Barracuda Firewall (PDFDrive)

1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
1.1 Release Notes 7.1.X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1.1 Release Notes 7.0.X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1.2 Release Notes 6.8.X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.1.3 Barracuda Firewall Release Notes 6.7.X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.1.4 Barracuda Firewall Release Notes 6.6.X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.1.5 Barracuda Firewall Release Notes 6.5.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
1.2.1 Deploy as Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
1.2.2 Deploy as Remote Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
1.3 Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
1.3.1 How to Configure WAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
1.3.1.1 Example - Configuring a Static WAN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
1.3.1.2 How to Configure a PPPoE Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
1.3.1.3 How to Configure a 3G Dial-In Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
1.3.1.4 How to Configure a DHCP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
1.3.2 How to Configure Static Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
1.3.3 How to Configure Wi-Fi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
1.3.4 How to Configure a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
1.3.5 How to Configure a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
1.3.6 How to Configure a Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
1.3.7 How to Configure a DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
1.3.8 How to Configure the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
1.3.9 How to Configure a DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
1.3.10 How to Configure a Forward Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
1.3.11 Authoritative and Caching DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
1.3.11.1 How to Add Domains and DNS Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
1.3.12 How to Change the Management IP Address and Network Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
1.3.13 How to Configure and Use High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
1.4 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
1.4.1 Firewall Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
1.4.1.1 Network Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
1.4.1.2 Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
1.4.1.3 Connection Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
1.4.1.4 Application Based Connection Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
1.4.1.5 NAT Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
1.4.1.6 User Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
1.4.1.7 Schedule Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
1.4.2 Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
1.4.2.1 Pre-Installed Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
1.4.2.2 Firewall Rules Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
1.4.2.3 How to Create User-Aware Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
1.4.2.4 Example - Allowing Access to the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
1.4.2.5 Example - Handling SMTP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
1.4.2.6 Example - Allowing SIP-based VoIP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
1.4.2.7 Example - Blocking ICMP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
1.4.2.8 Example - Configuring a DNAT Access Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
1.4.2.9 Example - Configuring an Access Rule for the Barracuda Email Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . 113
1.4.2.10 Example - Creating Time-Based Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
1.4.2.11 How to Configure a Transparent Redirection to a Barracuda Web Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . 117
1.4.3 Application Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
1.4.3.1 How to Introduce Application Control to Your Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
1.4.3.2 Application Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
1.4.3.3 How to Configure and Use the URL Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
1.4.3.4 How to Configure an Application Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
1.4.3.5 Example - Adjust Bandwidth for Application Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
1.4.4 Link Balancing and Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
1.4.4.1 How to Configure Outbound Loadbalancing and Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
1.4.5 Intrusion Prevention System or IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
1.4.6 How to Configure SSL Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
1.4.7 URL Filtering in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
1.4.7.1 URL Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
1.4.7.2 How to Configure URL Filtering in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
1.4.7.3 How to Configure URL Filter Overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
1.4.7.4 How to Grant URL Category Overrides - User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
1.4.8 Virus Protection in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
1.4.8.1 How to Configure Virus Protection in the Firewall for Web Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
1.4.8.2 How to Configure Virus Scanning in the Firewall for FTP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
1.4.9 Advanced Threat Detection (ATD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
1.4.9.1 How to Configure ATD in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
1.4.9.2 How to Manually Upload Files to ATD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
1.4.10 Mail Security in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
1.4.10.1 How to Configure Mail Security in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
1.4.11 How to Enforce Safe Search in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
1.4.12 How to Enforce YouTube for Schools in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
1.4.13 Custom Block Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
1.4.14 How to Configure Bandwidth Policies or QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
1.4.15 How to Create Interface Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
1.4.16 How to Configure the Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
1.4.17 How to Configure Google Accounts Filtering in the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
1.5 Managing Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
1.5.1 How to Configure Local Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
1.5.2 How to Configure an External Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
1.5.2.1 How to Configure Barracuda DC Agent Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
1.5.2.2 How to Configure MSAD Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
1.5.2.3 How to Configure NTLM Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
1.5.2.4 How to Configure LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
1.5.2.5 How to Configure RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
1.5.2.6 How to Configure TS Agent Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
1.5.2.7 How to Join a Windows Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
1.5.2.8 How to Configure Wi-Fi Access Point Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
1.5.2.8.1 Wi-Fi AP Authentication Aerohive Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
1.5.2.8.2 Wi-Fi AP Authentication Ruckus Wireless Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
1.5.2.8.3 Wi-Fi AP Authentication Aruba Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
1.5.3 How to Set Up a Guest Access Confirmation Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
1.5.4 How to Set Up Guest Access with Ticketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
1.5.5 How to Manage Guest Tickets - User's Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
1.6 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
1.6.1 Client-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
1.6.1.1 How to Configure a Client-to-Site VPN with Certificate Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
1.6.1.2 How to Configure a Client-to-Site VPN with Shared Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
1.6.1.3 How to Configure the Apple iOS VPN Client for IPsec Shared Key VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
1.6.1.4 How to Configure Apple iOS VPN Client for IPsec VPN with Certificate Authentication . . . . . . . . . . . . . . . . . . . . . . . 229
1.6.1.5 How to Configure the Android VPN Client for IPsec Shared Key VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
1.6.1.6 Troubleshooting Client-to-Site VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
1.6.1.7 How to Configure a Client-to-Site VPN with PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
1.6.2 Site-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
1.6.2.1 How to Configure a Site-to-Site VPN with IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
1.6.2.2 How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
1.6.2.3 How to Configure a Site-to-Site IPsec VPN to the Microsoft Azure VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
1.6.2.4 Example - Configuring a Site-to-Site IPsec VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
1.6.2.5 Troubleshooting Site-to-Site VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
1.6.2.6 How to Configure Authentication Through a Site-to-Site VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
1.6.3 How to Allow VPN Access via a Dynamic WAN IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
1.6.4 SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
1.6.4.1 How to Enable SSL VPN and CudaLaunch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
1.6.4.2 How to Configure SSL VPN Access via DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
1.6.4.3 SSL VPN User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
1.6.4.3.1 SSL VPN Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
1.6.4.3.2 SSL VPN Web Portal User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
1.6.4.4 SSL VPN Web Forwards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
1.6.4.4.1 How to Configure an Outlook Web Access Web Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
1.6.4.4.2 How to Configure a SharePoint Web Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
1.6.4.4.3 How to Configure a Generic Web Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
1.6.4.4.4 How to Configure a Tunneled Web Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
1.6.4.4.5 How to Configure Single Sign-On for Web Forwards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
1.6.4.5 SSL VPN Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
1.6.4.5.1 How to Configure SSL VPN Applications for RDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
1.6.4.6 How to Configure SSL Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
1.6.4.7 How to Configure Network Places . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
1.6.4.8 How to Use and Create Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
1.6.4.9 How to Configure NAC for SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
1.6.4.10 How to Configure VPN Templates in the SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
1.6.4.10.1 Self-Service VPN Provisioning for iOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
1.6.4.10.2 Self-Service VPN Provisioning on macOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
1.6.4.10.3 Self-Service VPN Provisioning on Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
1.7 Cloud Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
1.7.1 How to Configure the Barracuda Web Security Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
1.7.2 How to Connect to Barracuda Cloud Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
1.8 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
1.8.1 Monitoring Active and Recent Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
1.8.2 How to Configure SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
1.8.3 Barracuda NextGen Firewall X SNMP MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
1.8.4 Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
1.8.5 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
1.8.6 How to Configure Log Streaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
1.8.7 How to Configure Email Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
1.9 Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
1.9.1 How to Update the Firmware on Your Barracuda NextGen Firewall X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
1.9.2 How to Backup and Restore the Barracuda NextGen Firewall X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
1.9.3 How to Recover the Barracuda NextGen Firewall X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
1.9.4 How to Use and Manage Certificates with the Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
1.10 Management Tools and Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
1.10.1 Barracuda Report Creator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
1.10.1.1 How to Create Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
1.10.2 CudaLaunch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
1.10.2.1 CudaLaunch for Windows and macOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
1.10.2.2 CudaLaunch for iOS and Android . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
1.10.3 Barracuda Network Access and VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
1.11 Specifications of Hardware Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
1.11.1 Hardware Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Overview
The Barracuda NextGen Firewall X-Series is an application-aware network firewall appliance that is designed for organizations without dedicated
IT personnel to manage firewalls. It leverages cloud resources to extend next-generation security and networking beyond the capabilities of
typical security gateways or legacy firewalls. The Barracuda NextGen Firewall X-Series delivers application control, user awareness, secure
VPNs, link optimization, dynamic traffic prioritization, and advanced malware protection. It combines application-control and network-security
features with cloud technologies to provide up-to-date and dynamically scalable malware protection and content filtering. With the Barracuda
Cloud Control centralized management portal, you can use a web browser or app to deploy, configure, and manage the Barracuda NextGen
Firewall X-Series from any location.
Where to start
For detailed instructions, start here:
Getting Started
You can also download the Barracuda NextGen Firewall X-Series Quick Start Guide:
Quick Start Guide: English, German, Spanish, Italian, Turkish
Key features
Firewall – Provides powerful next generation capabilities. Application Control and user-identity awareness enable the enforcement of
granular access policies. You can define policies based on any combination of criteria, such as application, user, group ID, and time.
Barracuda Web Security Service – Leverages cloud resources by offloading processor-intensive content filtering and malware protection
to the cloud.
VPN – Enables secure remote access for users and provides business continuity by securing Site-to-Site connectivity.
Barracuda Cloud Control – Lets you manage and configure multiple Barracuda NextGen X-Series Firewalls from a single management
portal.
WAN Interfaces – Eliminate the need for costly high-capacity backup links by aggregating disparate links such as MPLS, T1, DSL, cable,
and 3G.
Bandwidth Policies (QoS) – Balance and shape traffic among links, according to policies based on applications, traffic loads, and link
status.
Documentation for Barracuda NextGen Firewall X-Series Version 6.1 is available as a PDF file.
Copyright Barracuda Networks 2015

Release Notes 7.1.X
Before you begin
Before updating, back up your configuration and read through the release notes for all versions more current than the version you are
currently running on your firewall.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Upgrading can take up to 10 minutes. If the process takes longer, please contact Barracuda Networks Technical
Support for further assistance.
Due to most modern browsers removing SSL VPN Java applet support CudaLaunch is required to retain SSL VPN functionality
previously handled via Java applets. An additional Remote Access Premium subscription is required. By default a one-user demo
license for CudaLaunch is included.
For more information, see How to Configure a Tunneled Web Forward and SSL VPN Applications.
What's new in Barracuda NextGen Firewall X-Series version 7.1.1.010
Barracuda NextGen Firewall X-Series version 7.1.1.010 is a maintenance release and contains no new features.
Firmware improvements
Updated bind to version 9.9.9-P4 to fix security vulnerability CVE-2016-8864. (BNF-6696)
Remote Access Gateway wizard
You can now deploy your X-Series Firewall as a remote access gateway behind your border firewall. This allows you to leverage the remote
connectivity options offered by the SSL VPN and client-to-site VPN services on the X-Series Firewall to offer easy remote connectivity for all your
users. The remote access gateway wizard can be launched separately or during the deployment.
For more information, see Getting Started and Deploy as Remote Access Gateway.
The Top 10 Application element now works as expected. (BNF-6583)

Health checks for a DNS record in the Authoritative DNS service now work as expected. (BNF-6595)
The Autostart wizard is now started automatically after the basic setup wizard. (BNF-6609)
Checking for duplicate certificate names by the Certificate Manger is now case insensitive. (BNF-6628)
OpenSSL update to resolve security vulnerability CVE-2016-6304. (BNF-6644)

Multiple SSL VPN improvements. (BNF-6591)

Virus Scanner and ATD startup improvements. (BNF-6579)
Site-to-site VPN tunnel stability improvements. (BNF-6570)
IPsec client-to-site VPN tunnel rekeying now works as expected. (BNF-6565)
Advanced Threat Detection (ATD)
Advanced Threat Detection offers protection against advanced malware, zero-day exploits, and targeted attacks that are not detected by the virus
scanner or intrusion prevention system. ATD analyzes files in the Barracuda ATD cloud and assigns a risk score. Local ATD policies then
determine how files with a high, medium, or low risk score are handled. You can configure administrator email notifications and/or enable one of
the automatic blacklisting policies. To check local files, you also have the option to manually upload a file via the management web interface.
For more information, see Advanced Threat Detection (ATD)
SSL VPN web portal redesign
The web portal is redesigned to give desktop and mobile devices a single responsive interface. The web portal is designed to automatically
display a version customized for the device type you are using.
For more information, see SSL VPN User Interfaces.
SSL VPN tunneled web forward
A tunneled web forward uses an SSL tunnel established by CudaLaunch to connect to a web server behind the firewall. The user's browser
connects to a localhost address (e.g., http://localhost:5678 ). A direct connection to the resource located behind the SSL VPN is then

established through the SSL tunnel. This type of web forward will only work as long as all links stay on the same destination host; it does not
modify the data stream.
For more information, see How to Configure a Tunneled Web Forward.
SSL VPN applications
Some tasks require the use of client-server applications. To connect with a service behind the SSL VPN service on the X-Series Firewall,
CudaLaunch establishes a secure tunnel and then automatically launches the locally installed application. The connection is terminated if the
session is closed or times out.
For more information, see SSL VPN Applications.
CudaLaunch 2.0
CudaLaunch 2.0 for iOS, Android, and now also for Windows and macOS is an update for the app that offers secure remote access to your
organization's applications and data from mobile devices. CudaLaunch 2.0 now also supports SSL Tunnels and SSL VPN Applications.
For more information, see CudaLaunch.
Time stamps on the BASIC > Alerts page now match the configured time zone settings. (BNF-6143)
Improved filtering on the LOGS > Firewall Log page. (BNF-6343, BNF-6344, BNF-6481)
Entering IP addresses in the failover and load balancing settings of a custom connection object is now possible. (BNF-6359)
Incoming NetBIOS traffic is no longer allowed on WAN interfaces. (BNF-6407)
The virus scanning block page now shows the correct URL for FTP over HTTP Proxy connections. (BNF-6465)
SSL Interception with certificate chains now works as expected. (BNF-6466)
The virus scanner result cache is now cleared after a virus pattern update. (BNF-6468)
Manually setting the bit rate for the Wi-Fi interface no longer results in poor bandwidth.
Improved URL categorization for SSL-intercepted hosts. (BNF-6474)
Editing the custom block page for the virus scanner now works as expected. (BNF-6480)
The BASIC > Status page no longer fails if the firewall has an uptime of more than a year. (BNF-6488)
Tool tips on the BASIC > Status pages now display the time correctly when set to auto refresh. (BNF-6130)
It is now possible to filter for Scan Exception on the BASIC > Recent Threat page. (BNF-6298)
You can now add a filter on the LOGS > Firewall Log page by clicking on the mouse-over magnifying glass icon next to the value you
want to filter for. (BNF-6378)
Migration instructions
Due to most modern browsers removing SSL VPN Java applet support CudaLaunch is required to retain SSL VPN
functionality previously handled via Java applets. An additional Remote Access Premium subscription is required. By
default a one-user demo license for CudaLaunch is included.
For more information, see How to Configure a Tunneled Web Forward and SSL VPN Applications.
Support for webDAV SSL VPN resources is discontinued and is no longer available after updating.
Known issues
IPsec client-to-site connections using the Android 6.0 and 6.1 native IPsec client are not possible. As a work-around, you can use
CudaLaunch instead. CudaLaunch requires a Remote Access Premium subscription.
Only first DNS and WINS servers are used for client-to-site tunnels.

Barracuda Report Creator is only available for Microsoft Windows 7, 8, and 10.
HA boxes in Barracuda Cloud Control are not read-only.
Virus scanning requires TCP Stream Reassembly to be enabled. The product will automatically do this when switching on Malware
Protection.

Release Notes 7.0.X
Please Read Before Upgrading
Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the
process takes longer, please contact Barracuda Networks Technical Support for further assistance.
What's New in Barracuda NextGen Firewall X-Series Version 7.0.1.005
Firmware Improvements
Fixed a rare case where configuring access rules caused an error in the WebUI. (BNF-6494)
Improvements to active and recent connections pages. (BNF-6494)
Updated OpenSSL to fix the following security vulnerabilities:

CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 (BNF-6413)
Creating log filters with empty values no longer breaks the LOG page. (BNF-6492)
Restoring from a cloud backup now works as expected. (BNF-6340)
Known Issues
Client-to-site VPN connections currently only use the first DNS and WINS server.
The Barracuda Report Creator is available only for Microsoft Windows 7, 8, and 10.
The secondary firewall in an HA cluster is not read-only when accessing the configuration through Barracuda Cloud Control.
Increased firewall engine stability. (BNF-6348)
Mail Security in the Firewall

The X-Series Firewall enforces mail security in the firewall by transparently scanning incoming and outgoing SMTP and SMTPS connections for
malware and by checking the reputation of the sender's IP address via a DNS blacklist (DNSBL).
For more information, see Mail Security in the Firewall and Virus Protection in the Firewall.
Virus Protection for FTP in the Firewall
The X-Series Firewall can transparently scan FTP traffic passing through the Forwarding Firewall service for malware. If malware is detected, the
file is discarded and the file transfer is terminated.
For more information, see Virus Protection in the Firewall and How to Configure Virus Scanning in the Firewall for FTP Traffic.
DHCP Relay
DHCP relaying allows you to share a single DHCP server across logical network segments that are separated by the firewall.
For more information, see How to Configure a DHCP Relay.
CudaLaunch
CudaLaunch offers secure remote access to your organization's applications and data from mobile devices. CudaLaunch is available for iOS and

Android devices via the Apple App Store or Google Play Store. Both versions offer the same functionality. Full Device VPN uses the same VPN
group policy.
NAC for SSL VPN
SSL VPN Network Access Control (NAC) limits access to the web portals of the SSL VPN service according to a variety of factors that are not
connected to the user. Users who fail the NAC check are not allowed to log in until they have a conforming system.
For more information, see How to Configure NAC for SSL VPN.
SSL VPN Web Forwards Improvements
Create web forwards to allow SSL VPN users to access web-based internal applications. There are predefined web forward types for Outlook
Web Access and SharePoint servers as well as generic settings that allow you full control over how the web content is rewritten.
For more information, see How to Configure an Outlook Web Access Web Forward, How to Configure a SharePoint Web Forward, and How to
Configure a Generic Web Forward.
SSL VPN User Attributes
User attributes are placeholder variables used to personalize web forwards or to configure single sign-on authentication. They are created by the
admin and filled in by the end user in either the desktop or mobile portal.
For more information, see How to Use and Create Attributes.
Single Sign-On for Web Forwards
Web forwards can be configured to automatically log the user in when accessing web forwards requiring authentication. Both HTTP and
form-based (POST, GET, and JavaScript) authentication is supported. User attributes allow you to use different user credentials than those used
to log into the SSL VPN to authenticate to a web application made available as a web forward.
For more information, see How to Configure Single Sign-On for Web Forwards.
SSL VPN Self-Provisioning for VPN Templates
The SSL VPN service allows end users to self-provision their VPN client on Windows, macOS, or iOS devices. To automatically download and
install the configuration, the user must log into one of the SSL VPN portals and click the VPN Template provisioning link. VPN templates are
created as a part of the client-to-site VPN configuration.
For more information, see How to Configure VPN Templates in the SSL VPN.
Barracuda Mobile Device Manager BETA

The Barracuda Firewall now supports connecting to the Barracuda MDM using your Barracuda Cloud Control account. Configurations for
Client-to-site VPN, PPTP and Wi-Fi connections can be pushed to your MDM managed mobile phones. This is a beta feature and should not be
used in a production environment. MDM support is enabled on the BASIC > Cloud Control page.
For more information, see Barracuda Mobile Device Manager.
Disabling IPS in an access rule is now displayed correctly in the access rule list. (BNF-6068)
Disabling a Wi-Fi access no longer requires you to enter a passphrase. (BNF-6041)
Generating certificates on smaller appliances no longer times out. (BNF-6039)
Removing VPN certificates now works as expected. (BNF-5994)
Restoring a backup to a unit with a different serial number now works as expected. (BNF-5987)
Deleting entries with capital letters in the Authoritative DNS configuration now works as expected. (BNF-5889)
Management web interface now uses the following cipher string: HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!
aNULL. (BNF-5913)
Migration
Existing SSL VPN web forwards are automatically migrated to generic web forwards during the update. Verify the functionality of the web
forwards and, if necessary, recreate the web forwards. For more information, see How to Configure an Outlook Web Access Web
Forward, How to Configure a SharePoint Web Forward, and How to Configure a Generic Web Forward.

Release Notes 6.8.X
If you are using local antivirus scanning, Barracuda Networks recommends upgrading all Barracuda NextGen Firewall X-Series
(versions 6.6X, 6.7X, and 6.8X) to this firmware version for uninterrupted antivirus security coverage.
In order for the changes to take effect, please restart the Virus Protection service by performing the following actions:
1. Go to Firewall > Settings

2. In the Virus Protection section, set Enable Virus Protection to No.
3. Click Save to apply the changes.
4. Enable Virus Protection by setting Enable Virus Protection to Yes.
5. Click Save to apply the changes.
Updates the authorization key for the embedded Avira Anti-Virus engine (BNF-6577)
To protect yourself against CVE-2016-0800 (DROWN) Barracuda Networks recommends to disable SSLv2 for all services. SSLv2 is
disabled in the factory default settings. Check your SSLv2 settings in the following service configurations:
Firewall > Captive Portal > HTTPS CONFIGURATION > Encryption

VPN > SSL VPN > Server Settings
Disabling SSLv2 disables the SSLv2 protocol not just SSLv2 ciphers for captive portal, URL Filter override and guest access web
interfaces. (BNF-6267)
Updated glibc library to mitigate potential remote code executions via specially crafted DNS response messages. (CVE-2015-7547)
Entering the certificate name and SUBALT name in the TS Agent authentication advanced settings now works as expected. (BNF-6061)
Entering data in the time dialogues using Firefox browsers now works as expected. (BNF-6054)
Updated online help for the HTTPS Configuration on the FIREWALL > Captive Portal page to match the UI. (BNF-6006)
Removing certificates assigned to the VPN service now works as expected. (BNF-5994)
Accessing ADVANCED > Backup via Barracuda Cloud Control now works as expected. (BNF-5976)

Saving Balancing settings for DNAT access rules now works as expected. (BNF-5972)
The SIP proxy now passes the correct connection information to internal phones. (BNF-5962)
Saving health check probe IP addresses now works as expected. (BNF-5945)
Updated BIND to fix security vulnerability CVE-2015-8704 and CVE-2015-8705. (BNF-6139)
Updated glibc library to mitigate potential remote code executions via specially crafted DNS response messages. (CVE-2015-7547)
Updated BIND to fix security vulnerability CVE-2015-8704 and CVE-2015-8705. (BNF-6139)
The SIP proxy now passes the correct connection information to internal phones. (BNF-5962)
Updated BIND to version 9.9.8P2 to fix the security vulnerability CVE-2015-8000.
URL Filter Override
URL Filter Overrides grant temporary access to otherwise blocked URL categories. URL categories that are set to the override policy redirect the
user to the customizable Override Block page. The override admin must grant the request for a specified time. After the request is granted, the
user is automatically forwarded to the website. Overrides are always granted for the entire URL category.
For more information, see URL Filtering in the Firewall, How to Configure URL Filter Overrides and How to Grant URL Category Overrides - User
Guide.
Wi-Fi AP Authentication
The Barracuda NextGen Firewall X-Series can authenticate users by using the authentication information from Aerohive, Aruba, and Ruckus
wireless access points.
For more information, see How to Configure an External Authentication Service.
Release a DHCP Lease

The Barracuda NextGen Firewall X-Series now supports clearing existing DHCP leases for inactive DHCP clients. The DHCP lease is then
available for other DHCP clients.
For more information, see How to Configure the DHCP Server
It is no longer possible to create static interfaces using main as the interface name. (BNF-5918)
Creating access rules no longer shows a warning in Firefox. (BNF-5910)
Disabling SSLv3 in ADVANCED > Secure Administration now works as expected. (BNF-5908)
Added option to use a VLAN interface for PPPoE connections. (BNF-5890)
Initiating a manual backup no longer changes the language of the web interface to the default language of the browser. (BNF-5855)
The Protect my Network wizard now shows the correct error message when configuring overlapping subnets. (BNF-5829)
Editing list-based application objects now works as expected. (BNF-5816)
Accessing the recovery console via directly attached VGA monitor and keyboard now works as expected. (BNF-5775, BNF-5813)
Enabling Barracuda Web Security Service now works as expected. (BNF-5798)
It is now possible to enter up to four DNS servers in the DHCP subnet configuration. (BNF-5763)
It is now possible to change the local certificate used for client-to-site VPN connections. (BNF-5749)
Newly created access rules are now displayed correctly in the ruleset. (BNF-5728)
Spotify on iOS devices is now detected correctly. (BNF-5554)
Updated OpenSSL to version 0.9.8zf to fix multiple vulnerabilities. (BNF-4718, BNSEC-5294)
Added option to configure VLAN ID for PPPoE connections. (BNF-5887)

Updated bootloader configuration. (BNF-5869)
Fixed a memory leak in the Firewall service. (BNF-5862)
It is now possible to set 0.0.0.0/0 as remote gateway IP address for IPsec VPN connections.
Barracuda NextGen Firewall X-Series now supports SHA256 and SHA512 as a choice for VPN site-to-site hash algorithms.
Changed the Block Page editor font to be monospace instead of proportional. (BNF-5692)
Added a user authentication timeout to the Web Security Service settings so that customers can decide for how long the userid
submitted to the Web Security Service should be considered valid. (BNF-5669)
Changed the default in the Certificate Manager for creation of new certificates. The check box: Disallow Private Key Download is now
enabled per default for newly uploaded or created certs. (BNF-5731)
Log file rotation now works and starts as expected. (BNF-5759)
Fixed an issue where under heavy load the logs could fill up the log space before being automatically deleted. (BNF-5745)
Fix for CVE-2015-5477. (BNF-5753)
Fixed an issue where the VPN wizard created a certificate in the Certificate Manager that could not be deleted. (BNF-5744)
Fixed an issue where DHCP over a Wi-Fi interface that is also part of a bridge setup did not work correctly after box reboot. (BNF-5741)
Fixed an issue where the pop-up dialog for time and date in BASIC > Administration > TIME settings disappeared before the user could
enter data. (BNF-5740)
Fixed an issue where the VPN CERTIFICATE POOL check failed when default was selected as certificate. (BNF-5715)
Fixed an issue where the Certificate Manager on model X100 showed SSL-VPN as usage although the X100 does not support SSL
VPN. (BNF-5712)
Fixed an issue where it was not possible to add more than one SRV DNS record in the Authoritative DNS configuration. (BNf-5708)
Fixed an issue where the Summary screen of the Protect my network wizard contained incorrect information. (BNF-5700)

Fixed an issue where the weight values of network connection objects could not be changed. (BNF-5682)
Fixed an issue where the pop-ups in Advanced > Troubleshooting remained empty if the Barracuda NextGen Firewall X-Series was
running for several days. (BNF-5671)
Fixed an issue where the CUSTOM FIREWALL ACCESS RULES window did not show a scroll bar. (BNF-5665)
Safe Search
Protect users behind a Barracuda NextGen Firewall X-Series from undesired content in search results by enabling Safe Search for the access
rules handling web traffic. No configuration is required on the clients. The necessary parameters are automatically appended to the URL when
the request is forwarded by the X-Series Firewall. Safe Search is supported for Google, Bing, and Yahoo search engines.
For more information, see How to Enforce Safe Search in the Firewall.
YouTube For Schools
The Barracuda NextGen Firewall X-Series can transparently add YouTube for Schools restrictions for all connections the X-Series
Firewall forwards to YouTube without the need to configure the clients. YouTube for Schools is configured directly in the access rules matching
HTTP and HTTPS traffic connecting to YouTube.
For more information, see How to Enforce YouTube for Schools in the Firewall.
Custom Block Pages
You can customize the block pages for Virus Scanner, URL Filter, Application Control, and SSL Inspection. Each page has a predefined list of
placeholder objects that are replaced on-the-fly by the Barracuda NextGen Firewall X-Series when the block page is delivered to the client. HTTP
connections blocked by a Block or Reset access rule can be redirected to an HTTP block page.
For more information, see Custom Block Pages.
Transparent Redirection
The Barracuda NextGen Firewall X-Series can transparently redirect all HTTP and HTTPS traffic to a Barracuda Web Filter or any other HTTP or
HTTPS processing device. The Web Filter can then process the HTTP/HTTPS request using the original source and destination IP addresses.
This allows the Web Filter to create meaningful statistics and connection information.
For more information, see How to Configure a Transparent Redirection to a Barracuda Web Security Gateway.
URL Filter Improvements

In addition to Allow and Block, URL categories can now also be set to Warn or Alert. Warn allows the user to access the websites after clicking
Continue on the URL Filter warning page. Alert silently logs that the user has accessed the website.
For more information, see URL Policy Objects.
Schedule Objects
Schedule objects are used as an additional matching criteria to restrict access and/or application rules to specific times and intervals. Schedule
objects offer time granularity in minutes and completely replace time objects.
For more information, see Schedule Objects.
The Connection Object pop-over no longer displays the section title twice. (BNF-5622)
Setting encryption settings for the Captive Portal now works as expected. (BNF-5620)
It is now possible to create certificate signing requests (*.csr) with the Certificate Manager. (BNF-5598)
Added support for SHA256 and SHA512 to Phase 2 of the IPsec site-to-site configuration. (BNF-5595)
It is now possible to restart the authentication service on the ADVANCED > Expert Settings page. Append &expert=1 to the URL to
enable expert mode. (BNF-5592)
Encapsulation for IPsec tunnels using NAT-T is now set correctly. (BNF-5571, BNF-5495)
Cloning Application Based Connection Objects now works as expected. (BNF-5559)
Migrating SSL Interception certificates containing multiple (intermediate) certificates now works as expected. (BNF-5541)
Alerts listed on the BASIC > Alerts page are now sorted from newest to oldest. (BNF-5536)
The Directory browser now also works in combination with DC Agent authentication. (BNF-5513, BNF-5401)
It is now possible to use an @ in the SSID name. (BNF-5511)
Client-to-Site VPN traffic is no longer blocked if there is a MAC-based access rule. (BNF-5479)
Health check for external zones now works as expected. (BNF-5339)
Client-to-Site IPsec PSK connections no longer fill up the hard drive with excessive logging. (BNF-5241)
YouTube for Schools now works as expected when applying configuration changes to the unit. (BNF-5670)
Important Migration Steps
If the VPN Certificate Pool on the VPN > Settings page is set to default, make a dummy change to the VPN > Client-to-Site VPN confi
guration.
Known Issues and Limitations for 6.8
After saving an access rule or application policy for which you used the inline Create New feature, you must reload the page twice for the
rule or policy to be displayed in the ruleset.
The Barracuda NextGen Firewall X-Series is designed to be used with a display resolution of 1280x1024 or higher. Use the browser
zoom function to use the management interface on screens with a lower resolution.
When editing an access rule on a screen with a resolution of less than 1280x1024, the browser zoom function must be used to view the
entire pop-over.
Safe Search cannot be enforced on Google Chrome browsers using the experimental QUIC protocol. Blocking UDP port 80 and 443 for
clients using Google Chrome resolves this issue.
Smaller Barracuda NextGen Firewall X-Series models may take up to 10 minutes to verify the update package causing a browser
timeout. Log in again to apply the update.
The SIP proxy cannot be used for external Barracuda Phone appliances. Use access rules to open the necessary ports instead.
If appending a port to the first target IP address of a DNAT access rule, the port is applied to all target IP addresses.
Barracuda NextGen Report Creator is only available for Windows 7, 8, and 8.1.
Inline editing or creation of connection objects is not possible for application-based connection objects.
Application-based connection objects cannot be renamed.
Application-based connection objects must be saved before adding link policy objects.

Barracuda Firewall Release Notes 6.7.X
What's New in Barracuda Firewall Version 6.7.0.022
Application-Based Link Selection
Application-based connection objects allow you to select the Internet connection based on the application. Application-based link polices can be
defined for individual applications or application categories. Traffic that does not match one of these policies is sent using the default connection
object.
For more information, see Application Based Connection Objects.
Certificate Manager
The Barracuda Firewall uses the Certificate Manager as a central repository to manage all X.509 certificates on the device. You can create
self-signed certificates or upload your own certificates. All certificates are available for all Barracuda Firewall services, as long as they meet the
requirements for that service.
For more information, see How to Use and Manage Certificates with the Certificate Manager.
Email Notification

The Barracuda Firewall can alert the administrator of important system events by sending notification emails. You can configure a notification
email policy for each event. To limit the number of emails for frequently occurring events, you can define up to three thresholds. Thus, the
administrator will receive an email only when the number of events exceeds the threshold set in the timespan. The following events can trigger
email notifications:
For more information, see How to Configure Email Notifications.
Destination NAT Load Balancing
To redirect to more than one server in cycle (round robin) or fallback mode, you can enter multiple IP addresses or use a network object
containing multiple IP addresses for DNAT access rules. It is also possible to redirect to a different port by appending the port after the IP
address.

For more information, see Firewall Rules and Example - Configuring a DNAT Access Rule.
Inline Editing of Firewall Objects

Barracuda Firewall firmware 6.7.0 adds the option of editing or creating objects directly in the UI element they are referenced from. For example,
you can now create a network object in a second popover when creating an access rule without having to break the workflow.
Usability Improvements for DHCP Server Configuration
The DHCP server configuration has been reworked to improve useability. The DHCP server subnet list now also shows which port is used by the
DHCP subnet.
Authoritative DNS Server Improvements
The DNS server now allows you to distinguish between internal, external, and combined zones on a per-domain basis and automatically creates
PTR records when creating A records.
For more information, see Authoritative and Caching DNS.
VPN Split Tunnel Mode
Enabling the split tunnel mode for a Client-to-Site VPN allows only the client access to the networks published for the Client-to-Site VPN. This
feature is available only for Windows clients using the full-featured Barracuda Network Access Client.
SSL VPN Mobile Portal
The Barracuda Firewall SSL VPN mobile portal provides a user-friendly interface with a service bar where users can launch available web
resources that have been made accessible by the Barracuda Firewall. Users can navigate through the resources and add shortcuts to a favorites
list.The Barracuda Firewall SSL VPN mobile portal supports most commonly used devices, e.g., Apple iOS, Android and Blackberry.
For more information, see SSL VPN for the Barracuda NextGen Firewall X, Mobile Portal User Guide and Supported Mobile Devices.
Local Disk Backup and Restore
The Barracuda Firewall now automatically creates up to 24 hourly backups directly on the local disk of the unit. These backups can be restored
directly via Web UI or from the recovery console.
For more information, see How to Backup and Restore the Barracuda NextGen Firewall X.
Improved stability of the virus scanner engine during pattern updates. (BNF-5175)
Using the URL Filter when accessing heavy, interactive websites now works as expected. (BNF-5276)
You can now block just a subset of a URL. (BNF-5269)
The SIP Proxy now reacts gracefully when failing to open additional dynamic ports. (BNF-5220)
Custom application objects are now displayed correctly in the Application and Details columns on the BASIC > Active and Recent
Connections pages. (BNF-5193)
A warning popup is displayed when an SNMP source IP address is not a part of the Management ACL. (BNF-4881)
Added popup to advise user to enable TCP Stream reassembly when enabling virus scanning in the Firewall. (BNF-4859)
DC Agent authentication now works as expected. (BNF-4845)
It now possible to use * wildcards when filtering on the BASIC > Active and Recent Connection pages. (BNF-4723)
MSAD authentication now supports multi-domain login management by enabling Check Domain Names in the MSAD configuration.
(BNF-4690)
Yahoo Japan (yahoo.jp), Yahoo Mail Japan, and AOL Japan (aol.jp) are now detected by Application Control. (BNF-4683)
The support tunnel now reliably starts when triggered via the WebUI. (BNF-4644)
Editing service objects now works as expected. (BNF-4598)
The Directory Browser now correctly displays error messages. (BNF-4565)
Reverse Lookup zones are automatically created when adding an A-type DNS record. (BNF-4252)
Filtering for information contained in the Info column on the Recent Connections page now works as expected. (BNF-4217)
Added a validation check to avoid the HA partner from being excluded by the Management ACL. (BNF-4148)
In an HA cluster the Wi-Fi ticketing information is now synced to the secondary box. (BNF-3733)
When using Barracuda Cloud Control, the secondary unit of an HA cluster now mirrors the behavior of standalone secondary units.
(BNF-2636)
PPTP clients now show the username in the Name column on the VPN > Active Clients page. (BNF-1386)
If you are using an intermediary certificate bundled with a root certificate or a certificate chain as the SSL Inspection root certificate the
certificate is not migrated to the new certificate manager. You must reupload the complete certificate bundle to the new certificate
manager.

Replace all certificates with a expiration date after 01.01.2038 before updating to 6.7.0. Please note that certificates with an expiration
date after 01.01.2038 are not supported by this firmware version.
If the VPN Certificate Pool on the VPN > Settings page is set to default make a dummy change to the VPN > Client-to-Site VPN confi
guration.
Known Issues and Limitations for 6.7.0.022
In some cases certificates with a expiration date after 01.01.2038 are unusable after updating from 6.6.2 to 6.7.0.
Smaller Barracuda Firewall models may take up to 10 minutes to verify the update package causing a browser timeout. Login again to
apply the update.
The SIP proxy can not be used for external Barracuda Phone appliances. Use Access rules to open the necessary ports instead.
If appending a port to the first target IP address of a DNAT access rule, the port is applied to all target IP addresses.
Barracuda Report Creator is only available for Windows 7, 8 and 8.1.
Creating / Editing Firewall Access Rule: In the “Connection” portion the inline creation only allows to create a regular connection object,
not an application based connection object.
Inline edit of connection objects is not possible for application based connection objects.
Application based connection objects can not be renamed.
Application based connection objects must be saved before adding link policy objects.
Certificate manager and application based connection objects currently can not be configured via the Barracuda Control Center.
In rare cases, using the Ping, Telnet, or Dig commands in Advanced > Troubleshooting results in an empty pop-up window. Clicking Relo
ad in the Basic > Administration tab resolves this issue.

Barracuda Firewall Release Notes 6.6.X
Security Advisories
Barracuda Firewall Release 6.6.2.006
6.6.2.008 includes OpenSSL updates to fix vulnerabilities described in the following security advisories:
CVE-2015-0286
CVE-2015-0287
CVE-2015-0289
CVE-2015-0292
CVE-2015-0293
All Barracuda Firewalls automatically received BNSEC-2.1.15715 (2015-01-30) to fix vulnerabilities described in security advisory
CVE-2015-0235 (GHOST). If you disabled Automatic Updates, update to version 6.6.1.002.
6.6.0.019 includes updates to mitigate potential man in the middle attacks due to security vulnerability CVE-2014-3566 (POODLE). The
following software modules are vulnerable to attacks described in the security advisory:
User Interface – As of version 6.6.0.019, SSLv3 is disabled by default. If you must support older browsers without
TLS support, you can enable SSLv3 in the expert settings on the ADVANCED > Secure Administration page.
Append &expert=1 to the URL to display expert variables.
SSL VPN, Captive Portal, and Guest Access – Old browsers that include support only for SSLv3 can connect to
these services by using the SSLv3 protocol. Connections by browsers supporting the newer TLS protocols are not
allowed to fall back to SSLv3.
What's New in Barracuda Firewall Versions 6.6.2.006 and 6.6.2.008
Barracuda Firewall version 6.6.2.008 is a maintenance release and contains no new features.
Improved HTTP and HTTPS stability and connectivity when using SSL Inspection and Virus Protection in the Firewall. (BNF-4860)
It is now possible to use more than 64 URL Filter whitelist or blacklist entries. (BNF-4877)
Content of predefined Service objects is now displayed as expected. (BNF-4556)
DC Agent authentication now works as expected. (BNF-4865)
Using wildcard characters on the Live and Recent Connection pages now works as expected. (BNF-4632)
Joining the Barracuda Web Security Service now works as expected. (BNF-4876)
Improved connection handling for MSAD authentication. (BNF-4778)
Enable TCP Stream Reassembly in FIREWALL > Settings if you are using Virus Protection in the Firewall.

The correct format for the Path of a custom application object is: Remove the first / and escape wildcard characters (* and ?) that are part
of the Path with a backslash (\). For example if the URL is https://example.com/user/search.do?resetForm=yes the path can be entered
as: user/search.do\?resetForm* where the * is used as a wildcard character and ? is escaped with a backslash because it is part
of the original URL.
Barracuda Firewall version 6.6.1.005 is a maintenance release and contains no new features.
It is now possible to open the support tunnel via Barracuda Cloud Control. (BNF-4918)
Changing timezone and management IP address via wizard now works as expected. (BNF-4964)
Test at my desk wizard no longer offers the option to set the default gateway. (BNF4953)
DNS servers are optional in the Basic Setup Wizard. (BNF-4952)
Checking the Barracuda Websecurity subscription expiration now works as expected. (BNF-4977)
The offline activation link is no longer shown in the dashboard. (BNF-4951)
Barracuda Firewall version 6.6.1.002 is a maintenance release following 6.6.1.001 EA to fix the security vulnerability described in CVE-2015-0235
(GHOST).
New Basic Setup Wizard
To make setting up a new Barracuda Firewall easier, the new Basic Setup Wizard will guide you through configuring all basic settings required to
get up and running. You can also launch the Wizard from the ADVANCED > Wizard page.
Firmware Notification
The Barracuda Firewall now notifies the admin if a new firmware version is available. If automatic updates for Security Definitions are disabled,
you will also be notified if new Security Definition updates are available.
Configurable Gateway Health Check for PPPoE and PPTP

You can now configure how frequently the gateway IP address for a PPPoE or PPTP connection is pinged and after how many failed probes the
connection is restarted.
Virus Protection
The Barracuda Firewall now scans these additional MIME types by default:
MS Office
Android APK
PDF
Web Interface
Opening a support tunnel in the web interface now works as expected. (BNF-4663)
BASIC > Active Connections now display values in the Bytes/s column as expected. (BNF-4596)
Filters for the Info column on the BASIC > Recent Connections page now work as expected. (BNF-4577)
Testing the configuration for external authentication servers defined in Users > External Authentication no longer return false positives.
(BNF-4566)
The SSL Inspection section on the FIREWALL > Settings page now displays as expected when using Mozilla Firefox. (BNF-4543)
Input validation was fixed to avoid Active Directory users in the DOMAIN\user format. (BNF-4415)
Increased web interface timeout to fix "Internal Error Occurred" messages. (BNF-4333)
Save and Cancel buttons are now disabled after the form has been submitted. (BNF-4286)
Firewall
Adding additional entries to an existing NAT object now works as expected. (BNF-4503)
Redirect to Service Access rules with the redirecting to the SSL VPN service now work as expected when the Barracuda Web Security
Service is enabled. (BNF-4410)
Fixed rare Traffic Shaping issue causing the system to crash. (BNF-4393)
By default SSLv3 is disabled for SSL Inspection to mitigate the OpenSSL POODLE vulnerability. If needed, you can enable SSLv3 for
SSL Inspection in FIREWALL > Settings. (BNF-4641)
Barracuda OS
Network interruptions no longer occur on Barracuda Firewalls that do not have a Web Security Subscription. (BNF-4665)
Dynamic network interfaces with PPTP enabled no longer start automatically when the connection start method is set to manual.
(BNF-4497)
MS-CHAP authentication configuration no longer requires a WINS server. (BNF-4463)
Barracuda Cloud Control
Health State for the Barracuda Firewall is now displayed as expected on the Status page of the Barracuda Control Center. (BNF-4510)
Charts on the Status page now display as expected in the Barracuda Control Center (BNF-4510)
Help button now works as expected in Barracuda Cloud Control. (BNF-4511)
Report Creator
The login to the Barracuda Firewall from the Barracuda Report Creator works as expected. (BNF-4417)
Barracuda Web Security Service
Unauthenticated users are now able to connect via Web Security Service when Enforce Authentication is set to No, and Include User
Information is set to YES. (BNF-4317)
Firmware Update – Your session may time out during verification of the update package on the smaller X100 and X200 Barracuda
Firewalls. Log in again to complete upgrading.

Backup – It is not possible to restore old 6.0.X, 6.1.X or 6.5.X backups on a Barracuda Firewall using firmware 6.6.0 or newer.
Barracuda Report Creator – Only available for Microsoft Windows 7 and 8.
If you are experiencing problems with accessing streaming video or audio for connections using SSL Inspection, enable TCP Stream
Reassembly in FIREWALL > Settings.
What's New with Barracuda Firewall Version 6.6.0.019
Virus Protection
The Barracuda Firewall now supports both virus protection on the box and in the Cloud using the Barracuda Web Security Service. On-box virus
protection is enabled individually for each access rule. If a virus or malware is detected, the file is discarded and the user is redirected to a block
page. Detected viruses and malware are displayed on the BASIC > Recent Threats page. An active Web Security subscription is required to use
virus protection on the Barracuda Firewall.
SSL Inspection for Virus Protection and IPS
SSL inspection can now be used in combination with virus protection and the Intrusion Prevention System (IPS). If you do not want to scan
certain websites you can now define URL Filter categories which will be exempted from SSL inspection.
Authoritative DNS
The updated ADNS service can now serve ADNS requests on both static and dynamic interfaces. You can define a health check per IP entry in a
DNS record. IP entries for which the health check fails are excluded from DNS responses.
Terminal Server Agent
The Terminal Server Agent allows the Barracuda Firewall to enforce user policies for users logged in to a Microsoft Terminal Server 2008 R2 or
newer. The Barracuda Terminal Server Agent on the Microsoft Terminal Server will transmit all user information to the Barracuda Firewall over an
optionally SSL encrypted connection.
SIP Proxy Enhancements
The Barracuda Firewall now provides more control and access to advanced settings for the SIP proxy.
Health Checks for Static Routes
You can now define health check targets for a static routes. The Barracuda Firewall will periodically ping all IP addresses defined as a reachable
IP for the custom route. When one or more of these IP addresses are no longer reachable, the route is disabled until they are reachable again.
You can define the heath check targets by clicking Options next to the custom route and adding IP addresses to the reachable IPs list.
Wizard for VPN Setup
It is now possible to create client-to-site VPN connections by using the Remote Access For my Users wizard (ADVANCED > Wizards). The
wizard will guide you through the process of creating a client-to-site VPN for your mobile devices and remote users.
Additional DHCP Server Options
The Barracuda Firewall now provides additional DHCP options. Vendor Options and Client IDs can now be specified in the DHCP server
configuration.
LDAP and Active Directory Authentication Browser
To simplify the creation of user and group policies the Barracuda Firewall now provides an easy-to-use interface to search through your LDAP or
Active Directory servers. Users and groups can be added directly from the authentication browser to user objects.
Web Interface
Unknown applications are now displayed correctly. (BNF-4116)

It is no longer possible to save a SNMP configuration without setting the SNMP version parameter. (BNF-4057)
Browser certificate for SSL Inspection can now optionally be downloaded directly by users. (BNF-4021)
The MAC address column in the Interface table on the NETWORK > Routing page now displays the MAC addresses as expected.
(BNF-4001)
Input and output interface now displayed correctly in BASIC > Active Connections. (BNF-3930)
Saving the dashboard presets now works as expected. (BNF-3877)

Filtering for Type in BASIC > Application Monitor now works as expected. (BNF-3876)
Fixed input validation for creating a new connection object. (BNF-3872)
Fixed input validation for creating a new service object. (BNF-3869)
Filtering for Severity on the VPN > Service Log now works. (BNF-3863)
Fixed duplicate custom widget issue on the BASIC > Status page. (BNF-3444)
Firewall
Fixed activating/disabling redirect-to-service access rule for Barracuda Web Security Service. (BNF-3786)
Barracuda OS
The Protect My Network wizard now works as expected when creating a new interface of the same type on the same interface.
(BNF-3926)
DHCP Server
The DHCP server now works as expected on bridged interfaces. (BNF-4072)
QoS
Values entered for QoS Choke Limit are now validated correctly. (BNF-4073)
QoS Internet Degradation Threshold now works as expected. (BNF-4056)
Fixed the QoS profile for system updates. (BNF-3976)
Resetting the QoS values now works as expected. (BNF-3820)
Bandwidth Policies are now displayed and assigned correctly. (BNF-3685)
High Availability
Users > Guest Access Login page options are no longer editable on the secondary HA unit. (BNF-3919)
PPTP options are no longer editable on the secondary HA unit. (BNF-3918)
Forwarding Proxy settings are no longer editable on the secondary HA unit. (BNF-3917)
SNMP Manager settings are no longer editable on the secondary HA unit. (BNF-3916)
VPN
Static IP address assignment is no longer allowed when using PPTP with MS-CHAPv2 or NTML authentication. (BNF-3876)
Uploading password protected PEM certificates is no longer allowed. (BNF-3757)
Fixed automatic network objects for site-to-site VPNs. (BNF-3711)
Displayed route status for PPTP client-to-site VPN interface fixed. (BNF-3642)
SSL VPN
The Tunnel Client Application parameter is no longer disabled after selecting IMAP4, POP3 and SMTP for an application resource.
(BNF-3915)
Fixed missing WebDAV sharename parameter when editing Network Places. (BNF-3914)
Wi-Fi
A warning message displays if you try to edit a static Wi-Fi interface or a DHCP Server configuration using a disabled Wi-Fi interface.
(BNF-4051)
Fixed Wi-Fi configuration validation. (BNF-4030)
Guest Networks
RADIUS authentication now works with the captive portal as expected. (BNF-3905)
The Wi-Fi networks are now selectable as a guest network. (BNF-3861)
Captive portal authentication errors are now logged to LOGS > Authentication Log. (BNF-3434)
Backup
It is now possible to use a relative path for FTP backups. (BNF-3458)
Firmware Update – Your session may time out during verification of the update package on the smaller X100 and X200 Barracuda
Firewalls. Log in again to complete upgrading.
Backup – It is not possible to restore old 6.0.X, 6.1.X or 6.5.X backups on a Barracuda Firewall using firmware 6.6.0 or newer.
Web Interface – On the BASIC > Active Connections page the Bytes/s column always shows 0.00.
Notifications – System alert email notifications are currently not correctly delivered to configured recipients.

If you are using one of the following features, complete the listed instructions to complete the migration:
Traffic Shaping (QoS) – Go to FIREWALL > QoS and do a dummy change to activate new QoS settings for firmware updates.

Barracuda Firewall Release Notes 6.5.x

6.5.3.002 includes updates to mitigate potential man in the middle attacks due to a security vulnerability in the SSLv3 protocol.
Some software modules of the Barracuda Firewall are vulnerable to attacks described in the security advisory CVE-2014-3566
(POODLE).
Barracuda Networks highly recommends to update your Barracuda Firewall to version 6.5.3.002.
Affected portions of the Barracuda Firewall and possible attack vectors
User Interface – Starting with version 6.5.3.002 SSLv3 is disabled per default. If you must support older browsers without TLS
support, you can enable SSLv3 in the expert settings on the ADVANCED > Secure Administration page. Append &expert=
1 to the URL to display expert variables.
SSL VPN, Captive Portal and Guest Access – Old browsers which only include support for SSLv3 can connect to these
services using the SSLv3 protocol. Connections by browsers supporting the newer TLS protocols are not allowed to fall back
to SSLv3.
This firmware version is a maintenance release only. No new functionality has been added.
When the Barracuda Firewall is not connected to the Internet or has no route to the Internet, network configuration now works as
expected. (BNF-4426)
It is now possible to configure Static Network Interfaces on unactivated Barracuda Firewalls. (BNF-4482)
Web Interface
Added expert setting to disable SSLv3 for the web interface.
Web Interface
The user interface now displays warning messages, if disabled static Wi-Fi interfaces are configured. (BNF-4050)
The Wi-Fi configuration now works as expected. The number sign (#) is no longer supported in pre-shared keys, location
information is now mandatory, SSID must be unique across all Wi-Fi access points, and Wi-Fi configuration automatically enables
corresponding DHCP ranges if configured. (BNF-4029)
The Preferences configuration of IPs events now works as expected. (BNF-3086)

Firewall
Redirect to Guest Ticketing now also works on a Barracuda Firewall X100. (BNF-4028)
Barracuda OS
Updating Barracuda Firewalls deployed behind a proxy server now works as expected. (BNF-3964)
Support tunnels can now also be initiated from a secondary unit of a HA cluster. (BNF-3870)
Configuration backups erroneously included secondary management IP addresses of the unit. (BNF-4017)
DHCP
The DHCP service now starts correctly if the configuration contains a disabled Wi-Fi interface. (BNF-3963)
Web Interface
When saving a form the Save and Cancel buttons can no longer be clicked multiple times. (BNF-4285)
Logout button in Basic > User Activity now works as expected. (BNF-3596)
It is no longer possible to change the management IP address when using the Barracuda Cloud Control. (BNF-3608)
Network interface configuration is now disabled when displayed in group context on the Barracuda Cloud Control. (BNF-3607)
Showing two identical static network interfaces in group context on Barracuda Cloud Control now works as expected. (BNF-3653)
Network, service, connection, NAT and user objects now work in group context on the Barracuda Cloud Control. (BNF-3640)
Web Interface
Fixed a security issue when invoking the Logout action. (BNF-3598)

Entering the password on the BASIC > Cloud Control page when connecting to Barracuda Web Security Service now works as expected.
(BNF-3618)
The log navigation and preference elements now display as expected on the Log pages. (BNF-3574)
Task manager items are now removed when task is complete. (BNF-3284)
Renaming elements on the Status page now works as expected when using Firefox. (BNF-3366)
Improved input validation for IP addresses and networks. (BNF-3287)
Changes naming for current VPN throughput from "bps10" and "BPS" to Bytes/10seconds. (BNF-3484)
Input validation for DynDNS usernames corrected to allow dashed in the username. (BNF-3669)
Fixed UI bug in source column of FIREWALL > Application Rules. (BNF-3369)
Network interface table on the BASIC > IP Configuration page now shows duplex and state information for every link. (BNF-2168)
The Add Dynamic Network Interfaces button on the BASIC > IP Configuration page is disabled if all ports are already in use.
(BNF-3515)
A warning is displayed if you enter a gateway route which cannot be reached directly. (BNF-3235)
NTP is automatically activated for the management IP if it is enabled on BASIC > Administration. (BNF-3544)
Barracuda OS
Upgrade of OpenSSL to fix CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470 and
CVE-2014-0076. (BNF-3714)
Authentication Logs now contain information on captive portal authentications. (BNF-2719)
Querying multiple domain controllers now works as expected even if the user credentials are not valid for one of the domain controllers.
(BNF-3688)
Firmware Upgrades are no longer possible if a network activation is still outstanding. (BNF-3584)
Firewall
It is no longer possible to upload an expired certificate for SSL Inspection. (BNF-3332)

Minimum timeout value for connection objects is now three seconds. (BNF-3313)
Duplicate IP addresses are now visible on the NETWORK > Routing page. (BNF-3344)
Terminating a session in BASIC > Active Connections now works as expected. (BNF-3695)
A warning is displayed if you attempt to use a connection object for a connection which does not exist. E.g., SNAT with 3G IP without 3G
being configured. (BNF-3236)
VPN
VPN Network Object VPN-Local-Networks now works as expected. (BNF-3711)

Warn when importing a VPN certificate with an empty CN value. (BNF-3725)

Dynamic IP addresses for site-to-site VPN tunnels can only be used if Use Dynamic IPs is enabled. (BNF-3410)
Fixed labeling for client-to-site authentication from "Shared Key and Certificate" to "Shared Key or Certificate". (BNF-3448)
Added option to restart the VPN service in the Expert Variables. (BNF-3568)
SSL VPN
Fixed issue of the SSL VPN service was not handling requests until restarted. (BNF-3701)
Added SharePoint type for webforwards. (BNF-3799)
High Availability
HA synchronization now works as expected with non-ASCII characters. (BNF-3830)
Barracuda Cloud Control – In some cases the labeling of the time axis in the FIREWALL STATISTICS element on the Status page in
the Barracuda Cloud Control is illegible.
Barracuda Cloud Control – It is not possible to directly show the list of Recent Connections for a detected application from the Applicat
ion Monitor page in the Barracuda Cloud Control.
Guest Access – The ticketing web interface is not accessible on the management interface.
Backup – It is not possible to restore old 6.1.X or 6.0.X backups on a Barracuda Firewall using firmware 6.5.0 or newer.
VPN – When using the Barracuda VPN client it currently not possible to connect to a client-to-site VPN using user/password and client
certificate authentication.
New Web Interface
The 6.5 firmware includes a completely redesigned user interface. The updated user interface is now even easier to use as it uses a new visual
style, icons and popover screens instead of popup windows. The BASIC > Status and BASIC > Application Monitor overview pages are build
out of small movable and configurable elements. Each element contains specific information such as connection, blocked applications, link status
and many more. Elements can be dragged and dropped freely on the status page. You can also remove or add application monitor elements to
the dashboard.
Application Control
Barracuda Firewall 6.5.0 integrates and updates the Application Control engine into the core firewall. Now the Barracuda Firewall can identify and
enforce more than 1200 applications, even those that may hide their traffic inside otherwise "safe" protocols, such as HTTP. You can define
dynamic application polices to establish acceptable use policies for users and groups by application, application category, location or time of day:
Block unwanted applications for certain users and groups.

