service belongs to a so-called trustzone.
To enforce security policies across multiple F-Series Firewalls, the Control Center provides Access Control Service Trustzones as global objects (see also Configuring Access Control Objects). This advanced feature allows all Access Control services within the same trustzone to share the same set of security policies. In addition, they share a signing key, so that a mutual trust relationship can be established.

In this article:
Rules
Identity Matching - Basic
Identity Matching - Advanced
Required Health State - Basic
Required Health State - Advanced
Health State
Policy Assignments
Settings
Support Chart

On stand-alone firewalls, the configuration of the trustzone is located at CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Access Control Service > Access Control Service Trustzones. The Control Center provides Access Control Service Trustzones either within the Global Settings, the Range Settings, or the Cluster Settings. The predefined Access Control Service Trustzones can be referenced by navigating to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Access Control Service > Access Control Service Settings > System Health-Validator > Trustzone. The NextGen Control Center automatically links the trustzone to the appropriate global / range / cluster object.

Each trustzone contains three policy rulesets. The local machine policy ruleset is used to determine a policy for a connecting machine if no user is currently logged in. As soon as user authentication is requested by the connecting client, the current user policy ruleset is used for policy matching. User authentication can be skipped by setting Access Control Service Settings > User Authentication > User Authentication Required to No.
In addition, local machine rulesets allow user authentication to be skipped for a specific policy rule (Policy Assignments > Exception > User Authentication Required). Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 262 If the connection attempt is mediated by an intermittent VPN service, the VPN policy ruleset is adopted. Create an Access Control Server service within CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Access Control Service. Click Access Control Service Trustzone to open the configuration dialogue. Rules The main window of an Access Control Service Trustzone is split up into a navigation bar on the left and policy rulesets on the right (if some are already defined). Identity Matching - Basic The first step when processing a policy ruleset (either local machine, current user, or VPN) is to determine the client's identity. Depending on the value of Basic Matching > Policy Matching, either all or one of the specified criteria must match to determine the client's identity. If the identity match fails, the next rule is considered. Access Control Service Trustzone > Rules > Identity Matching Basic > Basic Identity Matching Policy Name The name of the policy. This name is visible in the log file and in the access cache. Deactivate Policy Disables the configured policy. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page Client Connection 263 External Ignore Internal External effects that this policy rule is ignored for internal connection (connections to an IP address not defined in External IPs) Internal effects that this policy rule is ignored for external connections (connection to an IP address defined in External IPs). Ignore means that the policy rule is ignored neither for internal nor external connections. Time Restriction Each policy rule can be assigned with a date and time restriction. 
The date restriction consists of a Start Date and an End Date; outside that period the policy rule is ignored. The time restriction is a weekly schedule with a granularity of one hour. By default a rule is allowed at all times, that is, all check boxes in the Time Interval window are cleared. Selecting a check box denies the rule for that hour. Use the respective icons to configure allowed and disallowed time intervals simultaneously, to clear selected check boxes, or to configure disallowed time intervals.
Continue if mismatch | Block if mismatch: Select Continue if mismatch to proceed with the health evaluation in the next rule of the policy ruleset (default). Select Block if mismatch to stop the health evaluation and set the client to "unhealthy" immediately.

Access Control Service Trustzone > Rules > Identity Matching Basic > Basic Matching
Policy Matching (All-of-following | One-of-following): Set this to All-of-following if all non-empty identity matching parameters (basic and advanced) must match for a successful identity verification. If just one field does not match, the identity is not verified within this policy rule and the health match process proceeds with the next policy rule in the ruleset. Set this to One-of-following to let the identity verification succeed if just one field matches. Empty fields are ignored in both cases. String comparison is case insensitive. For a group pattern to match, at least one user group must match at least one defined group pattern.
Group Patterns: At least one user group must match at least one of these patterns for successful identity verification. Make sure you use the correct syntax for the group patterns. For example, MSAD groups must be entered as follows: CN=group-*, OU=my-unit,DC=mycompany,DC=at
NetBIOS Domain: A NetBIOS domain to match only users belonging to a specific domain. This is only available for the Current User and VPN rulesets.
User [Login Name]: Username patterns consist of the login name (without the leading DOMAIN\).
Networks: The user's peer address must be part of at least one of these networks.
Allowed OS Versions (Name, OS Versions, Service Pack Major Number, Service Pack Minor Number, Minimum Build Number, Policy on OS): Allowed or explicitly denied client OS versions. OS Versions must be one of the listed Microsoft Windows versions. Service Pack Major Number and Service Pack Minor Number are the service pack numbers of the client OS. Minimum Build Number is the OS build number and is checked only if Policy on OS is set to This-One-Or-Newer. Possible values for Policy on OS are:
Exact-This-One: The client OS must match OS Versions, Service Pack Major Number, and Service Pack Minor Number.
Explicit-Deny: If the client OS matches OS Versions, Service Pack Major Number, and Service Pack Minor Number, the current policy rule is ignored for the current match, and health evaluation proceeds with the next policy rule in the policy ruleset.
This-One-Or-Newer: The client OS must be identical to OS Versions. The client's Service Pack Major Number and Service Pack Minor Number must be equal to or greater than those defined here, and the build number must be at least Minimum Build Number.
Hostnames: Enter hostnames here. Patterns may be used.

Identity Matching - Advanced
Access Control Service Trustzone > Rules > Identity Matching Advanced > Advanced Identity Matching
MAC Addresses: Patterns may be used.
Microsoft Machine SIDs: A SID is a globally unique machine identifier generated by Microsoft operating systems. It is shown in the Access Control Server's access cache. Patterns may be used.
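The identity matching semantics described above (All-of-following versus One-of-following, empty fields ignored, case-insensitive wildcard patterns, peer-network membership and the three Policy on OS variants) are easy to get subtly wrong, in particular the Explicit-Deny case, which vetoes a rule rather than contributing a criterion. The following is an added example written for this page, not Barracuda code: it models one policy rule as data and evaluates a constructed client against it. All class, field and criterion names, the sample client and the sample rules are assumptions; the same wildcard matching is used for the certificate conditions that follow.

```python
"""Identity matching for one Access Control Service policy rule.

Added example, not code from Barracuda or the guide. It models the
Basic/Advanced Identity Matching semantics: All-of-following vs
One-of-following, empty fields ignored, case-insensitive wildcard
patterns, peer-network membership and Policy on OS. Names and data
shapes are assumptions made for the illustration.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class ClientIdentity:
    attrs: dict        # login, netbios_domain, hostname, mac, machine_sid -> str; groups -> list
    peer_ip: str
    os_name: str       # e.g. "Windows 7"
    sp: tuple          # (Service Pack Major Number, Service Pack Minor Number)
    build: int


@dataclass
class IdentityRule:
    policy_matching: str = "All-of-following"       # or "One-of-following"
    patterns: dict = field(default_factory=dict)    # criterion name -> wildcard patterns
    networks: list = field(default_factory=list)    # CIDR strings
    os_name: str = ""                               # Allowed OS Versions entry; "" = unset
    os_sp: tuple = (0, 0)
    os_min_build: int = 0
    policy_on_os: str = ""   # Exact-This-One | Explicit-Deny | This-One-Or-Newer


def any_pattern(values, patterns):
    """True if at least one value matches at least one pattern; case-insensitive."""
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def os_criterion(rule, c):
    """Allowed OS Versions result: True/False, or None when the entry is ignored."""
    same_os = c.os_name.lower() == rule.os_name.lower()
    if rule.policy_on_os == "Exact-This-One":
        return same_os and c.sp == rule.os_sp
    if rule.policy_on_os == "This-One-Or-Newer":
        return same_os and c.sp >= rule.os_sp and c.build >= rule.os_min_build
    return None            # "" (not configured) or Explicit-Deny (handled by the caller)


def identity_matches(rule, c):
    """Verify the client's identity against the rule's non-empty criteria."""
    # Explicit-Deny: a client on exactly this OS/service pack skips the whole rule
    if rule.policy_on_os == "Explicit-Deny" and \
            c.os_name.lower() == rule.os_name.lower() and c.sp == rule.os_sp:
        return False
    results = []                                    # one entry per configured criterion
    for name, pats in rule.patterns.items():
        if pats:                                    # empty fields are ignored
            value = c.attrs.get(name, [])
            results.append(any_pattern(value if isinstance(value, list) else [value], pats))
    if rule.networks:
        ip = ipaddress.ip_address(c.peer_ip)
        results.append(any(ip in ipaddress.ip_network(n, strict=False) for n in rule.networks))
    os_result = os_criterion(rule, c)
    if os_result is not None:
        results.append(os_result)
    if not results:
        return True                                 # assumption: no criteria = matches everyone
    if rule.policy_matching == "All-of-following":
        return all(results)
    if rule.policy_matching == "One-of-following":
        return any(results)
    raise ValueError(f"unknown Policy Matching value: {rule.policy_matching}")


# Constructed sample client and rules (not taken from the guide).
WORKSTATION = ClientIdentity(
    attrs={"login": "jdoe", "netbios_domain": "MYCOMPANY", "hostname": "ws-0042",
           "mac": "00:11:22:33:44:55", "machine_sid": "S-1-5-21-1111-2222-3333",
           "groups": ["CN=group-admins, OU=my-unit,DC=mycompany,DC=at",
                      "CN=Domain Users,CN=Users,DC=mycompany,DC=at"]},
    peer_ip="10.0.10.25", os_name="Windows 7", sp=(1, 0), build=7601)

LAN_ADMINS = IdentityRule(
    patterns={"groups": ["CN=group-*, OU=my-unit,DC=mycompany,DC=at"], "hostname": ["ws-*"],
              "netbios_domain": ["mycompany"], "login": []},
    networks=["10.0.10.0/24"],
    os_name="Windows 7", os_sp=(1, 0), os_min_build=7600, policy_on_os="This-One-Or-Newer")

DENY_WIN7_SP1 = IdentityRule(patterns={"groups": ["CN=group-*, OU=my-unit,DC=mycompany,DC=at"]},
                             os_name="Windows 7", os_sp=(1, 0), policy_on_os="Explicit-Deny")


def demo():
    """Outcomes for the constructed data; the keys name what each case shows."""
    off_net = replace(WORKSTATION, peer_ip="10.0.20.25")
    return {
        "all_of": identity_matches(LAN_ADMINS, WORKSTATION),
        "all_of_off_net": identity_matches(LAN_ADMINS, off_net),
        "one_of_off_net": identity_matches(replace(LAN_ADMINS, policy_matching="One-of-following"), off_net),
        "explicit_deny_hit": identity_matches(DENY_WIN7_SP1, WORKSTATION),
        "explicit_deny_miss": identity_matches(DENY_WIN7_SP1, replace(WORKSTATION, sp=(2, 0))),
        "empty_rule": identity_matches(IdentityRule(), WORKSTATION),
    }
```

Note how the off-network client fails the All-of-following rule but passes its One-of-following variant on the group match alone, and how a client on exactly Windows 7 SP1 never matches the Explicit-Deny rule while a client on SP2 falls through to the remaining criteria. When writing group patterns, match against the full distinguished name in the form the client reports it, as in the MSAD example above.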
Access Control Service Trustzone > Rules > Identity Matching Advanced > Certificate Conditions
x509 Subject: The X.509 subject of the client's authentication certificate must match at least one of these patterns. For example: CN=name-*, O=my-company.
x509 Issuer: The subject of the issuer of the client's certificate must match at least one of these patterns. For example: CN=name-*, O=my-company.
x509 Altnames: The subject alternative name of the client's authentication certificate must match at least one of these patterns. For example: IP:10.0.10.*. The subject alternative name must be prefixed with its type (for example, email: or IP:).
Certificate authentication (all three conditions) is only possible for local machine and basic user authentication.

Required Health State - Basic
After successful verification of the client's identity, this configuration entity determines the client's health state. Some of the parameters provide the following options:
Not required: The result of the health evaluation does not depend on this parameter.
Required: If a Required parameter does not match, the user is notified and manual action is required. In addition, the client's health state changes to Probation.
Required <Auto-Remediation>: Also notifies the client, but tries to execute the necessary actions automatically to fulfill the health requirements. During this period, the client's health state changes to Probation. For third-party products (e.g., a Virus Scanner), Auto-Remediation may not work with all available engine versions. As a fallback, the client always requests manual action.
Access Control Service Trustzone > Rules > Required Health State Basic > Service Settings
Personal Firewall On (Required | Required <Auto-Remediation> | Not Required (default)): Set to Required if a client must have the Personal Firewall up and running to be healthy. If the client does not meet this requirement, the user is advised to turn on the firewall.
Antivirus Scanner On (Required | Required <Auto-Remediation> | Not Required (default)): Set to Required if a client must have the Virus Scanner up and running to be healthy. If the client does not meet this requirement, the user is advised to turn on the Virus Scanner. The Required option only takes effect as long as the Antivirus check box is activated (see the figure above).
Antispyware Scanner On (Required | Required <Auto-Remediation> | Not Required (default)): Set to Required if a client must have the Spyware Scanner up and running to be healthy. If the client does not meet this requirement, the user is advised to turn on the Spyware Scanner. The Required option only takes effect as long as the Antispyware check box is activated (see the figure above).

Access Control Service Trustzone > Rules > Required Health State Basic > Miscellaneous
Continue Match (STOP on Health Mismatch (default) | Continue on Health Mismatch): Set this to Continue on Health Mismatch if health validation should continue with the next policy rule in the policy ruleset when the health evaluation of the current rule found the client not healthy. Set this to STOP on Health Mismatch if health validation should not continue with the next policy rule when the client is not healthy. In this case, the policy attributes of the current rule are assigned to the client and the client is advised to heal itself.
Registry Check Rules: Select a registry check object. To be healthy, the client's registry entries must match those of the selected registry check object.
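How the Service Settings and Miscellaneous parameters above interact with the Antivirus parameters that follow (AV Engine Required, AV Patterns Not Older Than, the engine/pattern action) decides which rule's attributes a client ends up with. The following is an added example written for this page, not Barracuda code: it walks a policy ruleset in order, evaluates the health checks of each rule whose identity matched, honours Continue Match, and falls back to the No Rule Exception when nothing decides. It also implements the guide's exception for a vendor whose newest released pattern is itself older than the configured limit. The support chart content, the sample client, the age table and all names are constructed assumptions; identity matching is taken as a precomputed flag per rule.

```python
"""Health evaluation across a policy ruleset (Required Health State).

Added example, not code from Barracuda or the guide. Models Required /
Required <Auto-Remediation> / Not Required, Continue Match, AV Engine
Required (Latest / Previous / Last-2 against the engine versions known
for the vendor) and AV Patterns Not Older Than with its exception for a
vendor whose newest pattern is already older than the limit. The chart
data, client data and all names are constructed assumptions.
"""
from dataclasses import dataclass, field, replace

REQUIRED, AUTO, NOT_REQUIRED = "Required", "Required <Auto-Remediation>", "Not Required"
STOP, CONTINUE = "STOP on Health Mismatch", "Continue on Health Mismatch"
AGE_LIMIT_HOURS = {"Ignore": None, "6-Hours": 6, "24-Hours": 24, "1-Week": 168, "1-Month": 720}
ENGINE_DEPTH = {"Ignore": 0, "Latest": 1, "Previous": 2, "Last-2": 3}   # accepted versions


@dataclass
class ClientState:
    firewall_on: bool
    av_on: bool
    av_vendor: str
    av_engine: str
    av_pattern_age_h: float      # hours since the installed pattern set was released


@dataclass
class SupportChart:
    engines: dict                # vendor -> engine versions, newest first
    newest_pattern_age_h: dict   # vendor -> age of the newest pattern the vendor released


@dataclass
class HealthRule:
    name: str
    identity_matches: bool              # result of identity matching for this client
    firewall_on: str = NOT_REQUIRED     # Personal Firewall On
    av_on: str = NOT_REQUIRED           # Antivirus Scanner On
    antivirus_checks: bool = False      # the Antivirus check box
    av_engine_required: str = "Latest"
    av_patterns_not_older_than: str = "24-Hours"
    av_action: str = "Manual"           # AV Engine/Pattern Action: Manual | Auto Remediation
    allowed_vendors: list = field(default_factory=list)   # empty = every vendor in scope
    continue_match: str = STOP


def check_health(rule, client, chart):
    """Return (healthy, manual_advice, auto_remediation) for one rule."""
    manual, auto = [], []

    def fail(setting, advice):
        (auto if setting == AUTO else manual).append(advice)

    if rule.firewall_on != NOT_REQUIRED and not client.firewall_on:
        fail(rule.firewall_on, "turn on the Personal Firewall")
    if rule.av_on != NOT_REQUIRED and not client.av_on:
        fail(rule.av_on, "turn on the Virus Scanner")
    in_scope = not rule.allowed_vendors or client.av_vendor in rule.allowed_vendors
    if rule.antivirus_checks and in_scope:
        action = AUTO if rule.av_action == "Auto Remediation" else REQUIRED
        depth = ENGINE_DEPTH[rule.av_engine_required]
        if depth and client.av_engine not in chart.engines.get(client.av_vendor, [])[:depth]:
            fail(action, "update the Virus Scanner engine")
        limit = AGE_LIMIT_HOURS[rule.av_patterns_not_older_than]
        newest = chart.newest_pattern_age_h.get(client.av_vendor, 0.0)
        # Exception from the guide: if even the vendor's newest pattern is older
        # than the limit, the client cannot comply, so the check is skipped.
        if limit is not None and newest <= limit and client.av_pattern_age_h > limit:
            fail(action, "update the Virus Scanner patterns")
    return (not manual and not auto), manual, auto


def evaluate_ruleset(rules, client, chart):
    """First rule whose identity matches decides, unless it is unhealthy and set to
    Continue on Health Mismatch; with no decision the client is untrusted and gets
    the No Rule Exception attributes."""
    for rule in rules:
        if not rule.identity_matches:
            continue
        healthy, manual, auto = check_health(rule, client, chart)
        if healthy:
            return rule.name, "healthy", []
        if rule.continue_match == STOP:
            return rule.name, "probation", manual + auto   # rule's attributes apply, client heals
    return "No Rule Exception", "untrusted", []


# Constructed sample data (not from the guide's support chart).
CHART = SupportChart(engines={"AcmeAV": ["9.2", "9.1", "9.0"], "StaleAV": ["3.0"]},
                     newest_pattern_age_h={"AcmeAV": 2.0, "StaleAV": 40.0})
LAPTOP = ClientState(True, True, "AcmeAV", "9.1", 30.0)
STRICT = HealthRule("strict", True, REQUIRED, REQUIRED, True, "Latest", "24-Hours",
                    continue_match=CONTINUE)
LENIENT = HealthRule("lenient", True, av_on=REQUIRED, antivirus_checks=True,
                     av_engine_required="Previous", av_patterns_not_older_than="Ignore")


def demo():
    """Outcomes for the constructed data; the keys name what each case shows."""
    stale = ClientState(True, True, "StaleAV", "3.0", 40.0)
    return {
        "continue_then_lenient": evaluate_ruleset([STRICT, LENIENT], LAPTOP, CHART),
        "stop": evaluate_ruleset([replace(STRICT, continue_match=STOP)], LAPTOP, CHART),
        "auto": check_health(replace(STRICT, av_action="Auto Remediation"), LAPTOP, CHART),
        "no_identity": evaluate_ruleset([replace(LENIENT, identity_matches=False)], LAPTOP, CHART),
        "stale_vendor": evaluate_ruleset([STRICT], stale, CHART),
    }
```

The laptop with engine 9.1 and 30-hour-old patterns fails the strict rule, which continues to the lenient rule and ends healthy; the same strict rule set to STOP leaves it in probation with two pieces of advice. The StaleAV client is healthy under the strict rule although its patterns are 40 hours old, because its vendor has released nothing newer. Whether advice is delivered as a manual request or as an auto-remediation attempt depends only on the action setting, not on the outcome.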
Access Control Service Trustzone > Rules > Required Health State Basic
Antivirus: Enable or disable the Antivirus settings parameters. For the parameter description, see the next list. Default: not selected.
Antispyware: Enable or disable the Antispyware settings parameters. For the parameter description, see the next list. Default: not selected.

Access Control Service Trustzone > Rules > Required Health State Basic > Antivirus
AV Real Time Protection Required (Required | Required <Auto-Remediation> | Not Required (default)): Set to Required if a client must have the real-time protection of the Virus Scanner enabled to be healthy. If the client does not meet this requirement, it is advised to turn on the real-time protection of the Virus Scanner.
Last AV Scan Not Older Than (Ignore | 6-Hours up to 1-Month | 24-Hours (default)): Set to a value other than Ignore to require that the client's last full virus scan is not older than <value> for the client to be healthy. If the client does not meet this requirement, it is advised to perform a full virus scan.
Last AV Scan Action (Manual | Auto Remediation): Depending on this parameter, either the user is informed to perform a full virus scan manually, or the client tries to execute a full system scan automatically.
AV Engine Required (Ignore | Latest (default) | Previous | Last-2): Set to Ignore if the client's Virus Scanner version should not be checked. Set to Latest if the client must not have an older version of the Virus Scanner to be healthy. Set to Previous if the latest and the previous version of the Virus Scanner are accepted. Set to Last-2 if the latest, the previous, and the second-to-last Virus Scanner versions are accepted. If the client does not meet the chosen requirement, it is advised to perform a Virus Scanner engine update.
AV Patterns Not Older Than (h) (Ignore | 6-Hours up to 1-Month | 24-Hours (default)): Set this to a value other than Ignore to require the Virus Scanner patterns to be not older than <value> for the client to be healthy. This check is ignored if the latest Virus Scanner pattern released by the vendor is itself older than <value>: for example, if this option is set to 6-Hours but the latest pattern was released 8 hours ago, the client is not set to the unhealthy state because of this option. Release cycles of Virus Scanner patterns depend on the Virus Scanner vendor.
AV Engine/Pattern Action (Manual | Auto Remediation): Depending on this parameter, either the user is informed to update the AV system manually, or the client tries to trigger AV updates automatically.
Allowed Vendors: Choose one or more entries from this list of Virus Scanner vendors to enforce a specific Virus Scanner product on the client. Virus Scanner products not listed here are ignored in the health validation process, which makes this option useful for excluding certain Virus Scanner products from health validation. The list of available Virus Scanner vendors is created dynamically.

Access Control Service Trustzone > Rules > Required Health State Basic > Antispyware
AS Real Time Protection Required (Required | Required <Auto-Remediation> | Not Required (default)): Set to Required if a client must have the real-time protection of the Spyware Scanner enabled to be healthy. If the client does not meet this requirement, it is advised to turn on the real-time protection of the Spyware Scanner.
Last AS Scan Action (Manual | Auto Remediation): Depending on this parameter, either the user is informed to perform a full spyware scan manually, or the client tries to execute a full system scan automatically.
Last AS Scan Not Older Than (Ignore | 6-Hours up to 1-Month | 24-Hours (default)): Set to a value other than Ignore to require that the client's last full spyware scan is not older than <value> for the client to be healthy. If the client does not meet this requirement, it is advised to perform a full spyware scan.
AS Engine Required (Ignore | Latest (default) | Previous | Last-2): Set to Ignore if the client's anti-spyware engine version should not be checked. Set to Latest if the client must not have an older version of the Spyware Scanner engine to be healthy. Set to Previous if the latest and the previous version of the Spyware Scanner engine are accepted. Set to Last-2 if the latest, the previous, and the second-to-last Spyware Scanner engine versions are accepted. If the client does not meet the chosen requirement, it is advised to perform a Spyware Scanner engine update.
AS Pattern Definitions Required (Ignore | Latest (default) | Previous | Last-2): Set to Ignore if the client's spyware pattern definitions should not be verified. Be aware that, in this case, the client may be healthy without having any spyware patterns installed. Set to Latest if the client's spyware patterns must be up to date. Set to Previous if the client's spyware patterns must be either up to date or of the previous version. Set to Last-2 if the client's spyware patterns must be up to date or of the previous or the second-to-last version. If the client does not meet the chosen requirement, it is advised to perform a spyware patterns update.
AS Patterns Not Older Than (h) (Ignore | 6-Hours up to 1-Month | 24-Hours (default)): Set this to a value other than Ignore to require the spyware patterns to be not older than <value> for the client to be healthy. This check is ignored if the latest spyware pattern released by the vendor is itself older than <value>: for instance, if the value is set to 6-Hours but the latest spyware pattern was released 8 hours ago, the client is not set to the unhealthy state because of this setting. Release cycles of spyware patterns depend on the Spyware Scanner product vendor.
AV Engine/Pattern Action (Manual | Auto Remediation): Depending on this setting, either the user is informed to update the Spyware Scanner manually, or the client tries to trigger such an update automatically.
Allowed Vendors: Choose one or more entries from the list of Spyware Scanner vendors to enforce specific Spyware Scanner vendor products on the client. Spyware Scanner products not listed here are ignored during the health validation process, which makes this setting useful for excluding certain Spyware Scanner products from health validation. The list of available Spyware Scanner vendors is created dynamically.

Required Health State > Advanced Health State
Select New from the context menu to create a new entry. The configuration dialog provides the following entries:

Access Control Service Trustzone > Rules > Required Health State > Advanced > Allowed Health Suite Versions
Name: Specify a name.
Major Release: The client's health suite major release version number must match Major Release.
Minor Release: The client's health suite minor release version number must match Minor Release.
Service Pack Number: The Service Pack Number must match the service pack number of the client's health suite.
Policy on OS (Exact-This-One | Explicit-Deny | This-One-Or-Newer): Exact-This-One: the client's health suite version must match all three number values. Explicit-Deny: if the client's health suite version matches all three number values, the health state is set to a value other than healthy and the client is advised to update the health suite. This-One-Or-Newer: the client's health suite major version must equal Major Release; the minor release version number and the service pack number must be equal to or greater than those defined here.
Health suite updates are always performed within the same major release version number. For instance, a client's health suite version 4.0.2 can be updated to 4.1.0 but not to 5.0.0.

It is also possible to validate the Microsoft hotfixes currently installed on the client computer:
1. Right-click the Required Security Updates field.
2. Click New..., then enter the ID of the Microsoft hotfix. For example: KB936929.

Policy Assignments
Access Control Service Trustzone > Rules > Policy Assignments > Attributes
Personal Firewall Settings > Ruleset Name: Select one of the created Personal Firewall Rule objects. If the client does not already have this ruleset installed, the health state is set to a value other than healthy and the client is advised to update the personal firewall ruleset from the remediation server.
Message of the Day: Select one of the created Welcome Message objects. If the client does not already have this message, it is advised to get the message from the remediation server.
Limit Access (Ruleset Name, Message, Client Emerg. Quarantine Time (s)): Configure the quarantine ruleset. Assignment of Limited Access rulesets and messages is only available for the Local Machine ruleset. The quarantine ruleset (Limited Access) is stored on the local machine.
This means that the quarantine ruleset can only be updated when the current user logs off or the client is rebooted. If a client changes its state to unhealthy, the local machine quarantine ruleset is activated.

Access Control Service Trustzone > Rules > Policy Assignments > Exceptions
Software Update Required (Yes | No (default) | Yes-Even-Major): Change this to Yes for the client to perform software updates automatically if a new minor software version is available on the CC. Yes-Even-Major causes the client to also perform major version updates.
User Authentication Required (Yes | No | Like Service Settings (default)): Only available for the local machine ruleset. If this is set to No, user authentication is not performed even if a user logs in.

Access Control Service Trustzone > Rules > Policy Assignments > Radius Attributes
Healthy Attribute Assignments: RADIUS attribute assignments passed to a RADIUS server as key-and-value pairs if the client meets the health requirements.
Unhealthy Attribute Assignments: RADIUS attribute assignments passed to a RADIUS server as key-and-value pairs if the client does not meet the health requirements.

Settings
If no policy rule matched the client's identity, or rules matched but the client failed their health checks and those rules had Continue Match set to Continue on Health Mismatch, the client's state is untrusted and it is assigned the No Rule Exception attributes.

Access Control Service Trustzone > Settings > Identity
Health Passport Signing Key: The RSA key for digital passport signing. The Health Validator returns a digital passport to the client as the result of the health validation. The passport contains all information required by the remediation server. To ensure authenticity, the passport is digitally signed. Since all Access Control services of the same trustzone share the same credentials, the remediation server instances can verify whether a passport was issued by a health validator of the same trustzone.
Health Passport Verification Key: The RSA public key for verifying a digital passport signature. If one Access Control Server instance acts exclusively as a remediation server, it does not need the Health Passport Signing Key; the Health Passport Verification Key must be set, however.
Client Shutdown Passphrase: If a passphrase is set here, the Access Control service locks the Advanced Settings locally on the clients unless the local user enters the correct passphrase. In addition, the client can only be terminated on the workstation after the passphrase has been entered. The default setting <not-required> disables these restrictions and lets the local user administer and terminate the client.

Access Control Service Trustzone > Settings > No Rule Exception
Bitmap: Select one of the Picture objects. The client is then advised to get the bitmap from the remediation server.
Limited Access Ruleset Name, Limited Access Message: For more information on these two parameters, see Limit Access in the Access Control Service Trustzone > Rules > Policy Assignments > Attributes list.

Access Control Service Trustzone > Settings > Limited Access Defaults
Client Emergency Quarantine Time (s): If the Access Control Server is no longer reachable for the client, the client automatically switches to the Unhealthy restricted state after this time. Entering a value of 0 disables this. For more information, see Limit Access in the Access Control Service Trustzone > Rules > Policy Assignments > Attributes list. If no Access Control Server IP address is available, this parameter has no effect.
For more information, see The Barracuda Access Monitor, Access Control Server IPs from Registry, and Access Control Server IPs from DHCP.
Quarantine Ruleset Name: Select one of the Personal Firewall Rules objects. The client is advised to get the ruleset from the remediation server.
Quarantine Message: Select one of the Welcome Messages objects. The client is advised to get the message from the remediation server.
Health Validation Mode (Moderate | Offensive): Moderate: health checks are executed after connection establishment. Offensive: health checks are executed during connection establishment. The Health Validation Mode parameter can also be configured on the client via the registry: Path .DEFAULT\Software\Phion\phionha\settings\, Key SpeedVPNValidation, Value Moderate or Offensive. The Client Emergency Quarantine Time (s) parameter can also be configured on the client via the registry: Path .DEFAULT\Software\Phion\phionha\settings\, Key QuarantineCountDown, Value in milliseconds [Default: 3600000 (= 1 hour)].

Access Control Service Trustzone > Settings > Radius Attribute Assignments
With this feature, additional attributes can be sent to the switch depending on the client's health state. VLAN change attributes are already hardcoded.
Healthy, Unhealthy: For a description of these two parameters, see the Access Control Service Trustzone > Rules > Policy Assignments > Radius Attributes list.

Support Chart
This view provides information about the supported Virus Scanner and Spyware Scanner vendors and versions. The Support Chart is automatically downloaded from the Barracuda Networks update service and distributed to Barracuda NextGen Admin on connecting, so it reflects the current capabilities of the Access Control service. The following restrictions apply on Microsoft Windows Vista and Windows 7 64-bit:
The supported features listed in the support chart may differ from the actions actually executed. For example, for automatic updating of Windows Defender 1.x the chart states Implemented although it may not work on the 64-bit client. The reason is that the released version of the 64-bit client contains a 32-bit compatible COM+ server for the integrated OPSWAT modules (health check); this component is not yet implemented as native 64-bit. This leads to the following restrictions on the auto-remediation features of the health agent system: enabling and disabling of Virus and Spyware Scanner functionality cannot be done automatically for some vendors (see support charts), and auto-remediation for Virus Scanner and Spyware Scanner engine and pattern updates is disabled in the 64-bit client.

DHCP
DHCP Service: The DHCP service automatically assigns IP addresses to clients that reside in a defined subnet. In the DHCP server configuration, you can define address pools and explicitly map MAC addresses to reserved IP addresses. You can also define additional parameters that are passed to the client when it requests an IP address. For configuration instructions, see How to Configure the DHCP Service and Advanced DHCP Settings.
DHCP Relay: The DHCP Relay service forwards DHCP broadcast messages to other network segments. DHCP relaying lets you share a single DHCP server across logical network segments that are separated by a firewall. For more information, see How to Configure the DHCP Relay Agent.

How to Configure the DHCP Service
Configure the DHCP service and specify a network range from which the clients' IP addresses are assigned.
In the advanced settings for DHCP, you can configure additional service availability settings and set up HA synchronization.

In this article: Before You Begin; Configure the DHCP Service; Check the DHCP Server Status; Configure Advanced DHCP Settings

Before You Begin
Add a Virtual Server IP for each subnet you want to use for the DHCP server. For more information, see Virtual Servers and Services.

Configure the DHCP Service
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. Click Lock.
3. In the left menu, select Operational Setup IPv4 or IPv6.
4. In the Address Pool Configuration window, enable DHCP.
5. Click + to add an entry to the Subnets table.
6. Enter a descriptive name for the subnet and click OK. The Subnets configuration window opens.
7. From the Used Subnet list, select one of the available IPv4 subnets, or select explicit and enter the IP address in the Network Address field. When using IPv6, select any (stateless dhcp) to use DHCPv6 to extend IPv6 with DHCP capabilities (assigning a domain name or DNS servers).
8. In the DHCP Server Identifier field, enter the name of the server. This name is provided to the client.
9. Click + to add a new entry to the Pool Ranges table.
10. Specify the following for each range: IP Begin, the first IP address in the network range (e.g. 10.10.10.20), and IP End, the last IP address in the network range (e.g. 10.10.10.40).
11. Click OK.
12. (optional) Add MAC to IP address mappings to the Reservations table: a. Enter the Reserved IP for the client. b. Enter the MAC Address of the client.
13. Click OK.
14. In the Router table, add the default gateway IP address (e.g. 10.10.10.100).
15. In the DNS Servers table, add the DNS server IP address (e.g. 10.10.10.100).
16. Enter the Domain Name if the client range is part of a domain.
17. Enter the NIS Domain Name and specify the details required for all servers that should be assigned.
18. In the Static Route Net table, click + to add static routes that the client should install in its routing cache. If there are multiple routes to the same destination, list them in descending order of priority. a. In the Static Route Net field, enter the destination IP address. b. In the Static Route GW field, enter the IP address of the router. c. Click OK.
19. Enter the TFTP Server Name if the 'sname' field in the DHCP header has been used for DHCP options.
20. Enter the TFTP Server IP Address for Cisco CallManager devices. In this field, you can enter a comma-delimited list of addresses.
21. Enter the Boot File Name if the 'file' field in the DHCP header has been used for DHCP options.
22. If you set the Barracuda Network Access Clients Policy of an address pool to Barracuda Network Access Clients or guests, add the required information to the Access Control Service IPs/Names table so that clients receive valid policy server information. You can add vendor IDs, policy server IP addresses, or DNS-resolvable policy server names. If the Barracuda Network Access Clients Policy field is set to none, the Access Control Service IPs/Names table is ignored.
23. For information on dynamic DNS configuration, refer to How to Configure DHCP with Dynamic DNS.
24. For information on lease configuration, refer to How to Configure DHCP Parameter Templates.
25. Click OK.
26. Click Send Changes and Activate.

Check the DHCP Server Status
Click the DHCP tab to check the real-time status of the configured DHCP server.

Configure Advanced DHCP Settings
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. From the left Configuration Mode menu, select Switch to Advanced View.
3. Click Lock.
4. In the left pane, select Operational Setup IPv4 or IPv6.
5. In the Address Pool Configuration window, enable DHCP.
6. Enable Use Advanced Pool Configuration. This disables the Subnets section and allows configuration of address pools.
7. In the DHCP Server Identifier field, enter the name of the server. This name is provided to the client.
8. Enable Server Is Authoritative. When the DHCP server receives a DHCPREQUEST message from a client requesting a specific IP address, the DHCP protocol requires the server to determine whether the address is valid for the network the client is attached to; if it is not, the server should respond with a DHCPNAK message, forcing the client to acquire a new address. To make this determination for a network segment, the server must have complete configuration information for that segment. Because it is not safe to assume that DHCP servers are configured with complete information, the server normally assumes it is not sufficiently authoritative to send DHCPNAK messages; this setting declares that it is.
9. Select the UDP Listen Port on which the DHCP server listens for DHCP requests. By default, the server listens on port 67.
10. For an HA setup, edit the settings in the HA Synchronization Setup section to synchronize the DHCP database between both units: a. Enable HA Synchronization. b. Specify the HA synchronization interval if required (default: 300 seconds).
11. Click Send Changes and Activate.

Advanced DHCP Settings
In the advanced DHCP service settings, you can configure address pools, specify additional service availability settings, and set up HA synchronization behavior.
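Before moving on to the advanced settings, it is worth checking the basic pool definition from the Configure the DHCP Service procedure above for the mistakes that only show up after activation: a pool range that runs into the broadcast address, two ranges that overlap, a reservation that sits inside a dynamic range, or a router that is not on the subnet. The following is an added example written for this page, not Barracuda code: it takes the guide's values (subnet 10.10.10.0/24, pool 10.10.10.20 to 10.10.10.40, router and DNS 10.10.10.100) plus a constructed reservation, validates them, and renders the result as a text configuration fragment. The rendering assumes ISC dhcpd syntax for the text-based configuration; that assumption, the class and function names and the sample reservation are this example's, not the guide's.

```python
"""Validate a DHCP subnet definition and render it as a dhcpd-style fragment.

Added example, not code from Barracuda or the guide. The values mirror
the Configure the DHCP Service procedure; the reservation and the domain
name are constructed. The dhcpd syntax used by render() is an assumption
about the text-based configuration, not something the guide states.
"""
import ipaddress
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class DhcpSubnet:
    network: str                  # Used Subnet, in CIDR notation
    pools: list                   # [(IP Begin, IP End), ...] from the Pool Ranges table
    router: str                   # Router table entry (default gateway)
    dns: list                     # DNS Servers table
    reservations: dict = field(default_factory=dict)   # MAC Address -> Reserved IP
    domain: str = ""              # Domain Name
    authoritative: bool = True    # Server Is Authoritative (advanced settings)


def validate(s):
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    net = ipaddress.ip_network(s.network, strict=True)

    def usable(ip):               # inside the subnet, but not network or broadcast address
        return ip in net and ip not in (net.network_address, net.broadcast_address)

    ranges = []
    for begin, end in s.pools:
        b, e = ipaddress.ip_address(begin), ipaddress.ip_address(end)
        if b > e:
            problems.append(f"pool {begin}-{end}: IP Begin is after IP End")
        if not (usable(b) and usable(e)):
            problems.append(f"pool {begin}-{end}: not inside the usable part of {net}")
        for ob, oe in ranges:
            if b <= oe and ob <= e:
                problems.append(f"pool {begin}-{end} overlaps pool {ob}-{oe}")
        ranges.append((b, e))

    for mac, ip_str in s.reservations.items():
        ip = ipaddress.ip_address(ip_str)
        if not MAC_RE.match(mac):
            problems.append(f"reservation {ip}: malformed MAC address {mac!r}")
        if not usable(ip):
            problems.append(f"reservation {ip} for {mac}: not inside the usable part of {net}")
        if any(b <= ip <= e for b, e in ranges):
            # keep reserved addresses outside dynamic ranges so the same address
            # cannot also be handed out as a dynamic lease
            problems.append(f"reservation {ip} for {mac}: lies inside a dynamic pool range")

    if ipaddress.ip_address(s.router) not in net:
        problems.append(f"router {s.router}: not on {net}")
    for d in s.dns:
        ipaddress.ip_address(d)   # raises ValueError if it is not an address
    return problems


def render(s):
    """Render the definition as a dhcpd-style configuration fragment (assumed syntax)."""
    net = ipaddress.ip_network(s.network, strict=True)
    out = ["authoritative;"] if s.authoritative else []
    out.append(f"subnet {net.network_address} netmask {net.netmask} {{")
    out.append(f"  option routers {s.router};")
    out.append(f"  option domain-name-servers {', '.join(s.dns)};")
    if s.domain:
        out.append(f'  option domain-name "{s.domain}";')
    for b, e in s.pools:
        out.append(f"  range {b} {e};")
    out.append("}")
    for n, (mac, ip) in enumerate(sorted(s.reservations.items()), start=1):
        out += [f"host reserved{n} {{", f"  hardware ethernet {mac};", f"  fixed-address {ip};", "}"]
    return "\n".join(out)


# Values from the guide's procedure; reservation and domain are constructed for the example.
EXAMPLE = DhcpSubnet(
    network="10.10.10.0/24",
    pools=[("10.10.10.20", "10.10.10.40")],
    router="10.10.10.100",
    dns=["10.10.10.100"],
    reservations={"00:11:22:33:44:55": "10.10.10.50"},
    domain="example.internal")

if __name__ == "__main__":
    for p in validate(EXAMPLE):
        print("PROBLEM:", p)
    print(render(EXAMPLE))
```

Run as a script it prints the fragment for the guide's subnet with no problems reported; feed it a second pool range ending at 10.10.10.255 or a reservation at 10.10.10.30 and the corresponding problems are listed before anything is rendered. The same checks apply unchanged when the pool is later moved into the advanced address pool configuration.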
Before configuring the advanced settings for DHCP, verify that the DHCP service has been properly created on the Barracuda NG Firewall. For more information, see How to Configure Services.

With advanced pool configuration enabled in the DHCP service settings, you can configure the following features:
Subnets and Address Pools
DHCP Templates
Known Clients
DHCP Classes
Dynamic DNS
Text-Based Configuration

For more information, see How to Configure Advanced DHCP Settings.

Subnets and Address Pools

Use advanced pool configuration and configure DHCP and DNS settings for subnets and address pools. For more information, see How to Configure DHCP Subnets and Address Pools.

DHCP Templates

Configure DHCP option and parameter templates for subnets and shared network devices. For more information, see How to Configure DHCP Option Templates and How to Configure DHCP Parameter Templates.

Known Clients

Configure known clients and specify the settings for IP address assignment for client groups. For more information, see How to Configure Known Clients.

DHCP Classes

Define DHCP classes and subclasses that are allowed or denied to get leases from the DHCP address pool. For more information, see How to Configure DHCP Classes.

Dynamic DNS

Configure DHCP with dynamic DNS, add DNS zones, and specify update settings. For more information, see How to Configure DHCP with Dynamic DNS.

Text-Based Configuration

View and configure the DHCP server using a text configuration file. For more information, see How to Activate Text-Based Configuration.

How to Configure Advanced DHCP Settings

In the advanced settings of the DHCP service, you can enable address pool configuration for subnets, specify additional service availability settings, set up HA synchronization, and add DHCP options.

Configure Advanced DHCP Settings

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. In the left menu, expand the Configuration Mode section and click Switch to Advanced View.
3. Click Lock.
4. In the left menu, select Operational Setup IPv4 or 6.
5. In the Address Pool Configuration window, enable DHCP.
6. Enable Use Advanced Pool Configuration. This disables the Subnets section and allows configuration of address pools.
7. Enter the name of the DHCP server in the DHCP Server Identifier text box. This name allows clients to distinguish between different DHCP servers.
8. Select the UDP Listen Port on which the DHCP server listens for DHCP requests. By default, the server listens on port 67.
9. Click Send Changes and Activate.

You can now configure advanced DHCP settings such as subnets and address pools, templates, classes, and known clients.

How to Configure DHCP Subnets and Address Pools

With advanced DHCP service settings enabled, you can configure DHCP subnets and address pools and assign policies for handling DHCP client groups and Barracuda Network Access Clients.

In this article:
Before You Begin
Step 1. Configure Advanced Subnets
Step 2. Configure Address Pools
Step 3. Configure Shared/Multihomed Subnets

Before You Begin

Before configuring DHCP address pools, enable advanced pool configuration in the DHCP service setup. For more information, see How to Configure Advanced DHCP Settings.

Step 1. Configure Advanced Subnets

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. From the left Configuration Mode menu, select Switch to Advanced View.
3. From the left Configuration menu, select Address Pools.
4. Click Lock.
5. In the Advanced Subnets section, click + and add a subnet.
6. Enter a Name for the subnet and click OK. The Advanced Subnets window opens.
7. From the Used Subnet field, select a network that is configured on the Barracuda NG Firewall. When configuring a relayed network, select explicit and enter the network address and mask in the Network Address field.
8. Enter the DHCP Server Identifier that should be included in DHCPOFFER messages to let clients distinguish between multiple lease offers.
9. From the Perform DDNS Update list, enable or disable DNS setting updates for subnets. You can select:
   true – Enables DNS setting updates for subnets (the DNS Zone setting is activated). Enter the DNS Zone to be updated (configured within dynamic DNS).
   false – Disables DNS setting updates for subnets.
   not-set – (default) Enforces the use of the global DNS parameters for subnets.
10. From the Subnet Parameters list, select the DHCP parameter template whose settings should be used for this subnet, if one is configured. For more information, see How to Configure DHCP Parameter Templates.
11. From the Subnet DHCP Options list, select the DHCP options template for the subnet, if one is configured. For more information, see How to Configure DHCP Option Templates.

Step 2. Configure Address Pools

Configure your address pools and define client policies.

1. In the Address Pools section, click + to add an entry.
2. Enter a Name for the address pool and click OK. The Address Pools window opens.
3. Enter the first and last IP address of the pool range in the IP Begin and IP End fields.
4. From the All Clients Policy list, select a policy for handling DHCP clients. You can select:
   none – (default) A global policy is not used. Instead, the policies that are specified by the Known Clients, Unknown Clients, Allowed Classes, and Denied Classes settings are used.
   allow – All clients are allowed IP addresses from this pool.
   deny – All clients are denied IP addresses from this pool.
5. From the Network Access Clients Policy list, select the policy for handling Barracuda Network Access Clients. You can select:
   none – (default) No Barracuda Network Access Clients policy is used.
   Network Access Clients – Barracuda Network Access Clients are allowed to receive IP addresses from the pool.
   guests – Barracuda Network Access Clients are denied IP addresses from the pool.
6. In the Allowed / Denied Classes tables, add the DHCP classes that are allowed or denied to get leases from the address pool. For more information, see How to Configure DHCP Classes.
7. From the Known / Unknown Clients lists, select the policy for handling known and unknown clients if a global policy is not selected from the All Clients Policy list. You can select:
   allow – (default for known clients) Clients are allowed leases from the address pool.
   deny – (default for unknown clients) Clients are not allowed leases from the address pool.
   not-set – This setting is deactivated.
   For more information on specifying known clients, see How to Configure Known Clients.
8. From the BOOTP Clients Policy list, select the dynamic-bootp flag that specifies whether the DHCP server dynamically assigns addresses to BOOTP clients if a global policy is not selected from the All Clients Policy list. You can select:
   allow_dynamic – Dynamic BOOTP address assignment is allowed.
   deny_dynamic – Dynamic BOOTP address assignment is denied.
   not-set – This setting is deactivated.
9. Click OK.
10. If the subnet is shared, complete Step 3.
11. Click Send Changes and Activate.

Step 3. Configure Shared/Multihomed Subnets

If multiple subnets have to be hosted on a single network interface, configure and specify additional subnets in the Multi Subnet Configuration section:

1. Enable Shared Network Device if the interface must host multiple subnets. This enables Further Subnets.
2. Select the desired parameter template from the Shared Parameters list.
3. From the Shared DHCP Options list, select the DHCP options for the additional network.
4. In the Further Subnets table, add any additional subnets. For each entry, you can specify settings that are similar to those in the Subnet Configuration section.
5. Click OK.
6. Click Send Changes and Activate.

How to Configure DHCP Option Templates

Create DHCP option templates to simplify the configuration of multiple DHCP subnets and apply them to your configured address pools. Extended template settings allow you to integrate vendor details to exchange vendor-specific information and provide the option of configuring additional server settings.

In this article:
Before You Begin
Configure DHCP Option Templates
Extended Options

Before You Begin

Before configuring DHCP option templates, enable advanced pool configuration in the DHCP service setup. For more information, see How to Configure Advanced DHCP Settings.

Configure DHCP Option Templates

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. From the left Configuration Mode menu, select Switch to Advanced View.
3. In the left pane, select DHCP Option Templates.
4. Click Lock.
5. In the DHCP Options table, click + to add an option template.
6. Enter a Name for the template and click OK. The DHCP Options window opens.
7. Select the required Subnetmask.
8. In the Router table, add the IP addresses of the default gateways.
9. In the DNS Servers table, add the IP addresses of the domain name servers.
10. Enter the Domain Name.
11. In the Access Control Service IPs/Names table, add the required information for a client to receive valid policy server information if you set the Barracuda Network Access Clients Policy of an Address Pool to Barracuda Network Access Clients or guests. You can add vendor IDs, policy server IP addresses, or DNS-resolvable policy server names.
12. You can also edit the settings in the Extended Options section.
13. Click OK.
14. Click Send Changes and Activate.

Now you can apply your configured template to your DHCP subnets. For more information, see How to Configure DHCP Subnets and Address Pools.

Extended Options

Vendor ID / Raw Vendor ID – Enter one vendor ID or a semicolon-separated list of two or more vendor IDs. Use ASCII-encoded characters (Vendor ID) or a hexadecimal string (Raw Vendor ID) if required. Configuring Access Control Service IPs/Names (see above) and Vendor ID simultaneously is not valid; the client will then not receive any policy server information. Only one of the settings can be configured at a time. To provide policy server IP addresses to clients, configure Access Control Service IPs/Names instead.
Broadcast Address – The broadcast address.
NIS Domain Name – Enter the domain of the NIS in this field.
NIS Server – In this table, add the IP addresses of the NIS servers.
NTP Server – To enable synchronized times, enter the IP addresses of the NTP servers in this table.
WINS Server – If you are using WINS servers, enter the IP addresses of the servers in this table.
NBDD Server – If you are using NBDD servers, enter the IP addresses of the servers in this table.
Netbios Node Type – If you are using a Linux client, select not-set from this list. Otherwise, you can select one of the following options to allow NetBIOS to configure TCP/IP clients:
   b-node – Broadcast; clients use broadcasts for name registration/resolution. Do not select this option for use with large networks because broadcasts use lots of bandwidth.
   p-node – Point; the client registers itself at the NetBIOS server (point-to-point).
   m-node – Multi; the client first uses b-node. If that fails, p-node is used. Do not select this option for use with large networks because broadcasts use lots of bandwidth.
   h-node – Hybrid; like m-node, but uses p-node first and then b-node (as a last resort).
Netbios Scope Id – If you are using a Linux client, leave this field blank. If you are using NetBIOS Scope IDs (e.g., for isolating NetBIOS traffic or for giving the same name to different computers), enter the ID in this field. The NetBIOS Scope ID is case-sensitive.
LPR Server – If you are using the LPR protocol for Unix systems, enter the IP address of the printer in this field.
Log Server – If you are using a standalone log server, enter the IP address of the server in this field.
Time Server – If you are using a time server according to RFC 868, enter the IP address of the server in this field.
Time Offset – In this field, enter the client's time offset (in seconds) from UTC.
IEN Name Server – If you are using an IEN name server, add the IP address of the server to this table.
Cookie Server – If you are using a standalone cookie server, add the IP address of the server to this table.
Swap Server – If you are using a separate swap server, enter the IP address of the server in this field.
Local Subnets – To use local subnets, select true. Default: not-set.
Impress Server – If you are using an image impress server, add the IP address of the server to this table.
Resource Location Server – In this table, add the RFC 887 Resource Location servers that are available to the client. List the servers in order of preference.
Perform Mask Discovery – (not supported with Linux clients) Specifies whether subnet mask discovery is performed. From this list, you can select:
   true – The client uses ICMP for subnet mask discovery.
   false – No subnet mask discovery is performed.
   not-set (default) – Deactivates the setting.
Perform Router Discovery – (not supported with Linux clients) Specifies whether router discovery is performed. From this list, you can select:
   true – The client performs ICMP router discovery (according to RFC 1256).
   false – No router discovery is performed.
   not-set (default) – Deactivates the setting.
Static Route Net – In this table, add static routes that the client should install in its routing cache. If there are multiple routes to the same destination, list them in descending order of priority. The routes are made up of IP address pairs. The first address is the destination address. The second address is the router for the destination. The default route (0.0.0.0) is an illegal destination for a static route. In the Router field, specify the default route. The following options are available:
   Static Route Net – Enter the destination IP address.
   Static Route GW – Enter the gateway IP address.
TFTP Server Name – If the 'sname' field in the DHCP header has been used for DHCP options, enter the TFTP server name in this field.
TFTP Server IP Address – The TFTP server IP addresses for Cisco CallManager devices. In this field, you can enter a comma-delimited list of IP addresses.
Proxy Automatic Discovery – This field lets you specify a Web Proxy Automatic Discovery (WPAD) URL, for example http://foo.com/proxy.pac.
Boot File Name – If the 'file' field in the DHCP header has been used for DHCP options, enter the boot file name in this field.

How to Configure DHCP Parameter Templates

Create DHCP parameter templates to simplify the configuration of multiple DHCP subnets. Specify time settings for leases and updates, configure networking settings, and apply them to your client address pools.

In this article:
Before You Begin
Step 1. Configure Lease Constraints
Step 2. Configure Dynamic DNS Parameters
Step 3. Configure Miscellaneous Parameters

Before You Begin

Before configuring DHCP parameter templates, enable advanced pool configuration in the DHCP service setup. For more information, see How to Configure Advanced DHCP Settings.

Step 1. Configure Lease Constraints

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. From the left Configuration Mode menu, select Advanced View.
3. In the left navigation pane, select Parameter Templates.
4. Click Lock.
5. In the Parameters table, click + to add a parameter template.
6. Enter a Name for the template and click OK. The Parameters window opens.
7. In the Lease Constraints table, configure the following settings:
   Max Lease Time – The maximum length of time in seconds that will be assigned to a lease. The only exceptions to this setting are Dynamic BOOTP lease lengths, which are not specified by the client.
   Def Lease Time – The default length in seconds that is assigned to a lease.
   Min Lease Time – The minimum length in seconds that is assigned to a lease.
   Reply Delay – The minimum number of seconds since a client began trying to acquire a new lease before the DHCP server will respond to its request. The number of seconds is based on what the client reports, and the maximum value that the client can report is 255 seconds. If you specify 1 second, the DHCP server will not respond to the client's first request but will always respond to its second request. This setting can be used to set up a secondary DHCP server which never offers an address to a client until the primary server has been given a chance to do so. If the primary server is down, the client will bind to the secondary server, but otherwise clients should always bind to the primary. This does not, by itself, permit a primary server and a secondary server to share a pool of dynamically-allocatable addresses.

Step 2. Configure Dynamic DNS Parameters

Configure dynamic DNS settings if DNS updates are enabled and ddns-update (see How to Configure DHCP with Dynamic DNS) is set to interim.

1. From the Do Fwd Updates list, select whether the DHCP server should attempt to update a DHCP client's A record if the client acquires or renews a lease.
   true – Forward updates are enabled, and the DHCP server will also honor the setting of the client-updates flag.
   false – The DHCP server only attempts to update the client's PTR record if the client supplies an FQDN that should be placed in the PTR record using the 'fqdn' option.
2. From the Optimized Updates list, select one of the following options:
   true – The DHCP server will only update when the client information changes, the client gets a different lease, or the client's lease expires.
   false / not-set – If set for a given client, the server will attempt a DNS update for that client each time the client renews its lease, rather than only attempting an update when necessary. This allows the DNS to heal from database inconsistencies more easily, but the DHCP server must do many more DNS updates.
3. Leave Update Static Leases at its default (false) unless instructed otherwise. DNS updates for static IP addresses are not recommended because the DHCP server has no way to tell that the update has been done, and therefore will not delete the record when it is not in use. Also, the server must attempt the update each time the client renews its lease, which could have a significant performance impact in environments that place heavy demands on the DHCP server.
4. Enter the DDNS Domainname that should be appended to the client's hostname to form an FQDN.
5. In the Rev DDNS Domainname field, you can change the domain name (default: in-addr.arpa.) for use in the client's PTR record, which is appended to the client's reversed IP address (e.g., 74.92.17.10.in-addr.arpa. for client 10.17.92.74).
6. In the Dynamic BOOTP Lease Time field, you can specify the length in seconds of leases dynamically assigned to BOOTP clients. At some sites, it may be possible to assume that a lease is no longer in use if its holder has not used BOOTP or DHCP to get its address within a certain time period. If a client reboots using BOOTP during the timeout period, the lease duration is reset to this length, so a BOOTP client that boots frequently enough will never lose its lease. Use this setting with extreme caution!
7. In the Boot File Server field, enter the host IP address of the server from which the initial boot file (specified in the file name statement) is to be loaded. If this setting does not apply to a given client, the IP address of the DHCP server is used.
8. In the Boot File field, you can enter the name of the initial boot file which is to be loaded by a client. The file name should be recognizable to the file transfer protocol used to load the file.

Step 3. Configure Miscellaneous Parameters

Configure address assignment for clients without host declaration, and specify domain lookup and ping checking behavior.

Some BOOTP clients expect RFC 1048-style responses, but do not follow RFC 1048 when sending their requests. In this case, the client does not get the options that you have configured for it, and the message '(non-rfc1048)' is printed in the server log with each BOOTREQUEST that is logged. To send RFC 1048 options to such a client, you can set the always-reply-rfc1048 option (RFC1048 Conformance) in that client's host declaration, and the DHCP server will respond with an RFC 1048-style vendor options field.

1. From the Boot Unknown Clients list, select one of the following options:
   true / not-set – Clients without host declaration are allowed to obtain IP addresses, as long as those addresses are not restricted by 'allow' and 'deny' statements within their pool declarations.
   false – Clients without host declaration will not be allowed to obtain IP addresses.
2. From the RFC1048 Conformance list, select one of the following options:
   true – Respond in RFC 1048 style. This flag affects all clients that are covered by the respective scope.
   false – Do NOT respond in RFC 1048 style.
3. From the Hostname via Rev-DNS list, select whether or not DHCP looks up the domain name corresponding to the IP address of each address in the lease pool and uses it for the DHCP hostname option:
   true – Lookup is done for all addresses in the current scope.
   false – No lookups are done.
4. From the Ping Check list, select whether or not an ICMP echo request is sent to the address being assigned. If the DHCP server dynamically allocates an IP address to a client, it first sends an ICMP echo request (ping) to the address being assigned. It waits for a second, and if no response is heard, it assigns the address. If a response is heard, the lease is abandoned, and the server does not respond to the client. This setting introduces a default one-second delay in responding to DHCPDISCOVER messages, which can be a problem for some clients.
   true – Ping check is done for all addresses in the current scope. In the Ping Timeout field, specify how many seconds the DHCP server should wait for an ICMP echo response. If a response is not received before the timeout expires, it assigns the address. If a response is heard, the server does not respond to the client.
   false – No ping checks are done.
   not-set (default) – Deactivates the setting.
5. Click OK.
6. Click Send Changes and Activate.

Now you can apply your configured template to your DHCP subnets. For more information, see How to Configure DHCP Subnets and Address Pools.

How to Configure Known Clients

Configure DHCP client groups and assign hostnames and option templates.
Host declarations are matched to actual DHCP or BOOTP clients by matching the dhcp-client-identifier option specified in the host declaration to the one supplied by the client, or, if the host declaration or the client does not provide a dhcp-client-identifier option, by matching the hardware parameter in the host declaration to the network hardware address supplied by the client. BOOTP clients do not normally provide a dhcp-client-identifier, so the hardware address must be used for all clients that may boot using the BOOTP protocol.

In this article:
Before You Begin
Configure Known Client
Advanced Client Assignments

Before You Begin

Before configuring known clients for use with the DHCP service, enable advanced pool configuration in the DHCP service setup. For more information, see How to Configure Advanced DHCP Settings.

Configure Known Client

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. In the left menu, expand the Configuration Mode section and select Advanced View.
3. In the left menu, select Known Clients.
4. Click Lock.
5. In the Client Groups table, click + and add a client group.
6. Enter a Name for the group and click OK. The Client Groups window opens.
7. From the Group DHCP Options list, select the DHCP options template whose settings should be used for the group. For more information, see How to Configure DHCP Option Templates.
8. From the Group Parameters list, select the DHCP parameter template whose settings should be used for the group. For more information, see How to Configure DHCP Parameter Templates.
9. Enable or disable Automatic Hostname Assignment. You can select:
   true – For every host declaration of this group of known clients, the name provided for the host declaration will be supplied to the client as its hostname.
   false – (default) The setting is disabled.
10. In the Clients table, click + and add the client group members.
11. Enter a Name for the client and click OK. The Clients window opens.
12. Enter the DHCP Client Identifier that identifies the host client when requesting an IP address. Only the DHCP Client Identifier setting and the hardware address can be used to match a host declaration. For example, it is not possible to match a host declaration to a host-name option. This is because the host-name option cannot be guaranteed to be unique for any given client, whereas both the hardware address and the DHCP Client Identifier option are at least theoretically guaranteed to be unique to a given client.
13. Enter the MAC Address of the client required for identification.
14. From the Match Type list, select the type of network card requesting a lease.
15. If required, enter the static IP address(es) that are sent to the client in the Fixed IP Addresses field.
16. For advanced configuration settings, see the following Advanced Client Assignments section.
17. Click OK.
18. Click Send Changes and Activate.

Advanced Client Assignments

In the Advanced Client Assignments section, you can apply templates to be used for your clients and configure advanced settings for server responses and host declaration. For each client entry, you can edit the following settings:

Client DHCP Options – From this list, select the DHCP options template whose settings should be used for the client. For more information, see How to Configure DHCP Option Templates.
Client Parameters – From this list, select the DHCP parameter template whose settings should be used for the client. For more information, see How to Configure DHCP Parameter Templates.
Allowed Broadcast Reply – The DHCP and BOOTP protocols both require DHCP and BOOTP clients to set the broadcast bit in the flags field of the BOOTP message header. Unfortunately, some DHCP and BOOTP clients do not do this, and therefore may not receive responses from the DHCP server. The DHCP server can be configured to always broadcast its responses to clients by setting this flag to yes for the relevant scope; relevant scopes would be inside a conditional statement, as a parameter for a class, or as a parameter for a host declaration. In order to avoid creating excessive broadcast traffic on your network, Barracuda Networks recommends that you restrict the use of this option to as few clients as possible.
Duplicates Policy – From this list, you can select either allow or deny. Host declarations can match client messages based on the DHCP Client Identifier option or on the client's network hardware type and MAC address. If the MAC address is used, the host declaration will match any client with that MAC address – even clients with different client identifiers. This is possible when one computer has more than one operating system installed on it, for example Microsoft Windows and NetBSD or Linux. With deny, when a request is received from a client matching the MAC address of a host declaration, the DHCP server discards any other leases matching that MAC address, even if the UID is not the same. This does not adhere to the DHCP standard but can prevent clients whose client identifiers change regularly from holding too many leases at the same time.
Client Hostname – If a name is entered, the statement within a host declaration will override the use of the name in the host declaration.
DDNS Hostname – Defines the hostname to be used in setting up the client's A and PTR records; if not specified, the server will derive the hostname automatically, using an algorithm that varies for each of the different update methods.
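As an added example (not Barracuda code), the following Python models how a pool whose All Clients Policy is none decides who may take a lease: host matching by client identifier or MAC and the Duplicates Policy from this article, the Known/Unknown and BOOTP Clients policies from Step 2 of How to Configure DHCP Subnets and Address Pools, and Allowed/Denied Classes using the 1:<MAC> match values of the Classes article. It assumes an evaluation order (denies first, then at least one allow must match when the pool has any allow setting) and uses constructed MAC addresses, identifiers and leases.

```python
# Added example (not Barracuda code): models the lease-admission decision
# described by the Known Clients article (host matching, Duplicates Policy)
# and the Address Pools policies of Step 2, with class membership in the
# "1:<MAC>" form of the Classes article. Assumed evaluation order for
# All Clients Policy "none": denies first, then at least one allow must
# match if the pool has any allow setting at all.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HostDeclaration:                # one entry of a client group's Clients table
    name: str
    client_id: Optional[str] = None   # DHCP Client Identifier, may be absent
    mac: Optional[str] = None         # MAC Address
    duplicates: str = "allow"         # Duplicates Policy: allow | deny


@dataclass
class Request:                        # what a client sent (constructed values)
    mac: str                          # hardware type 1 (Ethernet) assumed
    client_id: Optional[str] = None   # BOOTP clients normally send none
    bootp: bool = False


@dataclass
class DhcpClass:                      # Classes article: Match Type exact | list
    name: str
    match_type: str
    values: List[str]                 # Ethernet MACs carry the "1:" prefix

    def matches(self, req: Request) -> bool:
        vals = self.values[:1] if self.match_type == "exact" else self.values
        return "1:" + req.mac.lower() in [v.lower() for v in vals]


@dataclass
class Pool:                           # Address Pools policies, documented defaults
    all_clients: str = "none"         # none | allow | deny
    known_clients: str = "allow"      # allow | deny | not-set
    unknown_clients: str = "deny"     # allow | deny | not-set
    bootp_clients: str = "not-set"    # allow_dynamic | deny_dynamic | not-set
    allowed_classes: List[str] = field(default_factory=list)
    denied_classes: List[str] = field(default_factory=list)


def match_host(req: Request, hosts: List[HostDeclaration]) -> Optional[HostDeclaration]:
    """Compare client identifiers when both sides supply one, else the MAC."""
    for h in hosts:
        if h.client_id is not None and req.client_id is not None:
            if h.client_id == req.client_id:
                return h
        elif h.mac is not None and h.mac.lower() == req.mac.lower():
            return h
    return None


def apply_duplicates_policy(host: HostDeclaration, req: Request,
                            leases: List[dict]) -> List[dict]:
    """Duplicates Policy deny: discard other leases held by this MAC under a
    different client identifier (UID). Returns the surviving leases."""
    if host.duplicates != "deny":
        return leases
    return [l for l in leases if not (l["mac"].lower() == req.mac.lower()
                                      and l["uid"] != req.client_id)]


def pool_admits(pool: Pool, req: Request, hosts: List[HostDeclaration],
                classes: Dict[str, DhcpClass]) -> bool:
    """Decide whether req may take an address from pool."""
    if pool.all_clients in ("allow", "deny"):     # global policy wins
        return pool.all_clients == "allow"
    known = match_host(req, hosts) is not None
    group = pool.known_clients if known else pool.unknown_clients
    # 1. any matching deny rejects the client
    if group == "deny" or (req.bootp and pool.bootp_clients == "deny_dynamic"):
        return False
    if any(classes[c].matches(req) for c in pool.denied_classes):
        return False
    # 2. otherwise some allow must match, if the pool has any allow at all
    hits = [group == "allow", req.bootp and pool.bootp_clients == "allow_dynamic"]
    hits += [classes[c].matches(req) for c in pool.allowed_classes]
    has_allows = ("allow" in (pool.known_clients, pool.unknown_clients)
                  or pool.bootp_clients == "allow_dynamic" or pool.allowed_classes)
    return any(hits) or not has_allows


def demo() -> dict:
    """Constructed scenario: a printer known by MAC, a laptop known by client
    identifier with Duplicates Policy deny, and a denied class of visitors."""
    hosts = [HostDeclaration("printer", mac="00:01:f3:34:44:2a"),
             HostDeclaration("laptop", client_id="01:00:0c:29:aa:bb:cc",
                             mac="00:0c:29:aa:bb:cc", duplicates="deny")]
    classes = {"visitors": DhcpClass("visitors", "list",
                                     ["1:de:ad:be:ef:00:01", "1:de:ad:be:ef:00:02"])}
    pool = Pool(unknown_clients="allow", denied_classes=["visitors"],
                bootp_clients="deny_dynamic")
    laptop = Request("00:0c:29:aa:bb:cc", client_id="01:00:0c:29:aa:bb:cc")
    leases = [{"mac": "00:0c:29:aa:bb:cc", "uid": "stale-uid", "ip": "10.0.0.50"},
              {"mac": "00:01:f3:34:44:2a", "uid": None, "ip": "10.0.0.51"}]
    return {
        "printer": pool_admits(pool, Request("00:01:f3:34:44:2a"), hosts, classes),
        "printer_bootp": pool_admits(pool, Request("00:01:f3:34:44:2a", bootp=True),
                                     hosts, classes),
        "laptop": pool_admits(pool, laptop, hosts, classes),
        "unknown": pool_admits(pool, Request("aa:bb:cc:dd:ee:ff"), hosts, classes),
        "visitor": pool_admits(pool, Request("de:ad:be:ef:00:02"), hosts, classes),
        "leases_after_laptop": apply_duplicates_policy(match_host(laptop, hosts),
                                                       laptop, leases),
    }
```

With the documented defaults (known allow, unknown deny) an unknown client is refused outright; the scenario above opens the pool to unknown clients and shows that a Denied Class, a BOOTP deny, and the Duplicates Policy still bite.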
Barracuda NG Firewall 6.1 Administrator's Guide - Page 288 How to Configure DHCP Classes Define classes for use by DHCP clients and servers and specify the lease behavior. With DHCP classes configured the server identifies different client types and provides the corresponding IP addresses depending on the match statement in the class definition. Spawn subclasses define the parameters for each match value within the class they belong to, which simplifies the class lookup. In this article: Before You Begin Configure DHCP Classes Before You Begin Before configuring DHCP classes, enable advanced pool configuration in the DHCP service setup. For more information, see How to Configure Advanced DHCP Settings. Configure DHCP Classes 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration. 2. From the left Configuration Mode menu, select Advanced View. 3. In the left navigation pane, select Classes. 4. Click Lock. 5. Click + to add an entry for a DHCP class. 6. Enter a Name for the class and click OK. The Classes configuration window opens. 7. Enable or disable Spawn Subclasses depending on your requirements. If a. enabled, Select the spawn subclass from the Spawn Parameter field. b. Enter the maximum number of parallel active leases in the Lease Limit field. 8. Specify the Match Parameter. Exact – Indicates ONE client. List – Allows multiple clients. 9. From the Match Type list, select the desired option. When selecting exact, enter the match value for one client (for example, MAC, store agent ID, …) in the Match Value field. When selecting list, enter the match values for multiple clients in the Match Value List field. The way MAC addresses are entered depends on the used type of interface: Ethernet requires a 1: prior to the MAC address (e.g.: 1:00:01:f3:34:44:2g) Tokenring requires a 6: prior to the MAC address (e.g.: 6:00:01:f3:34:44:2g) 10. Click OK. 11. 
Click Send Changes and Activate. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 289 How to Configure DHCP with Dynamic DNS Configure dynamic DNS updates for the Barracuda NG Firewall DHCP service. The DDNS update style is evaluated once after reading the dhcpd.conf file, not each time a client is assigned an IP address, so the same DNS update style is used for all clients. Before You Begin Before configuring dynamic DNS, enable advanced pool configuration in the DHCP service setup. For more information, see How to Configure Advanced DHCP Settings. Configure Dynamic DNS 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration. 2. In the left menu, expand the Configuration Mode section and click Advanced View. 3. In the left menu, select Dynamic DNS. 4. Click Lock. 5. Select whether or not to use a DNS Update Scheme. When selecting interim choose an option from the Client Updates list. The DHCP server does not necessarily always update both the A and the PTR records. The FQDN (fully qualified domain name) option includes a flag which, when sent by the client, indicates that the client wishes to update its own A record. In that case, the server can be configured either to honor the client's intentions or ignore them. This is done with the statement allow client-updates; or the statement ignore client-updates. By default, client updates are ignored. 6. In the Zone Keys table, click + and add the HMAC-MD5 keys for the DNS zones. 7. In the DNS Zones table, click + and add the DNS zones. 8. Specify the Zone Type. You can select: Forward (default) – The hostname is looked up. Enter the network of the forward lookup in the Forward Zone Name field. Reverse – The IP address is looked up. Enter the network of the reverse lookup in the Reverse Lookup Net/Netmask fields. Both – IP address and hostname are looked up. 
    Enter the network of the forward and reverse lookup in the Forward Zone Name and Reverse Lookup Net/Netmask fields.
9. Enter the DNS Server IP address.
10. Select the Authentication Key for the zone that was entered in the Zone Keys table.
11. Click OK.
12. Click Send Changes and Activate.

How to Activate Text-Based Configuration

You can view and configure the DHCP server settings in a text configuration file. Note that if you manually configure the DHCP server in a text configuration file, all of the settings that have been made in the user interface are disabled.

Before You Begin

Before you can view and configure the DHCP server in a text configuration file, enable advanced pool configuration in the DHCP service setup. For more information, see How to Configure Advanced DHCP Settings.

View the Configuration File

To view the DHCP server configuration in read-only text:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. From the left Configuration Mode menu, select Advanced View.
3. In the left navigation pane, select GUI as Text.
4. Click Lock.
5. Enable Show GUI as Text.
6. Click Send Changes and Activate.
In the GUI Corresponding Text table, the DHCP server configuration is displayed as read-only text.

Configure the DHCP Server Text Configuration File

The DHCP server text configuration file must be created directly on the Barracuda NG Firewall when configuring a managed NG Firewall.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. From the left Configuration Mode menu, select Advanced View.
3. In the left navigation pane, select Text Based Configuration.
4. Click Lock.
5. Enable Use Free Format.
When you enable this setting, all of the settings that have been made in the user interface are disabled. To re-enable the settings made in the user interface, disable Use Free Format.
6. In the Free Format Text table, enter the configurations for the DHCP server. Use the following syntax:
    option <option-name> <parameter>
7. For more information on the commands and syntax that can be used, see http://www.daemon-systems.org/man/dhcp-options.5.html.
8. Click Send Changes and Activate.

How to Configure Additional DHCP Options

Some clients may need specific DHCP options to be set in the DHCP server configuration. To set options that are not directly configurable, you must use Advanced Pool Configuration and enter the necessary options as freetext-based configuration. In this example, a server requires the DHCP options 176 and 242 to be set to custom strings.

In this article:
Before you Begin
Step 1. Define a Variable for Each Additional DHCP Option
Step 2. Set Values for Each Additional DHCP Option

Before you Begin

Enable Use Advanced Pool Configuration in the advanced DHCP Settings. For more information, see How to Configure Advanced DHCP Settings.
Configure an Address Pool and DHCP Option Template. For more information, see How to Configure DHCP Subnets and Address Pools and How to Configure DHCP Option Templates.

Step 1. Define a Variable for Each Additional DHCP Option

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. Click Lock.
3. In the left menu, expand Configuration Mode and click Switch to Advanced View.
4. In the left menu, click Operational Setup.
5.
For each DHCP option you want to add, click + in the Additional Global Definitions table and define a variable for the DHCP option in the following format:
    option VARIABLE_NAME code OPTION_NUMBER=VARIABLE_TYPE
    E.g., option hbcs-avaya-176 code 176 = text
6. Click Send Changes and Activate.

Step 2. Set Values for Each Additional DHCP Option

The variables set in step 1 can be set to different values for each DHCP Option Template.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Service > DHCP Enterprise Configuration.
2. Click Lock.
3. In the left menu, expand Configuration Mode and click Switch to Advanced View.
4. In the left menu, click DHCP Option Templates.
5. Double-click on the DHCP Options template used for the address pool. The DHCP Options window opens.
6. For each DHCP Option you defined in step 1, click + in the ISC DHCP Option Freetext Field and set the value for each entry in the following format (including the quotation marks):
    option VARIABLE_NAME-OPTION_NUMBER "ENTER_YOUR_STRING_HERE"
    E.g., option hbcs-avaya-176 "MCIPADD=10.10.10.10,MCPORT=1719,TFTPSRVR=10.10.10.10"
7. Click Send Changes and Activate.

Example - DHCP Configuration for Two Networks

The following article provides an overview of how to configure DHCP for an example environment. It provides steps and example settings to configure a DHCP service for an environment that contains two networks with three different IP pools.

In this article:
Example Environment
Example Environment Configuration

Example Environment

For the example environment that is displayed in the following figure, a DHCP service must be configured for two networks with three different IP pools:
    Network 1 (10.0.8.0/24) – Contains two address pools: one pool for unknown clients and one pool for known clients (identified via their MAC addresses).
    Network 2 (10.0.4.0/24) – Contains one address pool for unknown clients and two known clients.

Example Environment Configuration

The DHCP service for the example environment can be configured with the following steps and settings:

Step 1: Create a virtual server.
    The virtual server is created with the following settings:
    First-IP: 10.0.8.35
    Second-IP: 10.0.4.44
Step 2: Create the DHCP service.
    By default, Service Availability for the DHCP service is set to All-IPs.
Step 3: Enable advanced DHCP settings.
    To enable the advanced DHCP settings, you must be in the Advanced Configuration Mode. On the DHCP Enterprise Configuration - Operational Setup page, click Switch to Advanced View from the Configuration Mode menu in the left navigation pane. Make sure that you select yes from the Use Advanced Pool Configuration list.
Step 4: Configure DHCP classes.
    A DHCP class named testclass is created with the following settings:
    Match Type: MAC
    Match Value List: 1:00:01:f3:34:44:2g and 1:00:01:f3:34:44:2e
    For Ethernet interfaces, you must enter 1: before the MAC address.
Step 5: Configure subnets and address pools.
    Two separate subnets are created for Network 1 (10.0.8.0/24) and Network 2 (10.0.4.0/24).
    1. A subnet named Subnet1 for 10.0.8.0/24 is created with the following settings:
        Subnet Type: explicit
        Network Address: 10.0.8.0/24
        Address Pools: The two address pools for Subnet1 are configured with the following settings:
        Address Pool 1 (Unknown) – From the first address pool, only unknown clients may receive IP addresses.
        This address pool is configured with the following settings:
            IP Begin: 10.0.8.10
            IP End: 10.0.8.15
            Denied Classes: testclass
            Known Clients: deny
            Unknown Clients: allow
        Address Pool 2 (Classpool) – From the second address pool, only allowed classes may receive IP addresses. This address pool is configured with the following settings:
            IP Begin: 10.0.8.20
            IP End: 10.0.8.30
            Allowed Classes: testclass
            Known Clients: not-set
            BOOTP Clients Policy: not-set
    2. A subnet named Subnet2 for 10.0.4.0/24 is created with the following settings:
        Subnet Type: explicit
        Network Address: 10.0.4.0/24
        Address Pools: The subnet has one address pool, which is configured with the following settings:
        Address Pool 1 (Unknown) – From the address pool, only unknown clients may receive IP addresses. This address pool is configured with the following settings:
            IP Begin: 10.0.4.10
            IP End: 10.0.4.15
            Known Clients: deny
            Unknown Clients: allow
Step 6: Configure known clients.
    Two client groups are created:
    Known Client 1 – MAC Address: 00:01:f3:34:44:2g; Fixed IP Address: 10.0.4.31 (Optional)
    Known Client 2 – MAC Address: 00:01:f3:34:44:2e; Fixed IP Address: 10.0.4.32 (Optional)
Step 7: View real-time information for the DHCP service.
    To view and modify lease and IP range information for the DHCP service, click the DHCP tab.

How to Configure the DHCP Relay Agent

The DHCP relay service passes DHCP broadcast messages to network segments that a client computer is not directly attached to. DHCP relaying can be used to share a single DHCP server across logical network segments that are separated by a firewall. The DHCP relay service does not handle IP addresses. It sends unicast messages instead of broadcast messages.
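The settings of Steps 4 to 6 of the preceding example environment, expressed as the ISC dhcpd.conf statements the DHCP service is built on (the same syntax the free-format configuration and the ISC DHCP Option Freetext Field accept), rendered and sanity-checked by a small Python script. This is an added example and not the firewall's code or output: the class, subclass, pool and host statements are standard ISC DHCP syntax, the option definition is the one from the How to Configure Additional DHCP Options article above, and the host names are made up. The guide's sample MAC addresses end in 2g, which is not a hex digit, so valid placeholder addresses are used instead. The check function also catches the three mistakes that most often produce lease conflicts when such a layout is typed in by hand: a range outside its subnet, overlapping ranges, and a fixed address inside a dynamic range.

```python
"""Render the two-network example environment as ISC dhcpd.conf text and
sanity-check the pools first. Added example, not the firewall's own code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Pool:
    first: str
    last: str
    allow: list = field(default_factory=list)  # e.g. 'members of "testclass"'
    deny: list = field(default_factory=list)


@dataclass
class Subnet:
    network: str
    pools: list


@dataclass
class KnownClient:
    name: str
    mac: str
    fixed_ip: str


# Constructed values. The guide's sample MACs end in "2g", which is not a hex
# digit, so valid placeholder addresses are used here.
CLASS_MACS = ["00:01:f3:34:44:2a", "00:01:f3:34:44:2e"]
SUBNETS = [
    Subnet("10.0.8.0/24", [
        Pool("10.0.8.10", "10.0.8.15", allow=["unknown-clients"],
             deny=['members of "testclass"', "known-clients"]),
        Pool("10.0.8.20", "10.0.8.30", allow=['members of "testclass"']),
    ]),
    Subnet("10.0.4.0/24", [
        Pool("10.0.4.10", "10.0.4.15", allow=["unknown-clients"],
             deny=["known-clients"]),
    ]),
]
KNOWN = [KnownClient("known1", CLASS_MACS[0], "10.0.4.31"),
         KnownClient("known2", CLASS_MACS[1], "10.0.4.32")]
# (name, code, type, value) from "How to Configure Additional DHCP Options"
EXTRA_OPTIONS = [("hbcs-avaya-176", 176, "text",
                  "MCIPADD=10.10.10.10,MCPORT=1719,TFTPSRVR=10.10.10.10")]


def check(subnets, known):
    """Return a list of problems: a pool outside its subnet, two pools that
    overlap, or a fixed address inside a dynamic range (lease conflicts)."""
    problems, ranges = [], []
    for s in subnets:
        net = IPv4Network(s.network)
        for p in s.pools:
            lo, hi = IPv4Address(p.first), IPv4Address(p.last)
            if lo > hi or lo not in net or hi not in net:
                problems.append(f"pool {p.first}-{p.last} outside {s.network}")
            if any(lo <= ohi and olo <= hi for olo, ohi in ranges):
                problems.append(f"pool {p.first}-{p.last} overlaps another pool")
            ranges.append((lo, hi))
    for k in known:
        ip = IPv4Address(k.fixed_ip)
        if any(lo <= ip <= hi for lo, hi in ranges):
            problems.append(f"fixed address {k.fixed_ip} lies in a dynamic pool")
    return problems


def render(subnets=SUBNETS, known=KNOWN, class_macs=CLASS_MACS,
           extra=EXTRA_OPTIONS):
    """Emit dhcpd.conf statements in the order dhcpd needs them (option
    definition before its value, class before its subclasses)."""
    problems = check(subnets, known)
    if problems:
        raise ValueError("; ".join(problems))
    out = []
    for name, code, typ, value in extra:
        out.append(f"option {name} code {code} = {typ};")  # Step 1: define
        out.append(f'option {name} "{value}";')             # Step 2: set value
    out += ['class "testclass" {', "    match hardware;", "}"]
    for mac in class_macs:                      # Ethernet: hardware type 1
        out.append(f'subclass "testclass" 1:{mac};')
    for s in subnets:
        net = IPv4Network(s.network)
        out.append(f"subnet {net.network_address} netmask {net.netmask} {{")
        for p in s.pools:
            out.append("    pool {")
            out.append(f"        range {p.first} {p.last};")
            out += [f"        allow {a};" for a in p.allow]
            out += [f"        deny {d};" for d in p.deny]
            out.append("    }")
        out.append("}")
    for k in known:                             # known clients (Step 6)
        out.append(f"host {k.name} {{ hardware ethernet {k.mac}; "
                   f"fixed-address {k.fixed_ip}; }}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render())
```

Running the script prints the configuration; a host statement with a hardware ethernet address is what makes a client "known" to dhcpd, which is why the Unknown pools carry deny known-clients and the fixed addresses 10.0.4.31 and 10.0.4.32 have to sit outside the 10.0.4.10 to 10.0.4.15 range.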
In this article:
Before You Begin
Configure the DHCP Relay Agent for IPv4
Configure the DHCP Relay Agent for IPv6
Cascading DHCP Relay Agents

Figure 1. DHCP relay agent between two LANs.

Before You Begin

If you are using both a DHCP and a DHCP Relay service on the same Barracuda NG Firewall, verify that both services are not using the same interface.

Configure the DHCP Relay Agent for IPv4

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Relay.
2. Click Lock.
3. Select Enable Relay for IPv4.
4. Enter the UDP Port the relay agent is listening on (default: 67).
5. In the Relay Interfaces section, click + and add the network interfaces that are used by the DHCP relay agent to connect to the DHCP server and client networks. To specify an explicit interface (e.g., a virtual interface), enter its name in the Other field. If you must configure multiple relay agents in a cascaded environment, do not specify the server-side interface of the cascaded ('border') relay agent. For more information, read the following section.
6. In the DHCP Server IPs field, enter the IP addresses of the DHCP servers.
7. Enable Add Agent ID (AID) if you want the DHCP relay agent to add an Agent ID (AID) to the transmitted packets. An AID indicates that the data has been relayed.
8. Enter the maximum DHCP Packet Size in bytes (default: 1400).
9. From the AID Relay Policy list, select how your DHCP relay agent handles DHCP packets that are already flagged by an AID from another agent:
    Append (default) – Attaches your AID to the existing AID.
    Replace – Replaces the existing AID with your AID.
    Forward – Passes DHCP packets without any modification.
    Discard – Discards DHCP packets that are already flagged by an AID.
10. From the Reply AID Mismatch Policy list, select how your DHCP relay agent handles DHCP server replies that do not contain its AID:
    Discard – Default. Discards the DHCP packet.
    Forward – Forwards the DHCP packet to the DHCP client.
    The Reply AID Mismatch Policy setting is important when multiple relay agents serve the DHCP server.
11. Specify the maximum Packet Hop Count to avoid infinite packet loops (default: 10).
12. Select Forward unicast packets if Bootstrap/BOOTP unicast messages should be forwarded by the DHCP relay.
13. Click OK.
14. Click Send Changes and Activate.

Configure the DHCP Relay Agent for IPv6

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP-Relay > DHCP-Relay Settings.
2. Click Lock.
3. Select Enable Relay for IPv6.
4. Enter the UDP Port the relay agent is listening on (default: 547).
5. Specify the maximum Packet Hop Count to avoid infinite packet loops (default: 10).
6. Select Interface ID to force use of the DHCPv6 Interface-ID option. This option is automatically sent when there are two or more downstream interfaces in use, to disambiguate between them.
7. In the Lower Network Interfaces list, specify the network interface and link address on which queries will be received from clients or other relay agents. If no link address is specified, the first non-link-local address is used.
8. In the Upper Network Interfaces list, specify the network interface and destination unicast or multicast address to which queries will be forwarded. If no destination address is specified, requests are forwarded to the FF02::1:2 multicast address (All_DHCP_Relay_Agents_and_Servers).
9. Click OK.
10. Click Send Changes and Activate.

Cascading DHCP Relay Agents

Only use cascading DHCP relay agents if a client subnet is connected to the server-side DHCP relay agent. The DHCP Relay Agent is not designed for cascaded use.
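A small Python model of the AID options from the IPv4 procedure above (Add Agent ID, AID Relay Policy, Reply AID Mismatch Policy and Packet Hop Count), used to trace a request and its reply through the cascaded setup this section describes: a client-side relay 1 behind a border relay 2 that fronts the DHCP server. This is an added illustration of the documented option semantics, not the firewall's implementation; packets are plain dicts, the AIDs are labels, and the stand-in DHCP server simply echoes the relay information it received, as a server does with the relay agent information option.

```python
"""Trace the documented AID policies through a cascade of two relay agents.
Added example: a model of the option semantics, not the relay's own code."""
from copy import deepcopy

REQUEST_POLICIES = ("append", "replace", "forward", "discard")
REPLY_POLICIES = ("discard", "forward")


def relay_request(pkt, my_aid, policy="append", add_aid=True, max_hops=10):
    """Client -> server direction. Returns the packet to forward, or None if
    the relay drops it (hop limit reached, or Discard policy on a packet that
    another agent already flagged)."""
    if policy not in REQUEST_POLICIES:
        raise ValueError(policy)
    pkt = deepcopy(pkt)
    pkt["hops"] += 1
    if pkt["hops"] > max_hops:          # Packet Hop Count: loop protection
        return None
    if not add_aid:                     # Add Agent ID disabled: pass through
        return pkt
    if not pkt["aids"]:                 # not relayed yet: flag it with our AID
        pkt["aids"].append(my_aid)
    elif policy == "append":            # keep the other agent's AID, add ours
        pkt["aids"].append(my_aid)
    elif policy == "replace":           # overwrite the other agent's AID
        pkt["aids"] = [my_aid]
    elif policy == "discard":
        return None
    return pkt                          # "forward": left unchanged


def relay_reply(reply, my_aid, mismatch_policy="discard"):
    """Server -> client direction. A reply that does not carry this relay's
    AID is dropped under the default Reply AID Mismatch Policy."""
    if mismatch_policy not in REPLY_POLICIES:
        raise ValueError(mismatch_policy)
    if my_aid not in reply["aids"] and mismatch_policy == "discard":
        return None
    return deepcopy(reply)


def dhcp_server(request):
    """Constructed stand-in: echoes the relay agent information back and
    offers a made-up address."""
    return {"hops": 0, "aids": list(request["aids"]), "yiaddr": "10.0.8.12"}


def cascade(border_policy="append", mismatch_policy="discard"):
    """Client on relay 1's subnet; relay 1 forwards to border relay 2, which
    fronts the server. Returns the reply the client receives, or None."""
    discover = {"hops": 0, "aids": []}          # constructed DHCPDISCOVER
    via_r1 = relay_request(discover, "relay1")
    via_r2 = relay_request(via_r1, "relay2", policy=border_policy)
    if via_r2 is None:
        return None
    offer = dhcp_server(via_r2)
    back_r2 = relay_reply(offer, "relay2", mismatch_policy)
    if back_r2 is None:
        return None
    return relay_reply(back_r2, "relay1", mismatch_policy)


if __name__ == "__main__":
    for pol in REQUEST_POLICIES:
        print(f"border relay policy {pol:8}: client receives {cascade(pol)}")
```

The trace makes the guide's caution concrete: with Append on the border relay the reply carries both AIDs and passes both mismatch checks, whereas Replace strips relay 1's AID and relay 1 then drops the reply under the default Discard policy, so the client never gets a lease. Read literally, the same definitions mean a relay that never adds its own AID (Forward policy on an already flagged packet, or Add Agent ID disabled) has to use Forward as its mismatch policy too, or it discards every reply; in this model that is what the cascade("forward") case shows.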
If you must configure multiple relay agents in a cascaded environment, do not specify the server-side interface of the cascaded ("border") relay agent in the configuration, or this will lead to conflicts. In Figure 2, two client subnets are connected to DHCP relay agents 1 and 2. When you configure the relay agents, the interfaces listening to broadcast requests from the clients (eth1 and eth4) must be specified as relay interfaces. The server-side interface of relay agent 2 (eth5), which is connected to the DHCP server, must NOT be specified.

Figure 2. Cascading DHCP relay agents with interfaces to be configured.

How to Configure a DHCP Relay over a VPN Tunnel

To use the same DHCP server in two different networks that are connected by a VPN tunnel, configure DHCP relays on both the local and remote NG Firewalls.

In this article:
Before you Begin
Step 1. Create an Access Rule on the Local NG Firewall
Step 2. Create a DHCP Relay on the Remote NG Firewall
Step 3. Create a Host Firewall Rule on the Remote NG Firewall

Before you Begin

Create a Site-to-Site VPN tunnel between both locations.
Use a separate DHCP server, such as the DHCP server on Windows Servers in your network. It is not possible to use the DHCP service on the NG Firewall in this scenario.

Step 1. Create an Access Rule on the Local NG Firewall

Create a PASS access rule allowing the management IP address of the remote NG Firewall access to the DHCP server.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Right-click in the main area and select New and Rule. The Edit Rule window opens.
4. Create the following access rule:
    Action – Select PASS.
    Source – Enter the management IP address of the remote NG Firewall.
    Service – Create and select a Service object for UDP Port 67.
    Destination – Enter the IP address of the DHCP server.
    Connection – Select No SNAT.
5. Click OK.
6. Click Send Changes and Activate.

Step 2. Create a DHCP Relay on the Remote NG Firewall

Configure DHCP Relay on the remote NG Firewall to pass along
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DHCP Relay > DHCP Relay Settings.
2. Click Lock.
3. Check the Enable Relay for IPv4 checkbox.
4. Click + for each Relay Interface the DHCP Relay listens on:
    a. Select the internal interface used to connect to the DHCP server from the list. E.g., eth0
    b. Enter the VPN interface used for the Site-to-Site tunnel in the Other textbox. E.g., vpn0
5. Click + and add the DHCP Server IPs. E.g., 10.0.10.100
6. Click Send Changes and Activate.

Step 3. Create a Host Firewall Rule on the Remote NG Firewall

Create an access rule to allow the traffic of the DHCP Relay service into the VPN tunnel.
1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Host Firewall Rules.
2. Click Lock.
3. Click on the Outbound rule set.
4. Create a new PASS access rule. The Edit Rule window opens.
5. Enter the Name of the rule. E.g., BOX-DHCP-OUT-RELAY-VPN
6. Use the following settings for the access rule:
    Action – Select PASS.
    Source – Select Any.
    Service – Select DHCP-S.
    Destination – Select World.
7. Select <explicit-conn> from the Connection Method list.
8. Double-click on Std Explicit in the Connection Method section. The Edit / Create a Connection Object window opens.
9. From the NAT Address list, select Explicit.
10. Enter the management IP address of the NG Firewall as the Explicit IP.
11. Click OK.
12. Click OK.
13. Place the access rule above the BOX-DHCP-OUT rule.
14. Click Send Changes and Activate.
Clients in the remote network can now receive DHCP leases from the DHCP server in the local network.

DNS

The Barracuda NG Firewall can act as an authoritative DNS server, returning definitive answers to DNS queries about domain names specified in its configuration. The Barracuda NG Firewall DNS service specifies DNS zones such as hosts, domains, mail-exchangers etc. Each of the available zones can be defined as a forward or reverse lookup zone. You can use the same namespace internally and externally. You can return different IP addresses based on the source IP address of the DNS query (split DNS).

Configure the DNS Service

The DNS service provides the following configuration instances:
    DNS Hint Lookup Zone – The hint zone contains information on the initial set of root servers.
    DNS Template Zone – Use the template zone to build templates for the creation of new zones.
    DNS Configuration – This node contains the Forward Lookup configuration area. Sub-items of Forward Lookup are the already existing zones, including the hint and template zones.
For more information, see How to Configure the DNS Service.

DNS Zones

The DNS server stores information about parts of the domain name space in so-called zones. All names in a given zone share the same domain suffix. For example, if barracuda.com is the domain suffix, mail.barracuda.com and eng.barracuda.com are possible subdomains. These can all be served by one domain name server, or some of the subdomains can be delegated to other domain name servers. Every domain or subdomain is in exactly one zone. Rather than make a distinction between a zone and a domain, the Barracuda NG Firewall offers the possibility to create a domain. The Barracuda NG Firewall DNS configuration contains two predefined zones:
    Zone 1: _template – This zone contains the general template, which is used as the model for all newly created zones.
    Here, you can create or modify settings for Start Of Authority (SOA), primary server, Name Server (NS), etc.
    Zone 2: '.' – The initial set of root servers is defined using a hint zone. When the server starts up, it uses the hint zone file to find a root name server and get the most recent list of root name servers. The "." zone is short for this root zone and means any zone for which there is no locally defined zone (slave or master) or cached answer. Do NOT modify the root server settings in zone 2 ('.') unless you know exactly what you are doing.
When creating additional zones, you can configure the following zone types:
    Master – Every domain configuration change takes place on the master. From here, the information is propagated to the secondary servers. A master zone requires at least a Start of Authority (SOA) record and a Name Server (NS) record.
    Slave – A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. DNS slave zones do not require much configuration; just enter the IP addresses of the master server (or servers) and examine the security settings.
    Forward – A forward zone is used to direct all queries in it to other servers. The specification of options in such a zone will override any global options declared in the options statement. A forward zone does not need a transfer-source-IP.
    Hint – The initial set of root name servers is specified using a hint zone. When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. The Barracuda NG Firewall DNS server already has a hint zone (Zone ".") preconfigured, so normally there is no need to introduce another hint zone.
For information on how to configure DNS zones, see How to Configure DNS Zones.

DNS Interception

DNS Interception allows redirection or blocking of DNS queries for specific domains. This is achieved by applying policies.
When creating a policy, you can also specify whitelisting for certain domains. For more information, see How to Configure DNS Interception.

Debug Logging

You can also enable debug logging for the DNS service via the Command-Line Interface. When you enable debug logging for DNS:
    The log file may grow, depending on the number of requests.
    With every change in the service configuration, debug logging is disabled.
For information on how to enable debug logging, see How to Configure DNS Zones.

How to Configure the DNS Service

The Barracuda NG Firewall can act as an authoritative DNS server for your domains.

In this article:
Before you Begin
Configure the DNS Service

Before you Begin

Before modifying the server settings, you must create a DNS service. For more information, see How to Configure Services.

Configure the DNS Service

To configure zone-independent DNS server settings:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
2. Double-click DNS Configuration.
3. Right click the server name in the DNS configuration area (e.g.: S1_dns) and select Lock Server.
4. Right click the server name and select Properties.
5. In the Interface section, configure the forwarding behavior of the DNS service.
    forward – This menu offers the following settings:
        <blank> – The default settings of BIND are used.
        first – The server forwards the DNS query first. Only if no entry is found is the local database queried.
        only – The server forwards all DNS queries.
    forwarders – Enter the IP addresses of the DNS servers to which DNS queries are forwarded. Separate multiple entries with a semicolon and a space (e.g. 10.0.0.53; 10.0.0.67).
    recursion – Defines whether recursive queries are allowed.
    The following options are available:
        <blank> – The default settings of BIND are used.
        yes – The server allows recursive queries.
        no – The server does not allow recursive queries.
    notify – Define whether the DNS server should actively notify its slaves about settings updates.
    forward source-ip – This field offers various options to select the IPv4 or IPv6 address to be used for contacting other DNS servers.
        <blank> – The default settings of BIND are used.
        server-first – The DNS service uses the first server IP for connecting.
        server-second – The DNS service uses the second server IP for connecting.
        explicit – The DNS service uses an explicit IP address for connecting. This IP address must be configured as a server IP. Separate multiple IP addresses or address ranges using semicolon and whitespace characters (e.g. 10.0.0.53; 10.0.0.67; 192.168.0.10; 10.17.0.0/16). Use CIDR notation.
6. In the Security section, configure security options for the DNS service (when selecting any, you can optionally define one or more further IPv4 or IPv6 addresses):
    allow notify – Hosts that are allowed to notify the DNS server about zone changes.
    allow query – Hosts that are allowed to query the DNS server. By default, all hosts are allowed to query the DNS server.
    allow recursion – Hosts that are allowed to make recursive queries on this server.
    allow transfer – Hosts that are allowed to fetch the DNS database from the DNS server.
    blackhole – Addresses that the server will not accept queries from and will not use to resolve a query.
    In each pull-down field, one of the following values can be filled in:
        none
        any
        (one or more IPv4 or IPv6 addresses) – These entries can optionally be complemented with further IP addresses.
7. Click OK.
8. Click Send Changes and Activate.
Continue with How to Configure DNS Zones.
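The Security section above decides, per source address, whether a plain query, a recursive query or a zone transfer is answered, with blackhole taking precedence over every allow list. The following Python is an added example, not the firewall's code: it parses the value syntax the article uses (none, any, or a semicolon-separated list of addresses and CIDR ranges), answers that question for a given source address, and flags the two settings a reviewer of a DNS configuration looks for first: recursion open to any, which makes the service an open resolver for the whole Internet, and allow transfer set to any, which lets anyone download the complete zone data. The settings dictionary is constructed for the example.

```python
"""Evaluate the DNS service Security lists for a source address and flag
exposed settings. Added example; the settings dictionary is constructed."""
from ipaddress import ip_address, ip_network


def parse_match_list(value):
    """'none' -> [], 'any' -> ['any'], otherwise the listed networks.
    A bare address becomes a /32 or /128 network."""
    value = value.strip()
    if value == "none":
        return []
    if value == "any":
        return ["any"]
    return [ip_network(item.strip(), strict=False)
            for item in value.split(";") if item.strip()]


def matches(source, match_list):
    """True if the source address is covered by the list ('any', or a
    network of the same IP version that contains it)."""
    src = ip_address(source)
    for entry in match_list:
        if entry == "any" or src in entry:   # 'in' is False across versions
            return True
    return False


def decide(settings, source, kind):
    """kind is 'query', 'recursion' or 'transfer'. Blackholed sources are
    refused before any allow list is consulted; recursion additionally
    needs the recursion switch to be on."""
    if matches(source, parse_match_list(settings["blackhole"])):
        return "blackholed"
    if kind == "recursion" and settings["recursion"] == "no":
        return "refused"
    allowed = parse_match_list(settings[f"allow {kind}"])
    return "allowed" if matches(source, allowed) else "refused"


def lint(settings):
    """Findings a configuration review would raise against the Security
    section."""
    findings = []
    if settings["recursion"] != "no" and \
            "any" in parse_match_list(settings["allow recursion"]):
        findings.append("allow recursion = any: open resolver")
    if "any" in parse_match_list(settings["allow transfer"]):
        findings.append("allow transfer = any: zone data readable by anyone")
    return findings


# Constructed settings in the article's notation: recursion and transfers
# limited to internal ranges, one documentation prefix blackholed.
EXAMPLE = {
    "recursion": "yes",
    "allow query": "any",
    "allow recursion": "10.0.0.0/8; 192.168.0.0/16",
    "allow transfer": "10.0.0.53; 10.0.0.67",
    "blackhole": "198.51.100.0/24",
}
# The same settings with the two lists opened up, to show what lint reports.
EXPOSED = dict(EXAMPLE, **{"allow recursion": "any", "allow transfer": "any"})

if __name__ == "__main__":
    for src, kind in [("10.17.1.5", "recursion"), ("203.0.113.9", "recursion"),
                      ("203.0.113.9", "query"), ("198.51.100.7", "query"),
                      ("10.0.0.67", "transfer")]:
        print(f"{src:14} {kind:10} -> {decide(EXAMPLE, src, kind)}")
    print("findings:", lint(EXPOSED))
```

Keeping allow query at any while restricting allow recursion to internal ranges is the usual shape for a server that is authoritative for public zones and a resolver only for the internal network; allow transfer should list exactly the slave servers' addresses, as the article's own example values (10.0.0.53; 10.0.0.67) do.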
How to Configure DNS Zones

Configure DNS zones for use with the DNS service of the Barracuda NG Firewall. Modify the DNS zone template by adding hosts, subdomains, mail exchangers, etc. You can also create new DNS zones. When adding new zones, they will inherit all the settings specified in the template zone. The procedure for creating and modifying zone template settings is identical to the procedure for creating and editing settings in a new zone. Each zone can be defined as a forward or reverse lookup zone.

In this article:
Before you Begin
Configure a DNS Zone
Add a New Name Server
Add a New Host
Add a New Mail Exchanger
Add a New Domain
Add New Others
Add a New Zone
Troubleshooting
Add a New Start of Authority (SOA)
Enable Debug Logging

Before you Begin

Before starting the configuration, you must create a DNS service. For more information, see How to Configure Services.
Make sure that your DNS server is properly configured. For more information, see How to Configure the DNS Service.

Configure a DNS Zone

Configure zone 1 (_template) by modifying the Start of Authority (SOA). Then, you can add and configure further zones that will inherit the template settings. Every DNS record has a Time to Live (TTL) value, which is the length of time that the DNS record can be cached. For most DNS records, two days is a typical and acceptable value. However, A records should have a very short TTL, such as 30 seconds.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
2. Double-click DNS Template Zone.
3. Right click the zone entry (e.g. _template) in the left navigation tree and select Lock Zone.
4. In the main table, double click the zone entry (e.g. _template). The Properties of window opens.
5. Define a Serial number. Update will increase the serial number by one.
The serial number of the master has to be higher than the serial number saved on a slave; otherwise, the slave will stop fetching information updates from its master.
6. In the Primary Server field, define the primary name server of the domain. Click Pick up to select already created entries.
7. In the Responsible person field, define a person responsible for this host/zone. The syntax that has to be used is username.domain (e.g. ernestexample.test.org).
8. Adjust the following settings according to your needs:
    Refresh after – This interval tells the slave how often it has to check whether its data is up to date.
    Retry after – When the slave fails to reach the master server after the refresh period (Refresh after), it starts trying again after this set time interval.
    Expire after – When the slave fails to contact the master server for the expire period, the slave expires its data. Expiring means that the slave stops giving out answers about the data because the data is too old to be useful.
    Minimum TTL – (standard) This value sets the Time To Live of cached database entries of this zone (format: days:hours:minutes:seconds).
    Expire (TTL) – This value sets the Time To Live of cached database entries of this zone until it is considered expired.
9. Click OK.
10. Click Send Changes and Activate.
The Start of Authority (SOA) for the zone is now configured, and you can add Name Server (NS), host, Mail-Exchanger and sub-domain entries, depending on your requirements. Each added entry generates an additional tab in the Properties of window for the SOA, from where you can edit the settings.

Add a New Name Server

Introduce a Name Server (NS) to the zone.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
2. Double-click DNS Template Zone.
3.
Right click the zone entry (e.g.: _template) in the left navigation tree and select Lock Zone.
4. Right click in the table and select New Name Server (NS).
5. Click Add. The Properties of window opens.
6. Enter the Servername. To select existing entries, click Pick up.
7. Enter the IPv4 or IPv6 address of the name server and click Add.
8. In the Expire (TTL) field, set the globally defined length of life that future name server records are expected to have (format: days:hours:minutes:seconds), and click OK.
9. Click OK.
10. Click Send Changes and Activate.
An entry for the new name server is now displayed in a separate row within the main table and can be selected for further modification.

Add a New Host

Introduce a host to the zone (e.g.: _template).
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
2. Double-click DNS Template Zone.
3. Right click the zone entry (e.g.: _template) in the left navigation tree and select Lock Zone.
4. Right click in the table and select New Host.
5. In the Host field, enter the name of the host.
6. Enter the host IPv4 address and click Add.
7. Define the Expire (TTL) (format: days:hours:minutes:seconds).
8. Select Add corresponding reverse lookup entry (PTR) to automatically create a pointer record when creating the A-Record.
Entries made in the individual tabs will be saved in separate rows of type A, TXT, HINFO and WKS within the main configuration window. Each configuration tab allows specification of the Expire (TTL) (format: days:hours:minutes:seconds).
9. Open the Text (TXT) tab.
10. In the Text field, enter an optional description of the system to simplify maintenance of the DNS database.
11. Under the Host Information (HINFO) tab, add information on the hardware and operating system of the host, if applicable.
12.
Under the Well-Known Services (WKS) tab, specify the IPv4 address and the used protocol in the appropriate fields. The services must be entered in plain text and separated with blanks (e.g. telnet ssh smtp ftp).
13. Click OK.
14. Click Send Changes and Activate.
An entry for the new host is now displayed in a separate row within the main table and can be selected for further modification.

Add a New Mail Exchanger

Introduce a mail exchanger to handle mail traffic for the domain.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
2. Double-click DNS Template Zone.
3. Right click the zone entry (_template) in the left navigation tree and select Lock Zone.
4. Right click in the table and select New Mail-Exchanger.
5. In the Host field, specify the following values according to your needs:
    Mail-exchanger is responsible for @domain.com
    any_text – Mail-exchanger is responsible for @any_text.domain.com
6. Specify the Mailserver name. To select existing entries, click Pick up.
7. If required, set the values for Mailserver priority and Expire (TTL) (format: days:hours:minutes:seconds).
8. Open the Mailbox information (MINFO) tab.
9. Specify the name of the Mailbox (MB). To select existing entries, click Pick up.
10. Specify the name of the Error Mailbox (MB) and Expire (TTL) (format: days:hours:minutes:seconds).
11. Under the Well-Known Services (WKS) tab, enter the IPv4 address and the used protocol in the appropriate fields.
12. Enter the services (e.g. telnet ssh smtp ftp). The services must be entered in plain text and separated with blanks.
13. Click OK.
14. Click Send Changes and Activate.
An entry for the mail exchanger is now displayed in a separate row within the main table and can be selected for further modification.

Add a New Domain

Introduce a new subdomain to the zone (e.g.: _template).
1.
2. 3. 4. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service. Double-click DNS Template Zone. Right click the zone entry (_template) in the left navigation tree and select Lock Zone. Right click in the table and select New Domain. 5. Enter a name for the new sub-domain and click OK. After clicking OK, the new subdomain displays in the DNS tree. Within the new sub-domain, you can perform the same operations as described above. Completely set up new subdomains before clicking Send Changes and Activate. Otherwise, incompletely configured subdomains are deleted. 6. Click Send Changes and Activate. Add New Others There are several other objects you can add to your DNS configuration. These objects can be introduced by right clicking in the DNS config table and selecting New Others. The following objects can be added to the DNS configuration: Parameter Overview Click here to expand... Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 309 A New host. AAAA IPv6 address. AFSDB AFSDB records specify the hosts that provide a style of distributed service advertised under this domain name. A subtype value (analogous to the preference value in the MX record) indicates which style of distributed service is provided with the given name. Subtype 1 indicates that the named host is an AFS® database server for the AFS cell of the given domain name. Subtype 2 indicates that the named host provides intra-cell name service for the DCE cell named by the given domain name. CNAME CNAME specifies an alias or nickname for the official or canonical name. An alias should be the only record associated with the alias; all other resource records should be associated with the canonical name and not with the alias. Any resource records that include a zone name as their value (for example, NS or MX) must list the canonical name, not the alias. 
This resource record is especially useful when changing machine names. DNAME DNAME specifies an alias for one or more subdomains of a domain. The effect of this is that the entire subtree of DNS identified by the domain name can be mapped onto the target domain. HINFO HINFO records contain host-specific data. They list the hardware and operating system that are running on the listed host. If you want to include a space in the machine name, you must quote the name. Host information is not specific to any address class, so ANY may be used for the address class. There should be one HINFO record for each host. For security reasons, many sites do not include the HINFO record, and no applications depend on this record. ISDN Representation of ISDN addresses. MB MB lists the machine where a user wants to receive mail. The "name" field is the user's login; the machine field denotes the machine to which mail is to be delivered. Mail box names should be unique to the zone. MG The mail group record (MG) lists members of a mail group. MINFO MINFO creates a mail group for a mailing list. This resource record is usually associated with a mail group, but it can be used with a mailbox record. The "name" specifies the name of the mailbox. The "requests" field is where mail such, as requests to be added to a mail group, should be sent. The "maintainer" is a mailbox that should receive error messages. This is particularly appropriate for mailing lists when errors in members' names should be reported to a person different to the sender. MR MR records lists aliases for a user. The "name" field lists the alias for the name listed in the fourth field, which should have a corresponding MB record. MX MX records specify a list of hosts that are configured to receive mail sent to this domain name. 
Every host that receives mail should have an MX record, since if one is not found at the time the mail is delivered, an MX value will be imputed with a cost of 0 and a destination of the host itself. NAPTR NAPTR records map between sets of URNs, URLs and plain domain names and suggest to clients what protocol should be used to talk to the mapped resource. For example NAPTR is used in SIP. The SIP URN for the US telephone number 1-800-555-1234 would be tel:+1-800-555-1234 and its domain name sipcalls.sip.com Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 310 NS NS lists a name server responsible for a given zone. The first "name'' field lists the zone that is serviced by the listed name server. There should be one NS record for each name server of the zone, and every zone should have at least two name servers, preferably on separate networks. PTR PTR allows special names to point to some other location in the domain. The following example of a PTR record is used in setting up reverse pointers for the special in addr.arpa domain. This line is from the example mynet.rev file. In this record, the "name'' field is the network number of the host in reverse order. You only need to specify enough octets to make the name unique. RP RP identifies the name (or group name) of the responsible person(s) for a host. This information is useful in troubleshooting problems over the network. RT Route-through binding for hosts that do not have their own direct wide area network addresses (experimental). SRV Information on well known network services (replaces WKS). TXT A TXT record contains free-form textual data. The syntax of the text depends on the domain in which it appears; several systems use TXT records to encode user databases and other administrative data. WKS WKS records describe the well-known services supported by a particular protocol at a specified address. 
The list of services and port numbers comes from the list of services specified in /etc/services. There should be only one WKS record per protocol and address. Because the WKS record is not widely used throughout the Internet, applications should not rely on the existence of this record to recognize the presence or absence of a service. Instead, the application should simply attempt to use the service. X25 Representation of X.25 network addresses (experimental). Add a New Zone Create an additional zone and configure the settings according to your requirements. This new zone will inherit the settings configured in the template zone. (Note that only template settings will be inherited that already existed before the zone was created.) 1. 2. 3. 4. 5. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service. Double-click DNS Template Zone. Right click your DNS server and select Lock Server. Right click your DNS server and select Add New Zone. The Properties of window opens. Select the Type of the zone from the list. (For more information, see DNS) 6. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 311 6. Enter the Origin Domain Name you wish to create here (e.g. barracuda.com). 7. Define whether the zone should perform DNS Forward or Reverse lookup: Forward – Provides IP addresses for known host names. Reverse – Provides host names for known IP addresses (provided only for 8-bit networks, e.g. 213.47.10.0/24). 8. When type Slave is selected, add the master IP addresses. 9. When type Forward is selected, add the forward IP addresses. 10. Clicking advanced and configure the following settings in the Interface section: notify – Allows the administrator to select whether the DNS server should notify slave DNS servers about zone changes. If expli cit is selected, enter the explicit IP address in the also notify field. 
also notify – Here you may enter a list of IPv4 or IPv6 hosts that should be notified about zone changes although these machines are not registered slaves of the DNS server. Separate multiple entries with a semicolon and space (e.g. 10.0.0.53; 10.0.0.67; 192.168.0.10; 2001:db8:85a3:0:0:8a2e:370:73341). transfer-source-ip – (only available for type Slave) The IP address the slave has to use when contacting its master DNS server. Be sure to set the transfer-source-IP when configuring a slave zone, otherwise the slave zone will not be accepted by the DNS server. 11. In the Security section, configure detailed security options for the DNS service (These settings are very important for type Master and Forward).: allow notify – (only available for type Slave). Defines if the slave accepts notifications about updates from its master. allow query – Lists the IPv4 or IPv6 hosts that are allowed to query the DNS server. By default all hosts are allowed. allow update – Lists the hosts that are allowed to update the database of the DNS server. allow transfer – Lists the hosts that are allowed to fetch the DNS database from the DNS server. 12. Click OK. 13. Click Send Changes and Activate. The new zone is now displayed in the left configuration tree. Clicking on this entry displays the zone details in the main table, from where you can add Name Servers, hosts, subdomains, mail exchangers, etc. Troubleshooting Add a New Start of Authority (SOA) In case if you have deleted the standard template which is automatically inherited by newly generated zones and have thereafter created a new zone, you must create a new Start of Authority (SOA). 1. 2. 3. 4. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service. Double-click DNS Template Zone. Right click your DNS server and select Lock Server. Locate the newly created domain lacking an SOA record in the tree view. 5. 
Right click in the table and select Add a New Start of Authority (SOA), or, if 6. 7. the SOA record already exists, double-click an existing entry with type NS or SOA and select the Start of Authority (SOA) tab. Specify the settings as described in Configure DNS Zones. Click Send Changes and Activate. In order to function, the reverse zone as described in Define Reverse Lookup Zones must have already been created. Enable Debug Logging To enable debug logging for the DNS service, edit its named.conf file. Then restart the service. 1. Edit the named.conf file. vi /opt/phion/config/active/servers/<servername>/services/<dns-servicename>/named.conf 2. Replace these lines: logging { category "default" { "default_syslog"; }; }; 3. with the following lines: Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 3. logging { category "default" { "default_syslog"; }; category "general" { "default_syslog"; }; category "database" { "default_syslog"; }; category "security" { "default_syslog"; }; category "config" { "default_syslog"; }; category "resolver" { "default_syslog"; }; category "xfer-in" { "default_syslog"; }; category "xfer-out" { "default_syslog"; }; category "notify" { "default_syslog"; }; category "client" { "default_syslog"; }; category "unmatched" { "default_syslog"; }; category "network" { "default_syslog"; }; category "update" { "default_syslog"; }; category "queries" { "default_syslog"; }; category "dispatch" { "default_syslog"; }; category "dnssec" { "default_syslog"; }; category "lame-servers" { "default_syslog"; }; }; 4. Restart the DNS service. Enter: phionctrl module restart dns Copyright © 2015, Barracuda Networks Inc. 
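The zone security settings (allow query, allow update, allow transfer) and the named.conf logging categories above are what an auditor checks in the resulting BIND-style configuration. The following Python script is an added example, not Barracuda code: it parses a constructed named.conf fragment, reports zones whose transfer or update ACL is open to any host, and lists which security-relevant debug-logging categories are still unconfigured.

```python
"""Audit a BIND-style named.conf for the zone access settings and logging
categories described above. Added example (not Barracuda code); the sample
configuration below is constructed for illustration."""
import re

# Logging categories from the debug-logging procedure that matter most when
# investigating zone transfers, dynamic updates and query abuse.
SECURITY_CATEGORIES = {"security", "xfer-in", "xfer-out", "notify", "update",
                       "queries", "lame-servers"}

# Assumption: each zone statement is closed by "};" at the start of a line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{(.*?)\n\};', re.S)
ACL_RE = re.compile(r'(allow-(?:query|update|transfer))\s*\{([^}]*)\}')
CATEGORY_RE = re.compile(r'category\s+"([^"]+)"\s*\{([^}]*)\}')

SAMPLE_NAMED_CONF = """\
logging {
    category "default" { "default_syslog"; };
    category "security" { "default_syslog"; };
    category "xfer-out" { "default_syslog"; };
};

zone "example.com" IN {
    type master;
    file "example.com.db";
    allow-query { any; };
    allow-transfer { 10.0.0.53; 2001:db8:85a3::8a2e:370:7334; };
    allow-update { none; };
};

zone "10.47.213.in-addr.arpa" IN {
    type master;
    file "213.47.10.rev";
    allow-transfer { any; };
    allow-update { any; };
};
"""


def _tokens(body):
    """Split an ACL body such as ' 10.0.0.53; any; ' into its address-match entries."""
    return [t.strip() for t in body.split(";") if t.strip()]


def parse_zone_acls(conf):
    """Return {zone: {option: [entries]}} for the allow-* options of every zone."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        zones[name] = {opt: _tokens(acl) for opt, acl in ACL_RE.findall(body)}
    return zones


def audit_zone_acls(conf):
    """Findings for zones whose transfer or update ACL is open to any host or unset.
    allow-query open to any host is the documented default and is not reported."""
    findings = []
    for zone, acls in parse_zone_acls(conf).items():
        for opt in ("allow-transfer", "allow-update"):
            if opt not in acls:
                findings.append(f"{zone}: {opt} not set; the server-wide default applies")
            elif "any" in acls[opt]:
                findings.append(f"{zone}: {opt} is open to any host")
    return findings


def missing_log_categories(conf):
    """Security-relevant categories not routed to a channel in the logging block."""
    configured = {name for name, _ in CATEGORY_RE.findall(conf)}
    return sorted(SECURITY_CATEGORIES - configured)


if __name__ == "__main__":
    for line in audit_zone_acls(SAMPLE_NAMED_CONF):
        print("FINDING:", line)
    print("categories to add for debugging:",
          ", ".join(missing_log_categories(SAMPLE_NAMED_CONF)))
```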
Dynamic Routing Protocols (OSPF/RIP/BGP)

The Barracuda NextGen Firewall F-Series supports three dynamic routing protocols: Open Shortest Path First (OSPF), Routing Information Protocol (RIP Version 1 and RIP Version 2), and Border Gateway Protocol (BGP). OSPF and RIP are Interior Gateway Protocols (IGP) and distribute routing information within an autonomous system, whereas BGP is an Exterior Gateway Protocol. The routes learned via the dynamic routing protocols are applied to the kernel routing table. Set the route metric instead of the administrative distance to prioritize one route over the other.

OSPF

The F-Series Firewall supports the OSPFv2 and OSPFv3 versions of the OSPF protocol. OSPF is a link state protocol and uses the Dijkstra algorithm to calculate the shortest path tree. A router's interface is the "link". The "state" of this interface is summed up by its IP address, subnet mask, interface type, neighbor state, etc. Every router keeps track of all connected interfaces and states and sends this information via multicast to its neighbors. These packets are known as LSAs (Link State Advertisements). The router builds its link state database with the information provided by the LSAs. Every time a network change occurs, LSAs containing the new information are sent, thus triggering every router to update its database. After having received all LSAs, the router calculates the loop-free topology. LSAs cannot be filtered within an area because all routers in an area must have the same link state database. If some information is missing, routing loops can occur.

OSPF is a hierarchical IGP; it uses Areas to achieve this. The top-level Area is known as the Backbone Area, and the number of this Area must always be 0 or 0.0.0.0. All other Areas must be physically connected to this Backbone Area. One very important aspect of OSPF is that Areas must not be split (if this cannot be avoided, a virtual link has to be used to extend Area 0 over another area). Routers within an area are known as Area Routers. Routers connected to two or more areas are known as Area Border Routers (ABR), and routers connected to other autonomous systems are called Autonomous System Boundary Routers (ASBR). Routing information can be summarized on ABRs and ASBRs. It is not possible to summarize routing information within an area.

The metric used by OSPF is cost. Every link has an associated cost value, derived from the link bandwidth. The metric to a destination is calculated by adding up all costs. If there is more than one possible path to a destination, the route with the lowest cost is chosen as the best route.

To advertise LSAs, the router has to be in an OSPF neighborship with other routers. When this neighborship is fully established, the interfaces begin sending the updates (LSAs). To build an adjacency, hello packets are continuously exchanged between neighboring routers. This also keeps track of the existence of the connected OSPF neighbors. To lower the number of updates exchanged on a broadcast medium (for example, Ethernet), LSAs are only sent to a so-called Designated Router (DR). This interface advertises the information to all other routers on the shared medium. Without a DR, an any-to-any neighborship between all OSPF routers on this segment would be needed. For backup reasons, a Backup DR (BDR) is elected. Every other router establishes a neighborship only with the DR and BDR.

Areas can be configured as stub areas, where external routes are not advertised by ABRs to the Area Routers. Instead, a default route is injected into the area. Area 0 cannot be a stub area.

OSPF is very CPU and memory intensive. Therefore, be careful when enabling OSPF on low-end interfaces in a large network.

For more information, see:
   How to Install and Configure the OSPF/RIP/BGP Service
   How to Configure OSPF Routers and Areas
   How to Configure Filter Setup for OSPF and RIP
   How to Enable Debugging for OSPF
   Example for OSPF and RIP Configuration

RIP

The F-Series Firewall supports the RIPv1, RIPv2, and RIPng versions of the RIP protocol. RIP is a distance-vector protocol. The expression "distance-vector" can be defined as follows: the vector is the direction to the destination (next hop); the distance is treated as a metric type. Example: Destination A is a distance of 3 hops away and the direction is via router AA.

RIP uses hop count as its metric. A maximum of 15 hops is possible; metric 16 means that a network is unreachable. All RIP routers periodically send routing updates. Every update includes the whole routing table. The following techniques have been introduced to prevent routing loops:

   Split Horizon – When sending updates out of a particular interface, the routes learned from this interface are not included in the update.
   Split Horizon with Poison Reverse – This method is an extension to Split Horizon. The router includes learned routes in the update but marks these routes as unreachable.
   Counting to infinity – To recognize unreachable networks on link failures. Infinity in RIP is defined as 16 hops. Every time a routing update passes a router, the hop count is increased by 1. When the counter reaches 16, the network is considered unreachable.

RIPv1 is classful, which means that subnet information cannot be distributed. RIPv2, on the other hand, is classless. This means the subnet mask is included in the routing update.

The maximum route metric for RIP routes is 255. This means it is not possible to use RIP routes as fallback routes if other OSPF or BGP route metrics are over 255.

For more information, see:
   How to Install and Configure the OSPF/RIP/BGP Service
   How to Configure RIP Router Setup
   How to Configure Filter Setup for OSPF and RIP
   Example for OSPF and RIP Configuration

BGP

The F-Series Firewall supports the BGP4 and BGP4+ versions of the BGP protocol. BGP is an Exterior Gateway Protocol (EGP) and is typically used to connect the autonomous systems (AS) of Internet service providers. BGP calculates routing paths based on several pieces of information, such as AS Path, IGP-Metric, Multi-Exit Discriminator, Communities, Local Preferences, Next Hop, Weight and Origin. Autonomous systems communicate with each other through TCP sessions on port 179. BGP can run between peers in the same AS as well as between peers on the border to other autonomous systems. It thus acts as an Interior Border Gateway Protocol (IBGP) as well as an Exterior Gateway Protocol (EGP).

For more information, see:
   How to Install and Configure the OSPF/RIP/BGP Service
   How to Configure BGP Router Setup
   How to Configure BGP for Inbound Link Failover

Protocol Comparison

The following table summarizes the feature differences between the supported dynamic routing protocols.

Convergence
   OSPF: Fast
   RIP: Slow
   BGP: Slow
Network size
   OSPF: For large and small networks.
   RIP: Only for small to medium networks, because the maximum metric is 15 hops.
   BGP: For large networks.
Need of device resources
   OSPF: Memory and CPU intensive.
   RIP: Much less memory and CPU intensive than OSPF.
   BGP: Depends on the size of the routing table, but scales better than OSPF.
Need of network resources
   OSPF: Less than RIP; only small updates are sent.
   RIP: Bandwidth consuming; the whole routing table is sent (default: every 90 seconds).
   BGP: Bandwidth consuming while learning network routes from connected autonomous systems or during update bursts.
Metric
   OSPF: Based on bandwidth.
   RIP: Based on hop count, no matter how fast the connections are.
   BGP: Based on AS Path, IGP-Metric, Multi-Exit Discriminator, Communities, Local Preferences, Next Hop, Weight and Origin.
Design
   OSPF: Hierarchical network possible.
   RIP: Flat network.
   BGP: Fully meshed.
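The RIP loop-prevention techniques described in the RIP section above (split horizon, poison reverse, counting to infinity), as a small simulation added here; it is not Barracuda or Quagga code, and the routing table it works on is constructed.

```python
"""Simulation of the RIP loop-prevention techniques described above: split
horizon, split horizon with poison reverse, and counting to infinity.
Added example, not Barracuda or Quagga code; the routing table is constructed."""
RIP_INFINITY = 16   # metric 16 means unreachable; 15 hops is the maximum

# Constructed routing table: prefix -> (hop count, interface the route was
# learned on; None for directly connected networks).
SAMPLE_TABLE = {
    "10.0.1.0/24": (1, None),       # connected, eth0
    "10.0.2.0/24": (1, None),       # connected, eth1
    "10.0.66.0/24": (3, "eth0"),    # learned from the neighbour on eth0
    "192.0.2.0/24": (16, "eth1"),   # already unreachable
}


def build_update(table, out_iface, poison_reverse=False):
    """Routes advertised out of out_iface as {prefix: metric}.
    Split horizon omits routes learned on out_iface; poison reverse keeps them
    in the update but advertises them with metric 16 (unreachable)."""
    update = {}
    for prefix, (hops, learned_on) in table.items():
        if learned_on == out_iface:
            if poison_reverse:
                update[prefix] = RIP_INFINITY
            continue
        update[prefix] = hops
    return update


def learn_update(table, in_iface, update):
    """Apply a neighbour's update received on in_iface. Every hop adds 1 to the
    metric and the count saturates at 16, which is how unreachable networks are
    eventually recognised (counting to infinity)."""
    learned = dict(table)
    for prefix, metric in update.items():
        hops = min(metric + 1, RIP_INFINITY)
        current = table.get(prefix)
        # Install if the route is new, better, or comes from the router we already use.
        if current is None or hops < current[0] or current[1] == in_iface:
            learned[prefix] = (hops, in_iface)
    return learned


def count_to_infinity(stale_hops, split_horizon=False):
    """Number of updates exchanged between routers A and B before a stale route
    reaches metric 16. B learned the route from A; A's link to the destination
    has just failed, so A holds metric 16 while B still believes stale_hops."""
    if split_horizon:
        return 0        # B never re-advertises the route back towards A
    a_hops, b_hops, exchanges = RIP_INFINITY, stale_hops, 0
    while True:
        a_hops = min(b_hops + 1, RIP_INFINITY)   # B -> A
        exchanges += 1
        if a_hops == RIP_INFINITY:
            return exchanges
        b_hops = min(a_hops + 1, RIP_INFINITY)   # A -> B
        exchanges += 1
        if b_hops == RIP_INFINITY:
            return exchanges


if __name__ == "__main__":
    print("eth0, split horizon:   ", build_update(SAMPLE_TABLE, "eth0"))
    print("eth0, poison reverse:  ", build_update(SAMPLE_TABLE, "eth0", poison_reverse=True))
    print("updates until infinity:", count_to_infinity(2))
```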
HA Operation

The OSPF/RIP service synchronizes externally learned routes with its HA partner. Routes cannot be introduced on the partner while it is "passive" because the network routes required to do so are missing. The external routes HA information is thus stored in a file and introduced on the HA system during startup of the OSPF/RIP service. Take-over and startup of the OSPF/RIP service usually take a few seconds. The HA routes are introduced as protocol "extha" (number 245). These routes are then either replaced by newly learned external OSPF or RIP routes (protocols "ospfext" or "ripext") or removed by the HA garbage collection after five minutes.

How to Install and Configure the OSPF/RIP/BGP Service

This article provides step-by-step information on how to install and configure dynamic routing protocols.

Configure OSPF/RIP/BGP

To configure OSPF/RIP/BGP settings, proceed with the following steps:

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service.
2. Click Lock.
3. In the left menu, click Operational Setup. General parameters of the dynamic routing protocols, like enabling/disabling the protocol and handling of dynamic routes, are configured here.

On a Barracuda NG Firewall, route selection depends directly on the metric of a route; routes with a lower metric are preferred to routes with a higher metric. Static routes have a metric of 1 by default. RIP routes can have a maximum metric of 15 hops, and OSPF routes will mostly have a cost of more than 20. As it is desirable that OSPF routes be preferred to RIP routes, metrics can be increased artificially by defining administrative distances. The corresponding parameter Administrative Distance for RIP is set to 120 and Admin Distance for OSPF is left empty by default. The value specified for the administrative distance is added to every route learned through OSPF or RIP respectively.

Operational Setup

Idle Mode – If this parameter is set to yes, the OSPF/RIP/BGP wrapper is started by the control daemon but does not start the actual OSPF/RIP/BGP routing service.
Run OSPF Router – By setting this value, the OSPF routing functionality can be enabled or disabled.
Run RIP Router – By setting this value, the RIP routing functionality can be enabled or disabled.
Run BGP Router – By setting this value, the BGP routing functionality can be enabled or disabled.
Hostname – Allows overriding the propagated hostname, which by default is the box hostname.
Operation Mode – The operation mode defines the handling of route learning and propagation. The following settings are possible:
   advertise-only – Routes are only advertised.
   learn-only – Networks are not propagated, except those networks living on the interfaces configured for OSPF/RIP/BGP themselves; learned routes from other systems are still advertised.
   advertise-learn – OSPF/BGP routes are learned and propagated.
Router ID – Every OSPF/BGP router is identified by its Router ID. This ID is defined by an IP address explicitly configured for this router. Note that the router ID must also be set if the routing service only provides a RIP service; although it is not used by RIP, you must enter an IP address.

OSPF Preferences

Log Level – Specifies the verbosity of the OSPF routing service: critical, debugging, emergencies, errors, informational (default), notifications, warnings, alerts.
Use Special Routing Table – By setting this parameter to yes and selecting a table name below, routes learned by the OSPF service are introduced into their own routing table. Note that the routing table is not automatically introduced but has to be configured manually by introducing Policy Routes.
Table Names – A list of policy routing table names can be specified here. Routes learned by the routing daemon are introduced into each of the listed routing tables.
Multipath Handling –
   ignore – Multipath routes will be discarded. OSPF summarizes routes to multipath routes automatically if more than one next hop to a prefix exists. Use the setting "ignore" with caution.
   assign-internal-preferences – Multipath routes will be translated to several routes with different metrics (preferences).
   accept-on-same-device – Multipath routes will be introduced as multipath if all next hops are reachable on the same interface.
   accept-all (default) – Multipath routes will be introduced.
Ignore default route (Advanced Mode) – If enabled, the learned default route is not inserted into the routing table of the Barracuda NG Firewall, but is still propagated via OSPF. If you do not want the default route to be propagated, use an OSPF filter.

For more detailed information on OSPF Router configuration, see How to Configure OSPF Routers and Areas.

RIP Preferences

This section, accessible via the link in the Configuration menu, can be specified the same way. For more detailed information on RIP Router configuration, see How to Configure RIP Router Setup. For a setup example including screenshots, see Example for OSPF and RIP Configuration.

BGP Router Setup

AS Number – Number of the autonomous system this router belongs to.
Confederation Parent AS – Number of the autonomous system that internally includes multiple sub-autonomous systems (aka confederation).
Confederation Partners – Sub-autonomous system numbers belonging to the same confederation.
Terminal Password – Password to connect to the BGP router through telnet. The system is reachable on loopback TCP port 2605.
Privileged Terminal Password – Password to enable configuration through a telnet connection.
Networks – Enter all networks the BGP router should run on. When running an Exterior Gateway Protocol BGP router, enter your WAN network. Make sure to enter an IP address including netmask, for example: 210.80.90.100/26
Route Aggregations – Enter network addresses to perform route aggregation to decrease the size of routing tables.
Advanced settings – Configuration of advanced BGP settings:
   External Distance Definition – Administrative distance for BGP external routes. External routes are the best path learned from a neighbor that is external to the AS. (default 20)
   Internal Distance Definition – Administrative distance for BGP internal routes. Internal routes are the best path learned from other BGP speakers within the same AS. (default 200)
   Local Distance Definition – Administrative distance for BGP local routes. Local routes are networks configured with the network command. (default 200)
   Keep Alive Timer – Number of seconds this BGP speaker waits for a keepalive message before deciding that the connection is down. The recommended value is 1/3 of the Hold Time.
   Administrative Distance – Number of seconds this BGP speaker waits for a keepalive, update, or notification message before deciding that the connection is down. The recommended value is 3 times the Keep Alive Timer.

BGP Preferences

Log Level – Logging level of the BGP routing daemon.
Use Special Routing Table – Routes learned via BGP are not introduced into the main table, but into the tables given below.
Table Names – Tables must exist in the network configuration.
Multipath Handling –
   ignore – Multipath routes will be discarded.
   assign-internal-preferences – Multipath routes will be translated to several routes with different metrics (preferences).
   accept-on-same-device – Multipath routes will be introduced as multipath if all next hops are reachable on the same device.

For more detailed information on BGP Router configuration, see How to Configure BGP Router Setup.
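The metric-based route selection and the administrative distances described in the Operational Setup section above (static metric 1, RIP hop count plus a default distance of 120, OSPF cost plus an empty distance, RIP capped at 255), modelled in Python. This is an added example, not Barracuda code; the candidate routes are constructed.

```python
"""Model of route selection on the NG Firewall as described above: the route
with the lowest metric wins, and the configured administrative distance is
added to the metric of every route learned through RIP or OSPF. Added example,
not Barracuda code; the candidate routes are constructed."""
from dataclasses import dataclass

RIP_INFINITY = 16      # a RIP hop count of 16 means unreachable
RIP_MAX_METRIC = 255   # the maximum route metric a RIP route can have

# Defaults from the Operational Setup: RIP 120, OSPF left empty (treated as 0).
DEFAULT_ADMIN_DISTANCE = {"rip": 120, "ospf": 0}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str   # "static", "rip" or "ospf"
    metric: int     # static metric (1 by default), RIP hop count or OSPF cost
    next_hop: str


def effective_metric(route, admin_distance=DEFAULT_ADMIN_DISTANCE):
    """Metric used for selection, or None if the route is not installable."""
    if route.protocol == "rip":
        if route.metric >= RIP_INFINITY:
            return None   # unreachable, never installed
        metric = route.metric + admin_distance.get("rip", 0)
        if metric > RIP_MAX_METRIC:
            raise ValueError(f"RIP metric {metric} exceeds the maximum of {RIP_MAX_METRIC}")
        return metric
    if route.protocol == "ospf":
        return route.metric + admin_distance.get("ospf", 0)
    return route.metric    # static routes carry their metric unchanged


def select_best(prefix, routes, admin_distance=DEFAULT_ADMIN_DISTANCE):
    """The preferred route to prefix: the installable one with the lowest metric."""
    best = None
    for route in routes:
        if route.prefix != prefix:
            continue
        metric = effective_metric(route, admin_distance)
        if metric is not None and (best is None or metric < best[0]):
            best = (metric, route)
    return best[1] if best else None


# Constructed candidates. 10.0.66.0/24 is reachable via all three sources; the
# OSPF routes to the last two prefixes carry a cost above 255.
CANDIDATE_ROUTES = [
    Route("10.0.66.0/24", "rip", 3, "10.0.1.2"),
    Route("10.0.66.0/24", "ospf", 30, "10.0.2.2"),
    Route("10.0.66.0/24", "static", 1, "10.0.3.1"),
    Route("192.0.2.0/24", "rip", 16, "10.0.1.2"),      # unreachable via RIP
    Route("192.0.2.0/24", "ospf", 300, "10.0.2.2"),
    Route("198.51.100.0/24", "rip", 5, "10.0.1.2"),
    Route("198.51.100.0/24", "ospf", 300, "10.0.2.2"),
]


if __name__ == "__main__":
    for prefix in ("10.0.66.0/24", "192.0.2.0/24", "198.51.100.0/24"):
        best = select_best(prefix, CANDIDATE_ROUTES)
        print(prefix, "->", best.protocol, "metric", effective_metric(best))
```

The 198.51.100.0/24 case shows the page's fallback caveat: a RIP route can never carry a metric above 255, so it always wins against an OSPF route with a cost above that value and cannot serve as its fallback.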
GUI as Text

This parameter set is only available in Advanced View mode. The configuration done with the GUI is displayed here in quagga/Cisco commands.

Show as Text – Set this to yes to show the created OSPF syntax configuration after Send Changes.
OSPF Text – Created OSPF syntax configuration. Shown if Show as Text is set to yes.
RIP Text – Created RIP syntax configuration. Shown if Show as Text is set to yes.
BGP Text – Created BGP syntax configuration. Shown if Show as Text is set to yes.

Text Based Configuration

Configure dynamic routing here if you do not want to configure it with the GUI. Configuration already done in the GUI will be replaced. The syntax used for quagga or Cisco applies.

OSPF Configuration / Free Format RIP Configuration:
Use Free Format – Set this to yes to use free OSPF/RIP syntax configuration.
Free Format Text – OSPF/RIP/BGP syntax configuration. This field applies when the parameter Use Free Format is set to yes.

Routing Configuration Example

Network routes which are required for an OSPF/RIP network prefix must NOT be a subset of another route (see below for an explanation).

   OSPF network prefix: 10.0.66.0/24
   Server IP: 10.0.66.98
   Box network route: 10.0.66.0/24 via dev eth1
   Additional box network route: 10.0.0.0/8 via dev eth0

In this configuration example, the required box network route "10.0.66.0/24 via dev eth1" is completely included in the additional box network route "10.0.0.0/8 via dev eth0". This leads to a mismatch in the OSPF configuration: OSPF will detect neither eth0 nor eth1 as OSPF enabled and therefore will not work.

HA Operation

The OSPF/RIP service synchronizes externally learned routes with its HA partner. Routes cannot be introduced on the partner while it is "passive" because the network routes required to do so are missing. The external routes HA information is thus stored in a file and introduced on the HA system during startup of the OSPF/RIP service. Take-over and startup of the OSPF/RIP service usually take a few seconds. The HA routes are introduced as protocol "extha" (number 245). These routes are then either replaced by newly learned external OSPF or RIP routes (protocols "ospfext" or "ripext") or removed by the HA garbage collection after five minutes.

How to Configure BGP Router Setup

In this article:
   Requirements
   Step 1. Configure Basic Settings
   Step 2. Configure Operational Settings
   Step 3. Configure BGP Preferences
   Step 4. Add an IP Prefix Filter
   Step 5. Configure Neighbor Settings
   Step 6. Add the IP Address of the BGP Router
   Step 7. Create a Firewall Rule for BGP Router Communication
   Administrating BGP Routers from the Command Line

Requirements

   Request your own or use a unique ARIN registered autonomous system (AS) number for your BGP site.
   Know the AS numbers of the BGP sites to be connected.
   Create an OSPF/RIP/BGP service on the Barracuda NG Firewall.

Step 1. Configure Basic Settings

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Enable BGP (if you are not using OSPF and RIP, disable them).
3. From the Operation Mode drop-down field, select one of the following options according to your requirements:
   advertise-only – Networks are only advertised.
   learn-only – Only networks on the interfaces that are configured for OSPF/RIP/BGP are propagated; learned routes from other systems are still advertised.
   advertise-learn – Networks are learned and propagated.
4. In the Hostname field, enter the hostname of the BGP router.
5. In the Router ID field, enter the IP address of the BGP router. You can enter any address from your ARIN range. Usually, the first or last IP address in the subnet is used. You must also add this IP address as an additional IP address in the Virtual Server Properties on the Barracuda NG Firewall, as described later in Step 6 of the configuration.
6. Click Send Changes and Activate.

Step 2. Configure Operational Settings

In the settings for network routes that should be propagated by the BGP router, make sure that you enable the Advertise Route setting. See How to Add a Direct Attached Route or How to Configure Gateway Routes.

1. On the OSPF/RIP/BGP Settings page, click BGP Router Setup from the Configuration menu in the left navigation pane.
2. In the AS Number field, enter the AS number that you received from ARIN. (This is the number of the autonomous system that the BGP router belongs to.)
3. In the Terminal Password field, specify the password for the connection to the BGP routing daemon through the command-line interface.
4. In the Networks table, add an entry for the ARIN network and any other network that you want to advertise.
   a. Enter a name for the network and click OK. The Network window opens.
   b. In the Network Prefix field, enter the network and subnet mask in CIDR notation for the autonomous system of the BGP router.
   c. Click OK.
5. In the Route Distribution Configuration section, enable the network route types to be redistributed by this BGP router according to your requirements. You can enable the following network routes:
   a. Kernel Routes – Kernel network routes will be redistributed.
   b. Static Routes – Gateway network routes will be redistributed.
   c. Connected Routes – Network routes of directly attached networks will be redistributed.
   d. RIP Routes – Network routes learned by the RIP router will be redistributed.
   e. OSPF Routes – Network routes learned by the OSPF router will be redistributed.
6. Click Send Changes and Activate.

Step 3. Configure BGP Preferences

In most cases, the default BGP preferences are sufficient and do not have to be configured. If you want, you can configure more detailed logging, special routing tables, and multipath handling.

1. On the OSPF/RIP/BGP Settings page, click BGP Preferences from the Configuration menu in the left navigation pane.
2. Specify the logging details according to your requirements.
3. Click Send Changes and Activate.

Step 4. Add an IP Prefix Filter

1. On the OSPF/RIP/BGP Settings page, click Filter Setup IPv4 from the Configuration menu in the left navigation pane.
   The Barracuda NG Firewall also provides this configuration area for IPv6 addresses. When using IPv6, specify all settings described in the sections designated for IPv6. Note that IPv6 also has to be enabled in Quagga. For general information on the implementation of IPv6 on the Barracuda NG Firewall, see How to Use IPv6.
2. In the IPv4 Prefix Filter table, add an entry for the IP prefix filter. Enter a descriptive name, for example ARIN, and then click OK.
3. In the IPv4 Prefix Filter configuration, enter an optional description, for example ARIN Range.
4. In the Sequence Number section, click + to add a Sequence Number configuration and specify a unique identifier number for the prefix list item in the Sequence Number field, for example 01.
5. In the Network Prefix field, enter the network IP range that you received from ARIN (in this example 198.200.200.0/24). Then click OK.
6. Click OK.
7. Click Send Changes and Activate.

Step 5. Configure Neighbor Settings

Before you configure the neighbor settings, the network for each provider that participates in BGP routing must be configured properly. Obtain and carefully verify the default gateway IP address for each provider.

Only start configuring the neighbor settings on the provider side after you have completed the previous sections for enabling BGP, configuring the BGP router and adding an IP prefix filter. Otherwise, the BGP routing infrastructure will dampen any ICMP request and response, and the BGP service will have to be restarted on the ISP side. This ping dampening occurs whenever the BGP service goes up and down numerous times over a short period of time.

1. On the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4 from the Configuration menu in the left navigation pane.
2. In the Neighbors table, add an entry for each provider network:
   a. Enter a descriptive name for the network and then click OK. The Neighbors window opens.
   b. In the Neighbor IP field, enter the default gateway IP address of the existing provider.
   c. From the Enable BGP Routing Protocol Usage list, select yes.
   d. In the BGP Parameters section, enter the BGP AS number of the ISP. (Do not enter the customer AS number that was specified in the BGP router settings.)
   e. In the Neighbor Password field, enter the password that should be used to connect to the neighbor peer.
   f. Select yes from the Update Source drop-down list to enable the Update Source Interface setting.
   g. In the Update Source Interface field, enter an IP address from your network that should be used for the BGP session to this neighbor.
      If you only advertise the ARIN route to providers (and not the network IP ranges or the ranges of other ISPs), it is highly recommended that you configure the Peer Filtering for Output settings. Select the Peer Filter from the IP filter list that you created in the previous section (Add an IP Prefix Filter).
   h. Click OK.
3. Click Send Changes and Activate.

Step 6. Add the IP Address of the BGP Router

You must add the IP address of the BGP router as an additional IP address in the Virtual Server Properties on the Barracuda NG Firewall. To add the IP address of the BGP router:

1.
Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties. 2. Click Lock. 3. In the Virtual Server IP Addresses section, add an entry to the Additional IP table. a. In the Additional IP field, enter the IP address of the BGP Router. b. From the Reply to Ping list, select yes. c. You can enter an optional description. d. Click OK. 4. Click Send Changes and Activate. Step 7. Create a Firewall Rule for BGP Router Communication Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 321 To allow communication with other BGP routers, introduce a host firewall rule that allows network traffic through TCP port 179. For more information on creating firewall rules, see Firewall Rules. Administrating BGP Routers from the Command Line The BGP routing daemon for the Barracuda NG Firewall is based on the Quagga Software Routing Suite. You can configure and administrate the BGP router from the Barracuda NG Firewall command-line interface. 1. Open the Command-Line Interface. 2. Enter vtysh to launch the configuration tool. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 322 How to Configure EBGP Multihop Routing To allow connections between BGP neighbors that are not directly connected to each other, you can configure EBGP multihop routing with either a route map or static routes. This article provides example scenarios and step-by-step instructions for configuring EBGP. In this article: Choosing to Use a Routing Map or Static Routes Configuring EBGP with a Route Map Step 1. Introduce a Route Map Step 2. Configure Neighbor Settings Configuring EBGP with Static Routes Step 1. Configure Neighbor Settings Step 2. Execute a Next Hop Lookup Step 3. Configure a Static Route Step 4. 
Configure a Device Route

Choosing to Use a Route Map or Static Routes
There are different scenarios that may require EBGP multihop routing, for example as illustrated in the following diagrams:
Scenario 1 – A BGP peer runs on a loopback address that is not externally reachable. This can be required if the other IP addresses of the system change dynamically.
Scenario 2 – The BGP peer (router R1) is located in an external network.
For both scenarios, you can configure EBGP multihop routing with either a route map or static routes:
Route Map – If you do not require load balancing over more than one router, using a route map is the simplest way of configuring EBGP. You only need to configure the BGP neighbor and do not need to introduce additional routes. All routes learned from router R1 (as configured in Scenario 2) are directed over one gateway. However, this setup can lengthen the path of routes whose next hop would otherwise have been directly reachable from router R0, and load balancing over more than one router is no longer possible.
Static Routes – For arriving routes without a directly reachable next hop, configure static routes. You only need to configure the neighbor once for EBGP multihop routing and do not need to change any other BGP configuration. Routes received via the next hop can be analyzed. However, you must also set up a new next hop whenever an unknown one appears, and the kernel routing table becomes more complicated.
Complete the steps in the following sections to configure EBGP multihop routing with either a route map or static routes, depending on your network architecture. The sections provide examples of how to configure EBGP multihop routing for Scenario 2, as illustrated in the above diagram: BGP peer R1 in an external network is configured on router R0.
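Both options come down to the same question: can the kernel of R0 resolve the next hop of a route learned from R1 to an interface and an on-link gateway? The following Python script is an added example and not part of the Barracuda documentation or of the NG Firewall itself. It models the kernel routing table of R0 as a constructed list (only the connected network 10.0.0.0/24 on port1), performs the recursive next hop lookup that the static route procedure below asks for, and shows the two fixes side by side for the Scenario 2 values used in the sections below (peer 10.1.0.2, gateway 10.0.0.1, learned network 192.168.0.0/24): rewriting the next hop with a route map, or adding the host route 10.1.0.2/32 via 10.0.0.1. The class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class KernelRoute:
    """One entry of the kernel routing table (constructed, not read from a box)."""
    prefix: Net
    interface: str
    gateway: Optional[IPv4] = None  # None: directly attached network


@dataclass(frozen=True)
class ResolvedHop:
    interface: str
    gateway: IPv4  # the address the kernel actually sends the frame to


@dataclass(frozen=True)
class BgpRoute:
    prefix: Net
    next_hop: IPv4


def longest_match(table: List[KernelRoute], addr: IPv4) -> Optional[KernelRoute]:
    """Longest-prefix match: the lookup behind 'execute a next hop lookup'."""
    best = None
    for route in table:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def resolve_next_hop(table: List[KernelRoute], next_hop: IPv4, max_depth: int = 8) -> Optional[ResolvedHop]:
    """Recursively resolve a BGP next hop to an interface and an on-link gateway.

    Gateway routes are followed until a directly attached network is reached.
    None means the next hop is unreachable (or the lookup loops), which is
    exactly the case in which the learned route cannot be used.
    """
    target = next_hop
    gateway: Optional[IPv4] = None
    for _ in range(max_depth):
        route = longest_match(table, target)
        if route is None:
            return None
        if route.gateway is None:  # on-link: resolution is complete
            return ResolvedHop(route.interface, gateway if gateway is not None else target)
        gateway = route.gateway
        target = route.gateway
    return None  # routing loop or too deep


def set_next_hop(route: BgpRoute, new_next_hop: IPv4) -> BgpRoute:
    """What the route map entry 'Set Action: Next_Hop' does to an inbound route."""
    return BgpRoute(route.prefix, new_next_hop)


# Scenario 2 addresses from the article; the kernel table itself is constructed.
R0_GATEWAY = IPv4("10.0.0.1")
R1_PEER = IPv4("10.1.0.2")
R0_TABLE = [KernelRoute(Net("10.0.0.0/24"), "port1")]
LEARNED = BgpRoute(Net("192.168.0.0/24"), R1_PEER)


def route_map_approach() -> Optional[ResolvedHop]:
    """Rewrite the next hop to R0's gateway; no additional kernel route is needed."""
    return resolve_next_hop(R0_TABLE, set_next_hop(LEARNED, R0_GATEWAY).next_hop)


def static_route_approach() -> Optional[ResolvedHop]:
    """Add the host route 10.1.0.2/32 via 10.0.0.1 and let the lookup recurse."""
    table = R0_TABLE + [KernelRoute(Net("10.1.0.2/32"), "port1", R0_GATEWAY)]
    return resolve_next_hop(table, LEARNED.next_hop)


if __name__ == "__main__":
    print("unmodified:", resolve_next_hop(R0_TABLE, LEARNED.next_hop))  # None: next hop unreachable
    print("route map: ", route_map_approach())
    print("static:    ", static_route_approach())
```

Run stand-alone, the script shows the learned route as unusable until either fix is applied; both then resolve to port1 with gateway 10.0.0.1, which is the result the next hop lookup in the static route procedure is expected to return. The depth limit is deliberate: a static route whose gateway is itself reached through the route being resolved never terminates, and the lookup must report that rather than spin.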
Configuring EBGP with a Route Map
This example procedure configures a route map that modifies all routes arriving from router R1 so that their next hop is changed to the IP address of the gateway of router R0. This gateway is always directly reachable from R0 and forwards the data traffic on to router R1.

Step 1. Introduce a Route Map
Introduce a route map to modify routes arriving from R1 so that the next hop is set to the gateway of R0.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. From the Configuration menu in the left navigation pane, click Filter Setup IPv4.
3. Click Lock.
4. In the Route Maps IPv4 table, click + to add an entry for the route map.
5. Enter a name for the route map and then click OK.
6. In the BGP Specific Conditions table, click + to add an entry for the BGP settings.
7. In the Route Map Entry window, specify the following settings and then click OK:
Sequence Number – Enter a unique number for the route map entry.
Type – Select permit.
Match Condition – Select None to specify that all routes are modified.
Set Action – Select Next_Hop.
Set Next-Hop IP – Enter 10.0.0.1, the gateway address.
8. In the Route Maps window, click OK.
9. Click Send Changes and Activate.

Step 2. Configure Neighbor Settings
Configure EBGP in the neighbor settings for R1.
1. On the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4 from the Configuration menu in the left navigation pane.
2. Click Lock.
3. In the Neighbors table, click + to add an entry for the neighbor settings.
4. Enter a name for the neighbor settings and then click OK.
5. In the Usage and IP section of the Neighbors window, specify the following settings:
Neighbor IPv4 – Enter 10.1.0.2.
BGP Routing Protocol Usage – Select yes.
6. In the BGP Parameters section, specify the following settings:
AS Number – Enter 200.
Update Source – Select Address.
Update Source IPv4 Address – Enter 10.0.0.2.
7. Next to Peer Filtering For Inputs, click Set and select the route map that you created in Step 1.
8. In the EBGP MultiHop field, specify the maximum allowed next hop distance to the neighbor, for example 20. This value is used as the IP TTL of the session packets; keep it as small as the path to the neighbor allows.
9. After you specify all of the required settings in the Neighbors window, click OK.
10. Click Send Changes and Activate.

Configuring EBGP with Static Routes
This example procedure configures the neighbor settings for router R1 and introduces two routes:
A static route over the gateway of router R0 to the network of router R1.
A direct route to the network of router R1.

Step 1. Configure Neighbor Settings
Configure EBGP in the neighbor settings for R1.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. From the Configuration menu in the left navigation pane, click Neighbor Setup IPv4.
3. Click Lock.
4. In the Neighbors table, click + to add an entry for the neighbor settings.
5. Enter a name for the neighbor settings and then click OK.
6. In the Usage and IP section of the Neighbors window, specify the following settings:
Neighbor IPv4 – Enter 10.1.0.2.
BGP Routing Protocol Usage – Select yes.
7. In the BGP Parameters section, specify the following settings:
AS Number – Enter 200.
Update Source – Select Address.
Update Source IPv4 Address – Enter 10.0.0.2.
8. In the EBGP MultiHop field, specify the maximum allowed next hop distance to the neighbor, for example 20.
9. After you specify all of the required settings in the Neighbors window, click OK.
10. Click Send Changes and Activate.

Step 2. Execute a Next Hop Lookup
Assume that a route for 192.168.0.0/24 arrives with the next hop 10.1.0.2. Execute a next hop lookup for R1 (10.1.0.2). The lookup should return the IP address of the gateway of R0 (10.0.0.1) and the interface port1.

Step 3. Configure a Static Route
Introduce a static route over the gateway of R0 to the network of R1. Use the following settings:
Target Network Address: 10.1.0.2/32
Route Type: gateway
Gateway: 10.0.0.1
For more information, see How to Configure Gateway Routes.

Step 4. Configure a Device Route
To introduce the route that was learned over BGP, configure a direct route with the following settings:
Target Network Address: 10.1.0.2/32
Route Type: directly attached network
Interface Name: port1
For more information, see How to Add a Direct Attached Route.
Whenever a route with an unknown next hop is received, you must execute a next hop lookup, configure a static route, and then configure a device route. Use the example steps from above.

How to Configure BGP for Inbound Link Failover
BGP is used to announce routes to the neighboring networks. If you are using two or more ISPs to connect to the Internet, you can configure BGP to propagate routes for both ISPs to the neighboring networks. The remote BGP service monitors the neighboring connections and automatically chooses the other link when one link goes down. All traffic for your network is then routed over the remaining link.

In this article:
Before You Begin
Step 1. Enable the BGP Service
Step 2. Configure the BGP Service
Step 3. Create BGP Neighbors for ISP 1 and ISP 2
Monitoring BGP Routes

Before You Begin
Before you configure the BGP service, you need an AS number for your network. AS numbers from 64512 to 65534 and 4,200,000,000 to 4,294,967,294 are reserved for private use (RFC 6996). A private AS number towards an ISP only works if the ISP agrees to it and removes it from the AS path; otherwise use an AS number assigned by your registry.

Step 1.
Enable the BGP Service
Create and configure the BGP service.
1. Create an OSPF/RIP/BGP service. For more information on how to create a service, see How to Configure Services.
2. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
3. Click Lock.
4. From the Run BGP Router list, select yes.
5. From the Operation Mode list, select advertise-learn.
6. In the Router ID field, enter the IP address of the router.
7. Click Send Changes and Activate.

Step 2. Configure the BGP Service
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. In the left menu, click BGP Router Setup.
3. Enter the AS Number for your network.
4. In the Terminal Password fields, specify a password for connecting to the BGP router service via telnet from the shell of the Barracuda NG Firewall.
5. In the Networks table, add the local subnet (e.g., 10.0.0.0/24).
a. Click the plus sign (+).
b. Enter a Name for the network and click OK.
c. In the Network Prefix field, enter the subnet. This is the subnet that is propagated via BGP (e.g., 10.0.0.0/24).
d. Click OK.
6. Click Send Changes and Activate.

Step 3. Create BGP Neighbors for ISP 1 and ISP 2
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. In the left menu, click Neighbor Setup IPv4.
3. Click Lock.
4. In the Neighbors table, create a BGP neighbor for each ISP:
a. Click the plus sign (+).
b. Enter a Name for the ISP (e.g., ISP1bgpNeighbor or ISP2bgpNeighbor).
c. In the Neighbors window, specify the following settings:
Neighbor IPv4 – Enter the IP address of the BGP neighbor (e.g., 192.168.0.1 or 192.168.1.1).
OSPF Routing Protocol Usage – Select no.
RIP Routing Protocol Usage – Select no.
BGP Routing Protocol Usage – Select yes.
AS Number – Enter the AS number that is assigned to the BGP neighbor (e.g., 64513 or 64515).
Update Source – Select Address.
Update Source IPv4 Address – Enter the IP address that is assigned to the ISP WAN interface.
d. Click OK.
5. Click Send Changes and Activate.

Monitoring BGP Routes
To monitor the routes that are learned and propagated by BGP, go to the CONTROL > Network page and click the BGP tab.

How to Configure BGP Routing over IPsec VPN
Follow the instructions in this article to configure the BGP service with an intermediary /30 network between a local and a remote VPN gateway. The BGP service uses the IPsec tunnel to dynamically learn the routes of the remote network. You must configure both the local and the remote NG Firewall.

Setting                             Example values, local NG Firewall   Example values, remote NG Firewall
VPN Next Hop Interface Index        13                                  13
VPN Next Hop Interface IP Address   192.168.22.1/30                     192.168.22.2/30
Virtual Server Additional IP        192.168.22.1                        192.168.22.2
VPN Local Networks                  192.168.22.0/30                     192.168.22.0/30
VPN Remote Networks                 192.168.22.0/30                     192.168.22.0/30
VPN Interface Index                 13                                  13
VPN Next Hop Routing                192.168.22.2                        192.168.22.1
ASN                                 64577                               64579
Router ID                           192.168.22.1                        192.168.22.2
Neighbor IPv4                       192.168.22.2                        192.168.22.1
Neighbor AS Number                  64579                               64577
Neighbor Update Source Interface    vpnr13                              vpnr13

In this article:
Before You Begin
Step 1. Add a VPN Next Hop Interface
Step 2. Add the VPN Interface IP to the Virtual Server Addresses
Step 3. Configure the Site-to-Site VPN Settings
Step 4. Configure the BGP Service
Step 4.1 Configure which Routes to Propagate into BGP
Step 4.2 Configure the BGP Router
Step 4.3. Add a BGP Neighbor
Step 5.
Verify the BGP Service Configuration

Before You Begin
Before you configure BGP over an IPsec VPN, obtain the following:
A free /30 subnet, e.g., 192.168.22.0/30.
Autonomous system numbers (ASNs) for the remote and local networks. The ASNs can be private or public, because the VPN is not directly connected to the Internet.

Step 1. Add a VPN Next Hop Interface
Add a VPN next hop interface using a /30 subnet.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings.
2. Click Lock.
3. In the Settings tab, click the Click here for Server Settings link.
4. In the Server Settings window, click the Advanced tab.
5. Next to the VPN Next Hop Interface Configuration table, click Add.
6. Configure the VPN next hop interface settings:
In the VPN Interface Index field, enter a number between 0 and 999, e.g., 13.
In the IP Addresses field, enter the VPN interface IP address, e.g., 192.168.22.1/30 for the local NG Firewall or 192.168.22.2/30 for the remote NG Firewall.
Click OK. The VPN next hop interface is listed in the VPN Next Hop Interface Configuration table.
7. Click OK.
8. Click Send Changes and Activate.

Step 2. Add the VPN Interface IP to the Virtual Server Addresses
Add the IP address of the virtual interface to the list of IP addresses that the virtual server listens on.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. Click Lock.
3. In the Additional IP table, add the intermediary VPN IP address of the local VPN interface, e.g., 192.168.22.1 for the local NG Firewall or 192.168.22.2 for the remote NG Firewall.
4. Click Send Changes and Activate.

Step 3. Configure the Site-to-Site VPN Settings
Configure a site-to-site IPsec VPN tunnel including the VPN next hop interface.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
2. Click Lock.
3. Click the IPSEC Tunnels tab.
4. Right-click the table under the IPSEC Tunnels tab and then select New IPsec tunnel.
5. In the IPsec Tunnel window:
a. In the Local Networks tab, enter:
Local IKE Gateway: Enter the local public IP address the VPN service is listening on.
Network Address: Add the intermediary VPN subnet, e.g., 192.168.22.0/30.
b. In the Remote Networks tab, enter:
Remote IKE Gateway: Enter the remote public IP address the remote VPN service is listening on.
Network Address: Add the intermediary VPN subnet, e.g., 192.168.22.0/30.
c. Click the Peer Identification tab and then enter a passphrase as the Shared Secret. Use a long, randomly generated secret; it authenticates the tunnel that carries the routing session.
d. Click the Advanced tab and enter:
VPN Next Hop Routing: Enter the IP address of the remote VPN next hop interface, e.g., 192.168.22.2 for the local NG Firewall or 192.168.22.1 for the remote NG Firewall.
Interface Index: Enter the interface number of the VPN next hop interface configured in Step 1, e.g., 13.
e. Click OK.
6. Click Send Changes and Activate.

Step 4. Configure the BGP Service
Enable and configure the BGP service. Configure the remote VPN interface IP address as a BGP neighbor to dynamically learn the routes of the neighboring network.

Step 4.1 Configure which Routes to Propagate into BGP
You can either enter the networks you want to propagate manually or set the Advertise Route parameter to yes for the routes you want propagated.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. Click Lock.
3. To propagate the management network, set Advertise Route to yes in the Management IP and Network section.
4. In the left menu, click Routing.
5. Double-click the direct attached and gateway routes you want to propagate. The Routes window opens.
6. Set Advertise Route to yes and click OK.
7. Click Send Changes and Activate.

Step 4.2 Configure the BGP Router
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Set Run BGP Router to Yes.
3. (optional) To learn routes from the remote ASN, set Operation Mode to advertise-learn.
4. Enter the Router ID. Typically the local VPN next hop interface IP address is used, e.g., 192.168.22.1 for the local NG Firewall or 192.168.22.2 for the remote NG Firewall.
5. In the left menu, click BGP Router Setup.
6. Enter the AS Number, e.g., 64577 for the local NG Firewall or 64579 for the remote NG Firewall.
7. Enter the Terminal Password. Use this password if you must directly connect to the dynamic routing daemon via the command line for debugging purposes.
8. To propagate the directly attached and gateway routes configured in Step 4.1, set Connected Routes to yes.
9. (alternative) To manually enter the networks you want to propagate, click + in the Networks table and enter the network, e.g., 172.16.0.0/24.
10. Click Send Changes and Activate.

Step 4.3. Add a BGP Neighbor
To dynamically learn the routing of the neighboring network, set up a BGP neighbor for the remote VPN next hop interface.
1. In the left menu of the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4.
2. Click Lock.
3. Next to the Neighbors table, click the plus sign (+) to add a new neighbor.
4. Enter a Name for the neighbor and click OK. The Neighbors window opens.
5. Configure the following settings in the Usage and IP section:
Neighbor IPv4: Enter the remote address of the VPN next hop interface, e.g., 192.168.22.2 for the local NG Firewall or 192.168.22.1 for the remote NG Firewall.
OSPF Routing Protocol Usage: Select no.
RIP Routing Protocol Usage: Select no.
BGP Routing Protocol Usage: Select yes.
6. In the BGP Parameters section, configure the following settings:
AS Number: Enter the ASN of the remote network, e.g., 64579 for the local NG Firewall or 64577 for the remote NG Firewall.
Update Source: Select Interface.
Update Source Interface: Enter the VPN next hop interface in the format vpnr<interface number>, e.g., vpnr13.
7. Click OK.
8. Click Send Changes and Activate.

Step 5. Verify the BGP Service Configuration
On the CONTROL > Network page, verify that BGP routes are learned. Click the BGP tab and expand the relevant AS tree. It can take up to three minutes for new routes to be learned.
Local Firewall CONTROL > Network > BGP page (screenshot)
Remote Firewall CONTROL > Network > BGP page (screenshot)

How to Configure BGP Routing over TINA VPN
To dynamically learn BGP-propagated routes from a remote location connected via a TINA VPN tunnel, VPN next hop interfaces are used to create an intermediary network. The BGP service is configured to use the remote IP address in the intermediary network as a BGP neighbor.
You must complete this configuration on both the local and the remote Barracuda NG Firewall using the respective values below: Example Values for the Local Barracuda NG Firewall Example Values for the Remote Barracuda NG Firewall VPN Next Hop Interface Index 11 11 VPN Next Hop Interface IP Address 192.168.21.16/24 192.168.21.17/24 Virtual Server Additional IP 192.168.21.16 192.168.21.17 VPN Local Networks 192.168.21.16 192.168.21.17 VPN Remote Networks 192.168.21.17 192.168.21.16 VPN Interface Index 11 11 ASN 64577 64578 Router ID 192.168.21.16 192.168.21.17 Neighbor IPv4 192.168.21.17 192.168.21.16 Neighbor AS Number 64578 64577 Neighbor Update Source Interface vpnr11 vpnr11 In this article: Before You Begin Step 1. Add a VPN Next Hop Interface Step 2. Add the VPN Next Hop Interface IP Address to the Virtual Server Listening IP Addresses Step 3. Configure the TINA Site-to-Site VPN Tunnel Step 4. Configure the BGP Service Step 4.1 Configure which Routes to Propagate into BGP Step 4.2 Configure the BGP Router Step 4.3. Add a BGP Neighbor Step 4.4. (optional) Adjust Keep Alive and Hold Timer Step 5. Verify the BGP Service Configuration Step 6. Create Access Rules for VPN Traffic Before You Begin A free /24 subnet (e.g., 192.168.21.0/24) for the intermediary network is needed. You must have or assign private Autonomous system numbers (ASNs) for the remote and local networks. The ASNs can be private if you are not propagating these networks to other public networks. Step 1. Add a VPN Next Hop Interface Add a VPN next hop interface using a /24 subnet (e.g., 192.168.21.0/24). 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 335 1. 2. 3. 4. 5. 6. VPN-Service > VPN Settings. Click Lock. In the Settings tab, click the Click here for Server Settings link. The Server Settings window opens. 
In the Server Settings window, click the Advanced tab. Next to the VPN Next Hop Interface Configuration table, click Add. In the VPN Interface Properties window, configure the following settings and then click OK. In the VPN Interface Index field, enter a number between 0 and 999. E.g., 11 In the IP Addresses field, enter the VPN interface IP address including the subnet. E.g., 192.168.21.16/24 for the local or 192.168.21.17/24 for the remote NG Firewall. Click OK. The interface is now listed in the VPN Next Hop Interface Configuration table. 7. In the Server Settings window, click OK. 8. Click Send Changes and Activate. Step 2. Add the VPN Next Hop Interface IP Address to the Virtual Server Listening IP Addresses Introduce the IP address of the VPN next hop interface as a virtual server -IP address. 1. 2. 3. 4. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties. Click Lock. In the Additional IP table, add the IP address of the VPN interface. Click Send Changes and Activate. Step 3. Configure the TINA Site-to-Site VPN Tunnel Configure a TINA VPN tunnel using the local next hop interface IP address and the VPN next hop interface. 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site. 2. Click Lock. 3. Right-click In the TINA Tunnels tab and select New TINA tunnel. The TINA tunnel window opens. 4. Enter a Name. 5. Configure the Transport, Encryption and Authentication settings as well as the Local and Remote public IP addresses. For more information, see How to Create a TINA VPN Tunnel between Barracuda NG Firewalls. 6. Use a free IP address or network as Local and Remote Network. To avoid multiple tunnels using the same local an remote network it is recommended to use the next hop interface IP addresses. 
E.g., 192.168.21.16 and 192.168.21.17
In the Local Networks tab, enter the local next hop interface IP address as Network Address and click Add. E.g., 192.168.21.16 for the local and 192.168.21.17 for the remote NG Firewall.
In the Remote Networks tab, enter the remote next hop interface IP address as Network Address and click Add. E.g., 192.168.21.17 for the local and 192.168.21.16 for the remote NG Firewall.
If several NG Firewalls connect to one VPN hub, use the IP addresses of the local and remote VPN next hop interfaces here, so that no two VPN tunnels share the same Local and Remote networks.
7. In the Remote Networks tab, enter the VPN Interface Index number that you created in the VPN Interface Configuration in Step 1. E.g., 11
8. Click OK.
9. Click Send Changes and Activate.

Step 4. Configure the BGP Service
Enable and configure the BGP service. Configure the remote VPN interface IP address as a BGP neighbor to dynamically learn the routes of the neighboring network.

Step 4.1 Configure which Routes to Propagate into BGP
You can either enter the networks you want to propagate manually (see Step 4.2, step 10) or set the Advertise Route parameter to yes for each route you want propagated.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. Click Lock.
3. To propagate the management network, set Advertise Route to yes in the Management IP and Network section.
4. In the left menu, click Routing.
5. Double-click the direct attached and gateway routes you want to propagate. The Routes window opens.
6. Set Advertise Route to yes and click OK.
7. Click Send Changes and Activate.

Step 4.2 Configure the BGP Router
Enable BGP and use the VPN next hop interface IP address as the Router ID.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. Set Run BGP Router to Yes.
4. (optional) To learn routes from the remote ASN, set Operation Mode to advertise-learn.
5. Enter the Router ID. Typically the VPN next hop interface IP address is used. E.g., 192.168.21.16 for the local or 192.168.21.17 for the remote NG Firewall.
6. In the left menu, click BGP Router Setup.
7. Enter the AS Number. E.g., 64577 for the local NG Firewall or 64578 for the remote NG Firewall.
8. Enter the Terminal Password. This password is needed if you must connect directly to the dynamic routing daemon on the command line for debugging.
9. To propagate the directly attached and gateway routes marked in Step 4.1, set Connected Routes to yes.
10. (alternative) To enter the networks you want to propagate manually, click + in the Networks table and enter the network. E.g., 172.16.0.0/24
11. Click Send Changes and Activate.

Step 4.3 Add a BGP Neighbor
To dynamically learn the routing of the neighboring network, set up a BGP neighbor for the VPN next hop interface.
1. In the left menu of the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4.
2. Click Lock.
3. Next to the Neighbors table, click the plus sign (+) to add a new neighbor.
4. Enter a Name for the neighbor and click OK. The Neighbors window opens.
5. Configure the following settings in the Usage and IP section:
Neighbor IPv4 – Enter the remote address of the VPN next hop interface. E.g., 192.168.21.17 for the local NG Firewall or 192.168.21.16 for the remote NG Firewall.
OSPF Routing Protocol Usage – Select no.
RIP Routing Protocol Usage – Select no.
BGP Routing Protocol Usage – Select yes.
6. In the BGP Parameters section, configure the following settings:
AS Number – Enter the ASN of the remote network. E.g., 64578 for the local NG Firewall or 64577 for the remote NG Firewall.
Update Source – Select Interface.
Update Source Interface – Enter the VPN next hop interface in the format vpnr<interface number>. E.g., vpnr11
7. Click OK.
8. Click Send Changes and Activate.

Step 4.4 (optional) Adjust Keep Alive and Hold Timer
Speed up BGP convergence by lowering the keep alive and hold timers.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. In the left menu, click BGP Router Setup.
4. In the left menu, expand the Configuration Mode section and click Switch to Advanced View.
5. Click the Edit button for the Advanced Settings. The Advanced Settings window opens.
6. Adjust the following parameters to control how fast BGP reacts to a neighbor that is down:
Keep Alive Timer – Default: 60. Recommended: 10.
Hold Timer – Set to three times the Keep Alive Timer. Default: 180. Recommended: 30.
7. Click OK.
8. Click Send Changes and Activate.

Step 5. Verify the BGP Service Configuration
On the CONTROL > Network page, verify that BGP routes are learned. Click the BGP tab and expand the relevant AS tree. It can take up to three minutes for new routes to be learned. The Origin column shows incomplete for direct attached, gateway and IGP routes that are redistributed into BGP, including manually entered networks.
Local Firewall CONTROL > Network > BGP page:
Remote Firewall CONTROL > Network > BGP page:

Step 6. Create Access Rules for VPN Traffic
Create access rules on both the local and the remote NG Firewall to allow traffic from the learned networks through the VPN tunnel.
Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 336
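The BGP article above and the inbound load balancing article that follows (How to Configure Inbound Load Balancing and Link Failover with BGP) configure everything in the GUI, so the effect of the prefix lists, route maps and AS-path prepending only becomes visible on the remote router. The following Python model is an added example, not Barracuda code: it implements first-match prefix-list evaluation with the extent types of the Filter Setup page, applies one route map per ISP neighbor with the "Set addition to AS-Path" action of the following article, and runs a simplified best-path decision for a remote router, including the failover case where the preferred ISP session drops. The local AS 64514, the ISP ASNs 64513 and 64515, and the prefixes 10.0.0.0/24 and 172.16.16.0/24 are the article's example values; the remote router's tie-break (lowest ISP AS) stands in for the real BGP tie-breakers and is an assumption of the model.

```python
"""Inbound load balancing with BGP AS-path prepending (added example, not Barracuda code).

Models the prefix-list and route-map evaluation that the GUI steps configure, and
the best-path decision a remote router makes. Example values follow the article;
the remote tie-break (lowest ISP AS) is an assumption of this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

LOCAL_AS = 64514                 # our AS; also the "Set addition to AS-Path" value
ISP1_AS, ISP2_AS = 64513, 64515  # the two BGP neighbors of the article's Step 3


@dataclass(frozen=True)
class PrefixEntry:
    """One sequence number of an IPv4 prefix list (Filter Setup IPv4)."""
    seq: int
    prefix: str
    action: str                    # "permit" or "deny"
    extent: str = "none"           # "none", "greater-than" or "less-than"
    length: Optional[int] = None   # prefix length bound used by the extent types


def prefix_list_permits(entries: Iterable[PrefixEntry], network: str) -> bool:
    """Evaluate a prefix list: lowest sequence number first, first hit decides,
    no hit is an implicit deny."""
    net = ipaddress.ip_network(network)
    for e in sorted(entries, key=lambda x: x.seq):
        base = ipaddress.ip_network(e.prefix)
        if e.extent == "none":
            hit = net == base
        elif e.extent == "greater-than":
            hit = net.subnet_of(base) and net.prefixlen >= e.length
        elif e.extent == "less-than":
            hit = net.subnet_of(base) and net.prefixlen <= e.length
        else:
            raise ValueError(f"unknown extent type {e.extent!r}")
        if hit:
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapEntry:
    """One Route Map Entry: match an IP prefix list, optionally prepend our AS."""
    seq: int
    action: str                    # "permit" or "deny"
    prefix_list: str               # name of the prefix list to match
    prepend: Optional[int] = None  # "Set addition to AS-Path": AS number added once more


PREFIX_LISTS: Dict[str, List[PrefixEntry]] = {
    "PL-10": [PrefixEntry(1, "10.0.0.0/24", "permit")],
    "PL-172": [PrefixEntry(1, "172.16.16.0/24", "permit")],
}

# One route map per neighbor: the prefix that should enter via this ISP passes
# untouched, the other prefix leaves with our AS prepended a second time.
# Sequence numbers are unique across both route maps, as the article requires.
ROUTE_MAPS: Dict[int, List[RouteMapEntry]] = {
    ISP1_AS: [RouteMapEntry(1, "permit", "PL-172"),
              RouteMapEntry(2, "permit", "PL-10", prepend=LOCAL_AS)],
    ISP2_AS: [RouteMapEntry(3, "permit", "PL-10"),
              RouteMapEntry(4, "permit", "PL-172", prepend=LOCAL_AS)],
}


def apply_route_map(entries: Iterable[RouteMapEntry], network: str) -> Optional[Tuple[int, ...]]:
    """AS path we announce for `network` to this neighbor, or None if the map drops it."""
    for e in sorted(entries, key=lambda x: x.seq):
        if prefix_list_permits(PREFIX_LISTS[e.prefix_list], network):
            if e.action == "deny":
                return None
            path = (LOCAL_AS,)
            return (e.prepend,) + path if e.prepend is not None else path
    return None  # no entry matched: a route map denies by default


def announcements(networks=("10.0.0.0/24", "172.16.16.0/24")) -> Dict[str, Dict[int, Tuple[int, ...]]]:
    """AS path each ISP re-advertises upstream, per prefix (the ISP prepends its own AS)."""
    out: Dict[str, Dict[int, Tuple[int, ...]]] = {}
    for isp, entries in ROUTE_MAPS.items():
        for n in networks:
            path = apply_route_map(entries, n)
            if path is not None:
                out.setdefault(n, {})[isp] = (isp,) + path
    return out


def best_ingress(paths: Dict[int, Tuple[int, ...]], available=None) -> Optional[int]:
    """Remote router's choice: shortest AS path wins; ties go to the lowest ISP AS
    (stand-in for the real tie-breakers, an assumption). `available` lists the ISPs
    whose session is up; a withdrawn path cannot be chosen."""
    usable = {isp: p for isp, p in paths.items() if available is None or isp in available}
    if not usable:
        return None
    return min(usable, key=lambda isp: (len(usable[isp]), isp))


def ingress_plan(available=None) -> Dict[str, Optional[int]]:
    """Which ISP carries inbound traffic for each prefix, given the ISPs that are up."""
    return {n: best_ingress(paths, available) for n, paths in announcements().items()}


if __name__ == "__main__":
    print("all links up:  ", ingress_plan())
    print("ISP2 link down:", ingress_plan(available={ISP1_AS}))
```

With both sessions up, 10.0.0.0/24 is reached via AS 64515 and 172.16.16.0/24 via AS 64513, exactly the preference the route maps encode; when the session to AS 64515 drops, its announcement is withdrawn and both prefixes fall back to the longer path via AS 64513 without any reconfiguration. The prefix-list helper also shows why the default route must be written as 0.0.0.0/0: an entry for 0.0.0.0/32 with extent type none matches only that host prefix.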
How to Configure Inbound Load Balancing and Link Failover with BGP
BGP is used to announce routes to the neighboring networks. If you use two or more ISPs to connect to the Internet, you can use BGP to assign a preferred link to each propagated subnet. To make the preferred route more attractive to the remote router, make the secondary link appear longer by artificially lengthening its AS path (your own AS number is prepended once more). Because the remote routers continuously monitor their BGP sessions, inbound link failover follows automatically: if the preferred link becomes unavailable, its announcement is withdrawn and the secondary link, which still carries the longer announcement, is chosen.
In this article:
Before You Begin
Step 1. Enable the BGP Service
Step 2. Configure the BGP Service
Step 3. Create BGP Neighbors
Step 4. Create IPv4 Prefix List Filters
Step 5. Create Route Map IPv4 Filters
Monitoring BGP Routes

Before You Begin
Before you configure the BGP service, obtain an AS number for your network. AS numbers from 64512 to 65534 and from 4200000000 to 4294967294 are reserved for private use (RFC 6996); anything else must be assigned to you or your ISP.

Step 1. Enable the BGP Service
Create and configure the BGP service.
1. Create an OSPF/RIP/BGP Service.
2. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
3. Click Lock.
4. From the Run BGP Router list, select yes.
5. From the Operation Mode list, select advertise-learn.
6. In the Router ID field, enter the IP address of the router.
7. Click Send Changes and Activate.

Step 2. Configure the BGP Service
Configure the BGP service and propagate the local subnets (e.g., 10.0.0.0/24 and 172.16.16.0/24).
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. In the left pane, click BGP Router Setup.
3. Enter the AS Number for your network.
4. In the Terminal Password fields, specify a password for connecting to the BGP router service via telnet from the shell of the Barracuda NG Firewall.
5. In the Networks table, add the local subnets (e.g., 10.0.0.0/24 and 172.16.16.0/24). For each subnet:
a. Click the plus sign (+).
b. Enter a Name for the network and click OK.
c. In the Network Prefix field, enter the subnet. This is the subnet that is propagated via BGP (e.g., 10.0.0.0/24 or 172.16.16.0/24).
d. Click OK.
6. Click Send Changes and Activate.

Step 3. Create BGP Neighbors
Specify the IP addresses of the BGP neighbors to which the BGP routing information is propagated. Normally, the ISP's router is the BGP neighbor.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. In the left pane, click Neighbor Setup IPv4.
3. Click Lock.
4. In the Neighbors table, create a BGP neighbor for each ISP. For each BGP neighbor:
a. Click the plus sign (+).
b. Enter a Name for the ISP (e.g., ISP1bgpNeighbor).
c. In the Neighbors window, specify the following settings:
Neighbor IPv4 – Enter the IP address of the BGP neighbor (e.g., 192.168.0.1 or 192.168.1.1).
OSPF Routing Protocol Usage – Select no.
RIP Routing Protocol Usage – Select no.
BGP Routing Protocol Usage – Select yes.
AS Number – Enter the AS number of the BGP neighbor (e.g., 64513 or 64515).
Update Source – Select Address.
Update Source IPv4 Address – Enter the IP address of the local interface that faces this BGP neighbor; it is used as the source address of the BGP session (e.g., 192.168.0.254 or 192.168.1.254).
d. Click OK.
5. Click Send Changes and Activate.

Step 4. Create IPv4 Prefix List Filters
Create a prefix list filter for each local subnet.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. In the left pane, click Filter Setup IPv4.
3. Click Lock.
4. In the IPv4 Prefix List Filters table, create a filter for each local subnet (e.g., 10.0.0.0/24 and 172.16.16.0/24). For each local subnet:
a. Click the plus sign (+).
b. Enter a Name.
c. In the Sequence Number section, click the plus sign (+).
d. In the Sequence Number window, specify the following settings:
Sequence Number – Enter the sequence number (e.g., 1). For additional networks in the same prefix list, increment the sequence number.
Network Prefix – Enter the subnet (e.g., 10.0.0.0/24 or 172.16.16.0/24).
Type – Select permit.
Extent Type – Select none.
e. Click OK to close the Sequence Number window with your settings.
f. Click OK to close the IPv4 Prefix Lists window with your settings.
5. Click Send Changes and Activate.

Step 5. Create Route Map IPv4 Filters
For each BGP neighbor, create a route map that tells the remote router how you want it to route traffic to your network. For the subnet that should use the other link, the route map adds your AS number a second time to the AS path, so the remote router sees that path as longer and prefers the other one.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. In the left pane, click Filter Setup IPv4.
3. Click Lock.
4. In the Route Maps IPv4 Filters table, add a filter for each BGP neighbor that you created in Step 3. For each neighbor:
a. Click the plus sign (+).
b. Enter a Name and click OK.
c. In the Route Map Entry section, click the plus sign (+).
d. In the Route Map Entry window, specify the following settings:
Sequence Number – Enter a unique sequence number (e.g., 1). This sequence number must be unique across all route maps. For additional entries, increment the sequence number.
Type – Select permit.
Match Condition – Select IP_Prefix_List.
IP Prefix List – Select the IP prefix list that contains the subnet for which this connection is the preferred incoming route (e.g., 10.0.0.0/24 via 64515 or 172.16.16.0/24 via 64513).
Set Action – Select None.
e. Click OK.
f. In the Route Map Entry section, click +.
g. In the Route Map Entry window, specify the following settings:
Sequence Number – Enter a unique sequence number (e.g., 2). This sequence number must be unique across all route maps. Increment the sequence number for further entries.
Type – Select permit.
Match Condition – Select IP_Prefix_List.
IP Prefix List – Select the IP prefix list that contains the subnet for which this connection is the backup (e.g., 10.0.0.0/24 via 64513 or 172.16.16.0/24 via 64515).
Set Action – Select AS_Path.
Set addition to AS-Path – Enter your AS number (e.g., 64514).
h. Click OK to close the Route Map Entry window with your settings.
i. Click OK to close the Route Maps IPv4 window with your settings.
5. Click Send Changes and Activate.

Monitoring BGP Routes
To monitor the routes that are learned and propagated by BGP, go to the CONTROL > Network page and click the BGP tab.

How to Configure OSPF Routers and Areas
After enabling OSPF, set up your OSPF router and areas. This article provides instructions on configuring the global settings and network definitions that OSPF uses to build relationships with neighbors and advertise routes.
In this article:
Configure OSPF Routers
Configure OSPF Areas

Configure OSPF Routers
1.
Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. In the left menu, click OSPF Router Setup.
4. Edit the following settings:
ABR Type – Specifies the area border router (ABR) behavior of the OSPF routing daemon. You can select Not an ABR, Cisco Type, Standard RFC 2328 Type, or IBM Type.
Terminal Password – The password to connect via telnet. The OSPF router is reachable on TCP port 2604 (loopback only).
Privileged Terminal Password – The password to enable configuration via telnet.
RFC1583 Compatibility – Specifies if the router is compatible with RFC 1583.
Auto-Cost Ref Bwidth [MBit/s] – The reference bandwidth for the OSPF metric. The cost of an interface is calculated as reference bandwidth divided by interface bandwidth. The default is 10000. Explicit cost statements override this value. Use the same reference bandwidth on all OSPF routers in the autonomous system; otherwise the metric calculation is inconsistent.
Network Prefix – Defines the interfaces on which OSPF runs and the networks that are propagated as OSPF intra-area or inter-area routes. Enter a network address including the network mask.
Network Area – Enter an existing area ID.
Advanced Settings – To specify the following advanced settings, click Set or Edit:
Support Opaque LSA – To enable opaque LSAs, select yes.
SPF Delay Timer – The time in seconds to wait before running an SPF calculation after receiving a database change.
SPF Hold Timer – The time in seconds to wait between consecutive SPF runs.
Refresh Timer – Values from 10 to 1800.
Default Metric – Defines the default metric for the OSPF protocol. Used when routes from other protocols are redistributed and their metric has to be translated.
Admin Distance – When two routing protocols provide information for the same destination, the administrative distance is the first criterion for deciding which one is used; a higher distance means a lower trust rating. On the NG Firewall, the admin distance is added to the metric of routes that are introduced to the system: an externally learned RIP route with metric 2 and administrative distance 100 is introduced with metric 102, so the OSPF route to the same destination is favored. Administrative distance is not advertised and thus only has local effect.
Default Route Distribution – The default route distribution settings. To edit the following settings, click Edit:
OSPF Metric – The metric in the router's link state advertisement. The SPF algorithm uses this value to calculate the cost of each route; routes with lower cost are preferred.
OSPF External Metric – Select an external metric type. Type1: the cost is the cost of the external route plus the cost to reach the ASBR. Type2: the cost of the external route alone, without the cost to reach the ASBR.
Route Maps – Filter definitions; references the Route Map Filters settings on the Filter Setup page. For more information, see How to Configure Filter Setup for OSPF and RIP.
Route Redistribution – In this table, add route redistribution settings. For each entry, you can edit the following settings:
Route Types – The route type to redistribute: connected, RIP, or BGP.
OSPF Metric – The metric in the router's link state advertisement. The SPF algorithm uses this value to calculate the cost of each route; routes with lower cost are preferred.
OSPF External Metric – If required, select an external metric type: Type1 (cost of the external route plus the cost to reach the ASBR) or Type2 (cost of the external route alone). Select NOT-SET if no external metric setting is required.
Route Maps – Filter definitions; references the Route Map Filters settings on the Filter Setup page. For more information, see How to Configure Filter Setup for OSPF and RIP.
5. Click Send Changes and Activate.

Configure OSPF Areas
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. In the left menu, select OSPF Area Setup.
4. In the Areas table, add your OSPF areas. For each entry, you can edit the following settings:
Enable Configuration – Enables or disables the area: select yes to enable, no to disable.
Area ID Format – Specifies the format used to enter the area ID. Integer (default): enter the area ID as an integer in the Area ID [Int] field. Quad-IP: enter the area ID as a dotted quad in the Area ID [IP] field.
Area ID [IP] – The area ID in dotted-quad format, e.g., 0.0.0.1.
Area ID [Int] – The area ID as a number, e.g., 0. The first area must have ID 0 (the backbone area).
Authentication Type – The authentication method for the area (default: Digest-MD5).
Simple Authentication Key – The OSPF area authentication credentials for simple authentication.
Digest Authentication Key – The OSPF area authentication credentials for digest authentication.
Message Digest Key ID – The key ID for digest authentication.
Special Type – Specifies if the area is a stub or not-so-stubby area. NONE (default): the area is not a special type. stub: stub areas do not import or originate external LSAs. nssa: an OSPF Not-So-Stubby Area, in which an ASBR can be located inside a stub area (see RFC 3101).
NSSA-ABR Translate Election – The NSSA translator election behavior defined by RFC 3101.
Disable Summary – Disables summary LSAs.
Virtual Link ID (ABR) – The virtual link ID for this area. Only available in Advanced View mode.
Virtual Link Params – To edit the settings for the virtual link, click Edit. For more information on these settings, see the "Parameter Template Configuration" section of How to Configure Network Interfaces for OSPF and RIP. Only available in Advanced View mode.
Area Default Cost – The cost of the default route injected into an attached stub area.
Summary Range IP/Mask – In this table, configure special actions for a summary range. For each entry, you can edit the following settings:
Summary Range IP/Mask – The IP address/mask of the summary range.
Range Action – The special action for the range: advertise (default), non-advertise, or substitute.
Range Cost – The cost for the range.
Advertised Range – The range that is advertised in place of the configured range (Range Action substitute).
Area Export Filters – In this table, create an export ACL.
Area Import Filters – In this table, create an import ACL.
Area in Filters – In this table, create an import prefix list.
Area out Filters – In this table, create an export prefix list.
5. Click OK.
6. Click Send Changes and Activate.

How to Configure Network Interfaces for OSPF and RIP
This article describes the parameters in the Network Interfaces Configuration section of the OSPF/RIP Settings of the Barracuda NG Firewall. In this section, the interface-specific parameters of the routing protocols are configured (this applies to OSPF and RIP):
1.
Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. In the left menu, click Network Interfaces. In this section, the parameters can be specified as follows:

Section Network Interfaces Configuration
Load Interface Info – If set to yes, the list of available interfaces is loaded after Send Changes is executed.
Interfaces – See the Available Interfaces section below.
Shared Interfaces Configuration – Shared interfaces can be edited by double-clicking or added with the + icon.
Interface Description – Informational text field.
Apply to Interface – Specifies the network interface to which the following settings apply.
Activate Config for – Specifies the routing protocols for which the settings are activated on this interface. Possible settings are OSPF, RIP or OSPF+RIP.
Passive Interface – On a passive interface the routing protocol does not send Hello packets. The network configured for this interface is still advertised. An interface is active by default (setting: No).
Parameter Template – References a parameter template for this interface.
OSPF Specific Parameters:
Network Type – Type of network. Ethernet is normally broadcast. Point-to-point is sometimes needed for Ethernet links, for example when only a /30 subnet is used. Type non-broadcast is needed to propagate OSPF over a VPN tunnel.
Bandwidth [kBit/s] – Bandwidth of the interface. Configuring it is strongly recommended because this information cannot be determined automatically; OSPF uses it to calculate the metric.
Interface Addresses – If an interface address is specified, the configuration applies only to that single OSPF network, which is useful in multinet environments. Otherwise the parameters apply to all OSPF networks on the given interface.
Parameter Template for Address – References a parameter template for this address.
RIP Specific Parameters:
Enable Split Horizon – Split horizon is a mechanism used by RIP to reduce the possibility of routing loops. If enabled (default: yes), routes learned from an interface are not re-advertised on that interface.
Enable Poisoned Reverse – An extension of split horizon. If enabled (default: no), routes learned from an interface are re-advertised on that interface with the metric set to infinity (16).

Section Available Interfaces
This section displays the read-only list of the available network interfaces, as loaded by Load Interface Info.

Section Parameter Template Configuration
Parameter templates can be edited by double-clicking or added with the + icon.
OSPF Parameters:
Authentication Type – Authentication for neighbors on the specified interface: no authentication (default: null), simple authentication as specified in RFC 1583, or the cryptographic authentication digest-MD5 (RFC 2328). Simple authentication sends the key in clear text; use digest-MD5 where the link is not trusted.
Simple Authentication Key – Password for simple authentication. Only required with Authentication Type set to simple.
Digest Authentication Key – Password for digest authentication. Only required with Authentication Type set to digest-MD5.
Message Digest Key ID – Key ID for digest authentication. Only required with Authentication Type set to digest-MD5.
OSPF Cost – Explicit cost of this interface for the SPF calculation; it overrides the cost derived from the reference bandwidth. Lower values make paths over this interface more attractive. Default: 1.
OSPF Dead Interval – Seconds used for the Wait Timer and Inactivity Timer. This value must be the same on all routers attached to a common network.
OSPF Hello Interval – Time to wait between OSPF Hello messages to neighbors (seconds). This value must be the same on all routers attached to a common network.
OSPF Retransmit Interval – Minimum time between retransmissions (seconds).
OSPF Transmit Delay – Seconds for the InfTransDelay value, the estimated time required to send a link-state update packet on the interface.
RIP Parameters:
Authentication Type – Authentication for neighbors on the specified interface: no authentication (default: null), text authentication, or the cryptographic authentication digest-MD5 (RFC 2082).
RIP Key Chain – The pull-down menu displays the configured key chains (see How to Configure RIP Router Setup) and allows the selection of a key chain that is used for authentication.
RIP Text Secret – Specifies the text secret used for authentication. The value specified here always takes precedence over the RIP key chain settings.
Send Protocol – Configures the protocol version for transmission: Version_1, Version_2 or Version_1+2.
Receive Protocol – Configures the protocol version for reception: Version_1, Version_2 or Version_1+2.

Neighbor Setup
For connectivity issues it is sometimes advisable to configure neighbors statically.
1. In the left menu, click Neighbor Setup IPv4, or Neighbor Setup IPv6 if you are using IPv6 addresses. Note: IPv6 has to be enabled in Quagga too.
2. To add an entry, click +.
3. Enter a descriptive name and click OK to open the configuration window.
4. In this section, the parameters can be specified as follows:
Neighbor IPv4 – IP address of the neighbor to exchange routing information with.
Active – Set to no to disable this neighbor configuration.
Routing Protocols – Specifies which routing protocols are exchanged with this neighbor: OSPF, RIP or BGP.
Neighbor Priority – Influences the Designated Router election. A higher value makes the router more eligible to become the Designated Router. Set to 0, the router is no longer eligible to become Designated Router or Backup Designated Router. Default: 1.
Dead Neighbor Poll Interval – Seconds between two neighbor probes.
5. Click OK.
6. Click Send Changes and Activate.

How to Configure Filter Setup for OSPF and RIP
This article explains how to configure the filter setup for OSPF and RIP. A filter is required, for example, when redistributing routes from one protocol to another. Route maps can be used to modify routing information: in a route map, the filter is applied to match the routes, and set actions are applied to the matching routes. Example: the RIP-learned route 10.0.0.0/24 with metric 4 hops should have metric 6 instead. The match condition in the route map must be a filter matching 10.0.0.0/24 and the set action must be metric 6.
When applying route filters in the RIP or OSPF section, only ACLs or prefix lists are needed, no route maps. This dialog is restricted to basic ACLs. Extended ACLs must be configured in the Text Based Configuration tab.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. In the left menu, click Filter Setup IPv4 (when using IPv6 addresses, select Filter Setup IPv6 and configure the settings for IPv6).

Access List IPv4 Filters
This section allows the definition of filters that can be referenced within the OSPF Area Setup (see How to Configure OSPF Routers and Areas) and within the RIP Route Update Filtering section (see How to Configure RIP Router Setup).
Name – The ACL name / ID.
Description – A short description of the ACL.
Network Prefix – Enter the network prefix.
Type – Specifies if the route is permitted or blocked: permit (default) / deny.

Route Map IPv4 Filters
Route maps are used to control and modify routing information that is exchanged between routing domains.
Name – The route map name.
Route Map IPv4 Configuration – A short description of the route map.
OSPF Specific Conditions:
Sequence Number – Unique identifier for a route map entry.
Type – Action for the route map entry: permit (default) / deny.
Match Condition – The route map entry matches when the route matches the configured criteria or filter: ACL (default), PREFIXLIST, Gateway-IP, Interface-Name.
ACL Name – Name of an ACL defined in the Access List IPv4 Filters section above.
IP Prefix List – Name of an IP prefix list defined in the IPv4 Prefix List Filters section below.
Gateway IP – IP address of the next hop in the route.
Out Interface Name – The outgoing interface name; see the Network Interfaces section for the available names.
Set Action – Defines the action to set: Metric / Metric-Type.
Set OSPF Metric – Set the metric for matching routes.
Set OSPF External Metric – Set the external metric type for matching routes.
RIP Specific Conditions:
Sequence Number – Unique identifier for a route map entry.
Type – Action for the route map entry: permit (default) / deny.
Match Condition – The route map entry matches when the route matches the configured criteria or filter: ACL (default), PREFIXLIST, Gateway-IP, Interface-Name, Metric.
ACL Name – Name of an ACL defined in the Access List IPv4 Filters section above.
IP Prefix List – Name of an IP prefix list defined in the IPv4 Prefix List Filters section below.
Gateway IP – IP address of the next hop in the route.
Out Interface Name – The outgoing interface name; see the Network Interfaces section for the available names.
Match Metric – The route metric that the entry matches.
Set Action – Defines the action to set: Next Hop / Metric.
Set RIP Metric – Set the metric for matching routes.
Set RIP Next-Hop IP – Set the next-hop IP address for matching routes.

IPv4 Prefix List Filters
Prefix lists are easier to read than ACLs for route filters. Example of an IP prefix list filter (Name / Network Prefix / Type / Extent Type):
Deny default route 0.0.0.0/0 / 0.0.0.0/0 / deny / none
Permit prefix 10.0.0.0/24 / 10.0.0.0/24 / permit / none
Name – The name of the IP prefix list.
IPv4 Prefix List Configuration (Description) – A short description of the IP prefix list.
Sequence Number – Unique identifier for a prefix list item. Items are evaluated in ascending order and the first matching item decides.
Network Prefix – Network/Netmask.
Type – Action for the prefix term: permit / deny.
Extent Type – Matching condition: none (default), greater-than, less-than.
Prefix Length – Minimum or maximum prefix length to be matched; used with the greater-than and less-than extent types.
4. Click OK to confirm your settings.
5. Click Send Changes and Activate.

How to Configure OSPF Routing over TINA VPN
To dynamically learn OSPF-propagated routes from a remote location connected via a TINA VPN tunnel, VPN Next Hop interfaces are used to create an intermediary network.
Limitations
Currently only available for NG Firewalls managed by an NG Control Center, because the VPN tunnel configuration requires the GTI Editor.
It is not possible to use both OSPF and BGP over the same VPN tunnel.
You must complete this configuration on both the local and the remote Barracuda NG Firewall, using the respective values below (example values for the local / the remote Barracuda NG Firewall):
VPNR Next Hop Interface Index – 1 / 1
VPN Next Hop Interface IP Address – 192.168.20.1/24 / 192.168.20.2/24
Virtual Server Additional IP – 192.168.20.1 / 192.168.20.2
VPN Local Networks – empty / empty
VPN Remote Networks – empty / empty
Router ID – 192.168.20.1 / 192.168.20.2
In this article:
Before You Begin
Step 1. Add a VPN Next Hop Interface
Step 2. Add the VPN Next Hop Interface IP Address to the Virtual Server Listening IP Addresses
Step 3.
Step 3. Configure the TINA Site-to-Site VPN Tunnel in the GTI Editor
Step 4. Configure the OSPF Service
Step 4.1 Configure which Routes to Propagate into OSPF
Step 4.2 Configure the OSPF Router
Step 4.3 Create an OSPF Area Setup
Step 5. Verify the OSPF Service Configuration
Step 6. Create Access Rules for VPN Traffic

Before You Begin
A free /24 subnet (e.g., 192.168.20.0/24) for the intermediary network is required.

Step 1. Add a VPN Next Hop Interface
Add a VPN Next Hop interface using a /24 subnet (e.g., 192.168.20.0/24).
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings.
2. Click Lock.
3. In the Settings tab, click the Click here for Server Settings link. The Server Settings window opens.
4. In the Server Settings window, click the Advanced tab.
5. Next to the VPN Next Hop Interface Configuration table, click Add.
6. In the VPN Interface Properties window, configure the following settings and then click OK:
   In the VPN Interface Index field, enter a number between 0 and 999. E.g., 11
   In the IP Addresses field, enter the VPN interface IP address including the subnet. E.g., 192.168.20.1/24 for the local NG Firewall, or 192.168.20.2/24 for the remote NG Firewall.
   In the Multicast Addresses field, enter the OSPF multicast addresses: 224.0.0.5 224.0.0.6
   The interface is now listed in the VPN Next Hop Interface Configuration table.
7. In the Server Settings window, click OK.
8. Click Send Changes and Activate.
Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 355

Step 2. Add the VPN Next Hop Interface IP Address to the Virtual Server Listening IP Addresses
Introduce the IP address of the VPN Next Hop interface as a virtual server IP address.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
2. Click Lock.
3. In the Additional IP table, add the IP address of the VPN Next Hop interface.
4. Click Send Changes and Activate.

Step 3. Configure the TINA Site-to-Site VPN Tunnel in the GTI Editor
Edit the VPN tunnel to remove the local and remote networks and add the VPN Next Hop interface ID.
1. Go to the global/range/cluster GTI Editor.
2. Click Lock.
3. Click the VPN tunnel, then click the first Transport to edit the VPN tunnel configuration. For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
4. Remove all Local Networks from the remote and local VPN services.
5. Enter the VPN Next Hop interface ID for the remote and local VPN services. E.g., 11
6. Click OK.
7. Click Send Changes and Activate.

Step 4. Configure the OSPF Service
The OSPF setup must be completed on both the local and remote NG Firewalls. The configuration steps and values are the same except for the Router ID and the propagated networks.

Step 4.1 Configure which Routes to Propagate into OSPF
Select the routes you want to propagate.
1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. Click Lock.
3. To propagate the management network, set Advertise Route to yes in the Management IP and Network section.
4. In the left menu, click Routing.
5. Double-click the directly attached and gateway routes you want to propagate. The Routes window opens.
6. Set Advertise Route to yes and click OK.
7. Click Send Changes and Activate.

Step 4.2 Configure the OSPF Router
Enable OSPF and use the VPN Next Hop interface IP address as the Router ID.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. Set Run OSPF Router to Yes.
4. Set Operation Mode to advertise-learn.
5. Enter the Router ID. Typically the VPN Next Hop interface IP address is used. E.g., 192.168.20.1 for the local NG Firewall, or 192.168.20.2 for the remote NG Firewall. The Router ID must be unique among all OSPF routers; using the VPN Next Hop interface address guarantees that for the two tunnel endpoints.
6. In the left menu, click OSPF Router Setup.
7. Select Cisco Type from the ABR Type dropdown.
8. Enter the Terminal Password. This password is needed if you must connect directly to the dynamic routing daemon via the command line for debugging purposes.
9. Click + to add an entry to the Network Prefix table. The Network Prefix window opens.
10. Enter the VPN Next Hop interface network as the Network Prefix. E.g., 192.168.20.0/24
11. Enter the Network Area. E.g., 0, because OSPF area 0 is used in this example. This value must match the OSPF Area configured below.
12. Click OK.
13. Click Send Changes and Activate.

Step 4.3 Create an OSPF Area Setup
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. In the left menu, click OSPF Area Setup.
4. In the OSPF Area Configuration, click + to add Areas.
5. Enter the OSPF area Name.
6. Click OK. The Areas window opens.
7. From the Area ID Format dropdown, select Integer.
8. Enter the Area ID[Int]. Use the same Area ID you used for the Network Area in Step 4.2. E.g., 0
9. (optional) Select the Authentication Type and configure the necessary parameters. In this setup the adjacency is formed only across the encrypted TINA tunnel, but enabling OSPF authentication on both sides still prevents any other host that can reach the intermediary network from injecting routes.
10. Click OK.
11. Click Send Changes and Activate.

Step 5. Verify the OSPF Service Configuration
On the CONTROL > Network page, verify that OSPF is active on the VPN Next Hop interface and that the remote NG Firewall is listed as an OSPF neighbor. The routes learned via OSPF are listed with a type of gateway-ospf in the routing table.
The Interface is the VPN Next Hop interface and the Gateway is the IP address of the remote VPN Next Hop interface.
Local Firewall CONTROL > Network > OSPF page:
Remote Firewall CONTROL > Network > OSPF page:

Step 6. Create Access Rules for VPN Traffic
Create access rules on both the local and remote NG Firewalls to allow traffic from the learned networks through the VPN tunnel. A learned route only makes the remote network reachable; without a matching Pass rule the traffic still ends at the default BLOCKALL rule. For more information, see How to Create Access Rules for Site-to-Site VPN Access.

How to Enable Debugging for OSPF

How to Configure RIP Router Setup
After enabling and configuring RIP, set up your RIP router. This article provides instructions on configuring the global settings and network definitions that RIP uses to advertise routes. This tab only has to be configured when RIP has been activated in the Operational Setup tab by setting the Run RIP Router parameter to yes. Global RIP settings such as version, timers and authentication, and the interfaces on which the RIP process runs, are specified here.

Configure RIP Router Setup
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
2. Click Lock.
3. In the left menu, select RIP Router Setup. In this section, the parameters can be specified as follows:
RIP Keychains (Key / Key String) – To enable RIP authentication, so-called key chains must be introduced. A key chain can consist of several keys, where each key is identified by a number and a key string (password). Key chain authentication requires RIPv2; RIPv1 updates carry no authentication at all.
RIP Version – The Barracuda NG Firewall routing service supports both standardized RIP versions, RIPv1 and RIPv2. The following values are available for selection: Version_1 (classful), Version_2 (classless).
RIP Terminal Password – Password to connect via telnet and query status information of the RIP router. The RIP router is reachable on TCP port 2604 (loopback only). This is mainly useful for debugging purposes. Note that a remote connection to the RIP terminal is not possible.
Privileged RIP Terminal Password – Password to connect via telnet and change the configuration of the RIP router (not recommended, since changes made via the terminal are not persistent). Note that a remote connection to the RIP terminal is not possible.
Networks – Definition of the networks on which the RIP process runs (see the introduction above).
Route Update Filtering – Used to provide access control mechanisms and mechanisms to fine-tune RIP metrics:
   Metric Offsets – Configuring Metric Offsets adds an offset to the incoming and outgoing metrics of routes learned via RIP. Sub-parameters: Update Direction, Enforced Metric, ACLs, Devices.
   Route In/Out Filters – Route Filters are used to control the advertising and learning of routes in routing updates. Filters with the parameter Update Direction set to "in" apply to routes processed in incoming routing updates. The filter is matched against the content of the update, not against the source or destination of the routing update packets. Sub-parameters: Update Direction, Object Type, ACLs, IP Prefix List, Devices.
4. In the RIP Preferences section, accessible from the Configuration menu, the settings can be specified as follows:
Log Level – Specifies the verbosity of the RIP routing service. Available values are: critical, debugging, emergencies, errors, informational (default), notifications, warnings, alerts.
Use Special Routing Table – By setting this parameter to yes and selecting a table name below, routes learned by the RIP service are introduced into a separate routing table. Note that the routing table is not introduced automatically but has to be configured manually by introducing Policy Routes.
Table Names – A list of policy routing table names can be specified here. Routes learned by the routing daemon are introduced into each of the listed routing tables.
Multipath Handling – How multipath routes learned via RIP are treated:
   ignore – Multipath routes are discarded. RIP summarizes routes to multipath routes automatically if more than one next hop to a prefix exists. Use the setting ignore with caution.
   assign-internal-preferences – Multipath routes are translated into several routes with different metrics (preferences).
   accept-on-same-device – Multipath routes are introduced as multipath only if all next hops are reachable on the same interface.
   accept-all (default) – Multipath routes are introduced.
5. Click Send Changes and Activate.

Example for OSPF and RIP Configuration

Firewall
The Barracuda NG Firewall comes with two firewall services: one handles local inbound/outbound traffic and the other handles all forwarding traffic. The Host Firewall service runs on the box layer and cannot be removed. The Forwarding Firewall service can be added to one virtual server on every NG Firewall. The Host and Forwarding Firewall handle only IP protocols. Non-IP traffic (such as Spanning Tree Protocol or IPX/SPX) is not forwarded.
Forwarding Firewall
The Forwarding Firewall handles all traffic whose destination does not match a listening socket on the Barracuda NG Firewall. You can create one (forwarding) Firewall service on each NG Firewall. This service listens on all IP addresses configured for the virtual server and is responsible for all connections that must be transferred through the Barracuda NG Firewall to a remote host. The firewall rules for the Forwarding Firewall are maintained in the forwarding rule set. The Forwarding Firewall is tightly integrated with Application Control 2.0, Virus Scanners, Advanced Threat Detection (ATD), the Intrusion Prevention System (IPS), and the URL Filter.
Examples of connections that use the Forwarding Firewall are:
A web browser that connects to an external web server without using the HTTP Proxy service on the Barracuda NG Firewall
The administrator pings an external Linux server
Traffic entering or leaving a VPN tunnel
For more information, see Forwarding Firewall.

Host Firewall
There is one Host Firewall service running on the box layer of every Barracuda NG Firewall and Barracuda NG Control Center. Host Firewall rules are applied to connections whose target IP address and port number match a listening socket of a service on the Barracuda NG Firewall. The boxfw service manages this rule set and additional traffic handlers such as SIP, RPC, Timer, Audit, Trace, and Sync. Restarting the boxfw service reinitializes the service handlers and reloads the rule set. The boxfw service is automatically activated on the Barracuda NG Firewall. You can have only one Host Firewall on a system.
Examples of connections that are handled by the Host Firewall are:
An incoming connection from a web browser to the HTTP Proxy service running on the Barracuda NG Firewall
An outgoing connection from the HTTP Proxy service running on the Barracuda NG Firewall to a web server on the Internet
Outgoing and incoming VPN traffic between the Barracuda NG Firewall VPN service and the tunnel endpoint
Outgoing NTP or DNS queries
For more information, see Host Firewall.

Forwarding Firewall
The Forwarding Firewall service provides a policy framework to direct and manage traffic passing through the Barracuda NG Firewall:
Firewall Policies:
Firewall Access Rule Set – The access rule set contains a list of access rules. Incoming traffic is compared against the matching criteria set in each access rule. When a match is found, the action set in the access rule is executed. You can enable advanced features (Application Control, QoS, IPS) on a per-rule basis.
Application Rule Set – If Application Control is enabled in an access rule that is executed, the application rule set is called. Applications and (if applicable) URL categories are detected and compared to the list of application rules. Upon a match, the application traffic is either passed or blocked, depending on the action set in the application rule.
IPS Policies – Detect and block network attacks by comparing incoming traffic with predefined, constantly updated patterns.
Traffic Shaping (QoS) Policies – Shape traffic to improve use of the available bandwidth by prioritizing connections that are important for your business.
User Policies – Allow or block access to network resources based on user information.
Schedule (Time) Policies – Allow or block access to network resources based on time or date.
Traditional packet forwarding capabilities are handled by the access rule set, while next-generation application-aware policies are applied in the dedicated application rule set.

Access Rules
The basic job of the firewall is to manage traffic between various trusted and untrusted network segments. Incoming network traffic is compared to the first access rule in the rule set. If the traffic does not match the criteria set in the rule, the next rule is evaluated, continuing from top to bottom until a matching rule is found. The first matching access rule is executed; rules further down are not consulted, so when several rules could match, their order decides the outcome. If none of the rules match, the default BLOCKALL rule blocks the traffic. For more information, see Firewall Access Rules.

Next Generation Firewall Capabilities
Application Control 2.0 (with or without SSL Interception), a tightly integrated Intrusion Prevention System (IPS), URL filtering for content security, and Virus Scanning in the firewall offer granular control over your network traffic.
Application Detection – For each access rule, you can enable Application Control. Application Control detects applications and sub-applications. Detected application traffic can then be manipulated by the application rule set. By using custom application-based link selection connection objects, you can route traffic based on application type. For more information, see Application Control 2.0.
SSL Interception – Much application traffic is SSL encrypted. SSL Interception transparently decrypts SSL connections and re-encrypts them before forwarding them to their destination. SSL Interception enables Application Control to better detect sub-applications, making it possible to block single features such as Facebook games while still allowing access to the rest of the site.
URL Filter – If you want to block inappropriate web-based content from your network, use the Barracuda Webfilter to filter a large number of websites based on categories. With the URL Filter, you can create either a whitelist (blocking everything except for selected sites) or a blacklist (blocking known unwanted content). If a site is not in the URL database, you can define a custom URL policy for it. The URL Filter can only filter based on the URL of the website; it does not offer the more granular control over sub-applications that Application Control does. For more information, see URL Filter.
Virus Scanning – To protect against malware and viruses, enable antivirus (AV) scanning in the firewall. If a user downloads a file containing malware, the Barracuda NG Firewall detects and discards the infected file and then redirects the user to a warning page. You can use the Avira and/or the ClamAV antivirus engines and specify the MIME types of all files that are to be scanned. For more information, see How to Configure Virus Scanning in the Firewall.
ATD – Barracuda Advanced Threat Detection secures your network against zero-day exploits and other malware not recognized by the IPS or Virus Scanner. You can choose between two policies: either scan the files after the user has downloaded them and, if they are found to be a threat, quarantine the user; or scan the file first and let the user download it only after it is known to be safe. For more information, see Advanced Threat Detection (ATD).

Traffic Shaping (QoS)
You can adjust the QoS band traffic to prioritize business-critical traffic over less important traffic:
Traffic shaping protects the available overall bandwidth of a connection. Network traffic is classified and throttled or prioritized within each access rule.
Traffic shaping for application traffic can be configured in the application policy rules. For more information, see Application Control 2.0.
For more information, see Traffic Shaping.

Intrusion Prevention System (IPS)
The tightly integrated Intrusion Prevention System (IPS) monitors the network for malicious activities and blocks detected network attacks. The IPS engine analyzes network traffic and continuously compares the bit stream with its internal signature database of known attack patterns. IPS must be globally enabled on a Barracuda NG Firewall. However, you can enable or disable IPS for each firewall rule. For more information, see Intrusion Prevention System (IPS).

Users/Time
For more granular control, you can configure access rules that are only applied to specific users or during specific times.
Users can be used as a criterion for a rule. To enable the Barracuda NG Firewall to be aware of which connection belongs to a specific user, use the Barracuda DC Agent, the Barracuda TS Agent, or the Barracuda NG Firewall Authentication Client. For more information, see User Objects.
You can create access rules that are only active at specific times or dates. For example, you can create a time object that only includes Mondays and the hours of 8:00 am to 9:00 am. An access rule including this time object allows traffic only during the time span defined in the time object. For more information, see Schedule Objects.

Firewall Objects
Use firewall objects to reference specific networks, services, times and dates, user groups, or connections when creating firewall rules. You can use firewall objects that are preconfigured on the Barracuda NG Firewall or create custom objects to fit your needs. The main purpose of firewall objects is to simplify the creation and maintenance of firewall rules. Firewall objects are reusable, which means that you can use one firewall object in as many rules as required. Each firewall object has a unique name that is more easily referenced than an IP address or a network range. For more information, see Firewall Objects.

Layer 7 Application Control (Legacy)
Barracuda Networks recommends using Application Control 2.0.
Layer 7 Application Control is a legacy feature that uses Deep Packet Inspection (DPI) and behavioral traffic analysis to detect and classify network traffic based on Layer 7 applications and protocols. For more information, see Layer 7 Application Control.

Firewall Access Rules
The firewall service compares the incoming traffic to the access rules until it has found a match and then executes the policy defined in the matching rule. The following article explains the configuration and interaction of access rules on the Barracuda NG Firewall.

Access Rule Settings
For each access rule you can configure the following settings:
Name – The name of the access rule. This name is displayed on the Firewall > Live and History pages.
Description – An additional field in which you can enter a description of the access rule, to help you and others determine the purpose of the access rule in case it must be edited later.
Action – Specifies how the Barracuda NG Firewall handles network traffic that matches the criteria of the rule. The following actions are available:
   Pass – The Barracuda NG Firewall passes all network traffic that matches the access rule.
   Block – The Barracuda NG Firewall ignores all network traffic that matches the access rule and does not answer any packet from this particular network session.
   Deny – The Barracuda NG Firewall dismisses all network traffic that matches the access rule. Matching network sessions are terminated by replying with TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests, and ICMP Denied by Filter for other IP protocols.
   Dst NAT – The Barracuda NG Firewall rewrites the destination IP address, network, or port to a predefined network address.
   Map – The Barracuda NG Firewall rewrites IP ranges or networks to a predefined network or IP range.
   App Redirect – The Barracuda NG Firewall redirects the traffic locally to one of the services running on the Barracuda NG Firewall.
   Broad Multicast – The Barracuda NG Firewall forwards broadcasts for bridged networks.
   Cascade – Jump to and evaluate a different rule list.
   Cascade Back – Jump back to the global rule list and resume evaluating the access rules below the cascade rule.
Service – The protocol and protocol/port range of the matching traffic. You can define one or more services for the access rule. You can select a predefined service object or create your own service objects (see Service Objects).
Source – The source IP address/netmask of the connection to be handled by the rule. You can select a network object or explicitly enter a specific IP address/netmask.
Destination – The destination IP address/netmask of the connection that is affected by the rule. You can select a network object or explicitly enter a specific IP address/netmask.
Connection Method – The outgoing interface and source (NAT) IP address for traffic matching the access rule, using connection objects (see below).

Connection Objects
The following table lists the predefined connection objects.
Predefined Connection Object – Outgoing Interface and IP Address Determined by
Dynamic SNAT (Source-based NAT) – The source IP address of the packets is changed to that of the matching interface with the lowest metric according to the routing table.
No SNAT (No Src NAT - Client) – The connection is established using the original source IP address.
SNAT with DSL IP – Source NAT with the IP address of the ppp1 device
SNAT with 3G IP – Source NAT with the IP address of the ppp5 device (3G uplink)
SNAT with DHCP IP – Source NAT with the IP address of the dhcp device (DHCP uplink)
NAT Tables – Source NAT for networks or IP ranges. Multiple rewrite conditions can be configured per connection object.
Application Based Link Selection Connection Objects – Source NAT based on application type.
You can also create custom connection objects. For more information, see Connection Objects.

Troubleshooting Blocked Connections Video
To get a feel for how to use access rules, and how NG Admin helps you determine which rules to create, watch the Troubleshooting Blocked Connections video (not included in the PDF export).

How to Edit, Copy, Clone, Deactivate, or Delete Access Rules
You can perform various basic tasks when working with access rules in the host and forwarding rule sets:
Edit Access Rules
Inline Editing
Edit Multiple Access Rules
Clone Access Rules
Copy, Cut, and Paste Access Rules
Delete Access Rules
Deactivate Access Rules
Move Access Rules Up or Down

Edit Access Rules
Edit access rules by either double-clicking the rule or right-clicking the rule and selecting Edit. In the Edit Rule window, you can configure all possible configuration settings for the access rule. Toggle the Object Viewer check box in the left navigation to display or hide the Object Viewer according to your preferences.

Inline Editing
You can change a setting for an access rule without opening the Edit Rule window. Click the rule, hover your mouse pointer over the value that you want to change, and then click the edit icon that appears.

Edit Multiple Access Rules
Use caution when you edit multiple access rules simultaneously, because you can introduce a severe misconfiguration. For a basic setting such as source or destination that is used in multiple access rules, use a firewall object: when you change the object, the change is automatically applied to every rule that refers to this object. If you must change Advanced or ICMP Handling settings for more than one access rule, you can edit multiple access rules simultaneously.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Hold the Ctrl key and select the access rules that you want to edit.
4. Right-click the selected access rules and select Edit.
5. In the Edit Multiple Rules window, change the Advanced or ICMP Handling settings as needed. The settings are color-coded:
   Yellow – This setting differs from the default value and is the same for all selected access rules.
   Red – One or more of the selected access rules use differing settings for this parameter. Changing the parameter overwrites the settings for all selected access rules.
6. Click Send Changes and Activate.

Clone Access Rules
If you want to duplicate an access rule, click Lock. Then right-click the access rule that you want to duplicate and select Clone. A copy of the rule is inserted below the original rule, with COPY appended to the rule name.

Copy, Cut, and Paste Access Rules
If you want to copy or cut an access rule from one rule set to another, click Lock. Then right-click the rule and select Copy or Cut. To paste the access rule into a rule set, right-click the rule above the location where you want the new rule to be inserted and select Paste.

Delete Access Rules
To delete an access rule, click Lock. Then right-click the rule that you want to delete and select Delete.

Deactivate Access Rules
If you want to temporarily disable an access rule, click Lock. Then right-click the rule that you want to deactivate and select Deactivate. Until the rule is reactivated, it is not evaluated by the Firewall service. If you want to create temporary rules (e.g., for administrative SSH access), use dynamic firewall rules.

Move Access Rules Up or Down
To change the order in which the access rules are evaluated, you can either drag and drop rules to the desired location or right-click the rule and select Move Up or Move Down to move the rule up or down one line.
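The evaluation semantics described in Firewall Access Rules (first match wins, BLOCKALL catches everything else, Block drops silently while Deny answers per protocol, a deactivated rule is skipped) and the Target List handling from the Dst NAT article (Fallback, Cycle per source IP, UDP always to the first target) are easy to get wrong when reordering rules. The following Python model is an added example, not Barracuda code and not how the firewall is implemented internally; the rule names, addresses, and the reachable set that stands in for the firewall's availability check are constructed for the illustration.

```python
"""Added example (not Barracuda code): a model of forwarding-rule evaluation.
Rules are checked top to bottom; the first match wins; BLOCKALL catches the
rest, so a rule placed below it is never reached. Block drops silently, Deny
answers per protocol, Dst NAT picks a target from its Target List (Fallback or
Cycle). Rule names, addresses and the 'reachable' set are constructed here."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Replies a Deny rule sends, from the Deny action description on this page.
DENY_REPLY = {"tcp": "TCP-RST", "udp": "ICMP Port Unreachable"}
DENY_OTHER = "ICMP Denied by Filter"


@dataclass
class Rule:
    name: str
    action: str                    # "Pass", "Block", "Deny" or "DstNAT"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None     # destination port; None matches every port
    active: bool = True            # a deactivated rule is never evaluated
    targets: List[str] = field(default_factory=list)  # Dst NAT Target List
    mode: str = "fallback"         # Dst NAT: "fallback" or "cycle"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    """Source, destination, protocol and port must all fit the rule."""
    if not rule.active:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return rule.port is None or rule.port == pkt.dport


class RuleSet:
    def __init__(self, rules: List[Rule], reachable: Set[str]):
        self.rules = rules
        self.reachable = reachable          # targets currently answering (constructed)
        self._sticky: Dict[str, str] = {}   # Cycle: source IP -> chosen target
        self._next = 0

    def pick_target(self, rule: Rule, pkt: Packet) -> str:
        """UDP always takes the first target and is never cycled. TCP Fallback
        takes the first available target; TCP Cycle hands targets out round-robin
        per new source IP and then keeps that target for the same source."""
        if pkt.proto != "tcp":
            return rule.targets[0]
        if rule.mode == "fallback":
            live = [t for t in rule.targets if t in self.reachable]
            return live[0] if live else rule.targets[0]  # assumption if none is up
        if pkt.src not in self._sticky:
            self._sticky[pkt.src] = rule.targets[self._next % len(rule.targets)]
            self._next += 1
        return self._sticky[pkt.src]

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (name of the first matching rule, verdict) for a new connection."""
        for rule in self.rules:
            if not matches(rule, pkt):
                continue
            if rule.action == "Pass":
                return rule.name, "PASS"
            if rule.action == "Block":
                return rule.name, "BLOCK (silent drop)"
            if rule.action == "Deny":
                return rule.name, "DENY " + DENY_REPLY.get(pkt.proto, DENY_OTHER)
            if rule.action == "DstNAT":
                return rule.name, "DSTNAT -> " + self.pick_target(rule, pkt)
        return "BLOCKALL", "BLOCK (silent drop)"  # implicit default rule


def demo_ruleset() -> RuleSet:
    """Constructed rule set. Note the Pass rule placed below BLOCKALL."""
    dmz = ["172.16.0.10", "172.16.0.11"]
    rules = [
        Rule("LAN-DMZ", "Pass", src="10.0.0.0/24", dst="172.16.0.0/24", proto="tcp", port=443),
        Rule("Deny-Telnet", "Deny", src="10.0.0.0/24", proto="tcp", port=23),
        Rule("Deny-Legacy-Net", "Deny", dst="192.0.2.0/24"),
        Rule("Internet-2-DMZ-HTTPS-Server", "DstNAT", dst="203.0.113.10/32",
             proto="tcp", port=443, targets=dmz, mode="cycle"),
        Rule("Internet-2-DMZ-HTTP-Server", "DstNAT", dst="203.0.113.10/32",
             port=80, targets=dmz, mode="fallback"),  # proto any: shows UDP handling
        Rule("Old-Test-Rule", "Pass", src="10.0.0.0/24", active=False),
        Rule("BLOCKALL", "Block"),
        Rule("Shadowed-Pass", "Pass", src="10.0.0.0/24"),  # never reached
    ]
    return RuleSet(rules, reachable={"172.16.0.11"})  # .10 is down in this scenario
```

Running `demo_ruleset().evaluate(Packet("10.0.0.5", "198.51.100.1", "udp", 53))` returns the BLOCKALL verdict even though Shadowed-Pass would match, which is exactly the "rules located below the BLOCKALL rule are never executed" pitfall from the how-to articles; moving that rule above BLOCKALL flips the result. The Dst NAT rules show why Cycle is sticky per source and why UDP is excluded from distribution.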
Barracuda NG Firewall 6.1 Administrator's Guide - Page 370 How to Create a Pass Access Rule A Pass access rule permits traffic for a specific Service coming from the Source to access the selected Destination. For the Source and Destin ation, you can specify network objects, IP addresses, networks, or geolocation objects. Create a Pass Access Rule 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules. 2. Click Lock. 3. Either click the plus icon (+) at the top right of the rule set, or right-click the rule set and select New > Rule. 4. Select Pass as the action. 5. Enter a name for the rule. For example, LAN-DMZ. 6. Specify the following settings that must be matched by the traffic to be handled by the access rule: Source – The source addresses of the traffic. Destination – The destination addresses of the traffic. Service – Select a service object, or select Any for this rule to match for all services. For the example access rule displayed in the figure above, a network object named HQ-DMZ containing the IP address of the DMZ server has been created. For more information, see How to Create Network Objects. 7. Click OK. 8. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed. 9. Click Send Changes and Activate. Additional Matching Criteria Authenticated User – For more information, see User Objects. Schedule Objects – For more information, see Schedule Objects. Connection Method – For more information, see Connection Objects. Additional Policies IPS Policy – For more information, see Intrusion Prevention System (IPS). Application Control – For more information, see Application Control 2.0. SSL Interception – For more information, see How to Enable Application Control 2.0. 
URL Filter – For more information, see URL Filter. AV Scan – For more information, see How to Configure Virus Scanning in the Firewall. ATD – For more information, see How to Configure ATD in the Firewall. Safe Search – For more information, see How to Enforce Safe Search in the Firewall. YouTube For Schools – For more information, see How to Enforce YouTube for Schools in the Firewall. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page QoS Band (Fwd) or QoS Band (Reply) – For more information, see Traffic Shaping. Copyright © 2015, Barracuda Networks Inc. 371 Barracuda NG Firewall 6.1 Administrator's Guide - Page 372 How to Create a Block Access Rule A Block access rule prevents traffic from passing through the Barracuda NG Firewall. The sender is not notified that the traffic was blocked. Create a Block Access Rule 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules. 2. Click Lock. 3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule. 4. Select Block as the action. 5. Enter a Name for the rule. For example, ExampleBlockRule. 6. Specify the following settings that must be matched by the traffic to be handled by the access rule: Source – The source addresses. Destination – The destination addresses of the traffic. Service – Select a service object, or select Any for this rule to match for all services. 7. Click OK. 8. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to block. Ensure that the rule is located ab ove the BLOCKALL rule; rules located below the BLOCKALL rule are never executed. 9. Click Send Changes and Activate. Additional Matching Criteria Authenticated User – For more information, see User Objects. Additional Policy Schedule Objects – For more information, see Schedule Objects. 
Returning a Block Page for HTTP Traffic BLOCK and DENY access rules can return a block page if the user was blocked using the HTTP protocol on port 80. All other protocols and ports covered by the access rule will be blocked at TCP SYN level. 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules. 2. Click Lock. 3. Edit a Block access rule. The Edit Rule window opens. 4. In the left menu click Advanced. 5. In the Miscellaneous section, set Block Page for TCP 80 to Access Block Page or Quarantine Block Page. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 373 6. Click OK. 7. Click Send Changes and Activate. When a user is blocked by this access rule while using HTTP on port 80, the customizable Access Block Page is displayed. For more information, see How to Configure Custom Block Pages. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 374 How to Create a Deny Access Rule A Deny access rule terminates matching network sessions by replying TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests, or ICMP Denied by Filter for other IP protocols. Because the remote host receives a reply, it knows that your system is up and running and protected by a firewall. Create a Deny Access Rule 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules. 2. Click Lock. 3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule. 4. Select Deny as the action. 5. Enter a Name for the rule. For example, ExampleDenyRule. 6. Specify the following settings that must be matched by the traffic to be handled by the access rule: Source – The source addresses. Destination – The destination addresses of the traffic. 
Service – Select a service object, or select Any for this rule to match for all services. 7. Click OK. 8. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to deny. Ensure that the rule is located ab ove the BLOCKALL rule; rules located below the BLOCKALL rule are never executed. 9. Click Send Changes and Activate. Additional Matching Criteria Authenticated User – For more information, see User Objects. Additional Policy Schedule Objects – For more information, see Time Objects. Returning a Block Page for HTTP Traffic BLOCK and DENY access rules can return a block page if the user was blocked using the HTTP protocol on port 80. All other protocols and ports covered by the access rule will be blocked at TCP SYN level. 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules. 2. Click Lock. 3. Edit a Block access rule. The Edit Rule window opens. 4. In the left menu click Advanced. 5. In the Miscellaneous section, set Block Page for TCP 80 to Access Block Page or Quarantine Block Page. Copyright © 2015, Barracuda Networks Inc. 5. Barracuda NG Firewall 6.1 Administrator's Guide - Page 375 6. Click OK. 7. Click Send Changes and Activate. When a user is blocked by this access rule while using HTTP on port 80, the customizable Access Block Page is displayed. For more information, see How to Configure Custom Block Pages. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page 376 How to Create a Destination NAT Access Rule A Dst NAT access rule redirects traffic sent to an external IP address to a destination in the internal network. The following example shows a Dst NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ (172.16.0.10). Create a Dst NAT Access Rule 1. 
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
4. Select Dst NAT as the action.
5. Enter a Name for the rule. For example, Internet-2-DMZ-HTTPS-Server.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
   Source – The source addresses of the traffic.
   Destination – The destination addresses of the traffic.
   Service – Select a service object, or select Any for this rule to match for all services.
   Target List – The redirection target. You have the following options to define the target:
     Enter one IP address with or without a specific port. If you append a port to the IP address, the Barracuda NG Firewall maps the external port to that of the internal server (for example, port 80 to port 8080). For example, 172.16.0.10 or 172.16.0.10:8080.
     Enter a space-delimited list of IP addresses.
     Click the Reference check box, and select a network object from the drop-down list that appears. If the network object contains multiple IP addresses, only the first IP address is used. Do not use network objects containing host names (DNS objects); the firewall does not redirect traffic to a hostname or FQDN.
   (TCP only) Fallback/Cycle – The firewall can distribute TCP traffic over multiple IP addresses in two ways:
     Fallback – The connection is redirected to the first available IP address in the list.
     Cycle – New incoming TCP connections are distributed evenly over the available IP addresses in the list on a per-source-IP-address basis. The same redirection target is used for all subsequent connections of that source IP address. UDP connections are redirected to the first IP address and not cycled.
   (TCP only) List of Critical Ports – Enter a space-delimited list of the used TCP ports.
   Connection Method – Select No SNAT.
7. Click OK.
8. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
9. Click Send Changes and Activate.

Additional Matching Criteria
  Authenticated User – For more information, see User Objects.
  Connection Method – For more information, see Connection Objects.

Additional Policies
  IPS Policy – For more information, see Intrusion Prevention System (IPS).
  Application Control – For more information, see Application Control 2.0.
  SSL Interception – For more information, see How to Enable Application Control 2.0.
  URL Filter – For more information, see URL Filter.
  AV Scan – For more information, see How to Configure Virus Scanning in the Firewall.
  Schedule Objects – For more information, see Schedule Objects.
  QoS Band (Fwd) or QoS Band (Reply) – For more information, see Traffic Shaping.

How to Create an App Redirect Access Rule

The App Redirect access rule rewrites the destination IP address and forwards the traffic to a service running on a local IP address of the Barracuda NG Firewall. For example, you can use an App Redirect rule to transparently redirect all web traffic over the HTTP proxy service.

Create an App Redirect Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
4. Select App Redirect as the action.
5. Enter a Name for the rule. For example, Transparent-Proxy-LAN2INTERNET.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
   Source – The source addresses of the traffic.
   Destination – The destination addresses of the traffic.
   Service – Select a service object, or select Any for this rule to match for all services.
7. Enter the redirection IP address and optional port as the Local Address. For example, 127.0.0.9:3128 for the HTTP proxy service.
8. Click OK.
9. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
10. Click Send Changes and Activate.

Additional Matching Criteria
  Authenticated User – For more information, see User Objects.

Additional Policies
  IPS Policy – For more information, see Intrusion Prevention System (IPS).
  Application Control – For more information, see Application Control 2.0.
  URL Filter – For more information, see URL Filter.
  Schedule Objects – For more information, see Schedule Objects.
  QoS Band (Fwd) or QoS Band (Reply) – For more information, see Traffic Shaping.

How to Create a Map Access Rule

A Map access rule rewrites incoming network ranges or IP addresses to destination networks or IP ranges, just like a Dst NAT rule does for a single IP address. You can use a NAT Table as an object for the Destination and/or Connection settings. Ensure that the Destination network is the same size as or smaller than the network used to redirect the request. Otherwise, the firewall wraps the larger source network into the smaller redirection network.

Create a Map Access Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
4. Select Map as the action.
5. Enter a Name for the rule. For example, ExampleMapRule.
6. Select the Bi-Directional check box.
7. Specify the following settings that must be matched by the traffic to be handled by the access rule:
   Source – The source addresses of the traffic. For example, select Internet.
   Destination – Enter the destination network, or select a NAT table Connection object.
   Service – Select a service object, or select Any for this rule to match for all services.
8. Enter the Redirection IP address or network. This is the network range that the connections will be rewritten to.
9. If the redirection IP network is not physically present on a network interface, select the Create Proxy ARP check box. For the example above, proxy ARP is not needed.
10. From the Connection Method list, select Client (No Translation).
11. Click OK.
12. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
13. Click Send Changes and Activate.

Additional Matching Criteria
  Authenticated User – For more information, see User Objects.
  Connection Method – For more information, see Connection Objects.

Additional Policies
  IPS Policy – For more information, see Intrusion Prevention System (IPS).
  Application Control – For more information, see Application Control 2.0.
  SSL Interception – For more information, see How to Enable Application Control 2.0.
  URL Filter – For more information, see URL Filter.
  AV Scan – For more information, see How to Configure Virus Scanning in the Firewall.
  Schedule Objects – For more information, see Schedule Objects.
  QoS Band (Fwd) or QoS Band (Reply) – For more information, see Traffic Shaping.

How to Create a Broad-Multicast Access Rule

A Broad-Multicast access rule propagates broadcasts between multiple bridged network interfaces.

Create a Broad-Multicast Access Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
4. Select Broad-Multicast as the action.
5. Enter a name for the rule. For example, EnableDeviceShare.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
   Source – The bridged network.
   Destination – The broadcast addresses that you want to propagate in the network.
   Service – Select a service object, or select Any for this rule to match for all services.
7. In the Broad-Multicast - Propagation List field, enter the propagation interface or IP address(es). You can also enter a comma-delimited array of (bridged) network interfaces or existing IP addresses. The propagation list accepts the following kinds of content:
   Mixed list of IP addresses and interfaces (example: port2,port3,192.168.200.10) – IP packets are propagated through the specified interfaces; for IP addresses, the outgoing interface is determined by performing a routing lookup.
   Network interface(s) (example: port2,port3,vpnr0,brid01) – The IP packets are transmitted unchanged through the specified interface(s).
   IP address(es) (example: 192.168.200.10,10.10.0.100) – The target of the IP packets is changed according to the specified IP address(es), and the packets are delivered after performing a routing lookup.
   <interface>:<IP address> (example: port2:192.168.200.10) – The IP packets are transmitted through the specified interface and the target is changed according to the specified IP address. For a standard IP address, a layer 2 broadcast is triggered. For a multicast IP address, a corresponding layer 2 multicast MAC is created.
   <interface>:<IP address>! (example: 192.168.200.10!) – Forces a layer 2 broadcast; the target MAC address is changed to ff:ff:ff:ff:ff:ff. This also works if the destination is a multicast address.
8. Click OK.
9. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
10. Click Send Changes and Activate.

Additional Matching Criteria
  Authenticated User – For more information, see User Objects.
  Connection Method – For more information, see Connection Objects.

Additional Policies
  Time Objects – For more information, see Schedule Objects.

How to Create Cascade and Cascade Back Access Rules

To better organize the access rule set, you can create additional rule lists. At the point in the rule list where you want to evaluate another rule list, create a Cascade access rule. If none of the rules in the additional rule list you cascaded to matched, create a Cascade Back access rule to continue evaluating the rules in the main rule list. If you do not define a Cascade Back rule in the additional rule list and none of the rules match, the default policy (BLOCK or ALLOW) is executed at the end of the rule list.

Before You Begin

Create one or more rule lists. For more information, see How to Create New Rule Lists.

Create a Cascade Access Rule
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
4. Select Cascade as the action.
5. Enter a Name for the rule. For example, CascadetoDMZRuleList.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
   Source – The source addresses of the traffic.
   Destination – The destination addresses of the traffic.
   Service – Select a service object, or select Any for this rule to match for all services.
7. Select the Rulelist that should also evaluate the traffic. For example, DMZRuleList.
8. Click OK.
9. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
10. Click Send Changes and Activate.

Create a Cascade Back Access Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
4. Select Cascade Back as the action.
5. Enter a Name for the rule. For example, CascadeBack.
6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
   Source – The source addresses of the traffic.
   Destination – The destination addresses of the traffic.
   Service – Select a service object, or select Any for this rule to match for all services.
7. Click OK.
8. Drag and drop the access rule to the position that you want.
   Usually this rule is placed last in the rule list, but you can drag it further up the rule list as well.
9. Click Send Changes and Activate.

Additional Matching Criteria
  Authenticated User – For more information, see User Objects.

Additional Policies
  Time Objects – For more information, see Schedule Objects.

How to Create and Activate a Dynamic Rule

Dynamically activated rules are flagged by the clock icon. Dynamic access rules prevent the security vulnerabilities caused by forgetting to revoke service access that is needed only temporarily. If you create a dynamic rule, it is inactive by default and can be enabled on demand for a configured time span.

Create a Dynamic Access Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Edit the access rule you want to make dynamic.
4. Enable Dynamic Rule.
5. Click OK.
6. Click Send Changes and Activate.

Create a Dynamic Application Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, click Application Rules.
4. Edit the application rule you want to make dynamic.
5. Enable Dynamic Rule.
6. Click OK.
7. Click Send Changes and Activate.

Enable and Disable Dynamic Rules via NG Admin

1. Open the FIREWALL > Dynamic page.
2. Double-click a dynamic rule to open the Change Dynamic Rule dialog.
3. Select Enable to enable the rule.
4. If you want the rule to be enabled temporarily, enter the time span in the Timer section.
5. Select an action from the Action on expiry drop-down list:
   Enable – Enables the access rule.
   Disable – Disables the access rule.
   Disable & Terminate – Disables the rule and terminates all existing connections based on this rule.
   Block – Blocks all traffic matching this rule explicitly.
   Block & Terminate – Blocks all traffic matching this rule explicitly and terminates all existing connections based on this rule.
   None – No action.
6. Click OK.
7. Click Send Changes and Activate.

Enable and Disable Dynamic Rules via SSL VPN Desktop and Mobile Portal

Create a dynamic access rule resource to be able to use the web interface to enable or disable dynamic access rules on the SSL VPN desktop or mobile portal. For more information, see How to Create and Activate a Dynamic Rule and Mobile Portal User Guide.

How to Create New Rule Lists

For a better overview and organization of your access rule set, you can create additional rule lists to assign rules a main or sub-priority within the forwarding rule set. You can apply the additional rule lists to traffic by creating a Cascade access rule (see How to Create Cascade and Cascade Back Access Rules).

Create a Rule List

To create a new rule list:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. On the Access Rules page, click the yellow table icon in the top left of the rule set (next to Main Rules).
4. Enter a name for the rule list and click OK.
5. Click Send Changes and Activate.

After the rule list is created, a tab for it appears next to the Main Rules tab on top of the list. In the new rule list, you can now specify a range of access rules. To switch between rule lists, click the tabs. You can also copy a rule from the main rule list by right-clicking the rule and selecting Copy, and then right-clicking the additional rule list and selecting Paste.
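The Timer and Action on expiry behaviour of a dynamic rule (How to Create and Activate a Dynamic Rule, above), as an added Python example that is not Barracuda's code: the rule starts inactive, is enabled for a time span, and on expiry is disabled, blocked or left as it is, terminating the sessions it created when a "& Terminate" action is chosen. The rule name, the session ids and the treatment of the None action are assumptions made for the example.

```python
# Added example (not Barracuda's code): a model of one dynamic access rule with
# the Change Dynamic Rule dialog's Timer and "Action on expiry" semantics.
# Times are plain integers (seconds) to keep the model small.
from dataclasses import dataclass, field
from typing import List, Optional, Set

ENABLE, DISABLE, DISABLE_TERMINATE = "Enable", "Disable", "Disable & Terminate"
BLOCK, BLOCK_TERMINATE, NONE = "Block", "Block & Terminate", "None"


@dataclass
class DynamicRule:
    name: str
    action: str = "PASS"              # verdict for matching traffic while active
    enabled: bool = False             # a dynamic rule is inactive by default
    blocked: bool = False             # set by Block / Block & Terminate on expiry
    expires_at: Optional[int] = None  # Timer: when the current state runs out
    on_expiry: str = NONE
    sessions: Set[str] = field(default_factory=set)  # connections created by this rule

    def change(self, now: int, enable: bool, duration: Optional[int] = None,
               on_expiry: str = NONE) -> None:
        """Change Dynamic Rule dialog: Enable/Disable, optional Timer, Action on expiry."""
        self.enabled, self.blocked = enable, False
        self.expires_at = None if duration is None else now + duration
        self.on_expiry = on_expiry

    def tick(self, now: int) -> List[str]:
        """Apply the expiry action once the timer has run out.

        Returns the session ids terminated by a '& Terminate' action (empty otherwise).
        Assumption: 'None' leaves the rule in whatever state it is in.
        """
        if self.expires_at is None or now < self.expires_at:
            return []
        self.expires_at = None
        if self.on_expiry == ENABLE:
            self.enabled = True
        elif self.on_expiry in (DISABLE, DISABLE_TERMINATE):
            self.enabled = False
        elif self.on_expiry in (BLOCK, BLOCK_TERMINATE):
            self.blocked = True       # matching traffic is now blocked explicitly
        terminated: List[str] = []
        if self.on_expiry in (DISABLE_TERMINATE, BLOCK_TERMINATE):
            terminated = sorted(self.sessions)
            self.sessions.clear()
        return terminated

    def evaluate(self, now: int, session_id: str) -> str:
        """Verdict for a connection whose source/destination/service match the rule.

        CONTINUE means the rule is inactive, so evaluation moves on to the next rule.
        """
        self.tick(now)
        if self.blocked:
            return "BLOCK"
        if not self.enabled:
            return "CONTINUE"
        self.sessions.add(session_id)
        return self.action


if __name__ == "__main__":
    # Constructed walkthrough: a vendor gets one hour of access, then sessions are cut.
    rule = DynamicRule("Vendor-RDP-Access")
    print(rule.evaluate(0, "s1"))                               # CONTINUE: inactive by default
    rule.change(100, True, duration=3600, on_expiry=DISABLE_TERMINATE)
    print(rule.evaluate(200, "s1"), rule.evaluate(300, "s2"))  # PASS PASS
    print(rule.tick(3700))                                      # ['s1', 's2'] terminated
    print(rule.evaluate(3800, "s3"))                            # CONTINUE: disabled again
```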
Firewall Rule Tester and Test Reports

The Barracuda NG Firewall provides you with a few tools to test your firewall rule set:
  Check for Overlapping Rules – Highlights firewall rules with criteria that match those of a selected firewall rule and helps you determine the best order for your firewall rules.
  Rule Tester – Tests the firewall rule set with the specified connection settings. Also verifies the consistency of your firewall rule set.
  Test Report – Contains settings and results that are saved from a rule test. Notifies you if any later changes to the firewall rule set result in an unsuccessful connection request with the saved settings.

In this article:
  Check for Overlapping Rules
  Test the Firewall Rule Set
  Save the Rule Test to a Test Report
  Test Reports

Check for Overlapping Rules

Because a connection request can match the criteria of multiple firewall rules, the order of the rules is important. To help you identify firewall rules with criteria that match those of a selected rule, use the overlap checker.
1. Open the Forwarding Rules page (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall).
2. Right-click a firewall rule and select Select Overlapping. Any firewall rules with matching criteria are highlighted.

In most cases, the overlap is a harmless outcome of a very openly defined firewall object such as Any.

Test the Firewall Rule Set

To test your firewall rule set, you can simulate a specific connection by entering the network data in the rule tester. The rule tester then determines which firewall rule would match this connection attempt.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, expand the Rule List Verification section and click Rule Tester.
3. In the TEST CONNECTION section, enter the network parameters you want to test:
   Proto – Protocol
   Day/Hour – (Optional) Day of week and time
   Date – (Optional) Month, day, and year
   From – Source IP address
   Port – Source port (default is 2048)
   To – Destination IP address
   Port – Destination port
   SMAC – (Optional) Source MAC address
   Input-IF – (Optional) Incoming interface
   Output-IF – (Optional) Outgoing interface
   Srv – Service
4. Click Test. The test result is displayed in the TEST RESULT section.

Save the Rule Test to a Test Report

To save your firewall rule test settings and result, click LOCK, enter a name in the Save Result to field, and click Save Result to. Your test is saved as a test report. To view your saved test results, expand Rule List Verification and click Test Report in the left pane of the rule set page.

Test Reports

On the Test Report page, successful test results are indicated by a green icon and unsuccessful test results by a red icon. If you make changes to the firewall rule set that would cause an unsuccessful test connection for a test report (such as renaming objects or changing the order of firewall rules), the green icon turns into a red icon. The new results are added to the test report while the old results are displayed in brackets.

You can validate or edit the settings for the failed connection request:
  If the new results for a failed connection request are correct, you can validate the test report by right-clicking it and selecting Rectify. The red icon for the test report turns into a green icon.
  If the new results for a failed connection request are incorrect, you can edit the firewall rule or the test report settings. To edit the test report, right-click it and select Edit. To edit the firewall rule, double-click the test report, and in the TEST RESULT section click Edit next to the Rule field. While editing the test report, you can also use it as a template and save the new settings as a new test report.
Test reports are only saved temporarily. If you want to save test reports, click Send Changes and Activate.

Advanced Access Rule Settings

In some specific situations, you may have to modify the default behavior of your firewall by changing the advanced access rule parameters. Some of these parameters can be used to increase the security level, while others provide rarely needed exceptions to the strict default security policy of the Barracuda NG Firewall. The advanced parameters of an access rule can impact security if not properly configured. Ensure that you fully understand the functionality of a parameter before you change it.

Advanced Access Rule Settings:
  Rule Mismatch Policy
  TCP Policy
  Resource Protection
  Counting / Eventing / Audit Trail
  Miscellaneous
  Quarantine Policy
  Dynamic Interface Handling

Rule Mismatch Policy

Usually, a connection request is required to match the source, service, and destination of a rule. By default, the firewall continues to the subsequent rule in the rule set if one of the three conditions is not met. If you do not want a rule to be bypassed, you can change the policy for mismatches to the rule conditions. The following policies are available for Source, Destination, Service, User, and MAC address condition mismatch:
  CONTINUE on Mismatch (default) – Continues processing with the next access rule.
  BLOCK on Mismatch – Ignores all traffic and does not answer any matching packet (silent drop).
  DENY on Mismatch – Dismisses all traffic and sends TCP-RST (for TCP requests), ICMP Port Unreachable (for UDP requests), or ICMP Denied by Filter (for other IP protocols) to the source.

If you want the session to be re-evaluated when the rule set or authentication settings are changed, enable the Persistence setting.
Example Use Case

Two machines in your LAN have access to a database server on a critical port (for example, telnet). You want to ensure that no other rule accidentally allows access for a source other than these two clients. In this case, select Block on Mismatch from the Source list in the Rule Mismatch Policy section of the Advanced Rule Parameters window.

The effect of these options is cumulative. If you check two options, you blank out the remaining values for all subsequent rules.

TCP Policy

In the TCP Policy section, you can edit the following TCP policy settings for traffic that is handled by the access rule:

Generic TCP Proxy
  The firewall engine is capable of two TCP forwarding methods, Application Controlled Packet Forwarding (ACPF) and Generic TCP Proxy:
    Generic TCP Proxy OFF – (Default) The firewall does not terminate the TCP connection. The TCP connection is directly established between the source and destination. Malformed packets are filtered by ACPF.
    Generic TCP Proxy ON – Also called Stream Forwarding. If you want to avoid any direct TCP connection between two TCP partners traversing the firewall, use stream forwarding to build two distinct TCP connections. The destination will not receive any packets that are not generated by the firewall's own TCP stack, making it impossible for a potential attacker to exploit a security flaw in the destination server's TCP stack. Selecting this option reduces the performance of the firewall (400 - 500 MBit maximum). The security advantage of stream forwarding is not as important today as it was when firewall engines were less powerful. For detailed performance data, contact Barracuda Networks Technical Support.
  Features not available when using the Generic TCP Proxy:
    Application Detection
    High availability (HA) synchronization
    Intrusion Prevention System (IPS)
    Network Address Translation (NAT)
    Plug-ins
    TCP State Detection

Syn Flood Protection (Forward/Reverse)
  Defines the behavior of the firewall with regard to the TCP three-way handshake. You can select the following options:
    Server Default – Uses the default configuration.
    Outbound – Passes the SYN untouched through to the target address.
    Inbound – The firewall completes the handshake and only then performs a handshake with the actual target. This helps to protect the target from SYN flood attacks. Disabling this option may speed up interactive protocols like SSH.
  For more information, see Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies.

Accept Timeout (s)
  Length of time that the firewall waits until the destination has to answer. After this timeout, the firewall sends a TCP RST packet to both partners (default: 10).

Last ACK Timeout (s)
  Length of time in seconds that the firewall waits after an ACK to terminate the connection (default: 10).

Retransmission Timeout (s)
  Length of time in seconds that the firewall waits until the source has to retransmit packets. If nothing happens, the firewall registers the session as a hijacking attempt (default: 300 seconds).

Halfside Close Timeout (s)
  Length of time in seconds that the firewall waits after conscious termination of the connection to close the socket (default: 30).

Disable Nagle Algorithm
  Enables TCP_NODELAY. This option is only available when the Generic TCP Proxy is enabled.

Force MSS (Maximum Segment Size)
  Checks the SYN and SYN-ACK TCP packets for an MSS that is larger than the configured MSS. If the MSS TCP attribute is smaller, the packet is rewritten with the configured MSS.
  Use this feature for VPNs to force a TCP MSS that fits the MTU of the VPN tunnel device. For IPv4, the maximum transmission size must be at least 40 bytes smaller than the MTU.

Raw TCP mode
  Handles sole chunks of TCP traffic without analyzing the entire contiguous TCP stream, to allow routing loops. However, this mode is limited in terms of intrusion prevention, application detection, overall TCP state tracking, and other aspects. Raw TCP mode must be explicitly enabled in a forwarding firewall rule. Raw TCP sessions are not synchronized. You must only use this feature when it is absolutely necessary. It does not replace Traffic Intelligence or the Graphical Tunnel Interface. Raw TCP mode can also decrease the overall performance of the system.
  The following features are not available in Raw TCP mode:
    Application Control 2.0
    Legacy Level 7 Application Detection
    High Availability (HA) Synchronization
    Intrusion Prevention System (IP0S)
    Network Address Translation (NAT)
    Firewall Plugin Modules
    TCP State Detection
    WAN Optimization

Resource Protection

In the Resource Protection section, you can specify the following session limits to conserve your system resources:

Allow to exceed global session limits
  Allow this access rule to override the global session limits defined in the General Firewall Configuration.

Max Number of Sessions
  Maximum number of accepted concurrent connections for this rule on a global basis (default: 0 = unlimited). If the Rule Limit Exceeded setting is enabled in your event monitor settings, the FW Rule Connection Limit Exceeded [4016] event is generated when the Max Number of Sessions limit is exceeded.

Max Number of Sessions per Source
  Maximum number of accepted concurrent connections per source address (default: 0 = unlimited). You must only specify this limit if your system is susceptible to Denial of Service (DoS) attacks.
  If the Source/Rule Limit Exceeded setting is enabled in your event monitor settings, the FW Rule Connection per Source Limit Exceeded [4018] event is generated when the Max. Number of Sessions per Source limit is exceeded.

Session Duration Limit (s)
  Maximum length of time in seconds that the session can stay active. By default, there is no duration limit for the session. This setting only applies to the forwarding firewall; it does not affect the local firewall.

Counting / Eventing / Audit Trail

In the Counting / Eventing / Audit Trail section, define when events are logged or written to the access cache.

Firewall History Entry
  Saves the connection information to the firewall history (default: Yes).

Log File and FW Audit Entry
  Writes log file entries (default: Yes).

Transparent Failover State Sync
  Synchronizes the session on a high availability system (default: Yes).

Statistics Entry
  Generates statistics (default: Yes). If you select No, global firewall statistics are not generated and information is not displayed in the firewall dashboard.

Log Session State Changed
  Logs changes of session states (default: No).

Own Log File
  Saves all log events in an extra log file (default: No).

Service Statistics
  Generates service statistics for this rule (default: No).

Eventing
  The severity level of the rule's event messages. Host firewall rules are not affected by this setting. You can select the following event levels to be generated if a forwarding firewall rule matches:
    None (default) – No events are generated.
    Normal – Generates the FW Rule Notice [4020] event.
    Notice – Generates the FW Rule Warning [4021] event.
    Alert – Generates the FW Rule Alert [4022] event.
  In the event settings, you can specify actions for these event messages. For more information, see How to Configure Event Settings.
  Regardless of this setting, forwarding as well as host firewall rules generate event messages if BLOCK on Mismatch is selected for any of the Rule Mismatch Policy settings.

Application Log Policy
    Default – No detected applications are logged.
    Log Blocked Applications – Only blocked applications are logged.
    Log Allowed Applications – Allowed applications are logged.
    Log All Applications – All detected applications are logged.

Miscellaneous

In the Miscellaneous section, you can edit the following settings:

Authentication
  The required user authentication method for HTTP and HTTPS connections. You can select the following authentication methods:
    No Inline Authentication (default)
    Login+Password Authentication
    X509 Certificate Authentication
    X509 Certificate & Login+Password Authentication
  For more information about authentication, see Firewall Authentication and Guest Access.

IP Counting Policy
  You can select the following policies:
    Default Policy – Uses the interface realm settings that are assigned in the network configuration for the local networks and interface routes. Depending on the specified realm, the source or destination IP counts. The Default Policy is hard-coded and cannot be changed in the Barracuda NG Firewall configuration.
    Count Source IP – Counts source IP addresses towards license limits.
    Count Destination IP – Counts destination IP addresses towards license limits.

Time Restriction
  Applies a time restriction to rules that are configured with a feature level that is equal to or lower than 3.2.

Clear DF Bit
  The DF bit determines whether a packet can be fragmented or not. In networks where packet size is limited to an MTU, packet fragmentation may become vital when packets sent to this network exceed the MTU (for example, as may frequently occur with SAP applications).
Because the firewall must not override the DF bit by default, fragmentation is up to the client. When the DF bit is set and the MTU of the target network requires fragmentation, the firewall responds with an ICMP Destination Unreachable message (Code 4: Fragmentation required but DF bit in the IP header is set). If the client does not handle this answer, data transmission fails and data is lost whenever packet sizes exceed the MTU of the network. Before enabling this setting, consider the following points:
    The fragmentation and packet reassembly process might lead to significant performance loss at high traffic rates.
    The maximum segment size (MSS) is automatically decreased as necessary when traffic is routed through a VPN, because encapsulating packets reduces the available MTU.
    The DF bit is automatically cleared from traffic that is forwarded towards a VPN interface.
    Only enable this setting when experiencing transport problems that are clearly associated with packet size restrictions.
To clear the DF bit from the IP header and fragment packets if necessary, regardless of the setting in the packet's IP header, select Yes. By default, this setting is disabled.
Set TOS Value – The TOS value to set on packets matching the rule. By default, the value is 0 (TOS unchanged).
Prefer Routing over Bridging – Controls the routing behavior of routed transparent Layer 2 bridges. To route traffic over bridges that are configured on the Barracuda NG Firewall, select Yes. Enable this setting when an external router connects the bridges and traffic should not be directed to this router; if the traffic is first routed to the external router, it is rejected because it passes the gateway twice. By default, this setting is disabled. For more information on routed transparent Layer 2 bridges, see How to Configure Routed Layer 2 Bridging.
Color – The color of the rule in the rule set.

Quarantine Policy

In the Quarantine Policy section, you can select one of the following rule matching policies for evaluating sessions to and from a specific quarantine class:
    Match – The rule matches.
    Block – The rule blocks the request.
    Deny – The rule denies the request.
    Continue – Rule evaluation continues with the next rule in the rule set.
A session is only evaluated when it matches the specified policy for the following settings:
    LAN Rule Policy – Matching policy for sessions to and from a non-quarantine net.
    Quarantine Class 1 Rule Policy – Matching policy for sessions to and from a quarantine class 1 net.
    Quarantine Class 2 Rule Policy – Matching policy for sessions to and from a quarantine class 2 net.
    Quarantine Class 3 Rule Policy – Matching policy for sessions to and from a quarantine class 3 net.

Dynamic Interface Handling

    Source Interface – Restricts rule processing to the specified dynamic network interface (if installed and configured).
    Continue on Source Interface Mismatch – Continues with rule processing even if no matching interface can be found; the subsequent rule is then used for rule evaluation.
    Reverse Interface (Bi-directional) – The interface that the destination address is allowed to use. Only applicable for bi-directional rules.
    Interface Checks After Session Creation – Disables interface checks once the session has been created. Only applicable for bi-directional rules.

Example - How to Enable Remote Management Access From the Internet

Barracuda Networks recommends that you only enable management access from the Internet for a limited period of time. Remote management access constitutes a significant security risk, especially if you allow access via SSH.
To minimize the risk, restrict access to very few trusted source addresses or networks, disable access when it is not needed, and use strong passwords or key authentication.

When you place a standalone Barracuda NG Firewall at a remote site, you can enable access to it over the Internet for remote management and configuration. You can also enable remote access for Barracuda Networks Technical Support if direct access to the system is required for troubleshooting.

Create an App Redirect Firewall Rule

To enable remote management access to the Barracuda NG Firewall from the Internet, create an App Redirect rule that forwards the management port to the internal management IP address.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. From the Rule Lists menu in the left pane, select Access Rules.
3. Click Lock.
4. Create an App Redirect rule with the following settings:
    Source – Select Internet. To restrict access to specific IP addresses, enter the IP addresses explicitly or create a network object and reference it. Do not leave the source as the whole Internet for longer than necessary.
    Service – Select NGF-MGMT-STAT (TCP 807, Single Point Of Entry).
    Destination – If the Barracuda NG Firewall connects to the Internet via a dynamic address, select the network object that matches your connection (DHCP Local IP, DSL Local IP or 3G Local IP). If the system uses a static public IP address, enter this address.
    Redirection – In the Local Address field, enter your internal management IP address (MIP) as defined in the network settings.
5. Click Send Changes and Activate.

Next Step

You can now manage your Barracuda NG Firewall over the Internet with the Barracuda NG Admin application. Instead of connecting to the management IP address of the unit, log into the system via its public IP address.
How to Configure a Transparent Redirect

To transparently forward connections to a proxy behind a Barracuda NG Firewall in the DMZ, configure a Dst NAT access rule that does not rewrite the source and destination addresses of the connection. The proxy can then apply all of its policies as if it were directly connected to the client, and it can create meaningful statistics and connection information. The proxy described here may be a Barracuda Web Security Gateway. Transparent Redirect for the Barracuda Web Security Gateway is limited to HTTP.

In this article
    Before You Begin
    Step 1. Create a Transparent Redirect DNAT Access Rule
    Step 2. Create a PASS Access Rule for the Proxy to Access the Internet
    Step 3. Create a PASS Access Rule for the HTTP Proxy to Access the Client
    Step 4. Configure the Proxy

Before You Begin
    Verify that the Forwarding Firewall service is using Feature Level 6.1 or above.
    The Barracuda NG Firewall and the proxy must be directly connected to the same subnet (within the same ARP domain).

Step 1. Create a Transparent Redirect DNAT Access Rule

Create the DNAT access rule that forwards the selected traffic to the proxy.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. Create an access rule to forward the selected traffic coming from your clients to the proxy:
    Action – Select Dst NAT.
    Source – Select Trusted Networks, or enter the network the clients that use the HTTP proxy are in.
    Destination – Select Internet.
    Service – Select the service you want to forward, e.g. HTTP+S.
    Target List – Enter the IP address of the proxy, e.g. 172.16.0.10. You can enter multiple proxies. Do not use network objects containing host names (DNS objects); the firewall does not redirect traffic to a hostname or FQDN.
    Fallback/Cycle – If you have defined multiple target IP addresses, select how the Barracuda NG Firewall distributes the traffic between them:
        Fallback – The connection is redirected to the first available IP address in the list.
        Cycle – New incoming TCP connections are distributed evenly over the available IP addresses in the list on a per source IP address basis; the same redirection target is used for all subsequent connections from that source IP address. UDP connections are redirected to the first IP address and are not cycled.
    Connection Method – Select No SNAT.
    Application Policy – Disable Application Control.
4. In the left menu, click Advanced.
5. In the Miscellaneous section, set Transparent Redirect to Enable.
6. Click OK.
7. Drag and drop the access rule so that it is the first rule that matches the traffic you want to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never evaluated.
8. Click Send Changes and Activate.

Step 2. Create a PASS Access Rule for the Proxy to Access the Internet

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. Create a PASS rule to allow the HTTP proxy to access the Internet:
    Action – Select Pass.
    Source – Enter the IP address of the HTTP proxy.
    Destination – Select Internet.
    Service – Select HTTP+S.
    Connection Method – Select Dynamic SNAT.
    Application Policy – Disable Application Control.
4. In the left menu, click Advanced.
5. In the Dynamic Interface Handling section, set Source Interface to Any.
6. Click OK.
7. Click Send Changes and Activate.

Step 3. Create a PASS Access Rule for the HTTP Proxy to Access the Client

To allow the HTTP proxy to reach the clients, create a PASS rule with the following settings:
    Action – Select Pass.
    Source – Enter the IP address of the HTTP proxy.
    Destination – Select Trusted Networks.
    Service – Select HTTP+S.
    Connection Method – Select No SNAT.
    Application Policy – Disable Application Control.

Step 4. Configure the Proxy

For the proxy to successfully forward the connection to the Internet, configure the device to:
    Route to the Internet using the NG Firewall as the gateway.
    Route to the internal client network using the NG Firewall as the gateway.
    Use its own IP address as the source IP for outgoing connections.
    Accept HTTP connections on port 80 and HTTPS connections on port 443.

Firewall Objects

Firewall objects are named collections that represent specific networks, services, applications, user groups or connections. You can use the firewall objects that are preconfigured on the Barracuda NG Firewall, or create custom firewall objects depending on your requirements. Firewall objects are re-usable: you can use one firewall object in as many rules as required. The following section explains the firewall objects that are available for use and configuration on the Barracuda NG Firewall and contains articles on how to create the different firewall objects for your firewall rules.

Advantages of Firewall Objects

Using firewall objects gives you the following advantages:
    Each firewall object has a unique name that is more easily referenced than, for example, an IP address or a network range.
    Maintenance of the firewall rule set is simplified.
    When you update a firewall object, the change is automatically applied in every rule that refers to this object.

Firewall Object Types

The following types of firewall objects are available for use and configuration:
    Connection Objects – The egress interface and source (NAT) IP address for traffic matching a firewall access rule. For more information, see Connection Objects.
    Proxy ARPs – Let the Barracuda NG Firewall answer ARP requests for IP addresses that are not configured on its own interfaces. For more information, see Proxy ARPs.
    Network Objects – Networks, IP addresses, geolocations, host names, or interfaces for use in firewall rules. For more information, see Network Objects.
    Service Objects – TCP/UDP ports (and other IP protocols) for a service. For more information, see Service Objects.
    User Objects – Lists of users and/or user groups for use within firewall rules. For more information, see User Objects.
    Schedule Objects – Time restriction or scheduling tables that can be applied to access rules on an hourly, weekly, or calendar date basis. For more information, see Schedule Objects.
    Interface Groups – A specific interface or an interface group containing one or more interfaces. For more information, see How to Create Interface Groups.
    Applications – Lists of applications and/or sub-applications for creating application-aware firewall rules. For more information, see Application Objects and Application Control 2.0.
    URL Filter – Access restrictions for web sites. The Barracuda NG Firewall provides a predefined list of URL categories that are available for blacklisting and whitelisting. For more information, see How to Create a URL Filter Policy Object.

Network Objects

Use network objects to reference networks, IPv4 and IPv6 addresses, hostnames, geolocation objects, or interfaces when you create firewall rules. A network object can also include other existing network objects.
Network objects are stored in the host and forwarding firewall. If the Barracuda NG Firewall is managed by a Barracuda NG Control Center, it also inherits all network objects in the Global, Range, and Cluster Firewall Object stores. Firewall rule management is simplified by using network objects instead of explicit IP addresses. For example, if an IP address changes, you do not have to edit it in every rule that references it; you only change the IP address in the network object, and it is then automatically updated for every rule that references the object. A network object cannot contain both IPv4 and IPv6 addresses. For more information, see How to Use IPv6.

Network Object Types

A network object may consist of the following:
    Generic Network Objects – You can add network addresses of all types. All network objects that are available on Barracuda NG Firewall systems by default are configured as generic network objects.
    Single IP Address – A single IP address.
    List of IP Addresses – Multiple single IP addresses and/or references to other single IP address objects. For example: 10.0.10.1, 10.0.10.10, 10.0.10.127
    Single Network Address – A single network. For example: 10.0.10.0/25
    List of Network Addresses – Any combination of multiple networks, IP addresses, and/or references to other network address objects. For example: 10.0.10.0/25, 172.16.0.10
    Hostname (DNS Resolved) – A single DNS resolvable host name. For example: myhost.test.com. If the hostname used in the network object is not resolvable, any firewall rule that uses it will never match traffic. For a detailed description of the configuration options, see Hostname (DNS Resolvable) Network Objects.
    Single IPv6 Address – A single IPv6 address.
    List of IPv6 Addresses – Multiple IPv6 addresses and/or references to other single IPv6 address objects.
    Single IPv6 Network – A single IPv6 network.
    List of IPv6 Networks – Any combination of multiple IPv6 networks, IPv6 addresses, and/or references to other IPv6 network address objects.
    Excluded Entries – Specific networks that are excluded from the network object. For transparency and consistency, other network objects cannot be referenced in the Excluded Entry section.
    Enable L3 Pseudo Bridging – When bridging is activated on an interface, host routes and Proxy ARPs (PARPs) are automatically created by the Barracuda NG Firewall. In this section, you specify the information required for this task. The Bridging section is only available in the Local Networks list of the Forwarding Firewall service. Select Bridging enabled (Advanced Settings) from the list (default: Bridging not Enabled) if you want to configure bridging details. The configuration options in the Bridging section are only applicable to Layer 3 Bridging. For more information, see How to Configure Layer 3 Bridging.
        Interface Address Reside – The name of the interface on which bridging is to be enabled (for example, eth1).
        Parent Network – The superordinate network from which the bridged interface has been separated.
        Introduce Routes – Automatically introduces host routes to the IP addresses that are separated from the superordinate network (the IP addresses listed in the network object).
        Restrict PARP to Parent Network – Restricts the Proxy ARP to answering only ARP requests from within the parent network.

Network objects cannot be deleted while they are referenced by other objects. You can delete network objects that are only referenced in configuration files. Before you delete a network object, verify that it is not used anywhere: the Referenced By column in the Network Objects listing displays where a network object is currently referenced.

Hostname (DNS Resolvable) Network Objects

You can use hostnames in a network object.
This can be necessary where a remote network uses a dynamic IP address and can only be reached by hostname. The Firewall service resolves the hostname and uses the first 24 IP addresses in the network object; the firewall rule set uses these resolved IP addresses when evaluating rules. If the hostname is not resolvable or the DNS server is currently not available, the access rule will never match.

In this article:
    Limitations and Drawbacks
    Creating Hostname Network Objects
    Using Hostname Network Objects
    Monitoring Network Objects of Type Hostname
    Site-Specific Network Objects

Limitations and Drawbacks

There are several limitations and drawbacks to using hostnames in network objects:
    Only explicit host names can be used. For example: www.barracuda.com
    A maximum of 24 IP addresses can be resolved.
    Using a hostname network object in a BLOCK access rule is not recommended. When a non-resolvable object is used in a rule, the rule cannot be matched or processed correctly, so a BLOCK rule built on it silently stops blocking. Hostname objects become non-resolvable when they refer to a non-existent host name or when the DNS server is unavailable.
    Active sessions are not re-evaluated when DNS resolution changes; sessions are re-evaluated only when the rule itself is modified. To establish new connections with updated DNS entries, you must manually terminate persistent sessions.
    When the firewall is started or restarted, it can take up to 10 seconds until DNS resolution is provided for all configured hostname network objects. Because the firewall is already active, traffic that you want to be handled by the rule with the hostname object can be matched by another rule instead.
    To use hostname network objects, you must specify a DNS server in the DNS Server IP field in the Box Settings file (see How to Configure DNS Settings).
Using DNS resolvable host names in firewall rule sets can cause problems for the following reasons:
    IP addresses that are allocated to DNS host names might change.
    A DNS record might contain multiple IP addresses.

Creating Hostname Network Objects

You can create hostname objects:
    In the Local Firewall rule set.
    In the Forwarding Firewall rule set.
    As global, range-specific, or cluster-specific firewall objects.
Hostname objects cannot be created inline as explicit source or destination entries of an access rule; create the named network object first and reference it from the rule. To create a hostname network object, select Hostname (DNS resolved) from the Type list in the Network Object window. You can configure the following parameters:
    Type – The type defines the object characteristics. Network objects of type Hostname expect an explicit DNS resolvable host name in the Name field. Once the object has been created, its type cannot be changed.
    Name – The DNS resolvable name the object is created for. This name is also the name of the network object; the object name can be changed later.
    Description – A meaningful description of the object.
    Resolve – This button is purely informational. Click it to execute a DNS query for the host name entered in the Name field; the result of the query is displayed in the IP field in the Entry section. Note that the query is executed using the DNS server(s) known to the client running the graphical administration tool Barracuda NG Admin, and NOT the DNS server(s) known to the Barracuda NG Firewall running the firewall service. The addresses shown here can therefore differ from the ones the firewall actually uses.
    DNS Lifetime (Sec) – The interval after which DNS entries are refreshed for network objects of type Hostname that are used in currently effective access rules (default: 600 s). Setting a value lower than 30 seconds might cause problems in network object lists containing a huge number of hostname objects. DNS entries may also be refreshed manually in FIREWALL > Dynamic > Dynamic Rules. The DNS Lifetime has no effect on actively established connections, even if the DNS resolution of a network object that is currently used in an access rule changes; to force a refresh, terminate the active session so that a new connection is established using the updated DNS entry.

The Include and Exclude Entries sections restrict the network object: they force a condition to match explicitly, or exclude an address from being part of the object. For example, if the DNS host name www.domain.com matches four DNS A records pointing to the IP addresses 10.0.6.1, 10.0.8.1, 10.0.8.2 and 10.0.8.3, and connection requests must always go to addresses in the 10.0.8.0/24 network but never to 10.0.8.3, configure the following values: in the Included Entry section, IP 10.0.8.0/24; in the Excluded Entry section, IP 10.0.8.3. When this object is used in an access rule, connection requests may be addressed to IP addresses in the network 10.0.8.0/24 (here 10.0.8.1 and 10.0.8.2), but not to the excluded IP address 10.0.8.3 and not to 10.0.6.1, which lies outside the included network.

Using Hostname Network Objects

You can use hostname objects as:
    Source/Destination in rules within the Forwarding Firewall.
    Source/Destination in rules within the Local Firewall.
    Reference in the Entry list of generic network objects.
You cannot reference hostname objects in other network object types.

Monitoring Network Objects of Type Hostname

DNS queries addressed to the DNS server configured in the box settings are triggered when a hostname network object is created.
You can view these queries in the following places:
    In the Entries column in the network object list.
    In the Rule Object list when the hostname object configured in the rule is used.
    In the Source/Destination window when querying the rule object list while the hostname object is in use.
    In the Rule Tester.
    In the Dynamic Rules tab of the Firewall Monitoring Interface.
In all views except the Dynamic Rules tab, DNS resolution is retrieved using the DNS server(s) known to the client running the graphical administration tool Barracuda NG Admin, and NOT the DNS server(s) known to the Barracuda NG Firewall running the firewall service. Only the Dynamic Rules tab therefore shows the addresses the firewall actually matches against.

Site-Specific Network Objects

Site-specific network objects can be used to share a single firewall rule set among branch offices with a template-based network layout. This type of object inherits its content from the IP address or IP network defined in the Virtual Server's Server Properties of a branch office.

How to Create Network Objects

Create a network object containing an IP address, a reference to another network object, and a network. Do not change the dynamic network objects that are automatically generated by the Barracuda NG Firewall.

Create a Network Object

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left navigation, click Networks.
3. Click Lock.
4. Right-click the table and select New. The Edit/Create Network Object window opens.
5. Enter a Name for the network object. E.g., ExampleNetworkObject
6. In the Include Entries section, click +, enter the IP address(es) that should be included in the IP field, and then click Insert and Close.
7. In the Exclude Entry section, add the IP addresses that should be excluded from the object.
8. Click OK.
9. Click Send Changes and Activate.
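The following script is an added example and not Barracuda code. It models two things from the text above: the Include/Exclude evaluation of a Hostname (DNS resolved) object (the www.domain.com example with 10.0.8.0/24 included and 10.0.8.3 excluded), including the 24-address cap and the "never matches when unresolvable" behaviour, and the matching of a generic network object with Include and Exclude entries as created in the procedure just described. DNS answers come from a constructed table so it runs offline; the real firewall resolves through the DNS server configured in the box settings.

```python
"""Added example, not Barracuda code: how Include/Exclude entries and the
24-address limit of a Hostname (DNS resolved) object decide whether an
address matches. DNS answers are a constructed table, not real lookups."""
import ipaddress
from typing import Iterable, List

MAX_RESOLVED = 24   # documented: only the first 24 resolved addresses are used

# Constructed DNS answers (hostname -> A records in answer order); not real hosts.
FAKE_DNS = {
    "www.domain.com": ["10.0.6.1", "10.0.8.1", "10.0.8.2", "10.0.8.3"],
    "nosuchhost.example": [],                                  # NXDOMAIN or DNS server down
    "many.example": [f"192.0.2.{i}" for i in range(1, 40)],   # 39 A records, more than the cap
}


def _nets(entries: Iterable[str]) -> list:
    """Accept '10.0.8.0/24' as well as bare hosts like '10.0.8.3' (treated as /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


class GenericNetworkObject:
    """Generic object as built in 'How to Create Network Objects': Include
    entries define the content, Exclude entries carve addresses out of it."""

    def __init__(self, name: str, include: Iterable[str], exclude: Iterable[str] = ()):
        self.name = name
        self.include = _nets(include)
        self.exclude = _nets(exclude)

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return _in_any(addr, self.include) and not _in_any(addr, self.exclude)


class HostnameNetworkObject:
    """Hostname (DNS resolved) object: the resolved addresses, capped at
    MAX_RESOLVED, narrowed by Included entries and pruned by Excluded entries."""

    def __init__(self, hostname: str, include: Iterable[str] = (),
                 exclude: Iterable[str] = (), dns=FAKE_DNS):
        self.hostname = hostname
        self.include = _nets(include)
        self.exclude = _nets(exclude)
        self.dns = dns

    def resolve(self) -> list:
        """First MAX_RESOLVED answers; an empty list means 'not resolvable'."""
        answers = self.dns.get(self.hostname, [])
        return [ipaddress.ip_address(a) for a in answers[:MAX_RESOLVED]]

    def effective(self) -> List[str]:
        """Addresses the rule set would actually match against."""
        kept = []
        for addr in self.resolve():
            if self.include and not _in_any(addr, self.include):
                continue                    # outside the Included entries
            if _in_any(addr, self.exclude):
                continue                    # Excluded entries always win
            kept.append(str(addr))
        return kept

    def matches(self, ip: str) -> bool:
        # An unresolvable object (or one emptied by include/exclude) never matches,
        # which is why a BLOCK rule built on it silently stops blocking.
        return str(ipaddress.ip_address(ip)) in self.effective()


if __name__ == "__main__":
    www = HostnameNetworkObject("www.domain.com", include=["10.0.8.0/24"], exclude=["10.0.8.3"])
    print(www.hostname, "->", www.effective())
    print("10.0.8.1 matches:", www.matches("10.0.8.1"), "| 10.0.8.3 matches:", www.matches("10.0.8.3"))
    print("unresolvable object matches anything:", HostnameNetworkObject("nosuchhost.example").matches("10.0.0.1"))
    print("addresses kept from 39 A records:", len(HostnameNetworkObject("many.example").resolve()))
    example = GenericNetworkObject("ExampleNetworkObject", ["10.0.10.0/25", "172.16.0.10"], exclude=["10.0.10.5"])
    print("10.0.10.5 in ExampleNetworkObject:", example.matches("10.0.10.5"))
```

The two details worth noticing are that an excluded entry wins even when the address also sits inside an included entry, and that `matches` returns False for an object that resolved to nothing, which reproduces the reason the text gives for not using hostname objects in BLOCK rules.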
You can now use the network object in your firewall rules. When creating or editing a firewall rule, click Object Viewer in the left navigation to see a list of all available network objects.

How to Create a Geo Location based Network Object

The geolocation database included with the Barracuda NG Firewall maps an IP address or network to the country it was issued to. This enables you to create firewall rules based on the physical location of the source or destination. Lists of countries or regions are combined in a reusable network object. The geolocation database is updated with every firmware release, so the accuracy of such rules depends on the installed firmware.

Create a Network Object

Create a network object and include all countries you want to use for your firewall rule.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left pane, click Networks.
3. Right-click in the main area and select New. The Edit/Create Network Object window opens.
4. Enter a Name.
5. To include or exclude a region or country:
    a. Click the globe icon in either the Include or the Exclude Entries section.
    b. In the Select Region/Country window, select the region or country.
    c. Click OK.
6. Click Send Changes and Activate.
You can now select the geolocation network object you just created from the Source and Destination drop-down lists when creating firewall rules. Alternatively, you can find the network object in the Object Viewer in the Networks > Network Objects section.
Custom External Network Objects

If you have a file containing a list of IP addresses or networks, you can import them automatically or manually into the custom external network objects. On Barracuda NextGen F-Series Firewalls running in the public cloud, these objects are automatically filled with information gathered from the cloud provider.

File Format
    IP addresses must be written in CIDR notation.
    IP addresses must be separated by one whitespace character.
    A file is limited to 10,000 IP addresses.

In this article
    Before You Begin
    Importing External IP File on a Stand-alone F-Series Firewall
        Step 1. Copy the File to the F-Series Firewall
        Step 2. Import the File into a Custom External Object
        Step 3. (Optional) Create a Cron Job for Import
    On an F-Series Firewall in the Public Cloud
    On a Barracuda NextGen Control Center

Before You Begin

An admin account with full shell access is required.

Importing External IP File on a Stand-alone F-Series Firewall

Step 1. Copy the File to the F-Series Firewall

1. Copy the file containing the IP addresses to /var/phion/home/. Use a temporary file name so that only data from completely copied files is imported into the network objects. E.g., addresses.dirty
2. Rename the file after the copy process has finished:
   # mv -f /var/phion/home/addresses.dirty /var/phion/home/addresses

Step 2. Import the File into a Custom External Object

On the command line, enter /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home/addresses -o <External Firewall Object Number>. E.g., /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home/addresses -o 1 imports into Custom External Object 1. Check the CustomExternalImport firewall log file to verify that the import was successful. You can also open the FIREWALL > Forwarding Rules page and click Networks.
The IP addresses and networks in the custom external network objects are not displayed on the CONFIGURATION > Full Configuration > Virtual Servers > your virtual server > Firewall > Firewall Rules page. To see the content of the dynamic network objects, go to FIREWALL > Forwarding Rules directly on the firewall.

Step 3. (Optional) Create a Cron Job for Import

Create a cron job to automatically trigger a periodic import process.
1. Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > System Scheduler.
2. Click Lock.
3. In the left menu, click Daily Schedule.
4. Click + to add an Interhour Schedule job.
5. Enter the Name, and click OK.
6. Enter /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home/addresses -o <External Firewall Object Number> in the Command section.
7. For High Availability setups, add -h so that the imported addresses are synchronized to the HA partner. E.g., /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home/addresses -o 1 -h imports the IP addresses into the custom network object with index number 1 (CustomExternalObject1).
8. Select every from the Minutely Schedule drop-down list and enter the period for the Run Every...Minutes parameter.
9. Click OK.
10. Click Send Changes and Activate.

On an F-Series Firewall in the Public Cloud

If your F-Series Firewall is running in the public cloud (AWS or Azure), the custom external network objects are automatically filled as follows:
    Custom external object number 1 contains the internal IP address.
    Custom external object number 2 contains the internal network address.
    Custom external object number 3 contains the external IP address.
If you are using multiple virtual network interfaces in AWS, only information for the first interface is imported. The IP addresses are also automatically synced to the Control Center.
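As an added example (not Barracuda code), the script below prepares an address file for the Step 1 to Step 3 procedure above. It enforces the documented file format (entries in CIDR notation, separated by one whitespace, at most 10,000 per file), rejects rather than silently corrects malformed entries, writes to the addresses.dirty temporary name and only then renames it into place, so a cron-driven CustomExternalAddrImport never reads a half-written file; it also builds the exact import command line, with -h only when asked for. The paths and the command line are taken from the guide; the feed text is constructed. It validates and writes the file but does not run the import binary itself.

```python
"""Added example, not Barracuda code: validate an address feed for
/opt/phion/bin/CustomExternalAddrImport and publish it atomically."""
import ipaddress
import os
import tempfile
from typing import List, Tuple

MAX_ENTRIES = 10_000                        # documented per-file limit
IMPORT_BIN = "/opt/phion/bin/CustomExternalAddrImport"
TARGET = "/var/phion/home/addresses"        # path used in the guide


def parse_feed(raw: str) -> Tuple[List[str], List[str]]:
    """Return (entries, errors). A feed with any error must not be imported.

    Tokens without a prefix length, with host bits set, or that are not
    addresses at all are reported instead of being 'fixed', so a bad feed
    cannot silently widen or shift the resulting network object."""
    entries: List[str] = []
    errors: List[str] = []
    for token in raw.split():               # "separated by one whitespace"
        if "/" not in token:
            errors.append(f"{token}: not in CIDR notation")
            continue
        try:
            entries.append(str(ipaddress.ip_network(token, strict=True)))
        except ValueError as exc:
            errors.append(f"{token}: {exc}")
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    return entries, errors


def write_atomically(entries: List[str], target: str = TARGET) -> str:
    """Write <target>.dirty, fsync, then rename over <target>.

    Readers (the import binary started by cron) see either the old or the
    complete new file, never a partial one; this is the `mv -f` of Step 1."""
    tmp = target + ".dirty"
    with open(tmp, "w") as fh:
        fh.write(" ".join(entries) + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, target)                 # atomic rename on POSIX
    return target


def import_command(object_number: int, path: str = TARGET, ha_sync: bool = False) -> List[str]:
    """argv for Step 2 or the cron job. Pass ha_sync=True only on an HA pair;
    the guide says not to use -h on Control Center managed firewalls."""
    if object_number < 1:
        raise ValueError("object number must be a positive integer")
    argv = [IMPORT_BIN, "-i", path, "-o", str(object_number)]
    if ha_sync:
        argv.append("-h")
    return argv


if __name__ == "__main__":
    # Constructed feed: two valid prefixes, one bare host, one with host bits set.
    feed = "203.0.113.0/24 198.51.100.0/25\n192.0.2.7 203.0.113.1/24"
    entries, errors = parse_feed(feed)
    for err in errors:
        print("rejected:", err)
    if errors:
        print("feed not published; fix the entries above")
    else:
        print("wrote", write_atomically(entries, os.path.join(tempfile.mkdtemp(), "addresses")))
    good, _ = parse_feed("203.0.113.0/24 198.51.100.0/25")
    out = write_atomically(good, os.path.join(tempfile.mkdtemp(), "addresses"))
    print("published", out, "with", len(good), "entries")
    print(" ".join(import_command(1, ha_sync=True)))
```

On the firewall you would point `TARGET` at /var/phion/home/addresses and run the script from the same cron job that precedes the import, or from the Control Center before the file is pushed through the management tunnel.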
On a Barracuda NextGen Control Center

On the Control Center, configure a cron job that regularly copies the addresses file to the /var/phion/home/ directory of your managed firewalls. Copying the files through the management tunnels does not require separate authentication, because the Control Center already has a trust relationship established with the remote firewalls. On the managed firewalls, create another cron job that imports the addresses file every 5 minutes. Do not use the -h (HA synchronization) flag on Control Center managed firewalls. The predefined external objects can be copied into the global objects database and then be used throughout the firewall configuration.

Service Objects

Service objects, when applied to a firewall access rule, define which destination and client TCP/UDP ports and/or IP protocols the service applied to the rule can use. By default, the Barracuda NG Firewall contains a set of pre-configured service objects. You can edit these service objects for a custom setup or for a non-standard port, or you can create new service objects to reference IP protocols and, if TCP/UDP is used, the destination port numbers. A service object can consist of the following:
    IP Protocol – The required protocol (e.g. TCP) for the service used by an access rule.
    Ports and Port Ranges – The ports or port ranges that the service can use for the protocol.
    Dynamic Services – Dynamic services.
    Plugin Modules – Plugins for shared service objects (see Shared Service Objects).
    Port Protocol Protection – Policies for handling prohibited services.

Shared Service Objects

Shared service objects refer to services using dynamic port allocation. The Firewall service uses firewall plugin modules to dynamically open and close the required ports.
For more information, see Firewall Plugin Modules.

Create a New Service Object

For instructions on how to create a new service object, see How to Create Service Objects.

How to Create Service Objects

Create service objects to reference IP protocols and, if TCP/UDP is used, the destination port numbers when configuring firewall access rules. The Barracuda NG Firewall provides a range of predefined service objects. When creating a new service object, you can also include (reference) other service objects that are already configured.

In this article:
Create a Service Object
Apply a Service Object to a Firewall Rule
Service Object Settings

Create a Service Object

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, click Services.
3. Click Lock.
4. Right-click the table and select New. The Edit/Create Service Object window opens.
5. Enter a Name for the service object. E.g., POP3 Service.
6. If you want to include an already configured service object, select it from the Any drop-down list and click New Reference.
7. Click New Object. The Service Entry Parameters window opens.
8. From the IP Protocol list, select the required protocol. E.g., 006 TCP. For TCP- and UDP-based protocols, you can enter a space-delimited list of ports in the Port Range field. To use all ports for the protocol, enter an asterisk (*). You can also define a port range, such as 3001-3008, or enter a combination of port ranges and a space-delimited list of ports. For example: 25 80 8080 3001-3008
9. In the Port Protocol Protection section, select an action from the Action for prohibited Protocols list.
10. Click OK.
11. Click Send Changes and Activate.

You can now apply the service object to your firewall access rules.

Apply a Service Object to a Firewall Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left navigation, click Access Rules.
3. Click Lock.
4. Double-click the number of the rule you want to apply the service object to, or right-click it and select Edit Rule. (You can also create a new rule.)
5. In the Edit Rule window, select the Object Viewer check box.
6. In the Object Viewer window that appears, open the Services tab, and drag the service object to the Service table in the Edit Rule window.
7. Finish your rule configuration.

Service Object Settings

TCP & UDP
Port Range – Port or port range the service is running on.
Dyn. Service – This parameter is required in conjunction with ONCRPC.
Service Label – Here you may enter certain labels. If left empty, well-known service names (available in /etc/services) are used. It is highly recommended that you use this parameter only for defining service names that are not well known (for example, Oracle521).
Client Port Used – The port range the firewall uses for the connection. This port range is only used if dynamic port allocation is required, e.g., as in the 'proxy dynamic' connection type. If you want to enter a custom port range, select Manual Entry and enter the first port in the From field and the last port in the To field. This parameter is not evaluated when the firewall service checks whether the rule matches.

ICMP Echo
Max Ping Size – The maximum size allowed for the ping packet.
Min Delay – The minimum allowed delay between pings. The 'FW Flood Ping Protection Activated [4002]' event is generated if this limit is not met.

General
Session Timeout – Time in seconds that a session can remain idle until it is terminated by the firewall (default values: TCP: 86400; UDP: 60; ICMP: 20; all other protocols: 120). This timeout is applied to all TCP connections by counting the time that has passed in a session since the last traffic transmission. Similarly, it applies an initial timeout to all stateless protocols, counting the time until the initial datagram sent by the source has been answered. When the datagram is answered, the Balanced Timeout setting comes into effect. This parameter can only be used in the forwarding firewall. Setting this parameter in the host firewall has no effect.
Balanced Timeout – The time in seconds that a session-like connection established through a non-connection-oriented protocol (all protocols except TCP) can remain idle until it is terminated by the firewall (default values: UDP: 30; ICMP: 10; all other protocols: 120). The balanced timeout comes into effect after the initial datagram sent by the source has been answered and the "session" has been established. Generally, the balanced timeout should be shorter than the session timeout, because it is otherwise overridden by the session timeout and never comes into effect. The balanced timeout allows for keeping non-connection-oriented "sessions" short and minimizing the number of concurrent sessions. The larger initial session timeout guarantees that late replies to initial datagrams are not inevitably dropped. This parameter is only evaluated in the forwarding firewall. Setting this parameter in the local firewall has no effect.
Plugin – The name and parameters of any plugins that might be required for this object. For more information, see Firewall Plugin Modules.

Port Protocol Protection
Action for prohibited Protocols – From this list, select the action that should be taken if prohibited protocols are detected. For more information, see How to Define Port Protocol Protection.
Detection Policy – From this list, select the policy to be applied. For more information, see How to Define Port Protocol Protection.
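The Port Range syntax from step 8 and the Session Timeout / Balanced Timeout behaviour from the settings above, modelled in an added Python example. This is illustrative code written for this page, not Barracuda's implementation: the protocol numbers, the default timeouts and the handling of * follow the guide's text, and the min() guard in current_timeout() is the guide's rule that a balanced timeout longer than the session timeout is overridden and never takes effect. The sample service entries and timestamps are constructed.

```python
"""Service object semantics as an added model (not Barracuda code).

Parses the Port Range syntax (space-delimited ports, hyphen ranges, '*' for
all ports), matches packets against a service entry, and tracks the
Session Timeout / Balanced Timeout behaviour for stateless protocols.
Default timeouts are the ones the guide lists.
"""
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP, PROTO_ICMP = 6, 17, 1
DEFAULT_SESSION_TIMEOUT = {PROTO_TCP: 86400, PROTO_UDP: 60, PROTO_ICMP: 20}
DEFAULT_BALANCED_TIMEOUT = {PROTO_UDP: 30, PROTO_ICMP: 10}
OTHER_SESSION_TIMEOUT = 120      # "all other protocols"
OTHER_BALANCED_TIMEOUT = 120


def parse_port_range(spec):
    """Turn '25 80 8080 3001-3008' into a sorted list of (low, high) tuples.
    '*' means every port; invalid numbers or reversed ranges raise ValueError."""
    spec = spec.strip()
    if spec == "*":
        return [(1, 65535)]
    ranges = []
    for token in spec.split():
        low, _, high = token.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port token {token!r}")
        ranges.append((lo, hi))
    return sorted(ranges)


@dataclass
class ServiceEntry:
    ip_protocol: int
    port_range: str = "*"
    session_timeout: int = None
    balanced_timeout: int = None

    def __post_init__(self):
        self.ranges = parse_port_range(self.port_range)
        if self.session_timeout is None:
            self.session_timeout = DEFAULT_SESSION_TIMEOUT.get(self.ip_protocol, OTHER_SESSION_TIMEOUT)
        if self.balanced_timeout is None:
            self.balanced_timeout = DEFAULT_BALANCED_TIMEOUT.get(self.ip_protocol, OTHER_BALANCED_TIMEOUT)

    def matches(self, ip_protocol, dst_port=None):
        """Destination-port match; protocols without ports ignore dst_port."""
        if ip_protocol != self.ip_protocol:
            return False
        if ip_protocol not in (PROTO_TCP, PROTO_UDP):
            return True
        return any(lo <= dst_port <= hi for lo, hi in self.ranges)


@dataclass
class Session:
    """Idle-timeout bookkeeping for one forwarded session (times in seconds)."""
    entry: ServiceEntry
    last_traffic: float
    answered: bool = False

    def current_timeout(self):
        # TCP always uses the session timeout; stateless protocols switch to the
        # balanced timeout once the initial datagram has been answered.
        if self.entry.ip_protocol == PROTO_TCP or not self.answered:
            return self.entry.session_timeout
        # A balanced timeout longer than the session timeout never takes effect.
        return min(self.entry.balanced_timeout, self.entry.session_timeout)

    def on_traffic(self, now, from_destination=False):
        self.last_traffic = now
        if from_destination:
            self.answered = True      # the "session" is now established

    def expired(self, now):
        return now - self.last_traffic > self.current_timeout()


if __name__ == "__main__":
    web = ServiceEntry(PROTO_TCP, "25 80 8080 3001-3008")       # constructed entry
    print(web.ranges, web.matches(PROTO_TCP, 3005), web.matches(PROTO_TCP, 3009))
    dns = Session(ServiceEntry(PROTO_UDP, "53"), last_traffic=0.0)
    print(dns.current_timeout())                                # 60 until answered
    dns.on_traffic(10.0, from_destination=True)
    print(dns.current_timeout())                                # 30 afterwards
```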
Schedule Objects

To restrict host, access, and application rules to specific times and intervals, configure schedule objects as an additional matching criterion. Schedule objects provide time granularity in minutes. When schedule objects are evaluated, the time of the NG Firewall they are running on is used. The Barracuda NG Firewall, the client running NG Admin, and, if applicable, the NG Control Center must use the correct time for their respective time zones. Using NTP is highly recommended. For more information, see How to Configure Time Server (NTP) Settings.

A schedule object consists of two time configuration elements that can be combined or used separately:

Recurring Schedule – Configure the schedule to be active during specific days and intervals by selecting weekdays and times from a list.
Restrict to time interval – Configure the schedule to be active during a specific interval by specifying a date and time span.

For information on how to create schedule objects, see How to Create and Apply Schedule Objects.

In this article:
Recurring Schedules
Time Interval
Schedule Object Options
Legacy Time Restriction Settings for Access Rules

Recurring Schedules

You can restrict the schedule to a specific day and time interval, e.g., every week from Monday at 09:00 until Wednesday at 15:30, by selecting the Enable Recurring Schedule checkbox. Selecting this option expands the configuration and provides the Recurring Schedule table, where you specify the days and times for the schedule to be active. A time schedule entry can cover up to one week, starting on Mon-00:00 and ending on Mon-00:00 of the next week. To enable the schedule for an interval crossing the Mon-00:00 threshold, split the entry. E.g., Fri-15:00 to Mon-00:00 and Mon-00:00 to Tue-10:30.
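The recurring-schedule rules just described (minute granularity, entries running from Mon-00:00 to Mon-00:00 of the next week, and the split required for an interval that crosses that boundary), as an added Python example written for this page rather than taken from the guide. Evaluation uses the firewall's own clock, so the caller passes a naive datetime in the firewall's time zone; the weekend window and the dates in the demo are constructed.

```python
"""Recurring-schedule evaluation as an added example (not Barracuda code).

Models the rule stated above: an entry runs from Mon-00:00 to Mon-00:00 of the
next week on a minute grid, and an interval that crosses that boundary must be
split into two entries. Evaluation uses the firewall's local time, so the
caller passes a naive datetime in the firewall's zone.
"""
from datetime import datetime

WEEK_MINUTES = 7 * 24 * 60   # Mon-00:00 ... Mon-00:00 of the next week
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def week_minute(day, hhmm):
    """'Fri', '15:00' -> minute offset from Mon-00:00."""
    hours, minutes = (int(p) for p in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"bad time {hhmm!r}")
    return DAYS.index(day) * 1440 + hours * 60 + minutes


def recurring_entry(start_day, start_time, end_day, end_time):
    """Build one table entry as (start, end) in week minutes, end exclusive.
    'Mon-00:00' as the end means the end of the week. Raises if the entry
    would cross Mon-00:00; use split_interval() for those."""
    start = week_minute(start_day, start_time)
    end = week_minute(end_day, end_time)
    if end == 0:
        end = WEEK_MINUTES
    if end <= start:
        raise ValueError("entry crosses Mon-00:00 or is empty; split it")
    return (start, end)


def split_interval(start_day, start_time, end_day, end_time):
    """Return the one or two entries needed for an interval, splitting at
    Mon-00:00 as the guide requires (Fri-15:00..Tue-10:30 -> two entries)."""
    start = week_minute(start_day, start_time)
    end = week_minute(end_day, end_time)
    if end == 0:
        end = WEEK_MINUTES
    if end > start:
        return [(start, end)]
    return [(start, WEEK_MINUTES), (0, end)]


def schedule_matches(entries, when):
    """True when the local datetime falls inside any recurring entry.
    Seconds are ignored, matching the guide's minute granularity."""
    minute = when.weekday() * 1440 + when.hour * 60 + when.minute
    return any(start <= minute < end for start, end in entries)


# Constructed example: active from Fri 15:00 through Tue 10:30 every week.
WEEKEND_WINDOW = split_interval("Fri", "15:00", "Tue", "10:30")

if __name__ == "__main__":
    print(WEEKEND_WINDOW)
    print(schedule_matches(WEEKEND_WINDOW, datetime(2015, 6, 6, 12, 0)))  # a Saturday
```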
Time Interval

Selecting the Restrict to time interval checkbox lets you restrict the schedule to a date and time span by specifying the dates and times in the fields provided in the section.

Schedule Object Options

Terminate existing sessions – By default, sessions that match the rule using the schedule object stay active until they are closed or time out. Selecting the Terminate existing sessions checkbox immediately terminates active sessions as soon as the time restriction configured in the schedule applies. Sessions are not terminated between two time intervals that directly follow each other (e.g., Tue 8:00 - Tue 9:00 and Tue 9:00 - Tue 10:00).
Block if schedule does not match – When you enable this option, the connection is blocked when the time schedule does not match, since no further access rule will be evaluated.

Legacy Time Restriction Settings for Access Rules

Existing Time Restrictions (Edit Rule > Advanced > Miscellaneous > Time Restriction) for an access rule override the schedule objects of an access rule. Barracuda Networks recommends configuring schedule objects instead of time restrictions in an access rule.

Barracuda NG Firewall firmware 6.1 or later no longer supports legacy time restrictions. Use schedule objects instead.

How to Create and Apply Schedule Objects

Create schedule objects to configure rules with a time restriction. When applied to a host rule, application rule, or access rule, the schedule specifies the days and times on which an action handled by the rule is allowed or denied. You can also select specific dates that the schedule is valid for. Schedule objects use the time of the NG Firewall they are running on.
In this article:
Before You Begin
Create a Schedule Object
Apply a Schedule Object to a Forwarding Rule

Before You Begin

Verify that the feature level of the Firewall service is set to 6.1 or later.

1. Go to Configuration > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, expand the Settings section and click Setup.
4. Select Release 6.1 from the Feature Level drop-down list.
5. Click OK.
6. Click Send Changes and Activate.

Create a Schedule Object

1. Go to Configuration > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, click Schedules. You can also create a schedule in the Object Viewer while editing an access rule.
4. Click the plus sign to create a new schedule object, or right-click the table and select New Schedule Object. The Schedule window opens.
5. In the Object Name field, enter a name for the schedule.
6. Configure the active time interval for the schedule object:
   a. To create a schedule for a recurring interval, e.g., every Monday - Tuesday 14:00 - 15:00 and Thursday - Friday 09:00 - 15:00:
      i. Select the Enable Recurring Schedule checkbox.
      ii. Click the plus sign to add a time interval.
      iii. Select the weekdays and hours from the drop-down fields provided in the section. Recurring time intervals must lie between Monday 0:00 and Monday 0:00 of the next week. Create multiple entries if the time interval crosses the Mon-00:00 threshold. For more information, see Configuring Daytime Intervals in Schedule Objects.
   b. To create a schedule for a specific date and time span:
      i. Select the Restrict to time interval checkbox.
      ii. Enter or select the dates and times in the fields provided in the section.
7. Select Terminate existing sessions if you want active sessions to be terminated as soon as the time restriction begins.
8. By default, the rest of the access rules in the rule set are evaluated when the schedule object of the access rule does not match. Select Block if schedule does not match to immediately block the connection when the schedule object does not match. No further rules will be evaluated.
9. Click Save.

The schedule object is now listed in the Schedules window and can be applied to host rules, access rules, or application rules.

Apply a Schedule Object to a Forwarding Rule

1. Go to Configuration > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Forwarding Rules.
2. Click Lock.
3. Edit the rule that you want to apply the schedule to.
4. Select the time object from the Schedules drop-down list.
5. Click OK.
6. Click Send Changes and Activate.

User Objects

User objects restrict firewall rules to specific users and user groups. You can apply user objects to forwarding firewall rules and specify user conditions such as login names, groups, and policy role patterns. You also have the option to include VPN groups in the object configuration. User objects are populated by querying the external authentication servers or the local authentication service on the Barracuda NG Firewall. For VPN, user objects can also query X.509 certificate patterns.

User Conditions

When you create a new user object, configure the following settings in the User Condition configuration window to define the users that the user object applies to:

Authentication Pattern – The group assignments of the users, according to the affected external authentication scheme (MSAD, LDAP, or RADIUS).
Policy Roles Patterns – The policy role patterns for VPN users when using the Barracuda Network Access Client.
   You can select: healthy, unhealthy, untrusted, probation.
X509 Certificate Pattern – The certificate conditions for VPN users and groups:
   Subject/Issuer – The subject/issuer of the affected X.509 certificate. If multiple subject parts (key value pairs) are required, separate them with a forward slash (/). For example, if OU=test1 and OU=test2 are required, select OU and enter test1/test2.
   Policy/AltName – The ISO number and the SubjectAltName according to the certificate.
VPN User Pattern – The VPN login and the VPN group policy (entered in the VPN Group field) that the object has to apply to.
Authentication Method – In this section, you can specify the following settings:
   Origin – Defines the type of originator. The following originators are available when configured: VPNP (PersonalVPN), VPNG (GroupVPN), VPNT (Tunnel), HTTP (Browser login), Proxy (Login via proxy).
   Server/Service/Box – Allows enforcing authentication on a certain server/service/box.

Create a User Object

How to Create and Apply Custom User Objects
How to Create and Apply User Objects for VPN Users

How to Create and Apply Custom User Objects

Create custom user objects to reference users and groups for use within the Barracuda NG Firewall forwarding rule set. In a user object, you can enter conditions such as authentication patterns and policy roles, depending on your requirements, to define the users that you want to include in the user object. You can also reference other user objects that have already been configured.

In this article:
Create a User Object
Apply a User Object to an Access Rule

Create a User Object

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. From the left menu, select Users and Groups.
4. Right-click the table and select New.
5. In the Edit/Create User Object window, enter a Name for the user object. For example: Trusted LAN Users
6. Click New to add a user condition. The User Condition window opens.
7. Enter the Login Name. Question marks (?) and asterisks (*) are allowed. If you enter a question mark and asterisk (?*), you must also enter at least one character.
8. From the Group Patterns list, select the required group condition. You have the following options:
   One Pattern must match (OR) – Users must match one of the patterns listed in the Group Patterns section.
   All Patterns must match (AND) – Users must match all the patterns listed in the Group Patterns section.
9. Click Add to select your users. The Edit Group Pattern window opens. This option lets you perform an AD Lookup. Select Use current AD Connection to check entries from your configured AD domain controller, or enter your search criteria in the provided fields.
10. Select the users and/or groups the user object applies to, and click OK.
11. After you specify the conditions for all of the users that you want to include in this object, click OK to create the user object.
12. Click Send Changes and Activate.

If you are using Offline Authentication, ensure that user-specific rules are sequenced after the fwauth rule (see How to Configure Offline Firewall Authentication).

Apply a User Object to an Access Rule

To apply a configured user object to an access rule:

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Edit the access rule that you want to apply the user object to.
4. From the Authenticated User list, select the user object.
5. Click OK.
6. Click Send Changes and Activate.
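How a user condition from the steps above is evaluated, as an added Python example (written for this page, not Barracuda code). It models the Login Name wildcard rule from step 7 (? and * allowed; a pattern containing ?* must also contain at least one literal character) and the two Group Patterns modes from step 8, One Pattern must match (OR) and All Patterns must match (AND). The glob matching via fnmatch, the case-insensitive comparison, and the sample users and group names are this example's assumptions.

```python
"""User-condition matching as an added example (not Barracuda code).

Models the Login Name wildcard rule ('?' and '*' allowed; a pattern containing
'?*' must also contain at least one literal character) and the Group Patterns
modes One Pattern must match (OR) / All Patterns must match (AND). Group
names and the sample users are constructed for the demo.
"""
import fnmatch
import re


def validate_login_pattern(pattern):
    """Enforce the guide's rule: if '?*' appears, the pattern needs at least one
    character that is not a wildcard. Returns the pattern or raises ValueError."""
    if not pattern:
        raise ValueError("login name pattern must not be empty")
    if "?*" in pattern and not re.search(r"[^?*]", pattern):
        raise ValueError("'?*' needs at least one literal character")
    return pattern


def login_matches(pattern, login):
    """Case-insensitive glob match; fnmatch treats '?' and '*' as the guide
    does (it also treats [...] as a character class, which logins rarely use)."""
    return fnmatch.fnmatchcase(login.lower(), validate_login_pattern(pattern).lower())


def groups_match(patterns, groups, mode):
    """mode 'OR': any pattern matches some group; 'AND': every pattern matches
    some group. An empty pattern list places no group condition on the user."""
    if not patterns:
        return True
    hits = [any(fnmatch.fnmatchcase(g.lower(), p.lower()) for g in groups) for p in patterns]
    if mode == "OR":
        return any(hits)
    if mode == "AND":
        return all(hits)
    raise ValueError(f"unknown group mode {mode!r}")


def user_condition_matches(condition, user):
    """condition: {'login': pattern, 'groups': [patterns], 'mode': 'OR'|'AND'};
    user: {'login': name, 'groups': [group names]}."""
    return (login_matches(condition["login"], user["login"])
            and groups_match(condition["groups"], user["groups"], condition["mode"]))


# Constructed sample data for the demo (not from the guide).
TRUSTED_LAN_USERS = {"login": "*", "groups": ["CN=LAN-Admins*", "CN=Finance*"], "mode": "OR"}
ALICE = {"login": "alice", "groups": ["CN=Finance,OU=Staff,DC=example,DC=com"]}
BOB = {"login": "bob", "groups": ["CN=Guests,OU=External,DC=example,DC=com"]}

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user["login"], user_condition_matches(TRUSTED_LAN_USERS, user))
```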
How to Create and Apply User Objects for VPN Users

In user objects, you can enter either X.509 certificate patterns or VPN user patterns to reference VPN users and groups. With the Barracuda Network Access Client, you can also reference users by policy role patterns. Combining fields is also possible. For example, you can enforce a VPN connection (by entering required VPN user patterns) and require a matching X.509 certificate to be installed in the browser application (by entering required X.509 certificate patterns).

In this article:
Create a User Object for VPN Users
Apply a User Object to a Firewall Rule

Create a User Object for VPN Users

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. From the left Firewall Objects menu, select Users and Groups.
4. Right-click the table and select New.
5. In the Edit/Create User Object window, enter a Name for the user object. For example: VPN Users
6. Click New to add a user condition. The User Condition window opens.
7. If you are using the Barracuda Network Access Client, enter the policy role patterns in the Policy Roles Patterns section:
   a. Select the required condition from the list.
   b. Click Add and select one or more patterns. If a condition must not apply, select the Negative Match check box.
8. To use a certificate, click Edit in the X509 Certificate Pattern section and specify the certificate conditions:
   Subject/Issuer – The subject/issuer of the affected X.509 certificate. If multiple subject parts (key value pairs) are required, separate them with / (for example, if OU=test1 and OU=test2 are required, select OU and enter test1/test2). Using wildcards (?, *) is allowed. Take into consideration that the order is mandatory.
   Policy/AltName – The ISO number and the SubjectAltName according to the certificate.
9. If applicable, enter the required VPN login and group policy that the object has to apply to in the VPN User Pattern section:
   VPN Name – The required VPN login name. Using wildcards (?, *) is allowed.
   VPN Group – The required VPN group policy that the object has to apply to.
   Authentication Method – In this section, you can specify the following settings:
      Origin – Defines the type of originator (see User Objects).
      Server/Service/Box – Allows enforcing authentication on a certain server/service/box.
10. Click OK.
11. After you specify the conditions for all of the users that you want to include in this object, click OK to create the user object.
12. Click Send Changes and Activate.

If you are using Offline Authentication, ensure that user-specific rules are sequenced after the fwauth rule (see How to Configure Offline Firewall Authentication).

Apply a User Object to a Firewall Rule

To apply a configured user object to a firewall rule:

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Edit the firewall rule that you want to apply the user object to.
4. From the Authenticated User list, select the user object.
5. Click OK.
6. Click Send Changes and Activate.

Connection Objects

A connection object defines the egress interface and source (NAT) IP address for traffic matching the firewall access rule. If a source IP address is specified, the appropriate link is used based on the routing table. If an interface is specified, the appropriate source IP address is used based on the routing table. You can use the predefined connection objects, or you can create new connection objects.
Connection Objects

Dynamic SNAT – The firewall uses the routing table to find a suitable interface for routing the packet and uses the IP address of the relevant interface as the new source IP address.
No SNAT – The original source IP address of the packet is not changed.
SNAT with 3G IP – Source NAT uses the first IP address on the ppp5 device.
SNAT with DHCP IP – Source NAT uses the first IP address on the dhcp device.
SNAT with DSL IP – Source NAT uses the first IP address on the ppp1 device.
Custom Connection Objects (explicit-conn) – Create your own custom connection objects to define the explicit source address for this connection.
NAT Tables – NAT Tables are an expanded type of source NAT for a network or IP address range.

For more information, see How to Create a Custom Connection Object and How to Create NAT Tables (Translation Maps).

Failover and Link Load Balancing

For every custom connection object you create, failover and link/load balancing can be defined. For more information, see How to Configure Link Balancing and Failover for Multiple WAN Connections.

Multipath Routing

Multipath routing is used when multiple paths are used to route traffic to a single target network. Multipath routing offers benefits such as increased bandwidth. When a session is established, the Barracuda NG Firewall assigns a network path to the session based on the source address. For more information, see How to Configure Multipath Routing.

How to Configure Multipath Routing

Firewall-assisted multipath routing is used when multiple paths are used to route traffic to a single target network. Multipath routing offers benefits such as increased bandwidth. When a session is established, the Barracuda NG Firewall assigns a network path to the session based on the source address.
The weight of a multipath gateway determines how often the path is used in comparison with the others. If all multipath gateways are given the same weight, the load is distributed evenly over all available multipath gateways.

Use link balancing via connection objects in the Firewall service if you require failover support. If one part of the multipath connection goes down, the entire multipath route is considered down, even if the other multipath gateways are still up and running.

Configure Multipath Routing

Create a multipath route and set the weight of each link according to your preferences.

1. Go to CONFIGURATION > Configuration Tree > Box > Network.
2. In the left menu, click Routing.
3. Click Lock.
4. In the left menu, expand the Configuration Mode section and click Advanced View.
5. Add a route to the Main Routing Table.
6. Enter a Name for the multipath route.
7. Enter the settings for the multipath route:
   Target Network Address – Enter the target network. For example, enter 0.0.0.0/0 if you want to use the multipath route as the default route.
   Route Type – Select multipath.
   Trust Level – Select the trust level for the route. For example, select Untrusted for a WAN connection.
   Route Metric – Enter the route metric for this route. If you want traffic to the target network to take this route, ensure that no other route to the same destination has a lower metric.
   Multipath Gateway – Click and enter the following settings for each multipath gateway:
      Multipath Gateway – Enter the IP address for the gateway. For example, enter 10.0.10.11 for the first gateway in the previous figure.
      Weight Number – Enter the weight number for this multipath gateway.
      Assigned Source – Enter the IP address that you want to use as the source IP address.
8. Click OK.
9. Click Send Changes and Activate.
10. Open the CONTROL > Box page and click Activate new network configuration.

You can now send traffic to the Target Network of the multipath route; the traffic is distributed across the configured multipath gateways according to the assigned weights. Balancing might not be perfect, because the link is selected based on a route table lookup, and route lookups are cached. Routes to heavily used IP addresses will most likely always use the same link.

How to Create a Custom Connection Object

Connection objects are used to rewrite the source IP address of a connection. Connection objects are also used for outbound load balancing and failover support. A custom connection object allows you to combine load balancing / failover support with a custom source IP address.

Create a Custom Connection Object

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, click Connections.
3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
4. In the Name field, enter a name for the connection object. E.g., CustomConnectionObject
5. From the NAT Address list, select how the source address should be determined for your connection:
   Client | No Src NAT – Uses the source IP address of the client.
   Source-based NAT – Dynamically chosen according to the firewall routing tables. This is a general-purpose option.
   Src NAT – 1st Srv IP (Proxyfirst) – Uses the First-IP [IP1] configured in the virtual Server Properties of the server the firewall service is running on.
   Src NAT – 2nd Srv IP (Proxysecond) – Uses the Second-IP [IP2] configured in the virtual Server Properties of the server the firewall service is running on.
   From Interface – Explicitly specified interface. May be used to restrict the bind address to a specific interface.
   Selecting Interface activates further options below and in the Firewall Configuration section.
   Explicit – Explicitly specified IP address. May be used to restrict the bind address to a specific address. Selecting Explicit activates further options below and in the section Firewall Configuration – Service Objects – General settings – section Failover and Load Balancing:
      Same Port – Selecting this checkbox enforces the use of the same client port when establishing the connection.
      Explicit IP – Enter the specific IP address here.
      Create Proxy ARP – If the explicitly defined IP address does not exist locally, an appropriate Proxy ARP entry can be created by selecting this checkbox.
   Network Object – section Failover and Load Balancing:
      Interface Name – Enter the name of the affected interface here.
   Translation Table – Source NAT for a complete subnet. To avoid misconfiguration, only netmasks of up to 16 bits can be used. Otherwise, a Proxy ARP entry for 10.0.0.0/8, for example, would "blank out" the whole internal network. If you define a map, make sure that the source range using this connection is equal to or smaller than the map range. If not, the firewall wraps the larger source net into the smaller bind net. E.g., if you use an X.X.X.X/24 network as the source and Y.Y.Y.Y/25 as the map range, the IP address X.X.X.128 is mapped to Y.Y.Y.1.
6. Map to Network – Enter the specific mapping network here.
7. Netmask – Enter the corresponding netmask here.
8. Proxy ARP – This parameter is needed by a router if the addresses live in its local network. For more information, see How to Create Proxy ARP Objects.

If the connection object applies to a multi-transport VPN tunnel, you can define the preferred and secondary transport class in the VPN Traffic Intelligence (TI) Settings section.

9. Click OK.
10. Click Send Changes and Activate.
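A sanity check for the Translation Table option described in step 5, as an added Python example (written for this page, not Barracuda code). It enforces the two constraints the guide states before a map is committed: the map must not be larger than a /16 (the guide limits the netmask to 16 bits so that a Proxy ARP for something like 10.0.0.0/8 cannot blank out the internal network; reading that as "prefix length at least 16" is this example's interpretation), and the source range must be equal to or smaller than the map range, because otherwise the firewall wraps the larger source net into the smaller map and several source addresses end up sharing one translated address. The network values in the demo are constructed.

```python
"""Translation Table sanity check, added as an example (not Barracuda code).

Checks the two constraints the guide states for the Translation Table option:
the map may not be larger than a /16 (interpretation of "netmask limited to
16 bits"), and the source range must be equal to or smaller than the map
range, otherwise the firewall wraps the larger source net into the smaller
map and distinct sources share translated addresses.
"""
import ipaddress

MAX_MAP_HOST_BITS = 16   # a /16 is the largest map allowed (this example's reading)


def check_translation_table(source_net, map_net):
    """Return a list of (severity, message) findings; an empty list means the
    map is acceptable. 'error' should block the change, 'warning' explains
    a behaviour the administrator may not want."""
    src = ipaddress.ip_network(source_net, strict=False)
    dst = ipaddress.ip_network(map_net, strict=False)
    findings = []
    if src.version != dst.version:
        findings.append(("error", "source and map must be the same IP version"))
        return findings
    host_bits = dst.max_prefixlen - dst.prefixlen
    if host_bits > MAX_MAP_HOST_BITS:
        findings.append(("error",
                         f"map {dst} is larger than a /{dst.max_prefixlen - MAX_MAP_HOST_BITS}; "
                         "a Proxy ARP for it could blank out the internal network"))
    if src.num_addresses > dst.num_addresses:
        ratio = src.num_addresses // dst.num_addresses
        findings.append(("warning",
                         f"source {src} is larger than map {dst}: the firewall wraps it, "
                         f"so {ratio} source addresses will share each translated address"))
    return findings


def wrapped_collisions(source_net, map_net):
    """How many source addresses collapse onto one map address (1 = no wrapping)."""
    src = ipaddress.ip_network(source_net, strict=False)
    dst = ipaddress.ip_network(map_net, strict=False)
    return max(1, src.num_addresses // dst.num_addresses)


if __name__ == "__main__":
    # Constructed example values (not from the guide): a /24 source into a /25 map
    # reproduces the wrapping case the guide warns about.
    for finding in check_translation_table("192.0.2.0/24", "198.51.100.0/25"):
        print(*finding)
    for finding in check_translation_table("10.0.0.0/8", "10.0.0.0/8"):
        print(*finding)
```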
You can now apply the connection object to your firewall rules. Double-click a rule's number (or right-click an existing firewall rule and select Edit Rule) to open the rule configuration. From the left navigation pane, select the Object Viewer check box to drag connection objects from the Object Viewer window to the Connection Method table.

Parameters

General Settings

Name – Name of the connection object.
Description – Significant connection object description.
Connection Color – Choose the color in which you want the connection object to be displayed in the Firewall - Connections window.
Connection Timeout – This general option for all connection types is the timeout for trying to establish a connection. The default value is 30 seconds. Increasing this value can be useful for very slow connection partners. Decreasing this value can be useful for faster failover mechanisms.
NAT Address – This parameter specifies the Bind IP. The following options are available:
   Proxyfirst | Src NAT - 1st Server IP – First IP address of the server under which the firewall service is operating. May be used to restrict the bind address or when policy routing is activated.
   Proxysecond | Src NAT - 2nd Server IP – Second IP address of the server under which the firewall service is operating. May be used to restrict the bind address or when policy routing is activated.
   Proxy Dyn | Dynamic Source NAT (default) – Dynamically chosen according to the firewall routing tables. This is a general-purpose option.
   Client | No Src NAT – IP address of the client. Source IP = Bind IP.
   Explicit – Explicitly specified IP address. May be used to restrict the bind address to a specific address.
   Selecting Explicit activates further options below and in the section Firewall Configuration – Service Objects – General Settings – section Failover and Load Balancing:
      Same Port – Selecting this checkbox enforces the use of the same client port when establishing the connection. This setting has no effect if the Failover and Load Balancing policy is not set to NONE.
      Explicit IP – Enter the specific IP address here.
      Create Proxy ARP – If the explicitly defined IP address does not exist locally, an appropriate Proxy ARP entry can be created by selecting this checkbox.
   From Interface – Explicitly specified interface. May be used to restrict the bind address to a specific interface. Selecting Interface activates further options below and in the section Firewall Configuration – Service Objects – General Settings – section Failover and Load Balancing:
      Interface Name – Enter the name of the affected interface here.
   Translation Table – Source NAT for a complete subnet. To avoid dramatic misconfiguration, the netmask is limited to up to 16 bits. Otherwise, a Proxy ARP entry for 10.0.0.0/8, for example, would "blank out" the whole internal network. If you define a map, you must make sure that the source range using this connection is equal to or smaller than the map range. If not, the firewall wraps the larger source net into the smaller bind net.
      Map to Network – Enter the specific mapping network here.
      Netmask – Enter the corresponding netmask here.
      Proxy ARP – This parameter is needed by a router if the addresses live in its local network. For more information, see How to Create Proxy ARP Objects.

The Failover and Load Balancing section is only available with the parameter Address Selection set to Explicit or Interface.

Failover and Load Balancing
Policy – Specifies what should happen if the connection cannot be established. This is especially useful with multiple providers and policy routing, because it lets you specify which IP address/interface is to be used as backup. Otherwise, connecting via the backup provider with the wrong source IP address would make return routing practically impossible. Available policies are:
NONE – (No Fallback or Source Address Cycling) [default] Deactivates the fallback feature.
Fallback – (Fallback to alternative Source Addresses) Uses the alternative IP addresses/interfaces specified below.
SEQ – (Sequentially Cycle Source Addresses) Cycles through the IP addresses/interfaces specified below.
RAND – (Randomize Source Addresses) Uses the IP addresses/interfaces specified below in random order.
Configuration examples related to multipath routing are described in more detail in the section Barracuda NG Firewall Multipath Routing.
Alternative/Type – Up to three alternative IP addresses or interfaces for use with the selected policy. Use alternative interfaces when an interface has no permanently assigned IP address.
Weight – Assigns a weight to the IP address or interface. Higher numbers mean higher priority. When load balancing, the weights represent the traffic balancing ratio of the available links. A weight ratio of 40:20:10 means that traffic is balanced over the configured interfaces in a ratio of 4:2:1: the first link processes twice as much traffic as the second and four times as much as the third.

VPN Traffic Intelligence (TI) Settings
Settings in this section only apply to Traffic Intelligence configuration in combination with TINA tunnel VPN technology.
See Traffic Intelligence for details.

How to Create NAT Tables (Translation Maps)

NAT Tables are an extended type of source NAT for a network or IP address range. A NAT Table connection object rewrites the source IP address to an address in the translated range. To rewrite both the destination and the source address of a connection, use a NAT Table connection object together with a MAP firewall rule. You can enter multiple rewrite maps; they are processed from top to bottom, and the first matching map is used.

Create a NAT Table Connection Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. From the left menu, click Connections.
3. Click Lock.
4. Right-click the table and select New > NAT Table.
5. Enter a Name for the NAT Table. To use this NAT Table in a firewall rule, select this name from the Connection list in the firewall rule settings.
6. In the Original Address/Net/Range field, enter the source IP range or network.
7. In the Translated Address field, enter the network that the source IP address or network is to be rewritten to.
8. Unless the destination network is connected to the source network by a Layer 2 bridge, select the Proxy ARP check box.
9. Click New to add the addresses to the list.
10. Click OK.
11. Click Send Changes and Activate.

Apply the NAT Table to a Firewall Rule
To apply a NAT Table object to a firewall rule, select the object from the Connection list in the firewall rule settings.
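To make the Translation Table and NAT Table semantics above concrete, here is an added example in Python. It is not code from the Barracuda NG Firewall or from this guide; it only models the documented behaviour: a NAT Table is a list of maps processed top to bottom with the first match winning, a bind network wider than a /16 is refused, and a source range larger than the map range is wrapped into the bind net. The exact wrap rule (offset modulo bind net size), the class and function names, and the sample table are assumptions, since the guide only states that the larger net is wrapped into the smaller one.

```python
# Added example, not Barracuda code: a model of NAT Table / Translation Table
# processing. Names and the modulo wrap rule are assumptions.
import ipaddress

MAX_HOST_BITS = 16  # "netmask is limited to up to 16 bits": no bind net wider than a /16


class TranslationMap:
    """One row of a NAT Table: rewrite sources in `original` into `translated`."""

    def __init__(self, original, translated, proxy_arp=True):
        self.original = ipaddress.ip_network(original)
        self.translated = ipaddress.ip_network(translated)
        self.proxy_arp = proxy_arp  # the Proxy ARP check box from step 8
        host_bits = self.translated.max_prefixlen - self.translated.prefixlen
        if host_bits > MAX_HOST_BITS:
            widest = self.translated.max_prefixlen - MAX_HOST_BITS
            raise ValueError(f"{self.translated} is wider than a /{widest}; "
                             "a proxy ARP for it would blank out the whole internal network")
        # Allowed, but sources then wrap into the smaller bind net and collide.
        self.wraps = self.original.num_addresses > self.translated.num_addresses

    def matches(self, src):
        return ipaddress.ip_address(src) in self.original

    def translate(self, src):
        addr = ipaddress.ip_address(src)
        if addr not in self.original:
            raise ValueError(f"{addr} is not in {self.original}")
        offset = int(addr) - int(self.original.network_address)
        # Assumed wrap rule: offset modulo the size of the bind net.
        offset %= self.translated.num_addresses
        return self.translated.network_address + offset


def apply_nat_table(maps, src):
    """Maps are processed top to bottom; the first matching map is used.
    Returns (translated source as str, proxy ARP needed) or None if nothing matches."""
    for entry in maps:
        if entry.matches(src):
            return str(entry.translate(src)), entry.proxy_arp
    return None


# Constructed sample NAT Table (hypothetical addresses).
SAMPLE_TABLE = [
    TranslationMap("10.0.0.0/24", "192.168.50.0/24"),                  # 1:1 map
    TranslationMap("10.1.0.0/23", "172.16.5.0/24", proxy_arp=False),   # /23 wraps into a /24
]

if __name__ == "__main__":
    for src in ("10.0.0.7", "10.1.0.3", "10.1.1.3", "10.9.9.9"):
        print(src, "->", apply_nat_table(SAMPLE_TABLE, src))
```

The second sample map shows why the guide warns about source ranges larger than the map: 10.1.0.3 and 10.1.1.3 both become 172.16.5.3, so return traffic and logs can no longer distinguish them. Check the `wraps` flag before activating such a map.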
Proxy ARPs

The Address Resolution Protocol (ARP) resolves IPv4 addresses to the corresponding MAC addresses. ARP sends a broadcast request containing the IP address to all hosts in the same subnet; the host with the requested IP address replies with the MAC address of the interface that the IP address is bound to. To connect two physically separated networks, a host (the Barracuda NG Firewall) must be configured as a proxy ARP to answer ARP requests for hosts in the other subnet, which the ARP broadcast cannot reach. The Barracuda NG Firewall then answers ARP requests on behalf of the remote host and also accepts the packets, taking over responsibility for forwarding all traffic to the actual destination. This is called transparent subnetting, because the client computer can connect to the remote host without knowing that the firewall is forwarding its request in between.

Proxy ARP is configured via proxy ARP objects. Proxy ARPs can thus be regarded as additional IP addresses that the firewall responds to when it receives an ARP request. Proxy ARP addresses can be used for redirecting and mapping in firewall rule sets if they are in the same address space as the source of a connection request. Proxy ARP objects are also used in bridging setups.

Proxy ARP Types
You can create either a standalone or a dynamically generated proxy ARP object.
Dynamically generated – These proxy ARPs exist as long as the objects they were created for are in use, and they are deleted when the referring objects are deleted. To create such proxy ARPs, select the Proxy ARP/Create Proxy ARP check box next to the relevant configuration parameter in other configuration areas (rule configuration window, connection object dialog).
Standalone – If you want a proxy ARP object that is not tied to a referring object, create it as standalone.
Standalone proxy ARP objects cannot be accidentally deleted when a referring object is deleted.

Recommendations and Limitations
You can define up to 256 proxy ARP entries per Barracuda NG Firewall. Only the number of entries is limited; the number of IP addresses covered by them is not. Do not create proxy ARPs in the subnet where the firewall IP address is configured as the gateway IP address, because hosts in that subnet send traffic for other networks to the gateway anyway. The following examples show a subnet where proxy ARP can be used and one where it cannot:

Localnet     Firewall IP   Default Gateway IP   Redirected IP   Create Proxy ARP
10.0.0.0/24  10.0.0.100    none                 10.0.0.10       yes
10.0.0.0/24  10.0.0.100    10.0.0.100           10.0.1.10       no

Create a Proxy ARP Object
For more information, see How to Create Proxy ARP Objects.

How to Create Proxy ARP Objects

You can configure the Barracuda NG Firewall to answer ARP requests on behalf of a remote host. It can then accept packets and forward them correctly to that host. Proxy ARPs can be treated like additional IP addresses that the firewall responds to when it receives an ARP request. If proxy ARP addresses are in the same address space as the source of a connection request, you can use them for redirecting and mapping in firewall rule sets. You can also use proxy ARP objects for bridging. Do not create proxy ARPs in address spaces where the firewall IP address is configured as the gateway IP address.

You can create a proxy ARP object as a standalone object or in combination with a connection object. In the latter case the proxy ARP object depends on the connection object: if the connection object is deleted, the proxy ARP object is also deleted.

Create a Proxy ARP Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, expand the Firewall Objects section and click Proxy ARPs.
3. Click Lock.
4. Right-click the main pane and select New.
5. In the Edit/Create a Proxy ARP Object window, configure the settings for your proxy ARP object:
Network Address – Enter a single IP address or a complete network.
Standalone – To let the proxy ARP object exist without a referring object (such as a connection object), select this check box. Otherwise, the proxy ARP object is deleted when the referring object is deleted. The Standalone setting is enabled by default.
Primary Network Interface – Interface that is used when responding to an ARP request. Either enter a specific network interface (e.g., eth1) or select one of the following options: match (default) – ARP requests are answered via the interface that hosts the network; any – ARP requests are answered via any interface.
Additional Interfaces – Additional interfaces that are used when responding to ARP requests. Only enter interfaces that do not conflict with the primary network interface. You can enter a space-delimited list of interfaces.
Exclude Networks – Network addresses that are excluded from the network entered in the Network Address field. Enter a space-delimited list of addresses to exclude multiple IP networks.
Source Address Restriction – Network addresses that must be used as the source IP address when responding to ARP requests. Enter a space-delimited list of source addresses.
Introduce Route on Interface – Read-only field that displays the bridging interface route when the proxy ARP is used for bridging. For more information, see Bridging.
Send Unsolicited ARP – To configure the firewall to announce the specified IP addresses through unsolicited ARPs, select this check box. The Send Unsolicited ARP setting is enabled by default.
Unsolicited ARPs can only be sent if the corresponding network interface has an active IP address. The status of the IP address is only verified when the forwarding firewall starts up, such as during an HA takeover or when the firewall rule set changes. It is not verified when the network interface changes to state "up" or when a pending route becomes active, such as when a server IP address is introduced. In that case, only the proxy ARP is introduced, to answer incoming ARP requests.
6. Click OK.
7. Click Send Changes and Activate.

How to Create Interface Groups

Processing of a firewall rule does not necessarily need to be tied to the physical network environment of a Barracuda NG Firewall box, which is configured at box level. On systems equipped with multiple network interfaces, you can explicitly define which interfaces may be used when a rule comes into action. An interface group specifies the interface that the source address is allowed to use. For each rule, an interface may be assigned to the origin and the destination of the connection request by selecting it in the Connection Objects settings. When you create firewall rules, you can use the predefined groups, or, if you want to reference custom interfaces that are not in the default list, you can create custom interface groups.

In this article:
Predefined Interface Groups
Create an Interface Group

Predefined Interface Groups
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. From the left navigation pane, expand the Firewall Objects menu and select Interface Groups.
The following predefined network interface objects are available for selection:
Any – The first interface matching the request is used for the connection in accordance with the routing configuration.
The packet source is not verified. Reply packets might be forwarded through another interface if multiple interfaces capable of doing so are available. Not checking the physical source of packets is occasionally needed in very special configurations; for security reasons, do not use this setting without explicit need.
Matching (default) – Ensures that arriving packets are processed through the same interface that will forward the corresponding reply packets; source and destination addresses are simply reversed. This method is intended to prevent IP spoofing attacks, in which an attacker uses internal addresses from outside the internal network. With eventing activated (parameter IP Spoofing set to yes), IP spoofing detection triggers the events FW IP Spoofing Attempt Detected [4014] and FW Potential IP Spoofing Attempt [4015].
RAM, ADSL, DHCP, ISDN, SERIAL, 3G, ... – Explicitly restricts rule processing to the specified dynamic network interface (if installed and configured).

Create an Interface Group
To create a new interface group, proceed with the following steps:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Right-click the table and select New.
4. In the Edit/Create an Interface Group window, enter a descriptive Name for the interface group.
5. From the Interface drop-down list, select the desired option:
match (default) – Ensures that arriving packets are processed through the same interface that will forward the corresponding reply packets; source and destination addresses are simply reversed. This method is intended to prevent IP spoofing attacks, in which an attacker uses internal addresses from outside the internal network.
With eventing activated (parameter IP Spoofing set to yes), IP spoofing detection triggers the events FW IP Spoofing Attempt Detected [4014] and FW Potential IP Spoofing Attempt [4015].
any – The first interface matching the request is used for the connection in accordance with the routing configuration. The packet source is not verified. Reply packets might be forwarded through another interface if multiple interfaces capable of doing so are available. Not checking the physical source of packets is occasionally needed in very special configurations; for security reasons, do not use this setting without explicit need.
eth0 - 4 – Lets you select a specific port.
dhcp – Explicitly restricts rule processing to the specified dynamic network interface (if installed and configured).
6. Click Add to add the interface to the list.
7. Click OK.
8. Click Send Changes and Activate.

Application Control 2.0

With Application Control 2.0, you can control application traffic, including sub-applications (e.g., chat functions and picture uploading). It includes the following features:
Application Rule Set – A dedicated rule set to detect and control application traffic. You can create rules to drop, throttle, prioritize, or report detected applications. Traffic patterns are compared with predefined application objects containing detection patterns for the latest applications. The application pattern database is updated with every Barracuda NG Firewall firmware update. You can also customize application definitions based on previously analyzed network traffic. To classify applications and threats, all application objects are categorized by risk, bandwidth, or vulnerabilities.
URL Filtering – Based on the Barracuda Web Filter URL category database.
SSL Interception – Most applications encrypt outgoing connections with SSL or TLS.
SSL Interception intercepts and decrypts encrypted traffic so that Application Control 2.0 can detect and handle embedded features or sub-applications of the main application. For example, you can create a policy that permits general use of Facebook but forbids Facebook chat. If you do not enable SSL Interception, main applications can still be detected: Facebook is still detected, but you cannot determine whether Facebook chat or a Facebook app is being used.
AV Scanning – If AV scanning is activated in a forwarding firewall rule, all matching traffic is scanned for malicious content. You can use the Avira and/or ClamAV scanners.
ATD – If ATD is enabled in an access rule, all matching traffic is first scanned by the virus scanner; if no virus is found and the file matches the ATD policy, the file is uploaded to the Barracuda Content Security Cloud for scanning.
Safe Search – Enforces safe search on Google, Bing, Yahoo, and YouTube.
YouTube For Schools – Only allows access to the YouTube for Schools channel associated with the YouTube for Schools token supplied by YouTube.

You can use Application Control 2.0 in combination with HTTP(S) proxies. However, detection of sub-applications might not be available, depending on the configuration and type of proxy service. For more information, see Using Application Control 2.0 with HTTP(S) Proxies.

In this article:
Understanding Application Control 2.0
Using Application Control 2.0

Understanding Application Control 2.0
Because applications are either web-based or connect to servers on the Internet via SSL/TLS-encrypted connections, they can be detected and controlled as they pass through the Barracuda NG Firewall. If Application Control 2.0 and SSL Interception are enabled in the forwarding firewall rule that handles the application traffic, the traffic is sent to the application rule set and processed as follows:
1. SSL traffic is decrypted.
2. Application rules are processed from top to bottom to determine whether they match the traffic. If no rule matches, the default application policy is applied.
3. If a matching application rule is found, the detected application is handled according to the rule settings. The application can be reported, or it can be restricted by time, bandwidth (QoS), user information, or content (e.g., MPEG).
4. If the traffic was decrypted, it is re-encrypted.
5. The traffic is sent back to the forwarding firewall, which forwards it to its destination.

Using Application Control 2.0
How to Enable Application Control 2.0
Application Rule Set and Lists
How to Create a Custom Application Object
How to Create an Application Object
How to Create a Protocol Object
How to Create an Application Filter
How to Create an Application Rule
Application Based Provider Selection
How to Override the Risk Classification of an Application
Using Application Control 2.0 with HTTP(S) Proxies

How to Enable Application Control 2.0

Application Control 2.0 expands the scope of the firewall engine to include the application type as a matching criterion. If an access rule with Application Control enabled matches, the application rule set is processed from top to bottom and the action set in the first matching application rule (Pass or Deny) is executed. For applications using SSL-encrypted connections, application detection allows more granular control when SSL Interception is enabled. Application Control 2.0 is currently limited to IPv4. Additional Forwarding Firewall features that require Application Control 2.0 are SSL Interception, Web Filtering, Virus Scanning, and ATD.
In this article:
Supported NG Firewall Models
Enable Application Control 2.0

Supported NG Firewall Models
Application Control – Available on all Barracuda NG Firewall models with a valid Energize Updates subscription. On hardware models without a valid Energize Updates subscription or with a legacy phion license, Application Control is limited to detecting applications only.
SSL Interception – Available on all Barracuda NG Firewall models with a valid Energize Updates subscription, except F10 and F100/F101.
URL Filter – Available on all Barracuda NG Firewall models with a valid Energize Updates subscription, except F10.
Virus Scanning – Available on all Barracuda NG Firewall models with valid Energize Updates and Malware subscriptions, except F10.
Advanced Threat Detection – Available on all Barracuda NG Firewall models with valid Energize Updates, Malware, and Advanced Threat Detection subscriptions, except F10 and F100/F101.
Safe Search and YouTube for Schools – Available on all Barracuda NG Firewall models with a valid Energize Updates subscription.

Enable Application Control 2.0
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, expand Settings and click Setup. The Ruleset Setup window opens.
3. Verify that the correct Feature Level is selected for the features you need:
Application Control 2.0 – Release 5.4.0 or later
SSL Interception – Release 5.4.0 or later
URL Filter – Release 5.4.2 or later
Virus Scanning in the Firewall – Release 5.4.3 or later
ATD – Release 6.0.0 or later
Safe Search – Release 6.1.0 or later
YouTube for Schools – Release 6.1.0 or later
4. To enable the use of application rules, select Use Application Ruleset from the Application Ruleset list.
5. Click OK.
6. Click Send Changes and Activate.
Application Rule Set and Lists

On the Forwarding Firewall - Rules page, you can view and configure the application rule set. You can also view the lists of application and URL filter objects that can be used in application rules.

In this article:
Application Rule Set
Application Objects List
URL Filter Objects List

Application Rule Set
In the Application Rules section of the Forwarding Firewall - Rules page, you can view and edit the application rule set. It lists all application rules that have been created. After adding a new application rule, you can directly edit specific rules. For more information, see Firewall Access Rules. The following figure displays the application rule set. In the rule set, the information and settings for each rule are organized into the following columns:
Name – The name of the application rule.
Application – The applications and sub-applications affected by the rule. You can either statically assign specific applications or use an application object. Barracuda Networks recommends using an Application Object or Application Filter instead of linking static applications to access rules.
Content – The types of multimedia content affected by the rule. You can choose to globally block Flash, AVI, MPEG, QuickTime, and RealMedia content in websites.
URL Filter Match – The URL Filter Match policy applied by the rule. You can either statically assign specific URL filters or use an existing URL Filter Match object. Barracuda Networks recommends using URL Filter Match objects instead of linking static URL Filter Match policies to access rules.
URL Filter Policy – The URL Filter Policy applied by the rule. You can either statically assign specific URL policies or use an existing URL Filter Policy object.
Barracuda Networks recommends using URL Filter Policy objects instead of linking static URL Filter policies to access rules.
Protocol – The protocols affected by the rule. With protocols, traffic can be controlled without matching criteria such as source or destination network. For example, you can select protocols to globally detect IPsec or SMTP traffic and apply QoS policies that prioritize business-critical network communication without knowing its origin or target.
User – The users and user groups affected by the rule.
Schedule – The time or date during which the rule applies.
QoS – The traffic shaping settings used by the rule. For more information, see Traffic Shaping and How to Create and Apply QoS Bands.
Action – The action performed when the application is accessed by the user (Deny or Pass).
Source – The source network address of the traffic affected by the rule. Because the source network is already evaluated in the access rule set, you can either use Any or enter specific IP addresses.
Destination – The destination network address of the traffic affected by the rule. Because the destination network is already evaluated in the access rule set, you can either use Any or enter specific IP addresses.
Comment – Optional. Additional information about the application rule.
IPS Policy – The Intrusion Prevention System (IPS) policy enforced by the rule. For more information on IPS, see Intrusion Prevention System (IPS).
Usage – Optional. Additional information about the application rule.
TI-Settings – The Traffic Intelligence (TI) settings. For more information, see Traffic Intelligence.

Application Objects List
In the Applications section of the Forwarding Firewall - Rules page, you can view, create, and edit the applications and application objects that are used in application rules.
Applications are organized into the following categories:
Application Object – Lists the application objects you have created. An application object is a reusable combination of predefined applications, custom applications, and other application objects. Application objects help simplify the configuration of application rules. For more information, see How to Create an Application Object.
Protocol Object – Lists the protocol objects you have created. A protocol object is a reusable combination of predefined protocols. For more information, see How to Create a Protocol Object.
Custom Application – Lists the custom applications you have created. If the default Application Control 2.0 pattern database does not cover an application that you want to use in your application rules, you can define a custom application. For more information, see How to Create a Custom Application Object.
Application Overrides – Lists the applications whose risk levels you have changed. For more information, see How to Override the Risk Classification of an Application.
Applications – Lists the predefined applications from the Application Control 2.0 database.
The following figure displays the Applications section.

The following information is provided for each application and application object:
Name – The name of the application, including the icon of the service/application.
Ref by – The application object(s) that reference this entry; set when an application filter or object is created. Referenced objects cannot be deleted.
Description – A description of the application, including type and features.
Comment – General information about the application.

URL Filter Objects List
In the URL Filter section of the Forwarding Firewall - Rules page, you can view, create, and edit the URL filter objects that are used in application rules.
The following information is provided for each URL filter object:
Name – The name of the URL filter object.
Ref by – The URL filter object(s) that reference this entry. Referenced objects cannot be deleted.
Description – A description of the URL filter object, including type and features.
Comment – General information about the URL filter object.

How to Create a Custom Application Object

If the default Application Control 2.0 pattern database does not include an application that you want to use in your application rules, you can create a custom application object. Select a template for an existing application and configure it to match the application that you want to drop, throttle, prioritize, or report.

Create a Custom Application Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, expand Firewall Objects and select Applications.
3. Click Lock.
4. Create the custom application by either right-clicking the table and selecting New > Custom Application or using the icons in the top-right area of the rule set.
5. Select an application to customize and click OK.
6. You can customize the following settings for the application:
Name – The name of the application.
Comment – Additional information about the application.
Category – The category of the application.
Risk – The risk level of the application, from 1 (low) to 4 (high).
Properties – The properties of the application.
Application Name – To customize specific components of the application, add the component names. To find the name of a component, go to the Firewall > Monitor page, click the application, and look at the Deep Application Control window in the Application Statistics section.
Examples:
Facebook – Use the canvas name of the Facebook application: https://apps.facebook.com/<canvasname>.
SSL – Create matching criteria based on X.509 certificate content.
Web browsing – Create matching criteria based on the URL host (www.acme.com) or URL path (/images?/).
7. Click Save.
The following figure displays the process for creating a custom application.

How to Create an Application Object

An application object is a reusable combination of predefined applications and custom applications. You can use application objects to create your own set of applications with custom include and exclude lists.

Create an Application Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, expand Firewall Objects and select Applications.
4. Create the application object by either right-clicking the table and selecting New > Application Object or using the icons in the top-right area of the rule set.
5. Filter the available applications by Name or Category.
6. Select the applications that you want to add to your application object and either drag them to the Application Set section or click the plus sign (+) that appears in the Name column. If an application consists of more than one component, adding the parent application also adds its child objects.
7. Click Result to view a list of all currently selected applications.
8. To exclude specific sub-applications from applications consisting of more than one component:
a. Expand the application.
b. Click the minus icon (-) next to the application features that you want to exclude. The base component belongs to the application and must never be excluded separately.
9. Click Save.
10. Click Send Changes and Activate.
The following figure displays the process for creating an application object.

How to Create a Protocol Object

Internet communication is based on defined protocols that reside in the application layer (most commonly HTTP, HTTPS, or SMTP) and ensure that users can visit websites, access encrypted online banking accounts, and send email. Although Application Control 2.0 works on the application layer and detects applications based on communication patterns, you may still want full control over generic network protocols such as IPsec, BGP, or SIP. In critical back-end environments (such as MSSPs), Application Control 2.0 detection based on protocol objects is the right tool to detect, classify, regulate, or even block generic IP-based protocols independently of communication criteria such as source and destination network.

Create a Protocol Object
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, expand Firewall Objects and select Applications.
4. Create the protocol object by either right-clicking the table and selecting New > Protocol Object or using the icons in the top-right area of the rule set.
5. Search or filter for the protocols to include in the object.
6. Add protocols by either dragging them to the Protocol Set section or clicking the plus sign (+) next to their names.
7. If a protocol entry consists of more than one component, adding the parent entry also adds its child objects.
8. Click Save.
9. Click Send Changes and Activate.
The following figure displays the process for creating a protocol object.
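The following added example, written in Python, is not code from Barracuda or from this guide. It models the processing order described under Understanding Application Control 2.0 together with the include/exclude lists from How to Create an Application Object: application rules are tried from top to bottom, the first match decides, the default application policy applies when nothing matches, and sub-applications are only visible to the rule set when SSL Interception is enabled. The class names, the "parent/component" naming of detected applications, and the sample policy are assumptions; the detection engine itself is out of scope.

```python
# Added example, not Barracuda code: a model of application rule set evaluation.
# Class names, the "parent/component" naming and the sample policy are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectedApp:
    """What detection reports: the parent application plus an optional sub-application."""
    name: str            # e.g. "facebook"
    component: str = ""  # e.g. "chat"; "" is the base component


@dataclass(frozen=True)
class ApplicationObject:
    """Reusable include/exclude set, as built in 'How to Create an Application Object'.
    include entries are "parent" (all components) or "parent/component";
    exclude entries are "parent/component" and may never name a base component."""
    include: frozenset
    exclude: frozenset = frozenset()

    def __post_init__(self):
        for entry in self.exclude:
            parent, sep, component = entry.partition("/")
            if not parent or not sep or not component:
                raise ValueError(f"base component cannot be excluded separately: {entry!r}")

    def matches(self, app):
        key = f"{app.name}/{app.component}" if app.component else app.name
        if app.name not in self.include and key not in self.include:
            return False
        return not (app.component and key in self.exclude)


@dataclass(frozen=True)
class ApplicationRule:
    name: str
    application: ApplicationObject
    action: str  # "Pass" or "Deny", as in the Action column


def visible_to_ruleset(app, ssl_interception):
    """Without SSL Interception only the main application is detected."""
    return app if ssl_interception else DetectedApp(app.name)


def evaluate(rules, app, ssl_interception=True, default_policy="Pass"):
    """Rules are processed top to bottom; the first match wins, otherwise the
    default application policy applies. Returns (rule name or 'default', action)."""
    seen = visible_to_ruleset(app, ssl_interception)
    for rule in rules:
        if rule.application.matches(seen):
            return rule.name, rule.action
    return "default", default_policy


# Constructed sample policy as a positive list: allow Facebook except chat, deny the rest.
SAMPLE_RULES = [
    ApplicationRule("deny-fb-chat",
                    ApplicationObject(frozenset({"facebook/chat"})), "Deny"),
    ApplicationRule("allow-fb",
                    ApplicationObject(frozenset({"facebook"}), frozenset({"facebook/chat"})), "Pass"),
]
SAMPLE_DEFAULT = "Deny"

if __name__ == "__main__":
    for app, ssl in ((DetectedApp("facebook", "chat"), True),
                     (DetectedApp("facebook", "chat"), False),
                     (DetectedApp("facebook"), True),
                     (DetectedApp("twitter"), True)):
        print(app, "ssl_interception=%s" % ssl, "->", evaluate(SAMPLE_RULES, app, ssl, SAMPLE_DEFAULT))
```

The second case in the usage block is the one to watch in practice: with SSL Interception disabled in the access rule, Facebook chat is seen only as "facebook", so the deny-fb-chat rule never fires and the traffic passes under allow-fb. A rule on a sub-application silently does nothing unless SSL Interception is enabled for the matching access rule.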
How to Create an Application Filter
Application filters are objects that are dynamically updated to include applications based on category, risk, or properties selection. Any application that matches the criteria of the application filter is automatically added to the application filter object.
Create an Application Filter
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, click Applications.
4. Create the filter by right-clicking the table and selecting New > Application Filter or using the icons in the top-right area of the rule set.
5. Select the categories, risk level, and properties for the applications to be filtered into the object.
6. Click Save.
7. Click Send Changes and Activate.
The following figure displays the process for creating an application filter.

How to Create an Application Rule
Configuring an application rule is similar to configuring an access rule. You can enable Application Control 2.0 features on a per-access-rule basis. Application rules allow you to block or throttle traffic for detected applications. You can optionally combine the application rule with URL filter policy objects. The application ruleset is evaluated every time an access rule that has any of the Application Control options enabled matches. Make sure the matching access rule allows all protocols needed for the applications you are creating policies for. The application ruleset can be created as a positive or negative list, depending on whether the default policy is set to allow or block undetected applications.
In most cases, setting the default policy to allow undetected applications and then creating application rules to block or throttle application traffic is the recommended setup.
In this article:
Before You Begin
Step 1. Enable Application Control Features in the Access Rule
Step 2. Create an Application Rule
Additional Matching Criteria
URL Filter
Applying Traffic Shaping to Detected Applications
Before You Begin
Verify that you have enabled Application Control 2.0 and that you are using the latest feature level of the Firewall service. For more information, see How to Enable Application Control 2.0.
Create the application objects and/or application filters necessary for your application policies. For more information, see How to Create an Application Object and How to Create an Application Filter.
Step 1. Enable Application Control Features in the Access Rule
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Double-click the access rule you want to enable application control for.
3. Click the Application Policy link.
4. Select the Application Control 2.0 features used for this access rule:
   Application Control
   SSL Interception
   URL Filter
   AV Scan
   ATD
   Safe Search
   YouTube for Schools
5. Click OK.
6. Click Send Changes and Activate.
Step 2. Create an Application Rule
For each application policy, create an application rule. Rules are evaluated from top to bottom. The action set in the first matching rule is executed.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, click Application Rules.
3. Click Lock.
4. Click the green plus sign (+) in the top right of the page or right-click the rule set and select New > Rule.
An application rule named New Rule is added to the application ruleset.
5. Double-click the New Rule application rule you just created. The Edit Rule window opens.
6. Select Pass or Deny as the action.
7. Enter a name for the rule. For example, LAN-DMZ.
8. Specify the following settings that must be matched by the traffic to be handled by the application rule:
   Source – The source addresses of the traffic. The source must be the same as or a subset of the source of the matching access rule.
   Destination – The destination addresses of the traffic. The destination must be the same as or a subset of the destination of the matching access rule.
   Application – Select the application object or application filter. For the example rule displayed above, an application object named FacebookAndGooglePlus has been created. For more information, see How to Create an Application Object and How to Create an Application Filter.
9. Set Additional Matching Criteria or change the QoS Bands as needed (see below).
10. Click OK.
11. Drag and drop the application rule so that it is the first rule that matches the traffic that you want it to handle. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
12. Click Send Changes and Activate.
Additional Matching Criteria
Authenticated User – Select a user object to apply this application policy only to a specific user group. For example, you can use this to allow social media access to specific employees, whereas an application policy below denies it for everybody else. For more information, see User Objects.
Schedule Objects – Applies time restrictions to the application policy. For example, you can use a schedule object to throttle social media during office hours. For more information, see Schedule Objects.
Protocol – Selecting a protocol object for a detected application allows you to apply a policy that denies the application the use of this protocol, or alternatively to apply a higher traffic shaping queue to the VoIP feature of an application. Protocols not allowed by the matching access rule cannot be allowed in the application rule. For more information, see How to Create a Protocol Object.
Content – To block or allow specific content types, you can select from the following content types:
   Any
   AVI
   Flash
   MPEG
   Quicktime
   Realmedia
URL Filter
You can combine URL filtering with application control. Use URL filter policy objects or URL filter match objects to block website categories.
URL Filter Policy – URL filter policies define the allow/block/warn/alert policy for every URL filter category. To apply that policy to the application rule, select the URL filter policy object from the list. For more information, see How to Create an URL Filter Policy Object.
URL Filter Matching – URL filter matching is used to assign additional policies such as traffic shaping or TI settings to web categories. For more information, see How to Create an URL Filter Match Object.
Applying Traffic Shaping to Detected Applications
Applications can not only be allowed or denied; you can also change the QoS band assigned to the traffic matching this application rule. This allows you to throttle or prioritize applications as needed. By default, the QoS band of the matching access rule is used. For more information, see Traffic Shaping.
Change the QoS Band – Select this checkbox to use a different QoS band than the one used by the matching access rule.
QoS Band (Fwd) – Select the QoS band to be applied to the outgoing application traffic matching this application rule.
QoS Band (Reply) – Select the QoS band to be applied to the incoming application traffic matching this application rule.
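The evaluation order the article above describes (the first matching access rule decides; when Application Control is enabled on it, the application ruleset is walked top to bottom and the first match wins; an application rule may only use a subset of the access rule's source and destination; rules below BLOCKALL never run) as an added Python model. This is example code written for this guide page, not Barracuda's implementation. The rule names, networks and application names are constructed, and how undetected traffic and detected-but-unmatched traffic are treated is an assumption noted in the code.

```python
"""Model of the two-stage rule evaluation: access ruleset, then application
ruleset. Added illustration, not Barracuda code; rules and names constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

ANY = "0.0.0.0/0"      # the Any network object
ANY_APP = "*"          # matches every detected application (models BLOCKALL)


@dataclass(frozen=True)
class AccessRule:
    name: str
    source: str                # network object as CIDR
    destination: str
    action: str                # "PASS" or "BLOCK"
    app_control: bool = False  # Application Policy > Application Control selected


@dataclass(frozen=True)
class AppRule:
    name: str
    source: str
    destination: str
    application: str           # application object / filter name, or ANY_APP
    action: str                # "PASS" or "DENY"


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def _matches(rule, src: str, dst: str) -> bool:
    return (ipaddress.ip_address(src) in _net(rule.source)
            and ipaddress.ip_address(dst) in _net(rule.destination))


def validate_app_rule(app_rule: AppRule, access_rule: AccessRule) -> bool:
    """The page's constraint: an application rule's source and destination
    must be the same as, or a subset of, the matching access rule's."""
    return (_net(app_rule.source).subnet_of(_net(access_rule.source))
            and _net(app_rule.destination).subnet_of(_net(access_rule.destination)))


def unreachable_rules(app_rules: List[AppRule]) -> List[str]:
    """Names of rules placed below a catch-all such as BLOCKALL; they never run."""
    for i, rule in enumerate(app_rules):
        if rule.application == ANY_APP and rule.source == ANY and rule.destination == ANY:
            return [r.name for r in app_rules[i + 1:]]
    return []


def evaluate(access_rules: List[AccessRule], app_rules: List[AppRule],
             src: str, dst: str, detected_app: Optional[str],
             allow_undetected: bool = True) -> Tuple[str, str]:
    """Return (verdict, name of the deciding rule).

    detected_app is None when Application Control could not classify the
    traffic; the default policy then decides (assumption: the page only says
    the default policy allows or blocks undetected applications)."""
    access = next((r for r in access_rules if _matches(r, src, dst)), None)
    if access is None or access.action != "PASS":
        return "BLOCK", (access.name if access else "implicit-deny")
    if not access.app_control:
        return "PASS", access.name           # no Application Policy: plain access rule
    if detected_app is None:
        return ("PASS" if allow_undetected else "BLOCK"), "default-policy"
    for rule in app_rules:                   # top to bottom, first match wins
        if _matches(rule, src, dst) and rule.application in (ANY_APP, detected_app):
            return rule.action, rule.name
    return "PASS", access.name               # assumption: no app rule matched, access verdict stands


# Constructed sample ruleset: marketing may use Facebook, the rest of the LAN may not.
ACCESS_RULES = [
    AccessRule("LAN-2-INTERNET", "10.0.0.0/8", ANY, "PASS", app_control=True),
    AccessRule("BLOCKALL", ANY, ANY, "BLOCK"),
]
APP_RULES = [
    AppRule("Allow-Marketing-Facebook", "10.0.1.0/24", ANY, "Facebook", "PASS"),
    AppRule("Block-Facebook", "10.0.0.0/8", ANY, "Facebook", "DENY"),
    AppRule("BLOCKALL", ANY, ANY, ANY_APP, "DENY"),
    AppRule("Never-Reached", "10.0.0.0/8", ANY, "Skype", "PASS"),   # below BLOCKALL: dead
]

if __name__ == "__main__":
    print(evaluate(ACCESS_RULES, APP_RULES, "10.0.1.7", "203.0.113.10", "Facebook"))
    print(evaluate(ACCESS_RULES, APP_RULES, "10.0.2.7", "203.0.113.10", "Facebook"))
    print("dead rules:", unreachable_rules(APP_RULES))
```

The unreachable_rules check is the kind of lint worth running over an exported ruleset after step 11: a rule that drifted below BLOCKALL silently stops applying.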
Application Based Provider Selection
You can specify which link is used for an application by creating an application based link selection connection object. In this object, add applications or application categories, and then assign them to a connection object that includes the links that they must use. The Barracuda NG Firewall detects the application as the client connects and routes the traffic through the link that is defined in the application based link selection connection object. If the application is not explicitly defined, the default connection policy is used.
In this article:
Before You Begin
Step 1. Create an Application Link Connection Object
Step 2. Create a Firewall Rule
Before You Begin
Before you create an application based link selection connection object, complete the following:
Enable Application Control 2.0. For more information, see Application Control 2.0.
Create connection objects for every ISP line that you want to route application traffic over. For more information on how to create connection objects, see Connection Objects.
Step 1. Create an Application Link Connection Object
To create an application link connection object:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, click Connections.
3. Click Lock.
4. Right-click the table and select New > Application Based Link Selection.
5. In the Edit Application Based Link Selection Object window, specify the following settings:
   Object Name – Enter a name for the connection object (e.g., AppBasedProviderSelection).
   Default Connection – Select the default connection from the list by clicking the link. Traffic that is not defined in the application based links is routed over this connection.
6. For every application or application category that you want to add:
   a. Click the plus sign (+) to add an application based link entry.
   b. Edit the Name of the new entry.
   c. Select the Connection Object for the ISP to route the detected application traffic over (e.g., Source NAT with DHCP for the first DHCP line).
   d. Double-click the Condition field.
   e. In the Edit Condition window, click the No Application selected tab.
   f. Either add applications from the list by category or double-click the entry. You can also filter the application list by selecting Category, Risk, and Properties.
   g. Click Save.
   h. Click Save.
7. Click Send Changes and Activate.
The application link connection object is now in the Connections list.
Step 2. Create a Firewall Rule
Create a firewall rule to redirect the application traffic. Alternatively, you can also edit an existing matching firewall rule.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Right-click the Main Rules table and select New > Rule to create a new firewall rule.
4. Create a Pass firewall rule with the following settings:
   Source – Select Trusted LAN.
   Service – Select the type of service.
   Destination – Select Internet.
   Application Policy – Select App Control + SSL Interception.
   Connection Method – Select the application link connection object that you created in Step 1 (e.g., AppBasedProviderSelection).
5. Click OK.
6. Click Send Changes and Activate.
All applications are now routed over the provider selected in the application based link selection object. Go to the Firewall > History page to monitor which link is selected for the applications defined in the connection object.
How to Override the Risk Classification of an Application
Every application pattern delivered with the Barracuda NG Firewall's Application Control 2.0 database contains a risk classification. The risk classification extends the category of each application to allow an even more granular classification of single applications. Depending on the common usage and reputation, the risk classification may vary from 1 (low risk) to 4 (high risk).
Let's take the category File Storage and Backup as an example: Cloud storage is more popular than ever and sometimes even an integral part of modern business communication. But depending on the business model of cloud storage services, some of them are highly attractive for illegal and extremely bandwidth-consuming file sharing activities. While Copy and Amazon Web Services enjoy a good reputation, others like DepositFiles or Mega have a poor reputation. Transforming these reputations into risk categories allows you to permit only services with a good reputation.
Barracuda Networks continuously observes web application reputations and keeps you up to date with the latest risk classifications. However, in some cases it may be necessary to manually override the risk classification.
Override the Risk Level of an Application
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left navigation pane, expand Firewall Objects and click Applications.
4. Change the risk level of an application by either right-clicking it and selecting Override this Application or using the icons in the top-right area of the rule set.
5. Select the new risk level for the application and then click OK.
6. Click Send Changes and Activate.
The risk classification of the application in the list is now changed to the new value.
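How a risk override interacts with the dynamic application filters described earlier (How to Create an Application Filter), as an added Python model rather than Barracuda code: the filter stores only its criteria and membership is recomputed from the application database each time it is read, so raising or lowering an application's risk level immediately changes which filters, and therefore which application rules, include it. The sample database, its risk values and the rule that every selected property must be present are constructed assumptions for the demo.

```python
"""Application filter membership recomputed against the application database,
with a manual risk override table layered on top. Added illustration; the
catalog and its risk values are constructed, not Barracuda's classification."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

RISK_LOW, RISK_HIGH = 1, 4   # the page's range: 1 (low risk) to 4 (high risk)


@dataclass(frozen=True)
class Application:
    name: str
    category: str
    risk: int                               # classification shipped with the database
    properties: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ApplicationFilter:
    """Only the criteria are stored; members are computed on every read,
    which is what makes the filter object dynamic."""
    name: str
    categories: FrozenSet[str] = frozenset()   # empty: any category
    max_risk: int = RISK_HIGH
    properties: FrozenSet[str] = frozenset()   # assumption: every listed property is required


# Constructed sample database (names follow the page's File Storage example).
CATALOG = [
    Application("Copy", "File Storage and Backup", 1, frozenset({"interceptable"})),
    Application("Amazon Web Services", "File Storage and Backup", 1, frozenset({"interceptable"})),
    Application("DepositFiles", "File Storage and Backup", 4, frozenset({"interceptable"})),
    Application("Mega", "File Storage and Backup", 4, frozenset()),
    Application("Facebook", "Social Networking", 2, frozenset({"interceptable"})),
]


def override_risk(overrides: Dict[str, int], catalog: List[Application],
                  name: str, level: int) -> Dict[str, int]:
    """Return a new override table with the named application set to level
    (the 'Override this Application' action); rejects unknown apps and levels."""
    if not RISK_LOW <= level <= RISK_HIGH:
        raise ValueError(f"risk level must be {RISK_LOW}..{RISK_HIGH}, got {level}")
    if all(app.name != name for app in catalog):
        raise KeyError(name)
    return {**overrides, name: level}


def effective_risk(app: Application, overrides: Dict[str, int]) -> int:
    """Overridden level if one exists, else the shipped classification."""
    return overrides.get(app.name, app.risk)


def filter_members(flt: ApplicationFilter, catalog: List[Application],
                   overrides: Dict[str, int]) -> List[str]:
    """Applications the filter currently matches, in database order."""
    members = []
    for app in catalog:
        if flt.categories and app.category not in flt.categories:
            continue
        if effective_risk(app, overrides) > flt.max_risk:
            continue
        if not flt.properties <= app.properties:
            continue
        members.append(app.name)
    return members


# A filter object for low-risk, interceptable cloud storage (constructed).
TRUSTED_STORAGE = ApplicationFilter(
    "Trusted-Cloud-Storage",
    categories=frozenset({"File Storage and Backup"}),
    max_risk=2,
    properties=frozenset({"interceptable"}),
)

if __name__ == "__main__":
    print(filter_members(TRUSTED_STORAGE, CATALOG, {}))
    lowered = override_risk({}, CATALOG, "DepositFiles", 2)
    print(filter_members(TRUSTED_STORAGE, CATALOG, lowered))
```

Because membership is dynamic, an override is effectively a change to every application rule that references a filter: review which filters an application belongs to before lowering its risk level.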
Using Application Control 2.0 with HTTP(S) Proxies
You can use Application Control with the internal HTTP Proxy service and external proxies. Depending on what type of proxy is used, Application Control might be limited or require additional configuration.
Feature support by proxy type:
HTTP Proxy Service (Forward Proxy on ports 3128 and 8080) – Application Control 2.0: Yes (only for HTTP); Sub-application Detection: No; SSL Interception: Yes (via HTTP Proxy service); ATD: Yes; Application Based Provider Selection: No
HTTP Proxy Service (Transparent Proxy) – Application Control 2.0: Yes; Sub-application Detection: Yes (with a firewall rule for HTTPS); SSL Interception: Yes (with a firewall rule for HTTPS); ATD: Yes; Application Based Provider Selection: No
External HTTP(S) Proxy – Application Control 2.0: Yes; Sub-application Detection: Yes; SSL Interception: Yes; ATD: Yes; Application Based Provider Selection: -
External HTTP + HTTPS Proxies – Application Control 2.0: Yes; Sub-application Detection: Yes; SSL Interception: Yes; ATD: Yes; Application Based Provider Selection: -
HTTP Proxy Service (Forward Proxy)
When the client is configured to use the HTTP Proxy service for both HTTP and HTTPS, Application Control 2.0 can be used to detect applications for HTTP connections. Clients contact the HTTP Proxy service directly on port 3128 or 8080 for both HTTP and HTTPS connections. SSL Interception is handled in the HTTP Proxy service. Please note that this setup does not work if you are using a load-balanced HA deployment where the Forwarding Firewall service and the HTTP Proxy service are not on the same virtual server.
HTTP Proxy Service (Transparent Proxy)
When the HTTP Proxy service on the Barracuda NG Firewall is configured as a transparent proxy, only HTTP traffic is sent to the HTTP proxy. To pass HTTPS traffic through Application Control and SSL Interception, you must configure an explicit firewall rule. It is not possible to use the built-in SSL Interception of the HTTP proxy in a transparent proxy configuration.
External Proxy
When clients use an external proxy for both HTTP and HTTPS traffic, there are no restrictions.
Application Control 2.0 can inspect all traffic coming from or going to the proxy.
Separate HTTP and HTTPS (SSL) Proxies
No limitations apply when clients are configured to use separate external HTTP and HTTPS proxies. Application Control and SSL Interception can inspect all traffic coming from and going to the HTTP and HTTPS proxies.

How to Configure SSL Interception in the Firewall
Most applications encrypt outgoing connections with SSL or TLS. SSL Interception decrypts SSL-encrypted traffic to allow Application Control features (such as the Virus Scanner, ATD, URL Filter, Safe Search, or File Content Scan) to inspect encrypted content that would otherwise not be visible to the Firewall service. To avoid certificate errors when users use SSL-encrypted connections, you must install the SSL Interception root certificate on all client computers.
If you are using CRL checks, the CRL/OCSP check is done once per 24h period to reduce the load on the CRL/OCSP server. If an error occurs during the CRL check, it is repeated after 10 minutes.
Applications with the application object property not interceptable cannot be intercepted and are automatically excluded from SSL Interception. Open the application object on the Forwarding Rules > Applications page to check whether an application is interceptable.
You can configure SSL Interception to use a cipher string of your choice.
Enable SSL Interception
Configure Advanced SSL Interception Settings
Certificate Management
Certificate Management with Intermediate Certificate Authorities
SSL Interception for VPN Traffic
SSL Interception on Bridged Interfaces
Enable SSL Interception
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
2. Click Lock.
3. Select the Enable SSL Interception checkbox.
4. In the Root Certificate section, either select Use self signed certificate or add your certificate by clicking the plus sign (+). The root certificate is used to intercept, proxy, and inspect the HTTP/S session. The Barracuda NG Firewall can then intercept the HTTP/S connections by presenting the client with a CA that was derived from this root CA. When changing the root certificate, the firewall service must be restarted.
5. In the Trusted Root Certificates table, you can extend the default set of trusted root certificates by clicking the plus sign (+). To view the Barracuda NG Firewall's certificate store, click the Show CA Certificates link.
6. Select the Enable CRL Checks checkbox to automatically check for revoked CA certificates.
7. In the Exception Handling section, add domains that should be excluded from SSL Interception. SSL-encrypted traffic to and from these domains is not decrypted, although SSL Interception is globally enabled. Domains automatically include all subdomains. For example, google.com also includes mail.google.com.
8. In the Block Settings section, enter a browser message that should be displayed when traffic is blocked.
9. Click Send Changes and Activate.
SSL Interception can now be enabled on a per-access-rule or per-application-rule basis.
Configure Advanced SSL Interception Settings
For SSL Interception, you can also configure advanced settings such as the number of working instances that are involved in the SSL decryption process, log verbosity, CRL checks, or the cipher string used.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
2. Click the Advanced link in the upper right of the Security Policy page. The SSL Interception Advanced window opens.
3. Change the advanced SSL Interception settings according to your requirements:
   Number of Workers – The number of working instances to be involved in the SSL decryption and encryption process. Default: auto
   Maximum Workers – The maximum number of working instances that decrypt and encrypt SSL connections. When all workers are in use, SSL connections are refused. Default: auto
   Worker Idle Timeout – The timeout for the working instances involved in the SSL decryption and encryption process. Default: 0
   Log Verbosity – You can select one of the following log granularity options: Normal, Verbose, or Debug.
   Ignore Validation Status – Since the clients cannot check the revocation status for server certificates of intercepted SSL connections, you can configure the default validation policy for all intercepted SSL connections for which CRL/OCSP checks could not be performed. Default: Yes
      Yes – The NG Firewall creates a valid certificate for the client as long as the content of the server certificate is validated.
      No – The NG Firewall creates an invalid certificate to let the client know that CRL/OCSP checks could not be performed.
   SSL version handling
      Allow (obsolete) SSLv2 – Enable if you must support clients that are SSLv2 only.
      Allow (obsolete) SSLv3 – Enable if you must support clients that are SSLv3 only.
   OpenSSL cipher string – You can set a custom cipher string. By default, the Barracuda NG Firewall uses the DEFAULT cipher string of the OpenSSL version used in the firmware.
4. Click OK.
5. Click Send Changes and Activate.
Certificate Management
The SSL Interception process breaks the certificate trust chain. To reestablish the trust chain, you must install the security certificate (root certificate) and, if applicable, intermediate certificates that are used by the SSL Interception engine. Install this certificate on every client in your network.
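Two of the SSL Interception settings above carry an edge case that is easier to see in code: the Exception Handling list (a domain covers all its subdomains, so the match has to respect label boundaries or a look-alike name such as notgoogle.com would also be exempted from inspection) and Ignore Validation Status (whether an intercepted connection whose CRL/OCSP check could not be performed is presented to the client as valid or invalid, together with the 24h check period and 10-minute retry from the introduction). The following is an added illustration, not Barracuda code; the exception list and hostnames are constructed, and the handling of a revoked or content-invalid server certificate is an assumption noted in the code.

```python
"""Exception-domain matching and the client-facing certificate decision for
intercepted connections. Added illustration, not Barracuda code."""
from dataclasses import dataclass
from typing import Iterable, Optional

CRL_CHECK_PERIOD_S = 24 * 60 * 60   # one CRL/OCSP check per 24h period
CRL_RETRY_S = 10 * 60               # an errored check is repeated after 10 minutes

# Constructed exception list; the page's own example is google.com.
EXCEPTIONS = ["google.com", "Intranet.Example."]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix so matching is stable."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:            # host:port (a bare IPv6 literal has more colons)
        host = host.rsplit(":", 1)[0]
    return host


def is_excepted(host: str, exceptions: Iterable[str]) -> bool:
    """True when host equals an exception domain or lies below it.

    Matching is on label boundaries: mail.google.com matches google.com,
    while notgoogle.com and google.com.evil.test do not."""
    h = normalize_host(host)
    for domain in exceptions:
        d = normalize_host(domain)
        if h == d or h.endswith("." + d):
            return True
    return False


@dataclass(frozen=True)
class Decision:
    intercept: bool
    client_cert_valid: Optional[bool]   # None when the connection is not intercepted
    next_check_in_s: int                # when the CRL/OCSP status is re-evaluated
    reason: str


def interception_decision(host: str, content_valid: bool, crl_status: str,
                          ignore_validation_status: bool = True,
                          interceptable: bool = True,
                          exceptions: Iterable[str] = EXCEPTIONS) -> Decision:
    """crl_status is 'good', 'revoked' or 'unavailable' (check could not be performed)."""
    if not interceptable:
        return Decision(False, None, 0, "application object property: not interceptable")
    if is_excepted(host, exceptions):
        return Decision(False, None, 0, "exception domain: traffic stays encrypted")
    if not content_valid:
        # Assumption: a server certificate that fails content validation never
        # yields a valid client-facing certificate, whatever the CRL says.
        return Decision(True, False, CRL_CHECK_PERIOD_S, "server certificate content invalid")
    if crl_status == "good":
        return Decision(True, True, CRL_CHECK_PERIOD_S, "CRL/OCSP good, cached for 24h")
    if crl_status == "revoked":
        # Assumption: a revoked result is cached like a successful check.
        return Decision(True, False, CRL_CHECK_PERIOD_S, "server certificate revoked")
    # CRL/OCSP check could not be performed: Ignore Validation Status decides.
    if ignore_validation_status:
        return Decision(True, True, CRL_RETRY_S, "CRL unavailable, ignored (fail open); retry in 10 min")
    return Decision(True, False, CRL_RETRY_S, "CRL unavailable, client warned (fail closed); retry in 10 min")


if __name__ == "__main__":
    for name in ("mail.google.com", "notgoogle.com", "google.com.evil.test"):
        print(name, "excepted" if is_excepted(name, EXCEPTIONS) else "intercepted")
    print(interception_decision("www.example.test", True, "unavailable", ignore_validation_status=False))
```

The default Yes for Ignore Validation Status is the fail-open choice: when the CRL/OCSP server is unreachable the client still sees a valid certificate. Setting it to No is stricter but turns every CRL outage into browser errors for users, so pair that choice with the default route requirement noted under SSL Interception on Bridged Interfaces.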
To prevent browser warnings and allow transparent SSL interception, install the security certificate into the operating system's or web browser's certificate store.
1. On the Security Policy page, click the edit icon next to (Self Signed) Certificate and click Export to file.
2. Enter a name, select *.cer as the file type, and click Save.
3. Deploy this certificate to the computers in your network. Either create a group policy object or install the certificate manually (MS Certificate Import wizard). Ensure that you deploy the certificate into the MS Windows Trusted Root Certification Authorities certificate store. Mozilla Firefox does not automatically use trusted CA certificates installed in the MS Windows certificate store.
Certificate Management with Intermediate Certificate Authorities
Intermediate CAs are not directly delivered from the Barracuda NG Firewall to the client. They must be deployed manually from the Microsoft Active Directory PKI.
1. Use Microsoft Internet Explorer and connect to your MS Active Directory Certificate Services server. For example, https://127.0.0.1/certsrv
2. Click Request a Certificate and select advanced certificate request.
3. Click Create and submit a request to this CA and answer all questions with Yes.
4. Select Subordinate Certification Authority from the Certificate Template list.
5. Fill out the form below.
6. Select your key size in the Key Options section and select the Mark keys as exportable checkbox.
7. Click Submit and answer all questions with Yes.
8. Click Install this certificate.
After the certificate is installed successfully, start the MS Active Directory's management console.
1. Open the Certificates - Current User snap-in.
2. Right-click the Intermediate Certification Authorities\Certificates section and select your certificate.
3. Select All Tasks > Export in the upcoming window.
4. Click Next to proceed.
5. In the Export Private Key window, select Yes, export the private key and proceed.
6. Enter a password and click Next.
7. Select the export destination folder and enter a file name.
8. Click Finish.
9. After the certificate has been exported, rename the file extension from *.pfx to *.p12.
10. Use openssl to extract the private key from your *.p12 file. Enter the following command:
    openssl.exe pkcs12 -in <filename>.p12 -nocerts -nodes -out privateKey.pem
11. Enter the password entered in step 6.
12. Use openssl to convert the key file to RSA. Enter the following command:
    openssl.exe rsa -in privateKey.pem -out yourPrivateKey.pem
13. You can now import the certificate (*.p12) and private key (*.pem) pair to be used for SSL Interception.
14. Install the certificate (*.p12) and the root CA from which the certificate was derived.
SSL Interception for VPN Traffic
To use SSL Interception for traffic going through a VPN tunnel, you must create a VPN interface and assign an IP address that is covered by the source route of the VPN tunnel.
SSL Interception on Bridged Interfaces
SSL Interception can only be used on routed Layer 2 and Layer 3 bridges. Additionally, a default route is needed to carry out CRL checks. For more information, see Bridging.

How to Configure Virus Scanning in the Firewall
The Barracuda NG Firewall scans incoming traffic for malware on a per-access-rule basis when AV scanning in the firewall is enabled. If a user downloads a file containing malware, the Barracuda NG Firewall detects and discards the infected file and redirects the user to a warning page. You can combine virus scanning with SSL Interception to also scan SSL-encrypted connections.
In this article:
Before You Begin
Step 1. Enable the Virus Scanner Service
Step 2. Configure an AV Engine
Step 3. Enable SSL Interception and AV Scanning in the Firewall
Step 4. Enable the AV Scanner in the Firewall Rules
Monitoring and Testing
Next Steps
Before You Begin
Enable Application Control 2.0. For more information, see How to Enable Application Control 2.0.
Create a Virus Scanner service. For more information, see Virus Scanner.
Step 1. Enable the Virus Scanner Service
Ensure that the Virus Scanner service is enabled.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner > Service Properties.
2. Click Lock.
3. From the Enable Service list, select yes.
4. Click Send Changes and Activate.
Step 2. Configure an AV Engine
Select and configure a Virus Scanner engine. You can use Avira and ClamAV either separately or together. The Barracuda NG Firewall F100 and F101 can only use the Avira virus scanning engine. Using both AV engines significantly increases CPU utilization and load.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus-Scanner > Virus Scanner Settings.
2. Click Lock.
3. Enable the virus scanner engines of your choice:
   Enable the Avira AV engine by selecting Yes from the Enable Avira Engine list.
   Enable the ClamAV engine by selecting Yes from the Enable ClamAV list.
4. Click Send Changes and Activate.
Step 3. Enable SSL Interception and AV Scanning in the Firewall
If you want to scan files that are transmitted over an SSL-encrypted connection, enable SSL Interception and virus scanning in the firewall.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
2. Click Lock.
3. Select the Enable SSL Interception check box.
4. Upload your root CA certificate or create a self-signed Root Certificate.
5. (Optional) Click the plus sign (+) in the Trusted Root Certificates section to add additional root certificates.
6. In the Virus Scanner Configuration section, select the Enable Virus Scanning in the firewall check box.
7. In the Scanned MIME types list, add the MIME types of the files that you want the AV scanner to scan. The default <factory-default-mime-types> includes the most important MIME file types. The factory default MIME types are:
   application/msword
   application/msonenote
   application/vnd.openxmlformats-officedocument.wordprocessingml.document
   application/vnd.openxmlformats-officedocument.wordprocessingml.template
   application/vnd.ms-word.document.macroEnabled.12
   application/vnd.ms-word.template.macroEnabled.12
   application/vnd.ms-excel
   application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
   application/vnd.openxmlformats-officedocument.spreadsheetml.template
   application/vnd.ms-excel.sheet.macroEnabled.12
   application/vnd.ms-excel.template.macroEnabled.12
   application/vnd.ms-excel.addin.macroEnabled.12
   application/vnd.ms-excel.sheet.binary.macroEnabled.12
   application/vnd.ms-powerpoint
   application/vnd.openxmlformats-officedocument.presentationml.presentation
   application/vnd.openxmlformats-officedocument.presentationml.template
   application/vnd.openxmlformats-officedocument.presentationml.slideshow
   application/vnd.ms-powerpoint.addin.macroEnabled.12
   application/vnd.ms-powerpoint.presentation.macroEnabled.12
   application/vnd.ms-powerpoint.slideshow.macroEnabled.12
   application/pdf
   application/x-pdf
   application/vnd.pdf
   application/vnd.android.package-archive
8. (Optional) Change the Action if Virus Scanner is unavailable.
9. (Optional) Click Advanced:
   Large File Policy – The large file policy is set to a sensible value for your appliance. The maximum value is 4096 MB.
   Data Trickling Settings – Change how fast and how much data is transmitted. Change these settings if your browser times out while waiting for the file to be scanned.
10. Click Send Changes and Activate.
Step 4. Enable the AV Scanner in the Firewall Rules
You can enable AV scanning for every Pass firewall rule.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Open the settings for the firewall rule that you want to enable AV scanning for.
4. Click the Application Policy link.
5. Select the Application Control and AV Scan check boxes.
6. If you want to scan SSL-encrypted traffic, select the SSL Interception check box.
7. Click OK.
8. Click Send Changes and Activate.
Monitoring and Testing
Test the AV scan setup by downloading EICAR test files from http://www.eicar.com. The block page is customizable. For more information, see How to Configure Custom Block Pages. To monitor detected viruses and malware, go to the FIREWALL > Threat Scan page.
Next Steps
To combine ATD with virus scanning, see Advanced Threat Detection (ATD).

How to Configure ATD in the Firewall
Configure when and which types of files are uploaded to the Barracuda ATD Cloud. The size of uploaded files is limited by the Large File Watermark of the virus scanner and the 8 MB upload limit for the ATD cloud, whichever is the smaller value. You can also configure whether users receive files immediately or have to wait until the file analysis is completed to continue with the download. Users who downloaded files with a risk factor higher than the defined risk threshold are placed in quarantine. Create access rules to define what is blocked for the infected users and/or IP addresses. Malware and Advanced Threat Detection subscriptions are required.
In this article:
Before You Begin
Step 1. Configure ATD Scan Policy and Risk Threshold
Step 2. Enable ATD in the Firewall and Configure Automatic Quarantine Policy
Step 3. Create two Quarantining Access Rules
Quarantine Management
Manually Placing a User and/or IP Address in Quarantine
Removing a User and/or IP Address from Quarantine
Download a Scan Report
Before You Begin
You must have a Malware and an Advanced Threat Detection license subscription. For more information, see Licensing.
Verify that you have configured a System Notification Email address. For more information, see How to Configure the System Email Notification Address.
Verify that you have enabled virus scanning in the firewall. For more information, see How to Configure Virus Scanning in the Firewall.
If you are not using the default MIME types in the virus scanner configuration, verify that all file types you want to scan with ATD are also listed in the scanned MIME types of the virus scanner. For more information, see How to Configure Virus Scanning in the Firewall.
Verify that the file types you want to scan are not whitelisted in the Virus Scanning configuration. For more information, see How to Configure Virus Scanning in the Firewall.
Verify that the Feature Level of the forwarding firewall ruleset is set to Release 6.0 or higher (Forwarding Firewall > Forwarding Rules > Settings > Setup).
Step 1. Configure ATD Scan Policy and Risk Threshold
Configure the ATD scan policy to determine whether the user has to wait for scanning to complete before the file is forwarded.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Virus Scanner > Virus Scanner Settings.
2. Click Lock.
3. In the left menu, click ATD.
4. In the ATD Scan Policy section, select the Global Policy:
   Deliver First, then Scan – The user receives the file immediately. If malware is found, the quarantine policy applies.
   Scan First, then Deliver – The user is redirected to a scanning page. If no malware is found during the scan, the download starts.
5. If needed, set the individual scan policies for each file type:
   Apply Global Policy (default)
   Do Not Scan – This file type is not scanned and is immediately forwarded to the user.
   Deliver First, then Scan – The user receives the file immediately. If malware is found, the quarantine policy applies.
   Scan First, then Deliver – The user is redirected to a scanning page. After the scan is complete, the download starts.
6. In the ATD Threats section, select the Block Threats policy:
   High Only – Files classified as high risk are blocked.
   High and Medium (Default) – Files classified as high or medium risk are blocked.
   High, Medium and Low – Files classified as high, medium, or low risk are blocked. Only files with classification None are allowed.
7. Set Send Notification Emails to:
   No – No notification emails are sent when malware is found.
   To System Notification Email (Default) – A notification email is sent to the system notification email address. For more information, see How to Configure the System Email Notification Address.
   To Explicit Address – Enter the Explicit Email Address and Explicit SMTP Server the Barracuda NG Firewall will use to send the notification emails.
8. (Optional) Set the ATD Data Retention (in days). These values determine how long files are kept on the system before they are deleted.
9. Click Send Changes and Activate.
Step 2. Enable ATD in the Firewall and Configure Automatic Quarantine Policy
You must first enable ATD in the security policy of the forwarding firewall.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
2. Click Lock.
3. In the Advanced Threat Detection section, click Enable ATD in the firewall.
4. Select the Automatic Blacklist Policy:
   No auto quarantining – No connections are blocked.
   - User only – All connections by the infected user are blocked regardless of the source IP address.
   - User@IP (AND) – All connections originating from the infected source IP address and the infected user are blocked.
   - User, IP (OR) – All connections coming from the infected source IP address and/or the infected user are blocked.
5. Click Send Changes and Activate.

Step 3. Create two Quarantining Access Rules

To block users and/or IP addresses, you must create access rules using the ATD User Quarantine network object. Place the Deny or Block rules before any other access rules handling traffic for these IP addresses and/or users. Enable Transparent Redirect on Port 80 to redirect HTTP traffic from quarantined users or IP addresses to the custom quarantine block page. You must allow DNS queries from quarantined users to display the HTTP block page. Non-HTTP traffic is simply blocked or denied.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Create a new access rule to allow DNS queries:
   - Action – Select PASS.
   - Source – Select the ATD User Quarantine network object.
   - Destination – Enter the IP addresses of your DNS servers.
   - Service – Select DNS.
   - Connection Method – Select a connection object that allows you to connect to the DNS server.
4. Click OK.
5. Place the access rule so that no rule before it matches the same traffic.
6. Create a new access rule:
   - Action – Select Deny or Block.
   - Source – Select the ATD User Quarantine network object.
   - Destination – Select the Any (0.0.0.0/0) network object.
   - Service – Select Any.
7. In the left menu, click Advanced.
8. In the Miscellaneous section, set Block Page for TCP 80 to Quarantine Page.
9. Click OK.
10. Place the access rule directly below the rule allowing DNS queries from the quarantine, so that no rule before it matches the same traffic.
11. Click Send Changes and Activate.

Quarantined users, or users connecting via HTTP from quarantined IP addresses, are automatically redirected to the customizable quarantine page. For more information, see How to Configure Custom Block Pages.

Step 4. Edit Access Rules to Use ATD

Enable ATD by editing the access rules handling the traffic you want to be scanned, e.g., LAN-2-INTERNET.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Edit the access rule handling the traffic you want analyzed by ATD.
4. Click the link below Application Policy.
5. Enable AV Scan.
6. Enable ATD.
7. If you want to scan files transmitted over SSL encrypted connections, enable SSL Interception.
8. Click Send Changes and Activate.

All traffic handled by access rules with ATD enabled is now scanned by the ATD service.

Quarantine Management

Manually Placing a User and/or IP Address in Quarantine

If you are not using the automatic quarantine policy, the administrator can also place a user in quarantine manually.

1. Go to FIREWALL > ATD.
2. Click the Scanned Files tab.
3. Double click the malicious file. The ATD File Details window opens.
4. In the File Download section, select the user in the list.
5. Click Quarantine. The Select Quarantine Policy window opens.
6. Select the Quarantine Policy:
   - Block only Users – Place the user in quarantine, but not the source IP address.
   - Block only IP Addresses – Place the IP address in quarantine, but not the user.
   - Block User @ IP (logic AND) – Place user@IP address in quarantine. Both user and IP address have to match.
   - Block User, IP (logic OR) – Place the user and IP address in quarantine. Either user or IP address has to match.
7. Click OK.

The user and/or IP address are now in the quarantine network object (click the Quarantine tab to verify). Create an access rule using the ATD User Quarantine network object to block connections to and from the infected users and/or IP addresses.

Removing a User and/or IP Address from Quarantine

1. Go to FIREWALL > ATD.
2. Click the Quarantine tab.
3. Right click the user or IP address you want to remove from quarantine.
4. Click Remove from Quarantine.

The user and/or IP address is removed from the quarantine network object.

Download a Scan Report

You can download a short or long version of the scan report.

1. Go to FIREWALL > ATD.
2. Double click the scanned file.
3. Click Download Report and select the report type:
   - Summary Report
   - Full Report

URL Filtering in the Firewall

The Barracuda NG Firewall offers real-time URL filtering for web traffic. To use URL Filtering in the Firewall service, an Energize Updates subscription is required. The Barracuda Web Filter supports both Firewall and HTTP Proxy services. The Barracuda NG Web Filter is limited to the HTTP Proxy service.

In this article

URL Filter Firewall Objects
URL Filtering in the Firewall
URL Filter Override in the Firewall

URL Filter Firewall Objects

You can create two types of URL Filter firewall objects:

- URL Filter Policy Objects – URL Filter Policy objects allow you to assign a policy for every URL category, with the option of including custom URL block and allow lists.
- URL Filter Match Objects – URL Filter Match objects are handled as an additional application rule matching criterion. The application rule only matches if the detected website belongs to one of the URL categories included in the URL Filter Match object.

For more information, see How to Create an URL Filter Policy Object and How to Create an URL Filter Match Object.
URL Filtering in the Firewall

URL Filtering in the Firewall is handled as part of the application rule. Use URL Filter Policy objects for the URL categorization to take place after the application rule matches. URL Filter Match objects are evaluated as a matching criterion of the application rule. This means that if the website is not part of the URL categories listed in the object, the application rule does not match. For more information, see How to Configure URL Filtering in the Firewall.

URL Filter Override in the Firewall

If the action for the detected URL category is set to override in the URL Filter Policy object, the user can request permission for a URL category override. A URL Filter override admin must grant the request and set the duration of the override. Override requests are granted per URL category. For more information, see How to Configure URL Filter Overrides.

How to Create an URL Filter Policy Object

A URL Filter Policy object determines how a website that matches one of the URL categories is handled by the Barracuda NG Firewall. To override Barracuda's URL database, you must define custom URL black- and whitelists. The following actions are available for each URL category:

- Allow – The user can access the website.
- Block – The user is blocked from viewing the website and is redirected to the customizable URL Filter block page. For more information, see How to Configure Custom Block Pages.
- Warn and Continue – The user can visit the webpage after clicking Continue on the customizable URL Filter warning page. This action is logged to Box/Firewall/acknowledged. For more information, see How to Configure Custom Block Pages.
- Alert – Visiting a website in this category is silently logged. Go to FIREWALL > Monitor and filter for Allowed, Warn & Alert or Warn & Alert to see the logged alerts.
- Override – Allows the user to request temporary access from an admin. Upon receiving the request, the override admin must log in to the override admin interface to grant access for a specific amount of time to this otherwise blocked URL category. The admin can only grant overrides for the URL category, not for specific websites.

Before You Begin

Before you create URL Filter Policy objects, verify that you have enabled the URL Filter. For instructions on how to activate the URL Filter, see How to Enable Application Control 2.0.

Create a URL Filter Policy Object

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, click URL Filter.
4. Create the URL Filter Policy object by either right-clicking the table and selecting New > URL Filter Policy object or by using the icons in the top-right area of the ruleset.
5. Click Advanced. The URL Cat Policy Object - Advanced Settings window opens.
6. Select the Action if online URL database is unavailable.
7. Enter the timeout for Warn and Continue Override valid for [min]. Default: 10 min.
8. Click OK.
9. Click on Default Action and select Block, Allow or Alert from the dropdown.
10. Select Block, Allow, Warn and Continue, Alert or Override in the Action column for each URL category.
11. (optional) To whitelist or blacklist specific domains, select Custom URLs.
    a. For each blacklisted domain, click + to add a domain to the Block List.
    b. For each whitelisted domain, click + to select the action and to enter the domain name in the Allow List.
12. Click Save.
13. Click Send Changes and Activate.

You can now apply the URL Filter policy object to selected Application Rules. For more information, see How to Create an Application Rule.

How to Create an URL Filter Match Object

A URL Filter Match object acts as an application rule matching criterion. Application rules containing this type of object are only processed if the URL categories defined in the object are detected. If none of the defined URL categories match the traffic, the rule is not processed. Use this object type in your application rules to detect specific web content for additional processing, such as Quality of Service assignment.

Before You Begin

Before you create URL Filter Match objects, verify that you have enabled the URL Filter. For instructions on how to activate the URL Filter, see How to Enable Application Control 2.0. Otherwise, the URL Filter Match objects page is grayed out and you will not be able to create URL Filter Match objects.

Create an URL Filter Match Object

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. In the left menu, expand Firewall Objects and click URL Filter.
4. Create the URL Filter Match object by either right-clicking the table and selecting New > URL Filter Match Object or using the icons in the top-right area of the ruleset.
5. Either search or filter for the URL categories that you want to include in the object.
6. Add a URL category by either dragging it to the Matching URL Categories section or clicking the plus sign (+) next to its name.
7. Click Save.
8. Click Send Changes and Activate.

The following figure displays the process for creating a URL Filter Match object.

How to Configure URL Filtering in the Firewall

To enforce web filtering policies, you can add URL Filter objects to the application rules as an additional matching criterion.
When the application rule matches, the website URL is compared with the on-device cache or the online Barracuda URL category database. Once classified, the policy set for this URL category is executed. A valid Energize Updates subscription is required for URL Filtering in the Firewall service.

In this article

Before you Begin
Step 1. Enable URL Categorization
Step 2. Enable URL Filter for the Access Rule Handling Web Traffic
Step 3. Create Application Rule using URL Filter Objects
Monitoring URL Filtering in the Firewall
Firewall Live View
Firewall Monitor

Before you Begin

- Create URL Filter Policy Objects and URL Filter Match Objects as needed. For more information, see How to Create an URL Filter Policy Object and How to Create an URL Filter Match Object.
- A URL Filter service is required.

Step 1. Enable URL Categorization

You must enable the URL categorization engine to be able to process URL categorization requests.

1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration.
2. Click Lock.
3. From the Configuration menu in the left pane, click Application Detection.
4. Set Working Mode to on.
5. Click Send Changes and Activate.

The Barracuda URL Filter is now enabled and can handle URL categorization requests.

Step 2. Enable URL Filter for the Access Rule Handling Web Traffic

Enable Application Control 2.0, SSL Interception (optional), and URL Filter for the access rule matching web traffic.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Double-click to edit the access rule matching outgoing web traffic generated by your users.
3. Verify that the access rule matches on both HTTP and HTTPS Internet traffic.
4. Click on the Application Policy link and enable the following Application Control 2.0 features:
   - Application Control
   - SSL Interception (optional)
   - URL Filter
5. Click OK.
6. Click Send Changes and Activate.

Step 3. Create Application Rule using URL Filter Objects

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. In the left menu, click Application Rules.
3. Click Lock.
4. Create a PASS application rule. For more information, see How to Create an Application Rule.
   - Source – Select the same source used in the matching access rule.
   - Application – Select Any to use only the web filtering. Otherwise, select an application object from the dropdown to combine application control and URL filtering.
   - Destination – Select the same destination used in the matching access rule.
5. Set at least one URL Filter object for the application rule:
   - Select a URL Filter Policy Object from the URL Filter Policy dropdown.
   - Select a URL Filter Match Object from the URL Filter Matching dropdown.
6. Click OK.
7. Click Send Changes and Activate.

Monitoring URL Filtering in the Firewall

You can either check individual connections to see which policies are applied in the FIREWALL > Live View or see a summary of all application traffic in the FIREWALL > Firewall Monitor.

Firewall Live View

Go to FIREWALL > Live View and add the URL Category column to see the matching access and application rule, and the detected URL Filter category.

Firewall Monitor

Go to FIREWALL > Monitor to receive a summary of all application and web traffic that matches Application Control 2.0-enabled access rules. Click on the links in the individual elements to apply filters to the monitor. Click the filter icon in the taskbar to see only specific URL Filter policies.

How to Configure URL Filter Overrides

You can use the Override feature of the URL Filter to grant temporary access to otherwise blocked URL categories. URL categories that are set to the override policy redirect the user to the customizable Override Block page of the URL Filter. The user can then select the override admin and request an override. The override admin must log into the override admin interface and grant the request for a specified time. When the request has been granted, the user is automatically forwarded to the website. Overrides are always granted for the entire URL category.

In this article

Video
Before you Begin
Step 1. Create the SSL Certificate and Admin Users for the Override Admin Interface
Step 3. Create App Redirect Access Rule for Override Admin Portal
Granting URL Filter Override Requests
Logging for URL Filter Overrides

Video

To see URL Filter override requests in action, watch the following video:

Videos are not visible in the PDF export.

Before you Begin

- Create or edit existing URL Policy objects in order to use the override policy for the URL categories of your choice.
- Configure web filtering in the Firewall. For more information, see How to Configure URL Filtering in the Firewall.

Step 1. Create the SSL Certificate and Admin Users for the Override Admin Interface

Create or upload an SSL certificate for the Override interface. This certificate is also used for the ticketing system.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Settings.
2. In the left menu, select Authentication.
3. Click Lock.
4. Import or create the Default HTTPS Private Key and Default HTTPS Certificate. This SSL certificate is also used by inline and offline firewall authentication.
   If inline authentication is used, the Name of the certificate must be the IP address or an FQDN resolving to the IP address of the Barracuda NG Firewall. This value is used to redirect the client to the authentication daemon.
5. Click Edit to add URL Filter Override Users. The URL Filter Override Users window opens.
6. Click + to add a User specific data entry.
7. Enter the Name. This is the username used to log into the override admin interface.
8. Enter the Password.
9. Enter the Full Name. The user can select this name from the dropdown on the Override Block page when requesting an override from a specific admin.
10. Enter the User email. The email address is currently not used.
11. Click Send Changes and Activate.

Step 3. Create App Redirect Access Rule for Override Admin Portal

Add an access rule to redirect the admin user to the web filter override admin page. This rule will also allow access to the guest user ticketing system.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Create an App Redirect access rule:
   - Action – Select App Redirect.
   - Source – Select the source network allowed to access the web filter override portal.
   - Service – Select HTTPS.
   - Destination – Enter the IP address the override admin interface is accessed through. You can use any free IP address (e.g., 1.2.3.4) or an IP address on the Barracuda NG Firewall that does not have a listener on port 443.
   - Redirection – Enter 127.0.0.1
4. Click OK.
5. Place the access rule so that it is the first rule to match for HTTPS traffic to the chosen admin override IP address.
6. Click Send Changes and Activate.

The admin ticketing interface is now reachable via https://1.2.3.4/cgi-bin/override-admin (if you used 1.2.3.4 as the destination IP address in the access rule).
Granting URL Filter Override Requests

JavaScript must be enabled in the client browser for the override request to be sent. When attempting to access a website that is in an override URL category, the URL Filter override page is displayed. You can optionally choose which override admin the request is sent to and then click Request Access. When the request has been granted by the override admin, click Request Access again to continue to the previously blocked website. If the admin denies the override request, the URL category is blocked for the set duration. For more information, see How to Grant URL Category Overrides - User Guide.

Logging for URL Filter Overrides

URL Filter overrides are logged to /Box/Firewall/Acknowledged.

How to Grant URL Category Overrides - User Guide

If you are a URL Filter Override admin, you can grant users access to URL categories that are normally blocked by the URL Filter. Follow the steps below to grant a user access to a URL category for a specific length of time.

In this article

Before You Begin
Grant URL Category Override

Before You Begin

Get the following information from the Barracuda NG Firewall administrator:

- The IP address of the ticketing web interface (e.g., 1.2.3.4)
- The username and password for your admin user.

Your browser must allow JavaScript on the override block and admin pages.

Grant URL Category Override

1. In a browser, go to: http://IP address for the override web interface/cgi-bin/override-admin
2. Enter your Username and Password.
3. Click Login.
4. Set the number of minutes the override will remain valid for and click the green button to allow the request, or click the red X button to deny it.

If the request was allowed, the user is now permitted to access websites in this URL category for the timespan you set. If you denied the request, this URL category is blocked for the set timespan.

How to Enforce Safe Search in the Firewall

You can protect users behind a Barracuda NG Firewall from undesired content in search results by enabling Safe Search for the access rule handling web traffic. No configuration is required on the clients. The necessary parameters are automatically appended to the URL when the request is forwarded by the Barracuda NG Firewall. Safe Search is supported for the Google, Bing, Yahoo and YouTube search engines.

Limitations

- Safe Search relies on the supported search engines to honor and filter the search results. The Barracuda NG Firewall can enable this feature, but the execution is left up to the search engine.
- Safe Search is not enforced for mobile search apps.
- Safe Search is always set to strict.

In this article

Before You Begin
Create an Access Rule to Enforce Safe Search
Disabling SafeSearch for YouTube

Before You Begin

- The Feature Level of the Forwarding Firewall must be 6.1 or higher.
- Enable Application Control 2.0. For more information, see How to Enable Application Control 2.0.
- Enable SSL Interception. For more information, see How to Configure SSL Interception in the Firewall.

Create an Access Rule to Enforce Safe Search

You can enforce the usage of Safe Search for all web traffic matching an access rule by enabling the Safe Search setting in the Application Control 2.0 settings of the access rule.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) at the top right of the ruleset, or right-click the ruleset and select New > Rule.
4. Select Pass as the action.
5. Enter a name for the rule. For example, SafeSearch-LAN-2-INTERNET
6. Specify the following settings to match your web traffic:
   - Source – The source addresses of the traffic.
   - Destination – Select Internet.
   - Service – Select HTTP+S.
   - Connection Method – Select Dynamic SNAT.
7. Click on the Application Policy link and select:
   - Application Control – required.
   - SSL Interception – required for search providers that are available exclusively via HTTPS.
   - URL Filter – optional.
   - Safe Search – required.
8. (optional) Set additional matching criteria:
   - Authenticated User – For more information, see User Objects.
   - Schedule Object – For more information, see Schedule Objects.
9. Click OK.
10. Click Send Changes and Activate.

Every search query handled by this access rule now automatically enables the Safe Search feature of the search engine provider.

Disabling SafeSearch for YouTube

In addition to removing the policy from the matching access rules, it is also necessary to clear the browser cache to remove the YouTube safe search cookie.

How to Enforce YouTube for Schools in the Firewall

The Barracuda NG Firewall can transparently add YouTube for Schools restrictions to all connections that the Barracuda NG Firewall forwards to YouTube, without the need to configure the clients. Enable YouTube for Schools for access rules matching HTTP and HTTPS traffic connecting to YouTube.

Limitations

- YouTube for Schools relies on YouTube to honor and filter the search results. The Barracuda NG Firewall can enable this feature, but the execution is left up to YouTube.
- YouTube for Schools is not enforced for mobile YouTube apps.

In this article

Before You Begin
Step 1. Enter the YouTube For Schools Token
Step 2. Create an Access Rule to Enforce YouTube for Schools

Before You Begin

- Create a YouTube for Schools account. For more information, see Signing up and Getting started with YouTube for Schools.
- The Feature Level of the Forwarding Firewall must be 6.1 or higher.

Step 1. Enter the YouTube For Schools Token

The YouTube for Schools token is a unique ID identifying your YouTube for Schools account.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
2. Click Lock.
3. In the Safe Browsing Configuration section, enter the YouTube for Schools Token.
4. Click Send Changes and Activate.

Step 2. Create an Access Rule to Enforce YouTube for Schools

You can enforce the usage of YouTube for Schools for all web traffic that matches an access rule by enabling YouTube for Schools in the Application Control 2.0 settings of the access rule.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Either click the plus icon (+) at the top right of the ruleset, or right-click the ruleset and select New > Rule.
4. Select Pass as the action.
5. Enter a Name for the rule. For example, YTFS-LAN-2-INTERNET
6. Specify the following settings to match your web traffic:
   - Source – The source addresses of the traffic.
   - Destination – Select Internet.
   - Service – Select HTTP+S.
   - Connection Method – Select Dynamic SNAT.
7. Click on the Application Policy link and select:
   - Application Control – required.
   - SSL Interception – required for search providers that are available exclusively via HTTPS.
   - YouTube for Schools – required.
8. (optional) Set additional matching criteria:
   - Authenticated User – For more information, see User Objects.
   - Schedule Object – For more information, see Schedule Objects.
9. Place the access rule via drag and drop in the ruleset, so that no access rule above it matches this traffic.
10. Click OK.
11. Click Send Changes and Activate.

Only YouTube videos that have been added to your YouTube for Schools channel can now be accessed via this access rule.
How to Configure Custom Block Pages

The Barracuda NG Firewall uses generic, unbranded block pages by default. You can change the HTML source of these pages to adjust the content and style to fit your needs. Each page has a predefined list of placeholder objects that are replaced on-the-fly by the Barracuda NG Firewall when the block page is delivered to the client. Custom block pages can only be used with the Forwarding or Distributed Firewall services. The HTTP proxy does not support custom block pages.

Block Page | Service | Action Triggering the Block Page
Access Block Page | Firewall Service | Matching Deny or Block access rule with the advanced setting Block Page for TCP 80 set to Access Block Page.
Application Control Block Page | Firewall Service / Application Control 2.0 | Connection blocked due to the action set in the matching application rule.
Fail-Close Block Page | URL Filter or Virus Scanner not available | The Fail Close policy for the URL Filter, Virus Scanner, or SSL Interception must be set and: the URL Filter or Virus Scanner service is unavailable; configuration settings prevented the virus scanning engine from scanning the file (e.g., Block encrypted archives); SSL Interception is unavailable; internal errors.
Quarantine Page | ATD | Page displayed for users in ATD quarantine.
URL Filter Block Page | Firewall Service / URL Filter | Connection blocked due to a URL Filter category.
URL Filter Warning Page | Firewall Service / URL Filter | Connection blocked due to a URL Filter category.
Virus Scanner Block Page | Virus Scanner, ATD | Connection/Download blocked due to detected malware.

In this article

Edit a Block Page
Reset a Block Page to the Factory Default

Edit a Block Page

You can use HTML, CSS, and JavaScript code. Images up to 30 kB can be inserted as base64 encoded HTML code.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Response Messages.
2. Click Lock.
3. In the left menu, click the block page you want to edit.
4. In the HTML source code window, edit the source code of the block page. You can use CSS, JavaScript and HTML.
5. Click External View or Update Preview to see the changes in an external browser or the preview area.
6. (optional) Click Insert Element to insert placeholder values or images into the block page. The available placeholder values depend on the block page.
7. Click Send Changes and Activate.

Reset a Block Page to the Factory Default

You can reset a block page to its default value.

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Firewall > Response Messages.
2. Click Lock.
3. In the left menu, click on the block page you want to reset.
4. Click on Restore Default.
5. Click Yes.
6. Click Send Changes and Activate.

Intrusion Prevention System (IPS)

The Intrusion Prevention System (IPS) actively monitors local and forwarding traffic for malicious activities and can also block suspicious traffic. The Barracuda NG Firewall engine analyzes network traffic and continuously compares the bitstream with its internal signature database for malicious code patterns. You can create, edit, and override default and custom IPS signature handling policies. After configuring your IPS policies, you can also apply them to your firewall rules.

In this article:

IPS Features
TCP Stream Reassembly
URL Obfuscation
TCP Split Handshake
Configuring and Managing IPS

IPS Features

The following features are available with IPS:

TCP Stream Reassembly

The firewall engine provides support for TCP Stream Reassembly (SRA).
In general, TCP streams are broken into TCP segments that are encapsulated in IP packets. By manipulating how a TCP stream is segmented, it is possible to evade detection, for example by overwriting a portion of a previous segment within a stream with new data in a subsequent segment. This method allows an attacker to hide or obfuscate the network attack. The firewall engine receives the segments of a TCP conversation, buffers them, and reassembles the segments into a correct stream, for example by checking for segment overlaps, interleaved duplicate segments, invalid TCP checksums, and so forth. Afterwards, the firewall engine passes the reassembled stream to the IPS engine for inspection.

URL Obfuscation

The IPS engine provides various countermeasures to avert possible network attacks based on the following URL encoding techniques:
Escape encoding (% encoding)
Microsoft %u encoding
Path character transformations and expansions ( /./ , //, \ )
Premature URL ending
Long URL
Fake parameter
TAB separation

FTP Evasion

The IPS engine is able to avert FTP exploits where the attacker tries to evade the IPS by inserting additional spaces and Telnet control sequences into FTP commands.

TCP Split Handshake

The IPS engine provides an evasion countermeasure that blocks TCP split handshake attacks. Although the TCP split handshake is a legitimate way to start a TCP connection (RFC 793), it can also be used by attackers to execute various network attacks: by establishing what appears to be a trusted IP connection, they gain access to the internal network and evade firewall and IPS policies.

Configuring and Managing IPS

For step-by-step instructions on how to configure and manage IPS, see the following articles:
How to Check the IPS Security Subscription Status
How to Configure IPS Policies
How to Configure the Intrusion Prevention System (IPS)
How to Manage Threats
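The reassembly step described above, as an added example that is not part of the guide or of Barracuda's engine: a small reassembler that buffers the segments of one direction of a TCP conversation in arrival order, keeps the first copy of every byte, and reports the two artefacts the text names (a later segment rewriting bytes of an earlier one with different data, and duplicate segments). The sample segments are constructed; the RFC 1071 checksum routine shows the arithmetic an invalid-TCP-checksum check is built on, without the TCP pseudo-header.

```python
"""TCP stream reassembly with overlap and duplicate checks (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Segment:
    seq: int       # sequence number of the first payload byte
    data: bytes


@dataclass
class Reassembly:
    stream: bytes                      # contiguous bytes from the ISN up to the first hole
    overlaps: List[str] = field(default_factory=list)
    duplicates: int = 0


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words. TCP runs this over the
    pseudo-header, TCP header and payload; only the arithmetic is shown here."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def reassemble(segments: List[Segment], isn: int) -> Reassembly:
    """Reassemble payload bytes starting at sequence number `isn`.

    Segments are processed in arrival order and the first copy of each byte
    wins, so a later segment cannot silently replace what has already been
    inspected; conflicting overlaps are reported instead of resolved quietly.
    """
    result = Reassembly(stream=b"")
    buf: Dict[int, int] = {}                 # offset from ISN -> byte value
    seen: Set[Tuple[int, bytes]] = set()
    for seg in segments:
        key = (seg.seq, seg.data)
        if key in seen:                      # exact retransmission
            result.duplicates += 1
            continue
        seen.add(key)
        conflicts = 0
        for i, byte in enumerate(seg.data):
            off = seg.seq - isn + i
            if off in buf:
                if buf[off] != byte:
                    conflicts += 1
                continue                     # keep the first copy
            buf[off] = byte
        if conflicts:
            result.overlaps.append(
                f"segment seq={seg.seq} len={len(seg.data)} rewrites "
                f"{conflicts} byte(s) of earlier data"
            )
    out = bytearray()
    off = 0
    while off in buf:                        # deliver only up to the first hole
        out.append(buf[off])
        off += 1
    result.stream = bytes(out)
    return result


# Constructed sample: a request split in two, followed by a third segment that
# tries to overwrite the middle of the first one.
SAMPLE_ISN = 1000
SAMPLE_SEGMENTS = [
    Segment(1000, b"GET /index"),
    Segment(1010, b".html HTTP/1.0\r\n"),
    Segment(1004, b"/evil"),
]

if __name__ == "__main__":
    r = reassemble(SAMPLE_SEGMENTS, SAMPLE_ISN)
    print(r.stream, r.overlaps, r.duplicates)
```

Which copy of an overlapping byte the target host actually uses depends on its TCP stack; the point of the check is that an overlap carrying different data is surfaced to the inspection engine rather than being resolved by whichever copy happened to arrive last.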
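The normalization that the URL obfuscation countermeasures above depend on, as an added example (not Barracuda code): the request target is canonicalised before it is compared with signatures, and every technique from the list that had to be undone is recorded as a finding. The sample request lines are constructed, and the length threshold for the Long URL check is an assumption since the guide gives no number.

```python
"""HTTP request-line normalization before signature matching (added example)."""
import re
from typing import List, NamedTuple

MAX_TARGET_LEN = 2048            # assumed threshold, not from the guide
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_PCT_U = re.compile(r"%[uU]([0-9A-Fa-f]{4})")   # Microsoft %uXXXX encoding


class Normalized(NamedTuple):
    method: str
    path: str
    query: str
    findings: List[str]


def _note(findings: List[str], tag: str) -> None:
    if tag not in findings:
        findings.append(tag)


def normalize_request_line(line: str) -> Normalized:
    findings: List[str] = []
    if "\t" in line:                               # TAB separation
        _note(findings, "tab-separation")
    parts = re.split(r"[ \t]+", line.strip())
    method, target = parts[0], (parts[1] if len(parts) > 1 else "/")
    if len(target) > MAX_TARGET_LEN:               # Long URL
        _note(findings, "long-url")
    # Fake parameter: match signatures against the path, not against whatever
    # was placed after '?'; the query is kept separately.
    path, _, query = target.partition("?")
    # Decode %u and %XX escapes; a second round that still changes the string
    # means the target was double-encoded.
    for round_no in (1, 2):
        before = path
        path = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), path)
        if path != before:
            _note(findings, "msft-u-encoding")
        mid = path
        path = _PCT.sub(lambda m: chr(int(m.group(1), 16)), path)
        if path != mid:
            _note(findings, "percent-encoding")
        if round_no == 2 and path != before:
            _note(findings, "double-encoding")
    if "\x00" in path:                             # Premature URL ending
        _note(findings, "premature-end")
        path = path.split("\x00", 1)[0]
    if "\\" in path:                               # backslash used as separator
        _note(findings, "backslash")
        path = path.replace("\\", "/")
    if "//" in path or "/./" in path or path.endswith("/."):
        _note(findings, "path-expansion")           # // and /./ expansions
    resolved: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            _note(findings, "dot-dot")
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return Normalized(method, "/" + "/".join(resolved), query, findings)


# Constructed sample request lines, one per technique in the list above.
SAMPLE_LINES = [
    "GET /cgi-bin/./phf HTTP/1.0",
    "GET /a%2F..%2Fb\\c HTTP/1.0",
    "GET\t/index.html%00.jpg\tHTTP/1.0",
    "GET /scripts/%u002e%u002e/winnt HTTP/1.0",
    "GET /cgi-bin/x?../../y HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize_request_line(line))
```

The findings list is what an analyst would want logged next to a signature hit: a match on a path that only appeared after decoding is a stronger indicator than the same match on a plainly written request.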
How to Check the IPS Security Subscription Status

The IPS signature database contains all signature definitions for detecting malicious network traffic. An Energize Updates subscription is required to receive IPS security updates. For more information, see Licensing.

In this article:
Check the Subscription Status
Online IPS Database Updates

Check the Subscription Status

To access the IPS database, go to CONTROL > Server. The current Security Subscription status is displayed in the right pane. To check the IPS security subscription status, use the following options:
Version History – Click to see changes and updates to the IPS signature database.
Database Browser – Browse the currently installed IPS database.
Settings – Click to access the IPS Policies page: CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall

Online IPS Database Updates

You can perform an online update of the IPS database by using the following options:
Update – Triggers an immediate update of the IPS database and offers the following selections:
Check for updates – Check for available IPS database updates and install them.
Roll back to previous version – Revert the IPS database to any previously installed version.
Roll back to latest version – Revert the IPS database to the most recently installed version.

Update files are stored in the phion0/mcdownload/ips/files share. CC-managed Barracuda NG Firewalls are updated by the Barracuda NG Control Center.

How to Configure IPS Policies

IPS policies control the behavior of the IPS when an attack is detected. You can define multiple IPS policies and apply them to individual firewall rules as needed.
In this article:
Default IPS Policy
Custom Policy Section
Policy Configuration
IPS Policy Management
IPS Signatures – Explicit Actions
Assign IPS Policy to Firewall Rules

Default IPS Policy

By default, all firewall rules use the default IPS policy. All traffic is scanned according to this policy while the IPS is enabled. To turn off IPS scanning for an individual firewall rule, choose No Scan Policy from the IPS Policy dropdown. This makes sense for connections that must not be blocked in case of an IPS misconfiguration.

Custom Policy Section

Within the Custom Policy section, you can create and manage user-created IPS policies. Each created policy can be individually applied to firewall rules. The configuration interface for IPS policies is identical for the default policy and custom policies.

Policy Configuration

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > IPS Policies.
2. Click Lock.
3. Select Enable IPS.
4. If you want malicious traffic to be dropped, clear the Report only check box. Barracuda Networks recommends using Report only mode during an initial deployment phase, monitoring the log files for false positives, and disabling Report only mode later.
5. Select Scan SSL-Intercepted Traffic if decrypted SSL traffic should be scanned. This option is only available when Application Control 2.0 with SSL Interception is enabled.
6. Configure the settings described in the following sections:
From Client/From Server – Allows different actions for the two data streams of a session. Streams initiated from the host are classified as From Client, while answers from the target host are classified as From Server. It may be necessary for system administrators to configure different IPS policy settings for the traffic source and destination.
Action – Describes the protection behavior of the IPS engine when malicious traffic is detected:
Drop – Drops malicious network traffic.
Log – Only reports malicious network traffic according to the defined Notification.
None – Malicious network traffic is neither reported nor dropped.
Notification – Describes the warning behavior (Eventing) of the IPS engine when malicious traffic is detected:
Alert – An Alert Event is generated.
Warn – A Warning Event is generated.
Notice – A Notice Event is generated.
Severity – Detected malicious network traffic is classified by the IPS engine into the following severities: Critical, High, Medium, Low, Informational.

IPS Policy Management

Custom Policies
Click Add to create an IPS Policy with custom settings.
Click Delete to remove the selected IPS Policy.
Click Clone to copy the selected IPS Policy.
Copy to Default Policy – Applies the settings of the currently selected policy to the default policy.
Explicit Signatures – For each IPS Policy, a set of custom signature actions can be defined, and IPS scanning can be limited to this user-defined set.
Scan only for explicit signatures – If enabled, IPS scanning is only performed for IPS signatures whose action has been edited via the Edit explicit actions link.
Edit explicit actions – Click this link to modify the action of an IPS signature.

IPS Signatures – Explicit Actions

Edit – Select the desired IPS signature and click Edit Selected to modify the corresponding action. Click Edit All to change the actions of all currently displayed signatures.
Severity Filter – Select the severity to filter for.
Policy Filter – Select the policy type:
All – Display all available IPS signatures.
Overwritten – Display only IPS signatures with custom actions.
Default only – Display only IPS signatures with default actions.

7. Click Send Changes and Activate.

Assign IPS Policy to Firewall Rules

As soon as a custom IPS Policy is configured, it is selectable within a firewall rule.
Open a firewall rule and select the desired IPS Policy. Traffic that is handled by this firewall rule is now scanned according to the selected policy.

How to Configure the Intrusion Prevention System (IPS)

IPS policies define how the IPS engine scans traffic. You can create default and custom IPS policies to apply to your firewall rules. IPS can automatically receive the latest intrusion prevention and security updates from Barracuda Central, an advanced 24/7 security operations center that continuously monitors and blocks emerging Internet threats. Exploit signatures are regularly updated at Barracuda Central and are automatically delivered to your system via Energize Updates. If your system is managed by a Barracuda NG Control Center, the IPS pattern updates are performed by the Barracuda NG Control Center. As soon as the Barracuda NG Control Center receives IPS pattern updates, these patterns are delivered to all attached Barracuda NG Firewalls. Enabling IPS can decrease the overall throughput of your system. By default, all firewall rules use the default IPS policy. For specific firewall rules, you can disable IPS.

In this article:
Before You Begin
Enable IPS
View and Edit IPS Signature Policies
Create New IPS Policies
Create IPS Exceptions
Apply an IPS Policy to an Access Rule
Managing IPS on a Barracuda NG Control Center

Before You Begin

To use IPS, make sure that you have a valid Energize Updates subscription installed on your Barracuda NG Firewall or Barracuda NG Control Center.

Enable IPS

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > IPS Policies.
2. Click Lock.
3. Select the Enable IPS check box.
4. If you want malicious traffic to be reported without being dropped, select the Report only check box.
5. Click Send Changes and Activate.

View and Edit IPS Signature Policies

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > IPS Policies.
2. Click Lock.
3. In the Default Policy section, click Edit explicit actions to view the list of IPS signatures and how they are handled.
4. To view the details for an IPS signature, double-click it.
5. To edit the settings for an IPS signature, right-click it and choose Edit Selected.
6. In the Change Action for Explicit Signatures window, define how the IPS signature is handled and reported. To use the default IPS policy, select the Reset to default action check box.
7. Click OK and exit the list.
8. Click Send Changes and Activate.

Create New IPS Policies

Create new IPS policies to be applied to your access rules.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > IPS Policies.
2. Click Lock.
3. In the Custom Policies table, click + to add a new entry for your policy.
4. Select an ID for your policy and click OK.
5. Enter a Name and Description for the policy.
6. If you want to apply your settings to the default IPS policy, click Copy to Default Policy.
7. Click Send Changes and Activate.

Create IPS Exceptions

If you want to exempt specific IPS signatures from the default or custom IPS policies, create IPS exceptions.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > IPS Exception Database.
2. Click Lock.
3. Click the + icon.
4. In the Select IPS Signatures window, select the required IPS signatures and click Add. To remove a signature, select it and click Remove.
5. Click OK.
Your override is listed in the table on the IPS Exception Database page.
6. Click Send Changes and Activate.

Apply an IPS Policy to an Access Rule

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > IPS Policies.
2. Click Lock.
3. Edit the access rule to which you want to apply the policy.
4. Under Policy, select the policy from the IPS Policy list. If you want to disable IPS for the rule, select No Scan.

Managing IPS on a Barracuda NG Control Center

On the Barracuda NG Control Center, IPS pattern version information is displayed in the lower section of the File Updates page, while successful or failed IPS pattern updates for attached NG Firewalls are listed in the upper section. Adjusting the global file update settings may be necessary if your Barracuda NG Control Center needs to access the Internet through a corporate HTTP proxy server. If your Barracuda NG Control Center is not able to download IPS patterns, increase the Log Level for better troubleshooting.
1. Go to the CONTROL tab and click File Updates in the ribbon bar.
2. Click the Set Area Config button.
3. In the Time Settings section, set the Download Interval (default: 60).
4. In the Proxy Settings section, specify the settings for the proxy server.
5. Click OK.

If a Barracuda NG Control Center-managed unit is reinstalled, the IPS pattern database must be updated after the installation process because the database is not stored within the PAR file.

How to Manage Threats

Threats that are detected by the IPS engine are listed in the Threat Scan tab of the FIREWALL page of a Barracuda NG Firewall. This user interface provides detailed information on each detected threat.

Firewall Threat Scan Interface

The Threat Scan interface can also be used to detect and manage false positive detections.
If one of the listed entries was detected as malicious but should be allowed instead:
1. Select the desired entry.
2. Select Add IPS Overrides in the upper bar.
3. In the False Positive interface, click Send Changes and Activate.

The entries are added to the IPS False Positives list of the Barracuda NG Firewall and, if present, to the Barracuda NG Control Center, where you can import them. Entries added to the IPS False Positives list automatically get the None action and can be edited in the IPS False Positive interface.

IPS Exceptions

With IPS enabled, the engine may detect network traffic that seems suspicious but that, in special circumstances, needs to be allowed by the system administrator. To manage these threats, proceed as follows:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > IPS Exception Database.
2. Click Lock.

After selecting an entry, you can modify it by clicking the desired cell in the table. To widen a matching policy, you can enter * (ALL) in the IPS Signature ID, Source, Port, and Destination columns. A blank cell also represents * (All). You can also manually create or copy false positive entries. To do so, click Add to create a new entry and configure it as desired.

Traffic Shaping

Limited network resources make bandwidth prioritization a necessity. The Barracuda NG Firewall enables traffic shaping to prioritize network resources according to a number of factors such as time of day, application type, and user identity. Traffic shaping supports the following features:
Data Traffic Classification – Classify traffic into different bandwidth allocation priorities.
Traffic Prioritization – Increase the bandwidth and lower the latency of important traffic.
Bandwidth Partition – Specify bandwidth limits for certain traffic types.
Network Overflow Protection – Prevent protocols without flow control mechanisms from congesting the network.
Dynamically Adjusted Shaping – Adjust traffic to dynamic factors such as time of day or download volume.
Shaping of VPN Transports – Adjust VPN tunnel settings to make sure remote locations are assigned enough bandwidth for business-critical web applications.

In this article:
Traffic Classification
QoS Profiles
Virtual Interfaces
Traffic Prioritization
Firewall Rules
TCP Flow Control

Traffic Classification

In addition to security classification, you can use the firewall rule set to classify network traffic for traffic shaping. Classification by the firewall rule set is static: it does not change after the session is initiated unless you select the session in the rule set and change the QoS band. For classification according to dynamic factors such as the time of day or download volume, the Barracuda NG Firewall provides the QoS profile. The QoS band connects the rule-based static classification (session) with traffic shaping. Network data can be shaped in the following ways:
Outbound shaping – The traffic is shaped before it is delivered to a network interface.
Inbound shaping – The traffic is shaped after it is received by a network interface.

QoS Profiles

When configuring the QoS profile for traffic shaping, an expandable "tree" of virtual interfaces is added to the network interfaces where traffic must be shaped. A virtual tree consists of a root virtual interface that can be attached to a real network interface, and a number of subnodes. When assigning a virtual tree to a physical network interface, you can enable and specify the rates for inbound and/or outbound traffic shaping. The outbound and inbound rates of a virtual interface are ignored when the QoS Band policy in the corresponding access rule is set to NoShaping.
For more information on configuring virtual trees, see How to Create a QoS Profile.

Virtual Interfaces

The main purpose of a virtual interface is to shape and reduce traffic throughput from different sources to an available bandwidth according to priorities. Data is transmitted over the virtual interface and then forwarded inbound or outbound according to the traffic shaping settings. The most important characteristics of a virtual interface are:
A limiting bandwidth – This limit specifies the maximum data rate that is available for the virtual interface itself.
A priority weighting (high, medium, or low) – This priority determines how the available bandwidth is partitioned if more data arrives than the bandwidth limit allows. Partitioning is never static. For example, if all available traffic has a low priority, it is assigned the whole bandwidth. The Weighted Random Early Drop (WRED) queue management algorithm is used for prioritization.

To specify the bandwidth ratio of the traffic being propagated by a virtual node, you can select three priorities: class1, class2, and class3. For high-priority traffic that should not be restricted to a bandwidth limit, you can assign the NoDelay priority. The NoDelay priority should only be used in well-defined circumstances, to avoid crowding out the other traffic. The bandwidth ratio is enforced in two steps:
1. Virtual Interfaces: Depending on the source, traffic is assigned to and processed by the assigned virtual interface. Traffic is shaped according to the bandwidth ratios set for each interface.
2. Virtual Root Interface: The virtual root interface is used to ensure that the combined traffic from all virtual interfaces does not exceed the global limits.

Example Setup

Traffic Prioritization

The QoS band evaluates and prioritizes traffic (high, medium, or low).
It continually evaluates an IP packet's ToS (type of service), the current data volume, and the absolute time domain. With QoS bands, you can construct routing-dependent traffic shaping schemes. For example, you can configure an Internet connection in normal and fallback (ISDN) operation. For more information, see the Traffic Shaping examples. QoS bands prioritize traffic flow in the shaping tree (together with the virtual interface). The shaping connectors link the traffic shaping engine to the firewall. Eight connectors are available for out-of-the-box traffic management: Interactive, VoIP, Business, Internet, Background, LowPrio, LowestPrio, and Choke.

VoIP is always given first priority. The same applies to Interactive, which is limited to 90% of the overall available bandwidth, thus always leaving at least 10% for VoIP traffic. The residual bandwidth not used by VoIP or Interactive is shared between Business, Internet, and Background at a ratio of 10:2:1. In addition, Internet has a built-in size limit of 10 MB, after which a session is downgraded to Background and thus receives a smaller bandwidth share once the limit is exceeded. The LowPrio virtual interface is limited to 5% of the overall available bandwidth. The bandwidth ratio of the LowPrio : LowestPrio : Choke shaping connectors is 10:2:1. The Choke virtual interface is limited to 0.1% of the overall bandwidth. These shaping connectors are ideally used to slow down somewhat unnecessary traffic and applications that cannot be completely blocked. For more information on configuring QoS bands, see How to Create and Apply QoS Bands.

Firewall Rules

To use a shaping connector, you must refer to it in a firewall rule. In the rule configuration, you can select between forward and reverse:
forward – This direction is defined by traffic that is generated by the session initiator (client).
reverse – This direction is defined by traffic that is generated by the responder (server).

Shaping may be configured differently for each traffic type. For instructions on how to create a QoS Band and apply traffic shaping to a firewall rule, see How to Create and Apply QoS Bands.

TCP Flow Control

Because traffic shaping affects packet delivery, it also affects the TCP flow control mechanism. Ideally, TCP flow control reduces its flow rate to a level where the shaping mechanism is no longer forced to discard packets. This is only possible if the traffic shaping mechanism can delay packets long enough for TCP flow control to detect the smaller bandwidth by measuring longer RTTs (round trip times). A longer delay requires larger queue sizes, which should be considered when configuring virtual interfaces. Long delays also result in larger latency values, which might be unwanted for other protocols. Therefore, in the case of mixed TCP and other protocol traffic, consider using separate traffic shaping nodes for TCP with different queue size settings.

It is also the TCP flow control mechanism that makes the priority weights approximate values. For example, assume there are 20 TCP sessions that are all trying to receive the maximum bandwidth possible, where 10 are classified as high and 10 as medium priority. If you configure a ratio of 1:2 for the two priorities, you will observe this ratio when measuring the output for the two priorities. But if you change the setup to 1 high-priority TCP session and 39 medium-priority TCP sessions, the results change. The single TCP session gets less bandwidth than expected, because the flow control of the 39 TCP sessions generates more traffic while trying to find an optimum rate than the single high-priority session does. So to favor a small number of TCP sessions over a large number of unprivileged TCP sessions, you should configure a larger ratio in order to get the desired output ratio.
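The connector ratios from the Traffic Prioritization section, worked through as an added example (not Barracuda code): the allocation is modelled as weighted max-min fair sharing, in which every active class receives bandwidth in proportion to its weight, a class that needs less than its share releases the rest to the others, and a cap bounds a class regardless of its weight. The same function describes the class1/class2/class3 priority weights of a QoS profile. The demands are constructed; "10 MB" is taken as decimal megabytes, and the way the LowPrio tree sits beside the other connectors is not spelled out in the guide, so `lowprio_allocation` is one reading of it. Real shaping with TCP traffic deviates from these figures for the reason given in the TCP Flow Control section.

```python
"""Weighted fair sharing of link bandwidth between shaping connectors (added example)."""
from typing import Dict, Optional

INTERNET_DOWNGRADE_BYTES = 10 * 1000 * 1000   # "10 MB"; decimal MB assumed


def weighted_fair_share(capacity: float, demand: Dict[str, float],
                        weight: Dict[str, float],
                        cap: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Weighted max-min fair allocation of `capacity` among the classes in `demand`.

    Each round hands the remaining capacity out in proportion to the weights of
    the still-unsatisfied classes; a class whose demand (or cap) is met leaves
    the active set and its unused share is redistributed in the next round.
    """
    cap = cap or {}
    alloc = {c: 0.0 for c in demand}
    active = {c for c in demand if demand[c] > 0}
    remaining = float(capacity)
    while active and remaining > 1e-9:
        total_w = sum(weight[c] for c in active)
        satisfied = set()
        for c in active:
            limit = min(demand[c], cap.get(c, float("inf")))
            share = remaining * weight[c] / total_w
            grant = min(share, limit - alloc[c])
            alloc[c] += grant
            if alloc[c] >= limit - 1e-9:
                satisfied.add(c)
        remaining = capacity - sum(alloc.values())
        if not satisfied:            # every class took its full share: link exhausted
            break
        active -= satisfied          # redistribute leftovers among the rest
    return alloc


def effective_connector(connector: str, session_bytes: int) -> str:
    """Internet sessions are downgraded to Background once they exceed 10 MB."""
    if connector == "Internet" and session_bytes > INTERNET_DOWNGRADE_BYTES:
        return "Background"
    return connector


def connector_allocation(link: float, demand: Dict[str, float]) -> Dict[str, float]:
    """VoIP first, Interactive next (capped at 90% of the link), then the residual
    bandwidth split Business:Internet:Background = 10:2:1."""
    alloc: Dict[str, float] = {}
    remaining = float(link)
    voip = min(demand.get("VoIP", 0.0), remaining)
    alloc["VoIP"] = voip
    remaining -= voip
    interactive = min(demand.get("Interactive", 0.0), 0.9 * link, remaining)
    alloc["Interactive"] = interactive
    remaining -= interactive
    alloc.update(weighted_fair_share(
        remaining,
        {c: demand.get(c, 0.0) for c in ("Business", "Internet", "Background")},
        {"Business": 10, "Internet": 2, "Background": 1},
    ))
    return alloc


def lowprio_allocation(link: float, demand: Dict[str, float]) -> Dict[str, float]:
    """One reading of the LowPrio tree (assumption): at most 5% of the link,
    split LowPrio:LowestPrio:Choke = 10:2:1, with Choke capped at 0.1% of the link."""
    return weighted_fair_share(
        0.05 * link,
        {c: demand.get(c, 0.0) for c in ("LowPrio", "LowestPrio", "Choke")},
        {"LowPrio": 10, "LowestPrio": 2, "Choke": 1},
        cap={"Choke": 0.001 * link},
    )


if __name__ == "__main__":
    # Constructed demand figures in Mbit/s on a 100 Mbit/s link.
    demand = {"VoIP": 5, "Interactive": 200, "Business": 100, "Internet": 100, "Background": 100}
    print(connector_allocation(100, demand))
    print(lowprio_allocation(1000, {"LowPrio": 1000, "LowestPrio": 1000, "Choke": 1000}))
```

The second `weighted_fair_share` test below is the case the guide's "partitioning is never static" remark refers to: when Business only needs 20 of its 76.9 share, Internet and Background absorb the difference in their own 2:1 ratio rather than leaving it idle.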
How to Create and Apply QoS Bands

To make traffic shaping settings connectible with the forwarding firewall ruleset, you must apply an existing or new QoS Band. To configure a new QoS Band, proceed as follows:

Step 1. Create a QoS Band

To create a new QoS band, complete the following steps:
1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
2. Click Lock.
3. Click the QoS Band tab.
4. Right-click the QoS Band table and select Add new QoS Band.
5. In the Name field, enter a descriptive name. (The ID field specifies the index number of the new QoS band.)
6. Click OK.
7. In the QoS Band Rule window, you can edit the following settings to specify the priority, interface, and conditions for traffic that is handled by the QoS band:
Priority – From this list, select the priority class that is assigned to data packets that are handled by the QoS band.
Virtual Device – From this list, select the virtual interface into which the data packets will be fed, should this rule apply.
TOS – To specify a value that must be matched by the TOS in the IP header, select this check box.
Traffic Limit – To specify a data limit that must not be exceeded by network sessions, select this check box.
Time Period – To specify specific dates and times during which this rule can be applied, select this check box.
Weekday/Hour – To specify specific weekdays and times during which this rule can be applied, select this check box.
8. Click OK.
9. Click Send Changes and Activate.

Example Scenario

Step 2. Apply the QoS Band to a Firewall Rule

To apply traffic shaping to an access or application rule, complete the following steps:
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Create or double-click the access or application rule to which you are applying the QoS Band. For example, LAN-2-INTERNET-https.
To apply the QoS Band to an access rule: Select the QoS Band from the QoS Band (Fwd) and QoS Band (Reply) lists in the Policy section. For example, Background. The outbound and inbound rates of a virtual interface are ignored when the QoS Band policy in the corresponding firewall rule is set to No-Shaping.
To apply the QoS Band to an application rule: Select the Change QoS Band (Fwd) check box in the Policy section and select the QoS Band from the list.
4. Click OK.
5. Click Send Changes and Activate.

You can also apply traffic shaping settings to multiple rules. In the rule editor window for the rules, specify the following settings:
In the Rule Settings section, configure the Forward Band and Reverse Band settings.
In the TCP Policy section, configure the Syn Flood Protection setting.
For more information, see How to Edit, Copy, Clone, Deactivate, or Delete Access Rules.

Applying Traffic Shaping to VPN Tunnels

You can implement traffic shaping with VPN. For more information, see How to Apply Traffic Shaping to a VPN Tunnel.

How to Configure Basic Traffic Shaping

When deploying traffic shaping, consider the CPU resources of the system. Especially on low-end machines, shaping on highly used links may cause performance degradation, resulting in high CPU loads and reduced network connectivity. Depending on the system configuration, Barracuda Networks recommends a maximum interface shaping bandwidth of 10 MB/s on systems with a CPU clock of 800 MHz or lower. There are different ways to configure traffic shaping on the Barracuda NG Firewall. You can use the predefined Basic profile template or configure all settings manually (see How to Create a QoS Profile).
The step-by-step instructions in this article explain how to configure basic traffic shaping. The basic traffic shaping scheme employs a simple virtual tree named Default with a single virtual interface named NoDelay attached to it.

Step 1. Apply the Basic Profile Template

1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
2. Click Lock.
3. From the Predefined Profiles list at the top of the page, select Basic profile.
4. Click Yes to apply the template.
5. From the Select Interface list, select the interface to which you want to apply the basic profile.
6. Click OK. This assigns the virtual tree to the interface.
7. In the Interfaces table, double-click an interface to configure its bandwidth limit.
8. In the Rate section of the Interface Tree Mapping window, select Enable Shaping and enter a limit for the inbound and outbound bandwidth.
9. Click OK.
10. Click Send Changes and Activate.

Step 2. Apply Traffic Shaping to Access Rules

Select the QoS Band in the Policy settings of an access or application rule.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Create or double-click the access or application rule to which you are applying the QoS Band.
To apply the QoS Band to an access rule: Select the QoS Band from the QoS Band (Fwd) and QoS Band (Reply) lists in the Policy section. For more information, see How to Create and Apply QoS Bands. The outbound and inbound rates of a virtual interface are ignored when the QoS Band policy in the corresponding access rule is set to No-Shaping.
To not use the QoS
To apply a different QoS Band to an application rule: Select the Change QoS Band (Fwd) check box in the Policy section and select the QoS Band from the list.
4. Click OK.
5. Click Send Changes and Activate.

How to Apply Traffic Shaping to a VPN Tunnel

If you want to configure Quality of Service for a virtual interface, in this example a VPN tunnel, adapt the traffic shaping configuration.

Assign a QoS Profile to a VPN Tunnel

1. Create a TINA VPN Tunnel.
2. Configure the traffic shaping settings. To configure basic traffic shaping settings with the Basic profile template, see How to Configure Basic Traffic Shaping. To configure advanced traffic shaping settings, see How to Create a QoS Profile.
3. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
4. Open the TINA Tunnel configuration window.
5. Click the TI - Bandwidth Protection tab.
6. From the Bandwidth Policy list, select Assign QoS Profile.
7. From the Assigned QoS Profile list, select your QoS profile.
8. In the Estimated Bandwidth field, enter the maximum rate for outbound traffic in KB/s. If you enter 0, no shaping occurs.
9. In the Reverse field, enter the maximum rate for inbound traffic in KB/s. If you enter -1, the same maximum rate is used for outbound and inbound traffic.
10. Click OK.
11. Click Send Changes and Activate.
12. Create the access rules for the VPN tunnel traffic. For more information, see How to Create Access Rules for Site-to-Site VPN Access.

Example - Traffic Shaping for WAN Connections

This article describes how to apply the default traffic shaping scheme to a new interface and how to add the basic QoS profile to a static and a dynamic ISP link.
The steps in this article use the following example settings:
ISP 1 – Port: eth1; Traffic Outbound Rate: 10 Mbit/Sec; Traffic Inbound Rate: 10 Mbit/Sec
ISP 2 (dynamic) – Port: dhcp; Traffic Outbound Rate: 2 Mbit/Sec; Traffic Inbound Rate: 2 Mbit/Sec
Firewall Rule – Name: LAN-2-INTERNET; Service: HTTPS

Step 1. Create a New Interface

To create a new interface and assign it to the default Basic profile, complete the following steps:
1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
2. Click Lock.
3. In the Interface section, right-click and select Add new Interface.
4. In the Interface Tree Mapping window, configure the following settings:
Interface – The name of the interface. For example, enter eth1 for ISP 1 and dhcp for ISP 2. To apply traffic shaping, select or enter your specific port name as it is listed on the CONTROL > Network page. For dial-up connections like xDSL, ISDN, UMTS, or 3G, you must enter the correct port name in order to apply traffic shaping to links that use dynamic IP addresses. For example, if your xDSL port is listed as xDSL(ppp1), enter ppp1 in the Interface field.
Assigned Profile – The QoS profile to assign to this interface. For example, Default.
Rate – In this section, select Enable Shaping and specify limits for the Outbound and Inbound bandwidth settings. For example, enter 10 Mbit/Sec as the bandwidth limits for ISP 1 and 2 Mbit/Sec as the bandwidth limits for ISP 2.
5. Click OK.
6. Click Send Changes and Activate.

For advanced options, see How to Create a QoS Profile.

Step 2. Apply the QoS Band to a Firewall Rule

Select the QoS Band in the Policy settings of an access or application rule.
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Create or double-click the access or application rule to which you are applying the QoS Band. For example, LAN-2-INTERNET-https.
To apply the QoS Band to an access rule: Select the QoS Band from the QoS Band (Fwd) and QoS Band (Reply) list in the Policy section. For example, Backgr ound. The outbound and inbound rate of a virtual interface is ignored when the QoS Band policy in the corresponding access rule is set to No-Shaping. To apply the QoS Band to an application rule: Select the Change QoS Band (Fwd) check box in the Policy section and select the QoS Band from the list. 4. Click OK. 5. Click Send Changes and Activate. Copyright © 2015, Barracuda Networks Inc. Barracuda NG Firewall 6.1 Administrator's Guide - Page On the FIREWALL > Live page, verify that the correct QoS band was applied to your session. Copyright © 2015, Barracuda Networks Inc. 501 Barracuda NG Firewall 6.1 Administrator's Guide - Page 502 How to Create a QoS Profile When deploying traffic shaping, consider the CPU resources of the system. Especially on low-end machines, shaping on highly used links may cause performance degradation, resulting in high CPU loads and reduced network connectivity. Depending on the system configuration, Barracuda Networks recommends a maximum interface shaping bandwidth of 10 MB/s on systems with a CPU clock of 800MHz or lower. QoS profiles are constructed of a root virtual interface, which may be attached to a real network interface and an arbitrary number of subnodes forming a tree. The output of any number of virtual interfaces can be fed into the input of a superordinate virtual interface. A new virtual interface can be created on the subordinate level of an existing virtual interface. Each and every virtual interface of a QoS profile can be configured individually. QoS profiles are built as templates and will only operatively perform traffic shaping when they are referred to by a physical network interface. This way, the same QoS profile can be reused for several physical network interfaces. 
As a result, the limiting bandwidth rates are configured as relative values (percent), which become absolute values when the profile is assigned to a physical network interface with absolute bandwidth values. When assigning QoS profiles to physical network interfaces, you can decide whether inbound and/or outbound traffic should be handled by the traffic shaping mechanism. The assignment also specifies the effective rates (inbound and outbound) of the physical network interface. Note that these rates do not need to be identical to the rate the interface is capable of; they should rather specify the expected effective bandwidth (for example, a 2 Mbit provider line accessed over a 100 Mbit Ethernet interface).

In this article:

- Step 1. Create a QoS Profile
- Step 2. Create a Virtual Interface
- Step 3. Create a QoS Band
- Step 4. Assign the QoS Profile to the Physical Interface
- Step 5. Apply Traffic Shaping to Application or Access Rules

Step 1. Create a QoS Profile

1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
2. Click Lock.
3. Click the QoS Profile tab.
4. In the Virtual Interface list, right-click and select Add new QoS Profile.
5. In the Profile Name field, enter a name for the QoS profile.
6. In the Outbound section, select an Operation Mode for traffic that is sent over the device:
   - Shape – The virtual interface limits traffic according to the Outbound settings.
   - Passthrough – Packets are immediately passed to the next tree node or to the associated network interface.
   - Drop – Packets are immediately discarded.
   - Priority – Packets are passed through the shaping tree without being queued.
7. In the Priority Weights fields, you can specify the relative weight of the three priorities: class1, class2, and class3. These weights specify the ratio of the traffic being propagated, assuming that the input traffic is evenly distributed.
8. In the Inbound section, select an Operation Mode and specify the Priority Weights for the inbound traffic (traffic that is received by the device). If you want inbound traffic to be handled with the same settings as outbound traffic, select As-Outbound.
9. Click OK.
10. Click Send Changes and Activate.

Step 2. Create a Virtual Interface

1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
2. Click Lock.
3. Click the QoS Profile tab.
4. In the Virtual Interface list, right-click the new QoS Profile and select Add new virtual interface.
5. In the Virtual Interface Name field, enter a descriptive name.
6. In the Outbound section, select an Operation Mode for traffic that is sent over the device:
   - Shape – The virtual interface limits traffic according to the Outbound settings.
   - Passthrough – Packets are immediately passed to the next tree node or to the associated network interface.
   - Drop – Packets are immediately discarded.
   - Priority – Packets are passed through the shaping tree without being queued.
7. In the Assumed Rate field, enter the bandwidth limit (%) for the virtual interface. This value represents a hard bandwidth limit for this virtual interface. Do not produce values lower than 512 kbit.
8. When a datagram is passed to the next node in the tree, you can adjust the c settings before processing is continued.
9. From the Priority Adjustment list, specify the adjustment of priority weights when packets are passed to the next virtual interface.
10. The Queue Size (Bytes) field is the hardcoded size of the virtual interface's internal queue (in bytes).
11. In the Inbound section, select an Operation Mode, enter an Assumed Rate, adjust the Assumed Rate, and specify the Queue Size (Bytes).
12. Click OK.
13. Click Send Changes and Activate.

Step 3. Create a QoS Band

In order to assign traffic prioritization to the physical interface, you must apply the virtual interface to an existing QoS Band.

1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
2. Click Lock.
3. Click the QoS Band tab.
4. Right-click the QoS Band table and select Add new QoS Band.
5. In the Name field, enter a descriptive name. (The ID field specifies the index number of the new QoS band.)
6. Click OK.
7. In the QoS Band Rule window, you can edit the following settings to specify the priority, interface, and conditions for traffic that is handled by the QoS band:
   - Priority – From this list, select the priority class that is assigned to data packets that are handled by the QoS band.
   - Virtual Device – From this list, select the virtual interface into which the data packets will be fed, should this rule apply.
   - TOS – To specify a value that must be matched by the TOS in the IP header, select this check box.
   - Traffic Limit – To specify a data limit that must not be exceeded by network sessions, select this check box.
   - Time Period – To specify specific dates and times during which this rule can be applied, select this check box.
   - Weekday/Hour – To specify specific weekdays and times during which this rule can be applied, select this check box.
8. Click OK.
9. Click Send Changes and Activate.

Step 4. Assign the QoS Profile to the Physical Interface

To apply traffic shaping settings to a physical interface, such as port1, complete the following steps:

1. From the Interface table, double-click the interface to which the QoS profile should be assigned.
2. From the Assigned Profile list, select the new QoS profile.
3. In the Rate section of the Interface Tree Mapping window, select Enable Shaping and enter a limit for the inbound and outbound bandwidth.
4. Click OK.
5. Click Send Changes and Activate.

Step 5. Apply Traffic Shaping to Application or Access Rules
1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
2. Click Lock.
3. Create or double-click the access or application rule to which you are applying the QoS Band. For example, LAN-2-INTERNET-https.
   To apply the QoS Band to an access rule: Select the QoS Band from the QoS Band (Fwd) and QoS Band (Reply) lists in the Policy section. For more information, see How to Create and Apply QoS Bands. The outbound and inbound rate of a virtual interface is ignored when the QoS Band policy in the corresponding access rule is set to No-Shaping.
   To apply the QoS Band to an application rule: Select the Change QoS Band (Fwd) check box in the Policy section and select the QoS Band from the list.
4. Click OK.
5. Click Send Changes and Activate.

You can also apply traffic shaping settings to multiple rules. In the rule editor window for the rules, specify the following settings:

- In the Rule Settings section, configure the Forward Band and Reverse Band settings.
- In the TCP Policy section, configure the Syn Flood Protection setting.

For more information, see How to Edit, Copy, Clone, Deactivate, or Delete Access Rules.

Example - Simple Traffic Prioritization

For this example, traffic must be classified into three types, according to source IP address and network service. The types should be prioritized with a ratio of 5:2:1 (C1 : C2 : C3). For this example, you must configure the following:

1. A virtual tree consisting of a single virtual interface with a partition priority of 5:2:1.
2. Three QoS bands that point to the root node. One QoS band results in a high priority, one in a medium priority, and one in a low priority.
3. A firewall ruleset that consists of three rules, each referring to one of the three QoS Bands.
4. A physical network device to which network traffic is delivered, with the virtual tree attached to it.

With this configuration:

- The configured total for inbound and outbound bandwidth is never exceeded.
- The three types of network traffic (low, medium, and high) share the bandwidth. If not all three types of traffic are in operation, the total bandwidth is divided amongst the available traffic according to the partition priority.
- If the preset bandwidth limit is not reached, traffic shaping does not occur and there is no prioritization. Prioritization only occurs when the available bandwidth is insufficient.
- Because all three types of traffic operate on the same limiting unit (the datagram) and share the same datagram queue, the delivery latency of a specific traffic type is highly dependent on the amount of traffic of the other types.
- The configured priority partition is an estimated ratio. The more network traffic is sent, the more closely the actual ratio matches this estimate.

Example - ISP Customer Bandwidth Assignment

In this example, an ISP with Internet access provides a total bandwidth of 100 Mbits. The bandwidth should be assigned to four customers. One customer should get 40 Mbits and the other three customers should get 20 Mbits each. The assigned bandwidth of each customer should not be exceeded, even if the total bandwidth is not saturated. For this setup, you must configure the following:

1. A virtual tree consisting of a virtual root interface and four subnodes (A-D) with a limiting bandwidth of 40% for one node and 20% for each of the remaining three nodes.
2. Four QoS bands, each resulting in medium priority selection and each pointing to one of the subnodes.
3. A firewall ruleset with four rules that each refer to one of the four QoS bands.
4. A physical network device to which network traffic should be delivered, with the virtual tree attached to it.

With this configuration:

- The total bandwidth (sum over all customers) is never exceeded.
- The available bandwidth per customer is never exceeded.
- There is no bandwidth borrowing between customers (nodes).

The setup can be extended by introducing more than one QoS band per customer with varying priorities.

Example - Traffic Shaping for the HTTP Proxy Service

In this example, traffic shaping for the HTTP Proxy service must be configured to ensure that HTTP, HTTPS, and FTP traffic is prioritized below other traffic, such as VPN. To make source-based traffic shaping possible, the traffic shaping engine uses the shaping connector of the matching inbound rule and replicates this shaping connector to the outbound session of the HTTP Proxy service on the Barracuda NG Firewall. Traffic for the CEO must be given higher prioritization than that for other people in the company. Two firewall rules are required in the inbound ruleset, as illustrated in the following figure. Note that the QoS band for Rule 24: Band ID100 CEO is configured with a higher priority than the QoS band for Rule 25: Band ID105 Staff. Also, the source addresses for Rule 24: Band ID100 CEO are limited to the range 10.0.10.90 to 10.0.10.99.

With this configuration:

- The outbound ruleset is still the default. No changes are necessary.
- The configured QoS bands are taken from the inbound ruleset. In the firewall interface, LOUT sessions are tagged with the correct shaping band. These sessions are fed into the assigned shaping tree. This can be verified on the Firewall > Shaping page.

Example - Advanced Traffic Shaping

In this advanced traffic shaping example, the prioritization of Example 1 and the bandwidth assignment of Example 2 are used. Furthermore, the dynamic parameters of the session download volume are used to demonstrate the purpose of the QoS band rules. The setup describes an Internet gateway which services the following:

- An application which needs low delivery latency (such as VoIP).
- Internet access from the internal network (mainly HTTP traffic).
- VPN traffic over the Internet.
- Web access from the Internet (Web shop).
- A multiprovider setup with a fallback ISDN line (bundled to 512 Kbits). ISDN fallback is implemented with redundant network routes.

From this setup, we expect the following:

- Low latency delivery for the VoIP application by feeding the VoIP traffic directly into the root node. Other traffic must pass either the B2B or the Web node, where it is queued (delayed) if bandwidth saturation occurs. This way, the VoIP traffic may even overtake the traffic waiting in the Web or B2B queues.
- A minimum of 40% of the Internet bandwidth for VPN traffic. By limiting the Web node to 60%, it is guaranteed that the B2B node gets at least 40% of the available bandwidth (assuming that the amount of VoIP traffic is negligible).
- High priority treatment for Web access from the Internet (Web Shop).
- Medium priority treatment for Web access from the internal network to the Internet.
- Low priority treatment for downloads from the internal network which are larger than 10 MB.
- For ISDN fallback operation (provider failure), only the VPN and the VoIP application traffic should be delivered. This is achieved by setting the Web node of the ISDN tree to operate in DROP mode. This way, the ISDN line is protected against unwanted web traffic.
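The three examples above (simple prioritization, ISP customer assignment, and the advanced gateway) rest on one mechanism: node limits are stored as percentages and only become absolute rates when the profile is attached to an interface, and priority weights only matter once a node is saturated. The following Python model is an added example, not Barracuda code and not the firewall's shaping engine. The tree names (root, A-D, B2B, Web), the 100 Mbit line, the 512 kbit ISDN rate and the Web node's 60% limit come from the examples above; the 10 Mbit interface rate, the demand figures and the water-filling redistribution of unused priority share in share_saturated are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class VirtualInterface:
    """One node of a QoS profile tree (constructed model, not Barracuda code)."""
    name: str
    assumed_rate_pct: float = 100.0   # hard limit as a percentage of the parent node
    weights: tuple = (5, 2, 1)        # priority weights class1 : class2 : class3
    mode: str = "shape"               # shape | passthrough | drop | priority
    children: list = field(default_factory=list)

    def add(self, child):
        self.children.append(child)
        return child


def absolute_rates(node, parent_rate_kbit):
    """Resolve the relative limits into absolute kbit/s, top-down from the rate
    of the physical interface the profile is assigned to."""
    rate = parent_rate_kbit * node.assumed_rate_pct / 100.0
    rates = {node.name: rate}
    for child in node.children:
        rates.update(absolute_rates(child, rate))
    return rates


def nodes_below_minimum(rates, minimum_kbit=512):
    """Names of nodes whose absolute rate falls under the 512 kbit floor the guide warns about."""
    return sorted(name for name, rate in rates.items() if rate < minimum_kbit)


def share_saturated(capacity_kbit, demand_kbit, weights):
    """Split one node's capacity between priority classes (keys 0, 1, 2 = class1..3).

    Assumption: a class that needs less than its weighted share keeps only what it
    needs and the remainder is redistributed among the others. While capacity suffices
    every class therefore receives its full demand (no prioritization takes place);
    under saturation the allocation converges to the configured weight ratio."""
    alloc = {c: 0.0 for c in demand_kbit}
    active = {c: d for c, d in demand_kbit.items() if d > 0}
    remaining = float(capacity_kbit)
    while active:
        total_w = sum(weights[c] for c in active)
        satisfied = [c for c in active if active[c] <= remaining * weights[c] / total_w]
        if not satisfied:                       # all remaining classes are starved
            for c in active:
                alloc[c] = remaining * weights[c] / total_w
            break
        for c in satisfied:
            alloc[c] = float(active.pop(c))
            remaining -= alloc[c]
    return alloc


def enforce_node_limits(rates, demand_by_node):
    """Per-node hard limits: a node never borrows from a sibling, so a customer's
    allocation is capped at its own rate even when the line is not saturated."""
    return {name: min(float(demand), rates[name]) for name, demand in demand_by_node.items()}


def deliver(node, kbit):
    """Operation mode at a node: DROP discards everything, the other modes forward."""
    return 0.0 if node.mode == "drop" else float(kbit)


def isp_tree():
    """Example 2: root plus customers A-D at 40 % / 20 % / 20 % / 20 %."""
    root = VirtualInterface("root")
    root.add(VirtualInterface("A", 40))
    for name in "BCD":
        root.add(VirtualInterface(name, 20))
    return root


def gateway_tree(isdn_fallback=False):
    """Advanced example: VoIP is fed into the root, the Web node is capped at 60 % so
    B2B (VPN) keeps at least 40 %; on the ISDN fallback tree the Web node is in DROP mode."""
    root = VirtualInterface("root")
    root.add(VirtualInterface("B2B"))
    root.add(VirtualInterface("Web", 60, mode="drop" if isdn_fallback else "shape"))
    return root


if __name__ == "__main__":
    # 100 Mbit provider line: the percentages turn into 40/20/20/20 Mbit limits
    print(absolute_rates(isp_tree(), 100_000))
    # three saturated classes on an 8 Mbit node share it 5:2:1
    print(share_saturated(8_000, {0: 10_000, 1: 10_000, 2: 10_000}, (5, 2, 1)))
```

Running the block prints the Example 2 limits and the 5:2:1 split. enforce_node_limits shows that customer B stays at 20 Mbit even while the line is unsaturated, and nodes_below_minimum flags the Web node of the 512 kbit ISDN tree, which is the case the guide handles by putting that node into DROP mode rather than shaping it.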
Bridging

A layer 2 bridge checks the destination MAC address of each incoming frame. If the MAC address is assigned to the bridge computer, the frame is processed by it as the destination. If the MAC address is not assigned to the bridge computer, the Network Bridge notes the source address of the frame and the port on which the frame was received and either creates or refreshes an entry in a layer 2 bridge table. The port is a number that identifies the network adapter and its corresponding LAN segment. Each entry in the layer 2 bridge table consists of a MAC address, the port number corresponding to the LAN segment on which a frame from the MAC address was received, and a timeout value. Entries in the layer 2 bridge table persist for 5 minutes before being removed.

- How to Configure Layer 2 Bridging
- How to Configure Routed Layer 2 Bridging
- How to Configure Layer 3 Bridging

For more information on bridging parameters, see Bridging Configuration Settings.
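As an added example (not Barracuda code), the learning behaviour just described as a small Python bridge table: frames not addressed to the bridge itself create or refresh a MAC-to-port entry, entries age out after 5 minutes, and a known destination is forwarded to its segment. Flooding unknown and broadcast destinations and filtering frames whose destination sits on the ingress segment is standard bridge behaviour assumed here, not stated on the page; the MAC addresses and port numbers are constructed.

```python
import time
from dataclasses import dataclass

ENTRY_TIMEOUT_S = 5 * 60          # bridge table entries persist for 5 minutes
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """Only the fields the learning decision needs (constructed model)."""
    src_mac: str
    dst_mac: str
    in_port: int                  # number identifying the adapter / LAN segment


class BridgeTable:
    """Learning bridge table: MAC -> (port, time learned). The clock is injectable
    so the 5-minute ageing can be exercised without waiting."""

    def __init__(self, own_macs, now=time.monotonic):
        self.own_macs = {m.lower() for m in own_macs}
        self.entries = {}
        self.now = now

    def _expire(self):
        cutoff = self.now() - ENTRY_TIMEOUT_S
        self.entries = {m: e for m, e in self.entries.items() if e[1] > cutoff}

    def lookup(self, mac):
        """Port a MAC was last seen on, or None if unknown or expired."""
        self._expire()
        entry = self.entries.get(mac.lower())
        return None if entry is None else entry[0]

    def handle(self, frame, ports):
        """Decide what to do with a frame and learn from it.

        Returns ("local", None) when the bridge itself is the destination,
        ("forward", port) for a known destination on another segment,
        ("filter", None) when the destination sits on the ingress segment, and
        ("flood", [ports]) for broadcast or an unknown destination (assumed behaviour)."""
        self._expire()
        src, dst = frame.src_mac.lower(), frame.dst_mac.lower()
        if dst in self.own_macs:
            return ("local", None)
        # not for the bridge: note the source and the port it arrived on
        self.entries[src] = (frame.in_port, self.now())
        other_ports = [p for p in ports if p != frame.in_port]
        if dst == BROADCAST:
            return ("flood", other_ports)
        known = self.entries.get(dst)
        if known is None:
            return ("flood", other_ports)
        if known[0] == frame.in_port:
            return ("filter", None)
        return ("forward", known[0])
```

The injectable clock is what makes the timeout testable: advance it past 300 seconds and a previously learned station is unknown again, so the next frame for it is flooded until the station speaks and is relearned.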
Bridging Type Feature Comparison

To help you decide which method to use, the following table compares the features that are available for each bridging method:

Features                                        | Transparent Layer 2 Bridging | Routed Layer 2 Bridging      | Layer 3 Bridging
MAC Transparent                                 | Yes                          | Yes                          | No
Routing-Bridging-Forwarding                     | No                           | Yes                          | Yes
Local Firewall Traffic (Gateway)                | No                           | Yes                          | Yes
Auto Learning of Network Nodes                  | Yes                          | Yes                          | No
Active Learning of Network Nodes                | No                           | Yes                          | No
Next Hop Bridging                               | Yes                          | Yes                          | No
Broad-Multicast Propagation                     | Yes                          | Yes                          | Yes
High Availability                               | Yes                          | Yes                          | Yes
VLAN capable                                    | Yes                          | Yes                          | Yes
IP and ARP Forwarding                           | Yes                          | Yes                          | Yes
Non IP Protocols Forwarding                     | No                           | No                           | No
IPv6                                            | No                           | No                           | No
IPS                                             | No                           | Yes                          | Yes
Application Control 2.0 (Application Detection) | Yes                          | Yes                          | Yes
SSL Interception                                | No                           | Yes - default route required | Yes - default route required
Virus Scanning                                  | No                           | Yes - default route required | Yes - default route required
ATD                                             | No                           | Yes - default route required | Yes - default route required
Safe Search                                     | No                           | Yes - default route required | Yes - default route required
YouTube for Schools                             | No                           | Yes - default route required | Yes - default route required
URL Filter                                      | Yes - default route required | Yes - default route required | Yes - default route required

Bridging on VMware ESXi

Before configuring a layer 2 bridge on a virtual Barracuda NG Firewall running on a VMware ESXi hypervisor, you must enable promiscuous mode for all network interfaces and vSwitches that are used by the bridge.

Security Weaknesses and Solutions

Because bridging heavily depends on broadcasts for establishing connectivity, it has a few weak points that you must carefully consider. Try to implement bridging in a trusted environment. Broadcasts in large environments also consume a lot of bandwidth. The Barracuda NG Firewall offers different methods to help prevent the following common attacks.

Preventing IP or ARP Spoofing over Layer 2 Bridges

Network nodes may use fake ARP responses in order to send network traffic with arbitrary IP addresses. Because firewall security is enforced on Layer 3, the security policy is bypassed. These issues can be solved by taking the following measures:

- Segment Access Control Lists (Bridging Interface ACLs) – Specify which IP addresses are allowed on a segment.
- Static Bridge ARP Entries – Statically specify IP addresses, MAC addresses, and segments to avoid learning via ARP.
- MAC-based Firewall Rules – Define source MAC conditions for network objects.
- ARP Change Reporting – Specify which types of changes to the IP-MAC-segment relationship must be reported in the access cache and log.

Prevent Destination MAC Spoofing

Another security issue in bridged environments is the possible exploitation of the gap between security enforcement on Layer 3 and traffic delivery on Layer 2. You can prevent these issues by enforcing Layer 2 addresses when a Layer 3 session is granted: the MAC addresses for a session are fixed when the session is created and remain enforced until the session ends. In the figure below, a client from LAN 1 tries to force a connection grant to a client in LAN 3. To do so, it sends a packet to the client in LAN 2 using MAC-A as the destination MAC address and 10.0.8.10 as the destination IP address. After the session has been granted through the bridge and communication has been allowed, it sends a second packet that exchanges the MAC address of the client in LAN 2 for the MAC address of the client in LAN 3, leaving the IP address the same. If MAC enforcement is configured, the connection with the spoofed MAC address is not allowed.

How to Configure a Local Bridge for Evaluation

To transparently connect your local workstation with the network across a Barracuda NG Firewall, use a local bridge.
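To make the Layer 2 controls from the bridging security section above concrete, here is an added Python example (not Barracuda code) that applies three of them as per-packet checks: segment ACLs, static bridge ARP entries, and MAC enforcement for an established session, with each failed check leaving a report line in the spirit of ARP change reporting. It replays the destination MAC spoofing scenario described there: the destination IP 10.0.8.10 and the MAC-A naming come from the figure description, while the segment names, all other addresses and MACs, and the report line format are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Layer 2/3 fields of one packet seen on a bridge segment (constructed)."""
    segment: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class BridgePolicy:
    """Three of the bridge controls, as per-packet checks with a report log."""

    def __init__(self, segment_acl, static_arp):
        # Bridging Interface ACLs: segment -> networks whose addresses may appear there
        self.segment_acl = {seg: [ipaddress.ip_network(n) for n in nets]
                            for seg, nets in segment_acl.items()}
        # Static bridge ARP entries: IP -> (MAC, segment), never overridden by learning
        self.static_arp = {ip: (mac.lower(), seg) for ip, (mac, seg) in static_arp.items()}
        # MAC enforcement: (src_ip, dst_ip) -> (src_mac, dst_mac) fixed at session start
        self.sessions = {}
        self.reports = []

    def check_segment_acl(self, pkt):
        nets = self.segment_acl.get(pkt.segment, [])
        ok = any(ipaddress.ip_address(pkt.src_ip) in n for n in nets)
        if not ok:
            self.reports.append(f"acl-violation segment={pkt.segment} ip={pkt.src_ip}")
        return ok

    def check_static_arp(self, pkt):
        expected = self.static_arp.get(pkt.src_ip)
        if expected is None:
            return True                       # no static entry: left to learning
        ok = expected == (pkt.src_mac.lower(), pkt.segment)
        if not ok:
            self.reports.append(
                f"arp-change ip={pkt.src_ip} mac={pkt.src_mac} segment={pkt.segment}")
        return ok

    def check_session_macs(self, pkt):
        key = (pkt.src_ip, pkt.dst_ip)
        macs = (pkt.src_mac.lower(), pkt.dst_mac.lower())
        fixed = self.sessions.setdefault(key, macs)   # first packet pins the MAC pair
        ok = fixed == macs
        if not ok:
            self.reports.append(f"mac-enforcement ip={pkt.src_ip}->{pkt.dst_ip} "
                                f"expected={fixed} got={macs}")
        return ok

    def admit(self, pkt):
        """Checks run in order and short-circuit, so a packet rejected by the ACL
        or by a static ARP entry never creates a session."""
        return (self.check_segment_acl(pkt)
                and self.check_static_arp(pkt)
                and self.check_session_macs(pkt))
```

In the replayed scenario the first packet from the LAN 1 client to 10.0.8.10 via MAC-A is admitted and pins the MAC pair; the second packet, same IP addresses but the LAN 3 client's MAC as destination, is refused with a mac-enforcement report, which is exactly the evidence an operator would look for in the access cache or log.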
This configuration allows you to explore the Barracuda NG Firewall’s advanced traffic and application inspection features by using traffic that your workstation generates on the LAN. To make the connection transparent you must configure a loca