Control and throttle acceptable traffic.
Preserve bandwidth and speed-up business critical applications to ensure business continuity.

Enable or disable specific subapplications (e.g., Facebook Chat, YouTube postings or MSN file transfers).
Inspect SSL-encrypted application traffic.
Use the new application monitor to analyze application traffic, receive real-time and historical information on traffic passing through your
Barracuda Firewall. Drill down through the application data by using filters based on a combination of user, time, application or risk factor. Up to
20 of these customized elements can be included on your dashboard to offer an instant system and network overview every time you log in to
your Barracuda Firewall.
URL Filter
With the Barracuda Firewall 6.5.0 customers with an active Web Security subscription now have the option to use the URL Filter on the
Barracuda Firewall itself, instead of having to route all internet traffic through the Web Security Service cloud. The on-box URL Filter is tightly
integrated with application control in the firewall and allows creation and enforcement of effective Internet content and access policies based on
the Barracuda URL database. The URL database is hosted in the cloud and continuously updated by Barracuda Networks, ensuring that your
policies are always using the latest information. URL categorization performs an online lookup of the categorization for the domain in question
and the Barracuda Firewall subsequently caches this categorization information.
Client-To-Site IPsec VPN with Pre-Shared Keys
To make it easier for your Apple iOS or Android device to remotely connect to your network you can use the new client-to-site IPsec VPN with
pre-shared keys. You do not have to manage X.509 certificates which have to be installed on the mobile devices.
VPN Site-2-Site Remote and Local Networks
As of Barracuda Firewall Release 6.5.0 there is no more need to create specific firewall rules to allow network traffic from two networks
connected via VPN. The defined Local Networks and Remote Networks in the site-to-site VPN configuration are added automatically to these
newly created dynamic network objects. The VPN-SITE-2-SITE firewall rule is disabled by default and enabled automatically when a site-to-site
VPN is configured.
Reporting
Reporting is one of the major tasks to be managed in an enterprise. It is crucial to make bandwidth usage and all other security related
information visible, reportable and presenting it in an easy-to-read format. With Barracuda Firewall 6.5.0 the new Barracuda Report Creator,
directly downloadable from the BASIC > Administration page, makes creating IT security reports on a regular basis easy. Simply select the
appliances and the required types of reports, define the layout and way of delivery and the Report Creator does the rest. (please note that the
Barracuda Report Creator is only compatible to Microsoft Windows 7 and 8).

Backup to the Cloud
You now have the option to store your backups in the Cloud using your Barracuda Cloud Control account. Configure automated backups to
always have a working off-site configuration backup for your Barracuda Firewall, enhancing your data security.
If you are using one of the following features, complete the listed instructions to complete the migration:
Barracuda DC Agent – After the migration do a dummy change in USERS > external Authentication > DC Agent to activate the
automatic logout in case the DC Agent or the Active Directory Server the DC Agent is installed on is not available.
Application Control – Before you can make use of the improved Application Control you have to migrate your existing firewall rules: A
migration wizard will appear every time the BASIC > Status page is accessed until you complete the migration. If you do not want to
migrate these settings at the time of the upgrade you can continue using Application Control in legacy mode, However, certain
functionality (such as new BASIC > Status page) will not be available until migration has been completed. During the migration the
application control logic is transferred to the new FIREWALL > Application Policy page. Due to the different and enhanced functionality
it is not possible to provide an automated migration. Parts of your application control settings will need to be re-done after upgrading to
6.5.
VPN – If firmware version 6.5.0 was not preinstalled on your Barracuda Firewall you must manually add the network objects VPN-Local-
Networks and VPN-Remote-Networks as well as the firewall rule VPN-SITE-2-SITE to take advantage of automatic updates of the VPN
network objects and firewall rule when creating a site-to-site VPN.
VPN-SITE-2-SITE firewall access rule
Action – Select Allow.

Name – Enter VPN-SITE-2-SITE.
Source – Select VPN-Local-Networks.
Network Services – Select Any
Destination – Select VPN-Remote-Networks.
Connection – Select No SNAT.
Adjust Bandwidth – Select Business.
Network Object VPN-Local-Networks
Name – Enter VPN-Local-Networks.

Include Network Address – Enter all local networks used in existing site-to-site VPNs. If no site-to-site VPN are
configured enter dummy values. They will be overwritten when a site-to-site VPN is configured.
Network Object VPN-Remote-Networks
Name – Enter VPN-Remote-Networks.

Include Network Address – Enter all remote networks used in existing site-to-site VPNs. If no site-to-site VPN are
configured enter dummy values. They will be overwritten when a site-to-site VPN is configured.

Fixed error message which users who are not logged in would receive if the Include User Information option was set. (BNF-1835)
Barracuda Control Center
Fixed misleading error message when login to Barracuda Cloud Control fails. (BNF-3303)
In some cases it was not possible to see connection objects in the BCC. (BNF-2967)
The VPN > Certificates page is now displayed correctly in the Barracuda Control Center. (BNF-1788)
The NETWORK > DHCP Server page is no longer accessible when using group context in the Barracuda Control Center. (BNF-3636)
Adding identical configurations in group context now works as expected. (BNF-3653)
VPN
In some cases port 443 for client-to-site vpn was blocked. (BNF-2610)
VPNs using the blowfish cipher now work as expected. (BNF-3109)
Client-to-site VPN IPsec Phase 2 configuration is only mandatory if IPsec clients are enabled. (BNF-2415)
Wi-Fi
Improved Wi-Fi stability by fixing rekeying issues resulting from missing entropy. (BNF-2722)
Fixed issues resulting in kernel panics. (BNF-2721)
Changes to the Wi-Fi settings are now executed as expected. (BNF-3549)
Firewall
Minimum timeout for connection objects lowered to three seconds. (BNF-3309)

Firewall objects can now only be renamed if they are not in use. (BNF-3053)
Traffic Shaping using the low and lowest QoS bands now work as expected. (BNF-3685)
Web Interface
Firewall objects can no longer be deleted if they are still in use. (BNF-3169, BNF-3258)
It is no longer possible to delete all NTP server entries in Basic > Administration. At least one NTP server has to be configured at all
times. (BNF-3120)
When downloading csv log files a different name is now used for every log file. (BNF-3138)
PPPoE username and password configuration in protect my desk wizard is now works as expected. (BNF-3297)
Barracuda logo is updated. (BNF-3549)
Fixed security vulnerability when invoking logout action. (BNF-3598)
Session termination in Active Connections now works as expected. (BNF-3695)
SIP Proxy
The SIP proxy will now be enabled if you enable the LAN-2-INTERNET-SIP or INTERNET-2-LAN-SIP firewall access rules. (BNF-2679)
SIP clients can now receive calls on non-standard SIP ports. (BNF-2879)
SIP video (multi-port) calls now work as expected. (BNF-3115)
DHCP
The DHCP server now checks if an interface is disabled when creating a DHCP service pool. (BNF-2709)
High Availability
The Advanced > Backup and Network > Bridging pages are now read only on secondary unit. (BNF-2820, BNF-3231)
Forwarding sessions on dynamic interfaces are no longer synchronized to secondary unit. (BNF-3386)
Barracuda OS
Upgrade of OpenSSL to fix a potential man-in-the-middle attack for SSL/TLS clients and servers. (CVE-2014-0224, BNSEC-4402,
BNF-3713)
Upgrade of OpenSSL to version 1.01g to fix the openSSL heartbleed bug. (CVE-2014-0160)
The syslog daemon now restarts automatically if needed. (BNF-2919)
RADIUS authentication now works as expected. (BNF-3224)
After a reboot due to a power outage the system clock will not be reset to UTC time anymore. (BNF-3367)
DynDNS over HTTPS now works as expected. (BNF-3524)
Fixed security issues for the captive portal and guest ticketing authentication pages. (BNSEC-4395, BNSEC-4402)
Known Issues and Limitations
Barracuda Control Center – In some cases the labeling of the time axis in the FIREWALL STATISTICS element on the Status page in
the Barracuda Control Center is illegible.

Barracuda Control Center – It is not possible to directly show the list of Recent Connections for a detected application from the Applica
tion Monitor page in the Barracuda Control Center.
Guest Access – The ticketing web interface is not accessible on the management interface.
Web Interface – After the Barracuda Firewall update and reboot you may have to wait up to 5 minutes (depending on your hardware)
until you can successfully log in to your system.
Backup – It is not possible to restore old 6.1.X or 6.0.X backups on a Barracuda Firewall using firmware 6.5.0 or newer.
Backup – The option to backup to SMB shares has been removed. Use Barracuda Cloud Control or FTP/FTPS server as an alternative.
Firewall – Removed the firewall rule tester.
Firewall – After migration to the new Application Control some Application Control settings and policies have to be re-done manually.
Firewall – Before migration to the new Application Control some elements on the BASIC > Status dashboard do not display any
information.
VPN – IPsec client-to-site VPN with pre-shared keys ignore external group conditions. (BNNGF-22043, BNF-3225)


What's New with Barracuda Firewall Version 6.1.6
6.1.7.003 includes an update of OpenSSL to fix a potential Man-in-the-middle attack for SSL/TLS clients and servers. (CVE-2014-0224,
BNSEC-4402, BNF-3715)
Some software modules of the Barracuda Firewall incorporate versions of OpenSSL, which are vulnerable to attacks described in
security advisory CVE-2014-016 (OpenSSL Heartbleed bug).
Barracuda Networks highly recommends to update your Barracuda Firewall to firmware version 6.1.5.005.
Affected portions of the Barracuda Firewall and possible attack vectors
User Interface – Eavesdrop on communication with the Barracuda Firewall's user interface.
VPN – The VPN functionality of the Barracuda Firewall was never compromised since the service uses OpenSSL version
0.9.8g. However, if the VPN service and management interface share the same certificate (delivered default certificate),
Barracuda Networks recommends to also change the VPN certificates as described below.
Actions required
1. Update your Barracuda Firewall to version 6.1.5.005. This will upgrade OpenSSL to version 1.0.1g which is not vulnerable to
the Heartbleed bug.
2. ADVANCED > Secure Administration – Replace the Barracuda Firewall's default certificate with a newly created Private
(Self-signed) or Trusted (Signed by a trusted CA) certificate.
3. ADVANCED > Secure Administration – If your are using a Private (Self-signed) or Trusted (Signed by a trusted CA) certi
ficate, you must replace them with newly created certificates.
4. VPN > Certificates – Delete existing SAVED CERTIFICATES and create or upload new VPN certificates.
5. VPN > Site-To-Site – Reconfigure all IPsec tunnels to use the newly created certificates as Local Certificate and for
authentication (if applicable).
6. VPN > Client-To-Site – Replace the Local Certificate with the newly created certificate. This is valid for all client-to-site VPN
access policies.
7. VPN > SSL VPN – Select the newly created certificate in the Server Settings tab.
8. FIREWALL > Captive Portal – Replace the Signed Certificate with the newly created certificate.
9. Barracuda Networks recommends to follow best practices and change all passwords.
After installing release version 6.1.3.003 on your Barracuda Firewall, it is necessary to perform a configuration update to correctly apply
all improvements.
Open USERS > External Authentication > DC Agent and perform a temporary configuration change of one of the available
settings, and click Save Changes.
Important
Barracuda Firewall version 6.1.2.002 fixes a log rotation issue to prevent filling up the SSD. [BNF-2217]
Barracuda Networks strongly recommends updating to version 6.1.2.002 or contacting Barracuda Networks Technical Support for
assistance.

Barracuda OS
Updated OpenSSL to fix a potential Man-in-the-middle attack for SSL/TLS clients and servers. (CVE-2014-0224, BNSEC-4402,
BNF-3715)
What's New with Barracuda Firewall Version 6.1.6
Barracuda OS
The default certificates have been re-keyed and re-issued. Old certificates are being revoked. After updating your Barracuda Firewall, all
services using the unit's default certificates, will automatically use the re-issued certificates. (BNF-3480)
Network
DynDNS over HTTPS now works as expected. (BNF-3525)
Barracuda OS
Update of OpenSSL to version 1.0.1g to fix the OpenSSL heartbleed bug. (CVE-2014-0160)
Firewall
Fixed access to expert settings. (BNF-3452)

Stability improvement that prevents possible appliance reboots. (BNF-2925)
VPN
Updated Java archive manifest information of SSL VPN applets. (BNF-3376)

The VPN service with Local Address set to dynamic will now listen on every IP address. (BNF-3402)
VPN
The VPN service with Local Address set to dynamic will now listen on every IP address. (BNF-3402)
Web Interface
Fixed access to expert settings. (BNF-3452)
Firewall
Stability improvement that prevents possible appliance reboots. (BNF-2925)
VPN
Updated Java archive manifest information of SSL VPN applets. (BNF-3376)

Web Interface
Adding source or destination networks, with netmasks higher than /24, to firewall rules now works as expected. (BNF-2869)
The smart pre-submission input validation now also works correctly with DNAT firewall rules.
It is now possible to access release notes for the latest general and early release through the ADVANCED > Firmware Updates page. (
BNF-2790)
Configuration wizards now successfully finish, even if the Barracuda Firewall receives wrong time information from an NTP
server. (BNF-2777)
Viewing product documentation within the user interface, now also works correctly when switching to a different language. (BNF-2672)
Adding Group Filter Patterns in USERS > External Authentication now works as expected. (BNF-3178)
VPN
It is now possible to add IPsec VPN tunnel remote IP addresses containing .255 octets. (BNF-2913)
The SSL VPN Java security warning no longer occurs after an update to Java 7 version 54 or higher. (BNF-3049)
Firewall
The SIP proxy now works as expected with SIP providers outside of internal network segments. (BNF-2859, BNF-2879, BNF-2691)
Fixed a display issue in the Basic > Active Connections screen. (BNF-2887)
Networking
Dynamic interface control commands in Network > IP Configuration now work as expected with multiple configured dynamic network
interfaces. (BNF-2886)
High Availability
Static network interfaces introduced by a wizard are now correctly synchronized to the secondary Barracuda Firewall. (BNF-2797,
BNF-2796)
When enabling an HA cluster, the firmware now performs a validity check to ensure that the units' Management IP addresses reside
within the same network and subnet.
Administration & Reporting
The SNMP service now works as expected and occasional crashes no longer occur. (BNF-2775)
When utilizing all three possible Wi-Fi Access Points, the Barracuda Firewall models X101 and X201 may freeze and/or crash under
certain circumstances.
Security
A potential internal resource exhaustion issue was fixed. (BNSEC-3144)

A potential nginx request line parsing vulnerability was fixed. (BNSEC-2865 / CVE-2013-4547)
Web Interface
The Barracuda Firewall User Interface is now fully Japanese localized. Note that entering multi-byte characters is not yet supported.
Guest networks for Wi-Fi networks can now only be configured in USERS > Guest Access. (BNF-2650)
Barracuda Firewall OS
Improved stability due to kernel upgrade and various improvements: Updated underlying Linux kernel to 2.6.28.
Time zone upgrades for South Africa and Israel per new 2013 DST settings.
Web Interface
The configuration progress spinner animation now loads correctly while saving configuration changes. (BNF-2350)
High Availability

Secondary Barracuda Firewall units now correctly synchronize configuration data after an outage. (BNF-2746)
Barracuda Firewalls with configured dynamic WAN interfaces can now be deployed in HA clusters as expected. (BNF-2685)
Various stability related firmware improvements. (BNF-2742, BNF-2740, BNF-2738, BNF-2703, BNF-2686)
VPN
A certificate upload issue in VPN > Certificates was fixed. (BNF-2699, BNSEC-2398)
The Barracuda Firewall now accepts all ASCII characters, except #, as Site-to-Site IPsec pre shared key. (BNF-2648)
SSL-VPN now also supports RDP for Microsoft Windows Server 2003 editions and higher. (BNF-2731)
Firewall
Manually overriding bandwidth policies is Basic > Active Connections is now correctly disabled, if QoS is disabled in the respective
firewall rule. (BNF-2443)
Enabling or disabling PAT in Connection Objects now works as expected. (BNF-2668)
The configured name of dynamic network interfaces is now correctly displayed in NETWORK > Routing. (BNF-2713)
Authentication Services
Received login information from the Barracuda DC Agent now expire after a certain period of time. (BNF-2434)
When utilizing all three possible Wi-Fi Access Points, the Barracuda Firewall models X101 and X201 may freeze and/or crash under
certain circumstances.


Firewall
The internal interface assignment of the QoS bandwidth policy Internet now works as expected. (BNF-2072)
Networking
The DHCP TFTP Host Name field now also accepts IP address and host name combinations. (BNF-2121)
VPN
Phase 2 settings of IPsec Site-to-Site VPN tunnels are now loaded correctly. (BNF-2098)
Administration
The Barracuda Firewall can now be connected to Web Security Service accounts containing a hash (#) in the password. (BNF-2098)
Security
A potential shell command injection issue has been removed. (BNSEC-1422)

A potential minor security issue related to local file permissions has been fixed. (BNSEC-1646)
A potential minor security issue related to support connections has been fixed. (BNF-2084)
Web Interface
It is now possible to disable the SIP Proxy. (BNF-1900)

To simplify the firewall rule tester, time settings are no longer available. (BNF-1872)
PPPoE connections now accept usernames not containing the @ symbol. (BNF-1846)
Network activations are now possible in any configuration tab, even if the product is not yet activated. (BNF-1824)
Firewall
The Active Connections screen now allows performing a Barracuda Labs reputation search for globally routable IP
addresses. (BNF-1800)
The Weight setting of Connection Objects is now saved correctly. (BNF-1870)
ICMP reply packets from already terminated sessions are not leading to orphaned sessions any more. (BNF-1833)
Networking
The DHCP server now consumes a lower amount of available memory. (BNF-1896)
Security

An authentication bypass issue in proxied environments has been removed. (BNSEC-1226)
It is now possible to disable the SIP Proxy. [BNF-1900]

To simplify the firewall rule tester, time settings are no longer available. [BNF-1872]
The Active Connections screen now allows performing a Barracuda Labs reputation search for globally routable IP
addresses. [BNF-1800]
The product documentation has been updated and improved to reflect the latest firmware changes. [ BNF-1801 - 1802], [BNF-1804 -
1813]
The DHCP server now consumes a lower amount of available memory. [BNF-1896]
The Weight setting of Connection Objects is now saved correctly. [BNF-1870]
PPPoE connections now accept usernames not containing the @ symbol. [BNF-1846]
ICMP reply packets from already terminated sessions are not leading to orphaned sessions any more. [BNF-1833]
Network activations are now possible in any configuration tab, even if the product is not yet activated. [BNF-1824]
An authentication bypass issue in proxied environments has been removed. [BNSEC-1226]
Web Interface
The Include User Information checkbox was permanently visible, although not available when using proxy forwarding. (BNF-1609)
Firewall
NAT Objects are now able to introduce Proxy ARPs. (BNF-1705)

IP addresses are now saved correctly when adding IPS Exceptions. (BNF-1602)
Networking
The DHCP service is now automatically restarted if a network activation occurs. (BNF-1591)
Source based routing for certain multi ISP configurations now work as expected (BNF-1630)
Secondary IP addresses are now also available through the default network bridge P1-P3. (BNF-1668)
The DHCP server is now able to assign DHCP options 66 (TFTP server name), 67 (Bootfile name) and 150 (TFTP server address) to
clients. (BNF-1761)

Getting Started
These instructions are an expanded version of the Barracuda NextGen Firewall X-Series Quick Start Guide that was shipped with your
appliance. If you have already completed the steps in the Quick Start Guide, go to Step 4.
To get started with your Barracuda NextGen Firewall X-Series, you must complete the activation procedure and integrate the firewall into your
existing network. You can also directly replace an existing firewall if your ISP assigns the WAN IP address via DHCP. For all other types of
Internet connections, you must first complete activation and basic setup in the existing network. After completing the basic setup wizard, you can
evaluate the X-Series Firewall as a firewall, using one of the firewall configuration wizards, or as a remote access gateway, using the Remote
Access Gateway wizard.
Barracuda NextGen Firewall X-Series in an existing network
Barracuda NextGen Firewall X-Series directly attached to a DHCP ISP connection
Before you begin
Unpack the NextGen X-Series Firewall and verify that you have all of the following accessories:
Barracuda NextGen X-Series Firewall (verify that you have received the correct model)
AC power cord
Power supply (X100/X101/X200/X201 only)
Wi-Fi antenna (X101/X201 only)
Mounting brackets (X300 and above)
Ethernet cable
If any items are missing or damaged, contact your Barracuda sales representative.
Step 1. Connect your PC to the NextGen X-Series Firewall
The number of ports depends on your model. By default, the ports are configured as follows:
Port 1: Management port (access to the management interface)

Port 2: DHCP client
Port 3-8: Not configured

1. Plug in your client PC to Port 1 of the firewall.
2. Plug in your Internet connection to Port 2 of the firewall.
The X-Series Firewall must be assigned an IP address by a DHCP server in your network or a DHCP server of your ISP.
Step 2. Set a static IP address on the client PC
Configure your client PC to use the following static IP address configuration for the network interface connected to the firewall:
IP Address – 192.168.200.100
Netmask – 255.255.255.0
Gateway – 192.168.200.200
DNS Servers – Enter DNS servers in your network, or use public DNS servers such as the Google DNS servers 8.8.8.8 and 8.8.4.4.
Click here to see Instructions for Microsoft Windows ...
Windows 8 / 8.1
You must have administrative rights to set the IP address on Microsoft Windows 8 / 8.1.
1. Open the Control Panel and click View network status and tasks. The Network and Sharing Center window opens.
2. In the View your active networks list, click on the name of the network interface connected to the firewall. For example, if you click
on Ethernet, the Ethernet Status window opens.
3. Click Properties and double-click on Internet Protocol Version 4 (TCP/IPv4). The Internet Protocol Version 4 (TCP/IPv4)
Properties windows opens.

4. Select Use the following IP address:. Enter the static IP address, netmask, default gateway, and DNS servers.
5. Click OK.
You are now using a static IP address.
Step 3. Log into the web interface
Access the web interface of the X-Series Firewall.
1. Go to https://192.168.200.200 in your browser.

2. Proceed at the certificate warning.
3. Log into the web interface with the default user credentials:
Default username – admin
Default password – admin

4. The Basic Setup wizard automatically launches.
Step 4. Complete the basic setup wizard
The basic setup wizard automatically starts when you first log into the firewall.
1. Change the Password: The default password is admin.

2. Enter the default domain for your network.
3. Enter the System Contact Email Address. You will receive emails from Barracuda Central at this email address.
4. Select the Time Zone.
5. Click Next.
6. (optional) Change the Management IP Address to match your existing network.
7. (optional) Change the Management Netmask to match the management network.
8. Enter the Primary and Secondary DNS Server.

9. (optional) If the network segment connected to P2 requires an HTTP proxy to access the Internet, set Upstream Proxy to Yes.
Proxy Server – Enter the IP address of your proxy server.
Proxy Port – Enter the port the proxy server is listening on. E.g., 3128
(optional) Proxy Username – Enter the username used to authenticate to the proxy.
(optional) Proxy Password – Enter the proxy password.
10. Click Next.

11. (optional) Click Print.
12. Review your configuration settings and click Apply Now.
If you changed the time zone, the X-Series Firewall will now reboot.

Next steps
After the reboot, select a wizard for a customized setup, or configure the appliance manually:
As a firewall, by completing the configuration wizard matching your use case. For more information, see Deploy as Firewall.
As a remote access gateway using the Remote Access Gateway wizard. This wizard takes you through the necessary steps to configure
a client-to-site VPN. For more information, see Deploy as Remote Access Gateway.

Deploy as Firewall
The initial setup wizard automatically starts when you first log into the firewall and guides you through the first configuration steps. Use the
wizards to deploy the firewall into production or to evaluate it.
You can also start the wizards at a later time: Go to ADVANCED > Wizards.
Step 1. Complete the setup wizard
The initial setup wizard automatically starts when you first log into the firewall. (When using another wizard, go to ADVANCED > Wizards, and
click Start to launch the wizard.)
Evaluation mode – Sets up the firewall for evaluation at your desk or in a test lab. All network traffic is transparently forwarded from
network interface p1 to p3. Verify p1 is connected to your LAN, and p3 to your test PC or test network.
Protect my network – Configures a primary and a secondary Internet uplink as well as up to two internal networks, including DHCP
server configuration. To complete this, wizard the following information is required:
Local area network preferences (LAN IP address, gateway IP address, required DHCP settings)
Internet service provider (ISP) uplink information
Failover Internet service provider information (optional)
Manual configuration – Click Close to exit the setup wizard.
Step 2. Configure administrator IP/range
If administrators always use the same IP range, you can restrict access to the web interface of the firewall by specifying a range of allowed IP
addresses or networks to increase security.
Misconfigurations of the administrator IP/range may cause the management web interface of the firewall to be unreachable. Contact
Barracuda Networks Technical Support to recover connectivity.
1. Go to BASIC > Administration.

2. In the ADMINISTRATOR IP/RANGE section, enter the IPNetwork Address and Netmask for the networks allowed to access the web
interface. For a single IP address, set the Netmask field to 255.255.255.255.
3. Click Add.
Step 3. (Optional) Additional configuration steps
You may need to complete the following tasks to finish the basic setup for your firewall:
If needed, configure additional WAN connections. For more information, see How to Configure WAN Interfaces.
If you are using VLANs, configure the virtual interfaces. For more information, see How to Configure a VLAN.
Configure free ports for other networks. For more information, see How to Configure Static Network Interfaces.
Step 4. Explore the Barracuda NextGen Firewall X-Series
After setting up the firewall, explore the following areas to learn where to get necessary information when working with your firewall and its
services:
Subscription Status
To verify the status of your licenses, go to the BASIC > Status page and view the Subscription Status section. The status for all purchased
licenses displays as Current. While the firewall is connected to the Internet, it automatically downloads licenses. If the firewall cannot be
activated, please contact Barracuda Technical Support.
Firmware Update

To verify that the firewall is using the latest available firmware, go to the ADVANCED > Firmware Update page. For production, use the latest
general release firmware version. Before updating the appliance, read the release notes for information on new features, bug fixes, and possible
migration instructions.
Network
To view the status of the following:
Network routes and interfaces – Go to the NETWORK > Routing page.

Network interface links – Go to the BASIC > Status page and move the mouse over the ports displayed in the Link Status section.
To view the configurations:
Network interfaces – Go to the NETWORK > IP Configuration page and view the Network Interface Configuration section.
Bridges – Go to the NETWORK > Bridging page. Before you deploy the firewall for use in production, delete the port 1—port 3 bridge.
For more information on networking, see Networking.
Firewall
To view access rules, go to the FIREWALL > Firewall Rules page.
To monitor currently active and recently established and completed connections, go to the following pages:
BASIC > Active Connections

BASIC > Recent Connections
For more information on the firewall and firewall rules, see Firewall.
Next steps
After setting up and exploring the firewall, you can complete the following tasks:
Connect the firewall to your existing authentication service or create a built-in database for user information. For more information, see M
anaging Users and Groups.
If supported by your firewall model, configure Wi-Fi. For more information, see How to Configure Wi-Fi.
Configure site-to-site VPN. For more information, see Site-to-Site VPN.
Configure client-to-site VPN access. For more information, see Client-to-Site VPN
Link the firewall with your Barracuda Cloud Control account for central management and configuration. For more information, see How to
Connect to Barracuda Cloud Control
Configure the Barracuda Web Security Service, a cloud-based web filtering and security service. For more information, see How to
Configure the Barracuda Web Security Service
Set up an authoritative DNS. For more information, see Authoritative and Caching DNS.
Configure a DMZ. For more information, see How to Configure a DMZ

Deploy as Remote Access Gateway
Deploy the Barracuda NextGen Firewall X-Series as a remote access gateway for VPN traffic. The Remote Access Gateway wizard takes you
through the necessary steps to configure a client-to-site VPN and enable SSL VPN with support for CudaLaunch. A remote access premium
subscription is required.
Before you begin
Make sure you have the following information on hand:
If you are using Active Directory as your method of authentication, you need to have the Active Directory configuration information.
The network that the client-to-site VPN clients will be assigned to (client network).
The networks that will be available to the client-to-site VPN clients (published networks).
Step 1. Complete the Remote Access Gateway wizard
This wizard allows you to configure the Barracuda X-Series Firewall as a remote access gateway that can work in conjunction with your existing
firewall.
1. To launch the wizard, go to Advanced > Wizards and click Start next to Remote Access Gateway.
2. Enter the VPN IP address(es) for the VPN service. Click + after each entry.
3. Click Next.
4. Select the authentication Type for the VPN service. When choosing Local Authentication,
Enter Username and Password.
5. When choosing Active Directory, specify the following settings:
Domain Controller Name – Enter the fully qualified name of the domain controller.
Domain Controller IP – Enter the IP address of the domain controller.
When using SSL, the name should be used instead of the IP address.
Searching User – Enter the username of the MSAD searching user.
Searching User Password – Enter the password for the MSAD searching user.
Base DN – Enter the Distinguished Name (DN) at which to start the search in the LDAP database, specified as a sequence of
Relative Distinguished Names, connected with commas, with or without blank spaces. Make the base DN as specific as possible
in order to speed the lookup and avoid timeouts. For example, if your domain is yourcompany.com, your search base DN might
be as follows: DC=yourcompany, DC=com, OU=sales
Cache MSAD Groups – Enable caching of MSAD groups.
Offline Sync – Enable offline synchronization.
Use SSL – Select to use SSL for connections to the authentication server.

6. Click Next.
7. Configure the settings for client–to–site VPN:
a. Enter a VPN Policy Name. This name is referred to as group name (iOS) or IPsec identifier (Android) on mobile VPN clients.
b. In the Client Network field, enter an unused network in CIDR notation (e.g., 192.168.222.0/24). IP addresses from this network
will be assigned to connected VPN clients. Ensure that this network is not already defined on the NETWORK > IP
Configuration page.
c. Enter a Shared Key to authenticate the client.
a. In the Published Networks field, enter all of the networks that the VPN clients will be able to access. Enter IP addresses and
networks in CIDR format (X.X.X.XX) and click + after each entry.
8. Click Next.
9. Configure the settings for SSL VPN:
a. Enable CudaLaunch to give end users remote access to corporate resources.
b. (optional) Customize the Welcome Message for the SSL VPN portal.
c. (optional) Customize the Help Text to be displayed to the user. Only ASCII characters are allowed in the Welcome Message an
d Help Text fields.

10. Click Next. The summary screen opens.
11. (optional) Click Print.
12. Review your configuration settings and click Apply Now.
Step 2. Configure administrator IP/range
If administrators always use the same IP range, you can restrict access to the web interface of the Barracuda Firewall by specifying a range of
allowed IP addresses or networks to increase security.
Misconfigurations of the administrator IP/range may cause the management web interface of the firewall to be unreachable. Contact
Barracuda Networks Technical Support to recover connectivity.
1. Go to BASIC > Administration.

2. In the ADMINISTRATOR IP/RANGE section, enter the IPNetwork Address and Netmask for the networks allowed to access the web
interface. For a single IP address, set the Netmask field to 255.255.255.255.
3. Click Add.
Next Steps
Configure the SSL VPN resources: For more information, see SSL VPN.

Networking
From the NETWORK tab, you can view and configure the following basic network, connectivity, and service settings:
Management IP address, DNS, static and dynamic interfaces, and Wi-Fi

Network routes
Interface groups
Bridges
DHCP server
Authoritative DNS
Proxy
Management IP address, DNS, static and dynamic interfaces, and Wi-Fi
On the NETWORK > IP Configuration page, you can view a list of each network interface (static, dynamic and virtual) that has been configured
for the Barracuda NextGen Firewall X-Series. You can also configure the following basic network configurations:
IP Configuration Description Article
Management IP Address The management IP address is used to Getting Started with the Barracuda Firewall
administer and configure the firewall from a
web browser.
DNS Servers The primary and secondary DNS server. You Getting Started with the Barracuda Firewall
can also cache the DNS responses to speed
up DNS queries.
Static Interface Static interfaces for static IP addresses and How to Configure Static Network Interfaces
networks.
Dynamic Interface Dynamic interfaces for DSL, DHCP, or 3G. How to Configure WAN Interfaces
Virtual Interface Virtual interfaces for VLANs. You must use How to Configure a VLAN
properly configured 802.1q capable
switches.
Wi-Fi Link If available for your model, you can create up How to Configure Wi-Fi
to three different Wi-Fi networks.
3G Network Interface With a Barracuda M10 3G/UMTS USB How to Configure a 3G Dial-In Connection
modem, you can configure 3G connectivity.
Network routes
On the NETWORK > Routing page, you can add static routes. For more information, see How to Configure a Static Route.
On the Routing page, you can also view the following tables for a list of network routes and network interfaces for the NextGen Firewall X-Series:
Table Description
Network Routes This table contains all the routing information sorted by routing table.
Routing information is processed from top to bottom.
Network Interfaces This table contains all interfaces, their current state visualized by a
graphical icon, and the IP addresses assigned to the interface.
Interface groups

On the NETWORK > Interface Groups page, you can organize multiple interfaces belonging to the same network in interface groups. In firewall
rules, the interface group specifies the source address that the interface is allowed to use.
For more information on interface groups, see How to Create Interface Groups.
Bridges
To transparently connect two networks, you can configure a bridge. For more information, see How to Configure a Bridge.
DHCP server
Every X-Series Firewall can act as a DHCP server. You can configure DHCP servers on a per-network basis. For more information, see How to
Configure the DHCP Server.
Authoritative DNS
You can configure a split level and authoritative DNS server. For more information, see Authoritative and Caching DNS.
Proxy
To free the local firewall capabilities of the X-Series Firewall, you can use the cloud resources of the Barracuda Web Security Service to intercept
and scan all HTTP and HTTPS traffic for malware. To use this service, you must have an additional Barracuda Web Security subscription. You
must also be connected to the Barracuda Cloud Control.
If you already have an ICP-enabled proxy server running in your network, see How to Configure a Forward Proxy.

How to Configure WAN Interfaces
By default, ports p2 and p3 are preconfigured. If you want to configure a WAN interface for either of these ports, you might need to remove the
default configurations:
Port p2 – Initially, the network interface for port p2 is configured as a dynamic network interface named dhcp. If you want to configure
either a static or other dynamic connection besides DHCP (PPTP or PPPoE) on port p2, delete the default DHCP interface.
Port p3 – Initially, port p3 is bridged to port p1. Both interfaces are also configured as management ports in the LAN. To use port p3 for
another connection, delete the P1-P3 bridge. However you might lose connectivity to the network from your administrative PC.
After removing the default configurations for ports p2 and p3, you can reconfigure them as WAN interfaces. For any other ports, just begin
configuring the WAN interface. You can configure the WAN interface with either static or dynamic IP address assignment.
Be sure to add the gateway to create the default route over the WAN interface, either when you add or edit a static network interface, or on the N
ETWORK > Routing page.
Remove the default configurations for port p2 and port p3
If you want to use port p2 or p3, first remove their default configurations.
1. If you want to use port p2:

a. Go to the NETWORK > IP Configuration page.
b. Delete the default DHCP interface from the Dynamic Interface Configuration section.
2. If you want to use port p3:
a. Go the NETWORK > Bridging page and delete the P1-P3 bridge.
b. Go the the FIREWALL > Firewall Rules page. Delete the P1-P3-BRIDGE firewall rule.
Configure a WAN interface
To configure a WAN interface:
1. Go to the NETWORK > IP Configuration page.

2. If your WAN interface has a static IP address:
a. In the Static Interface Configuration section, click Add Static Network Interface.
b. Configure the static interface settings, including the gateway address.
c. Click Add.
3. If you have a dynamic connection such as PPTP or PPPoE:
a. In the Dynamic Interface Configuration section, click Add Dynamic Network Interface.
b. Configure the dynamic interface settings.
c. Click Add.
4. At the top of the page, click on the warning message to execute the new network configuration.

Example - Configuring a Static WAN Connection
This article provides example settings to configure an interface for an ISP that statically assigns an IP address for a WAN uplink. For instructions
on how to configure a static network interface, see How to Configure Static Network Interfaces.
The static WAN interface and ISP gateway for this example are shown in the following figure:
The interface must be configured on port p4 with an IP address of 69.122.23.58 and a netmask of 255.255.255.0 (or /24). The default gateway of
the ISP is 69.122.23.254.
Configure the static network interface with the following settings:
Setting Value
Network Interface Select p4.
IP Address Enter 69.122.23.58.
Netmask Enter 255.255.255.0.
Classification Click WAN.
Gateway Enter 69.122.23.254.

How to Configure a PPPoE Connection
Follow these instructions if your WAN interface is provided using PPPoE. This protocol is typically used by ISPs that offer DSL. If your ISP
provides a modem, connect the Ethernet port of the modem to a free network interface of your Barracuda NextGen X-Series Firewall. Use the
Ethernet cable that is delivered with the modem. If a cable was not delivered with the modem, please clarify if the modem must be connected to
another device with a standard Ethernet cable or a crossover cable.
Configure a PPPoE connection

2. In the Dynamic Interface Configuration section, click Add Dynamic Network Interface.
3. From the Network Interface list, select the network interface that the ISP modem is connected to on the firewall.
4. Enter a name for the new connection.
5. Select the following settings:
Network Protocol: PPPoE
Classification: WAN
6. Configure the remaining settings for your network requirements.
If your dial-in connection requires Synchronous PPP mode, select the check box. If you are not sure which mode to use,
contact your ISP.
For the initial configuration, keep the default Metric value of 100. In a multiprovider configuration, the firewall chooses the
interface with the lowest metric for outgoing traffic.
You can make the firewall reachable with a unique identifier (DNS-resolvable name). For Use Dynamic DNS, select Yes and
enter your DynDNS credentials. For more information on the DynDNS service, see http://dyn.com/dns/.
You can manually start and stop the link. For Connection Start Method, select Manual. To control the link, go to the Dynamic
Network Interfaces section of the NETWORK > Interfaces page.
To monitor the Internet connection, select a type of Health Check to perform. Most ISPs support LCP to continuously monitor
successful data transmission. However, you can use ICMP requests for monitoring the Internet connection. If you use ICMP for
link monitoring, add a target IP address to the Health Check Target list.
7. Click Add.
9. After committing your changes, log back into the X-Series Firewall.

How to Configure a 3G Dial-In Connection
To establish wireless Internet connections, you can install the external Barracuda 3G USB modem on the Barracuda NextGen Firewall X-Series.
3G connections are ideal for backup lines and for use in mobile offices or locations without terrestrial Internet links.
After you connect the Barracuda USB modem to the X-Series Firewall, configure the provider settings. Then verify that the default network route
and network interface of the 3G WAN link have been successfully introduced and are available.
Step 1. Connect the Barracuda 3G modem
To connect the Barracuda modem:
1. Follow the steps in the Barracuda 3G Modem Quick Start Guide to insert the SIM card into the Barracuda USB modem.
2. Connect the Barracuda modem to an empty USB port of the X-Series Firewall.
3. Connect the antenna to the Barracuda modem and place it in a stable location.
4. Restart your firewall so that it recognizes the Barracuda modem.
a. Go to the BASIC > Administration page.
b. In the System Reload/Shutdown section, click Restart.
Step 2. Configure the provider settings

2. In the 3G Network Interface section, select the following settings:
Enable 3G Network Interface: Yes
Classification: WAN
3. Configure the remaining 3G Network Interface settings for your network requirements.
You can configure the Barracuda modem to automatically choose the transmission standard with the best transmission
performance. For Radio Preference, click Auto.
If authentication is required, enter the username and password for establishing a connection to your ISP. If authentication is not
required, select the No Auth check box.
If a pin number is required to unlock your SIM card, enter it in the SIM PIN field.
To use the DNS server that is assigned by your ISP, set Use Assigned DNS to Yes. The firewall then uses the DNS servers of
the ISP for DNS requests.
To make the firewall reachable with a unique identifier (DNS-resolvable name), set Use Assigned DNS to Yes and enter your
DynDNS credentials.
For more information on the DynDNS service, see http://dyn.com/dns/.
To start the link automatically, set Connection Start Method to Automatic.

To manually start and stop the link , set Connection Start Method to Manual. To control the link, go to the Dynamic Network
Interfaces section of the NETWORK > Interfaces page.
To monitor the 3G Internet connection, select a test type from the Health Check list. Most ISPs support LCP to continuously
monitor successful data transmission. However, you can use ICMP requests for monitoring the Internet connection. If you use
ICMP for link monitoring, add a target IP address to the Health Check Target list.
4. Click Save Changes.
7. To verify that the Barracuda modem can establish a connection to your ISP, check its status LED lights. For information on the meaning
of the LED lights, see the Barracuda 3G USB Modem Quick Start Guide.
Step 3. Verify the uplink and default network route
Verify that the X-Series Firewall can establish an Internet connection and that the default network route was introduced.
1. Go to the BASIC > Active Routes page.

2. In the Network Routes section, verify that a default network route for the 3G WAN link was introduced.
3. In the Network Interfaces section, verify that the network interface of the 3G WAN link is available.

How to Configure a DHCP Connection
If the IP address is dynamically assigned by your ISP, follow the instructions in this article to configure the interface.
Before you begin
If your ISP provides a modem, connect the Ethernet port of the modem to a free network interface on the back of your Barracuda X-Series
Firewall. Use the Ethernet cable that is delivered with the modem. If a cable was not delivered with the modem, determine if the modem must be
connected to another device with a standard Ethernet cable or a crossover cable.
Configure the WAN interface

2. In the Dynamic Interface Configuration section, click Add Dynamic Network Interface.
3. Enter a name for the new connection.
4. Set Network Protocol to DHCP.
5. From the Network Interface list, select the network interface that the ISP modem is connected to on the firewall.
6. Set Classification to WAN.
7. Configure the remaining settings for your network requirements.
In the MTU field, enter the MTU size. If the MTU size is too large, network packets passing the ISP line are fragmented and
might decrease the performance of your network performance. For the correct MTU size, contact your ISP.
To automatically introduce a network route for this Internet connection, set Create Default Route to Yes.
To use the DNS server that is assigned by your ISP, set Use Assigned DNS to Yes. The firewall then uses the DNS servers of
the ISP for DNS requests.
To make the firewall reachable with a unique identifier (DNS-resolvable name), set Use Dynamic DNS to Yes and enter your
DynDNS credentials.
For more information about the DynDNS service, visit http://dyn.com/dns/.
Specify the Connection Timeout for this link. The connection timeout specifies the time in seconds that the firewall waits for an
IP address to be assigned. If the defined limit is exceeded, the link is marked as unreachable.
To start the link automatically, set Connection Start Method to Automatic.
To manually start and stop the link, set Connection Start Method to Manual. To control the link, go to the Dynamic Network
Interfaces section of the NETWORK > Interfaces page.
To add IP addresses to monitor the Internet connection beyond the gateway, add a target IP address to the Health Check
Target list.
8. Click Add.

How to Configure Static Network Interfaces
Follow the instructions in this article to configure a static network interface. You can add a subnet to a free physical or virtual interface.
Configure a static network interface

2. In the Static Interface Configuration section, click Add Static Network Interface.
3. In the Add Static Network Interface window, select an interface from the list and enter a Name.
4. Enter IP address and netmask of the interface and configure the settings as follows:
From the Classification list, you can select the following options to specify if the network is added to a network object:
Unclassified – The network is not added to any network objects.
Trusted – The network is added to the Trusted LAN network object.
DMZ – The network is added to the DMZ Networks network object.
WAN – The network is added to the Internet network object.
If you do not enter a Gateway, the default gateway (0.0.0.0) is used.
5. Click Save.

How to Configure Wi-Fi
Barracuda NextGen Firewall X101 and X201 are equipped with a Wi-Fi network module supporting IEEE 802.11 b/g/n with a maximum
transmission rate of 54 Mbps and 108 Mbps in SuperG mode for compatible client devices. Using WPA and WPA2 with a RADIUS authentication
server, you can encrypt wireless networks. The Barracuda NextGen Firewall X-Series can serve up to three independent Wi-Fi networks with
different SSIDs. You can configure each Wi-Fi network with a landing page serving either a confirmation message or a ticketing system for guest
network access.
Step 1. Configure the Wi-Fi interface
To configure basic network settings for the Wi-Fi module:

2. In the Static Interface Configuration section, edit one of the available Wi-Fi interfaces (ath0, ath2, ath3) if you want to change the IP
address configuration.
3. Click Save.
Step 2. Configure the Wi-Fi settings
When the static Wi-Fi network interface is available, Wi-Fi can be activated. The SSID, wireless security, and authentication can also be adjusted.

2. In the Wi-Fi Link Configuration section, select the Activate Wi-Fi check box to enable Wi-Fi.
3. From the Location list, select the country that your firewall is located in.
Configure radio settings
To configure the radio channel and transmission rate:
1. Click Configure Radio and edit the radio settings.

For more transmission power and a bigger range of radio reception, select a higher mW value from the Power list.
For higher data throughput, select a higher Mbps value from the Bitrate list.
To bond two channels for a transmission rate of up to 108 Mbps, set SuperG to Yes. When you enable this setting, verify that all
clients connecting to this access point support SuperG mode.
3. At the top of the page, click the warning message to execute the new network configuration.
4. Log into the firewall again.
Configure a Wi-Fi access point
To edit a Wi-Fi access point:
1. Click Edit for the access point you want to enable (Wi-Fi, Wi-Fi2, Wi-Fi3).
2. In the SSID field, enter the Service Set IDentifier (SSID). This name is displayed to Wi-Fi clients that search for available Wi-Fi signals.
3. From the Security Level list, select one of the following options:
High – WPA2 (Recommended).
Medium – WPA.
None – No encryption.
4. From the Authentication list, select one of the following options:
WPA-PSK – Use this option when key management should be done locally on the firewall. Then define a preshared key.
WPA-RADIUS/EAP – Use this option when key management is done by a RADIUS server. Then enter the RADIUS server
information into the RADIUS Configuration section.
5. To forward clients to a landing page that displays a Confirmation Message or serves a Ticketing system, enable the feature. To give
clients direct access to the Wi-Fi network, select None.
6. Click Save.
Step 3. Enable the DHCP server
To assign IP addresses to clients that are connected to the Wi-Fi network, enable the DHCP server of the firewall.
1. Go to the NETWORK > DHCP Server page. Clients with an active lease are listed in the Active Leases section.
2. In the DHCP Server section, set Enable DHCP Server to Yes.
3. If you change the network configuration of the default Wi-Fi and Wi-Fi2 interfaces, modify the available subnets or create a new one.
Step 4. Configure the access rule for Wi-Fi

There is a predefined access rule named WIFI-2-INTERNET that only applies to the first Wi-Fi network (ath0). To allow other networks, you can
either edit a copy of the rule for the other networks or edit the rule directly to include all subnets.
1. Go to the FIREWALL > Firewall Rules page.

2. To edit a copy of the WIFI-2-INTERNET rule:
a. Copy the WIFI-2-INTERNET rule. The rule copy is created at the bottom of the rule set.
b. Edit the WIFI-2-INTERNET-COPY rule.
c. Click the Advanced tab and change Interface Group to Wi-Fi2 or Wi-Fi3.
3. To directly edit the the WIFI-2-INTERNET rule to include all subnets:
a. Edit the WIFI-2-INTERNET rule.
b. Click the Advanced tab and select Matching from the Interface Group list.
c. Click the General tab and change Source to specify the Wi-Fi subnets.
4. At the top of the rule editor window, click Save.
Step 5. Verify the order of the access rules
Because rules are processed from top to bottom in the rule set, arrange your rules in the correct order. Also verify that your rules are placed
above the BLOCKALL rule; otherwise, the rules are blocked.
After adjusting the order of rules in the rule set, click Save Changes.

How to Configure a VLAN
Requirement
You must have a properly configured 802.1q-capable switch to support VLANs and at least one unconfigured port on your X-Series
Firewall.
You can use VLANs to simulate several LANs on one physical network interface (but only one MAC address). The physical interface behaves as
if it were several interfaces, and the switch behaves as if it were multiple switches. VLANs let multiple virtual networks share switches, cables,
and routers. All VLANs created on a host interface share the bandwidth of the physical interface. However, you can configure bandwidth policies
(QoS) to specify how much bandwidth an interface can use. The Barracuda NextGen Firewall X-Series can use up to 256 VLANs on one physical
network interface and a maximum of 4096 VLANs globally. Only unconfigured ports can be used to create VLAN interfaces.
Create a virtual interface

2. In the Virtual Interface Configuration section, add an entry for the VLAN. In the VLAN configuration.
You can only select ports that are not in use, capable of supporting VLANs and connected to a correctly configured VLAN
switch.

4. At the top of the page, click on the warning message to execute the new network configuration. It can take up to two minutes for the
settings to be applied.
The VLAN interface then appears in the Network Interface Configuration section. VLAN interface names are displayed in the format: p<port
number>.<vlan id>
Next steps
After adding the virtual interface, you can use it in your network configurations as if it were a physical interface. Continue with any of the following
network configuration articles:

How to Configure Static Network Interfaces
How to Configure a Static Route
How to Configure a Bridge
How to Configure Bandwidth Policies or QoS

How to Configure a Static Route
Create a static route to specify a gateway for an unassociated network so that the return traffic can take the correct path. In general, you must
add a static route when you want to reach networks that are not directly attached to the Barracuda NextGen X-Series Firewall or the default
gateway.
Add a static route
1. Go to the NETWORK > Routing page.

2. In the Target Network field of the Static Route Configuration section, enter the IP address and netmask of the target network in CIDR
format, e.g., 192.220.1.0/24
3. In the Gateway field, enter the IP address of the next hop or gateway. This gateway must be reachable by a direct route.
4. If you have to specify the source IP address that is used with this gateway, enter it in the Source Address field.
5. From the Classification drop down menu, select the relevant network.
6. Specify Metric and Maximum Transmission Unit (MTU) for the route if required.
If more than one route to the same target network exists, you must assign a unique metric value to each route. The lowest
metric (or preference number) specifies the preferred route. If the gateway becomes unreachable, the route with the next
lowest metric will be used.
7. Click Add.
The static route is now displayed in the NETWORK ROUTES table.

How to Configure a Bridge
The Barracuda NextGen Firewall X-Series supports layer 2 bridging of one or more network interfaces to create an aggregated network or to
physically separate LAN segments in a flat network structure. Configure Layer 2 bridging to transparently connect two networks.
For example:
You can bridge a wireless network with one of your local networks.
If you have servers with external IP addresses, you can bridge that traffic with the ISP gateway.
You can not create bridged groups containing dynamic interfaces like DHCP, PPPoE, PPTP or 3G.
After configuring your bridge, create an access rule to allow traffic between both networks. To help you configure the bridge, you can use the
pre-installed bridge between ports p1 and p3 and the predefined firewall rule for the bridge.
Step 1. Configure the bridge
Before you begin, verify that least one interface has a static route configured.
To configure the bridge:
1. Go to the NETWORK > Bridging page.

2. Click Add Bridged Group.
3. Enter a name for the bridge and add the interfaces to be bridged.
4. Click Save.
Step 2. Create an access rule for the bridge
Create an access rule to allow traffic between the bridged networks. For example, if you are bridging servers with external IP addresses with the
ISP gateway, create a rule that only allows traffic on port 443 and port 80 to pass.
1. Go to FIREWALL > Firewall Rules page.

2. Click ADD ACCESS RULE to create a new rule.
3. Specify the settings according to your requirements (see below example: Port p1-Port p3 Bridge).
4. Click Save.
Verify the order of the access rules. Because rules are processed from top to bottom in the rule set, ensure that you arrange your rules in the
correct order. You must especially ensure that your rules are placed above the BLOCKALL rule; otherwise, the rules are blocked. After adjusting
the order of rules in the rule set (use 'drag and drop'), click Save Changes.
Port p1-Port p3 bridge
To aid you in evaluation and initial setup, the X-Series Firewall has a pre-installed bridge between ports p1 and p3. You can see the bridge on
the NETWORK > Bridging page. The firewall rule that allows all traffic to pass between ports P1 and P3 is called P1-P3-BRIDGE. That rule has
the following settings:
Action Source Destination Service Bi-directional Interface Group Connection
Allow Port-p1 Port-p3 Any Yes Matching (match No SNAT (origin

es all interfaces) al source IP
address is used)

How to Configure a DMZ
In some cases, you might want to redirect network traffic from the Internet to a network host residing in a network segment protected by the
Barracuda NextGen X-Series Firewall. For example, you have a web server hosting a website that is reachable through the Internet. For
additional security, you can put the web server in the DMZ segment to logically separate hosts in the DMZ from other hosts in different network
segments.
With a DMZ configuration, you have full control over network traffic from the Internet to the web server, as well as traffic from other network
segments to the web server. This configuration might be necessary if hosts from other network segments must access the same web server.
If your web server listens on TCP port 8080 instead of 80 and you do not want to change the listening socket of your web server, you can use the
Port Address Translation (PAT) feature of the DNAT rule to modify the destination port of IP packets passing the firewall. In the Redirect To field
of the rule settings, append the port to be translated to the IP address field (e.g., 172.16.10.1:8080).
Step 1. Configure the interface
Create a network segment (e.g., 172.16.0.0/24 on port 3).

2. In the Static Interface Configuration section, click Add Static Network Interface.
3. In the Add Static Network Interface window, specify the following settings:
Network Interface – Select the interface connected to the DMZ (e.g., p3).
Name – Enter a name for the interface.
IP Address – Enter the interface IP address for the DMZ (e.g., 172.16.0.1). This IP address represents the default gateway
for clients within this network segment.
Netmask – Enter the netmask (e.g., 255.255.255.0).
Classification – Select DMZ.
4. Click Save.
Step 2. Configure the access rule
Create an access rule that allows HTTP traffic from the Internet to the web server residing in the DMZ.

2. Click Add Access Rule to create a new rule.
3. In the Add Access Rule window, enter a name and description for the rule.
4. Specify the following settings:

Action – Select DNAT.
Connection – Select Default (SNAT).
Source – Click Network Objects and add Internet.
Network Services – Add the service objects to redirect (e.g., HTTP).
Destination – Either click IP Address and enter the WAN IP address (e.g., 80.90.100.200), or click Network Objects and
select the object containing the WAN IP address (e.g., WAN-ISP1).
Redirected To – Enter the IP address and port number of the DMZ server (e.g., 172.16.0.10:8080).
5. Click Save.
Step 3. Verify the order of the access rules
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom in the rule set, you must arrange your
rules in the correct order. Ensure that your rules are placed above the BLOCKALL rule; otherwise, the rules are blocked. For more information,
see Firewall Rules Order.
After adjusting the order of the rules in the rule set, click Save.

How to Configure the DHCP Server
The DHCP server of the Barracuda NextGen Firewall X-Series automatically assigns IP addresses to clients that reside in a defined subnet. This
article provides an example of how to configure a DHCP server on the NextGen Firewall X-Series.
Before you begin
Configure a static interface by using the network the DHCP server subnet is in. For more information, see How to Configure Static Network
Interfaces
Step 1. Enable the DHCP server
1. Go to the NETWORK > DHCP Server page.

2. In the DHCP Server section, select Yes to enable the DHCP server.
3. Click Save.
To use the DHCP server within the management network, go to the NETWORK > IP Configuration page and add a secondary IP
address in the Management IP Configuration section.
Step 2. Configure the DHCP server subnet
This example configures a DHCP server subnet named LAN that uses an IP range from 192.168.200.150 to 192.168.200.160, a subnet mask of
255.255.255.0, and an NTP server at ntp.barracudacentral.com.

2. Click Add DHCP Server Subnet. The Add DHCP Server Subnet popover opens.
3. Enter the DHCP server subnet settings:
Name – Enter the Name of the DHCP server subnet.
Beginning IP Address – Enter the first IP address in the DHCP server subnet. E.g., 192.168.200.150
Ending IP Address – Enter the last IP address in the DHCP server subnet. E.g., 192.168.200.160
Subnet Mask – Enter the subnet mask. E.g., 255.255.255.0
Gateway – Enter the gateway IP address. E.g., 192.168.200.200
DNS Server 1 to 4 – Enter the IP address(es) of your DNS server(s).
NTP Server 1 to 2 – Enter ntp.barracudacentral.com
(optional) Vendor Options – Enter any string containing DHCP options required by your DHCP clients. Make sure to use the
exact formatting and delimiters required by your DHCP clients.
4. (optional) Specify the Default Lease Time and Maximum Lease Time.
5. If you use WINS servers in your network, enter their IP addresses in the WINS Server 1 and WINS Server 2 fields.
6. Click Save.
Step 3. Configure the client

The DHCP server is now ready to assign DHCP leases to connected clients. For clients that currently have manually assigned IP addresses,
reconfigure them to receive IP addresses from the DHCP server.
Assigning static IP addresses via DHCP
For a client to always receive the same IP address, configure a static DHCP lease. The DHCP server uses the MAC address to identify the client.
1. In the ACTIVE LEASES section, click + in the Actions column. The Add DHCP static lease pop-over window opens.
2. Enter the following settings:

IP Address – Enter the IP address that you want to assign to the system. Click the plus sign (+) next to the address line.
Hostname – Enter a name for the system to be assigned a static address. For example, Workstation.
MAC Address – Enter the MAC address of the selected system. You can also copy the MAC address from the Active Leases s
ection.
(optional) Client ID – Enter the client identifier for this client.
3. Click Save.
In the Active Leases section of the DHCP Server window, the IP address lease is displayed as Static.
Removing a DHCP lease
To free up an IP address that is in use for another DHCP lease, you can delete DHCP leases for inactive DHCP clients. Power off or disconnect
the client for the DHCP lease to change its state from active to inactive.
You must force the client to renew the DHCP lease after removing the DHCP lease on the X-Series Firewall; otherwise, it will continue
using the original lease until the maximum lease time expires. This may result in duplicate IP errors in your network!
1. In the DHCP Server Subnets section, click the trashcan icon in the Actions column. The Clear dynamic lease pop-over window opens.
2. Verify the IP addresses matches the DHCP lease you want to delete, and click Clear.

3. Force the client using this DHCP lease to renew the DHCP lease.
Monitoring active leases
In the Active Leases section of the NETWORK > DHCP Server page, you can monitor active DHCP leases. The information for each lease is
displayed in the following columns:
Column Description
Range The IP range of the subnet.
Hostname The hostname of the Windows client.
IP Address The percentage of actively used IP addresses from the range.
State The current state of the lease pool and the number of addresses that
are in use.
Start The start lease time of the IP address range.
End The end lease time of the IP address range.
MAC Address The MAC address of the client.
Type The type of the IP address. The IP address can be either Static or D
ynamic.

How to Configure a DHCP Relay
DHCP relaying allows you to share a single DHCP server across logical network segments that are separated by the firewall. The DHCP relay
service only forwards DHCP traffic; it does not assign the IP addresses. When configuring DHCP relay, both the port the DHCP server is
connected to and all ports the clients are connected to must be added to the DHCP relay interfaces.
Configure the DHCP relay agent
1. Go to the NETWORK > DHCP Relay page.

2. Select Enable DHCP Relay.
3. From the Relay Interfaces list, select the network interfaces that are used by the DHCP relay agent to connect to the DHCP server and
client networks. To add the interface, click + after each selection.
4. In the DHCP Server IPs field, add the IP addresses of the DHCP servers. Click + after each entry.
5. Enter the UDP Port the relay agent is listening on. Default: 67
6. Enable Add Agent ID if you want the DHCP relay agent to add an Agent ID (AID) to the transmitted packets. An AID indicates that the
data has been relayed.
7. Enter the Max. DHCP packet Size in bytes. Default: 1400
8. From the Agent ID Relay Policy list, select how your DHCP relay agent handles DHCP packets that are already flagged by an AID from
another agent:
Append – (default) Attach your AID to the existing AID.
Replace – Replaces the existing AID with your AID.
Forward – Passes DHCP packets without any modification.
Discard – Discards DHCP packets that are already flagged by an AID.
9. From the Agent ID Mismatch Policy list, select how your DHCP relay agent handles DHCP server replies that do not contain its AID:
Discard – (default) Discards the DHCP packet.
Forward – Forwards the DHCP packet to the DHCP client.
The Agent ID Mismatch Policy setting is important when multiple relay agents serve the DHCP server.
10. Enter the Max. Packet Hop Count to avoid infinite packet loops (default: 10).
11. Select Forward Unicast Packets if Bootstrap/BOOTP unicast messages should be forwarded by the DHCP relay.
12. Click Save.

How to Configure a Forward Proxy
If your network has a proxy or you want to use an ISP proxy, you can configure a forward proxy. This article provides steps and example settings
to configure a forward proxy for the setup that is illustrated in the following figure:
Configure a forward proxy
1. Go to the NETWORK > Proxy page.

2. For Web Security, select Proxy Forwarding.
3. Configure the following settings that appear:
Proxy Forwarding – Enter the IP address of the forward proxy.
Port – Enter the port of the forward proxy. Default values are 3128 or 8080.
For example, if you are configuring a forward proxy for the setup in the figure above:
4. Click Save.

Authoritative and Caching DNS
The Barracuda NextGen Firewall X-Series can use a caching DNS to speed up frequently queried DNS requests in the network, or configured to
act as an authoritative DNS server for your domains. Enable Authoritative DNS to allow intelligent responses to DNS requests by evaluating link
state and source IP address before answering the DNS request. You can use either static or dynamic WAN IP addresses.To use the ADNS
server for internal clients the LOCALDNSCACHE access rule must be active.
Caching DNS intercepts DNS requests from your network to external DNS servers and if the answer to the request is present in the local cache,
replies to the query speeding up DNS queries in your network and saving bandwidth in the process. DNS caching is always active when ADNS is
enabled, all DNS requests are redirected to the local ADNS server.
Caching DNS
Enable Caching DNS for all connections by setting Caching DNS on the NETWORK > IP Configuration page to Yes. This setting is overridden
when the authoritative DNS server is enabled.
Authoritative DNS
You must change the settings at your domains registrar to allow the X-Series Firewall to act as the nameserver for your domain. After adding the
domain you can configure the following record types:
A — Use this DNS record to match an IPv4 IP address to a hostname. Each host in a domain should have an A record.
NS — NS records specify the authoritative name servers for the (sub)domain. If the domain name server is inside the domain, enter the
FQDN ending with a dot. E.g., ns.example.com.
MX — Use this type of DNS record to define the mail servers for the network. If multiple mail servers are used enter a preference
between 0 and 65535. The MX record with the lowest preference is used first by the sending agent. If not available the server with the
next higher preference is tried until a successful connection can be established.
TXT — This record associates a text string with the hostname. Use this for services which do not have a DNS record type of their own
such as SPF.
CNAME — This creates an alias for an already existing cannonical name. The link target does not have to be a part of the domain. E.g.,
Create a CNAME record which points www.cuda-inc.com to www.barracuda.com
SRV — Define services available in the domain such as LDAP or SIP.
PTR — PTR records point to a canonical name. Unlike CNAME the host name is returned and not resolved. Use for reverse DNS
lookups.
OTHER — Use this to define a DNS record which is not listed above.
DNS zone transfer blocking
The X-Series Firewall can be configured to block zone transfers on some or all of the domains that it hosts. An AXFR/IXFR query that is sent from
another DNS server to the firewall (to request a copy of the DNS records) is rejected if zone transfers are disabled for that domain. By default,
zone transfers are enabled for all domains created. This feature is necessary if you want to force all DNS requests to be handled directly by the
firewall and the results not to be cached by recursive DNS servers. DNS zones, which are only reachable internally are not transferred to other
DNS servers.
Split DNS
The X-Series Firewall can return different IP addresses depending on the source IP address of the DNS request. When configured a client in the
internal network receives the local IP address of the server while a client from the Internet is responded to with the external WAN IP address.
For more information, see How to Add Domains and DNS Records.
Link failover and monitoring

If multiple ISP connections are used, create a DNS records for each interface to return DNS answers based on which connection is used for the
incoming DNS request. During normal operation with all ISP connections up the DNS server returns the complete list of all IP addresses (for all
interfaces). The client will then choose the IP address out of the list that most closely resembles its own IP address (RFC-3484). This behavior
can not be influenced by the DNS server. The firewall continuously checks the health check targets defined in each DNS record. In case one of
the health check fails, the corresponding DNS record is removed from the list of returned IP addressed. This ensures that the clients will not try to
connect to an unavailable IP address. Depending on the time to live (TTL) configured, it will take some time for the change of the DNS response
to be propagated to all recursive DNS servers. Using shorter TTL will speed up this process, but increase the number of DNS queries on the
firewall.

How to Add Domains and DNS Records
Configure the Barracuda NextGen X-Series Firewall to be the authoritative DNS server for your domains or subdomains to take advantage of
Split DNS or dead link detection.
Step 1. Make the X-Series Firewall the authoritative DNS server at your domain registrar
To become the authoritative DNS server for a domain contact the registrar for your domain to use the static or dynamic WAN IP addresses of
your X-Series Firewall.
Hosting a subdomain
If you want to delegate a subdomain to the X-Series Firewall, add ns1 and ns2 records to the zone file of the domain where it is stored at the
registrar. If the domain is yourdomain.com, and you want to host subdomain.yourdomain.com add the following DNS records:
subdomain IN NS ns1
subdomain IN NS ns2
ns1 IN A <WAN IP 1 OF YOUR BARRACUDA FIREWALL>
ns2 IN A <WAN IP 2 OF YOUR BARRACUDA FIREWALL>
Step 2. Enable authoritative DNS on the X-Series Firewall
In the DNS Servers table, you can view a list of the static IP addresses for which the DNS Server service is enabled ( NETWORK > IP
Configuration). Dynamic IP addresses are not listed. An access rule is created in step 3 to redirect incoming DNS requests on dynamic
interfaces to the DNS service on the firewall. The access rule LOCALDNSCACHE must be active after enabling authoritative DNS for local
clients to access the DNS server.
1. Go to the NETWORK > Authoritative DNS page.

2. Enable Authoritative DNS.
3. Click Save.
Step 3. (Dynamic WAN connections only) Create a redirect access rule
To redirect DNS traffic for dynamic WAN interfaces you must redirect the incoming traffic to the authoritative DNS service.

2. Click on Add Access Rule.
3. Create a Redirect to Service rule:
Name – Enter a name for the access rule. E.g., DHCP-2-ADNS
Source – Select Internet and click +.
Destination – Select the network object for the dynamic interface and click +. Repeat for each dynamic WAN connection. E.g.,
DHCP1 Local IP
Redirect To – Select Authoritative DNS.
4. Click Save.

5. Place the access rule toward the top of the ruleset so that no access rule before it matches incoming DNS traffic on dynamic interface(s).
Step 4. Add a domain
Add a new domain to the ADNS configuration.

2. In the DNS RECORDS section click on Add New Domain. The DOMAIN windows opens.
3. Enter the settings for the domain or subdomain:

Domain – Enter the domain or subdomain. E.g., yourdomain.com or subdomain.yourdomain.com
Access to Domain/Zone
Internal and External – The DNS Server answers queries from all networks.
Internal – The DNS Server answers queries from trusted networks.
External – The DNS Server answers queries from untrusted networks.
TTL (Time to Live) – This value determines how long DNS records are cached by recursive DNS servers. Use D for days, H for
hours, W for weeks or nothing for seconds. Recommended TTL for a A records: 2D.
Zone Transfers – Enable to allow recursive DNS server to cache DNS records. Disable to force clients to query the DNS server
on the firewall directly for each DNS request. Default: enabled.
4. Click Save.
The domain or subdomain is now listed in the DNS RECORDS section. NS and SOA records are automatically created for the new domain. The
NS records are set to the static IP addresses with the DNS server listener enabled.
Step 5. Add DNS records for the domain

You can now create DNS records for your domain or subdomain.

2. In the DNS Records section click on the Add New Record button in the Record Data column for your domain. The DNS RECORD win
dow opens.
3. Select the Type of DNS Record. E.g., testrecord

4. Enter the parameters required for the chosen DNS record type.
Click here for more information on DNS Record Types
Record Description
Start of Authority (SOA) The SOA record defines the global settings for the hosted
domain or zone. Only one SOA record is allowed per hosted
domain or zone.
Name Server (NS) NS records specify the authoritative name servers for this
domain. One NS record for each name server in the DNS
Servers table is generated.
Address (A) A records map a hostname to an IP address. Each host inside

the domain should be represented by an A record. One A
record is created for each name server in the DNS Servers tab
le. An A record is also created for each matching domain name
found in 1:1 NAT and Port Forwarding rules.
Mail Exchanger (MX) MX records point to the email servers that are responsible for
handling email for a given domain. There should be an MX
record for each email server, including any backup email
servers. If an email server lies within the domain, it requires an
A record for each name server. If the email server is outside
the domain, specify the FQDN of the server, ending with a dot.
Example: mail.my-isp.net
Text (TXT) Text records allow text to be associated with a name. This can
be used to specify Sender Policy Framework (SPF) or
DomainKeys records for the domain.
Canonical Name (CNAME) A CNAME record provides a mapping between this alias and
the true, or canonical, hostname of the computer. It is
commonly used to hide changes to the internal DNS structure.
External users can use an unchanging alias while the internal
names are updated. If the real server is outside the domain,
specify the FQDN of the server, ending with a dot.
Example: server1.my-isp.net
If a domain name has a CNAME record associated with it, then

it cannot have any other record types. Do not use CNAME
defined hostnames in MX records.
Service (SRV) Service records are used to store the location of newer
protocols, such as SIP, LDAP, IMAP, and HTTP.
Pointer (PTR) PTR records point to a canonical name. The most common
use is to provide a way to associate a domain name with an IP
address.
Other (OTHER) Use an OTHER record to add a type of DNS record that is not
supported, such as NAPTR.
5. Configure IP Addresses for the record (do this for all interfaces you want to use:
LINKS – Select the interface for which this response is valid. ANY is valid for all interfaces, INTERNAL ONLY only for requests
coming from Trusted Networks.

5.
WAN IP ADDRESS – Enter the IP address which will be returned for DNS requests from the Internet.
LOCAL NETWORK – Enter the IP address which will be returned for DNS requests from Trusted Networks.
If a Internal Only and a WAN interface IP address exist for the same record, the WAN IP ADDRESS and the Internal
Only IP address will be returned when queried from the internal network. Always define a Local Network for WAN
interfaces to avoid this behavior.
HEALTH CHECK – Select the health check type: Ping, DNS, Host:Port. The TARGET will be checked by this method
periodically to verify that the link is still up. When the health check fails this IP address is removed from the DNS response.
TARGET – The IP address, DNS name, or Host:Port target which will be checked periodically. Use a health check target that
is behind the interface chosen as the LINK.
6. Click +
7. Repeat 5. and 6. for the other interfaces if necessary.

8. Click Save.
The DNS records are now listed in the DNS RECORDS section. Refresh the page until the health check checks for all records turn green.
Step 6. Test your DNS records
From a host on the Internet, run.
nslookup - [YOUR WAN IP WITH DNS SERVER ENABLED]
Enter the domain names and verify that the WAN IP address for the interface or ANY IP Address is returned.
Repeat with a host in your local network
nslookup - [LOCAL IP OF YOUR BARRACUDA FIREWALL WITH DNS SERVER ENABLED]
Enter the domain names and verify that the LOCAL NETWORKS IP for the interface or ANY IP Address is returned.
When not using the X-Series Firewall DNS directly, it might take some time for your changes to be distributed throughout the Internet. A new
domain name might take up to a day until it is accessible via other DNS servers. If the DNS record is modified, any server on the Internet that has
the old DNS records will not request an update until the TTL of the original record has expired.

How to Change the Management IP Address and Network Interface
The management IP address is used to configure and administer the Barracuda NextGen Firewall X-Series via web interface. By default, the
X-Series Firewall uses 192.168.200.200 as the management IP. You can change the management IP address and network to match your
existing network.
Make sure you can connect to the X-Series Firewall after changing the management IP address either by changing the IP address of
the client PC to be in the same network and plugging the client PC into the new management port, or via an allow access rules allowing
access from the the network the client PC is in to the new management IP address.
Change the management IP address and network

2. In the Management IP Configuration section, select a new Management Interface.
3. Enter the new Management IP Address and Management Netmask.
4. Select the Ping and/or NTP check boxes if you want this interface to respond to those requests.
6. At the top of the page, click on the warning message to execute the new network configuration. It may take up to two minutes for the
settings to be applied.
Use the new management IP address when you log into the web interface: https://<new management IP address>

How to Configure and Use High Availability
For redundancy and reliability, you can set up two Barracuda NextGen X-Series Firewalls in a high availability (HA) cluster. During normal
operations, the primary unit is active while the secondary unit waits in standby mode. The secondary unit has the same configurations as the
primary unit, and it only becomes available when the primary unit is down. The failover is reversed when the primary unit can resume operations.
Services should be configured on the secondary IP address, not the management IP address of the firewall, as only the secondary IP addresses
fail over to the secondary unit. For the same reason use the secondary IP address as the default gateway for your clients.
To execute a failover when a unit or networking component becomes unavailable, you can configure the monitoring of additional IP addresses
and interfaces. You can also manually execute a failover.
When installing two firewalls in a high availability cluster, ensure that the cabling is done exactly the same on both units. The management IP
addresses must also be configured on the same ports. For example, if port 3 on the primary box is connected to ISP 1, the secondary box must
also connect port 3 with ISP 1. If you install cabling incorrectly, HA failover does not work properly. For an example of correct cabling, see the
following diagram:
Before you begin
If you want to join a Windows domain, you must do so on both primary and secondary units before creating the HA cluster. For more
information, see How to Join a Windows Domain.
If you want to use the Barracuda Web Security Service, you must connect both primary and secondary units, before creating the HA
cluster. For more information, see Cloud Features.
Each X-Series Firewall must have a management IP address in the same subnet. Verify that they are not using the same IP addresses
as the management IP address.
Step 1. Add management IP addresses to the administrator IP/ranges
If you restrict administrative access to the firewall by defining administrators IP addresses or networks, you must add the management IP address
of the HA partner unit to the administrator IP/Ranges list. If you are not restricting the administrator IP address (0.0.0.0 entry is present) you can
skip this step.
Step 1.1 Administrator IP/range on the primary unit
Add the management IP of the secondary unit to the administrator IP addresses on the primary unit.
1. Log in to the primary unit.

2. Go to the BASIC > Administration page.
3. In the ADMINISTRATOR IP/RANGE section enter:
IP/NETWORK ADDRESS – Enter the management IP address of the secondary unit.
NETMASK – Enter 255.255.255.255
4.

4. Click ADD.
Step 1.2 Administrator IP/range on the secondary unit
Add the management IP of the primary unit to the administrator IP addresses on the secondary unit.
1. Log in to the secondary unit.

3. In the ADMINISTRATOR IP/RANGE section enter:
IP/NETWORK ADDRESS – Enter the management IP address of the primary unit.
NETMASK – Enter 255.255.255.255
4. Click ADD.
Step 2. Add a secondary IP address to the primary firewall
Add a secondary IP address to the primary Firewall and configure the services of the firewall that are to be used from the local network to listen
on this IP address. Use this secondary IP address as the default gateway for the clients in your network. In case of a failover this IP address is
transferred to the secondary firewall.
1. Go to the BASIC > IP Configuration page.

2. Enter a Secondary IP Address and select the services that should listen on this IP address.
3. Click Add.
Step 3. Enable NTP
Go to the BASIC > Administration page and verify that NTP is enabled on the primary unit.
Step 4. Enable high availability
Before you set up two X-Series Firewalls in an HA cluster, ensure that both units fulfill the following prerequisites:
Both firewalls must be the same model type and revision. They must also run the same firmware version.
The management IP addresses of both units must be in the same network and subnet.
System clocks and timezones must be accurately set on both units. If they are not, HA pairing can fail.
The Default Domain (BASIC > Administration) must be set on both units.
Enable HA on the secondary unit
1. Log into the secondary unit.

2. Go to the ADVANCED > High Availability page.
3. In the Setup section, click Enable High Availability.
4. In the Enable High Availability window, enter the management IP address, serial number, and administrator password for the primary
unit.
5. Click Enable. The HA pairing process can take several minutes. During this process, do not reload the configuration page or configure
any other settings.
After the HA pairing is successful, the Disable High Availability option appears in place of the Enable High Availability option. The IP
addresses and serial numbers of both HA units are also displayed.
Additionally, this warning message is displayed on every configuration page of the secondary unit:
While the secondary unit is part of the HA cluster, you can only configure the following settings:
ADVANCED > High Availability

NETWORK > IP Configuration > Management IP Configuration
NETWORK > IP Configuration > Dynamic Interface Configuration
(If 3G is available) NETWORK > IP Configuration > 3G Network Interface

Configure monitoring
You can configure the monitoring of additional IP addresses and interfaces. If these IP addresses and interfaces become unreachable, a failover
is executed.
On the ADVANCED > High Availability page, in the Monitoring section, add the Reachable IPs and Reachable Interfaces.
Verify the HA status
To verify the HA status of the firewall, go to the ADVANCED > High Availability page and see the Status section. This section indicates if the
appliance is active, standby, primary, or secondary. If the appliance is not part of an HA cluster, this section indicates that it is Stand-Alone.
This figure shows an example of the status for a firewall in a high availability cluster.
On the BASIC > Status page, you can also view the current HA status in the Services section. To see the status details, hover over Hi
gh Availability.
Note that the secondary X-Series Firewall is not visible in Barracuda Cloud Control.
Manually execute an HA failover
On the ADVANCED > High Availability page, you can manually execute an HA failover by clicking Manual Failover in the Status section of the
unit which is currently active.
If the X-Series Firewall is not part of an HA cluster, the Manual Failover option is disabled.
Settings not synced between units in a high availability cluster
The following settings are unique to each unit in the high availability cluster and are not synced:
Domain
Hostname
Timezone
HTTPS Port
Management Interface Configuration.
Content of DNS Cache
Dynamic Interfaces

Firewall
The basic job of the Barracuda NextGen Firewall X-Series is to manage traffic between various trusted and untrusted network segments.
Incoming network traffic is compared to the first firewall access rule in the ruleset. If it doesn't match the next rule is evaluated, continuing from
top to bottom until a matching rule has been found.
Criteria for matching access rules are:
Source IP address or network

Destination IP address or network
Service (protocol, port/range)
Application
Users
Time
Interface
The first matching access rule is executed. If none of the rules match the default Block-all rule will block the traffic.
Next Generation Firewall capabilities
Application Control (with or without SSL Inspection), a tightly integrated Intrusion Prevention System (IPS) and URL filtering for content security
offer granular control over your network traffic.
Application Control – Application Control enables you to manage traffic caused by applications on your network. Knowing which
applications use the most traffic lets you create rules to optimize bandwidth for business critical applications while limiting unwanted
application traffic.
SSL Inspection – Most of the application traffic is SSL encrypted. SSL Inspection transparently decrypts the SSL connections and after
passing through Application Control reencrypts the connection and forwards it to its destination. SSL Inspection enables Application
Control to detect sub-applications making it possible to block single features such as Facebook games, while still allowing access to the
rest of the site.
URL Filter – If you want to keep out inappropriate web based content from your network, the Barracuda Web Security Gateway enables
you to filter a large number of websites based on categories. The URL filter can be used to create a whitelist (blocking everything except
for selected sites) or a blacklist (blocking known unwanted content). If the site is not in the URL database you can define a custom URL
policy. The URL Filter can only filter based on the URL of the website. It does not offer the more granular control over sub-applications
that Application Control does. For more information, see Application Control.
Virus Protection – HTTP(S), FTP and SMTP(S) traffic can be transparently scanned for malicious content while the traffic passes
through the firewall. For more information, see Virus Protection in the Firewall.
Advanced Threat Detection (ATD) – Advanced Threat Detection secures your network against zero day exploits and other malware not
recognized by the IPS or virus scanner. You can choose between two policies, which either scan the files after the user has downloaded
them and, if perceived to be a threat, quarantine the user, or scan the file first and then let the user download the file after it is known to
be safe. For more information, see Advanced Threat Detection (ATD).
Mail Security – Check the source IP address of incoming SMTP(S) connections against a DNSBL and modify the header and subject of
the e-mail if the sender is listed in the DNSBL. For more information, see Mail Security in the Firewall.,
Intrusion Prevention System (IPS) – The tightly integrated Intrusion Prevention System will monitor the network for malicious activities
and block detected network attacks. For more information, see Intrusion Prevention System or IPS.
To create, edit, or change the order of access rules, go to the FIREWALL > Firewall Rules page. For more about matching criteria and possible
access rule actions, see Firewall Rules. If you are new to the Barracuda NextGen Firewall X-Series, see Pre-Installed Access Rules to review the
rules that are already set up in the appliance. You can use these preinstalled rules as a starting point for your own rules.

Firewall Objects
Firewall objects are named collections that represent specific networks, services, applications, user groups or connections when creating access
rules. You can use the firewall objects that are preconfigured on the Barracuda NextGen Firewall X-Series, but you can also create custom
firewall objects depending on your requirements. Firewall objects are re-usable which means that you can use one firewall object in as many
rules as required. The following section explains the firewall objects that are available for use and configuration on the NextGen Firewall X-Series
and contains articles on how to create the different firewall objects for your access rules.
Advantages of Firewall Objects
Using firewall objects gives you the following advantages:
Each firewall object has a unique name that is more easily referenced than e.g. an IP address or a network range.
Maintenance of the access rule set is simplified. When you update a firewall object, the changes are automatically updated in every rule
that refers to this object.
Firewall Object Types
The following types of firewall objects are available for use and configuration:
Network Objects — Reference networks, IP addresses, or interfaces when configuring firewall access rules.
URL Policy Objects — (requires a Barracuda Web Security Subscription) Reference access restrictions for web sites. The NextGen
Firewall X-Series provides a predefined list of URL categories that are available for blacklisting and whitelisting.
Service Objects — Create service objects to reference TCP/UDP ports for a service.
Connection Objects — Reference the egress interface and source (NAT) IP address for traffic matching a firewall access rule.
NAT Objects — Map IP addresses from one IP address range to another, e.g., to let two subnets communicate with each other.
User Objects — Reference lists of users and/or user groups for use within access rules.
Schedule Objects — Configure time restriction or scheduling tables that can be applied to access rules on an hourly, weekly or calendar
date basis.
Application Objects — Reference lists of web applications and/or sub-applications when creating application aware firewall access
rules. For more information, see Application Control.

Network Objects
Use network objects to reference networks, IP addresses, or interfaces when you create access rules. A network object can also include other
existing network objects.
By using network objects instead of explicit IP addresses, access rule management is simplified. For example, if an IP address changes, you do
not have to edit it in every rule that references it; you must only change the IP address in the network object. The IP address is then automatically
updated for every rule that references the network object.
Create a Custom Network Object
Before you begin, list the network addresses and ports that you want to add to the network object.
To create the network object:
1. Go to the FIREWALL > Network Objects page.

2. In the Custom Network Objects section, click Add Network Object. The Add Network Object window opens.
3. Enter a Name for the network object.
4. In the Include Entries section, either select existing network objects to add or explicitly define the network that you want to add and then
click the plus sign (+). You can add multiple entries. To explicitly specify an IP address, enter it in the Network Address field and then
click the plus sign (+). If applicable, you can also specify the MAC Address and Interface.
5. For any IP addresses and interfaces that must be excluded from the network object, add them to the Exclude Entries section.
6. Click Save. The custom network object then appears in the Custom Network Objects section.
Edit a Custom Network Object
To edit a custom network object:

2. In the Custom Network Objects section, click the edit symbol for the custom network object that you want to edit.
3. In the Edit Network Object window, edit the settings for the object.
4. Click Save.
Delete a Custom Network Object
To delete a custom network object:

2. In the Custom Network Objects section, click the trash can icon for the custom network object that you want to delete.
3. Click OK to confirm.

Service Objects
A service object contains a list of TCP/UDP ports and the used network protocols for a service. To reference network services when you create
firewall rules, you can use the predefined service objects. If you want to reference custom services that are not in the default list or services on a
non-standard port, you can create custom service objects.
Create a Custom Service Object
Before you begin, list the TCP ports and UDP ports that you want to add to the custom service object.
To create the custom service object:
1. Go to the FIREWALL > Service Objects page.

2. In the Custom Service Objects section, click Add Service Object.
3. Enter a Name for the service object.
4. In the Add Service Object window, include existing service objects or explicitly define each service that you want to add to the object.
5. Click Save. The custom service object appears in the Custom Service Objects section.
Edit a Custom Service Object
To edit a custom service object:

2. In the Custom Service Objects section, click the edit symbol for the custom service object that you want to edit.
3. In the Edit Service Object window, edit the services for the object.
4. Click Save.
Delete a Custom Service Object
To delete a custom service object:

2. In the Custom Service Objects section, click the trash can icon for the custom service object that you want to delete.

Connection Objects
A connection object defines the outgoing interface and source (NAT) IP address for traffic matching the access rule. If an explicit source IP
address is specified, the appropriate link will be selected based on the routing table. If the source interface is specified, the corresponding source
IP address from a routing table lookup is used.
You can use the predefined connection objects or you can create new connection objects.
Create a Connection Object
To create a new connection object:
1. Go to the FIREWALL > Connection Objects page.

2. In the Connection Objects section, click Add Connection Object.
3. Enter a Name for the connection object.
4. From the Nat Type drop down list, select the type of NAT to use.
This setting lets you specify which source IP address and interface are to be used in case of fallback. This is especially
important if you are using multiple ISPs. Connecting via the backup provider using the wrong source IP address causes the
return traffic routing to fail.
Dynamic Source NAT – The firewall uses the routing table to find a suitable interface for routing the packet and uses the IP
address of the relevant interface as the new source IP address.
No Source NAT – The original source IP address of the packet is not changed.
From Interface – Source NAT is using the first IP address on a specific interface.
Select the interface from the Interface list.
Explicit – Uses the IP address that is specified in the Explicit IP Address field.
a. Enter the IP address in the Explicit IP Address field.
If the IP address does not exist locally, select the Proxy ARP check box to create an appropriate Proxy ARP entry. Prox
y ARP makes it possible for ARP requests to be answered for IP addresses that are not implemented in the Barracuda
NextGen Firewall X-Series.
5. When using From Interface or Explicit as Nat Type, configure the following settings if required:
Select the PAT check box to use Port Address Translation (PAT, also known as NAT overloading). PAT extends NAT so that
port numbers are also translated. Use PAT to pool several private IP addresses to one public IP address.
6. Click Save.
The connection object appears in the Connection Objects section.
Failover and Link Load Balancing
You can specify multiple source IP addresses and interfaces in the same connection object. This allows failover or session-based balancing
between up to four links. Balancing can be achieved using either a round robin or weighted random algorithm.

2. In the Connection Objects section, click Add Connection Object.
3. Enter a Name for the connection object.
4. From the NAT Type list, select either Explicit (to use the IP address that you specify) or From Interface (to use the IP address of the
link).
5. In the Failover and Load Balancing section, configure the following settings:
Multilink Policy – Defines what happens if multiple links are configured. Available policies are:
None – No fallback or source address cycling. This is not what you want for this object.
Failover – Falls back to the first alternate addresses and interface, called Alternate 1. If Alternate 1 fails, fail over to
Alternate 2 and so on. When the original link (the one configured in the top section) becomes available, the firewall
automatically resumes directing traffic to that interface.
Weighted Round Robin – Uses the IP addresses and interfaces configured as Alternate 1, 2, and 3, along with this
interface, in weighted-round robin fashion.
Random – Randomly uses one of the available IP addresses and interfaces specified in this object.
Specify the following for each of the alternate links:
NAT Type – Select one of these options:
Interface – Source NAT using the first IP address on the interface selected from the Interface list.
Explicit – Uses the IP address in the IP address field.
Weight – Only used for the weighted round robin policy. The weight numbers represent the traffic balancing ratio of the
available links. The higher the relative number, the more the link is used. For example, if four links are configured in this
object, weight values of 6, 2, 1, and 1 mean that traffic is balanced over the configured interfaces in a ratio of 6:2:1:1. As
a result, 60% percent of the traffic passes over Link #1, 20% of the traffic passes over Alternate 1, 10% of the traffic is
directed to Alternate 2, and 10% to Alternate 3.
6. Click Add.
After you have successfully created this connection object, you can go to the FIREWALL > Firewall Rules page and apply it to a rule that directs

outgoing traffic.
Edit a Connection Object
You can edit new connection objects and copies of the predefined connection objects.
To edit a connection object:

2. In the Connection Objects table, under Actions, click the edit symbol for the object that you want to edit.
3. In the Edit Connection Object window, edit the settings for the object.
4. Click Save.
To edit a predefined connection object:
1. Click the copy symbol next to the object in the Predefined Connection Objects table. A copy of the connection object appears in the Co
nnection Objects section.
2. Edit the settings for the object.
3. Click Save.
Delete a Connection Object
To delete a connection object:

2. In the Connection Objects table, under Actions, click the trash can icon for the object that you want to delete.
3. Click OK to delete the connection object.
Example – HTTP and HTTPS Traffic to the Internet
To allow HTTP and HTTPS connections from the local 192.168.200.0/24 network to the Internet, the firewall must perform source-based NAT.
Instead of using the source IP address from the client residing in the LAN, the connection is established between the WAN IP address of the
firewall and the destination IP address. Reply packets belonging to this session are replaced with the client's IP address within the LAN.
For this example, use the predefined Default (SNAT) connection object. It automatically uses the WAN IP address of the ISP uplink with the
lowest metric according to the firewall's routing table.

Application Based Connection Objects
Use application-based connection objects to select the WAN connection based on the application. Add application-based link polices for each
application or application category. Each policy can use a different connection object. Traffic that does not match one of these policies is sent
using the default connection object.
Before you Begin
(optional) Create custom connection objects for each Internet connection.
Step 1. Create the Application Based Connection Object
1. Go to FIREWALL > Connection Object

2. In the APPLICATION BASED CONNECTION OBJECTS section, click Add Connection Object.
3. Enter a Name.
4. Select the Default Connection.
5. Click Save.
Step 2. Add Application Based Link Policies
Edit the application-based connection object you just created and add the application-based link policies. Applications can be added individually,
through the application browser, or by application category. All selected applications will use the connection object selected for this policy.
1. Stay on the FIREWALL > Connection Object page.
2. Click to edit the application-based connection object you created in Step 1.

3. Click Add. The Add Application Based Link Policy pop-over opens.
4. Select the connection object from the Connection dropdown.

5. Add applications to the links policy by name, application browser and/or category:
Start typing the application name in the Select applications textbox and then click on the application from the list.
Click Browse to select the applications in the application browser.

Select the application categories from the Categories list.

6. Click Save.
The application-based link policy is now listed in the in the application-based connection object.
Step 3. Edit the Access Rule to use the Application Based Connection Object
1. Go to FIREWALL > Firewall Rules.

2. Double-click on the access rule you want to use the Application Based Connection Object. The Edit Access Rule pop-over opens. E.g.,
LAN-2-INTERNET
3. Select the application-based connection object created in Step 1 from the Connection dropdown.
4. Click Save.
To check which outgoing interface is used for a connection, go to BASIC > Active Connections or BASIC > Recent Connections and check
the SNAT column.

NAT Objects
map IP addresses from one IP address range to another. For example, if you have two
Create NAT objects to
subnets in the same range that need to communicate with each other, you can map each subnet to a different
set of IP addresses, allowing them to communicate using the mapped addresses.
Create a NAT Object
To create a NAT object:
1. Go to the FIREWALL > NAT Objects page.

2. Click Add NAT Object.
3. Enter a Name for the NAT object.
4. If you want to use Port Address Translation, select the PAT check box.
5. Enter the IP address pair and then click the plus sign (+).
6. Click Save.
The NAT object appears in the NAT Objects section.
Edit a NAT Object
To view the properties of a NAT object:
1. Go to the FIREWALL > NAT Objects page.

2. Click the expand icon next to the NAT object in the list.
To edit a NAT object:

1. Click the edit symbol for the NAT object that you want to edit.
2. In the Edit NAT Object window, edit the settings for the object.
3. Click Save.
Delete a NAT Object
To delete a NAT object:
1. Click the trash can icon for the NAT object that you want to delete.

User Objects
A user object contains a list of users that can be used in firewall rule conditions. You can use the set of predefined user objects that are provided
by the Barracuda NextGen Firewall X-Series and create custom user objects. Your custom user objects can contain other user objects.
Create a User Object
To create a new user object:

1. Go to the FIREWALL > User Objects page.
2. In the Custom User Objects section, click Create User Object.
3. Enter a Name for the user object.
4. Select the user objects and enter patterns for the users and groups that you want to include in the user object.
Under the User tab, enter the patterns for the login names that you want to add and then click the plus sign (+).
You can use the question mark (?) and asterisk (*) as wildcard characters. To use the wildcard sequence of ?*, you must specify
at least one character.
To select and add other user objects, click the User Object tab.
To enter patterns for the groups that you want to include, click the Group tab.
You can combine fields. For example, you can enter VPN user patterns (to enforce a VPN connection) with X.509 certificate
patterns (to require X.509 certificates to be installed in the browser application).
5. Click Save.
The user object appears in the User Objects section.
Edit a User Object
To edit a user object:

2. In the Custom User Objects table, under Actions, click the edit symbol for the object that you want to edit.
3. In the Edit User Expression window, edit the settings for the object.
4. Click Save.
Delete a User Object
To delete a user object:

2. In the Custom User Objects table, under Actions, click the trash can icon for the object that you want to delete.
3. Cick OK to delete the user object.

Schedule Objects
Create schedules to configure time restrictions on an hourly, weekly, or calendar-date basis that can be applied to access rules and application
policies. Rules and policies that include a schedule are only active for the date and/or timespan defined in the schedule. Schedules use the time
of the Barracuda NextGen X-Series Firewall they are running on.
Create a Schedule
1. Go to FIREWALL > Schedules.

2. Click Add Schedule to create a new schedule. The Add Schedule window opens.
3. Enter a Name for the schedule.
4. Select Terminate Existing Sessions if open connections should be closed as soon as the time restriction applies.
5. To activate the schedule for specific day and time intervals:

a. Select the Recurring check box.
b. Select the days and enter the daytimes for the schedule to be active.
c. Click the plus sign (+) to add the time interval.
A time schedule entry can cover up to one week, starting on Mon-00:00, and ending on Mo 0:00 of the next week. To
enable the schedule for an interval crossing the Mo 00:00 threshold, split the entry. E.g., Fri-15:00 to Mo 0:00 and
Mon-00:00 to Tue-10:30.
6. To activate the schedule only in a specific date range:

a. Select the One-Time check box.
b. Specify the date range using the From and To fields.
7. Click Save.
The schedule is now displayed in the SCHEDULES list and can be used when creating access rules and application policies.

Edit / Delete a Schedule
To edit a schedule, click the edit symbol next to the entry. In the Edit Schedule window, edit the settings for the object, and click Save. To delete
a schedule, click the trash can icon next to the entry and c lick OK.
Apply the Schedule to an Access Rule or Application Policy
To apply the schedule to an access rule:

2. Create a new access rule or edit the rule you want to apply the schedule to.
3. In the Add / Edit Access Rule window, click the Advanced tab.
4. Select the schedule from the Apply only during this time dropdown list.
5. Finish editing the rule and click Save.
To apply the schedule to an application policy:
1. Go to FIREWALL > Application Policy.

2. Create a new policy or edit the rule you want to apply the schedule to.
3. In the Add / Edit Policy Rule window, click the Advanced tab.
4. Select the schedule from the Time dropdown list.
5. Finish editing the application policy and click Save.

Firewall Rules
Access rules are used to manage traffic going through the Barracuda NextGen Firewall X-Series. The firewall service is tightly integrated with
Application Control, IPS, and the URL Filter service.
About Firewall Objects
Use firewall objects to reference specific networks, services, user groups or connections when creating firewall access rules. You can use the
firewall objects that are preconfigured on the NextGen Firewall X-Series or create custom firewall objects. The main purpose of firewall objects is
to simplify creation and maintenance of access rules. Firewall objects are re-usable which means that you can use one firewall object in as many
rules as required. Each firewall object has a unique name that is more easily referenced than an IP address or a network range (see Firewall
Objects).
Access Rule Settings
For each access rule you can configure the following settings:
Name – The name of the access rule. This name is displayed on the BASIC > Active Connections, Recent Connections, and IPS
Events pages.
Description – An additional description field for the access rule.
Action – Specifies how the firewall handles network traffic that matches the criteria of the rule. The following actions are available:
Allow/Block – The firewall passes all network traffic that matches the access rule; / The firewall ignores all network traffic that
matches the access rule and does not answer to any packet from this particular network session.
Reset – The firewall dismisses all network traffic that matches the access rule. Matching network sessions are terminated by
replying TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests, and ICMP Denied by Filter for other IP
protocols.
DNAT – The firewall rewrites the destination IP address, network or port to a predefined network address. Enter multiple
destination IP addresses for loadbalancing or fallback configurations. To additionally forward to a different port you can append
the port number to the IP address. E.g., 172.16.0.10:80
Redirect to Service – The firewall redirects the traffic locally to one of the following services that are running on the firewall:
Caching DNS, SIP Proxy, HTTP Proxy, VPN, SSL VPN or NTP.
Connection – Defines the outgoing interface and source (NAT) IP address for traffic matching the access rule. The following table lists
the five default connection objects:
Predefined Connection Object Outgoing Interface and IP Address Determined by
Default (SNAT) Change the source IP address of network packets to the IP

address of the interface with the lowest metric according to the
routing table.
No SNAT Connection is established using the original source IP address.

Use if simple routing with NAT is desired.
SNAT with DSL IP Source NAT with the IP address of the DSL uplink.
SNAT with 3G IP Source NAT with the IP address of the 3G uplink.
SNAT with DHCP IP Source NAT with the IP address of the DHCP uplink.
You can also create custom connection objects. For example, multiple source IP addresses and interfaces can be specified in the same
connection object. This allows failover or session-based balancing between up to four links. Balancing can be achieved using either a
round robin or weighted random algorithm.
Service – Describes the protocol and protocol/port range of the matching traffic. You can define one or more services for the access
rule. You can select a predefined service object or create your own service objects (see: Service Objects).
Source – The source IP address/netmask of the connection that is affected by the rule. You can select a network object
or explicitly enter a specific IP address/netmask. You can also create your own network objects (see: Network Objects).
Destination – The destination IP address/netmask of the connection that is affected by the rule. You can select a network object or
explicitly enter a specific IP address/netmask.
Bandwidth Policies
You can adjust the bandwidth for all matching traffic:
Bandwidth policies protect the available overall bandwidth of the Internet connection. Network traffic is classified and throttled or
prioritized within each access rule. To adjust the overall bandwidth of each network interface, go to the NETWORK > IP Configuration p
age. There are eight predefined bandwidth policies. For additional information, see How to Configure Bandwidth Policies or QoS.
Bandwidth policies for application traffic are configured in the application policy rules. For more information, see How to Configure an

Application Policy.
Users/Time
For more granular control, you can configure access rules that are only applied to specific users or during specific times.
Users can be used as a criteria for the rule. Use the Barracuda DC Agent to enable the firewall to be aware of which connection belongs
to a specific user. You can also create users objects (see: User Objects).
You can create access rules that are only active for specific times or dates. For example, you can create a time object that only includes
Mondays and the hours of 8:00 am to 9:00 am. An access rule including this time object will only allow traffic during the time span
defined in the time object (see: Schedule Objects).
Advanced
You can also configure the following advanced firewall settings:
Interface Group – When creating a access rule, you can assign interfaces that the source address is allowed to use. Arriving packets of
traffic that matches the rule are then processed to the specified network interfaces according to the interface group settings. For more
information, see How to Create Interface Groups.
SYN Flood Protection – SYN flood protection protects from a popular kind of DoS attack against computer systems. The firewall can
eliminate SYN flooding attacks for inbound or outbound attacks. The firewall completes the handshake and only then performs a
handshake with the actual target. This helps to protect the target from SYN flood attacks. Disabling SYN flood protection can cause an
overhead in packet transmission but can speed up interactive protocols like SSH.
In this Section
Pre-Installed Access Rules

Firewall Rules Order
How to Create User-Aware Access Rules
Example - Allowing Access to the Internet
Example - Handling SMTP Traffic
Example - Allowing SIP-based VoIP Traffic
Example - Blocking ICMP Traffic
Example - Configuring a DNAT Access Rule
Example - Configuring an Access Rule for the Barracuda Email Security Gateway
Example - Creating Time-Based Access Rules
How to Configure a Transparent Redirection to a Barracuda Web Security Gateway

Pre-Installed Access Rules
The Barracuda NextGen Firewall X-Series comes with a set of pre-installed access rules. Initially, you can use the appliance without any changes
to these rules. Eventually, you might want to customize the rules or enable the pre-installed rules that are disabled initially. Understanding the pre
-installed rules can help you create your own rules.
On the FIREWALL > FIREWALL RULES page, you can view the following pre-installed firewall access rules:
Firewall Rule Description
P1-P3-BRIDGE This rule creates a bridge between port p1 and port p3. All traffic
passes between the two ports. The rule is useful when you first get
the X-Series Firewall and want to evaluate the appliance at your
desk. Follow the instructions in the Barracuda NextGen Firewall
X-Series Quick Start Guide to connect port p1 to the LAN and port p3
to your PC. This configuration gives the firewall access to the
Internet, lets you look at traffic, and lets you continue to use your PC
for other purposes during the evaluation period.
When you are finished with your evaluation and move the firewall into
production, you can delete this rule.
LAN-2-BARRACUDA-SERVERS This rule allows the traffic from the trusted LAN to reach the
Barracuda Networks update servers. The rule is required for initial
activation as well as ongoing firmware and security updates.
LOCALDNSCACHE-WIFI This rule automatically redirects all DNS requests from a separate
Wi-Fi network on interface ath0 to the local caching DNS service of
the firewall. The rule is useful for reducing the amount of DNS traffic
over the WAN connection and improving DNS resolution speed as
well as security.
If you configure a DNS server in your local network, create a firewall

rule that allows TCP and UDP traffic on port 53 from the IP
addresses of your local DNS servers to the Internet. Place this rule a
bove the LOCALDNSCACHE and LOCALDNSCACHE-WIFI rules.
LOCALDNSCACHE This rule automatically redirects all DNS requests from the trusted
LAN to the local caching DNS service of the firewall. The rule is
useful for reducing the amount of DNS traffic over the WAN
connection and improving DNS resolution speed as well as security.
If you configure a DNS server in your local network, create a firewall

rule that allows TCP and UDP traffic on port 53 from the IP
addresses of your local DNS servers to the Internet. You should
place this rule above the LOCALDNSCACHE and
LOCALDNSCACHE-WIFI rules.
TRANSPARENT-PROXY-WIFI If enabled, this rule automatically redirects all HTTP requests on TCP
port 80 from a separate Wi-Fi network on interface ath0 to the local
proxy of the firewall. Depending on the proxy configuration (NETWO
RK > Proxy), web traffic is either scanned by Barracuda Web
Security Flex or forwarded to a different proxy service.
TRANSPARENT-PROXY If enabled, this rule automatically redirects all HTTP requests on TCP
port 80 to the local proxy of the firewall. Depending on the proxy
configuration (NETWORK > Proxy), web traffic is either scanned by
Barracuda Web Security Flex or forwarded to a different proxy
service.
LAN-2-INTERNET-SIP If enabled, this rule automatically redirects all SIP requests from the
trusted LAN to the local SIP proxy. It allows SIP communication
through the firewall.
INTERNET-2-LAN-SIP If enabled, this rule automatically redirects all SIP requests from any
IP address to the local SIP proxy. It allows SIP communication from
the Internet through the firewall.

LAN-2-INTERNET This rule allows network traffic for all types of data from the trusted
LAN to the Internet. It allows unrestricted access to the Internet for all
hosts within the trusted LAN segment.
WIFI-2-INTERNET This rule allows traffic from the Wi-Fi network coming in through
interface ath0 unrestricted access to the Internet.
LAN-2-LAN This rule allows network traffic for all types of data from one trusted
LAN to another. It allows unrestricted network traffic between hosts
residing in different LAN segments that are classified as trusted.
VPNCLIENTS-2-LAN This rule allows unrestricted access for VPN clients coming in
through interface pvpn0 to the trusted LAN. This includes
PPTP-based access.
VPN-SITE-2-SITE This rule allows unrestricted access to remote networks connected to

the firewall via site-to-site VPN connection.
WIFI-2-LAN This rule allows unrestricted access from the Wi-Fi network coming in
through interface ath0 to the trusted LAN.
BLOCKALL This rule blocks all incoming and outgoing network traffic that is not
handled by the access rules that are placed above it in the rule set.

Firewall Rules Order
You can view the access rules on the FIREWALL > Firewall Rules page. The access rules are processed from top to bottom. The first matching
rule is executed to process the traffic, all rules located below this rule are not evaluated. If no rule matches the last rule in the list is always the
BLOCKALL rule. The BLOCKALL rule will block all traffic. New access rules are always inserted below the BLOCKALL rule. You need move the
new access rule up the list, so it is evaluated before a more general rule further down the list matches.
To change the order of the access rules:

2. Drag rules up or down in the table. If you want a rule to be executed, drag it above the BLOCKALL rule.
3. After you finish adjusting the order of the firewall rules, click Save Changes. Otherwise, your changes will not take effect.

How to Create User-Aware Access Rules
To control traffic for certain users, you can configure a user-aware access rule. First, create a user object that includes the users whose traffic
you want to control. Because users are included by their login names or authentication groups, ensure that you have set up your external or local
authentication method. After creating the user object, apply it to the access rule.
Step 1. Create a User Object
Before you begin:
Because users are included by their login names or authentication groups, verify that you have set up authentication. For more information, see:
How to Configure an External Authentication Service

How to Configure Local Authentication
To create the user object:

2. Click Create User Object.
3. Enter a Name for the user object.
4. To include a specific user, enter the username under the User tab. You can use an asterisk (*) and question mark (?) as wildcards.
5. To include an existing user object, click the User Object tab.
6. To include users by group, click the Group tab. You can use an asterisk (*) and question mark (?) as wildcards.
7. Click Save.
Step 2. Apply the User Object to an Access Rule
To apply the user object to a access rule:

2. Create or edit a access rule.
3. In the rule editor window, click the ADVANCED tab.
4. In the VALID FOR USERS section, add the user objects that include the users whose traffic should be handled by the rule.
Step 3. Verify the Order of the Access Rules
Because rules are processed from top to bottom, ensure that you arrange your rules in the correct order. You must especially ensure that your
rules are placed above the BLOCKALL rule; otherwise, the rules are blocked. For more information, see Firewall Rules Order.
After adjusting the order of the rules, click Save.

Example - Allowing Access to the Internet
When you configure access rules to allow network traffic, you can choose to allow traffic only for certain types of traffic that are passing to and
from specific networks. You might want to create rules that allow wanted traffic to pass, and then use the BLOCKALL rule to block all other types
of traffic.
This article provides an example of how to configure a access rule that only allows HTTP and HTTPS connections from the local
192.168.200.0/24 network to the Internet.
Video
Watch the video below to see an example of an ALLOW access rule configured on the Barracuda NextGen Firewall X-Series.
Videos are not visible in the PDF export.
Step 1. Create the Access Rule to Allow Traffic to the Internet

2. Click Add Access Rule to create a new access rule.
Action Connection Service Source Destination
Allow Default (SNAT) Any Trusted LAN Internet
To allow connections from the local network to the Internet, the X-Series Firewall must perform source-based NAT. The source IP
address of outgoing packets is changed from that of the client residing in the LAN to the WAN IP address of the X-Series Firewall, so the
connection is established between the WAN IP address and destination IP address. The destination address of reply packets belonging
to this session is rewritten with the client's IP address.
5. Click Save.
New rules are created at the bottom of the firewall rule set. Rules are processed from top to bottom in the rule set. Drag your access rule to a slot
in the rule list, so that no access rules before it matches this traffic. Verify that your rules are placed above the BLOCKALL rule. Otherwise, the
rule never matches.
After adjusting the order of rules in the rule set, click Save.

Example - Handling SMTP Traffic
You must configure at least one access rule to control mail traffic. Direct SMTP traffic to your Barracuda Email Security Gateway or your mail
server. If your mail server supports POP/IMAP access, configure a rule that allows this access. If you have more than one external IP address,
configure a access rule to ensure that outgoing traffic uses the correct IP address.
Incoming Traffic
If your mail server or Barracuda Email Security Gateway is on the public network, you might want to allow your Barracuda NextGen X-Series
Firewall to provide protection and move your mail system onto the internal network. The mail traffic passes through the firewall in both directions.
If the advertised method of receiving email is a dynamically-assigned IP address, use a service such as DynDNS to make a permanent identifier
for your mail server or Email Security Gateway. For more information on the DynDNS service, see http://dyn.com/dns/.
As you can see on the FIREWALL > Service Objects page, the Any-EMAIL service object contains the following email protocols: POP2,
POP3S, POP3, IMAP, IMAPS, and SMTP. You can use this object or just the protocols that you want to support. The rules below specify the
protocols explicitly. Configure the access rules for the cases that match your scenario, and then verify your access rule order.
Case 1 – Barracuda Email Security Gateway
Configure a rule to redirect incoming mail traffic for the Barracuda Email Security Gateway. If you have an Email Security Gateway and your mail
server does not support POP or IMAP, this is the only rule that you will need for incoming email traffic.
Go to the FIREWALL > Firewall Rules page and configure the following rule to redirect the incoming mail traffic:
SMTP-2-SPAMFW Values:
Action Source Destination Service Connection Redirected To
DNAT Either the Internet n The destination SMTP No SNAT (the The internal static IP
etwork object or a depends on the original source IP address of the
specific public IP advertised method address is used) Barracuda Email
address. For of receiving email. Security Gateway.
example, the IP
If it is one or
address of the
more external
hosting provider.
static IP
addresses,
enter those
addresses (a
CIDR
summarization
of addresses
can also be
used).
If it is a domain
name which
maps to a
dynamically-ass
igned IP
address, select
the network
object named A
ny .
Case 2 – Barracuda Email Security Gateway and a POP/IMAP Mail Server
If you have a Barracuda Email Security Gateway and you also want to support POP/IMAP traffic from your mail server, then you must add this
rule in addition to the above rule for the Email Security Gateway.
Go to the FIREWALL > Firewall Rules page and configure the following rule to redirect the incoming POP/IMAP traffic only to the mail server:
POP-2-INTERNAL Values:
Action Source Destination Service (select Connection Redirected To

relevant ones)

DNAT Either the Internet n The destination POP2 No SNAT (the The internal static IP
etwork object or a depends on the POP3 original source IP address of the mail
specific public IP advertised method POP3S address is used) server.
address. For of receiving email. IMAP
example, the IP IMAPS
If it is one or
address of the
more external
hosting provider.
static IP
addresses,
enter those
addresses (a
CIDR
summarization
of addresses
can also be
used).
If it is a domain
name which
maps to a
dynamically
assigned IP
address, select
the network
object named A
ny.
Case 3 – Mail Server Only
If you do not have a Barracuda Email Security Gateway, you can redirect the incoming traffic to the mail server that is on your internal network.
Go to the FIREWALL > Firewall Rules page and configure the following rule to redirect the incoming mail traffic:
EMAIL-2-MAIL-SERVER Values:
Action Source Destination Service (select Connection Redirected To

relevant ones)
DNAT Either the Internet n The destination SMTP No SNAT (the The internal static IP
etwork object or a depends on the POP2 original source IP address of the mail
specific public IP advertised method POP3 address is used) server.
address. For of receiving email. POP3S
example, the IP IMAP
If it is one or
address of the IMAPS
more external
hosting provider.
static IP
addresses, ente
r those
addresses (a
CIDR
summarization
of addresses
can also be
used).
If it is a domain
name which
maps to a
dynamically
assigned IP
address, select
the network
object named A
ny.
Verify the Order of the Access Rules
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom in the rule set, arrange your rules in
the correct order. You must especially ensure that your rules are placed above the BLOCKALL rule; otherwise, the rules are blocked. After
adjusting the order of rules in the rule set, click Save Changes.

Outgoing Traffic
Outgoing SMTP traffic (for outgoing email) must also be allowed to pass. Depending on the location of your mail server, this traffic might already
be allowed by the pre-installed LAN-2-INTERNET rule. If it is not, or if you want to make an explicit rule anyway, you must add a rule.
Configure the access rules for the case that matches your scenario. If you have multiple public IP addresses, follow the instructions in Case 2 -
Multiple Public IP Addresses to ensure that the traffic leaves on the same IP address that the public MX record points to. If you do not have
multiple IP addresses, follow the instructions in Case 1 - Mail Server Not on Trusted LAN. After configuring the required access rule, verify your
access rule order.
Case 1 – Mail Server Not on Trusted LAN
Go to the FIREWALL > Firewall Rules page and configure the following rule to allow outgoing SMTP traffic:
SMTP-2-INTERNET Values:
Action Source Destination Service (select relevant Connection

ones)
Allow The internal IP address of Internet SMTP Default (SNAT)

the mail server
Case 2 – Multiple Public IP Addresses
If you have multiple external IP addresses and want to force outbound SMTP traffic to use a specific IP address :
1. Go to the FIREWALL > Connection Objects page and create a connection object that specifies the IP address that is in the MX record.
2. Go to the FIREWALL > Firewall Rules page and add the following rule to direct the outgoing mail traffic:
SMTP-2-INTERNET Values:
Action Source Destination Service Connection
Allow The internal IP address of Internet SMTP A connection object with

the mail server the IP address used for
email.
Verify the Order of the Firewall Rules
Move the firewall rule above the pre-installed LAN-2-INTERNET rule. If this rule is under the LAN-2-INTERNET rule, traffic goes out on the
primary IP address, which might not be the correct path. After adjusting the order of rules in the rule set, click Save Changes.

Example - Allowing SIP-based VoIP Traffic
This article provides the following examples of how to configure the Barracuda NextGen Firewall X-Series to allow SIP-based VoIP traffic:
Allowing SIP-based VoIP Traffic for VoIP Phones – Steps for configuring access rules for VoIP phones that use the same network subnet
as the internal SIP server. The VoIP phones and SIP server are located in the the 192.168.200.0/24 network.
Allowing SIP-based VoIP Traffic for Barracuda Phone System – Steps for creating the access rules and network object required to allow
SIP-based VoIP traffic when using Barracuda Phone System with the NextGen Firewall X-Series.
Allowing SIP-based VoIP Traffic for VoIP Phones
Create a forwarding access rule that redirects traffic to the internal SIP proxy of the X-Series Firewall. The SIP proxy dynamically opens all
necessary RTP ports for successful SIP communication through the firewall. You must also create a separate access rule to allow traffic from the
Internet to the SIP proxy.
On the X-Series Firewall version 6.5.0 and above, the required LAN-2-INTERNET-SIP and INTERNET-2-LAN-SIP firewall access rules
are preconfigured. However, when upgrading from older firmware releases, you might have to create new rules or edit and configure
existing ones.
Step 1. Configure an Access Rule for the Connection from the SIP Server to Internet
To let SIP-based VoIP communication pass the firewall, create a forwarding firewall access rule that redirects traffic to the SIP proxy. You can
create a new access rule or edit an existing rule. This example edits the LAN-2-INTERNET-SIP rule.

2. Edit the LAN-2-INTERNET-SIP rule. Ensure that the rule is enabled and that the following settings are specified:
Action Source Destination Redirected To
Redirect to Service Trusted LAN Internet SIP
In this rule, the Source includes the SIP server and the phones. The Destination specifies the destination of the SIP network traffic that
is allowed. Usually, the destination is the public IP address of your SIP provider. Here, Destination is the predefined Internet network
object, but you can also enter the network address of your SIP provider.

3. At the top of the Edit Access Rule window, click Save.
Step 2. Configure an Access Rule for the Connection from the Internet to the SIP Server
Configure a separate forwarding access rule to allow connections from the Internet to the SIP server. You can create a new access rule or edit an
existing rule. This example edits the INTERNET-2-LAN-SIP rule.

2. Edit the INTERNET-2-LAN-SIP rule. Ensure that the rule is enabled and that the following settings are specified:
Action Source Destination Redirected To
Redirect to Service Any Internet SIP
The Source specifies the origin of the network traffic that should be allowed. The Destination specifies the public IP address that is
allowed to receive SIP traffic.

3. At the top of the Edit Access Rule window, click Save.
Because rules are processed from top to bottom in the rule set, arrange your rules in the correct order. You must especially ensure that your rules
are placed above the BLOCKALL rule; otherwise, the rules are blocked.
Allowing SIP-based VoIP Traffic for the Barracuda Phone System
When using Barracuda Phone System with the X-Series Firewall, you must create two firewall access rules to allow SIP-based VoIP traffic from
the Internet to the Phone System and vice versa. For the access rule that allows SIP-based VoIP traffic from the Phone System to the Internet,
you must create a connection object that does not use port address translation (PAT) .
Step 1. Create an Access Rule for the Connection from the Internet to the Barracuda Phone System

2. Click Add Access Rule.
3. In the Add Access Rule window, enter a name and description for the rule and then specify the following settings:
Action Connection Source Network Services Destination Redirected To
DNAT No SNAT Any SIP Public IP address Barracuda Phone

of the X-Series System IP address.
Firewall.
4. Click Save.
Step 2. Create a Connection Object

2. Click Add Connection Object.
3. In the Add Connection Object window, enter a name and description for the object and then specify the following settings:
NAT Type Interface PAT
From Interface Select your WAN interface. Clear the check box.

4. Click Save.
Step 3. Create an Access Rule for the Connection from the Barracuda Phone System to the Internet

3. In the Add Access Rule window, enter a name and description for the rule and then specify the following settings:
Action Connection Source Network Services Destination
Allow Select the connection The Barracuda Phone SIP Any

object that you created. System IP address.
4. Click Save.

Example - Blocking ICMP Traffic
If you use the default rule set, all traffic is allowed from the LAN to the Internet. If you keep the rules that include the parameter Service set to An
y, you might want to add access rules that BLOCK or RESET traffic with specific profiles. For example, you can deny specific service types or
traffic from certain users. Using BLOCK causes the Barracuda NextGen Firewall X-Series to simply not respond to the connection request. The
source client will then receive a timeout. To actively deny access, select RESET. The connection is then closed by the X-Series Firewall as soon
as a connection attempt is made.
This article provides an example of how to configure a access rule that blocks all ICMP traffic from the local LAN to the Internet.
Video
Watch the video below to see an example of an ALLOW access rule configured on the Barracuda NextGen Firewall X-Series.
Step 1. Create an Access Rule to Block ICMP Traffic

Action Source Network Services Destination
Block Trusted LAN ICMP Internet
5. At the top of the Add Access Rule window, click Save.
New rules are created at the bottom of the firewall rule set. Rules are processed from top to bottom in the rule set. Drag your access rule to a slot
rule never matches.

Example - Configuring a DNAT Access Rule
To reach services running on servers in the DMZ behind the firewall, configure a Destination NAT (DNAT) rule to forward the traffic arriving on
the WAN port to the correct server and port in the DMZ.
Video
Watch the video below to see an example DNAT access rule configured on the Barracuda NextGen Firewall X-Series:
Before you Begin
Create a new network object containing the IP addresses of all web servers you want to redirect traffic to. If you want to redirect to a
different port, you cannot use network objects.
Create a network object containing your public IP address. For this example, our public IP address is 62.99.0.51.
Verify that there is no local firewall service listening on that IP address. To forward IPsec traffic, go to VPN > Settings and set Use
Dynamic IPs to No.
Step 1. Configure a DNAT Access Rule
This example creates a DNAT access rule that allows HTTP traffic from the Internet to the web server residing in the DMZ.

Action Connection Source Network Services Destination Redirect
DNAT No SNAT Internet HTTP+S Either 62.99.0.5 network object

1 or the WAN-ISP1 containing one or
Network Object more IP addresses
or
IP
address:port 17
2.16.0.10:8080

5. Click Save.
Step 2. (optional) Load Balancing Additional Web Servers in the DMZ
To redirect to more than one web server in cycle (round robin) or fallback mode, you can either add additional IP addressees to the network
object, or enter additional IP addresses to the Redirect list. In fallback mode, all traffic is sent to the first IP address in the list (or network object).
If that IP address is no longer reachable, traffic is sent to the second, and so forth. In cycle mode, the traffic is distributed to all IP addresses in
the Redirect list based on the source IP address of the traffic. In this example, we used a network object containing 2 IP addresses (172.16.0.11
and 172.16.0.12) and left the original IP address 172.16.0.10 on port 8080 from step 2. HTTP and HTTPS traffic is now cycled between:
172.16.0.10:8080
172.16.0.11 port 80 or 443 as the chosen network services HTTP+S allows for those ports
172.16.0.12 port 80 or 443 as the chosen network services HTTP+S allows for those ports
New rules are created at the bottom of the firewall ruleset. Rules are processed from top to bottom in the ruleset. Drag your access rule to a slot
rule never matches.
After adjusting the order of the rules in the ruleset, click Save.

Example - Configuring an Access Rule for the Barracuda Email Security Gateway
When deploying a Barracuda Email Security Gateway behind the Barracuda NextGen Firewall X-Series, configure a Destination NAT (DNAT) ac
cess rule to route SMTP traffic to the Email Security Gateway. For more information on the Barracuda Email Security Gateway, see: Overview.
This article provides instructions on how to configure an access rule for the following setup:
Before you Begin
Install and configure the Barracuda Email Security Gateway in your LAN as described in: Deployment Behind the Corporate Firewall.
Step 1. (Optional) Create a Service Object for SMTPS
To also forward SMTPS traffic to your Email Security Gateway, create a service object to redirect the traffic to port 465. For more information, see
Service Objects.
Use the following settings:
Protocol – TCP
Port Range – 465
Step 2. Configure a DNAT Access Rule
Create a DNAT access rule that forwards all incoming SMTP traffic to the IP address of the Email Security Gateway.
2. Click Add Access Rule to create a new firewall rule.
Action Connection Source Network Services Destination Redirected To
DNAT No SNAT Internet SMTP, SMTP SSL Enter the public IP Enter the IP
(optional) address of the address or select
X-Series Firewall. the network object
E.g.: 62.99.0.50 for your Barracuda
Email Security
Gateway. E.g.: 10
.10.10.3

5. Click Save.
Because rules are processed from top to bottom in the rule set, arrange your access rules in the correct order.
Make sure that this rule is the first access rule that matches SMTP traffic on the WAN port of the X-Series
Firewall.
After adjusting the order of the rules in the rule set, click Save.

Example - Creating Time-Based Access Rules
With the Barracuda NextGen Firewall X-Series, you can configure access rules that are only active for specific times or dates. Create a time
object for the times that the access rule should be active. Then apply this time object to the access rule.
This article provides an example of how to configure a access rule that blocks Internet (HTTP and HTTPS) access for two trainees from Monday
to Friday, except during the hours of 11:00 AM to 01:00 PM. The two trainees reside in the 192.168.200.0/24 network segment and use
computers with the 192.168.200.100 and 192.168.200.101 IP addresses.
Step 1. Create a Time Object
This example configures a time object named TraineeOfficeHours that includes all office hours except lunch time from 12am to 1pm.
1. Go to the FIREWALL > Time Objects page.

2. In the Time Objects section, click Add Time Object.
3. In the Name field, enter TraineeOfficeHours.
4. To terminate existing sessions when the access rule is applied, set Terminate Existing Sessions to Yes.
5. To define a date range for this time object, select the Use Date Range check box.
6. In the time table of the configuration window, select all days and times when the access rule should be active.
7. Click Add to create the time object.
Step 2. Create an Access Rule using the Time Object
This example configures an access rule named Block-HTTPs-for-Trainees that blocks HTTP and HTTPS network traffic from the
192.168.200.100 and 192.168.200.101 IP addresses.
1. Go to the FIREWALL > access rules page.

2. Click Add Access Rule to create a new access rule. The Add Access Rule window opens.
3. Enter a name and description for the rule.
Name Action Connection Service Source Destination
Block-HTTPS-fo Block Default (SNAT) HTTP+S 192.168.200 Internet

r-Trainees .100
192.168.200
.101
Because all other clients in the 192.168.200.0/24 network should not be affected by this rule, the source network is limited to the
192.168.200.100 and 192.168.200.101 IP addresses.

5. Click the ADVANCED tab.
6. From the APPLY ONLY DURING THIS TIME list, select the time object that you created. For this example, select the TraineeOfficeHou
rs object.
7. At the top of the window, click Save.
Access rules are processed from top to bottom. Place your access rule before any other access rule that matches the same traffic. For this
example, place your time-based block rule before any rule that allows Internet access. Click Save to save the changes to the order of the access
rules.

How to Configure a Transparent Redirection to a Barracuda Web Security Gateway
The Barracuda NextGen Firewall X-Series can transparently redirect all HTTP and HTTPS traffic to a Barracuda Web Security Gateway or any
other HTTP/S processing device. The Barracuda Web Security Gateway can then process the HTTP/HTTPS request using the original source
and destination IP addresses. After the Barracuda Web Security Gateway applies all local policies and collects the statistics, the web traffic is
then forwarded to the Internet via the X-Series Firewall. This configuration allows the proxy to apply all policies as if it were directly connected to
the client. It also allows the proxy to create meaningful statistics and connection information.
The Barracuda Web Security Gateway may be any device processing HTTP or HTTPS.
Before your Begin
The X-Series Firewall and the Barracuda Web Security Gateway must be connected to the same subnet (within the same ARP domain).
Step 1. Create a Transparent Redirect DNAT Access Rule
Create the DNAT access rule to forward all HTTP traffic to the Barracuda Web Security Gateway.

3. Create an access rule to transparently redirect all HTTP and HTTPS traffic through your Barracuda Web Security Gateway:
Source – Select Trusted LAN. Alternatively, select IP Address and enter the network the client using the Barracuda Web
Security Gateway is in.
Destination – Select Internet.
Network Services – Select HTTP+S.
Redirect – Select IP Address and enter the IP address of the Barracuda Web Security Gateway. E.g.. 172.16.0.10
Do not use network objects containing host names (DNS objects). The firewall does not redirect traffic to a hostname
or FQDN.

Application Control – Set to No.

4. In the Add Access Rule window, click the Advanced tab.
5. In the Other section, set Transparent Redirect to Yes.
6. Click Save.
7. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located
above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
8. Click Save.
Step 2. Create an Allow Access Rule for the HTTP Proxy to Access the Internet

3. Create an ALLOW rule to allow the Barracuda Web Security Gateway to access the Internet:
Source – Select IP Address and enter the IP address of the Barracuda Web Security Gateway.
Connection – Select Dynamic SNAT.

5. In the Denial of Service and Spoofing Protection section, set Interface Group to Any.
6. Click Save.
7. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located
above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
8. Click Save.
Step 3. Create an Allow Access Rule for the Barracuda Web Security Gateway to Access the Client
To allow the Barracuda Web Security Gateway to access the client, create an access rule with the following settings:

Source – Select IP Address and enter the IP address of the Barracuda Web Security Gateway.
Destination – Select Trusted LAN.

Step 4. Configure the Barracuda Web Security Gateway
In order to successfully send the connection from the Barracuda Web Security Gateway to the Internet you must configure the device to:
Route to the Internet using the X-Series Firewall as the gateway.

Route to the internal client network using the X-Series Firewall as gateway.
HTTP traffic must use the IP address of the Barracuda Web Security Gateway as the source IP for outgoing connections.
For more information, see Barracuda Web Security Gateway - Overview.

Application Control
As a powerful next-generation Firewall feature, Application Control allows the Barracuda NextGen Firewall X-Series to control application traffic,
including sub-applications (e.g., chat function and picture uploading). It includes the following features:
Application Policy – A list of policy rules to detect and control application traffic. You can create rules to drop or adjust the bandwidth of
detected applications. Traffic patterns are compared to predefined application objects containing detection patterns to detect the latest
applications. The application pattern database is updated with every NextGen Firewall X-Series firmware update. You can also
customize application definitions based on previously analyzed network traffic. To classify applications and threats, all application objects
are categorized based on risk, bandwidth, or vulnerabilities.
URL Filtering – Based on the Barracuda Web Security Gateway URL category database. The URL filter uses a large online database to
filter according to the URL of the website. The websites are organized into URL categories based on the content of the website. You can
use the URL filter as a whitelist or blacklist. To use the URL Filter you must have a Barracuda Web Security Subscription.
SSL Inspection – Most applications encrypt outgoing connections with SSL or TLS. SSL Inspection intercepts and decrypts encrypted
traffic to let Application Control detect and handle embedded features or sub-applications of the main application. For example, you can
create a policy that permits the general usage of Facebook but forbids Facebook chat. If you choose not to enable SSL Inspection, the
main applications can still be detected. For example, Facebook can still be detected without SSL Inspection, but you will not be able to
determine if the Facebook chat or a Facebook app is being used.
Understanding Application Control
Because applications either are web-based or connect via SSL- or TLS-encrypted connections to servers in the Internet, they can be detected
and then controlled as they pass the X-Series Firewall. If Application Control and SSL Inspection are enabled in the firewall rule that handles the
application traffic, then the traffic is evaluated by the application policies and processed as follows:
1. SSL traffic is decrypted.

2. Application policy rules are processed from top to bottom to determine if they match the traffic. If no rule matches, the default application
policy is applied.
3. If a matching application rule is found, the detected application is handled according to the rule settings. The application can be reported,
blocked, or restricted by time, bandwidth (QoS), user information, or content (e.g., MPEG).
4. If the traffic was decrypted, it is re-encrypted.
5. The traffic is sent back to the forwarding firewall, which forwards it to its destination.
In this Section:
How to Introduce Application Control to Your Network

Application Objects
How to Configure and Use the URL Filter
How to Configure an Application Policy
Example - Adjust Bandwidth for Application Traffic

How to Introduce Application Control to Your Network
To use application control efficiently, it is recommended that you first monitor your application traffic over a certain period of time. Analyzing your
bandwidth usage helps you determine how to improve the use of available resources and then configure policies to manage application traffic
accordingly.
After your analysis, create application policies to ensure that business-critical applications receive the bandwidth that they need. Then configure
application and URL policies to block or choke any unwanted applications and websites. You can adjust and tune these policies by defining
exceptions for certain resources or users.
Step 1. Activate Application Control
Enable Application Control and activate it in a firewall rule to start gathering application data. Configure one or more firewall rules that forward
traffic from the clients to the internet. If you want to use pre-installed rules, configure the LAN-2-INTERNET and WIFI-2-INTERNET rules. If you
are not using the pre-installed firewall access rules, use the corresponding firewall rules.
1. Go to the FIREWALL > Settings page, enable Application Control, and click Save.
3. Edit the LAN-2-INTERNET and WIFI-2-INTERNET rules to enable Application Control and SSL Inspection.
4. Install SSL certificates on the client computers to avoid SSL warnings when using SSL Inspection. For more information, see How to
Configure an Application Policy.
The Barracuda NextGen Firewall X-Series can now start collecting information on the application-based traffic that is handled by these firewall
rules. If you configured a captive portal or the Barracuda DC Agent, user information is also collected.
Step 2. Analyze Application Traffic
Go to the BASIC > Application Monitor page to view information about the application traffic that passes through the X-Series Firewall and
determine which applications use the most bandwidth. You can either use filters or create custom reports to track this information and view it in
more detail.
Example - Define a Filter to see all Employees Using High Risk Applications.
If you want to see all data about high risk applications that were used in you network, configure a filter for the application monitor:
1. Go to the BASIC > Application Monitor page.

2. Click the plus sign (+) to create a new filter.
3. In the Filter window, select >=3 from the Risk list.

4. Click Ok.
You can now see a list of all the data for high risk applications in the time period that you selected in the Last list. To remove the filter click the x i
con next to the filter.
Example - Create a Custom Report on How much Bandwidth is used by Business Applications
You can create daily reports using the Barracuda Report Creator (BASIC > Administration). You can define custom report types to get daily
update on how much traffic your business critical applications are using.
For more information, see Barracuda Report Creator.
Step 3. Create Application Policies to Prioritize Business-Critical Applications
Create an application policy to ensure that important applications receive enough bandwidth.
1. Create a list based application object to include all the business-critical applications that you want to prioritize.
2. Create an Allow application policy rule with Adjust Bandwidth set to Business.
You are not limited to a single application object for important applications. If you are using VOIP applications like Skype or Facetime, you can
define an application object with Adjust Bandwidth set to VOIP, to ensure that these time-sensitive applications are forwarded without delay.
Step 4. Create Application Policies to Block or Limit Unwanted Applications
Unwanted applications can either be blocked or limited. When applications are blocked, they display connection errors to inform users that the
resource is not available. Some applications try to evade being blocked by changing protocol or port. As an alternative, you can limit, or choke,

the bandwidth of the applications. When applications are choked, they can still connect but at such an extremely limited rate that they are
unusable. If you want to block only parts of an application (e.g., Facebook chat) you can define the application policy to only block the
subapplication, while still allowing access to the rest of the site.
1. Create list- or category-based application objects to include the applications that you want to block or limit.
2. To block applications, create a BLOCK application policy and add all the applications that you want to block.
3. To limit applications, create an ALLOW application policy. In the policy settings, add all the applications that you want to limit and set Adj
ust Bandwidth to Choke.
Step 5. Create URL Filter Policies
The URL filter can be configured as a blacklist, allowing all sites except specifically blocked URL categories, or as a whitelist blocking everything
except for specifically allowed categories.
1. Create an URL object.

2. Define the default policy and behavior for all unlisted sites.
3. Go through the URL categories and select Allow or Block for each one.
4. Edit the application policies and select which URL policy to include.
Step 6. Define Exceptions
If exceptions are required for special use cases or privileged users, you can configure exceptions for your policies:
To specify exceptions to the categories of websites that you allow or block, click the URLs tab in the URL policy settings. Then explicitly
enter the URL of websites that must always be allowed or blocked.
To create exceptions to your application policies, create new application policies. Then place the new application policies over the
policies that they are overriding.
Example - Block Everyone from using Facebook Except for Exempt Users
To define an exception from the standard policy, create an application policy specifically allowing access for the exempted users.
1. On the FIREWALL > User Objects page, create a user object that includes all users and groups who are allowed to access Facebook.
2. On the FIREWALL > Application Policy page, create an ALLOW application policy that includes the user object you just configured for
allowed users and groups.
3. Place the new exception application policy above the policy rule blocking Facebook for everyone.
Step 7. Monitor Your Changes to Application Traffic
View the application monitor to detect changes in application usage, and adapt and tune the application policies. Configure the Barracuda Report
Creator to send regular updates of what passes through your X-Series Firewall.

Application Objects
Application objects are used to reference lists of applications when creating application aware firewall access rules. An application object can
contain a combined list of applications and/or sub-applications (e.g. Facebook; Facebook Chat). It can also include already existing application
objects. You can use predefined applications when creating an application object, but you can also create custom application objects. You can
use an application object in as many application policies as required. Application definitions are provided by Barracuda Networks and are updated
with each firmware update.
Create a List Based Application Object
Use list based application objects if you want to create a list of applications which do not belong to the same category or do not share common
traits. For example, a list of business critical applications.
To create a list based application object:
1. Go to the FIREWALL > Application Objects page.

2. In the List Based Application Objects section, click Add Object.
3. In the Add List Based Application Object window, enter a name for the application list.
4. To simplify the search for applications to select, use the filter functions:
Show: – Click a button to choose, whether you want to display all applications and objects in the
list for selection, or just applications, objects or custom applications.
Category: – From the drop down list, select the category the application or object belongs to.
Properties: – Select the properties option that applies to the applications or objects you are searching for.
Risk: – Select the appropriate risk classification of the applications or objects you are searching for.
Filter: – If already known, enter the name of the application or object in this field.
The applications or objects that match all filters are instantly displayed in the dynamically generated SELECT list.
5. From the Select list, add the desired applications or objects to Selected by clicking the + icon next to
their names. If an application consists of more than one component, you can expand the parent
application and all the child objects will be visible.
To exclude specific items from selected applications containing more than one component, expand the application in the Selected sectio
n and click the - icon next to the application features that you want to exclude.
6. Click Save.
The new application object is now displayed in the List Based Application Objects section.

Create a Filter Based Application Object
Create a filter based application object if you want to create a list of applications based on risk factor, property or category. For example, a list of
all applications with a high (4) risk factor or belonging to the Instant Messaging category.
To create a filter based application object:

2. In the Filter Based Application Objects section, click Add Object.
3. In the Add Filter Based Application Object window, enter a name for the application object.
4. In the Category section, select the applicable boxes to filter for applications and objects within a specific category.
5. In the Property section, select the applicable boxes to filter for application or object properties.
6. In the Risk section, select the applicable boxes to filter for risk classification of applications and objects.
7. Click Save.
The new application object is now listed in the Filter Based Application Objects section.
Create a Custom Application Object
If the application list does not contain the application or website you want to add to an object, you can create custom application objects.
To create a custom application object:

2. In the Custom Application Objects section, click Add Object.
3. In the Add Custom Application Object window, enter a name for the application object.
4. Select the application type from the Base Type drop down list.
5. Select the application category from the Category list.
6. In the Properties section, select a property for the application object and click + to add it. Add all properties under which the application
object should appear in the list.
7. Select a Risk. from the drop down. A risk of 1 is low, 4 is high.
8. Enter the URL. E.g., If the website is http://www.barracuda.com/user/search.do?resetForm=232 the enter www.barracuda
.com
9. Click + to add the URL entry.
10. Enter the Path of the URL. Remove the first / and escape wildcard characters (* and ?) that are part of the path with a backslash \.

10.
E.g., If the website is http://www.barracuda.com/user/search.do?resetForm=232 enter the path as: user/search.do\?r
esetForm* where the * is used as a wildcard character and ? is escaped with a backslash because it is part of the original URL.
11. Click + to add the Path entry..
12. Click Save.

The new application object is now listed in the Custom Application Objects section.
Edit an Application Object
To edit an application object:

2. In the appropriate section under Actions, click the pen icon for the application object that you want to edit.
3. In the Edit Application Object window, edit the settings for the object.
4. Click Save.
Delete an Application Object
To delete an application object:

2. In the appropriate section under Actions, click the trash can icon for the application object that you want to delete.

How to Configure and Use the URL Filter
A Barracuda Web Security Subscription is required to use the URL Filter.
To block broader access to a category of websites, you can enable the URL filter in your firewall and application policy rules. When the user
connects to a website, the Barracuda NextGen Firewall X-Series compares the URL against a large online database. You can allow or block
access website to based on predefined URL categories and define exceptions to exclude single websites from being blocked or allowed.
Step 1. Create an URL Policy
Create URL policy objects to specify the URL categories that you want to allow or block. You can define exceptions to these categories by
explicitly entering the URL of websites that you want to always allow or block.
For instructions, see URL Policy Objects.
Step 2. Enable the URL Filter in the Firewall Access Rule
If you want to use the URL filter in combination with application control, enable it in the firewall access rule.

2. Create or edit a firewall access rule for the connections that you want to apply the URL filter to (e.g., INTERNET-2-LAN).
3. In the access rule settings, enable Application Control and URL Filter.
4. (Optional) Enable SSL Inspection if you want to filter SSL-encrypted traffic.

5. Click Save.
Step 3. Configure an Application Policy Rule to Use the URL Filter Policy
You can create an application policy to just filter based on the selected URL policy or you can combine application control and the matching URL
policy in a single application policy rule.
1. Go to the FIREWALL > Application Policy page.

2. Click Add Policy Rule or edit an existing application policy rule.
3. Enter a Name.
4. Select the URL Filter you want to use.
5. Click Save.
6. (Optional) Reorder the application policies and click Save.

How to Configure an Application Policy
Enable Application Control to block, allow, report, or choke network traffic for specific application types. Application Control uses deep packet
inspection to detect and manage the bandwidth for web applications and services like instant messaging, social networking, or video streaming. It
can also detect applications that try to evade pattern-based detection mechanisms by port-hopping, protocol obfuscation, or traffic encryption.
You can enable Application Control for each firewall rule individually. When the rule is executed, the application policy rules are processed from
top to bottom.
Application policies can allow or block application traffic based on:
Application or sub-application
Time
User
Content
Source network
Protocol
Step 1. Enable Application Control and SSL Inspection
To detect and manage application traffic, you must first enable application control.
1. Go to the FIREWALL > Settings page.

2. Enable Application Control in the Application Control section.
3. (Optional) Enable SSL Inspection in the SSL Inspection section.
4. Click Save.
Step 2. Install SSL Certificates on the Client
To avoid SSL certificate errors in the browser when a user connects to an SSL-encrypted website, install the self-signed SSL certificate of the
Barracuda NextGen X-Series Firewall on your client computers.

2. In the Active Root CA section, click Download.
3. Choose the certificate format (e.g., CER if you are on a Windows computer).
4. Install the root certificate in your local certificate store.
With the certificates installed, your clients no longer receive SSL certificate warnings when SSL inspection is used.
Step 3. Configure the Firewall Rule
Configure firewall rules to use Application Control. The pre-installed LAN-2-INTERNET firewall rule allows network traffic for all types of data from
the trusted LAN to the Internet. You can edit the LAN-2-INTERNET rule or create a new firewall rule if required.
Because Application Control can impact the performance of the X-Series Firewall, be as specific as possible with firewall rule settings.

2. Edit the rule that you want to add Application Control to by clicking the Edit icon.
3. Set Application Control to Yes.
4. Click Save.
Step 4. Verify the Order of the Firewall Rules
Because rules are processed from top to bottom, verify that your rules are arranged in the correct order. Click Save.

Your firewall rule must be placed above the BLOCKALL rule.
Step 5. Create Application Policies
Create an application policy for every application you want to modify or block.
Adjust the Bandwidth of an Application

2. Click Add Policy Rule.
3. In the Add Policy Rule window, enter a Name for the policy rule.
4. Select Allow from the Action list.
5. Select the applications that this policy should apply to. You can either:
Start typing the name of the application, and then select the application from the dynamically generated applications list.
Click Browse and use the Application Browser to add multiple applications by category or properties.
6. Optionally, you can add more matching criteria in the ADVANCED tab:
Time
Source Network
Content - You can block specific kinds of content like FLASH or MPEG videos.
Users
Protocols
7. Click Save.
Block an Application

3. In the Add Policy Rule window, enter a Name for the policy rule.
4. Select Block from the Action list.
5. Select the applications this policy should apply to. You can either:
Start typing the name of the application, and then select the application from the dynamically generated applications list.
Click Browse and use the Application Browser to add multiple applications by category or properties.
6. Optionally, you can add the more matching criteria in the ADVANCED tab:
Time
Source Network
Content - You can block specific kinds of content like FLASH or MPEG videos.
Users
Protocols
7. Click Save.
Monitoring Blocked and Throttled Connections
To view blocked or throttled connections, go to the BASIC > Recent Connections page. In the Application column for each connection, the
controlled application is listed. To view specific connections, you can filter the list of recent connections.

Example - Adjust Bandwidth for Application Traffic
Application Control lets you detect and manage application-based traffic. You can create policies to prioritize, limit, or block specific applications
or application categories. This article provides an example of how to configure an application policy and a firewall rule to slow all connections to
Facebook.
Step 1. Enable Application Control
To enable Application Control,

2. Click Yes to Enable Application Detection.
3. Click Save.
Step 2. Create an Application Policy
Create an application policy to assign a lower bandwidth priority to Facebook traffic.

3. In the ADD POLICY RULE window, specify the following settings:
Name – Enter a name, e.g.: ThrottleFacebookTraffic
Adjust Bandwidth – Select Choke. This will slow the connection so that the application becomes unusable, blocking use
without error messages.
Applications – Type the name of the application (e.g., Facebook) in the text box and then select Facebook from the APPLICA
TIONS list.
The selected application including all sub-applications is now displayed in the APPLICATIONS section.
4. Click Save.
Step 3. Enable Application Control for a Firewall Rule

Because Application Control can impact the performance of the Barracuda NextGen Firewall X-Series, be as specific as possible with
firewall rule settings.
Create a specific firewall rule for application traffic.

3. In the ADD ACCESS RULE window, specify the following settings under the General tab:
Name – Enter a name, e.g.: ThrottleFacebook
Source – Select Trusted LAN Networks.
Network Services – Select HTTP+S (Facebook only communicates over HTTP and HTTPS.)
4. Click Save.
Because rules are processed from top to bottom, you must place this rule before the LAN-2-INTERNET rule. After adjusting the order of the
rules, click Save.
For more information, see Firewall Rules Order.
Monitoring Traffic for Detected Applications
To view blocked or throttled connections, go to the BASIC > Active Connections or BASIC > Recent Connections page. In the Application an
d Bandwidth Policy columns for each connection, the detected application and the assigned bandwidth policy is listed. To view specific
connections, you can filter the list.

Link Balancing and Failover
On the Barracuda NextGen Firewall X-Series, you can configure inbound link balancing, outbound link balancing, and outbound link failover. Link
balancing is also sometimes called 'link aggregation'.
Outbound Link Balancing and Failover
To achieve outbound link load balancing, create a connection object that balances the traffic among multiple links. Then use this connection
object in the firewall rules that direct outgoing traffic. The connection object specifies what happens if multiple links are configured. Options
include:
If one interface becomes unavailable, the traffic fails over to the next available link in the sequence.
Use a set of interfaces in weighted round robin fashion. You can specify the weights for each interface in the connection object.
Randomly choose one of a list of interfaces.
For more information about configuring connection objects, see How to Configure Outbound Loadbalancing and Failover.
Inbound Link Balancing and Failover Using DNS
You can use DNS to balance inbound traffic among multiple links. Associate your domain name (or names) with multiple IP addresses, each of
which represents an external interface. When the DNS request for the domain name is resolved, all of these IP addresses are included in the
answer. The DNS server can vary the order of the IP addresses, and the client uses the first entry in the list to access your site. You can add
multiple DNS entries with the same IP address to send more queries to the preferred WAN interface. Configure the X-Series Firewall as the
authoritative DNS resolver for the domain name.
For more information, see How to Configure Authoritative DNS.
Inbound Failover and Load Balancing Using DNAT Access Rules
You can use load balancing and failover in a DNAT access rule to distribute incoming traffic to multiple internal servers. Add additional IP
addresses to the network object referred to in the rule, or enter them in the Redirect list of the rule. Depending on the configuration, all traffic is
initially sent to the first IP address and, if this address is no longer reachable, to the second, and so forth (fallback mode), or distributed to all IP
addresses depending on the mode set in the rule: round robin or cycle.
For more information, see Example - Configuring a DNAT Access Rule.

How to Configure Outbound Loadbalancing and Failover
To balance traffic among multiple links, create a firewall rule that uses a connection object that you configure. This connection object references
all of the links and configures how to balance the traffic among them. You can also specify one link that is used for all the traffic matching the
firewall rule, as long as it is available. If that link fails, then the next link is used in its place.
Failover - Dual ISP Routing
In case one ISP connection fails, the Barracuda NextGen Firewall X-Series will automatically use the remaining Internet connection. Configure
the routing metric for both connections:

2. In the configurations for the primary and secondary interfaces, edit the Metric setting to specify the route priority. In a multiprovider confi
guration, the X-Series Firewall selects the interface with the lowest metric value for outgoing traffic, assuming that it is available. Specify
a higher metric value for the secondary or backup ISP uplink. For example, use the following values for your primary and secondary
interfaces:
Primary ISP Metric: 100
Secondary ISP Metric: 200
Link and Loadbalacing
If you want to use both your Internet Connections to send outgoing traffic create and use a custom connection object.

2. Click Add Connection Object.
3. From the NAT Type list in the Add Connection Object window, select either Explicit (to use the IP address that you specify) or From I
nterface (to use the IP address of the link).
4. In the Failover and Load Balancing section, configure the following settings:
Multilink Policy – Defines what happens if multiple links are configured. Available policies are:
None – No fallback or source address cycling. This is not what you want for this object.
Failover – Falls back to the first alternate addresses and interface, called Alternate 1. If Alternate 1 fails, fail over to
Alternate 2 and so on. When the original link (the one configured in the top section) becomes available, the X-Series
Firewall automatically resumes directing traffic to that interface.
Weighted Round Robin – Uses the IP addresses and interfaces configured as Alternate 1, 2, and 3, along with this
interface, in weighted-round robin fashion.
Random – Randomly uses one of the available IP addresses and interfaces specified in this object.
Specify the following for each of the alternate links:
NAT Type – Select one of these options:
From Interface – Source NAT using the first IP address on the interface selected from the Interface list.
Explicit – Uses the IP address in the IP address field.
Weight – Only used for the weighted round robin policy. The weight numbers represent the traffic balancing ratio of the
available links. The higher the relative number, the more the link is used. For example, if four links are configured in this
object, weight values of 6, 2, 1, and 1 mean that traffic is balanced over the configured interfaces in a ratio of 6:2:1:1. As
a result, 60% percent of the traffic passes over Link #1, 20% of the traffic passes over Alternate 1, 10% of the traffic is
directed to Alternate 2, and 10% to Alternate 3.
5. Click Add.
After you have successfully created this connection object, you can go to the FIREWALL > Firewall Rules page and apply it to a rule that directs
outgoing traffic.

Intrusion Prevention System or IPS
To report and instantly block suspicious network traffic from passing the Barracuda NextGen Firewall X-Series, the Intrusion Prevention System
(IPS) actively scans forwarded network traffic for malicious activities and known attack patterns. The IPS engine analyzes network traffic and
continuously compares the bitstream with its internal signature database for known attack patterns. To increase security, the IPS system offers
TCP stream reassembly to prevent IP datagram fragmentation before packets are scanned for vulnerabilities. The IPS engine can also inspect
HTML requests passing the firewall.
IPS must be globally enabled on an X-Series Firewall. However, you can enable or disable IPS for each firewall rule. Enabling IPS on a per-rule
basis lets you select which network traffic is scanned for threats. For example, you can choose to enable IPS scanning only for network traffic that
travels from and to the DMZ. When IPS is enabled in a firewall rule, the default IPS policy of Report Mode or Enforce Mode is used. In Report
Mode, the X-Series Firewall reports detected attacks instead of immediately blocking network traffic. This mode is recommended after the initial
deployment of IPS to prevent traffic from being incorrectly blocked. However, you can prevent false positives when the IPS engine operates in
Enforce Mode by creating IPS exceptions.
Enable and Configure IPS
To enable and configure IPS, complete the following steps:
Step 1. Enable IPS
1. Go to the FIREWALL > Intrusion Prevention page.

2. In the Intrusion Prevention section, set Enable Intrusion Prevention System to Yes.
3. (Optional) If required, you can choose to enable TCP Stream Reassembly and/or HTML Inspection.
These options can decrease the performance of the X-Series Firewall.
4. For Default IPS Policy, select either Report Mode or Enforce Mode.
5. Click Save.
Step 2. Adjust the Event Policy
In the Event Policy section of the FIREWALL > Intrusion Prevention page, define the actions to be taken when the IPS engine detects
suspicious network traffic with the following threat levels: Critical, High, Medium, Low, and Information. When the X-Series Firewall operates in
Report Mode, you can only adjust the Log settings. When the firewall operates in Enforce Mode, you can also modify the Action for each
severity.
Available Action settings include:
Drop – Blocks network traffic where malicious activities were detected.

Log Only – Reports network traffic where malicious activities were detected.
None – No action is taken.
Available Log settings include:
Alert
Warn
Notice
You can view detected threats on the BASIC > Recent Threats page.
Step 3. Configure IPS in Firewall Rules
To configure IPS in a firewall rule:

2. Open an existing rule or create a new one.
3. In the Add/Edit Access Rule window, click the Advanced tab.
4. Next to Intrusion Prevention, select an option to disable or enable IPS:
Default (Report Mode or Enforce Mode) – Applies the default IPS policy to the rule.
Disabled – Disables IPS scanning for the rule.
5. Click Save.
Configure IPS Exceptions
If you must allow network traffic that the X-Series Firewall has detected as a threat, you can create an IPS exception.
Before you create the IPS exception, get the description or CVE-ID of the threat:
1.

1. Go to the BASIC > Recent Threats page.
2. Browse through the list of detected threats or apply filters to locate specific entries.
3. Get the attack description text in the Info column, or, if available, the CVE-ID of the detected threat.
To create the IPS exception:
1. Go to the ADVANCED > IPS Exceptions page.

2. Click Add IPS Exception.
3. In the IPS Exceptions window, specify the traffic to be handled and the action to be performed by the exception.
4. Click Save.

How to Configure SSL Inspection
Most applications encrypt outgoing connections with SSL or TLS. SSL Inspection transparently unencrypts and re-encrypts HTTPS traffic to allow
Application Control features (such as the Virus Scanner, IPS, URL Filter, or Safe Search) to inspect the content of SSL-encrypted connections
that would otherwise not be visible to the Firewall service. Before configuring SSL Inspection, you must install the SSL Inspection security
certificate (root certificate). The root certificate is used to intercept, proxy, and inspect the HTTP/S session. The Barracuda NextGen Firewall
X-Series can then inspect the HTTPS connections by presenting the client with a SSL certificate that is derived from this root CA.
Do not use SSL Inspection in combination with Barracuda Web Security Service or forward proxy.
Before You Begin
Create or upload the SSL Inspection root certificate in the Certificate Manager. You must use a CA certificate (Certificate Authority). For
more information, see How to Use and Manage Certificates with the Certificate Manager.
Step 1. Enable SSL Inspection
Enable SSL Inspection and prepare the root certificate for client download.
1. Go to FIREWALL > Settings.

2. In the SSL Inspection section, select the Enable SSL Inspection checkbox.
3. Select the uploaded root certificate from the Select Certificate dropdown list.
4. Select Enable Browser Certificate Download.

5. Select Allow SSLv3 if you must support clients that use SSLv3 only.
6. In the Domain Exemptions section, add domains that should be excluded from SSL Inspection:
Enter the domain name and click +.
7. In the URL Category Exemptions section, add website categories that should not be SSL-inspected.
8. To automatically check for revoked CA certificates:
Click Show Advanced Options.
Select the Enable CRL checks checkbox.
In the CRL validation fail behavior section, select the action to be taken if the CRL check fails.
In the Additional Certificates section, add additional trusted CA certificates. These certificates are deemed valid even if the
CRL fails.
9. Click Save.
Step 2. Install the SSL Inspection Root Certificate on all Clients
Download and install the security certificate on all clients. To prevent browser warnings and allow transparent SSL Inspection, install the
certificate into the operating system's or web browser's certificate store.
On every client computer,
1. Go to:
https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=cer
OR
https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=pem
2. Download the certificate to the client computer.

3. Double-click the certificate to import it.
4. Click Install Certificate.

5. Select Local Machine as the certificate Store Location, and click Next.

6. Select the path where to save the certificate (recommended: default), and click Next.
7. Check the installation settings and click Finish.
Step 3. Enable SSL Inspection in Access Rules
SSL Inspection can now be enabled on a per-access rule basis. To use SSL Inspection, you must also enable Application Control. For more
information, see Firewall Rules.

URL Filtering in the Firewall
The Barracuda NextGen Firewall X-Series offers real-time URL filtering for web and application traffic. URL filtering is handled as part of the
application policy. In combination with Application Control, URL filtering can also be enabled on a per-access-rule basis. To use URL filtering, you
must have a Barracuda Web Security Subscription.
URL Filter Policies
URL Filter policies define access restrictions for URL categories. To restrict or allow access to specific URL categories and/or websites, create
URL policy objects. When applied to an application policy, the URL policy object defines how the application policy handles user access to
websites based on the URL Filter policy. When configuring a URL policy object, assign a policy for every URL category with the option of
including custom URL block and allow lists. The following actions are available for each URL category:
Allow – Allows access to all URLs defined in the category.

Warn – Users are redirected to a warning page and must click Continue to access the website. Set Warn and Continue override to
configure the timeout after which the user is redirected to the warning page again.
Alert – Users are allowed to access websites in this category, but the action is silently logged. Go to BASIC > Application Monitor to
see the websites that trigger the alert action.
Override – Users are redirected to the URL Filter Override page and can request temporary access from an administrator to a URL from
a denied category.
Block – Blocks access to all URLs defined in the category.
For more information, see URL Policy Objects.
Configure URL Filtering
To configure URL filtering, apply URL policy objects to application policies. A URL policy object defines the action to be performed by the
X-Series Firewall when your users connect to a website and the application policy applies. The X-Series Firewall sends the visited URL to a large
online database for URL categorization and then performs the action specified in the URL policy object. To use application policies with URL
policy objects for web and application traffic, you must also enable URL filtering separately in the matching access rule.
For more information, see How to Configure URL Filtering in the Firewall.
Configure URL Filter Overrides
If the action for the detected URL category is set to override in the URL Filter Policy object, the user can request permission for a URL category
override. A URL Filter override admin must grant the request and set the duration of the override request. Override requests are granted per URL
category.
For more information, see How to Configure URL Filter Overrides.

URL Policy Objects
As part of the Barracuda NextGen Firewall X-Series URL Filter, URL policy objects define access restrictions for URL categories and websites.
URL policy objects can be applied to application policies and define the action to be performed by the X-Series Firewall when users try to access
URLs. To use URL Filtering, you must have a Barracuda Web Security Subscription.
Create a URL Policy Object
Create a URL policy object to specify access restrictions for URL categories. You can also define exceptions to these categories by explicitly
entering the URL of websites that you want to always allow or block.
1. Go to FIREWALL > URL Objects.

2. Click Add URL Policy. The Add URL Policy window opens.
3. Enter a Name for the URL policy.
4. Select the default action when the online URL categorization database is unavailable:
Allow All – Access to all URLs is allowed.
Block All – Access to all URLs is denied.
5. Enter the timeout for Warn and continue override valid for 'n' minutes.
6. In the Categories section, select the action to be performed when users try to access a URL category. You can define the following
actions for each category:
Allow – Allow access to all URLs defined in the category.
Warn – Allow access to the URL category. Access is silently logged by the X-Series Firewall.
Alert – Allow access after accepting a warn and continue message. This action is logged by the X-Series Firewall.
Override – User request time limited access from a URL Filter override admin. If the request is accepted the user is allowed to
access the URL. This action is logged by the X-Series Firewall.
Block – Block access to all URLs defined in the category.
7. (optional) To define exceptions for specific URLs, click the URLs tab.
In the Always ALLOW field, enter whitelisted URLs and for each entry click plus (+).
In the Always BLOCK field, enter blacklisted URLs and for each entry click plus (+).
8. Click Save.
The URL policy is displayed in the URL POLICY OBJECTS list and can now be used in your application policies. For more information, see Appl
y the URL policy object to an application policy.
Edit / Delete a URL Policy

To edit a URL policy, click the edit symbol next to the entry. In the Edit URL Policy window, edit the settings for the policy, and click Save.
To delete a URL policy, click the trash can icon next to the entry and click OK.

How to Configure URL Filtering in the Firewall
To allow or block web and application traffic to websites based on predefined URL categories, enable the URL filter in your access rules and
configure application policies with URL policy objects. URL policy objects define which URL categories should be allowed or restricted. To use
URL Filtering, you must have a Barracuda Web Security Subscription.
Before You Begin
Create a URL policy object to specify the URL categories that you want to allow or block. You can define exceptions to these categories by
explicitly entering the URL of websites. For instructions, see URL Policy Objects.
Step 1. Enable URL Filtering in Access Rules
To use application policies with URL policy objects for web and application traffic, enable Application Control and URL filtering in your access
rules.

2. Create or edit an access rule for the connections that you want to apply the URL filter to. E.g., INTERNET-2-LAN
3. Enable Application Control and URL Filter.
4. (Optional) Enable SSL Inspection to filter SSL-encrypted traffic.

5. Click Save.
Step 2. Apply the URL Policy Object to an Application Policy
Configure application policies to restrict access to URL categories specified in the URL policy object.
1. Go to FIREWALL > Application Policy.

2. Create a new policy rule or edit the entry you want to apply the URL policy to.
3. In the Add / Edit Policy Rule window, select the URL policy object from the URL Filter drop-own list.
4. Finish editing the policy rule and click Save.

5. (Optional) Reorder the application policies and click Save.

How to Configure URL Filter Overrides
Use the Override feature of the URL Filter to grant temporary access to otherwise blocked URL categories. URL categories that are set to the
override policy redirect the user to the customizable Override Block page of the URL Filter. The user can then select the URL Filter Override
admin and request an override. The URL Filter Override admin must log into the Override Admin interface and grant the request for a specified
time. When the request has been granted, the user is automatically forwarded to the website. URL Filter overrides are always granted for the
entire URL category.
Before You Begin
Create or edit existing URL Policy objects and select Override All as the action for the categories of your choice. For more information,
see URL Policy Objects.
Configure URL filtering in the firewall. For more information, see How to Configure URL Filtering in the Firewall.
Step 1. Add Your URL Filter Override Admin Users

2. In the URL FILTER section, click Show to open the URL Filter Override Users window.
3. Click Add to add an administrative user.
4. Enter the user details in the respective fields. To add more users, click Add.
Name – The administrative user's login name. This is the username used to log into the override admin interface.
Full Name – The full name of the administrative user. When requesting an override from a specific admin, users can select this
name from the drop-down list on the Override Block page.
Password – Define a password for the administrative user to access the Override Admin portal.
E-mail – Email address of the administrative user.
5. Click Save.
Step 2. Create an Access Rule for the Override Admin Portal
Create a Redirect to Service access rule to redirect the URL Filter Override admin user to the Override Admin portal. This rule will also allow
access to the guest user ticketing system.

2. Add an access rule with the following settings:
Action – Select Redirect to Service.
Source – Select the source network allowed to access the URL Filter Override Admin portal.
Redirect to Service Details – Select Guest Ticketing HTTPS.
Destination – Enter the IP address the Override Admin interface is accessed through. You can use any free IP address (e.g.,
1.2.3.4) or an IP address on the Barracuda NextGen X-Series Firewall that does not have a listener on port 443.

3. Click Save.
4. Place the access rule so that it is the first rule to match for HTTPS traffic to the chosen admin override IP address.
The URL Filter Override admin interface is now reachable via https://1.2.3.4/cgi-bin/override-admin (if you used 1.2.3.4 as the destination IP
address in the access rule).
Granting URL Filter Override Requests
JavaScript must be enabled in the client browser for the override request to be sent.
When attempting to access a website that is in an override URL category, the URL Filter Override block page is displayed.
To access such a blocked page, select from a drop-down list an override admin to send your access request to and then click Request Access.
After the override admin grants the request, click Request Access again to continue to the previously blocked website. If the admin denies the
override request, the URL category is blocked for the set duration.
For more information, see How to Grant URL Category Overrides - User Guide.

How to Grant URL Category Overrides - User Guide
When users request temporary access to URL categories with Override configured in the URL Filter policy, access requests are redirected to the
Override Admin page. If you are a URL Filter Override admin, you can grant users access to these URL categories for a specific length of time.
Before You Begin
Get the following information from the Barracuda NextGen Firewall X-Series administrator:
The IP address of the ticketing web interface (e.g., 1.2.3.4)

The username and password for your admin user.
Your browser must allow JavaScript on the Override Block and Admin pages.
Grant URL Category Overrides
To grant users access to URL categories that are normally blocked by the URL Filter, proceed as following:
1. In a browser, go to: http://IP address for the override web interface/cgi-bin/override-admin

2. Enter your Username and Password.
3. Click Login.
4. Set the number of minutes the override will remain valid for, and click the green button or the red X button to deny the request.
If the request was allowed, the user is now permitted to access websites in this URL category for the timespan you set. If you denied the request,
this URL category is blocked for the set timespan.

Virus Protection in the Firewall
The Barracuda NextGen Firewall X-Series can transparently scan HTTP, HTTPS, FTP, SMTP, and SMTPS traffic for malware. For in-depth
scanning of more advanced malware for which there are no virus scanner patterns available, the X-Series Firewall can also scan traffic using
Advanced Threat Detection. The following subscriptions are required to use Virus Scanning and ATD in the firewall:
Energize Updates – Needed for virus scanner pattern updates.

Web Security – Required for the virus scanning service.
Advanced Threat Detection – This subscription is required to use ATD.
Virus protection for web traffic
To scan HTTP and HTTPS traffic for malware, configure an access rule to match your web traffic and enable Application Control, SSL Inspection
(optional), and Virus Protection. If malware is detected, the file is discarded and the user is redirected to a customizable block page.
SSL-encrypted HTTP and SMTP connections can be scanned only if SSL Inspection is enabled.
For more information, see How to Configure Virus Protection in the Firewall for Web Traffic.
Virus protection for FTP
To scan FTP traffic for malware, configure an access rule to match your web traffic and enable Application Control and Virus Protection. Since
the FTP protocol does not include MIME-type information, all files are scanned. If malware is detected, the file is discarded and the file transfer is
terminated. When malware in a FTP transfer is found, a local file is created by the FTP client before the transfer starts, so the user may see a file
with 0 bytes or a small, partially downloaded file.
For more information, see How to Configure Virus Scanning in the Firewall for FTP Traffic.
Virus protection for mail traffic
The X-Series can scan incoming and outgoing SMTP and SMTPS mail traffic. To scan mail traffic ,you must configure mail security in the firewall.
For more information, see Mail Security in the Firewall.
ATD scans HTTP, HTTPS, FTP, SMTP and SMTPS traffic for advanced malware on a per-access-rule basis. Malicious files are treated
according to configurable policies. When malware is detected in HTTP and FTP traffic, the user/IP address who downloaded the malware is
placed in quarantine. To use ATD you must have an Energize Updates, Web Security and Advanced Threat Detection subscription.
For more information, see Advanced Threat Detection (ATD).
Default MIME types
Only the MIME types listed in the Virus Protection configuration are scanned. The X-Series Firewall comes with a preconfigured list of MIME
types:
Click here for a full list of the factory default MIME types...
application/zip
application/x-msdos-program
application/x-zoo
application/mac-binhex40
application/x-apple-diskimage
application/x-tar
application/x-bzip2
application/x-archive
application/x-rpm
application/x-gzip
application/x-rar
application/rar

application/x-gtar
application/x-7z-compressed
application/x-stuffit
application/x-iso9660-image
application/x-dosexec
application/x-msdownload
application/x-msdos-windows
application/x-download
application/bat
application/x-bat
application/com
application/x-com
application/exe
application/x-exe
application/x-winexe
application/x-winhlp
application/x-winhelp
application/x-javascript
application/hta
application/x-silverlight-app
application/x-ms-application
application/x-ms-shortcut
application/octet-stream
application/pdf
application/x-pdf
application/vnd.android.package-archive
application/vnd.ms-word.document.macroenabled.12
application/vnd.ms-word.template.macroenabled.12
application/vnd.ms-excel
application/vnd.ms-excel.addin.macroenabled.12
application/vnd.ms-excel.sheet.binary.macroenabled.12
application/vnd.ms-excel.template.macroenabled.12
application/vnd.ms-excel.sheet.macroenabled.12
application/vnd.ms-powerpoint
application/vnd.ms-powerpoint.addin.macroenabled.12
application/vnd.ms-powerpoint.slide.macroenabled.12
application/vnd.ms-powerpoint.presentation.macroenabled.12
application/vnd.ms-powerpoint.slideshow.macroenabled.12

application/vnd.ms-project
application/x-mspublisher
application/x-msaccess
application/x-msschedule
application/msword
application/onenote
application/vnd.visio
application/vnd.ms-works
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/vnd.openxmlformats-officedocument.presentationml.slide
application/vnd.openxmlformats-officedocument.presentationml.slideshow
application/vnd.openxmlformats-officedocument.presentationml.template
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.openxmlformats-officedocument.spreadsheetml.template
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.openxmlformats-officedocument.wordprocessingml.template

How to Configure Virus Protection in the Firewall for Web Traffic
The NextGen Firewall X-Series scans web traffic for malware on a per-access-rule basis when Virus Protection is enabled. If a user downloads a
file containing malware, the firewall detects and discards the infected file and redirects the user to a customizable block page. You can combine
Virus Protection with SSL Inspection to also scan HTTPS connections.
Before you begin
To scan HTTPS traffic, enable SSL Inspection. For more information, see How to Configure SSL Inspection.
Step 1. Enable Virus Protection in the firewall
Enable Application Control and Virus Protection.

2. In the Firewall Policy Settings section, enable TCP Stream Reassembly.
3. Make sure that Application Control is enabled.
4. In the Virus Protection section,
a. Set Enable Virus Protection to Yes.
b. Set Enable for HTTP & HTTPS to Yes.
5. (optional) Click Show to configure Advanced Options:
Changing settings for the virus scanner also affects virus scanning for mail traffic.
a. Change the default behavior If Virus Scanner is not available.

Block All – (default) Block all files.
Allow All – All pages will be allowed.
b. Configure the following settings:
Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files.The
large file policy is set to a sensible value for your appliance. The maximum value is 1024 MB. If disabled, large files will
not be scanned. Instead, they will be delivered directly to the client.
Scanned MIME Types – If applicable, you can add MIME types of files you want the X-Series Firewall to scan to the Sc
anned MIME Types list. To add a file type, enter the file path and click +. To remove a file type, click - next to the file
entry in the list. Click Reset to Defaults to restore the default list. For more information, see Default MIME Types in Vir
us Protection in the Firewall.
Exemptions – Define exemptions from scanning based on IP addresses and hostnames.
Archives – Enable, to scan archives and block archive files that are encrypted and cannot be scanned.
Data Trickling – Change how fast and how much data is transmitted. Change these settings if your browser times out
while waiting for the file to be scanned.
c. Click Save.
6. Click Save.
Step 2. Enable Virus Protection in access rules

Create or edit an access rule for the HTTP / HTTPS connections that you want to apply Virus Protection to. Virus Protection can be enabled for
all Allow and DNAT rules.

2. Create an access rule with the following settings:
Source – Select Trusted LAN, and click +.
Network Services – Select HTTP+S, and click +.
Destination – Select Internet, and click +.
3. Enable Application Control and Virus Protection.
4. (optional) Enable SSL Inspection.
5. Click Save.
Monitoring and testing
You can test the virus scanner setup by downloading EICAR test files from http://www.eicar.com. The block page is customizable. For more
information, see Custom Block Pages.
To monitor detected viruses and malware, go to the BASIC > Recent Threats page.

How to Configure Virus Scanning in the Firewall for FTP Traffic
The X-Series Firewall scans FTP traffic for malware on a per-access-rule basis when FTP virus scanning in the firewall is enabled. Both active
and passive FTP is supported; SSL-encrypted FTP is not supported. Depending on the access rule, you can either protect your FTP server from
uploads containing malware, or scan files downloaded from external FTP servers. Since the FTP protocol does not contain any MIME-type
information, all files are scanned regardless of the MIME-type list configured for the virus scanner. When an FTP download is initiated, the FTP
client creates a local, zero-byte file. Normally, the transferred data would be written to this file until the download is finished. However, if the file is
determined to be malware, the connection is terminated immediately, leaving the zero-byte file or file fragment (if data trickling is enabled) on the
client. Depending on the FTP client, it may attempt to download the file multiple times; each time the connection will be reset by the firewall.
Step 1. Enable Virus Protection for FTP
Enable support for virus scanning FTP connections in the firewall.

b. Set Enable for FTP to Yes.
4. (optional) Click Show to configure Advanced Options:
Changing settings for the virus scanner also affects virus scanning for other services.
a. Change the default behavior If Virus Scanner is not available.

Block All – (default) Block all files.
Allow All – All files will be allowed.
b. Configure the following settings:
Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files. The
Data Trickling – Change how fast and how much data is transmitted. Change these settings if your FTP client times out
while waiting for the file to be scanned.
c. Click Save.
5. Click Save.
Step 2. Create an access rule for FTP client downloads
To scan files downloaded from external FTP servers, create a matching access rule and enable Application Control and Virus Protection.

Source – Select Trusted LAN, and click +.
Network Services – Select FTP, and click +.

3.
4. Click Save.
Step 3. (optional) Create a DNAT access rule to protect an internal FTP server
To protect an internal FTP server from receiving infected files, create a matching DNAT access rule, and enable Application Control and Virus
Protection.

Source – Select Internet, and click +.
Network Services – Select FTP, and click +.
Destination – Enter the public IP address or FQDN used for your FTP server, and click +.
Redirect – Enter the IP address(es) of your internal FTP server(s), and click +.
4.

4. Click Save.
You can test the virus scanner setup by downloading EICAR test files from an FTP server. Files that are malware are not downloaded. 0-byte
stub files are created by the FTP client.

Advanced Threat Detection (ATD) offers protection against advanced malware, zero-day exploits, and targeted attacks, which are not detected by
the virus scanner or Intrusion Prevention System. ATD analyzes files in the Barracuda ATD cloud and assigns a risk score. Local ATD policies
then determine how files with a high, medium, or low risk scores are handled. You can configure email notifications of the administrator and/or
enable one of the automatic blacklisting policies. To check local files, you can also manually upload a file. ATD can be used for HTTP, HTTPS,
FTP, SMTP, and SMTPS traffic in combination with the firewall service on a per access rule basis.
The following file types are scanned by the Barracuda ATD Cloud:
Microsoft Office files

Microsoft Executables
PDF documents
Android APK files
ZIP archives
RAR archives
Licensing
The following subscriptions are required to use ATD in the firewall:
Energize Updates – Needed for virus scanner pattern updates.

Web Security – Required for the virus scanning service.
Advanced Threat Detection – This subscription is required to use ATD.
You must have Energize Updates, Web Security and Advanced Threat Detection subscriptions for each X-Series Firewall using ATD. Depending
on the model size, there are burst (number of files uploaded per minute) and monthly limits on the number of files you can upload to the
Barracuda ATD cloud.
Model Burst limit (files/min) Files per month
X50, X51, X100, X101, X200 5 108,000
X300 10 216,000
X400 15 324,000
X600 25 540,000
If you exceed the burst limit (files/min), files will be queued and uploaded at the beginning of the next minute. If you exceed the monthly limit, files
will not be uploaded. Instead, they will be either passed through or blocked according to the fail policy of the virus scanner.
ATD file scanning
The virus scanner scans files up to the Large File Watermark size set in the security policy. If no malware is found by the virus scanner and the
file size is 8 MB or smaller, a hash of the file is created. Files larger than 8 MB are not processed by ATD. The hash of the file is then compared
to the local cache and online hash database in the Barracuda ATD Cloud. If the file was previously scanned, it is immediately blocked or
forwarded, depending on the result of the previous scan and your local ATD block threshold. If the hash of the file is unknown, the ATD scan
policy set for that file type is executed.
Deliver first, then scan:
This ATD scan policy takes effect when Deliver before scan complete is enabled and is available for HTTP and HTTPS. FTP, SMTP, and
SMTPS connections.The user receives the downloaded file immediately after the virus scan and the hash DB lookup. Simultaneously, the file is
uploaded to the Barracuda ATD threat cloud and emulated in a virtual sandbox. Depending on the behavior of the file, it is assigned a threat level
and the result transmitted to the firewall. If the threat level exceeds the ATD threat level threshold, an email notification is sent to the administrator

and the automatic blacklisting policy is enforced. This policy is least disruptive to users because they receive the file immediately and are only
blocked if the file is a threat. It is also less secure because potential malware can bypass detection for the time period it takes to upload and
emulate the file.
For more information, see How to Configure ATD in the Firewall.
Scan first, then deliver:
This ATD scan policy takes effect when Deliver before scan complete is disabled and is supported for HTTP and HTTPS only. The user must
wait for ATD to finish scanning the file. In the interim, a browser window informs the user of the scan in progress. When the scan is complete and
the file is not classified higher than the ATD block threat threshold, the download begins. This scan policy offers higher security at the expense of
the user having to wait for sandboxing of the file to finish. Detected malware never enters your network.
Automatic Blacklisting
Configuring a quarantine policy allows automatic blacklisting of connections by the infected source. Automatic blacklisting fills a dynamic network
object with the infected users and/or IP addresses. You must create an access rule using that network object to block these users and IP
addresses. Management access to the firewall is exempt from the blacklist policy. Automatic blacklisting is not available for SMTP or SMTPS
connections.
No automatic blacklisting – No connections are blocked.

User – All connections by the infected user are blocked regardless of the source IP address.
IP – All connections by the infected source IP address are blocked regardless of the user.
User AND IP – All connections originating from the infected source IP address and the infected user are blocked. If a different user logs
in to the infected computer, all connections are allowed because only one criteria, the source IP address, matches. If the username for
the connection is unknown, only the IP address is blocked.
User OR IP – All connections coming from the infected source IP address and/or the infected user are blocked. If a different user logs
into the infected computer, all connections are blocked because the source IP is blocked. If the infected user logs in to a different
workstation, connections are blocked because the infected user is blocked.
Quarantine Block Page
To inform blacklisted users, you can add a HTTP Block Page to the Block access rule. When the user tries to access HTTP content, the
connection is automatically redirected to the quarantine page. The quarantine page can be customized to fit your needs.
For more information, see Custom Block Pages.
Risk Scores
The ATD service classifies all files in one of four categories:
High – Files classified as high risk exhibit behavior normally only found in malware.
Medium – Files classified as medium risk pose a potential risk.
Low – Files classified as low risk are considered to be harmless. Some residual risk remains.
None – No suspicious activity was detected.
Reporting
You can view a short or detailed report on the scan results for every file uploaded to the Barracuda ATD Cloud.

How to Configure ATD in the Firewall
Configure when and which types of files are uploaded to the Barracuda ATD Cloud. You can also configure if users will receive files immediately
or have to wait until the file analysis is completed to continue with the download. Users who downloaded files with a risk factor higher than the
defined risk threshold are placed in quarantine. Create access rules to define what is blocked for the infected users and/or IP addresses.
Before you begin
Configure a System Notification Email address. For more information, see How to Configure Email Notifications.
Enable virus scanning in the firewall for web, mail, and/or FTP traffic. For more information, see How to Configure Virus Protection in the
Firewall for Web Traffic, How to Configure Mail Security in the Firewall, and How to Configure Virus Scanning in the Firewall for FTP
Traffic.
Verify that all file types you want to scan with ATD for HTTP and SMTP connections are also listed in the scanned MIME types of the
virus scanner. For more information, see How to Configure Virus Protection in the Firewall for Web Traffic.
Step 1. Enable ATD in the firewall and configure scan policies
Enable ATD and configure the ATD scan policies for HTTP, HTTPS, SMTP and SMTPS connections. Depending on the policy, the user will have
to wait for scanning to complete before the file is forwarded. FTP traffic is always scanned with the Deliver before scan complete policy.

2. In the Advanced Threat Detection section, enable Advanced Threat Detection.
3. Next to Deliver before scan complete, select the global scan policy:
Yes – The user receives the file or email immediately. If malware is found, the quarantine policy applies.
No – The user is redirected to a scanning page. If no malware is found during the scan, the download starts.
4. Select the Block Threats policy:
High only – Files classified as high risk are blocked.
High and Medium only – Files classified as high or medium risk are blocked.
High, Medium and Low – Files classified as high, medium or low risk are blocked. Only files with classification None are
allowed.
5. Configure automatic blacklisting for HTTP and HTTPS traffic:
From the Quarantine Policy drop down, select the policy for automatic blacklisting:
No automatic blacklisting – No connections are blocked.
User – All connections by the infected user are blocked regardless of the source IP address.
IP – All connections by the infected source IP address are blocked regardless of the user.
User AND IP – All connections originating from the infected source IP address and the infected user are blocked. If a
different user logs in to the infected computer, all connections are allowed because only one criteria, the source IP
address, matches. If the username for the connection is unknown, only the IP address is blocked.
User OR IP – All connections coming from the infected source IP address and/or the infected user are blocked. If a
different user logs into the infected computer, all connections are blocked because the source IP is blocked. If the
infected user logs in to a different workstation, connections are blocked because the infected user is blocked.
6. Click Save.
Step 2. Configure advanced scan settings
If needed, set the individual scan policies for each file type:

2. In the Advanced Threat Detection section, select Show next to Advanced Options.
3. In the General section, configure the following settings:
Encrypted Archives handling – Specify what happens if encrypted archives were detected. Default: Report only
Max. Archive size – Maximum allowed archive size. Default: 1024. Set to 0 to disable.
Large Archives handling – Specify what happens if Max. Archive size is exceeded. Default: Report only
Send Notification E-mails – To system settings Address sends a notification mail for every malicious file found by ATD.

ATD Report Page size – Select the page format for ATD reports.
4. If needed, set the individual HTTP and HTTPS scan policies for each file type:
Apply Global Policy (default) – This file type is scanned according to the policy configured in the basic ATD settings.
Do not scan – The file is not scanned and immediately forwarded to the user.
Deliver First, then Scan – The user receives the file immediately. If malware is found, the quarantine policy applies.
Scan First, then Deliver – The user is redirected to a scanning page. After the scan is complete, the download starts.
5. Click Save.
After specifying the ATD settings, click Save to save your configuration changes.
Step 3. Create two quarantining access rules
To block users and/or IP addresses, you must create access rules using the ATD User Quarantine network object. Place the Block rules before
any other access rules handling traffic for these IP addresses and/or users. Enable HTTP Block Page to redirect HTTP traffic from quarantined
users or IP addresses to the custom quarantine block page. You must allow DNS queries from quarantined users to display the HTTP block
page. Non-HTTP traffic is simply blocked or denied.
Create a new access rule to allow DNS queries:

Allow Select a connection DNS Select ATD Quarantine Enter the IP addresses
object to allow you to network object. of your DNS servers.
connect to the DNS
server.
5. Click Save.
6. Place the access rule so that no rule before it matches the same traffic.
Create a second access rule:


Block Select a connection Select Any. Select ATD Quarantine Select Any (0.0.0.0/0) n
object to allow you to network object. etwork object.
connect to the DNS
server.

6. In the Other section, set HTTP Block Page to Quarantine Page.
7. Click Save.
8. Place the access rule directly below the rule allowing DNS queries from the quarantine so that no rule before it matches the same traffic.
Quarantined users or users connecting via HTTP from quarantined IP addresses are automatically redirected to the customizable quarantine
page. For more information, see Custom Block Pages.

Step 4. Edit access rules to use ATD
Enable ATD by editing the access rules handling traffic you want to be scanned. E..g, LAN-2-INTERNET

2. Create or edit an access rule.
3. Edit the access rule handling the traffic you want analyzed by ATD.
4. On the General page, select the following options:
Application Control – required.
SSL Inspection – optional.
Virus Protection – required.
ATD – required.
5. Click Save.
All traffic handled by access rules with ATD enabled are now scanned by the ATD service. Blocked files are listed on the BASIC > Recent
Threats page. To view scan results, go to BASIC > ATD.
File scanning on the ATD page
The ATD page displays results and processes file scanning via Advanced Threat Detection. Use the global filter settings to adjust the amount of
displayed files. To access the information about the files scanned by ATD, click the tabs.
Files in Progress tab
This tab displays all files that are currently scanned or waiting in the queue. The information displayed on this page is listed in columns. The State
column shows the ATD scan status.
Scanned Files tab
Clicking this tab queries the ATD list and displays all files that were scanned by ATD.

The Action column provides a set of icons, offering the following options:
Details – Opens the ATD File Details window.

Download – Offers the option to download a scan report.
Move to Quarantine – Moves the file to the Quarantine page.
Delete Entry – Deletes the file entry.
Download a scan report
Scanned files are displayed on the Scanned Files page. You can download a basic or detailed version of the scan report.
1. Go to BASIC > ATD.

2. Select the scanned file.
3. From the Action menu, select the Download Report icon.
4. Select the report type:
Summary Report – Download a basic summary report
Full Report – Download a detailed report
5. Save the report to your desired location.
Malicious Files tab
This tab displays all files that were blocked by ATD.
The Action column provides the same options as on the Scanned Files tab. If you want to remove a file from the list, click the trash can icon and
choose the action Delete Entry to delete the file entry. To remove all files, select Remove all entries on this page.
Quarantine tab
Displays all files that are quarantined due to the Quarantine Policy.
If you want to remove a file from the quarantine, click the trash can icon and choose the action Remove from Quarantine. To remove all files
from the list, select Remove all entries on this page.
Quarantined users and/or IP addresses are also shown on the BASIC > Status page.

Manual File upload
If you want to manually check a local file using ATD, you can upload the file to the ATD cloud. After the file has been scanned, you are mailed a
report with the scan results.
For more information, see How to Manually Upload Files to ATD.
Next step
(Optional) To protect SMTP and SMTPS traffic, enable ATD in the Mail Security settings. For more information, see Mail Security in the Firewall.

How to Manually Upload Files to ATD
It is sometimes necessary to manually check files using ATD. You can upload a file on the ATD page. You can also have an email notification
sent when the scan has been completed. Supported filetypes are: EXE, MSI, APK, PDF, RAR, ZIP, and MS OFFICE with a maximum size of 8
MB.
Before you begin
Enable ATD. For more information, see How to Configure ATD in the Firewall.
To receive a notification email, you must configure the system notification email address. For more information, see How to Configure
Email Notifications.
Step 1. Upload the file

2. Click Manual Upload.
The ATD File Upload window opens.

3. Click Browse and select the file you want to upload.
4. (optional) Enable E-Mail Notification and enter the notification email address.
5. Click Upload.
The file is now uploaded to the Barracuda ATD Cloud and listed on the Files in Progress page.
Step 2. (optional) Download the scan report
After the file is scanned, it is displayed on the Scanned Files page. You can download the scan report from there.

2. Select the scanned file.
3. From the Action menu, select the Download Report icon.
4. Select the report type:
Summary Report
Full Report
5. Save the report to your desired location.

Mail Security in the Firewall
The Barracuda NextGen X-Series Firewall enforces mail security in the firewall by transparently scanning incoming and outgoing SMTP
connections for malware and checking the reputation of the sender's IP address via a DNS blacklist (DNSBL). SMTP connections are supported
on the following ports:
SMTP and SMTP with StartTLS – TCP 25, TCP 587

SMTPS – TCP 465
SSL inspection for mail
SSL-encrypted SMTP connections are decrypted differently for inbound and outbound connections. Outbound SSL-encrypted SMTP connections
are SSL-inspected by using a dynamically generated SSL certificate derived from the root certificate uploaded in the SSL Inspection
configuration. Inbound SSL-encrypted connections are inspected by using the same SSL certificate chain as is installed on the internal mail
server. The SSL certificates are bound to the IP address on the X-Series Firewall that the mail server domain's MX record resolves to. This allows
remote MTAs to use the information included in the SSL certificate to verify the identify of the server it is connecting to. To avoid certificate errors,
you must install the SSL Inspection root certificate on all mail clients connecting to a mail server via an SSL-inspected SMTP connection.
Virus Protection for mail
Both inbound and outbound email attachments are scanned by the virus scanner. If malware is detected in an email attachment, the infected file
is removed and replaced by an attachment containing a customizable text. The virus scanner Block All / Allow All policy does not apply to SMTP
and SMTPS connections. If Application Control and Virus Protection is not enabled, emails with attachments are not scanned. Instead, they are
delivered as-is to the internal mail server.
ATD scans SMTP and SMTPS traffic against advanced malware, that is not detected by the virus scanner or Intrusion Prevention System. ATD
analyzes files in the Barracuda ATD cloud and assigns a risk score. Local ATD policies determine how files with a high,medium, or low risk
scores are treated. To use ATD you must have an Energize Updates and Advanced Threat Detection subscription.
DNS blacklisting
Inbound email can also be classified according to DNS blacklists (DNSBL), such as the Barracuda Reputation Block List. For sender IP
addresses blacklisted by the DNSBL, [SPAM] is prepended to the subject line of the email, and the MIME headers of the email are modified to
allow the email to be immediately identified as spam by the mail server. If the DNSBL server is not available, the email is not modified.The email
itself is delivered to the internal mail server.
For more information, see How to Configure Mail Security in the Firewall.

How to Configure Mail Security in the Firewall
The Barracuda NextGen Firewall X-Series scans SMTP traffic in two steps:
1. SSL Inspection decrypts SSL-encrypted SMTP connections. For incoming connections, your mail server's SSL certificates are used.
2. The DNS blacklist database is queried via a DNS lookup using the sender's IP address. If the DNS reputation database is not available,
the email is not modified. If the domain or IP address is blacklisted, the email's subject line is modified to start with [SPAM] and the
following non-configurable MIME type headers are set:
X-Spam-Prev-Subject: Your email subject without the [SPAM] tag.
X-Spam-Flag: YES
X-Spam-Status: Yes
X-Spam-Level: ***
3. Email attachments are scanned by the virus scanner. If malware is found, the attachment is stripped from the email and replaced by a
customizable text informing the user that the malicious attachment has been removed.
Before you begin
Enable and configure SSL Inspection. If needed, adjust the SSL Inspection settings to support MTAs requiring SSLv3. For more
information, see How to Configure SSL Inspection.
Step 1. Import the mail server certificates
Import the SSL certificates of your internal mail server(s). For more information, see How to Use and Manage Certificates with the Certificate
Manager.
Step 2. Enable virus protection for mail traffic
Enable virus scanning and SSL Inspection in the firewall.

2. In the Firewall Policy Settings section, enable TCP Stream Reassembly.
b. Set Enable for SMTP & SMTPS to Yes.
5. (optional) Configure advanced virus scanner settings:
Changing settings for the virus scanner also affects virus scanning for other services.
a. In the Advanced Options section, click Advanced / Show.

b. (optional) Change the default behavior If Virus Scanner is not available.
Block All – (default) All pages will be blocked.
Allow All – All pages will be allowed.
c. Configure the following settings:
Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files.The
Scanned MIME Types – If applicable, you can add MIME types of files you want the X-Series Firewall to scan to the Sc
anned MIME Types list (see: Default MIME Types in Virus Protection in the Firewall). To add a file type, enter the file
path and click +. To remove a file type, click - next to the file entry in the list. Click Reset to Defaults to restore the
default list.
d. At the bottom of the page, click Save.
6. (Optional) Enable Advanced Threat Detection. For more information, see Advanced Threat Detection (ATD).
7. In the Mail Security section, enter the public IP address that your mail server domain's MX record resolves to in the Mail Server SSL
Certificates section, select the mail server SSL certificate from the Certificate list, and click +.
8. Enter the FQDN of the DNS Blacklist Server. Default: b.barracudacentral.org

8.
9. Click Save.
Step 3. Create a DNAT access rule for incoming SMTP traffic
Enable Application Control, SSL Interception, and Virus Protection in the access rule.

Network Services – Select SMTP, and click +.
Destination – Enter the public IP address that your mail server domain's MX record resolves to, and click +.
Redirect – Enter the IP address(es), or select a network object for your internal mail server(s), and click +.
3. Enable Application Control, SSL Inspection, Virus Protection, and Mail Blacklist Checks.
4. Click Save.
Step 4. (optional) Create an access rule for outgoing SMTP connections
Create an access rule to scan outgoing SMTP traffic from your internal mail server or mail clients for malware.

Connection – If used for an internal mail server, create and select a connection object using the public IP address that your mail
server's MX record resolves to as the source IP address. If this rule applies to SMTP clients, select Dynamic SNAT.
Source – Create and select a network object containing your mail server IP addresses, or for SMTP client connections the
network containing the SMTP clients, and click +.
Network Services – Select SMTP for outgoing mail server traffic, or create a service object for TCP port 587 for outgoing mail
client traffic, and click +.
3. Enable Application Control, SSL Inspection, and Virus Protection.

3.
4. Click Save.
You can test the virus scanner setup by sending EICAR test files from http://www.eicar.com via email to a mail server located behind the firewall.
Next steps
Customize the text used to replace removed email attachments. For more information, see Custom Block Pages.

How to Enforce Safe Search in the Firewall
You can protect users behind a Barracuda NextGen Firewall X-Series from undesired content in search results by enabling Safe Search for the
access rule handling web traffic. No configuration is required on the clients. The necessary parameters are automatically appended to the URL
when the request is forwarded by the X-Series Firewall. Safe Search is supported for Google, Bing, Yahoo, and YouTube search engines.
Limitations
Safe Search relies on the supported search engines to honor and filter the search results. The X-Series Firewall can enable this feature,
but the execution is left up to the search engine.
Safe Search is not enforced for mobile search apps.
Safe Search is always set to strict.
Step 1: Create an Access Rule to Enforce Safe Search
You can enforce the usage of Safe Search for all web traffic matching an access rule by enabling the Safe Search settings in Application Control.
1. Go to Firewall > Firewall Rules.

2. Under Custom Firewall Access Rules, click the Edit icon for Lan-2-Internet. xxx change this last phrase xxx
3. In the General tab, set Safe Search to Yes.
4. In the General tab, set SSL Inspection to Yes.
5. Click Save.
Every search query handled by this access rule now automatically enforces the Safe Search feature of the search engine provider.
Step 2: Verify Safe Search is Working
You can test if your search engine is using Safe Search by looking at the URL after a search query. Each search engine includes a specific URL
parameter that indicates Safe Search is on.
Safe Search for Google includes the string safe=active in the URL. In addition, Google also includes messages on the web page stating
that Safe Search is on or active.

Safe Search for Bing includes the string adlt=strict in the URL.
Safe Search for Yahoo includes the string vm=r in the URL.
YouTube handles Safe Search through setting a parameter in a cookie. That means you will not see a specific Safe Search string in the URL.

How to Enforce YouTube for Schools in the Firewall
YouTube for Schools will be discontinued as of July 1, 2016. Google is offering current YouTube for Schools users and all G Suite
users a new way restrict YouTube content, per this Google article.
If you already have a YouTube for Schools token, you can continue using YouTube for Schools with the Barracuda NextGen
Firewall until July 1, 2016. Google has stopped issuing YouTube for Schools tokens.
The Barracuda NextGen Firewall X-Series can transparently add YouTube for Schools restrictions for all connections that the X-Series Firewall
forwards to YouTube without the need to configure the clients. Enable YouTube for Schools for access rules matching HTTP and HTTPS traffic
connecting to YouTube.
Limitations
YouTube for Schools relies on YouTube to honor and filter the search results. The X-Series Firewall can enable this feature, but the
execution is left up to YouTube.
YouTube for Schools is not enforced for mobile YouTube apps.
Before You Begin
Create a YouTube for Schools account. For more information, see Signing Up and Getting Started with YouTube for Schools
Step 1. Enter the YouTube for Schools Token
The YouTube for Schools token is a unique ID identifying your YouTube for Schools account.
1. Go to Firewall > Settings.

2. Enter your YouTube for Schools token.
Step 2. Create an Access Rule to Enforce YouTube for Schools

3. Create a PASS access rule with the following settings:
Name – Enter Name for the access rule. For example, LAN-2-YOUTUBEFORSCHOOLS
Source – Select a network object containing the subnets for which YouTube for Schools must be enforced and click +.
Network Services – Select to HTTP+S and click +.
Destination – Select Internet and click +.
Connection – Select Default (SNAT).
4. Set Application Control to Yes.
5. Set SSL Inspection to Yes.

5.
6. Click the Advanced tab.

7. Set YouTube for Schools to Yes.
8. Click Save.
Step 3. Verify the Order of the Access Rule
New rules are created at the bottom of the firewall ruleset. Rules are processed from top to bottom in the ruleset. Drag your access rule to a slot
rule never matches.
After adjusting the order of rules in the ruleset, click Save.
Step 4. Verify that YouTube for Schools is Working
1. Open your browser and go to www.youtube.com.

2. Verify that the parameter edufilter followed by your YouTube for Schools token is appended to the URL.

Custom Block Pages
The Barracuda NextGen Firewall X-Series uses generic, unbranded block pages by default. You can change the HTML source of these pages to
adjust the content and style to fit your needs. Each page has a predefined list of placeholder objects that are replaced on-the-fly by the X-Series
Firewall when the block page is delivered to the client. Custom block pages can be used for services such as Application Control, Virus
Protection, and URL Filter.
Block Page Action Triggering the Block Page
Access Block Page Matching Block or Reset access rule with the advanced setting HTT
P Block Page enabled.
Application Control Block Page Connection blocked due to the action set in the matching application
policy.
Fail-Close Block Page URL Filter, Virus Protection, or SSL Inspection is unavailable.
Configuration settings prevented the virus scanning engine from
scanning the file. E.g., Block encrypted archives.
Internal errors.
Mail Security Virus Scan Text Placeholder text to replace email attachments removed due to the
mail security DNSBL check.
Quarantine Warning Page Connection blocked for users in ATD quarantine.
URL Filter Block Page Connection blocked due to a URL Filter category.
URL Filter Warning Page Connection blocked due to a URL Filter category.
URL Filter Override Page Connection blocked due to a URL Filter category. Users can request
temporary access from an administrator.
Virus Scanner Block Page Connection/Download blocked due to detected malware.
Edit a block page
You can use HTML, CSS, and JavaScript code. Images up to 30 kB are inserted as base64 encoded HTML code.

2. In the Response Messages section, click the edit icon next to the block page you want to edit. The Edit Response Message window
opens.
3. Click Browse to upload a custom image.
For security reasons, images are stored as base64 encoded string in the HTML source.
4. Click Open Preview to display a live preview of the message in the browser.
5. Edit the HTML source code of the block page. Changed text immediately appears in the live preview window.

6. Click Save.
Placeholder values
Each block page has a set of placeholder variables that are processed on-the-fly by the X-Series Firewall before delivering the block page to the
user.
Block Page Variable Value
Access Block Page User Name {{USER}}
Access Rule Name {{ACCESS_RULE}}
Hostname of the Requested Website {{URL_HOST}}
Path of the Requested Website {{URL_PATH}}
Barracuda NextGen Firewall X-Series {{GATEWAY}}

Hostname
Application Control Block Page User Name {{USER}}
Application Rule Name {{APP_RULE}}
Application Name {{APP_NAME}}
Application Category {{APP_CATEGORY}}
Application Risk Rating {{APP_RISK}}

Hostname
Fail-Close Block Page User Name {{USER}}
Full URL {{REQUESTED_URL}}
Block Reason {{BLOCK_REASON}}

Hostname
Mail Security Virus Scan Text User Name {{USER}}
Blocked File Name {{REQUESTED_FILE}}
Alert Type {{ALERT_TYPE}}
Threat Name {{ALERT_NAME}}
Threat Description {{ALERT_DESC}}

Hostname
Quarantine Warning Page User Name {{USER}}

Hostname
URL Filter Block Page User Name {{USER}}
URL Category {{URL_CATEGORY}}

Hostname
URL Filter Warning Page User Name {{USER}}

Hostname
Click-to-Continue Button (required) {{CONTINUE_BUTTON}}
URL Filter Override Page User Name {{USER}}

Hostname

Address that permission requests should be {{REQUEST_PERMISSION_COMBO_BOX}}

sent to
Permission Request Status {{REQUEST_STATUS}}
Permission Request Button {{REQUEST_PERMISSION_BUTTON}}
Virus Scanner Block Page User Name {{USER}}
Alert Type {{ALERT_TYPE}}
Threat Name {{ALERT_NAME}}
Blocked File Name {{REQUESTED_FILE}}
Full URL {{REQUESTED_URL}}

Hostname

How to Configure Bandwidth Policies or QoS
Limited network resources make bandwidth prioritization necessary. To ensure that important business critical applications are given enough
bandwidth, the Barracuda NextGen Firewall X-Series provides traffic shaping (also known as "packet shaping" and "Quality of Service") methods
to let you prioritize network resources according to factors such as the time of day, application type, and user identity. You can identify the traffic
and assign its priority using firewall rules.
Bandwidth Policies
There are eight different bandwidth policies. They are listed in the following table, in order of decreasing priority:
Bandwidth Policy Description
VoIP Highest priority before all other bandwidth policies. Traffic is sent with
no delay.
Interactive Highest priority.
Business Very high priority.
Internet Medium priority. If more than 10 MB of data is transferred in one

session, then the priority of the traffic in that session drops to the
same as Background.
Background Next lower priority.
Low Low priority. Low and Lowest Priority are limited to 5% of the
available bandwidth.
Lowest Priority Lowest priority. Low and Lowest Priority are limited to 5% of the
available bandwidth.
Choke Applications assigned this are unusable but will not seek another way
to send traffic. For example, if you wish to block Skype traffic, assign
this policy to the Skype application.
Queues and Rate Limits
The following diagram shows how the eight bandwidth policies are divided into queues:
The Priority Queues always take precedence.

The Regular Queues can use unlimited bandwidth.
The Rate Limiting Queues are collectively limited to 5% of the maximum link bandwidth.
The rate limits always apply, so even if there is no other traffic, the traffic in the Rate Limiting Queues never uses more than 5% of the bandwidth.
The classes within the Regular and Rate Limiting queues are weighted relative to the other classes in the same queue. Class weights are
enforced only when the link is saturated.
Customize the Class Weights and Rate Limits

On the FIREWALL > QoS page, you can set the weight ratios for the classes within the same queue and modify some of the rate limits.
Assign a Bandwidth Policy to a Firewall Rule
Before you begin, verify that you specified a bandwidth for each interface on which you want to enable QoS:

2. In the Network Interface Configuration section, select the interface and click the No/Yes link in the Use QoS column.
3. Enter the bandwidth assigned by your ISP for outbound and inbound connections.
To assign a bandwidth policy to an access rule:
1. Go to FIREWALL > Firewall Rules and edit the rule.

2. Select the bandwidth policy from the Adjust Bandwidth drop-down.
Monitor Bandwidth Policy Assignment
To monitor which bandwidth policy is assigned to active network sessions, go to the BASIC > Active Connections page. The assigned policy of
a network session is displayed in the Bandwidth Policy column. You can also manually override the assigned bandwidth policy by using the
drop-down menu in the Bandwidth Policy column.

How to Create Interface Groups
In a firewall rule, the interface group specifies the interface that the source address is allowed to use. When you create firewall rules, you can use
the predefined groups, or if you want to reference custom interfaces that are not in the default list, you can create custom interface groups.
Predefined Interface Groups
The following table describes the predefined interface groups:
Interface Group Description
Matching Ensures that arriving packets are processed through the same
interface that is used to forward the corresponding reply packets. The
source and destination addresses are the same. This method helps
prevent a network attack in which an attacker might try using internal
addresses from outside the internal network (IP spoofing).
Any Uses the first interface matching the request, according to the routing
table. The packet source is not verified. Reply packets might be
forwarded through another interface, if another interface that is
capable of doing so is available. In very special configurations,
checking the physical source of packets cannot be required. For
security reasons, this option should only be used in very limited
situations.
DSL/DHCP Explicitly restricts rule processing to the specified dynamic network

interface (if installed and configured).
WIFI/WIFI2/WIFI3 Explicitly restricts rule processing to the specified Wi-Fi network

VPNClients Explicitly restricts rule processing to the specified virtual network

interface of a VPN client (if installed and configured).
3G Explicitly restricts rule processing to the specified 3G network

Create an Interface Group
To create a custom interface group:
1. Go to the NETWORK > Interface Groups page.

2. In the Interface Group Configuration section, click Add Interface Group.
3. Enter a Name for the new interface group.
4. From the Interfaces drop down list, select the interfaces you want to include and add them by clicking + after each entry.
5. Click Save.
The custom interface group appears in the Interface Group Configuration section.
Edit a Custom Interface Group
To edit a custom interface group:

2. In the Interface Group Configuration section, click the edit symbol for the group that you want to edit.
3. In the Edit Interface Group window, edit the settings for the interface group.
4. Click Save.
Delete a Custom Interface Group
To delete a custom interface group:

2. In the Interface Group Configuration section, click the trash can icon for the group that you want to delete.
3. Click OK to delete the custom interface group.

How to Configure the Captive Portal
The captive portal intercepts unauthorized users HTTP or HTTPS connections and redirects them to a login page. After successful authentication
the user is forwarded to the original destination. This type of authentication is used to allow HTTP/HTTPS access to authenticated users. Access
rules using inline authentication do not block non HTTP or HTTPS traffic even from unauthorized users. To avoid browser certificate errors, use a
signed SSL certificate or install the root certificate of the self-signed certificate on all client computers using Inline Authentication.
Before you begin:
Verify that the confirmation message and ticketing features are disabled. Go to the NETWORK> IP Configuration page and edit the
relevant Wi-Fi interface to specify that there is no Landing Page.
Before configuring the captive portal for use with Wi-Fi, see How to Configure Wi-Fi to verify that you have correctly configured Wi-Fi.
Also ensure that users are connected to the Wi-Fi network of the Barracuda NextGen X-Series Firewall.
Configure the Captive Portal
1. Go to the FIREWALL > Captive Portal page.

2. In the Basic Configuration section, enable the captive portal, specify the networks from which unauthenticated users are redirected to
the captive portal, select the method of authenticating users, and edit the user access policies.
3. If you are using local authentication, go to the USERS > Local Authentication page to create your list of allowed users and groups.
4. On the FIREWALL > Firewall Rules page, set up a firewall rule (plus one for Wi-Fi, if applicable) to allow traffic for authenticated users.
For example, you can create a firewall rule with the following settings to allow successfully authenticated users from a Wi-Fi network at
192.168.201.0/24 to access the Internet. When using the default firewall rules of an X-Series Firewall, no additional rule is necessary
because the LAN-2-Internet rule allows Internet access from the trusted LAN.
General tab
Action: Allow
Connection: Dynamic SNAT
Service: HTTP+S
Source: 192.168.201.0/24
Destination: Internet (Network Object)
Users/Time tab
Add All Authenticated Users.
5. Add a BLOCK access rule to block unauthenticated users with a source IP address in the captive portal network. Place this rule below
your custom rule or below the LAN-2-Internet rule.
General tab
Action: Block
Service: Any
Source: 192.168.201.0/24
Destination: Any (Network Object)
Users/Time tab
Authenticated Users must be empty.
Barracuda Networks recommends that you select Unclassified for the Classification of the network interface that serves the captive
portal.
SSL Certificate and Encryption Settings
To avoid browser warnings caused by using a self-signed certificate, you can upload a signed certificate or your own trusted server certificate to
the Barracuda NextGen Firewall Certificate Manager.
1. Go to ADVANCED > Certificate Manger page.

2. Upload or create an SSL certificate for the captive portal. For more information, see How to Use and Manage Certificates with the
Certificate Manager.
The Common Name of the certificate must contain an IP address or hostname resolving to the IP address the captive portal is
listening on.
3. Go to the FIREWALL > Captive Portal page.

4. In the HTTPS Configuration section, select the Encryption:
TLS Strong Encryption– (Recommended) TLS with strong ciphers. Currently the following cipher string is used for strong
encryption: HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!aNULL.
TLS/SSLv3 – TLS and SSLv3 with no restriction on which ciphers can be used.
TLS/SSLv3/SSLv2 – TLS, SSLv3, and SSLv2 with no restriction on which ciphers can be used.
TLS All Ciphers – TLS with no restriction on which ciphers can be used.
5. Select the SSL certificate you created or uploaded to the Certificate Manager from the Singed Certificate list.
6.

6. Click Save:
Monitoring and Managing Authentication Users
On the BASIC > User Activity page, you can view currently authenticated users. You can also disconnect specific users.

How to Configure Google Accounts Filtering in the Firewall
The X-Series Firewall can filter traffic to Google services based on the domain attached to the G Suite account. This allows you to block access
to personal Google accounts and other non-whitelisted G Suite accounts, while still allowing your whitelisted G Suite domains. Google Accounts
are enforced on a per-access-rule basis. Since Google requires HTTPS for almost all services, SSL Inspection is required. Google Chrome uses
the QUIC protocol by default to communicate with Google servers. To force Chrome to use the HTTPS fallback, you must block QUIC traffic.
Before you begin
Enable SSL Inspection. For more information, see How to Configure SSL Inspection.
Step 1. Add your domains to the Google domain whitelist
Google accounts using the domains in the whitelist will be exempted from filtering when a Google account-enabled access rule matches.

3. In the Google Accounts section, add domains to the Domain White List. Click + after each entry.
4. Click Save.
Step 2. Create an access rule to block non-whitelisted Google accounts
You can block Google accounts not on the whitelist for all web traffic that matches an access rule by enabling Google Accounts in the advanced
settings of the access rule.

Source – Select the source addresses of the traffic.
3. Enable Application Control and SSL Inspection.
4. In the Add/Edit Access Rule window, click the Advanced tab.

5. (optional) Set additional matching criteria:
Valid for Users – For more information, see User Objects.
Apply only during this time – For more information, see Schedule Objects.
6. In the Other section, set Google Accounts to Yes.

7. Click Save.
8. Drag and drop the access rule in the ruleset, so that no access rule above it matches this traffic.
Step 3. Block QUIC for Google Chrome browsers
To force Google Chrome browsers to use HTTPS instead of QUIC on UDP port 443, you must create a BLOCK access rule.

Action – Select Block.
Source – Add the source addresses of the traffic. Use the same source as the access rule in step 2.
Network Services – Create and select the service object for UDP 443. For more information, see Service Objects.
3. (optional) Set additional matching criteria:
Valid for Users – Use the same user object as in step 2.
Apply only during this time – Use the same schedule object as in step 2.
4.

4. Click Save.
5. Drag and drop the access rule above the rule created in step 2.
Web traffic matching this rule can now only access Google accounts for domains that are included in the whitelist. When users access a
non-whitelisted domain, they are automatically redirected to a Google block page.

Managing Users and Groups
For user and group authentication, you can either administer users locally on the NextGen X-Series Firewall or integrate the X-Series Firewall
with an external authentication server. You can use the information from these authentication services when you configure VPNs, user-aware
firewall rules, and the captive portal. You can also manage guest access to the network, using a confirmation page or a guest ticketing system.
Local Authentication
If no external authentication servers are available, you can administer users with the local authentication service. For instructions on how to set
up local authentication, see How to Configure Local Authentication.
External Authentication Servers
The X-Series Firewall supports the following external authentication servers:
Microsoft Active Directory

Barracuda DC Agent
NTLM
MS-CHAPv2
LDAP
RADIUS
OCSP
For instructions on how to integrate the X-Series Firewall with these servers, see How to Configure an External Authentication Service.
Guest Access
To grant guest users access to the network, you can use the following methods:
Confirmation Page – Prompts guests to agree to Terms of Service before they can access the network. For more information, see How
to Set Up a Guest Access Confirmation Page.
Guest Ticketing – Assigns guests with tickets that give them credentials to temporarily access the network. For more information, see H
ow to Set Up Guest Access with Ticketing and How to Manage Guest Tickets - User's Guide.

How to Configure Local Authentication
If you do not have an external authentication service available, you can create and maintain a list of local users and groups on the Barracuda
NextGen Firewall X-Series. You can refer to these users and groups when creating firewall rules, VPNs, or when configuring the captive portal.
To set up local authentication,
1. Go to the USERS > Local Authentication page.

2. In the Local Users and Groups table, configure the following settings for each user:
Username — Log-in name for the user.
Password — The user's password.
Group — Name of the user group this user belongs to.
Ensure that you enter the correct group names. If you misspell a group name (e.g., tst instead of test), a new group
is created and permissions are not applied correctly to the group.
3. Click Add.
4. Click Save to confirm your settings.
The user entry is now listed in the Local Users and Groups table.

How to Configure an External Authentication Service
By integrating the Barracuda NextGen Firewall X-Series with your existing authentication server, you can configure access rules that apply to
specific users and groups without having to create local user accounts on the X-Series Firewall. The X-Series Firewall supports the following
external authentication services:
Barracuda DC Agent
Barracuda Terminal Server Agent (TS Agent)
Active Directory
NTLM
LDAP
RADIUS
Wi-Fi Access Point
OCSP
Barracuda DC Agent
The Barracuda DC Agent runs on the domain controller or a dedicated Windows PC in the office network. The DC Agent continuously checks the
domain controller for login events to create a list of users and their associated IP addresses. The list of authenticated users is provided to the
X-Series Firewall, allowing for true single sign-on capabilities. You can download the Barracuda DC Agent directly from the X-Series Firewall Web
UI.
For information, see How to Configure Barracuda DC Agent Authentication and Barracuda DC Agent for User Authentication
Barracuda Terminal Server Agent (TS Agent)
The Barracuda Terminal Server Agent (TS Agent) authenticates users logged into a Microsoft Terminal Server. Because users on a Terminal
Server all use the same source IP address, the Barracuda TS Agent maps each user to a specified source port range and sends this mapping to
the X-Series Firewall. The X-Series Firewall can thus determine the user for each connection from the terminal server by the source port.
For more information, see How to Configure TS Agent Authentication.
Active Directory
Microsoft Active Directory (MSAD) is a directory service that allows authentication and authorization of users in a network. It has been included
with all Windows Server operating systems since Windows 2000 Server. MSAD is used for single sign-on for many services. Permissions are
managed by group. Users inherit the permissions of all the groups that they are members of. Backward-compatibility for older services is provided
by NTLM/MS-CHAP options that you can activate and configure on the MSAD server. All information is kept in a single directory information tree.
For more information, see How to Configure MSAD Authentication.
NTLM
If your network uses an NT LAN Manager (NTLM) authentication server, your NTLM domain users are transparently authenticated using their
Microsoft Windows credentials. This single sign-on method of access control is provided by transparent proxy authentication against your NTLM
server. To enable transparent proxy authentication against your NTLM server, you must join the X-Series Firewall to the NTLM domain as an
authorized host.
For more information, see How to Configure NTLM Authentication.
LDAP
Lightweight Directory Access Protocol (LDAP) is used for storing and managing distributed information services in a network. LDAP is mainly
used to provide a single sign-on solution. It follows the same X.500 directory structure as MSAD.
For more information, see How to Configure LDAP Authentication.
RADIUS
Remote Access Dial In User Service (RADIUS) is a networking protocol providing authentication, authorization, and accounting. The X-Series
Firewall uses RADIUS authentication for the IPsec, Client-to-Site, and SSL VPN.
For more information, see How to Configure RADIUS Authentication.
Wi-Fi Access Point
The X-Series Firewall can parse authentication information contained in the syslog stream of supported wireless access points. Wi-Fi access
points typically use authentication services such as RADIUS servers to authenticate users before allowing them to connect. The X-Series Firewall
monitors the syslog files sent by the Wi-Fi access points for usernames and the associated IP address of logged-in users. Depending on the

access point, the X-Series Firewall receives login and/or logout information.
For more information, see How to Configure Wi-Fi Access Point Authentication.
OCSP
Online Certificate Status Protocol (OCSP) is a protocol used to check if X.509 certificates have been revoked by their respective certificate
authorities (CAs). The X-Series Firewall uses the information provided by OCSP to verify the authenticity of a certificate. For integration with
OCSP-based online digital certification verification:
1. Go to the USERS > External Authentication page.

2. Click the OCSP tab.
3. Enter the settings for your OCSP server and then click Save.

How to Configure Barracuda DC Agent Authentication
The Barracuda DC Agent enables the Barracuda NextGen Firewall X-Series to transparently track user login activity in your Windows domains.
When installed on a domain controller that runs either Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008 or above, the
Barracuda DC Agent monitors the user authentication logs. Configure the X-Series Firewall to query the Barracuda DC Agent so that it can learn
which IP address is used by a network user.
Before you Begin
Download and install the Barracuda DC Agent on your domain controller or dedicated Windows PC. The DC Agent can be downloaded directly
from your X-Series Firewall:
Do not install the Barracuda DC Agent on Windows Server domain controllers that are configured to use NTLM.

2. Click the DC Agent tab.
3. Click Download DC Agent.
4. Install the DC Agent. For more information, see How to Get and Configure the Barracuda DC Agent.
When configuring the Barracuda DC Agent, add the IP address(es) of your X-Series Firewall and configure local audit policies to generate an
account login event whenever a user authenticates via the domain controller.
Configure DC Agent Authentication
Configure the X-Series Firewall to communicate with the Barracuda DC Agent and specify the domain controllers where the Barracuda DC Agent
is installed.

2. Click the DC Agent tab.
3. Set Enable Single Sign-On to Yes.
4. In the Domain Controller IP field, enter the IP address of the domain controller running the DC Agent. The X-Series Firewall polls the
DC Agent to obtain the list of users authenticated against this domain controller.
5. Enter the DC Agent Listening Port. Default: 5049.
6. In the Synchronization Interval field, specify the time interval in seconds at which the X-Series Firewall should poll the DC Agent for the
list of authenticated users. The recommended value is 15 seconds.
7. Click Add.
8. Enter the username in the Exempt User Name field to exclude specific domain users. You can use Perl-compatible regular expression
(PCRE) pattern-matching notation, such as \w for any alphanumeric character or \W for any non-alphanumeric character.
9. Click Add.

How to Configure MSAD Authentication
Configure the Barracuda NextGen Firewall X-Series to allow authentication and authorization of domain users on a Microsoft Active Directory
(MSAD) server. To reduce load querying for large environments, you can also filter unwanted group membership information by creating group
filter patterns.
Configure MSAD Authentication
Connect the X-Series Firewall with your Microsoft Active Directory (MSAD) server and configure MSAD as external authentication scheme.

2. Click the Active Directory tab.
3. In the Basic section, click Add.
4. Enter the Domain Controller IP address.
5. In the Searching User field, enter the MSAD Searching User in the user@domain format:
Do not use the domain\user format.
6. Enter the Searching User Password.

7. Specify the Base DN where the lookup should be started. E.g., CN=trainee,OU=sales,DC=mycompany,DC=com
Do not use spaces between the entries.
8. Set Cache MSAD Groups to Yes to reduce network traffic and server load on the domain controller.
9. Select Use SSL if your Active Directory server is configured to use SSL.
10. (Optional) Select Follow Referrals to use Active Directory's global catalog and follow the referrals. When a requested object exists in the
directory but is not present on the contacted domain controller, the referral gives the client a location that holds the object or is more
likely to hold the object. It is also possible for the referred-to domain controller to refer to a next hop location. The number of next hops is
defined in Maximum Hops for Referrals.
11. Click Save.
12. (Optional) Add Group Filter Patterns to filter unwanted group information. Wlldcards are allowed.
Example: When using pattern: *SSL*, and the following group membership strings are used:
User01 group membership string: CN=xyz,OU=sales,DC=mycompany,DC=com
User02 group membership string: CN=SSL,DC=mycompany,DC=com
Only User02 will match.
13. Click Save.
The configuration is now added to the EXISTING AUTHENTICATION SERVICES table and you can use the MSAD authentication service on the
X-Series Firewall.

Troubleshooting
To test, if the connection is working, try to login as the user from another network host. When a user, for whom the authentication scheme
applies, logs into the network, a log entry is created showing the login details such as source address, success or failure, time, etc. To access
authentication logs, go to the LOGS > Authentication Logs page.
If the connection cannot be established:
Make sure that you have entered the MSAD searching user in the Searching User field in the correct format: user@domain. Do not use
the domain\user format.
Verify that the entry for the Base DN where the lookup should be started does not contain spaces.
Check the Logs > Authentication Log page for error messages when connecting to your Active Directory server.

How to Configure NTLM Authentication
Integrate the Barracuda NextGen Firewall X-Series with your NT LAN Manager (NTLM) authentication server to authenticate NTLM domain users
via their Microsoft Windows credentials. To enable transparent authentication against your NTLM server, join the X-Series Firewall to the NTLM
domain as an authorized host.
Step 1. Configure NTLM Authentication

2. Click the NTLM tab.
3. Enter the NTLM/Kerberos realm name in the Domain Realm field.
Always enter the Domain Realm in uppercase letters. E.g., MYDOMAIN.COM
4. Enter the Netbios Domain Name.

5. (Optional) Enter the MS Active Directory Workgroup Name.
6. In the Domain Controller field, enter the hostname or IP address of the domain controller.
The hostname must be DNS resolvable.
7. (Optional) Enter the hostname of the domain's Windows Internet Name Service server in the WINS Servers field.
8. Select the authentication scheme to retrieve group information from.
9. Click Save.
The configuration is now added to the EXISTING AUTHENTICATION SERVICES table.
Step 2. Join the X-Series Firewall to the Domain
Join the X-Series Firewall to the NTLM domain as an authorized host.

3. Enter the Windows Domain Username.
4. Enter the Windows Domain Password.
5. Click Save.
6. Click Join Domain.

You can check the status of the domain registration by clicking Registration Status.
Your NTLM domain users can now authenticate on the X-Series Firewall using their Microsoft Windows credentials.

How to Configure LDAP Authentication
To authenticate users on a Lightweight Directory Access Protocol (LDAP) server, configure the Barracuda NextGen Firewall X-Series to use
LDAP as an external authentication scheme. You can add LDAP configurations for one or more LDAP servers. Connect the X-Series Firewall
with your LDAP servers and specify the search settings for the LDAP directory. To reduce load querying for large environments, you can filter
unwanted group membership information by creating group filter patterns.
Configure LDAP Authentication
Configure the X-Series Firewall to look up users on your LDAP server.

2. Click the LDAP tab.
3. In the Basic section, click Add.
4. In the Base DN field, enter the Distinguished Name (DN) where the search in the LDAP directory should be started at. Separate multiple
entries with a comma. E.g., OU=yourcompany,OU=external,O=sales,O=world,C=AT
5. (Optional) Select Use SSL if your LDAP server supports SSL connections.
6. Enter the IP address or hostname of the LDAP server in the Server Name field.
7. In the User Field, enter the name attribute of the LDAP searching user field used in your LDAP directory. E.g, cn
8. Enter the LDAP Password Field used in your LDAP directory.
9. Select Anonymous if authentication is not required.
10. In the Admin DN field, enter the Distinguished Name of the administrator who is authorized to perform requests.
11. Enter the Admin Password for the administrative user.
12. In the Group Attribute field, specify the name of the attribute field on the LDAP server containing group information.
13. Select whether to use LDAP Encryption (SSL) for data exchanged with the LDAP directory.
14. Enter LDAP fields containing email addresses in the Additional Mail Fields. Separate multiple entries with a comma.
When selecting Logon to Authenticate, the authenticator will log on to the LDAP server to verify user authentication data.
Use this option when the LDAP server does not expose user passwords, not even to the administrator.
15. Click Save.

The configuration is now added to the EXISTING AUTHENTICATION SERVICES table, and your LDAP domain users can use the LDAP
authentication service to be authenticated on the X-Series Firewall.

How to Configure RADIUS Authentication
Integrate the Barracuda NextGen Firewall X-Series with a Remote Access Dial In User Service (RADIUS) server and configure RADIUS for
external authentication with the X-Series Firewall.
Configure RADIUS Authentication

2. Click the RADIUS tab.
3. Select Enable RADIUS Authentication to enable integration with RADIUS.
4. Enter the Server Address and Server Port (default: 1812) of your RADIUS server.
5. In the Server Key field, enter the pre-shared secret to authorize requests (no backslashes allowed).
6. In the Group Attribute field, adjust the name of the attribute field on the RADIUS server if required (default: Login-LAT-Group).
7. If your RADIUS server requires NAS credentials to be set, enter the NAS identifier (NAS ID), the NAS IP Address, and the NAS IP Port.
8. Select the authentication scheme if group information should be retrieved from a different scheme.
9. Click Save.
RADIUS authentication is now configured and can be used for IPsec, Client-to-Site, and SSL VPN.

How to Configure TS Agent Authentication
The Barracuda Terminal Server Agent enables the Barracuda NextGen Firewall X-Series to identify network users on a Microsoft Terminal
Server. The TS Agent must be installed on the Microsoft Terminal Server. On the X-Series Firewall, configure TS Agent authentication and add
the management IP address to the TS Agent on the Microsoft Terminal Server. The TS Agent then sends authentication information to the
X-Series Firewall over an optionally SSL-encrypted connection. The Barracuda TS Agent also writes a debug log that helps you monitor your
Terminal Server and identify possible problems.
Barracuda TS Agent Components
The Barracuda TS Agent comprises the following:
TSAgentDrv – Windows Filtering Platform driver. TSAgentDrv intercepts the network traffic and assigns the specific source port number.
TSAgentSvc – Service that communicates with the TSAgentDrv driver and the X-Series Firewall. It automatically starts on system start
and recovers when terminated unexpectedly.
TSAgentConfig – Configuration utility. TSAgentConfig also shows the current debug log and helps identify problems.
Before You Begin
Download and install the Barracuda TS Agent on the Microsoft Terminal Servers. The TS Agent can be downloaded directly from the
X-Series Firewall:
2. Click the TS Agent tab.
3. Click Download TS Agent.
For more information, see Barracuda Terminal Server Agent.
(Optional) Use SSL certificates for authentication.
Configure TS Agent Authentication
On the X-Series Firewall, enter the IP address of the Terminal Server running the Barracuda TS Agent. The TS Agent must be configured to allow
connections to the management IP address of the X-Series Firewall.

3. Set Enable Terminal Server Agent to Yes.
4. Enter the IP address for the Terminal Server running the TS Agent and click + .
The X-Series Firewall will now receive authentication information from the TS Agent on the Microsoft Terminal Server.
Use Custom SSL Certificates
If you enable SSL, the connection between the X-Series Firewall and the TS Agent is SSL encrypted. By uploading your own SSL certificates to
the TS Agent and X-Series Firewall, the connection will only be established if the SSL certificate is valid.
If the TS Agent is configured to use SSL, an SSL-encrypted connection will be established, even if the Use SSL option is disabled on
the X-Series Firewall.

3. Click Show Advanced Options.
4. Enable Use SSL.
5. Enter the Subject Alternative Name of the SSL client certificate.
6. Upload the SSL client certificate.
7. Click Save.
The X-Series Firewall will now use SSL and verify the SSL certificate when connecting to the TS Agent.

How to Join a Windows Domain
To successfully join the Barracuda NextGen Firewall X-Series to a Windows domain, you must first configure DNS, Active Directory
authentication, and NTLM authentication. Joining a domain is required for NTLM or MS-CHAP authentication requests to be accepted by the
domain controller. This is important for Client-to-Site VPN access and user-based firewall rules.
Step 1. Configure DNS
Because many of the requests for a domain join and subsequent authentication must query the domain controller directly, you must specify your
domain controllers in the DNS configuration.

2. In the DNS Configuration section, enter the IP addresses of your first and second domain controllers.
4. Verify that the X-Series Firewall has a host entry in your Active Directory. By default, the hostname is the product model name. For
example, the hostname for a Barracuda NextGen Firewall X200 is X200.
Step 2. Configure Active Directory Authentication
To configure Active Directory authentication:

2. Click the Active Directory tab.
3. Add the information for your primary domain controller. It is critical that your settings are correct and match the domain.
If you want to use group selection with MS-CHAP authentication, enable Cache MSAD Groups.
For the domain join, you do not need to configure the settings in the Extended section.
Enter the Searching User as: user@domain .
Do not use domain\user formatting as this may cause problems with some Active Directory servers.
For more details about the settings, click Help on the page.
Step 3. Configure NTLM Authentication
To configure NTLM authentication:

3. Configure and save the NTLM settings.
It is not necessary to have WINS running on your domain, but you must configure the WINS Servers setting.
Step 4. Join the Domain
To join the domain:
1. Go to the USERS > External Authentication page and open the NTLM tab.
2. In the Windows Domain Username and Windows Domain Password fields, enter the credentials for a user account with permissions
to join the domain (such as an administrator). These user credentials are not saved and are only used once during the join attempt.
3. Click Join Domain.
4. To verify that the join was successful, click Registration Status.

How to Configure Wi-Fi Access Point Authentication
Configure Wi-Fi Access Point authentication for the Barracuda NextGen Firewall X-Series to be able to use the authentication
information contained in the syslog stream of supported Wi-Fi access points.
Supported Wi-Fi Access Points
Aerohive (login and logout)

Ruckus (login and logout)
Aruba (login only)
Before You Begin
To authenticate connecting users, you must enable syslog streaming on the access point. For more information, see:
Wi-Fi AP Authentication Aerohive Configuration

Wi-Fi AP Authentication Ruckus Wireless Configuration
Wi-Fi AP Authentication Aruba Configuration
Configure Wi-Fi Access Point Authentication

2. Click the Wi-Fi tab.
3. Select Enable Wi-Fi Access Point Authentication to enable integration with Wi-Fi.
4. In the Auto Logout After file, enter the timeout in hours. Enter 0 to disable the timeout.
5. Click Add to add a Wi-Fi endpoint. The Add External Authentication Wi-Fi AP Endpoint window opens.
6. In the IP/Subnet field, enter the IP address or network for your Wi-Fi access point. E.g., 10.0.33.1 or 10.0.33.0/24
7. Select the Protocol used by the Wi-Fi access point to send the syslog.
8. (SSL only) Enter the Subject Alternative Name of the SSL certificate.
9. (SSL only) Select the SSL certificate from the dropdown. You can upload or create certificates using the Certificate Manager. For more
information, see How to Use and Manage Certificates with the Certificate Manager.
10. Select the manufacturer of your Wi-Fi access point from the AP Model dropdown.
11. Click Save.
12. Depending on the protocols used by the Wi-Fi AP endpoints, enter the UDP, TCP, or SSL Listen Ports.
13. Click Save.
Wi-Fi Access Point authentication is now configured and can be used for wireless connections.

Wi-Fi AP Authentication Aerohive Configuration
To authenticate users connected to Aerohive access points, you must stream the syslog containing the authentication data to the Barracuda
Reference Devices/Versions:
Aerohive AP230 802.11ac Wireless AP Version 6.4r1a

Aerohive Networks HiveManager Online 6.4r1
Enable Syslog Streaming on the Aerohive AP
1. Log into the Aerohive Networks HiveManager.

2. Go to Configuration > Advanced Configuration > Management Services > Syslog Assignments.
3. Click New and configure syslog streaming:

Syslog Server – Select the IP address of the X-Series Firewall from the dropdown.
Severity – Select Info from the dropdown.
4. Click Apply.
5. Click Save.

Add Syslog Configuration to Network Policy
Add the syslog configuration to the Network Policy you are using for your access points.
You can now configure Wi-Fi Access Point authentication on the X-Series Firewall. For more information, see How to Configure Wi-Fi Access
Point Authentication.

Wi-Fi AP Authentication Ruckus Wireless Configuration
To authenticate users connected to Ruckus access points, you must stream the syslog containing the authentication data to the Barracuda
ZoneDirector 1100 (ZD1106) Version 9.10.0.0 build 21

ZoneFlex zf7321-u Access Point):
Step 1. Enable Syslog Streaming on the Ruckus Wireless AP
Enable Client Association in the debug log settings.
1. Go to Administer > Diagnostics.

2. In the Debug Logs section, enable Client Association.
3. Click Apply.
Step 2. Enable Syslog Streaming on the Ruckus Wireless AP
1. Go to Configure > System Log Settings.

2. Enable the Remote Syslog.
3. Enter the IP address of the X-Series Firewall.
4. Click Apply.

Wi-Fi AP Authentication Aruba Configuration
To authenticate users connected to Aruba access points, you must stream the syslog containing the authentication data to the Barracuda
Aruba Controller 651 Version 6.4.1.0

Aruba AP 105
Enable Syslog Streaming on the Aruba AP
1. Log into the Aruba Mobility Controller.

2. Click on the Configuration tab.
3. In the MANAGEMENT section of the left menu, click on Logging.
4. In the Logging Servers section, click New:
IP Address – Enter the management IP address of the X-Series Firewall.
Category – Select user.
Logging Facility – Select the logging facility to be able to differentiate between multiple Aruba APs.
Severity – Select notifications.
5. Click Add.
6. Click Apply.
7. Click on the Levels tab.

8. Set the Logging Levels in the User logs section to notifications.
9. Click Apply.

How to Set Up a Guest Access Confirmation Page
When setting up a guest network, you can configure the Barracuda NextGen Firewall X-Series to use a confirmation page that prompts guests to
agree to the Terms of Service before they can access the network. A confirmation page is typically used to grant network access to anonymous
users.
Before You Begin
Ensure that the X-Series Firewall has one unused network interface (Wi-Fi, Ethernet, or virtual, e.g., ath3, p3, or p3.100).
Identify the guest network that you want to use (e.g., 192.168.225.0/24).
Step 1. Set up the Guest Network Interface
You can use Wi-Fi or a wired network for guest access.
Configure a static network interface or a Wi-Fi interface. In the Static Interface Configuration, ensure that you specify the following settings:
Network -– The guest network (e.g., 192.168.225.0/24).

Services to Allow – Select DNS Server.
Classification – Click Trusted.
Step 2. Enable the DHCP Server for the Guest Network
To automatically assign IP addresses for guests, enable a DHCP server for the guest network.

2. In the DHCP Server section, enable the DHCP server.
3. In the Add DHCP Server Subnet section, configure the DHCP subnet. Ensure that you specify the following settings:
Beginning IP Address and Ending IP Address – The range of IP addresses to be assigned to clients. For example, if your
guest network is 192.168.225.0 with a netmask 255.255.255.0, the Beginning IP Address is 192.168.225.1 and the Ending
IP Address is 192.168.225.254.
DNS Servers – The IP addresses of the DNS servers.
4. Click Save. The guest network subnet appears in the DHCP Server Subnets section.
For more information on setting up a DHCP server, see How to Configure the DHCP Server.
Step 3. Set up the Guest Network
Specify the network using the confirmation page for guest access.
1. Go to the USERS > Guest Access page.

2. In the Guest Networks section, select your guest network (e.g., 192.168.225.1/24) from the Network column.
3. From the Type column, select Confirmation Message.
4. Click Add.
5. Click Save. The network then appears in the second Network table.

Step 4. (Optional) Configure the Confirmation Page
On the USERS > Guest Access page, you can configure the page that is displayed to guests when they log into the network.
In the Login Page Options section, edit the Welcome Message and upload a Welcome Image. The image can be up to 1 MB and must be in
JPG, GIF, or PNG format. The suggested image size is 170 x 40 pixels.
Step 5. Create a PASS Access Rule for DNS Traffic
Create an access rule to always allow DNS traffic from the guest network to the Internet.

3. In the Add Access Rule window, enter a name for the rule. E.g.: GUEST-DNS-2-INTERNET
Action Connection Adjust Bandwidth Source Network Services Destination
Allow Default (SNAT) Internet Guest Network DNS Internet
To allow connections from the guest network to the Internet, the X-Series Firewall must perform source-based NAT. The source IP
address of outgoing packets is changed from that of the client residing in the network to the WAN IP address of the X-Series Firewall, so
the connection is established between the WAN IP address and the destination IP address. The destination address of reply packets
belonging to this session is rewritten with the client's IP address.
5. At the bottom of the rule editor window, click Save.
Step 6. Create a PASS Access Rule for Authenticated Users
Create an access rule to allow HTTP/S traffic from guest network users to the Internet.

3. In the Add Access Rule window, enter a name for the rule. E.g.: GUESTNET-2-INTERNET
Allow Default (SNAT) Internet Guest Network HTTP+S Internet

6. In the Valid for Users section, select All Authenticated Users and click +.
7. At the bottom of the rule editor window, click Save.
Because rules are processed from top to bottom in the rule list, ensure that the rule to allow DNS traffic is placed above the rule to allow users,
and that both rules are placed above the BLOCKALL rule; otherwise, the rules are blocked. For more information, see Firewall Rules Order.

How to Set Up Guest Access with Ticketing
When you configure a guest network, you can set up a login or ticketing system to temporarily grant access to guests. Before guests can access
the network, they must enter a username and password from tickets that are assigned to them. The tickets expire after a set period of time.
Before tickets can be created, you must configure the ticketing system and set up ticket administrators. If the ticket administrator is located in a
different network segment, you must also create a firewall rule to allow access to the ticketing web interface.
Follow the instructions in this article to set up a guest network with ticketing.
Before You Begin
Ensure that the Barracuda NextGen Firewall X-Series has one unused network interface (Wi-Fi, Ethernet, or virtual, e.g., ath3, p3, or
p3.100).
Identify the guest network that you want to use (e.g., 192.168.223.0/24).
Step 1. Set up the Guest Network Interface
You can use Wi-Fi or a wired network for guest access. Configure a static network interface or a Wi-Fi interface. In the Static Interface
Configuration, ensure that you specify the following settings:
Network -– The guest network (e.g., 192.168.223.0/24).

Services to Allow – Select DNS Server.
Classification – Click Trusted.
Step 2. Enable the DHCP Server for Guest Network
To automatically assign IP addresses for guests, enable a DHCP server for the guest network.

2. In the DHCP Server section, enable the DHCP server.
3. In the Add DHCP Server Subnet section, configure the DHCP subnet. Ensure that you specify the following settings:
Beginning IP Address and Ending IP Address – The range of IP addresses to be assigned to clients. For example, if your
guest network is 192.168.223.0 with a netmask of 255.255.255.0, set the Beginning IP Address to 192.168.223.10 and the
Ending IP Address to 192.168.223.250. The IP address assigned to the network interface must not be part of the
management network.
DNS Servers – The IP addresses of the DNS servers.
4. Click Add Subnet. The guest network subnet appears in the DHCP Server Subnets section.
For more information on setting up a DHCP server, see How to Configure the DHCP Server.
Step 3. Set Up the Guest Network
If you configured the guest network on a wired interface, specify that the network uses ticketing for guest access.
1. Go to the USERS > Guest Access page.

2. In the Guest Networks section, select your guest network (e.g., 192.168.223.1/24) from the Network column.
3. From the Type column, select Ticketing.
4. For wired interfaces, click Add.
5. Click Save. The network appears in the second Network table.

Step 4. Set Up the Ticket Administrator
The ticket administrator can log into the ticketing system to create guest tickets but cannot log into the management interface of the X-Series
Firewall.
1. Specify the ticketing system login credentials.

a. Go to the USERS > Guest Access page.
b. In the Ticketing Administrator section, enter the username and password for logging into the ticketing system.
c. Click Save.
2. Ensure that ticket administrators have the following information:
The IP address of the ticketing web interface: http://<gateway-IP-address-for-the-guest-network>/lp/cgi-bin
/ticketing
The How to Manage Guest Tickets - User's Guide on how to create guest tickets.
Step 5. Add a Redirect Firewall Rule
Create a Network Object for the gateway IP address of the guest access network, and then add a Redirect to Service firewall rule.
Step 5.1 Create a Network Object

2. Click Add Network Object. The Add Network Object window opens.
3. Enter a Name (e.g., GuestNetworkGW).
4. In the Include Entries section, enter the Network Address of the gateway IP address of the guest network. The guest network gateway
IP address is the IP address that you assigned to the guest network interface in Step 1 (e.g., 192.168.223.1).
5. Click Save.
Step 5.2 Add a Redirect to Service Firewall Rule

3. In the Add Access Rule window, configure these settings:
Name – Enter a name.
Source – Select the network that the ticket admin's computer is located in (e.g., Trusted LAN Networks).
Destination – Select the Network Object for the guest network gateway IP address (e.g., GuestNetworkAccess).

4. Click Save.
5. Move the access rule above the BLOCKALL rule.
Step 6. (Optional) Configure the Login Page
On the USERS > Guest Access page, you can configure the page that is displayed to guests when they log into the network.
In the Login Page Options section, edit the Welcome Message and upload a Welcome Image. The image cannot be larger than 1 MB and
must be in JPG, GIF, or PNG format. The suggested image size is 170 x 40 pixels.
Step 7. Create a PASS Access Rule for DNS Traffic
Create an access rule to always allow DNS traffic from the guest network to the Internet.

3. In the Add Access Rule window, enter a name for the rule. E.g.: GUEST-DNS-2-INTERNET
Allow Default (SNAT) Internet Guest Network DNS Internet

To allow connections from the guest network to the Internet, the X-Series Firewall must perform source-based NAT. The source IP
address of outgoing packets is changed from that of the client residing in the network to the WAN IP address of the X-Series Firewall, so
the connection is established between the WAN IP address and the destination IP address. The destination address of reply packets
belonging to this session is rewritten with the client's IP address.
Step 8. Create a PASS Access Rule for Authenticated Users
Create an access rule to allow HTTP/S traffic from guest network users to the Internet.

3. In the Add Access Rule window, enter a name for the rule. E.g.: GUESTNET-2-INTERNET
Allow Default (SNAT) Internet Guest Network HTTP+S Internet

6. In the Valid for Users section, select All Authenticated Users and click +.

Because rules are processed from top to bottom in the rule list, ensure that the rule to allow DNS traffic is placed above the rule to allow users,
and that both rules are placed above the BLOCKALL rule; otherwise, the rules are blocked. For more information, see Firewall Rules Order.
Next Step
For instructions on how to create tickets for guests, see How to Manage Guest Tickets - User's Guide.

How to Manage Guest Tickets - User's Guide
If you are a ticketing administrator, you can create tickets in the Barracuda NextGen Firewall X-Series ticketing web interface to let guests
temporarily access your network.
Tickets assign guests with a username and password that expire after a preset amount of time. After tickets expire, they are automatically
deleted.
Before You Begin
Get the following information from the X-Series Firewall administrator:
The IP address of the ticketing web interface (e.g., 192.168.223.1)

The username and password for the ticket administrator
(Wi-Fi only) The SSID and passphrase for the Wi-Fi network
Create a Ticket
To create a guest ticket:
1. In a browser, go to: http://IP address for the ticketing web interface/lp/cgi-bin/ticketing

2. Log in with the username and password for the ticketing administrator.
3. Click the plus sign (+).
4. Enter the following information for the guest user:
Username – A descriptive username (e.g., BobSmith).
Password – A password.
Days and Hours – The number of days and hours that the ticket stays valid.
Delete a Guest Ticket
To delete a guest ticket before it expires:
1. In a browser, go to: http://IP address for ticketing web interface/lp/cgi-bin/ticketing

2. Next to the ticket that you want to delete, click the X symbol.

Print Ticket Information for Guests
To give guests their username and password for accessing the network, you can print their ticket information. The printed information also
specifies when the ticket expires.
To print the information for a guest ticket, click the printer symbol next to it.
If your guests are accessing a Wi-Fi network, you must also give them the SSID and passphrase for the network.

VPN
VPNs are a secure, efficient, and economical alternative to dedicated lines or dial-up RAS. With the Barracuda NextGen Firewall X-Series, you
can configure the following types of VPNs:
Site-to-Site VPN – Securely and transparently connects remote locations with your network.
Client-to-Site VPN – Lets remote users access the corporate network with VPN clients and mobile devices.
SSL VPN – Lets remote users access corporate resources over a secure and configurable web interface without the need to install or
configure a VPN client.
In this Section
Client-to-Site VPN
Site-to-Site VPN
How to Allow VPN Access via a Dynamic WAN IP Address
SSL VPN

Client-to-Site VPN
Client-to-site VPNs connect remote users to the corporate network.
Client-to-Site IPsec VPN
There are three types of IPsec VPNs available:
Shared Key – No external CA is required. A passphrase (shared key) is entered on the server and the client. This passphrase is used to
authenticate the connection.
Client Certificate – X.509 certificates are generated by an external CA. These certificates are used to authenticate the client. This
method is more secure.
Shared Key or Client Certificate – Client and server require either a shared key or valid client certificate to authenticate the remote
device.
Additionally, every user must authenticate using a username and password. Usernames and passwords can be stored in external authentication
services like Microsoft Active Directory, LDAP, or RADIUS. For more information, see How to Configure an External Authentication Service.
Supported VPN Clients
The following VPN clients are supported:
Barracuda VPN Client (Windows/macOS/Linux)

Third-party IPsec VPN clients
Apple iOS and Android devices
Setting Up an IPsec Client-to-Site VPN
For instructions on how to set up an IPsec VPN, see the following articles:
How to Configure a Client-to-Site VPN with Shared Key Authentication

How to Configure a Client-to-Site VPN with Certificate Authentication
How to Configure the Apple iOS VPN Client for IPsec Shared Key VPN
How to Configure Apple iOS VPN Client for IPsec VPN with Certificate Authentication
How to Configure the Android VPN Client for IPsec Shared Key VPN
SSL VPN Portal
The SSL VPN lets any user with a browser connect to published corporate resources—such as Exchange OWA, RDP connections to internal
servers/computers, or internal Wikis. You can also use the My Network feature to initiate a full routed network VPN from the SSL VPN portal.
Setting up a SSL VPN
For instructions on how to set up SSL VPN, see SSL VPN.
PPTP
Warning
As of 2012, PPTP is no longer considered secure. It is highly recommended that you switch away from PPTP because of the security
risks involved.
Point-to-Point-Tunnel-Protocol (PPTP) is offered with up to 128-bit of MPPE encryption. It provides the following:
Long standing widespread support across many platforms.

Use if no other VPN client is available for client platform.
Use if VPN performance is more important than security.

Support for external authentication over MS-CHAP-v2 or a local user database.
Limitations
PPTP VPNs have the following limitations:
No data integrity verification.

Weak encryption using only a 128-bit key.
Supported VPN Clients
Almost every modern operating system includes a PPTP client. The following clients are officially supported by Barracuda Networks:
Native VPN clients included in Windows, macOS, and Linux.

Native VPN clients included in iOS and Android.
Setting Up a PPTP Client-to-Site VPN
For instructions on how to set up a PPTP VPN, see How to Configure a Client-to-Site VPN with PPTP.

How to Configure a Client-to-Site VPN with Certificate Authentication
The Barracuda NextGen Firewall X-Series supports client-to-site VPN with certificate authentication. You can use either the Barracuda VPN
client, mobile clients running iOS or Android, as well as third-party IPsec clients supporting client authentication:
Mobile devices
The X-Series Firewall supports IPsec VPN connections for Apple iOS and Android devices. You must enable the IPsec client option in the
access policy to be able to connect with a mobile client.
Barracuda VPN client
The Barracuda VPN client authenticates with the certificate and username/password. You must enable the Barracuda VPN Client option in the
access policy to be able to connect with the Barracuda VPN client.
Third-party IPsec clients
The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN. You
must enable IPsec client in the access policy to use the IPsec VPN client.
Step 1. Enable the VPN service on a network interface
Enable the VPN service on a static IP address. If you do not have a static WAN IP address, you must enable the VPN service for a static internal
interface and then redirect incoming connections to the VPN service with a firewall rule.
Static (fixed) WAN IP address
To enable the VPN service for the static network interface:

2. In the Static Interface Configuration section click Edit to configure your static WAN interface.
3. In the Edit Static Network Interface window, select the VPN Server check box.
Disable Port 443 If Also Using the SSL VPN Service

If SSL VPN service is also enabled for this interface, go to the VPN > Site-To-Site VPN page and disable the Use TCP Port
443 setting for the VPN service.
4. Click Save.
Dynamic (DHCP/3G/PPPoE) WAN IP Address
Prerequisite for Using Dynamic WAN IP Addresses

You must have an active DynDNS account, so that the client can connect to the dynamic IP address. For more information on creating
a DynDNS account, see http://www.dyndns.org.

To use the VPN service with a dynamic WAN IP address, run the VPN service on an internal IP address. Do not use the management IP
address; instead, add a secondary IP address. Then, create an access rule to redirect all incoming VPN traffic from the dynamic interface to the
VPN service.

2. Enable dynamic DNS.
a. In the Dynamic Interface Configuration section, click Edit to configure the dynamic WAN interface.
b. In the Edit Dynamic Network Interface window, enable Use Dynamic DNS.
c. Enter the DynDNS Hostname and authentication information.
d. Click Save.
3. In the Management IP Configuration section, enter a secondary IP address:
IP ADDRESS – Enter an IP address that is free in the local network. For example, 10.0.10.6 if the MIP address is in the
10.0.10.0/24 network.
VPN SERVER – Select this check box.
4. Click Add.
5. Create an access rule to redirect incoming VPN connections on the dynamic interface to the VPN server listening on the local IP
address.
a. Go to the FIREWALL > Firewall Rules page.
b. Click Add Access Rule.
c. In the Add Access Rule window, configure a Redirect to Service firewall rule.
For the Destination, select the network object corresponding to your Internet connection type (DHCP, 3G, or DSL).
For the Redirected To setting, select the VPN network object.
d. Click Save.
6. Move the access rule above the BLOCKALL rule so it is the first access rule to match incoming VPN traffic. For more information, see Fi
rewall Rules Order.
7. Click Save.
Step 2. Upload or create certificates
Use a third-party PKI to create the VPN and client certificates. For more information on how to create certificates, see How to Create Certificates
with XCA and How to Create Certificates for a Client-to-Site VPN.
The SubAlt name of the VPN server certificate must be DNS: examplevpn.domain.com or DNS: *. If you are using an FQDN, it
must resolve to the IP address of the X-Series Firewall VPN service.
1. Go to the ADVANCED > Certificates page.

2. Click Upload.
Certificate Name – Enter VPN Certificate.

2.
Certificate Type – Select the type of certificate you want to upload.

Add to VPN Certificates – Enable the checkbox.
Certificate File – Select the certificate file you want to upload.
3. Click Save.
Step 3. Configure client-to-site VPN settings
Configure user authentication and IPsec settings.
Step 3.1 Configure user authentication and select the certificate
1. Go to the VPN > Client-To-Site VPN page.

2. In the Settings section, select a User Authentication method. You can use local or external user authentication.
3. From the Local Certificate list, select the certificate that you created in Step 2 (e.g., VPNCertificate).
4. Click Save.
Step 3.2 Configure IPsec settings for certificate authentication

Configure the authentication type and, if needed, the encryption algorithms for IPsec phase 1 and 2.

2. In the IPsec Settings section select Client Certificate as the Authentication type.
3. (optional) Configure the IPsec Phase 1 Settings and IPsec Phase 2 Settings.
Do not change the default IPsec Phase 1 and Phase 2 settings if you want to use iOS or Android devices as VPN clients,
4. Click Save.
Step 3.3 Create a VPN access policy
Define the VPN clients and network information to be passed to client.
Access policies are matched based on the Allowed Group of the access policy from top to bottom. Make sure access policies are
entered so the more specific allowed groups are on the top of the list and the generic * conditions are on the bottom of the list.

2. In the VPN Access Policies section, click Add Access Policy.
3. In the Add VPN Access Policy window, configure the following settings:
Name – A name for the access policy.
Access Policy Name on iOS and Android Devices

The name of the access policy is referred to as group name on iOS and Android devices.
Client Network – The network that the client will be assigned to (e.g., 192.168.100.0/24).
(Optional) Domain – The domain assigned to the client.
Primary DNS Server – The IP address of the DNS server.
Published Networks – The local networks available for the VPN client.

Add 0.0.0.0/0 to the Published Networks to allow the client to access the Internet through the VPN tunnel.
IPsec Phase 2 – The IPsec Phase 2 settings that you configured in Step 3.2 (e.g., Client2SiteVPNClients from the example
in Step 3.2).
No Split Tunnel Mode – Enable to lock down the client to only connect to the Published Networks of the VPN tunnel.
Windows hosts using the Barracuda VPN client only.
Enabling this option blocks VPN access for all non-Windows clients!
Allowed Peers – Enable IPsec Clients for mobile devices and third-party IPsec clients and Barracuda VPN client to be able to
connect with the Barracuda VPN client.
Allowed Groups – The groups that are allowed to connect. To allow all groups, enter an asterisk (*).
Use for CudaLaunch – Enable self-provisioning on Windows, macOS, or iOS devices for remote clients using the CudaLaunch
portal. For more information, see CudaLaunch.
Configure the following settings:
CudaLaunch Server – Enter the IP address of the server providing CudaLaunch.
Allowed Groups – Enter the user groups that the policy applies to. Click + after each entry. You can use question
marks (?) and asterisks (*) as wildcard characters.
4. Click Save.
Step 4. Configure clients
Configure VPN clients to connect to the IPsec VPN with certificate authentication.
Barracuda VPN clients
Configure the Barracuda VPN client to connect to the IPsec VPN with certificate authentication you just created.
1. Go to the VPN > Client-To-Site page.

2. Download and install the Barracuda VPN Client.
a. In the Settings section, select your operating system from the Download Barracuda VPN Client list and click Download.
b. Install the Barracuda VPN Client. You must have administrative rights.
c. Reboot the computer after the installation.
3. Configure a profile for connecting to the IPsec VPN.
a. Start the Barracuda VPN Client.
b. In the left pane, click Preferences.
c. In the Barracuda VPN Control window, right-click the default profile and select Modify Profile.
d. In the Properties window, specify these settings:
Certificate – Select X509 authentication.
Remote Server – Enter the WAN IP address or DynDNS name (e.g., 62.99.0.51 or bfw-vpn.dyndns.org) in the
Host names or IP addresses of remote server field.
e. Click OK.
4. Close the Barracuda VPN Control window.
After configuring the Barracuda VPN client, you can connect to the IPsec VPN:
1. Start the Barracuda VPN Connector.

3. Click Connect.
You are now connected to the client-to-site IPsec VPN with the Barracuda VPN Client.

The connection status is displayed on the VPN > Active Connections page.
Mobile clients
For instructions on configuring mobile clients, see these articles:
Mobile OS Supported Version Article
Apple iOS 5.2 and above How to Configure the Apple iOS VPN Client
for IPsec Shared Key VPN
Android 4.0 and above How to Configure the Android VPN Client for
IPsec Shared Key VPN
The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN.

How to Configure a Client-to-Site VPN with Shared Key Authentication
The Barracuda NextGen Firewall X-Series supports client-to-site VPN with shared key authentication. You can use either the Barracuda VPN
Client, mobile clients running iOS or Android, or third-party IPsec clients supporting client authentication.
The certificates for the VPN service must include the FQDN resolving to the external IP address the VPN service is listening on as the
Subject Alternative Name. E.g., DNS:vpn.mydomain.com Alternatively, you can also use a wildcard: DNS:*
Mobile devices
The X-Series Firewall supports IPsec VPN connections for Apple iOS and Android devices. You must enable the IPsec client option in the
access policy to be able to connect with a mobile client.
Barracuda VPN Client
The Barracuda VPN Client authenticates with username and password. The shared key configured for the IPsec client is not used for the
Barracuda VPN Client. You must enable the Barracuda VPN Client option in the access policy to be able to connect with the Barracuda VPN
Client.
Third-party IPsec clients

The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN. You
must enable IPsec client in the access policy to use the IPsec VPN client.
Step 1. Enable the VPN service on a network interface
Enable the VPN service on a static IP address. If you do not have a static WAN IP address, you must enable the VPN service for a static internal
interface and then redirect incoming connections to the VPN service with a firewall rule.
Static (fixed) WAN IP address
To enable the VPN service for the static network interface:
1. Go to NETWORK > IP Configuration.

2. In the Static Interface Configuration section, click Edit to configure your static WAN interface.
3. In the Edit Static Network Interface window, select the VPN Server check box.
Disable Port 443 If Also Using the SSL VPN Service

If SSL VPN service is also enabled for this interface, go to VPN > Site-To-Site VPN and disable the Use TCP Port 443 setting
for the VPN service.
4. Click Save.
Dynamic (DHCP/3G/PPPoE) WAN IP address

Prerequisite for Using Dynamic WAN IP Addresses
You must have an active DynDNS account, so that the client can connect to the dynamic IP address. For more information on creating
a DynDNS account, see http://www.dyndns.org.
To use the VPN service with a dynamic WAN IP address, run the VPN service on an internal IP address. Do not use the management IP
address; instead, use a secondary IP address. Then, configure a firewall rule to redirect all incoming VPN traffic from the dynamic interface to the
VPN service.

2. Enable dynamic DNS.
a. In the Dynamic Interface Configuration section, click Edit to configure your dynamic WAN interface.
b. In the Edit Dynamic Network Interface window, enable Use Dynamic DNS.
c. Enter the DynDNS Hostname and authentication information.
d. Click Save.
3. In the Management IP Configuration section, add a secondary IP address:
IP ADDRESS – Enter an IP address that is free in the local network. For example, 10.0.10.6 if the MIP address is in the
10.0.10.0/24 network.
VPN SERVER – Select this check box.
4. Create an access rule to redirect incoming VPN connections on the dynamic interface to the VPN server listening on the local IP
address.
a. Go to FIREWALL > Firewall Rules.
b. Click Add Access Rule.
c. In the Add Access Rule windows, configure a Redirect to Service firewall rule.
For the Destination, select the network object corresponding to your Internet connection type (DHCP, 3G, or DSL).
For the Redirected To setting, select the VPN network object.
d. Click Save.
5. Move the firewall rule above the BLOCKALL rule. For more information, see Firewall Rules Order.
6. Click Save.
Step 2. Configure client-to-site VPN settings for shared key IPsec VPN
Configure user authentication and IPsec settings.
Step 2.1 Configure User Authentication

1. Go to VPN > Client-To-Site VPN.
2. In the Settings section, select a User Authentication method. You can use local or external user authentication.
3. In the IPsec Settings section:
a. For Authentication, select Shared Key.
b. Enter the Shared Key.
c. Unless you are using iOS or Android devices as VPN clients, you can also configure the IPsec Phase 1 Settings and IPsec
Phase 2 Settings.
4. Click Save.
If you want to use iOS or Android devices as VPN clients, do not change the default IPsec Phase 1 and Phase 2 settings.
Step 2.2 Create the VPN access policy
Define the VPN clients and the network information to be passed to client.
Access policies are matched based on the Allowed Group of the access policy from top to bottom. Make sure access policies are
entered so the more specific allowed groups are at the top of the list and the generic * conditions are at the bottom of the list.

2. In the VPN Access Policies section, click Add Access Policy.
3. In the Add VPN Access Policy window, specify the following settings:
Name – A name for the access policy.
Access Policy Name on iOS and Android Devices

The name of the access policy is referred to as group name on iOS or IPSec-ID on Android devices.
Client Network – The network that the client will be assigned to (e.g., 192.168.100.0/24).
(Optional) Domain – The domain assigned to the client.
Primary DNS Server – The IP address of the DNS server.
Published Networks –The local networks available for the VPN client.
No Split Tunnel Mode – Enable to lock down the client to connect only to the Published Networks of the VPN tunnel. Add 0.0.
0.0/0 to the Published Networks to allow the client to access the Internet through the VPN tunnel.
IPsec Phase 2 – The IPsec Phase 2 settings that you configured in Step 2.2 (e.g., Client2SiteVPNClients from the example in
Step 2.2).
Allowed Peers – Enable IPsec Clients for mobile devices and third-party IPsec clients and Barracuda VPN client to be able to
connect with the Barracuda VPN Client.
Allowed Groups – The groups that are allowed to connect. To allow all groups, enter an asterisk (*).
Use for CudaLaunch – Enable self-provisioning on Windows, macOS, or iOS devices for remote clients using the CudaLaunch
portal. For more information, see CudaLaunch.
Configure the following settings:

CudaLaunch Server – Enter the IP address of the server providing CudaLaunch.
Allowed Groups – Enter the user groups that the policy applies to. Click + after each entry. You can use question
4. Click Save.
Step 3. Configure Clients
Configure VPN clients to connect to the IPsec VPN with shared key authentication.
Barracuda VPN Clients
Configure the Barracuda VPN Client to connect to the IPsec VPN with the certificate authentication you just created.
1. Go to VPN > Client-To-Site.

2. Download and install the Barracuda VPN Client.
a. In the Settings section, select your operating system from the Download Barracuda VPN Client list and click Download.
b. Install the Barracuda VPN Client. You must have administrative rights.
c. Reboot the computer after the installation.
3. Configure a profile for connecting to the IPsec VPN.
a. Start the Barracuda VPN Client.
b. In the left pane, click Preferences.
c. In the Barracuda VPN Control window, right-click the default profile and select Modify Profile.
d. (optional) Enter a description of this connection entry to change the VPN profile name.
e. In the Remote Server section, enter the WAN IP address or DynDNS name (e.g., 62.99.0.51 or bfw-vpn.dyndns.org) in
the Host names or IP addresses of remote server field.
f. Click OK.
4. Close the Barracuda VPN Control window.
After configuring the Barracuda VPN client, you can connect to the IPsec VPN:
1. Start the Barracuda VPN Connector.

3. Click Connect.
You are now connected to the client-to-site IPsec VPN with the Barracuda VPN Client.
The connection status is displayed on the VPN > Active Connections page.

Mobile clients
For instructions on configuring mobile clients, see these articles:
Mobile OS Supported Version Article
Apple iOS 5.2 and above How to Configure the Apple iOS VPN Client
for IPsec Shared Key VPN
Android 4.0 and above How to Configure the Android VPN Client for
IPsec Shared Key VPN
The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN.
Troubleshooting
If you are having trouble connecting to the client-to-site VPN, see Troubleshooting Client-to-Site VPNs.

How to Configure the Apple iOS VPN Client for IPsec Shared Key VPN
To use an Apple iOS device to connect to a client-to-site IPsec VPN without having to import a certificate, use shared key authentication.
Configure the Apple iOS Device
Before you configure the Apple iOS device:
Verify that the Apple device is running iOS version 5.1 or above.
Barracuda Networks reference device for IPsec PSK. Apple iPhone/iPad with iOS version 7.0.4.
Verify that a client-to-site IPsec VPN with shared key authentication has been properly configured. For more information, see How to
Configure a Client-to-Site VPN with Shared Key Authentication.
To configure an Apple iOS device for IPsec VPN connections with the Barracuda NextGen Firewall X-Series:
1. On the Apple iOS device, tap Settings > General > VPN > Add VPN Configuration.
2. On the Add VPN configuration screen, tap the IPSec tab.
3. Configure the following settings:
Server – The IP address or FQDN that the VPN service is listening on (e.g., 62.99.0.51).
Account and Password – Your username and password.
Group Name – The access policy name for the client-to-site VPN on the X-Series Firewall you want to connect to (e.g., IPsecV
PN).
Secret – The shared key.
4. Tap Save in the top right corner. The VPN configuration then appears on the VPN screen.

Connect to the VPN with the Apple iOS Device
After configuring the Apple device, you can connect to the IPsec VPN.
On your Apple iOS device, tap Settings and then turn on VPN. After a few seconds, the VPN icon appears in the status bar to indicate that the
connection is successful.
VPN and NAT

Establishing VPN through NAT can be problematic. If you experience connection losses, increase the UDP timeout on the NAT'd
device. For example, the iPhone sends keepalive packets every 60 seconds. To increase the UDP timeout for the iPhone, enter any
value over 60 seconds.
Unfortunately, many cell phone providers use NAT to connect mobile devices to the Internet. Contact your cell phone provider support
for help.

How to Configure Apple iOS VPN Client for IPsec VPN with Certificate Authentication
Because certificates longer than 512-bit do not work for iOS VPN clients with iOS version 6.0, it is recommended that you update to the
latest version of iOS.
For client-to-site IPsec VPN connections, you can use Apple iOS devices. Follow the steps in this article to configure Apple iOS devices for IPsec
VPN connections with the Barracuda NextGen Firewall X-Series.
Before you Begin
To use Apple iOS devices to connect to a client-to-site IPsec VPN, you must have the following:
Apple device with iOS 5.1 or above.

Client-to-Site IPsec VPN with certificate-based authentication.
Root, server, and client certificates that meet the requirements set by Apple.
The following table shows the required X.509 certificates, their settings, and where they must be installed.
X.509 Certificate Type Installation Device File Type Chain of Trust X.509 Extensions and
Values
Root Certificate Barracuda NextGen PEM Trust Anchor Mandatory option

Firewall X-Series + for key usage:
Apple iOS Device Certificate sign; C
RL sign.
Server Certificate Barracuda NextGen PKCS12 End Instance Subject

Firewall X-Series Alternative Name:
Only use the DNS
tag with a FQDN
which resolves to
the IP address the
VPN Service or a
wildcard certificate.
Do not use the IP
tag. E.g., DNS:vpn
server.yourdomain.
com or DNS:*
Key Usage - Inclu
ding the "Digital
Signature" flag.
Client Certificate Apple iOS Device PKCS12 End Instance Key Usage -
Including the
"Digital Signature"
flag.
When creating X.509 certificates:
Do not use identical Subject Alternative Names settings. Subject Alternative Names must also not contain the management IP
address of the X-Series Firewall.
Only use the X.509 extensions that are listed in the table above.
Example iOS Certificate Settings

Click here to expand...
Root Certificate
Tab Setting Value

Status Signature Algorithm sha1WithRSAEncryption
Subject RFC 2253 emailAddress=support@barracuda.com,O

U=documentation,O=Barracuda
Networks,L=Innsbruck,ST=Tirol,C=AT
Hash 7b6d2374
Extensions X509v3 Basic Constraints CA:TRUE
X509v3 Key Usage Digital Signature, Key Agreement,

Certificate Sign
Server Certificate
Tab Setting Value

U=docu,O=Barracuda Network
AG,L=Innsbruck,ST=Tyrol,C=AT
Hash cc0460b5
Issuer RFC 2253 emailAddress=support@barracuda.com,O

Hash 7b6d2374
Extensions X509v3 Key Usage Digital Signature, Key Agreement,

Certificate Sign
X509v3 Subject Alternative Name: DNS:vpnserver.yourdomain.com
Client Certificate
Tab Setting Value

Networks,L=Innsbruck,ST=Tyrol,C=AT
Hash c2b06d20
Issuer RFC 2253 emailAddress=support@barracuda.com,O

Hash 7b6d2374
Extensions X509v3 Key Usage Digital Signature
Configure the Apple iOS Device
Import the certificates
You must import the root and the client certificate on the Apple iOS device. You can import the certificate via email or by downloading it from a
web server. If you are using a Mobile Device Management (MDM) server, you can also push the certificates to your devices.
Configure the Client-To-Site VPN
To configure an Apple iOS device for IPsec VPN connections with the X-Series Firewall:
1. On the iOS device, tap Settings > General > VPN > Add VPN Configuration.
2. On the Add VPN configuration screen, tap the IPsec tab.
3. Configure the following settings:
Server – The Subject Alternative Name used in your certificates.

3.
Account and Password – The XAUTH username and password.

Use Certificate – Enable this setting.
Certificate – The X.509 client certificate.
4. Tap Save in the top right corner. The VPN configuration then appears on the VPN screen.
Connect to the VPN with the Apple iOS Device
After configuring the Apple device, you can connect to the IPsec VPN.
On your Apple iOS device, tap Settings and then turn on VPN. After a few seconds, the VPN icon appears in the status bar to indicate that the
connection is successful.
VPN and NAT

Establishing VPN through NAT can be problematic. If you experience connection losses, increase the UDP timeout on the NAT'd
device. For example, the iPhone sends keepalive packets every 60 seconds, so you can enter any value over 60 seconds.
Unfortunately, many cell phone providers use NAT to connect mobile devices to the internet. Contact your cell phone provider support
for help.

How to Configure the Android VPN Client for IPsec Shared Key VPN
To use an Android device to connect to a client-to-site IPsec VPN without having to import a certificate, use shared key authentication. Your
device must use Android version 4.0 or above.
Barracuda Networks reference device for IPsec PSK uses Android version 4.3.
Configure the Android VPN Client
1. On the Android device, tap Settings.

2. In the Wireless & Networks section, tap More.
3. Tap VPN.
4. Add the VPN by tapping the plus sign (+) next to VPN.
5. On the Edit VPN profile page, configure these settings:
Name – Enter a name for the VPN connection (e.g., IPsecWithSharedKeys).
Type – Select IPSec Xauth PSK.
Server address – Enter the network address for the VPN service (e.g., 62.99.0.51).
IPSec identifier – Enter the group policy name that you entered for the IPsec PSK VPN on the Barracuda NextGen X-Series
Firewall (e.g., IPsecVPN).
IPSec pre-shared key – Enter the PSK.
Connect to the VPN with the Android Device
After configuring the Android device, you can connect to the IPsec VPN.
1.

1. On the device, navigate to the VPN screen.
2. Tap the name of the VPN that you want to connect to (e.g., IPsecWithSharedKeys).
3. Enter your Username and Password, and then tap Connect.

Troubleshooting Client-to-Site VPNs
If your client-to-site VPN is not working as expected, try the solutions that are provided in this article for the following scenarios:
You Receive a Timeout Error on the Client
The client might not be able to reach the public listen IP address of the Barracuda NextGen Firewall X-Series. Try to ping the public listen
IP address of the appliance from the client.
Go to the VPN > Client-to-Site VPN page and verify that the tunnel is configured correctly.
You Receive an Authentication Error on the Client
Go to the VPN > Client-to-Site VPN page and verify that the correct user authentication method is selected.
Go to the Users > External Services page and verify that the external authentication method is correctly configured.
Ensure that the correct username and password are being used to log in.
Verify that special characters are not being used in the password. If there are any special characters, change the password and then try
to connect.
You are Able to Connect but Cannot Reach the Published Networks
On the client, see if traffic is being sent into the tunnel. You can either check the routing table of the client machine or use the tracert a
nd traceroute command-line utilities.
Go to the VPN > Client-to-Site VPN page and verify that the VPN Access Policies are configured correctly.
Ensure that the firewall rule for the VPN is allowing the traffic into the networks.
Verify the VPNCLIENTS-2-LAN Rule Matches Client-to-Site VPN Traffic
Per default the VPNCLIENTS-2-LAN access rule allows traffic from the client-to-site VPN to all networks in the Trusted LAN network object. Veri
fy that the rule matches by pinging a computer in the Trusted LAN from a connected VPN client. If the ping goes trough you are able to reach the
internal network through the client-to-site VPN. If the ping does not work, go to BASIC > Active Connections:
1. Find the connection of your ping by matching protocol (ICMP), source and destination.
2. If the access rule listed in the firewall rule column for the connection is not VPNCLIENTS-2-LAN move the VPNCLIENTS-2-LAN rule
above the rule which is currently handling the VPN traffic. For more information, see Firewall Rules Order.

How to Configure a Client-to-Site VPN with PPTP
Warning
As of 2012, PPTP is no longer considered secure. It is highly recommended that you switch away from PPTP because of the security
risks involved.
Using VPNs, mobile workers can securely access corporate information and resources. The Barracuda NextGen Firewall X-Series allows all
operating systems with PPTP clients to connect via a client-to-site VPN.
Follow the steps in this article to configure a client-to-site VPN using PPTP.
Step 1. Configure the X-Series Firewall VPN Server
The VPN server that runs on the X-Series Firewall must listen on the appropriate IP address for the clients. Depending on whether the X-Series
Firewall is connected to the Internet through an ISP that statically or dynamically assigns the WAN IP address, complete the steps in the Static
WAN IP Address or Dynamic WAN IP Address section.
Static WAN IP Address
If the X-Series Firewall is connected to the Internet through an ISP that statically assigns the WAN IP address:

2. In the Static Interface Configuration section, or on any Secondary IP Address of the management IP address, verify that the VPN
Server check box for the interface is selected.
Dynamic WAN IP Address
To allow VPN connections using a dynamically assigned WAN IP address on the X-Series Firewall, follow the steps in How to Allow VPN Access
via a Dynamic WAN IP Address.
Step 2. Configure the PPTP Settings on the X-Series Firewall
Configure PPTP to let remote devices access the X-Series Firewall VPN.
1. Go to the VPN > PPTP page.

2. In the PPTP Settings section, enable and configure PPTP.
3. On the same page, configure the user authentication method:
For local authentication, configure the settings in the Local PPTP Users section.
For MS-CHAPv2 and NTLM authentication, configure the settings in the User and Group Conditions (MS-CHAPv2/NTLM) sec
tion.
For more information on the PPTP and authentication settings, click Help on the VPN > PPTP page.
Step 3. Configure User Authentication
For user authentication, you can use local authentication or MS-CHAPv2/NTLM.
Local Authentication
To configure user access permissions with Local Authentication:

2. In the Local PPTP User section, add the username and password for each user who is allowed to connect to the VPN. If required,
specify a static IP address for the user.
MS-CHAPv2/NTLM
With MS-CHAPv2/NTLM, you can allow access on a per-user or per-group basis.

2. In the User and Group Conditions (MS-CHAPv2/NTLM) section, add the users and groups who are allowed to connect to the
client-to-site VPN.
Note that successful authentication is only possible for users that are matching the conditions in Allowed Users AND Allowed
Groups.
Step 4. Add the Firewall Rule to Allow Traffic Between VPN Clients and LAN

Create a new firewall rule to let PPTP traffic in the VPN tunnel pass between the VPN clients and the trusted LAN. The pre-installed
VPNCLIENTS-2-LAN firewall rule does not match PPTP connections because they do not use the pvpn0 virtual interface. As a result, PPTP
traffic is blocked by default.
Create a new firewall rule that lets VPN traffic from the PPTP clients access the Trusted LAN:
1. Go to the FIREWALL > Firewall Rules page and add this rule:
Action Source Destination Service Connection
Allow The network range Trusted LAN Any (or the No SNAT (the original
assigned to the PPTP allowed/required source IP address is
clients (configured in V services) used)
PN > PPTP > Client IP
Pool Begin/Client IP
Pool Size)
2. At the top of the Add Access Rule window, click Add.
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom in the rule set, arrange your rules in
the correct order. You must especially ensure that your rules are placed above the BLOCKALL rule; otherwise, the rules are blocked.

Site-to-Site VPN
Site-to-site VPNs let offices in multiple locations establish secure connections with each other over a public network such as the Internet. A
site-to-site VPN extends the company´s network, making resources available to remote employees. The Barracuda NextGen Firewall X-Series
establishes strongly encrypted IPsec VPN tunnels, using DES, 3DES, AES-128, AES-256, etc. It supports active and passive tunnel initiation and
provides maximum flexibility.
Configuring Site-to-Site VPNs
For instructions on setting up site-to-site VPNs, see the following articles:
How to Configure a Site-to-Site VPN with IPsec

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway
How to Configure a Site-to-Site IPsec VPN to the Microsoft Azure VPN Gateway
Example - Configuring a Site-to-Site IPsec VPN Tunnel
Troubleshooting Site-to-Site VPNs
How to Configure Authentication Through a Site-to-Site VPN Tunnel

How to Configure a Site-to-Site VPN with IPsec
The Barracuda NextGen Firewall X-Series can establish IPsec VPN tunnels to any other appliance supporting the IPsec VPN protocol, including
another X-Series Firewall. To set up the IPsec VPN tunnel, you must create it on the X-Series Firewall and its remote appliance. For a successful
IPsec tunnel, configure identical Phase 1 and Phase 2 settings on both VPN gateways. The X-Series Firewall supports authentication with a
shared passphrase as well as X.509 certificate-based (CA-signed as well as self-signed) authentication. You must also configure a firewall rule to
allow traffic between both networks.
Video
Watch an example of a Site-to-Site VPN IPsec tunnel being configured on the X-Series Firewall:
Step 1. Create the IPsec Tunnel on the X-Series Firewall and on the Remote Appliance
To create the IPsec tunnel on the X-Series Firewall:
1. Go to the VPN > Site-to-Site VPN page.

2. In the Site-to-Site IPsec Tunnels section, click Add .
3. On the Add Site-to-Site IPsec Tunnels page, configure the settings. The Phase 1 and Phase 2 settings must be identical on both VPN
gateways.
4. After configuring the tunnel settings, click Save.
5. Configure the IPsec tunnel on the remote appliance.
Step 2. Configure the X-Series Firewall VPN Server
The VPN server that runs on the X-Series Firewall must listen on the appropriate IP address for its peer. Depending on whether the X-Series
Firewall is connected to the Internet through an ISP that statically or dynamically assigns the WAN IP address, complete the steps in the
following Static WAN IP Address or Dynamic WAN IP Address section.
Static WAN IP Address
If the X-Series Firewall is connected to the Internet through an ISP that statically assigns the WAN IP address:

2. In the Static Interface Configuration section, verify that the VPN Server check box is selected for the interface or for any Secondary
IP Address of the management IP address.
Dynamic WAN IP Address
If your X-Series Firewall is connected to the Internet through an ISP that dynamically assigns the WAN IP address, see How to Allow VPN
Access via a Dynamic WAN IP Address.
Step 3. Create the Access Rule for VPN Traffic
Create a firewall rule to allow network traffic between the two networks. If the tunnel is to be established between two X-Series Firewalls, create
the same rule on both appliances.

2. Add a firewall rule with the following settings:
Action Connection Bi-directional Service Source Destination
Allow No SNAT (the Select the Bi-direc Any The LAN 1 The LAN 2
original source IP tional check box. address. address.
address is used)
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom in the rule set, ensure that you
arrange your rules in the correct order. Take special care to place your rule above the BLOCKALL rule. Otherwise, the rule will never match and
all traffic is blocked. If you are configuring a tunnel between two X-Series Firewalls, verify the order of the firewall rules in the rule sets for both
appliances.
Step 5. Verify Successful VPN Tunnel Initiation and Traffic Flow
To verify that the VPN tunnel was initiated successfully and traffic is flowing, go to the VPN > Site-to-Site Tunnels page. Verify that green check

marks are displayed in the Status column of the VPN tunnel.
Use ping to verify that network traffic is passing the VPN tunnel. Open the console of your operating system and ping a host within the remote
network. If no host is available, you can ping the management IP address of the remote X-Series Firewall. Go to the NETWORK > IP
Configuration page and ensure that Services to Allow: Ping is enabled for the management IP address of the remote firewall.
If network traffic is not passing the VPN tunnel, go to the BASIC > Recent Connections page and ensure that network traffic is not blocked by
any other firewall rule.

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway
Missing the language English in this article! Please add the language, otherwise this article can not be displayed properly.

How to Configure a Site-to-Site IPsec VPN to the Microsoft Azure VPN Gateway
You can configure your Barracuda NextGen Firewall X-Series to connect to the IPsec VPN gateway service in the Microsoft Azure cloud.
Before you Begin
Create and configure a Microsoft Azure static VPN Gateway for your virtual network.
You will need the following information:
VPN Gateway
External IP address for the X-Series Firewall
Remote and local networks.
Step 1.Create a Network in the Microsoft Azure cloud
Create a virtual Network in the Microsoft Azure cloud. Choose subnets which are not present in your local networks to avoid IP address conflicts.
1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com)

2. In the left pane click NETWORKS.
3. In the bottom left corner click + NEW.

4. Click CUSTOM CREATE. The create a virtual network windows opens.
5. Enter the Name for the network.
6. Select a Location. E.g., West Europe
7. Click NEXT .
8. (optional) Enter or select a DNS server.

9. In the right panel enable Configure site-to-site VPN.
10. Select Specify a New Local Network from the LOCAL NETWORK drop down.

11. Click Next .
12. Enter a NAME for your local on-premises network.
13. Enter the VPN DEVICE IP ADDRESS. This is the external IP address of the X-Series Firewall running the VPN service.
14. In the ADDRESS SPACE section enter the on-premise network(s). E.g., 10.10.200.0/24
15. Click Next .
16. In the Virtual Network Address Spaces section click add subnet:
Subnet – Enter a name for the subnet.
Starting IP – Enter the first IP of the IP Range for the subnet. E.g., 10.10.201.0
CIDR(ADDRESS COUNT) – Select the subnet mask from the list. E.g., /24 for 256 IP addresses
17. Click add gateway subnet:
Starting IP – Enter the first IP for the gateway subnet. E.g., 10.10.201.0
CIDR (ADDRESS COUNT) – Select the subnet mask from the list. E.g., /29 for 8 IP addresses
18. Click OK .
The Azure Virtual Network you have just created is now listed in the NETWORK menu in the Azure management interface.
Step 2. Create a VPN Gateway for the Microsoft Azure Network
Create the Azure VPN Gateway.
1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).

2. In the left pane click NETWORKS.

2.
3. Click on the Network previously created in Step 1.
4. in the top menu click on DASHBOARD.

5. In the bottom pane, click CREATE GATEWAY.
6. Select Static Routing from the list. Creating the gateway will take a couple of minutes.
When the color of the gateway turns blue, the gateway has been successfully created. The Gateway IP is now displayed below the VPN Gateway
image.
Step 3. Configure IPsec Site-to-Site VPN on the X-Series Firewall
Create a active IPsec VPN connection on the X-Series Firewall.
1. Go to the Site-to-Site page (VPN > Site-to-Site).

2. If your are using a dynamic address (DHCP, xDSL, 3G) to connect to the Internet, or if you are behind a NAT enable Use Dynamic IPs i
n the GLOBAL SERVER SETTINGS section and click Save. The VPN service restarts.
3. In the Site-to-Site IPsec Tunnels section click on Add.
4. Enter the Name for the IPsec VPN. E.g., AzureVPNGateway
5. Configure the Phase 1 and Phase 2 encyption settings:
Phase 1:
Encryption – AES
Hash Method – SHA
DH Group – Group 2
Lifetime – 28800
Phase 2:
Encryption – AES
Hash Method – SHA256
Lifetime – 3600
Perfect Forward Secrecy – No
Local End – Active
Local Address – Dynamic or static if you are using a static WAN connection.

Local Networks – Enter your on-premise subnet(s). E.g.,
Remote Gateway – Enter the IP for the GATEWAY IPADDRESS listed on the DASHBOARD of your Azure network. E.g., 137
.117203.108
Remote Networks – Enter the remote VPC subnet. E.g., 10.10.201.0/24
Authentication – Select Shared Passphrase.
Passphrase – Enter the Shared Key generated by your Azure VPN Gateway. To view the shared key go to the DASHBOARD
of your Azure network and click on the Manage Key icon in the bottom pane.
Enable Aggressive – No,
6. Click Save.
Step 4. Create a Access Rule
If you do not have the VPN-SITE-2-SITE access rule you must create an access rule to allow traffic to allow traffic from your local network to the
Azure subnet.

2. Add a Access Rule:
Type – Select ALLOW.
Source – Enter your local network(s) or select a network object containing only your local network(s). E.g., 10.10.200.0/24
Destination – Enter the remote subnet in the Azure Network. E.g., 10.10.201.0/24
Network Services – Select Any.
Connection – Select No SNAT
3. Click Save.
4. Place the firewall rule so no rule matches the VPN traffic above it.
5. Click Save.
Your X-Series Firewall will now automatically connect to the Azure VPN Gateway.

Example - Configuring a Site-to-Site IPsec VPN Tunnel
To configure a Site-to-Site VPN connection between two Barracuda NextGen X-Series Firewalls, in which one unit (Location 1) has a dynamic
Internet connection and the peer unit (Location 2) has a static public IP address, create an IPsec tunnel on both units. In this setup, Location 1 ac
ts as the active peer. You will need to add an access rule to allow VPN traffic. Because the WAN IP address of Location 1 is chosen dynamically
via DHCP, the remote gateway on Location 2 must use 0.0.0.0/0 so that any incoming IP address is accepted. Using 0.0.0.0/0 as the remote
gateway is supported only for site-to-site tunnels in Aggressive mode. This setup does not require third-party DNS services such as DynDNS.
This example configuration uses the following settings:
X-Series Firewall Location 1 X-Series Firewall Location 2
Published VPN Network 172.16.0.0/24 10.0.0.0/25
Public IP Addresses dynamic via DHCP 62.99.0.74
Before you Begin
On the VPN > Settings page of both X-Series Firewalls, verify that you selected a valid VPN certificate. For more information, see Certificate
Manager.
Step 1. Enable VPN Listener on the Dynamic IP Address of the Active Peer
On the X-Series Firewall at Location 1, enable Use Dynamic IPs in the GLOBAL SERVER SETTINGS of the VPN > Settings page for the VPN
service to listen on all IP addresses.
Step 2. Create the IPsec Tunnel on Location 1
Configure the X-Series Firewall at Location 1 with the dynamic WAN IP as the active peer.
1. Log into the X-Series Firewall at Location 1.

3. In the Site-to-Site IPSec Tunnels section, click Add.
4. Enter a Name for the VPN tunnel.
5. Configure the settings for Phase 1 and Phase 2.

6. Specify the network settings:
Local End – Select Active.
Local Address – Select Dynamic.
Local Networks – Enter 172.16.0.0/24 (the network address for the locally configured LAN), and click +.
Remote Gateway – Enter 62.99.0.74 (the WAN IP address of Location 2).
Remote Networks – Enter 10.0.0.0/25 (the remote LAN), and click +.
7. Specify the authentication settings:
Passphrase – Enter the shared secret.
8. Enable Aggressive Mode.
9. Define the Aggressive Mode ID.
10. Click Add.
Step 3. Create the IPsec Tunnel on Location 2
Configure the X-Series Firewall at Location 2, with the static WAN IP as the passive peer. Use 0.0.0.0/0 as the IP address for the remote gateway
to allow the Location 1 unit to use dynamic WAN IP addresses.
1. Log into the X-Series Firewall at Location 2.

3. In the Site-to-Site IPSec Tunnels section, click Add.
4. Enter a Name for the VPN tunnel.
5. Configure the same settings for Phase 1 and Phase 2 as for Location 1.
6. Specify the network settings:
Local End – Select Passive.
Local Address – Select 62.99.0.74 (the WAN IP address of Location 2).
Local Networks – Enter 10.0.0.0/25 (the network address for the locally configured LAN), and click +.
Remote Gateway – Enter 0.0.0.0/0 because the WAN IP address of location 1 is chosen dynamically via DHCP.
Remote Networks – Enter 172.16.0.0/24. (the remote LAN), and click +.
7. Specify the authentication settings:
Passphrase – Enter the shared secret.
8. Enable Aggressive Mode.
9.

9. Define the Aggressive Mode ID.
10. Click Add.
Step 4. Configure the Access Rule for VPN Traffic
Remote and local subnets are automatically added to the VPN-Local-Networks and VPN-Remote-Networks network objects when saving the
Site-to-Site VPN configuration. If not present, go to FIREWALL > Network Objects and create these network objects. For more information, see
Network Objects.
Create PASS access rules on both Location 1 and Location 2 X-Series Firewalls to allow traffic in and out of the VPN tunnel.
1. Log into the X-Series Firewall.

2. Go to FIREWALL > Firewall Rules page.
Action – Allow
Connection – Select No SNAT
Bi-directional – Select the Bi–directional checkbox.
Service – Select Any. All types of network traffic are allowed between the remote and local network.
Source – Select the VPN-Local-Networks network object.
Destination – Select the VPN-Remote-Networks network object.

5. Use drag and drop to place the access rule above any other access rule matching this traffic.
6. Click Save.
Step 5. Verify Successful VPN Tunnel Initiation and Traffic Flow

To verify that the VPN tunnel was initiated successfully and traffic is flowing, go to the VPN > Site-to-Site VPN page. Verify that green check
marks are displayed in the Status column of the VPN tunnel.
Use ping to verify that network traffic is passing the VPN tunnel. Open the console of your operating system and ping a host within the remote
network. If no host is available, you can ping the management IP address of the remote X-Series Firewall. Go to the NETWORK > IP
Configuration page and ensure that Services to Allow: Ping is enabled for the management IP address of the remote firewall.
If network traffic is not passing the VPN tunnel, go to the BASIC > Recent Connections page and ensure that network traffic is not blocked by
any other access rule.

Troubleshooting Site-to-Site VPNs
If your site-to-site VPN is not working correctly, try the solutions that are listed in this article.
Ensure that the Internet connection for both systems is active.

To verify that the VPN tunnel was initiated successfully and traffic is flowing, go to the VPN > Site-to-Site VPN page. Verify that green
check marks are displayed in the Status column of the VPN tunnel.
Double-check the VPN configuration for both systems (Lifetime, Enycrption, Hash-Method, DH-Group, Local and Remote Networks,
Local and Remote Address, and Passphrase). Go to the VPN > Site-to-Site VPN page and verify the tunnel settings. The configurations
of the peers must match or the tunnel cannot be established.
Go to the LOGS > VPN Log page. Search the log for any failures and errors. Often, the problem is caused by Phase 1 and Phase 2
issues.
From a client in the local network, ping a host in the remote network. If no host is available, try to ping the management IP address of the
remote NextGen X-Series Firewall. If that does not succeed, go to the NETWORK > IP Configuration page on the remote X-Series
Firewall and ensure that Services to Allow: Ping is enabled for the management IP address.
View the the BASIC > Recent Connections page to verify that the correct firewall rule matches the traffic.
Using the tracert and traceroute command-line utilities, determine where traffic is being sent. You can begin a traceroute from the
Network Connectivity Tests section on the ADVANCED > Troubleshooting page. If traffic is being sent to the remote network but you
are not getting a reply, verify that the gateway of the remote network is the IP address of the remote X-Series Firewall.

How to Configure Authentication Through a Site-to-Site VPN Tunnel
If your authentication server is located at a remote location connected via a site-to-site VPN tunnel. By default the firewall uses source-based
VPN routing. To be able to connect to the remote authentication server the VPN routes must be added to the main routing table. VPN routes are
always added with a metric of 10.
Before you begin
Verify that at least one static interface configuration or the management IP address is part of the local published network you want to use
for the site-to-site VPN tunnel.
Go to NETWORK > Routing and verify that the VPN routes for the remote published networks will not break your existing routing
configuration.
Step 1. Configure a site-to-site VPN tunnel
Configure a site-to-site VPN tunnel. At least one local published network must be directly attached to the firewall and configuration as a static
network interface or as the management network.
For more information, see How to Configure a Site-to-Site VPN with IPsec or Example - Configuring a Site-to-Site IPsec VPN Tunnel.
Step 2. Change VPN settings to add VPN routes to main routing table
In expert mode, switch from the default source-based routing to adding the VPN routed to the main routing table.
Replacing VPN source-based routing without a proper migration plan may break your current setup and cause loss of connectivity.
VPN routes are always added with the metric set to 10.
1. Go to VPN > Settings.

2. Append &expert=1 to the URL to switch to expert mode.
3. In the VPN Routes section, set Add VPN Routes to Main Routing Table to Yes.
4. Enter the VPN Interface IP address. The IP address must meet the following criteria:
The IP address must be in one of the site-to-site VPN local published networks.
The IP address must be assigned to a static network interface as a primary or secondary IP address, or the management or
secondary IP address in the management network.

5. Click Save.
Go to NETWORK > Routing and verify that the VPN routes are now in the main routing table:
Step 3. Configure authentication server
Configure the external authentication server. Click Test Connection to verify that the firewall can connect to the remote authentication server
through the site-to-site VPN.
For more information, see How to Configure an External Authentication Service

How to Allow VPN Access via a Dynamic WAN IP Address
You can configure VPN connections to use a dynamically assigned WAN IP address on the Barracuda NextGen Firewall X-Series. In the VPN
settings, enable use of dynamic IP addresses. Then configure an access rule that redirects VPN traffic to the VPN server.
Step 1. Configure VPN Access via a Dynamic WAN IP Address
To allow VPN access via a dynamic WAN IP address:
1. On the VPN > VPN Settings page, in the Global Server Settings section, verify that Use Dynamic IPs is set to Yes.
2. If you want to make your VPN available through a DNS hostname, you can register the hostname with http://dyn.com/dns . For more
information, see How to Configure a DHCP Connection.
Step 2. Create an Access Rule to Redirect VPN Traffic to the VPN Server
Create a new access rule that redirects the VPN traffic to the VPN server to establish the tunnel:

3. In the Add Access Rule windows, configure a Redirect to Service firewall rule that redirects incoming VPN connections on the dynamic
interface to the VPN server listening on the local IP address. For the Destination, select the network object corresponding to your
Internet connection type (DHCP, 3G, or DSL).

5. Move the access rule above the BLOCKALL rule. For more information, see Firewall Rules Order.
6. Click Save.

SSL VPN
The Barracuda NextGen X-Series SSL VPN is ideal for giving remote users secure access to their organization's network and files from virtually
any device. With its web portal, the SSL VPN provides seamless service without the need to install and configure a full VPN client. The number of
simultaneous users using the SSL VPN is limited only by the hardware limitations of the firewall.
Licensing
Most modern browsers have removed support for browser Java plugins. For SSL tunnels and applications, this functionality previously
handled by browser-based applets is now covered by CudaLaunch. A Remote Access Premium subscription is required.
The following subscriptions are required to use SSL VPN in the X-Series Firewall:
Energize Updates – Needed for the following SSL VPN features:

SSL VPN Web Portal
Web Forwards
User Attributes
VPN Group Policy (manual)
NAC
Remote Access Premium – Needed for the following SSL VPN features:
CudaLaunch
Multiple client-to-site connections for the same user
VPN Group Policy (mananged)
Applications
SSL Tunnels
SSL VPN Web Portal
You can access the Barracuda SSL VPN web portal with any modern browser. Depending on the resource type you want to use, the client must
meet the following requirements:
Web Forwards – Any client operating system with a modern browser.

Applications / Tunnels – Any client operating system with a Java Runtime environment installed in the browser.
WebDAV/SharePoint – Any client operating system with a Java Runtime environment installed in the browser.
VPN Templates – Windows or macOS with a Barracuda VPN client.
NextGen X-Series SSL VPN Client / Access Monitor – Windows with a full Barracuda NAC VPN client and Java Runtime version 1.6
or higher.
For more information on authentication and basic setup, see How to Enable SSL VPN and CudaLaunch.
Web Forwards
Web forwards make internal web applications accessible through the SSL VPN web portal. This means that web servers do not have to be
outside of your corporate firewall. Since all communication is secured with SSL, additional encryption or authentication routines are not required
for the site. For web applications requiring the user to authenticate, you can configure the necessary single sign-on authentication information.
Configuration templates for frequently used services such as Outlook Web Access or SharePoint are kept up-to-date through the Energize
Updates subscription.
For more information, see:
How to Configure a Generic Web Forward

How to Configure Single Sign-On for Web Forwards
How to Configure an Outlook Web Access Web Forward
How to Configure a SharePoint Web Forward
Attributes
Attributes are placeholder variables used in web forwards. Session attributes are automatically filled in by the Barracuda NextGen Firewall
X-Series. User attributes are created by the admin and filled in by the end users themselves in the web portal. Attributes are used to personalize
web forwards or to configure single sign-on authentication. Session attributes are used if the user credentials are the same for the web forward
and the SSL VPN. If the user credentials do not match, user attributes are used.
SSL Tunnels
SSL tunnels are used to tunnel TCP connections for client/server applications protected by your X-Series Firewall. The tunnel is created by

CudaLaunch and terminated at the SSL VPN service. The user connects to a port on the 127.0.0.1 interface, instead of directly to the remote
resource as in a VPN. CudaLaunch accepts the local connection and forwards the traffic through the SSL tunnel. The SSL VPN service forwards
the traffic to the destination IP address and port defined in the tunnel configuration. Traffic from the firewall to the destination IP address in the
network does not have to be encrypted. Active tunnels are automatically terminated when the session is closed or timed out. SSL tunnels are
available for CudaLaunch only.
For more information, see How to Configure SSL Tunnels.
Network Places
Network places provide remote users with a secure web interface to access corporate SMB network file shares. With appropriate permissions,
users can browse network shares, rename, delete, retrieve, and upload files just as if they were connected in the office. Clients can connect to
SMB1 and SMB2 shares, but must be able to negotiate a CIFS session. To use a network place resource, a Java browser plugin is required on
the client.
For more information, see How to Configure Network Places
Applications
For resources requiring local applications on the client, you can configure application resources on the NextGen X-Series SSL VPN. Client
application tunneling provides predefined and custom client/server protocols with an SSL-encrypted tunnel to the internal resource. Similar to web
forwards, tunneling is employed when you need protocols on your desktop or mobile device to access your organization's network.
For more information, see How to Configure SSL VPN Applications for RDP.
CudaLaunch for mobile access
CudaLaunch provides mobile users secure remote access to your organization's applications and data. CudaLaunch is available for iOS and
Android devices via the Apple App Store or Google Play Store. Desktop portal access is not supported for the Barracuda NextGen X-Series SSL
VPN. To use CudaLaunch, you must have a remote access subscription. For testing purposes, one concurrent SSL VPN and CudaLaunch
connection is included in the base license.
Full Device VPN for Android and iOS
Barracuda NextGen X-Series SSL VPN provides full device VPN for CudaLaunch clients. Create a client-to-site configuration and a VPN template
resource in the SSL VPN in order to push the configuration to the mobile devices. By default, the first VPN template is used to connect to the
VPN service. Due to differences in the mobile operating systems, the Android version of CudaLaunch uses the Barracuda VPN client, whereas
CudaLaunch on iOS manages the built-in iOS IPsec client.
For more information, see How to Configure VPN Templates in the SSL VPN.

How to Enable SSL VPN and CudaLaunch
Configure SSL VPN on the X-Series Firewall to give end users remote access to corporate resources. It is recommended to use a signed
certificate to avoid browser certificate warnings when accessing the SSL VPN portals.
Before you begin
If you are running a VPN server on the same public IP address, go to VPN > Settings and verify that Use TCP Port 443 is set to No.
Verify that you are not using DNAT access rules to redirect HTTPS traffic on the same public IP that the SSL VPN is using.
Step 1. Enable SSL VPN
When you enable the SSL VPN portal, determine if you are using a static, dynamic, or secondary IP address for the portal. Typically, the SSL
VPN portal is deployed on a static public IP address with a respective DNS A resource record. The portal can also use a secondary IP address
for internal access.
Static IP address

2. In the Static Interface Configuration section, click Edit to configure your static WAN interface.
3. In the Edit Static Network Interface window, select the SSL VPN check box.
Disable port 443 if also using the SSL VPN service

If the VPN service is also enabled for this interface, go to the VPN > Settings page and verify that Use TCP Port 443 is set to
No.
4. Click Save.
Secondary IP address
Typically, a secondary IP address is used to provide the SSL VPN portal on internal network segments.

In the Management IP Configuration section, select the SSL VPN check box next to the required IP address in the Secondary
IP Addresses table, OR
When the IP address resides in a configured static network interface, edit the interface in the Static Interface Configuration se
ction, and select the SSL VPN check box.
2. Click Save.
Dynamic network interface
To use a dynamic interface to access the SSL VPN portals, redirect incoming HTTPS traffic to the SSL VPN service.

2. Add a redirect access rule with the following settings:
Name – Enter a name for the access rule. E.g., Redirect-to-SSL-VPN.
Source – Select Internet from the list, and click +.
Destination – Select the network object representing your incoming Internet connection, and click +. E.g., DHCP1-Local-IP
Redirected To – Select SSL VPN.

3. To enable access to the SSL VPN portal via a hostname instead of only via the IP address (because the latter may change), you can use
the third-party DynDNS service.
a. Go to the NETWORK > IP Configuration page.
b. In Dynamic Interface Configuration, enable Use Dynamic DNS for the required interface.
4. Click Save.
Step 2. Configure user authentication
End users must authenticate themselves before they can access internal resources and applications via SSL VPN. You can manage user
authentication either locally on the firewall or externally with Active Directory, LDAP, or RADIUS. For instructions on how to configure local or
external user authentication, see Managing Users and Groups.
To specify how users are authenticated for the SSL VPN:
1. Go to the VPN > SSL VPN page and click the Server Settings tab.
2. In the Authentication section, select the method from the User Authentication list.
3. (optional) To restrict SSL VPN access by user group:
a. Set Group Access Restrictions to Yes.
b. Enter the user groups that can access the SSL VPN in the Allowed Groups list, and click + after each entry. Use question
c. Enter the user groups that are denied access to the SSL VPN in the Blocked Groups list, and click + after each entry.
4. Click Save.
Step 3. Configure SSL VPN settings
Configure the SSL VPN web portal, enable CudaLaunch, and configure general and appearance settings.
1. Go to the VPN > SSL VPN page and click the Server Settings tab.
2. To provide users access via CudaLaunch, set Enable CudaLaunch to Yes.
3. Set Enforce Strong Ciphers to Yes unless you require backward compatibility with SSLv3-only clients.
4. Set Allow SSLv3 to No. SSLv3 is considered unsafe.
5. In the Appearance section, customize the SSL VPN portal by uploading your company's logo, and welcome and help texts.
Only ASCII characters are allowed in the Welcome Message and Help Text fields.
6. Click Save.
Step 4. Upload a certificate
It is recommended to install a CA-trusted SSL certificate for the SSL VPN on the X-Series Firewall, so that web browsers do not issue a SSL
warning to end users when they access the portal. By default, the Web UI certificate is used.
1. Go to the Advanced > Certificate Manager page.

2.

2. Upload or create a certificate. For instructions, see How to Use and Manage Certificates with the Certificate Manager.
3. Go to the VPN > SSL VPN page and click on the Server Settings tab.
4. Select the SSL VPN certificate you just created or uploaded from the Certificate drop-down list.
5. Click Save.
Next steps
After you enable and configure the SSL VPN, end users can access the portal in their web browsers. Configure your DNS server or service to
resolve sslvpn.<yourdomain> to the public IP address of your firewall. End users can then access the portal page by opening https://sslvpn<you
rdomain>.
To add resources for your end users to the SSL VPN portal, see:


How to Configure SSL VPN Access via DynDNS
You can configure SSL VPN connections to use a DynDNS hostname on the Barracuda NextGen Firewall X-Series instead of an IP address. To
enable access to the SSL VPN portal via a DynDNS hostname, enable the DynDNS service. Then, configure an access rule that redirects
HTTPS traffic to the SSL VPN service.
Before you begin
Configure the SSL VPN service. For more information, see How to Enable SSL VPN and CudaLaunch.
On the VPN > Settings page, in the Global Server Settings section, verify that Use TCP Port 443 is set to No.
Step 1. Configure VPN access via a DynDNS hostname
To allow SSL VPN access via a dynamic DNS hostname:

2. In the Dynamic Interface Configuration section, enable Use Dynamic DNS for the required interface.
Step 2. Create an access rule to redirect SSL VPN traffic
Create a Redirect to Service access rule that redirects incoming VPN connections on the dynamic interface to the SSL VPN service:

Name – Enter a name for the access rule. For example, Redirect-to-SSL-VPN.
Redirected To Service Details – Select SSL VPN.
Destination – Select the network object representing your incoming Internet connection, and click +.
3. Click Save.
4. Drag and drop the access rule so that it is the first rule that matches the traffic you want to forward.
5. Click Save.
Step 3. Access the SSL VPN
End users can now access the SSL VPN portal page via the DynDNS hostname by opening https://sslvpn/.<yourdomain>.

SSL VPN User Interfaces
The SSL VPN service can be accessed through the responsive web portal or through CudaLaunch. The web portal is designed to automatically
display a version customized for the device type you are using. It automatically adjusts to mobile and desktop devices in portrait and landscape
mode. The following SSL VPN features are available, depending on the interface:
SSL VPN feature CudaLaunch Web Portal Link
Proxied Web Forwards Yes Yes How to Configure a Generic Web

Forward
Tunneled Web Forwards Yes No How to Configure a Tunneled

Web Forward
Applications (e.g. RDP) Yes No How to Configure SSL VPN

Applications for RDP
SSL Tunnels Yes No How to Configure SSL Tunnels
Network Places No Yes How to Configure Network

Places
User Attributes Yes Yes How to Use and Create

Attributes
VPN Group Policies Yes Yes How to Configure VPN

Templates in the SSL VPN
SSL VPN NAC No Yes How to Configure NAC for SSL

VPN
SSL VPN web portal
The SSL VPN service includes web portals for both mobile and desktop devices. The responsive web interface automatically adapts its layout to
the screen resolution and screen orientation. SSL VPN features requiring an SSL tunnel are not available via the web interface.
For more information, see SSL VPN Web Portal User Guide and SSL VPN Supported Devices.
CudaLaunch

CudaLaunch offers secure remote access to your organization's applications and data through a mobile or desktop app. The desktop app is
available for Windows and macOS. The mobile app can be downloaded from the Apple App Store and Google Play Store for iOS and Android.
CudaLaunch is required if you want to use either tunneled web forwards, applications, or SSL tunnels.

SSL VPN Supported Devices
The SSL VPN web portal and CudaLaunch work with virtually any current web browser or mobile device.
Supported mobile operating systems for CudaLaunch
The following mobile operating systems are supported by CudaLaunch and the SSL VPN web portal. For more information on mobile browsers,
see the compatible browser list.
Mobile OS Version CudaLaunch
iOS 6.x - 8.3 not supported
9.0 and higher fully supported
Android 4.1 not supported
4.2 - 4.4 fully supported
5.0, 5.1 fully supported
6.0 fully supported
Windows 7 - 10 fully supported
macOS 10.09 -10.11 fully supported
Supported web browsers for web portal
The following web browser / operating system combinations are supported.
Browser OS Version SSL VPN web portal
Edge Windows 10, current stable release fully supported
Windows 10 Mobile
Internet Explorer Windows current stable release fully supported
10 and lower not supported
Firefox Windows, current stable release fully supported

macOS,
Android
Chrome Windows, current stable release fully supported

macOS,
Android,
iOS
Safari macOS, current stable release fully supported

iOS
Samsung stock browser Android current stable release fully supported

SSL VPN Web Portal User Guide
The SSL VPN web portal provides easy access to your organization’s web resources via the web browser on your desktop or mobile device. The
SSL VPN web portal's responsive interface automatically detects and adapts to the screen size and, for mobile, the screen orientation of the
connection device.
Before you begin
Both JavaScript and cookies must be enabled on your device to use the SSL VPN web portal.
SSL VPN web portal
The web portal arranges all available web resources into the following tabs, accessible via the interface service bar:
Favorites – Contains the shortcuts to resources for quick access.

Apps – Contains all configured web and Outlook Web Access resources.
Folders – Contains the folders made available via the NextGen Firewall SSL VPN.
Logging into the web portal
1. In your web browser, go to https://<Listening IP address or hostname used for the SSL VPN service>.
2. Enter your username and password.
3. Click Log in.
Changing language settings
You can change the display language for your SSL VPN web portal on the Settings page. To do so, click on the options icon on the top left and
select Settings.
Launching resources
The Apps tab contains all web resources. To launch a resource from the Apps screen, click the icon associated with it.
The web resource launches, and you are redirected to the application page.
Searching folders and favorites
Click the Apps, Folders, or Favorites tab to access the web resources. To search for a specific item, type the name of the item in the search
field with the looking glass icon.

Adding favorites
On the Favorites page, you can store web resource shortcuts for easier access. Click the Favorites tab. To add a web resource to the favorites,
click the + icon.
Select the item you want to add from the list, and click the checkmark icon. The resource you have added is now visible under the Favorites tab.
To remove a resource from the favorites list, click the Favorites tab and then click the trash can symbol.
Select the shortcut, and then click the checkmark icon.
Setting user attributes
User attributes are user-specific placeholder values used for web forwards. User attributes can be filled/changed in the options menu. When a

web forward is launched the first time, the user is requested to fill in the user attributes. To fill in or change a user attribute, click Settings in the O
ption menu, and click on Personal Information to see a list of the user attributes for your user. User attributes are used for single-sign on when
different credentials are required.
Logging off
To log out of the SSL VPN web portal, expand the options menu on the top left, and then select Log Out.

SSL VPN Web Forwards
Web forwards let the SSL VPN act as the front end to your web servers on the Internet or Intranet. The SSL VPN service on the X-Series Firewall
receives the incoming web traffic through the SSL VPN web portal or CudaLaunch before forwarding it to the appropriate internal web-based
service. The SSL VPN service handles authenticating users and secures all communication with SSL, allowing you to publish unsecured internal
websites while still offering secure access to them.
Proxied web forwards using templates
Frequently used proxied web forwards, such as Outlook Web Access or SharePoint, are available as templates. Templates contain all the
necessary configurations for the application and query the user for the required settings. By default, templates are configured to use the session
username and password to log in.
For more information, see How to Configure an Outlook Web Access Web Forward and How to Configure a SharePoint Web Forward.
Generic proxied web forwards
Generic proxied web forwards are used either when a manual rewrite configuration is required, or when a template does not exist for the service.
A simple setup creates a reverse proxy for the service. The data stream is not modified. For advanced configurations, you can configure
additional paths, custom replacements, and headers. For services requiring authentication, a single sign-on configuration is possible.
For more information, see How to Configure a Generic Web Forward.
Tunneled web forwards
A tunneled web forward uses an SSL tunnel established by CudaLaunch to connect to a web server behind the firewall. The user's browser
connects to a localhost address (e.g., http://localhost:5678). A direct connection to the resource located behind the SSL VPN is then
established through the SSL tunnel. This type of web forward only works as long as all links stay on the same destination host; it does not modify
the data stream. If the destination site uses multiple domains, or sub-domains, use a proxied generic Web forward instead.
For more information, see How to Configure a Tunneled Web Forward.
Single sign-on for web forwards
Web services published through SSL VPN web forwards often require the user to sign in. You can use session or user attributes as placeholders
to configure single sign-on. Session attributes contain the username and password used to log in to the SSL VPN service. If the credentials for
the web forward differ, configure user attributes. When users access the web forward for the first time, they are prompted to fill in the username
and password. Subsequent changes can be made in the SSL VPN web portal or via CudaLaunch.
For more information, see How to Configure Single Sign-On for Web Forwards.

To give your end users direct access to their corporate email resources, configure an Outlook Web Access / Outlook Web App (OWA) resource.
The SSL VPN offers preconfigured web forward templates for Outlook Web Access 2003, 2007, 2010, and 2013. By default, the session
username and password is used to authenticate on the Outlook Web Access portal. If the user must use a different password or user to sign in,
create user attributes to replace the session attributes.
Before you begin
Enable and configure SSL VPN on the firewall. For more information, see How to Enable SSL VPN and CudaLaunch.
Configure an Outlook Web Access web forward (OWA)
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. In the Web Forwards section, click Add Web Forward.
3. In the Add Web Forward window, set Enable to Yes.
4. (optional) Click Browse to upload a PNG file for the web portal, less than 30 kB and not larger than 80x80 pixels.
5. Select the OWA template matching your Exchange server from the Web Forward Template drop-down list. A pop-up window appears,
asking for the server name.
6. Enter the FQDN, hostname, or IP address for your Microsoft Exchange server, and click OK.
7. (OWA 2003 only) Enter the Single Sign-On (SSO) domain for your Exchange server, and click OK.
8. In the Name field, enter the visible name for the web forward. This is the name displayed for the user in the web portals and
CudaLaunch.
9. (optional) In the Allowed Hosts list, add all servers that must be proxied by the SSL VPN when accessing this web forward. Enter Name
, Root URL, and Launch Path in the Allowed Hosts section, and click +.
10. (optional) To restrict access to the web forward by user group, remove the * entry in the Allowed User Groups list. Enter the user
groups that can access the web forward, and click + after each entry. If no groups are added, the web forward cannot be accessed. Use
question marks (?) and asterisks (*) as wildcard characters.
11. (optional) In the Single Sign On section, change the session attribute for user attributes to enable SSO if your OWA username and
password differ from the session username and password. For more information on how to create user attributes, see How to Use and
Create Attributes.
12. Click Save.

The Barracuda NextGen Firewall X-Series SSL VPN offers preconfigured templates for Microsoft SharePoint 2010 and 2013. The template
automatically fills in all necessary web forward parameters and configures Single Sign-On using the session username and password. If the user
must use a different password or user to sign in, create user attributes to replace the session attributes.
Before you begin
Configure a SharePoint web forward
4. (optional) Click Browse to upload a PNG file for the web portal, less than 30 kB and not bigger than 80x80 pixels.
5. Select the Sharepoint template matching your SharePoint server from the Web Forward Template drop-down list. A pop-up window
appears, asking for the server name.
6. Enter the hostname or FQDN of your SharePoint server and click OK.
7. Enter the Single Sign-On (SSO) domain for your SharePoint server and click OK.
8. In the Name field, enter the visible name for the web forward. This is the name used in the SSL VPN portal for this web forward.
11. (optional) In the Single Sign On section, change the session attribute for user attributes to enable SSO if your SharePoint username and
password differ from the session username and password. For more information on how to create user attributes, see How to Use and
Create Attributes
12. Click Save.

Create web forwards to allow SSL VPN users to access web-based internal applications or Intranet resources. There are predefined web forward
types for frequently used services, such as Outlook Web Access and SharePoint servers, as well as generic settings that allow you full control
over how the web content is rewritten. Web forwards can also be customized using user attributes. User attributes are defined by the
administrator and filled in by the end user in the web portal. They allow for personalized URLs or Single Sign-On for web forwards.
Before you begin
Configure a generic web forward
5. Select Generic from the Web Resource Template drop-down list.
For Outlook Web Access and SharePoint web forwards, see How to Configure an Outlook Web Access Web Forward and H
ow to Configure a SharePoint Web Forward.
7. Enter the Root URL of the web server in the following format: Protocol type (http:// or https://) followed by the FQDN or IP
address of the web server. For example, http://your.domain.com/ or https://10.10.10.10/
8. Enter the Launch Path in the following format: "/" followed by the path and file name you want to request when starting the Web
Forward. You can also include user or session attributes in the launch URL. For more information on Attributes, see How to Use and
Create Attributes.
Example: /wiki/${session:username} or /lunchmenu/${user:location}/index.php
10. In the Custom Headers section, define rules to replace or remove header values for either requests, responses, or both.
12. (optional) In the Single Sign On section, change the session attribute for user attributes to enable SSO if username and password differ
from the session credentials. For more information on how to create user attributes, see How to Use and Create Attributes.
13. Click Save.

How to Configure a Tunneled Web Forward
Create tunneled web forwards to allow SSL VPN users to access web-based internal applications through an SSL tunnel created by
CudaLaunch. The client then connects to a dynamically generated port on the loopback interface (e.g., 127.0.0.1:7324). CudaLaunch forwards
the web traffic through the SSL tunnel to the SSL VPN service and the web server behind it. To use tunneled web forwards you must have a Rem
ote Access Premium subscription.
Before you begin
Enable the SSL VPN service and CudaLaunch. For more information, see How to Enable SSL VPN and CudaLaunch.
Configure a tunneled web forward
2. In the Web Forwards section, click Add Tunneled Web Forward.
6. Enter the IP address or hostname of the Web Server Host.
7. Enter port the Web Server Host listens on.
8. In the Client Loopback TCP Port field, enter the client loopback TCP port number for the tunnel to enable tunneling of application data
to the user's localhost IP address 127.0.0.1:7000. To use a random port, enter 0 (default).
9. Select the type of the tunnel from the Protocol drop-down list.
11. Click Save.

Configure single sign-on (SSO) to automatically log the SSL VPN user in to a web-based service when accessing a web forward. As login
credentials, you can use either the session username and password, or custom user attributes. User attributes are entered by the end user the
first time the web resource is launched. Websites using one of the following authentication methods are supported:
HTTP Authentication
Form-Based Authentication
HTTP authentication
HTTP authentication is a basic method for authenticating users. An HTTP header is inserted into the HTML page, and the browser then queries
the user for a username and password. HTTP authentication is supported in three variants: basic, digest, and NTLM authentication. The
authentication type is automatically detected by the Barracuda NextGen Firewall X-Series. To automatically log into web forwards using HTTP
authentication, you can use static user credentials or user attributes. User attributes can either be the session username or password, or custom
values that are configurable by the end user.
Form-based authentication
Form-based authentication is used when the login credentials are entered on a HTML page. Open the source of the page and look at the HTML
code in between the <form> and </form> tags. The X-Series Firewall can automatically log users into web forwards. The form-based
authentication type is determined by the HTML source of the login page.
POST
POST is the most common form submission type. Set the type to POST if the method attribute is set to POST. If the form contains unique or
random hidden <input> elements, use JavaScript instead of POST as the form type. To find out which elements must be filled in, inspect the form
submission process with a tool such as HTTPWatch or Fiddler. Create a Form Parameter for every parameter submitted by the form. When
using POST, set the Launch path to the destination of the action attribute of the <form>element. E.g., /somedir/index2.html in the example
below.
Click here to see an example...
POST Form Example

HTML form
<form action="/somedir/index2.html" name="testform" method="POST" >

<input type="text" name="name">
<input type="password" name="password ">
<input type="checkbox" name="rememberme">
<input type="submit" value="Submit">
</form>
HTTP Watch
Web Resource Configuration
To use the custom attributes username and password, create the following two Form Parameter entries in the web resource
configuration:
name=${user:AnUserAttribute}
password=${user:AnUserAttribute}
secret="666"
JavaScript
Forms using random or unique hidden input elements must use the JavaScript authentication type. After waiting for a configurable amount of time
to make sure the page has finished loading, the X-Series Firewall injects a small JavaScript script into the HTML page. This script fills in the

parameters specified in the web resource configuration. Create a form parameter for every entry the user has to interact with when logging in,
including the submit button.
Click here to see an example ...
POST Form Example

HTML form
<form action="index2.html" name="testform" method="POST" >

<input type="hidden" name="UID" value="12345678901234567899012738230123123">
<input type="submit" name="submit" value="doLogin">
</form>
HTTP Watch
To use the session username and password, create the following two form parameter entries in the web resource configuration:
name=${session:username}
password=${session:password}
submit="doLogin"
GET
Set the form type to GET if the method attribute of the form element in the HTML source is set to GET. Determine which form parameters you
must fill in to complete a successful login by looking at the parameters appended to the URL after you have logged in. These form parameters are
then replaced by either session/custom user attributes or static user credentials.
Click here to see an example...
GET Form Example

HTML form
<form action="index.php" name="testform" method="GET" >

<input type="hidden" name="secret" value="666">
</form>
URL
Entering "John" results in the following rule
/test/index.php?name=John&destination=Rome&secret=666&submit=Submit
To use the session username and password, create the following two form parameter entries in the web resource configuration:
name=${session.username}
password=${session.password}
Before you begin

Configure a web resource. For more information, see How to Configure a Generic Web Forward.
Step 1. Authentication type
Analyze the HTML source to determine the form type (POST, GET or JavaScript).
Step 2. (Optional) Define user attributes
Create user attributes if you need to use different login credentials from the SSL VPN portal username and password, or additional user
configurable parameters to complete the login. User attributes are filled in by the end user in the web portal of the SSL VPN service.
2. Under the Applications section, click Show Advanced Options. The User Attributes section appears.
3. Click Add User Attribute.
4. Configure the following settings for each user attribute:
Format – Select the type of user attribute. Possible values are: Text, Number, and Password.
Name – Enter the name of the user attribute.
Label – Enter the name visible to the end user.
Description – Enter a description of the attribute.
Default – If the attribute should be set to default value, enter the value here.
Category – Enter a category name. User attributes will be grouped by category in the web portal.
Weight – Enter a value. Attributes are sorted within a category according to their weight.
Validator – Enter a regular expression to validate the input.
Click here to show regular expression examples...
4 digits PIN number
[0-9]{4}
URL
(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?
IPv4 address
(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
2. Click Save.
Step 3. Add authentication configuration to a web forward
Add authentication information to a web forward to automatically log the user in to the web application using the session user credentials or
custom user attributes.
FORM authentication
2. Edit a generic web forward.
3. (POST authentication only) Change the Launch Path to the path set in the action attribute of the form element. E.g., /somedir/index
.php if the form element is <form action="/somedir/index.php" name="testform" method="POST" >
4. Set the Authentication Type to HTTP or FORM.
5. Set the Form Type to GET, POST or JavaScript.
6. (JavaScript only) Enter the Form Name. E.g., testform if the form element is <form action="/somedir/index.php"
name="testform" method="POST">
7. (JavaScript only) Enter the Timeout(s) in seconds. This is the amount of the time the firewall waits before injecting the JavaScript code
into the page. Default: 5 sec.
8. Enter the Form Parameters and click + to add an entry.
POST and GET Form Type – Add an entry for every <input> element in the login form.
JavaScript Form Type – Add entries for the <input> elements the user enters data into.
Form Parameter Examples
<form action="index.php" name="testform" method="GET" >
<input type="checkbox" name="rememberme " value="on">
<input type="hidden" name="secret" value="666">
</form>

Necessary form parameters for POST/GET From Type
rememberme="on"
secret="666"
Necessary form parameters for JavaScript From Type
9. Click Save.
HTTP authentication
2. Edit a generic web forward.
3. (POST authentication only) Change the Launch Path to the path set in the action attribute of the form element. E.g., /somedir/index
.php if the form element is <form action="/somedir/index.php" name="testform" method="GET">
4. Set the Authentication Type to HTTP Authorization Headers.
5. Enter the Username. You can enter static content E.g., johndoe or use an Attribute E.g., ${userAttribute.SpecialUser} or ${s
ession.username}.
6. Enter the Password. You can enter static content E.g., johndoe or use an Attribute E.g., ${userAttribute.SpecialUser} or ${se
ssion.username}.
7. Click Save.

SSL VPN Applications
Some tasks require the use of client-server applications. To connect with a service behind the SSL VPN service on the X-Series Firewall,
CudaLaunch establishes a secure tunnel and then automatically launches the locally installed application. The connection is terminated if the
session is closed or times out.
RDP Applications
When accessing an RDP application via CudaLaunch, an SSL tunnel is created that connects your client with the SSL VPN service. Then, the
RDP client automatically launches and connects.
For more information, see How to Configure SSL VPN Applications for RDP.

How to Configure SSL VPN Applications for RDP
When accessing an application resource via CudaLaunch, an SSL tunnel is created that connects your client with the SSL VPN. Then, the native
RDP client automatically launches and connects. The native RDP app creates an SSL tunnel from a random port on 127.0.0.1 to the port 3389 on
the destination Windows server or PC behind the firewall. The native RDP client is automatically launched and supplied with the connection
information. It is not possible to configure single sign-on for native RDP apps. To use application resources you must have a Remote Access
Premium subscription.
Before you begin
Create an application resource
Create an application resource to give your end users direct access to an internal application. Application tunneling allows tunneling of application
data to the user’s localhost IP address.
2. In the Applications section, click Add Application.
3. In the Add Application window, set Enable to Yes.
5. Enter the visible Name. This is the name used in the web portal for this application.
6. In the Target Server field, enter the IP address of the server hosting the application.
7. From the Application drop-down list, select the protocol that the target server is providing.
8. (optional) To override the application’s standard port, enable Port Override and specify the Port to be used instead of the application’s
standard port.
9. To enable tunneling of application data to the user’s localhost IP address 127.0.0.1:7000, enter the Client Loopback TCP Port number
for the application tunnel. To use a random port, enter 0 (default).
10. (optional) To restrict access to the application by user group, remove the * entry in the Allowed User Groups list. Enter the user groups
that can access the application, and click + after each entry. If no groups are added, the application will not be accessible by any users.
You can use question marks (?) and asterisks (*) as wildcard characters.
11. Click Save.
Launching an RDP application
1. Start CudaLaunch.
2. In the Apps tab, click on the configured app.

2.
The native RDP client starts automatically and connects to the remote Windows server.

How to Configure SSL Tunnels
After you enable and configure the SSL VPN, you can add SSL tunnels. SSL tunnels are used to encrypt data for client/server applications that
normally do not use encryption. An outgoing SSL tunnel protects TCP connections that a computer forwards from a local port to a preconfigured
destination IP address and port that the user is connected to. To use SSL tunnels you must have a Remote Access Premium subscription.
Before you begin
SSL tunnels
Configure a resource containing one or more SSL tunnels that forward the TCP traffic of the remote service. Access to tunnel resources can be
limited via the user groups.
1. Go to VPN > SSL VPN and click the Resources tab.

2. In the SSL Tunnels section, click Add SSL Tunnel.
3. In the Add SSL Tunnel window, set Enable to Yes.
5. In the Name field, enter the visible name for the tunnel resource. This is the name used in the web portal for this resource.
6. In the Tunnels section, configure the SSL tunnel:
a. Enter the Name of the SSL tunnel.
b. Enter the tunnel destination IP address in the Address field.
c. Enter the port on the loopback interface that the user connects to in the FWD Port field and the Local Port of the service
tunneled by the SSL VPN. To use a random port, enter 0 (default).
d. (optional) To restrict access to the SSL tunnel by user group, remove the * entry in the Allowed User Groups list. Enter the
user groups that can access the tunnel, and click + after each entry. If no groups are added, the SSL tunnel cannot be
accessed. Use question marks (?) and asterisks (*) as wildcard characters.

7. Click Save.
Tunnels in CudaLaunch
Tunnels are available only in CudaLaunch. To enable or disable the tunnel, go to the Tunnels tab and click the tunnel icon. The gray or green
status icon shows the state of the tunnel.
State Icon
Tunnel inactive
Tunnel active

How to Configure Network Places
After you enable and configure the SSL VPN, you can add network places. Network places give your end users direct access to network file
shares in your corporate network. Users accessing the file share are prompted for the username and password. Access and privileges on the file
share are determined by the permissions set for the user by the admin of the network file share.
Network places are available for the web portal only. To use a network place resource a Java browser plugin is required on the client.
The following network file systems are supported:
SMB – Connect to SMB1 and SMB2 shares, but must be able to negotiate a CIFS session.
Before you begin
Enable the SSL VPN service. For more information, see How to Enable SSL VPN and CudaLaunch.
Configure Network places
Create a network place resource to let your users access internal SMB network shares.
1. Go to VPN > SSL VPN and click the Resources tab.

2. In the Network Places section, click Add Network Place.
3. In the Add Network Place window, set Enable to Yes.
4. (optional) Click Browse to upload a PNG file for the web portal, less than 30 kB and not larger than 80x80 pixel.
5. In the Name field, enter the visible name for the resource. This is the name used in the web portal for this resource.
6. Enter the hostname or IP address of the web server.
7. Enter the sharename in the following format: "/" followed by the path and file name.
9. Click Save.

How to Use and Create Attributes
There are two types of attributes: session attributes and user attributes. Both types can be used to personalize web forwards or to configure
single sign-on authentication.
Session attributes
The following Session attributes are available:
${session:username} – This session attribute contains the username used to log into the SSL VPN.
${session:password} – This session attribute contains the password used to log into the SSL VPN.
User attributes
You can create user attributes that are filled in by the end user in the web portal or CudaLaunch. User attributes are used when different
usernames or personalized variables are needed. To enter a user attribute in the web forward configuration, use the following format:
${user:user_attribute_name}
Create a user attribute
2. Under the Applications section, click Show Advanced Options. The User Attributes section appears.
3. Click Add User Attribute.
4. Configure the following settings for each user attribute:
Format – Select the type of user attribute. Possible values are: Text, Number, and Password.
Name – Enter the name of the user attribute.
Label – Enter the name visible to the end user.
Description – Enter a description of the attribute.
Default – If the attribute should be set to default value, enter the value here.
Category – Enter a category name. User attributes will be grouped by category in the web portal.
Weight – Enter a value. Attributes are sorted within a category according to their weight.
Validator – Enter a regular expression to validate the input.
Click here to show regular expression examples...
4 digits PIN number
[0-9]{4}
URL
(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?
IPv4 address
(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
5. Click Save.
Filling in user attributes
When a web resource is launched that uses user attributes that have not been filled in yet, the user is prompted to enter the values. Alternatively,
user attributes can also be entered in the Settings menu of the web portals or CudaLaunch.

How to Configure NAC for SSL VPN
SSL VPN Network Access Control (NAC) limits access to the web portals of the SSL VPN service according to a variety of factors based on
attributes of the connecting device. Users who fail the NAC check are not allowed to log in until they have a conforming system. You can define
exceptions for each category. Use exceptions to allow/block specific versions denied in the NAC block list. For example, to allow only Windows 7
to connect: Block all Windows operating systems in the NAC block list and then add an exception for Windows 7. NAC settings do not apply to
clients connecting via CudaLaunch. The following parameters are evaluated by the SSL VPN service when the user logs in:
Desktop operating systems

Mobile operating systems
Desktop browser types and versions
Browser plugins
Mobile browser types and versions
Before you begin
Configure the NAC block list
1. Go to the VPN > SSL VPN page and click the NAC tab.
2. Set Enable NAC to Yes.
3. For each parameter, select the versions that should be blocked. Select None to not block according to this criteria.
4. (optional) Configure NAC exceptions to block or deny an entire category.
5. (optional) In the Exceptions section, click Add NAC Exceptions. The Add NAC Exceptions window opens.
a. Enter a Name for the exception.
b. Select the Access policy.
c. Select the exception Type. The subtype for the selected Type is displayed. For example, the mobile browser type if you
selected Mobile Browser as the Exception Type.
d. Select the Subtype and Version for the exception type you previously selected.
e. Click Save.
6. Click Save.
All users accessing the SSL VPN web portals must now conform to the requirements set in the NAC block list. When a user logs in with a device
that fails one or more of the server-side NAC checks, the following block pages are displayed:
Check the sslvpn log file to find out which NAC block rule caused the user to be rejected. For more information, see Viewing Logs.

How to Configure VPN Templates in the SSL VPN
By creating group policy-based VPN templates in the NextGen X-Series Firewall's client-to-site VPN settings, you can let end users self-provision
the VPN clients on their Windows, macOS, or iOS devices. Users then only need to log into CudaLaunch, or in their web portal, and click the
provisioning link. The downloaded file automatically configures the Barracuda VPN client or iOS VPN client, depending on the operating system.
Before you begin
Configure a client-to-site VPN. For more information, see Client-to-Site VPN.

(macOS and Windows only) Install the Barracuda VPN Client. For more information, see Installing the Barracuda Network Access/VPN
Client for Windows.
Configure the VPN template
Configure the client-to-site VPN access policy to allow CudaLaunch.

2. In the VPN Access Policies section, edit an access policy, or click Add Access Policy and create a policy as described in Client-to-Site
VPN and configure the VPN clients and network information to be passed to clients.
3. In the Add / Edit VPN Access Policy window, set Use for CudaLaunch to Yes.
5. In the CudaLaunch Server field, enter the IP address of the server providing CudaLaunch.
6. In the Allowed Groups field, enter the user groups that the policy setting applies to. Click + after each entry. You can use question
7. Click Save.
The VPN template can now be used to self-provision your user's Windows, macOS, and iOS devices via the web portal as well as full device VPN
in the CudaLaunch mobile app.
Self-Service VPN Provisioning for iOS Devices

Self-Service VPN Provisioning on Microsoft Windows
Self-Service VPN Provisioning on macOS

Self-Service VPN Provisioning for iOS Devices
Use CudaLaunch to automatically push and manage VPN profiles on iOS devices. For more information, see CudaLaunch.
The Barracuda NextGen Firewall X-Series SSL VPN portal allows users to automatically install VPN configurations on their iOS device by clicking
the provisioning link.
Before you begin
Configure the VPN access policy in the client-to-site VPN settings. For more information, see How to Configure VPN Templates in the
SSL VPN.
Self-service IPsec VPN provisioning
Use the provisioning link of the mobile portal to install the VPN configuration:
1. Log into the SSL VPN web portal with your iOS device.
2. Go to My Options and tap Settings.
3. Tap Setup VPN. All available VPN templates are listed.

4. Tap on a VPN template. This is the Display Name of the VPN file's SSL VPN resource. The Install Profile window opens.
5. Click Install.
6. Enter your Passcode.

7. Click Install.
8. Click Install. The VPN profile is installed.
9. Click Done.
You can now connect to the IPsec VPN on your iOS device.

Establishing a VPN connection
After you have installed the IPsec VPN configuration, your iOS device can connect to the Barracuda NextGen Firewall X-Series via IPsec VPN.
1. From the home screen of your iOS device, go to Settings and tap General.
2. Tap VPN.
3. Set the VPN slider to ON. The iOS device initiates the VPN connection.
When the VPN connection is established successfully, the VPN icon is displayed in the status bar.

Self-Service VPN Provisioning on macOS
Use CudaLaunch to automatically push and manage VPN profiles on macOS devices. For more information, see CudaLaunch.
The Barracuda NextGen Firewall X-Series SSL VPN portal allows users to automatically install VPN configurations on their macOS device by
downloading the VPN group policy.
Before you begin
SSL VPN.
(optional) Install the Barracuda VPN client for macOS. For more information, see Installing the Barracuda VPN Client for macOS.
Self-service VPN provisioning using Barracuda VPN client
1. Log into the SSL VPN web portal.

2. Click the menu in the upper-left corner and click Settings.
3. Click Downloads.
4. In the VPN Configurations section, click the download icon for the VPN group policy.
5. Double-click the VPN file. The Barracuda VPN client starts and automatically imports the configuration.
6. Click Save.

You can now launch the VPN client and enter the username and password to connect to the Barracuda NextGen Firewall X-Series.
Self-service VPN provisioning for the built-in VPN client


3. Click Downloads.
5. Click Install.
6. The VPN Profile is saved.

You can now launch the macOS VPN client and enter your username and password to connect to the Barracuda NextGen Firewall X-Series.

Self-Service VPN Provisioning on Microsoft Windows
Use CudaLaunch to automatically push and manage VPN profiles on Windows devices. For more information, see CudaLaunch.
The Barracuda NextGen Firewall X-Series SSL VPN portal allows users to automatically install VPN configurations on their Windows device by d
ownloading the VPN group policy.
Before you Begin
SSL VPN.
Self-Service VPN provisioning on Microsoft Windows

3. Click Downloads.
5. Verify that you are opening the VPN template with the Barracuda NAC Remote Management Tool and click Open.

The VPN template is now the default VPN configuration. You can now connect to the Barracuda NextGen Firewall X-Series via the client-to-site
VPN.

Cloud Features
Barracuda Networks offers two cloud services to centrally manage multiple Barracuda NextGen X-Series Firewalls and offload
processor-intensive tasks:

Barracuda Cloud Control is a comprehensive cloud-based service that lets you monitor and configure multiple Barracuda products from a single
console. When your X-Series Firewall is linked to Barracuda Cloud Control, it continuously synchronizes its configuration settings with the
service.
For more information on Barracuda Cloud Control, see Barracuda Cloud Control and How to Connect to Barracuda Cloud Control.
Barracuda Web Security Service is a cloud-based web filtering and security service. It helps conserve bandwidth by enforcing web policies in the
cloud before forwarding traffic to the X-Series Firewall.
For more information on the Barracuda Web Security Service, see Barracuda Web Security Service and How to Configure the Barracuda Web
Security Service.

How to Configure the Barracuda Web Security Service
You can configure the Barracuda NextGen Firewall X-Series to act as a transparent proxy. If you enable the proxy feature, outgoing HTTP traffic
is intercepted and redirected to either the Barracuda Web Security Service or to an upstream proxy (the latter option is rarely used).
Before you begin:
The Barracuda Web Security Service requires a paid subscription. To verify that your subscription is active:
1. Log into your Barracuda Cloud Control Account.

2. Go to the Account > Users page.
3. Verify that Product Entitlements: Web Security is selected. If not, contact your reseller or Barracuda Networks representative.
To configure the Barracuda Web Security Service on the X-Series Firewall:
1. On the NETWORK > Proxy page, select Use Barracuda Web Security Service if connected (recommended) .
2. To include the user and domain name if available, select the Include User Information check box.
For local users, this information is retrieved from the Barracuda DC agent. For information on how to get, install, and configure
the Barracuda DC Agent, see About the Barracuda DC Agent.
For VPN users, the information comes from whatever authentication method is used.
To change this selection later, you must disable and then re-enable the Barracuda Web Security Service so that it registers your
change.
3. To redirect HTTP traffic to the Barracuda Web Security Service, create the required firewall rules.
a. Go to the FIREWALL > Firewall Rules page.
b. Edit and enable the pre-installed TRANSPARENT-PROXY and TRANSPARENT-PROXY-Wi-Fi (if using Wi-Fi) firewall rules to al
low traffic to pass to the Barracuda Web Security Service.
4. Complete the connection from the X-Series Firewall to the Barracuda Web Security Service.
a. Go to the BASIC > Cloud Control page.
b. Verify that your customer account information is entered.
c. Enable Connect to Barracuda Cloud Control and save your changes. After a successful connection, a "Connected" status is
displayed.
5. Log into your Barracuda Cloud Control account again.
6. Click the Web Security tab and refresh the display. Some network activity appears.

How to Connect to Barracuda Cloud Control
The Barracuda Cloud Control service centrally manages up to five Barracuda NextGen X-Series Firewalls. When an X-Series Firewall is linked to
Barracuda Cloud Control, it continuously synchronizes its configuration settings with the service. It is still possible to continue using the on-device
web-interface to manage the device, while it is connected to Barracuda Cloud Control.
Before you Begin
Create a Barracuda Cloud Control Account.
Connect to Barracuda Cloud Control
To connect an X-Series Firewall to Barracuda Cloud Control:
1. Go to the BASIC > Cloud Control page and enter your cloud control account credentials.
2. Enable Connect to Barracuda Cloud Control and click Save. After a successful connection, a Connected status is displayed.
3. Log in to https://bcc.barracudanetworks.com with your Barracuda Cloud Control account to manage your X-Series Firewall using
Barracuda Cloud Control.

Monitoring
The Barracuda NextGen Firewall X-Series incorporates hardware and software fail-safe mechanisms that are indicated via system alerts and
logs. You can inspect the logs to see what is happening with traffic. SNMP monitoring and traps are supported.
These articles describe the tools and monitoring tasks that you can use to track connections and system performance.
In this Section
Monitoring Active and Recent Connections

How to Configure SNMP Monitoring
Barracuda NextGen Firewall X SNMP MIB
Viewing Logs
Troubleshooting
How to Configure Log Streaming
How to Configure Email Notifications

Monitoring Active and Recent Connections
To monitor network sessions or connections, view the following pages from the BASIC tab:
Active Connections – Lists all of the open and established sessions on the appliance.
Recent Connections – Lists all of the connections that were established on the Barracuda NextGen X-Series Firewall or that were trying
to access the firewall.
You can find the information that you are interested in by filtering the lists. For a description of the displayed fields and information on how to add
filters, click Help on the product page.
Active Connections
The BASIC > Active Connections page lists all of the open and established sessions on the appliance. You can terminate any session
by
clicking on the red x ( ). If QoS is enabled for a connection, you can manually override the bandwidth policy for the
connection by clicking on the arrow next to it and selecting a different policy from the drop-down menu.
In the State column, the following arrows tell you if the connection is established or closing:
Arrow Status
One-way traffic.
Connection established (TCP). Two-way traffic (all other).
Connection could not be established.
Closing connection.
To view the status of a connection, hover over the arrow for a status code. For more information about these status codes, see the Status Code
Overview.
Recent Connections
The BASIC > Recent Connections page lists all of the connections that were established on the X-Series Firewall or that were trying to access
the firewall. Use the information on this page for troubleshooting.
In the Action column, the following graphics tell you what action was performed for each connection:
Graphic Action
IPS Rule Applied
Allowed
Terminated
Failed
Blocked
Dropped
To see if there is still incoming or outgoing traffic for a specific session, click Refresh and then look at its Last or Co
unt value.
Sometimes, you might need to view ARP-Update traffic to troubleshoot in more detail. To display ARP-Update info, select the Include ARPs che
ck box.
To delete the whole history, click Flush Entries.
Status Code Overview
The following table provides more details on the status codes that you might see on the BASIC > Active Connections page.
Status Code Origin Description
FWD-NEW TCP Packet Forwarding Outbound Session is validated by the firewall rule set,
no traffic was forwarded so far.

FWD-FSYN-RCV TCP Packet Forwarding Outbound The initial SYN packet received from the
session source was forwarded.
FWD-RSYN-RSV TCP Packet Forwarding Outbound The session destination answered the SYN
with a SYN/ACK packet.
FWD-EST TCP Packet Forwarding Outbound The SYN/ACK packet was acknowledge by
the session source. The TCP session is
established.
FWD-RET TCP Packet Forwarding Outbound Either source or destination are

retransmitting packets. The connection might
be dysfunctional.
FWD-FFIN-RCV TCP Packet Forwarding Outbound The session source sent a FIN datagram
indicating to terminate the session.
FWD-RLACK TCP Packet Forwarding Outbound The session destination answered the FIN
packet with a FIN reply and awaits the last
acknowledgement for this packet.
FWD-RFIN-RCV TCP Packet Forwarding Outbound The session destination sent a FIN datagram
FWD-FLACK TCP Packet Forwarding Outbound The session source answered the FIN
FWD-WAIT TCP Packet Forwarding Outbound The session was reset by one of the two
participants by sending a RST packet. A wait
period of 5 seconds will silently discard all
packet belonging to that session.
FWD-TERM TCP Packet Forwarding Outbound The session is terminated and will shortly be
removed from the session list.
IFWD-NEW TCP Packet Forwarding Inbound Session is validated by the firewall rule set,
no traffic was forwarded so.
IFWD-SYN-SND TCP Packet Forwarding Inbound A SYN packet was sent to the destination
initiating the session (Note that the session
with the source is already established).
IFWD-EST TCP Packet Forwarding Inbound The destination replied the SYN with a
SYN/ACK. The session is established.
IFWD-RET TCP Packet Forwarding Inbound Either source or destination are re

transmitting packets. The connection might
be dysfunctional.
IFWD-FFIN-RCV TCP Packet Forwarding Inbound The session source sent a FIN datagram
IFWD-RLACK TCP Packet Forwarding Inbound The session destination answered the FIN
IFWD-RFIN-RCV TCP Packet Forwarding Inbound The session destination sent a FIN datagram
IFWD-FLACK TCP Packet Forwarding Inbound The session source answered the FIN
IFWD-WAIT TCP Packet Forwarding Inbound The session was reset by one of the two
participants by sending a RST packet. A wait
period of 5 seconds will silently discard all
packet belonging to that session.
IFWD-TERM TCP Packet Forwarding Inbound The session is terminated and will shortly be

PXY-NEW TCP Stream Forwarding Outbound Session is validated by the firewall rule set,
PXY-CONN TCP Stream Forwarding Outbound A socket connection to the destination is in

progress of being established.
PXY-ACC TCP Stream Forwarding Outbound A socket connection to the source is in

progress of being accepted.
PXY-EST TCP Stream Forwarding Outbound Two established TCP socket connection to
the source and destination exist.
PXY-SRC-CLO TCP Stream Forwarding Outbound The socket to the source is closed or is in the
closing process.
PXY-DST-CLO TCP Stream Forwarding Outbound The socket to the destination is closed or is
in the closing process.
PXY-SD-CLO TCP Stream Forwarding Outbound The source and the destination socket are
closed or in the closing process.
PXY-TERM TCP Stream Forwarding Outbound The session is terminated and will shortly be
IPXY-NEW TCP Stream Forwarding Inbound Session is validated by the firewall rule set,
IPXY-ACC TCP Stream Forwarding Inbound A socket connection to the source is in

progress of being accepted.
IPXY-CONN TCP Stream Forwarding Inbound A socket connection to the destination is in

progress of being established.
IPXY-EST TCP Stream Forwarding Inbound Two established TCP socket connection to
the source and destination exist.
IPXY-SRC-CLO TCP Stream Forwarding Inbound The socket to the source is closed or is in the
closing process.
IPXY-DST-CLO TCP Stream Forwarding Inbound The socket to the destination is closed or is
in the closing process.
IPXY-SD-CLO TCP Stream Forwarding Inbound The source and the destination socket are
closed or in the closing process
IPXY-TERM TCP Stream Forwarding Inbound The session is terminated and will shortly be
UDP-NEW UDP Forwarding Session is validated by the firewall rule set,

UDP-RECV UDP Forwarding Traffic has been received from the source
and was forwarded to the destination.
UDP-REPL UDP Forwarding The destination replied to the traffic sent by

the source.
UDP-SENT UDP Forwarding The source transmitted further traffic after

having received a reply from the destination.
UDP-FAIL UDP Forwarding The destination or a network component on

the path to the destination sent an ICMP
indicating that the request cannot be
serviced.
ECHO-NEW ECHO Forwarding Session is validated by the firewall rule set,

ECHO-RECV ECHO Forwarding Traffic has been received from the source

ECHO-REPL ECHO Forwarding The destination replied to the traffic sent by
the source.
ECHO-SENT ECHO Forwarding The source sent more traffic after racing a
reply from the destination.
ECHO-FAIL ECHO Forwarding The destination or a network component on

serviced.
OTHER-NEW OTHER Protocols Forwarding Session is validated by the firewall rule set.
No traffic was forwarded so far.
OTHER-RECV OTHER Protocols Forwarding Traffic has been received from the source
OTHER-REPL OTHER Protocols Forwarding The destination replied to the traffic sent by
the source.
OTHER-SENT OTHER Protocols Forwarding The source sent more traffic after receiving a
reply from the destination.
OTHER-FAIL OTHER Protocols Forwarding The destination or a network component on

serviced.
LOC-NEW Local TCP Traffic A local TCP session was granted by the local
rule set.
LOC-EST Local TCP Traffic The local TCP session is fully established.
LOC-SYN-SND Local TCP Traffic A Local-Out TCP session is initiated by

sending a SYN packet.
LOC-SYN-RCV Local TCP Traffic A Local-In TCP session is initiated by

receiving a SYN packet.
LOC-FIN-WAIT1 Local TCP Traffic An established local TCP session started the
close process by sending a FIN packet.
LOC-FIN-WAIT2 Local TCP Traffic A local TCP session in the FIN-WAIT1 state
received an ACK for the FIN packet.
LOC-TIME-WAIT Local TCP Traffic A local TCP session in the FIN-WAIT1 or in

the FIN-WAIT2 state received a FIN packet.
LOC-CLOSE Local TCP Traffic An established local TCP session is closed.
LOC-CLOSE-WAIT Local TCP Traffic An established local TCP session received a

FIN packet.
LOC-LAST-ACK Local TCP Traffic Application holding an established TCP

socket responded to a received FIN by
closing the socket. A FIN is sent in return.
LOC-LISTEN Local TCP Traffic A local socket awaits connection request

(SYN packets).
LOC-CLOSING Local TCP Traffic A local socket in the FIN_WAIT1 state

received a FIN packet.
LOC-FINISH Local TCP Traffic A local TCP socket was removed from the
internal socket list.

How to Configure SNMP Monitoring
The Barracuda NextGen Firewall X-Series offers the ability to supply information to Network Management Systems via SNMP. Both SNMP v2c
and v3 are supported. Barracuda Networks recommends using SNMP v3 because it is more secure. Use the Barracuda Firewall MIB file to use
the reference objects included for your SNMP monitor software appliance or script.
SNMP v2
IP address (range) from which the Network Management System will contact the X-Series Firewall SNMP service.
SNMP community string.
SNMP v3
User and password to authenticate the NMS.

Authentication Method (supported encryption methods).
Allowed IP address or range for the Network Management System.
Configure SNMP v2
1. Open the BASIC > Administration page.

2. In the SNMP Manager section, configure the following settings:
Enable SNMP Agent – Select Yes.
SNMP Version – Select v2c.
Community String – Enter a password to authenticate the SNMP server.
Allowed SNMP IP/Range – Add the IP addresses or range from which the X-Series Firewall should accept SNMP queries.
3. In the Administrator IP/Range section, add the Allowed SNMP IP/Range to the IP/Network Address list.
Verify that the computer used to administer the X-Series Firewall is in one of the networks included in the Administrator
IP/Range. You will be locked out of the firewall otherwise. The default value of 0.0.0.0/0.0.0.0 allows all networks and IP
addresses to administer the X-Series Firewall.
4. Click Save.
Configure SNMP v3
1. Open the BASIC > Administration page.

2. In the SNMP Manager section configure the following settings:
Enable SNMP Agent – Select Yes.
SNMP Version – Select v3.
User – Enter a username.
Password – Enter a password.

Authentication Method – Select the authentication method supported by your network management software. E.g., SHA
Encryption Method – Select the encryption method supported by your network management software. E.g., AES
Allowed SNMP IP/Range – Add the IP addresses or range from which the X-Series Firewall should accept SNMP queries.
3. In the Administrator IP/Range section, add the Allowed SNMP IP/Range to the IP/Network Address list.
Verify that the computer used to administer the X-Series Firewall is in one of the networks included in the Administrator
IP/Range. You will be locked out of the firewall otherwise. The default value of 0.0.0.0/0.0.0.0 allows all networks and IP
addresses to administer the X-Series Firewall.
4. Click Save.

Barracuda NextGen Firewall X SNMP MIB
Missing the language English in this article! Please add the language, otherwise this article can not be displayed properly.

Viewing Logs
From the LOGS tab, there are a number of log files that you can view to monitor and troubleshoot the Barracuda NextGen Firewall X-Series:
Firewall Log
HTTP Log
Network Log
VPN Log
Service Log
Authentication Log
HTTP Log Codes Overview
TCP Codes
ERR Codes
For all of these logs, click Help for a description of the information on the page.
Firewall Log
The Firewall Log displays firewall activity such as rules that have been executed and traffic that has been dropped. It lists all connections on the
X-Series Firewall. You can filter the log by criteria such as a source IP address or network, or the time that the connections occurred.
HTTP Log
The HTTP Log displays the activities of the X-Series Firewalls connection with the Barracuda Web Security Service. There are several codes in
the log. For details on these codes, see the HTTP Log Codes Overview section.
Network Log
Use the Network Log to investigate why network configuration changes are not working properly or cannot be activated.
The messages in the Network Log might explain the problem. If not, check the network configuration again for any problems or conflicts.
VPN Log
The VPN Log displays information for all client-to-site and site-to-site VPN tunnels. Use this log to investigate why VPN tunnels and PPTP
connections are disconnecting or not being established.
To see the messages for specific VPN connections, you can also filter the log by IP addresses.
Service Log
The Service Log lists specific errors and warnings for services that are not configured properly or are encountering problems. To restart these
services and debug any problems, you might need to contact Barracuda Networks Technical Support for assistance.
Authentication Log
The Authentication Log displays messages from the authentication service. This includes logins for the web interface and messages from the
various authentication methods.
For example, if a client is not able to access a service, the unsuccessful authentications are written into the log. Successful authentications are
also recorded.
HTTP Log Codes Overview
The following tables provide details on the codes that you might see on the LOGS > HTTP Log page.
TCP Codes
TCP_" refers to requests on the HTTP port (3128)
Code Description
TCP_HIT A valid copy of the requested object was in the cache.
TCP_MISS The requested object was not in the cache.

TCP_REFRESH_HIT An expired copy of the requested object was in the cache. Squid
made an If-Modified-Since request and the response was "Not
Modified."
TCP_REFRESH_FAIL_HIT An expired copy of the requested object was in the cache. Squid
attempted to make an If-Modified-Since request, but it failed. The old
(stale) object was delivered to the client.
TCP_REFRESH_MISS An expired copy of the requested object was in the cache. Squid
made an If-Modified-Since request and received a new object.
TCP_CLIENT_REFRESH The client issued a request with the "no-cache" pragma. ("reload" -
handled as MISS)
TCP_IMS_HIT An If-Modified-Since GET request was received from the client. A

valid copy of the object was in the cache (fresh).
TCP_IMS_MISS An If-Modified-Since GET request was received from the client. The
requested object was not in the cache (stale).
TCP_SWAPFAIL The object was believed to be in the cache, but could not be
accessed.
TCP_DENIED Access was denied for this request.
ERR Codes
Error Description
ERR_READ_TIMEOUT The remote site or network is unreachable; it may be down.
ERR_LIFETIME_EXP The remote site or network may be too slow or down.
ERR_NO_CLIENTS_BIG_OBJ All clients went away before transmission completed and the object is
too big to cache.
ERR_READ_ERROR The remote site or network may be down.
ERR_CLIENT_ABORT Client dropped connection before transmission completed. Squid

fetches the Object according to its settings for `quick_abort'.
ERR_CONNECT_FAIL The remote site or server may be down.
ERR_INVALID_REQ Invalid HTTP request.
ERR_UNSUP_REQ Unsupported request.
ERR_INVALID_URL Invalid URL syntax.
ERR_NO_FDS Out of file descriptors.
ERR_DNS_FAIL DNS name lookup failure.
ERR_NOT_IMPLEMENTED Protocol not supported.
ERR_CANNOT_FETCH The requested URL cannot currently be retrieved.
ERR_NO_RELAY There is no WAIS relay host defined for this cache.
ERR_DISK_IO The system disk is out of space or failing.
ERR_ZERO_SIZE_OBJECT The remote server closed the connection before sending any data.
ERR_FTP_DISABLED This cache is not configured to retrieve FTP objects.
ERR_PROXY_DENIED Access denied. Users must be authenticated before accessing this

cache.

Troubleshooting
The following diagnostic tools should help you troubleshoot most problems. Please read this article before contacting Barracuda Networks
Technical Support.
Basic Troubleshooting Tools
The ADVANCED > Troubleshooting page provides a suite of tools to help you troubleshoot network connectivity issues that might be impacting
the performance of your Barracuda NextGen X-Series Firewall.
For example, you can test your X-Series Firewall’s connection to the Barracuda Networks update servers to verify that it can successfully
download the latest Energize Update definitions. You can also ping or telnet to other devices from the X-Series Firewall, perform dig/NS-lookup,
TCP dump, and perform a trace route from the X-Series Firewall to any another system.
Connect to Barracuda Support Servers
To let technical support engineers troubleshoot your system, you can initiate a connection between your X-Series Firewall and the Barracuda
Networks Technical Support Center. On the ADVANCED > Troubleshooting page, in the Support Connection section, click Establish
Connection to Barracuda Support Center. The connection to Barracuda's Support Center is established via a VPN over SSH 2.0 tunnel with
RSA 2048bit key length using AES128-cbc hmac-md5 hash functions.
Rebooting the System in Recovery Mode
If your X-Series Firewall experiences a serious issue that impacts its core functionality, you can use diagnostic and recovery tools that are
available from the reboot menu to return your system to an operational state. Before you use the diagnostic and recovery tools:
Use the built-in troubleshooting tools on the ADVANCED > Troubleshooting page to help diagnose the problem.
Perform a system restore from the last known good backup file.
Contact Barracuda Networks Technical Support for additional troubleshooting tips.
As a last resort, you can reboot your X-Series Firewall and run a memory test or perform a complete system recovery, as described below.
To perform a system recovery or hardware test:
1. Connect a monitor and keyboard directly to your X-Series Firewall.

2. Reboot the system by doing one of the following:
In the web interface: Go to the BASIC > Administration page, navigate to the System Reload/Shutdown section, and click Re
start.
At the front panel of the X-Series Firewall: Press the Power button on the front panel to turn off the system, and then press the P
ower button again to turn the system on.
The splash screen displays with the following three boot options:
Barracuda
Recovery
Hardware_Test
3. Use your keyboard to select a boot option, and then press the Enter key. You must select the boot option within three seconds after the
splash screen appears. If you do not select an option within three seconds, the X-Series Firewall starts up in Normal mode (first option).
For a description of each boot option, refer to the Reboot Options below.
To stop a hardware test, reboot your X-Series Firewall by pressing Ctrl+Alt+Del.
Reboot Options
The table below describes the options available at the reboot menu.
Reboot Options Description
Barracuda Starts the X-Series Firewall in the normal (default) mode. This option
is automatically selected if no other option is specified within the first
three seconds of the splash screen appearing.

Recovery Displays the Recovery Console, where you can select the following
options:
Barracuda Repair (no data loss) – Repairs the file system on

the X-Series Firewall.
Full Barracuda Recovery (all data lost) – Restores the factory
settings on your X-Series Firewall and clears out the
configuration information.
Enable remote administration (reverse runnel) – Turns on the
reverse tunnel that lets Barracuda Networks Technical Support
access the system. You can also enable remote administration
by going to the ADVANCED >Troubleshooting page and
clicking Establish Connection to Barracuda Support Center.
Diagnostic memory test – Runs a diagnostic memory test from
the operating system. If problems are reported when running this
option, we recommend running the Hardware_Test option next.
Hardware_Test Performs a thorough memory test that shows most memory-related

errors within a two-hour time period. The memory test is performed
outside of the operating system and can take a long time to
complete. To stop the hardware test, reboot your X-Series Firewall.
Replacing a Failed System

Before you replace your X-Series Firewall, use the tools provided on the ADVANCED > Troubleshooting page to try to resolve the problem, or
call Barracuda Networks Technical Support.
Barracuda Instant Replacement Service
If you purchased the Instant Replacement service and the X-Series Firewall fails, you can call Barracuda Networks Technical Support and
arrange for a new unit to be shipped out within 24 hours.
After receiving the new system, ship the old X-Series Firewall back to Barracuda Networks at the address below, with an RMA number marked
clearly on the package. Barracuda Networks Technical Support can provide details on the best way to return the unit.
Barracuda Networks
3175 S. Winchester Blvd
Campbell, CA 95008
attn: RMA # <your RMA number>
To set up the new X-Series Firewall so that it has the same configuration as your old failed system, first manually configure the new
system’s IP information on the BASIC > IP Configuration page, and then restore the backup file from the old system onto the new
system. For information on restoring data, see How to Backup and Restore the Barracuda NextGen Firewall X.

How to Configure Log Streaming
With the Barracuda NextGen Firewall X-Series, you can choose to stream the following logs to a syslog server:
Firewall Log
HTTP Log
Network Log
VPN Log
Service Log
Authentication Log
Configure Syslog Streaming
Before you begin:
Verify that the syslog server supports the protocol that you want to use. All syslog servers support UDP, but not all support TCP.
To configure log streaming:
1. Go to the LOGS > Log Settings page.

2. In the Stream target field, type the hostname or IP address of your syslog server. You can define only one target.
3. Select the Protocol and Port. The default port for UDP is 514. If you select TCP, you must choose a different port.
4. Select which log streams to enable.
To verify that the connection to the syslog server can be established, go to the BASIC > Recent Connections page. Filter the list of
connections for the Protocol, Service, and Destination IP of the syslog server.

How to Configure Email Notifications
The Barracuda NextGen Firewall X-Series can alert the administrator of important system events by sending notification emails. You can
configure a notification email policy for each event, and to limit the number of emails for frequently occurring events, you can define up to three
thresholds. Thus, the administrator will receive an email only when the number of events exceeds the threshold set in the timespan. The following
events can trigger email notifications:
Security Events
ATD Cloud Status – State of the connection between the firewall and the Barracuda ATD cloud.
ATD malicious activity detected – A malicious file has been detected by ATD.
User added to quarantine – A user has been added to the ATD quarantine.
Duplicate IP Detected – An IP address living on the system has additionally been detected in the network.
IPS Drop Alert – Traffic matching an IPS Event with the Action set to Drop and the Log set to Alert.
IPS Drop Warning – Traffic matching an IPS Event with the Action set to Drop and the Log set to Warning.
IPS Drop Notice – Traffic matching an IPS Event with the Action set to Drop and the Log set to Notice.
IPS Log Alert – Traffic matching an IPS Event with the Action set to Log and the Log set to Alert.
IPS Log Warning – Traffic matching an IPS Event with the Action set to Log and the Log set to Warning.
IPS Log Notice – Traffic matching an IPS Event with the Action set to Log and the Log set to Notice.
Operational Events
Critical Disk Space – More than 90% of available disk space is in use on at least one partition.
This event is always triggered during firmware updates. Do not set the Notification policy to Immediate.
Critical System Load – System load is extremely high. The X-Series Firewall will reboot if this condition persists.
Route Changed, uplink not available – An uplink has become unreachable due to changes in the routing configuration.
HA Partner Unreachable – The other HA unit in the HA cluster is no longer reachable.
HA Failover to this System – This X-Series Firewall has taken over as the active HA partner.
HA Failover to Partner – The other X-Series Firewall in the HA cluster has taken over as the active HA partner.
License expired or invalid – The system license has expired or is running on invalid hardware.
System Reboot – The X-Series Firewall has rebooted.
System Shutdown – The X-Series Firewall has been shut down.
Step 1. Enable Email Notifications

2. In the Email Notifications section, enter the System Alerts Email Address.
3. Set Enable Email Notifications to Yes.
4. Enter the SMTP Server. E.g., mailserver.yourdomain.com
Enter an SMTP server that does not require authentication or encryption.
5. Enter the Sender Address. Emails sent by the X-Series Firewall use this email in the FROM section.
6. Click Save.
Step 2. Configure Thresholds and Event Notifications
1. Stay on the BASIC > Administration page.

2. In the Email Notifications section, click Show next to the Advanced Options. The Email Notification Advanced pop-over opens.
3.

3. For each Threshold:
Enter how many events must occur.
Select the timespan from the dropdown.
4. Select the Notification for each Security and Operational Event: When the number of events in the time-span defined for the first
threshold has been reached and email notification is sent.
None – No notification emails are sent for this event.
Immediate – An email notification is immediately sent for every event.
Threshold 1 – When the number of events in the timespan defined for the first threshold has been reached and an email
notification is sent.
Threshold 2 – When the number of events in the timespan defined for the second threshold has been reached and an email
Threshold 3 – When the number of events in the timespan defined for the third threshold has been reached and an email
5. Click Save.

Maintenance
The following section describes in detailed steps how to configure and restore backups of the Barracuda NextGen X-Series Firewall configuration
and explains the procedure of firmware updates.
In this Section
How to Update the Firmware on Your Barracuda NextGen Firewall X

How to Backup and Restore the Barracuda NextGen Firewall X
How to Recover the Barracuda NextGen Firewall X
How to Use and Manage Certificates with the Certificate Manager

How to Update the Firmware on Your Barracuda NextGen Firewall X
This article explains how to update your Barracuda NextGen X-Series Firewall to the latest generally available firmware version or if available
early release versions.
Latest General Release – The latest generally available version of the firmware available for use on the X-Series Firewall.
Latest Early Release – The newest firmware versions available for early access to your X-Series Firewall.
Applying a new firmware version may result in a temporary loss of service and the unit may reboot. For this reason, you should apply
new firmware versions during non-business hours.
Stand-Alone System
To update the firmware version of a stand-alone X-Series Firewall:
1. Go to ADVANCED > Backups and back up the current configuration.

2. Go to the ADVANCED > Firmware Update page.
3. Click Download Now for the Latest General Release you want to update to. The download function is available as soon as a new
general release is provided.
4. After the firmware has been successfully downloaded, click Apply Now.
High Availability Cluster
To update the firmware of all systems in a cluster:
On the active/primary unit:
1. Go to ADVANCED > Backups, to back up the current configuration.

2. Go to ADVANCED > Firmware Updates and download the latest generally available firmware version. The firmware download
automatically starts on the standby unit.
3. As soon as the firmware downloads are complete, go to ADVANCED > High Availability and click Manual Failover.
4. Apply the new firmware and verify that the update has successfully finished.
5. If you are updating from 6.1.X to 6.5.X make sure to follow the instructions after logging in to migrate the application control policies
before updating the secondary unit.
On the standby/secondary unit:
1. Go to ADVANCED > High Availability and click Manual Failover.

2. Apply the new firmware and verify that the update has successfully finished.

How to Backup and Restore the Barracuda NextGen Firewall X
Barracuda Networks recommends that you regularly back up the latest working configuration, in case you need to restore this information on a
replacement Barracuda NextGen X-Series Firewall or the current system data becomes corrupt. It is also very important to back up your
configuration before updating your X-Series Firewall to the latest available firmware.
Backups from appliances with older firmware versions (< 6.5.0) cannot be restored on an X-Series Firewall firmware version 6.5.0 or
newer.
You can back up your current X-Series Firewall configuration into a single file. After a misconfiguration or hardware failure, you can import this
backup file (*.bak) to the X-Series Firewall to restore the saved configuration. You have multiple options for saving configuration backups:
In the Cloud (Barracuda Cloud Control)
Note that you can restore backups only to X-Series Firewalls with the same serial number.
For manual backups, on the local file system of a computer that manages the X-Series Firewall.
For automated backups, remotely on an FTP(S) server.
Automatic hourly backups. The X-Series Firewall automatically creates a backup file every hour for the last 24 hours.
The following information is not included in the backup file:
System password
System management IP address
DNS information
Manually Back Up and Download the Configuration of the X-Series Firewall
To manually save a configuration backup of an X-Series Firewall and store it locally:
1. Go to the ADVANCED > Backups page.

2. In the MANUAL BACKUPS section, click Backup Now. The MANUAL BACKUPS window opens.
3. Select the Local and Configuration check boxes and click Backup NOW. Download the generated backup file.
Automatically Back Up the X-Series Firewall
To automatically back up your configurations and store them on either an FTP server or a Windows network share:

2. In the BACKUP DESTINATION SETTINGS section, select either Cloud, FTP or FTPS as the Destination.
3. Enter the settings for the server on which the backup file will be stored.
You need to use the full path on the server when configuring the FTP server. E.g., /home/user/ftpbackups/ for
ftp:://ftpserver/ftpbackups/.
4. To test the connection to the server, click Test Configuration.

5. In the SCHEDULES BACKUPS section configure and schedule the automated backups.
6. Click Save.
Restoring the X-Series Firewall with a Configuration Backup
You can restore your X-Series Firewall from either locally saved backups, backups stored in the cloud (Barracuda Cloud Control), backups stored
on an FTP(S) server or from the hourly backups on the X-Series Firewall.
If the restore process is being performed to upload settings onto a new (unconfigured) X-Series Firewall, be sure to manually set the IP
address and DNS information from the BASIC > IP Configuration page prior to starting.
Restoring a backup will overwrite the current configuration of your X-Series Firewall. Do not restore backup files from old 6.0.x or 6.1.x
firmware versions on an X-Series Firewall running 6.5.X.
To restore the configuration of your X-Series Firewall:

2. In the RESTORE BACKUPS section, click Browse.
3. Navigate to the location where the configuration backup is stored:

3.
Cloud – All backup files stored in the cloud for this particular X-Series Firewall (as determined by serial number). To access and
restore from a backup file stored in the cloud that was created from a different system, please contact Barracuda Networks
Technical Support for assistance.
FTP or FTPS – All backup files stored in the FTP server location configured above. By default, only the backup files for this
particular X-Series Firewall (as determined by serial number), will be displayed. To list all available X-Series Firewall backup files
regardless of serial number, set the Show All Backups option to Yes.
Local – Uses your native desktop browser to navigate to a location of your choosing.
Disk – Choose backup file stored locally on your X-Series Firewall.
4. Select the backup file and click Restore Backup.
5. Confirm the information displayed on the main backup page to start the process.
6. After the backup has successfully finished, reboot the X-Series Firewall.

How to Recover the Barracuda NextGen Firewall X
To recover the Barracuda NextGen X-Series Firewall, you can use the Recovery Console with one of the following recovery options:
Barracuda Repair – Retains your settings and data during system recovery.
Full Barracuda Repair– Resets the X-Series Firewall to factory default settings. With this option, all your settings and data will be lost. If
you are unsure of which recovery option to use, first run the Barracuda Repair. If problems persist, run a Full Barracuda Repair.
Do not manually reboot your system at any time during recovery or repair, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, this process can take up to 15 minutes. If it
takes longer, please contact Barracuda Networks Technical Support for further assistance.
Before You Begin
Before you recover the X-Series Firewall, ensure that you have physical access to the system. You must also have the following equipment:
Monitor with a VGA cable

USB keyboard
Recover the X-Series Firewall
To recover the X-Series Firewall:
1. Ensure that the X-Series Firewall is turned off and the ports in the back of the appliance are accessible.
2. Connect the monitor to the VGA port.
3. Connect the keyboard to one of the USB ports.
4. Turn on the X-Series Firewall by plugging the power cord in.
5. When the bootloader menu displays, use your keyboard to select Recovery. After two to three minutes, the system boots into the
Recovery Console menu:
Recovery Console
BARRACUDA NETWORKS RECOVERY CONSOLE
Please make a selection
(1) Barracuda Repair (no data loss)
(2) Full Barracuda Recovery (all data lost)
(3) Enable remote administration (reverse tunnel)
(5) EXIT
6. Select a recovery option:
If you want to retain all of your data and settings during the repair, enter 1 to select the Barracuda Repair (no data loss) option.
If you want to restore the X-Series Firewall with the default factory settings, enter 2 to select the Full Barracuda Recovery (all
data lost) option. With this option, you will lose all of your current data and settings. When you are prompted by the on-screen
instructions, confirm that you want to continue with the recovery.
7. After you receive the message stating that the recovery process is complete, enter 5 to exit the Recovery Console. The X-Series Firewall
then reboots.
If problems persist after the reboot, please contact Barracuda Networks Technical Support for further assistance.

How to Use and Manage Certificates with the Certificate Manager
The Barracuda NextGen Firewall X-Series uses the Certificate Manager as a central repository to manage all X.509 certificates on the device.
You can create self-signed certificates or upload your own certificates. All certificates are available for all X-Series Firewall services, as long as
they meet the requirements for that service.
Create a Self-Signed Certificate
1. Go to ADVANCED > Certificate Manager.

2. Click Create. The Create Certificate pop-over opens.
3. Enter the certificate information.
Certificate Name – Enter a name to identify this certificate.
Common Name – Enter the domain name (DN) that is used to access the service, e.g., "mycompany.vpn.com", *.domain.com It
must contain at least one dot (.)
Country Code (2 characters) – Enter the two–letter ISO country code of the location of the organization.
State or Province – Enter the full name of the state or province of the location of the organization.
Location – Enter the full name of the city where the organization is located.
Organization – Enter the name of your organization or company.
Organizational Unit – Enter the department or unit within the organization.
Key Size (bits) – Select the private key size for the certificate from the dropdown list. The default key size is 2048 bits. Use
2048 bits if you want stronger and more secure encryption.
Disallow Private Key Download – Selecting this option will lock the private key corresponding to this certificate. Normally,
certificates are downloaded in PEM format, which includes the private key and certificate. When a key is locked, the PEM file will
only contain the certificate.
Private keys are not included in the backup. Download the private key and keep it in a safe location.
Expiration Date – Click the calendar icon to select a date.

Subject Alt Name – Set the Email, DNS, URI or IP for this certificate.
For a Client–to–Site VPN connection to a mobile device, set the DNS to the FQDN of the X-Series Firewall. The
FQDN must resolve to the IP address of the VPN service on the X-Series Firewall.
Add to VPN Certificates – Automatically add this certificate to the list of VPN certificates. You can also manually add the
certificate to the VPN certificates later on the VPN > Settings page.
4. Click Save.
Upload a Certificate
You can upload certificates in PEM or PKCS12 files. PEM files can either contain a single certificate or multiple certificates. Multiple PEM files
must contain one or more certificates and the private key in order to create a complete chain of trust.

2. Click Upload. The Upload Certificate pop-over opens.
3. Enter the Certificate Name.
4. Select the Certificate Type to match your certificate file.
5. (optional) If you want to use the certificate for the VPN service, select Add to VPN Certificates.
6. Click Browse to select the Certificate File.
7. (multiple PEM files) Click Browse to select the Certificate Key File.
8. (optional) Enter a Certificate Password.
9. (optional) Select Disallow Private Key Download. This action cannot be reversed.
Private keys are not included in the backup. Download the private key and keep it in a safe location.
10. Click Save.
Download or View a Certificate or Certificate Signing Request (CSR)
2. Click to open the View Certificate pop-over.

3. You can now:
Click Details to see the complete certificate information.
Click Lock Key to disable the private key download. This change is permanent.
Click Replace Upload to upload a new certificate. You cannot upload a new certificate if the old certificate has already expired.
Click Replace Self-Signed to create a new self-signed certificate. You cannot create a new self-signed certificate if the old

certificate has already expired.
Click Download Certificate to download the certificate in a PEM file.
Click Download Key to download the private key in a PEM file.
Click Download CSR to download a *.csr file. Submit the CSR to your certificate authority to received signed SSL certificates.
Delete a Certificate
You cannot delete certificates that are in use. Change the certificate for all services listed in the Usage column and then click in the Action c
olumn to delete the certificate.
Add Certificates to the VPN Certificates
Certificates that are to be used for the VPN service must be added to the VPN certificates. If you did not select Add to VPN Certificates when
creating or uploading the certificates, you can also add it to the VPN Certificates in the VPN Settings. Root CA certificates must be CA
certificates.
1. Go to VPN > Settings.

2. Select the certificate you want to add from the Local Certificates dropdown and click +.
3. Select the certificate you want to add from the Root CA Certificates dropdown and click +.
4. Click Save.
Select the SSL Inspection Certificate
You can only use certificates with the CA option for SSL Inspection.

2. Verify that Enable SSL Inspection is set to Yes.
3. Select the certificate from the Select Certificates dropdown.
4. Click Save.
Select the SSL Certificate for the Web Interface
1. Go to ADVANCED > Secure Administration.

2. Select the certificate from the Certificate for SSL dropdown.
3. Click Save.
Select the SSL Certificate for the SSL VPN
It is recommended to use signed certificates for the SSL VPN service.
1. Go to VPN > SSL VPN.

2. Click on the Server Settings tab.
3. Select the certificate from the Certificate dropdown.
4. Click Save.

Management Tools and Apps
Barracuda Networks offers several applications to manage and connect to the Barracuda NextGen Firewall X-Series. Download the latest
releases from Barracuda Cloud Control.
The following applications and apps are available:
Barracuda Report Creator
The Barracuda Report Creator creates PDF reports using the statistics and logs collected by your Barracuda NextGen Firewall X-Series. Reports
can be created instantly or per schedule and are delivered either by email or stored on the Windows client that is running the Report Creator.
For more information, see Barracuda Report Creator.
CudaLaunch
CudaLaunch provides mobile users secure remote access to your organization's applications and data. CudaLaunch is available for iOS and
Android devices via the Apple App Store or Google Play Store. Desktop portal access is not supported for the Barracuda NextGen X-Series SSL
VPN.
Barracuda Network Access Client and VPN Client
Barracuda offers a Windows, macOS, and Linux client to configure and establish client-to-site VPNs. The Network Access Client consists of the
Barracuda Personal Firewall, the Barracuda Access Monitor, and the Barracuda VPN Client.
For more information, see Barracuda Network Access and VPN Client.

Barracuda Report Creator
With the Barracuda NextGen Report Creator, you can customize reports on Barracuda NextGen X-Series Firewalls with the statistics and logs
that are collected on the appliances. If you want to generate a collective report for multiple X-Series Firewalls, you can organize the appliances
into consolidation groups. The report content is fully configurable and can provide the following information:
The activities of a specific user or IP address.

Most blocked and allowed URL categories.
Most blocked and allowed application categories.
Application usage.
You generate a report by combining templates that specify what appliances or consolidation groups are included in the report, the type of
information to include in the report, how the report is formatted, and how the report should be delivered. You can either use predefined templates
or customize your own templates.
Video
Watch the video below to see the Barracuda NextGen Report Creator in action:
Set up and generate a report
Step 1. Install the Barracuda NextGen Report Creator
To configure reporting for X-Series Firewalls, you must install the Barracuda NextGen Report Creator:
1. Go to BASIC > Administration

2. In the Reporting section, select Yes to Enable Reporting.
3. Click Save.
4. Click Download Barracuda Report Creator.
5. After the download finishes, install the application.
Step 2. Add your Barracuda NextGen X-Series Firewalls
In the Appliances section of the Barracuda NextGen Report Creator, create an entry for every X-Series Firewall that you want to generate a
report for. In each entry, specify the settings for connecting to the appliance.
1. Click the Templates tab.
2. In the Appliances section in the left pane, click the plus sign ( ).
3. Select Barracuda Firewall from the Type list.
4. Enter the Management IP or Hostname of the X-Series Firewall.
5. Enter the Login and Password.
6. Click Test Connection to verify that the Barracuda NextGen Report Creator can connect to the appliance.
7. Click Save.
If you are creating reports for a large number of firewalls, sort them into Consolidation Groups:

2. In the left menu, click Consolidation Groups.
3. For every consolidation group that you want to create:
a. Click the plus sign ( ).

b. Right-click the group name, select rename, and enter an appropriate name.
c. In the Consolidation Group "Group name" section, select the X-Series Firewalls you want to add and click the right arrow icon
to add them to the Appliances in this Group list.

4. Click Save.
The Barracuda NextGen Report Creator is now configured to create reports containing the selected data from your X-Series Firewalls.
Step 3. Configure Report Data
The Report Data templates specify the type of information included in the report. The following predefined report types are available:
Top Applications – Create reports summarizing the usage of applications. By default, the top 25 applications are displayed, covering
the last 7 days. Settings can be changed in the template.
Top Allowed Applications – Create reports summarizing the usage of allowed applications. By default, the top 25 applications are
displayed, covering the last 7 days.
Top Blocked Applications – Create reports summarizing the access of blocked applications. By default, the top 25 applications are
displayed, covering the last 7 days.
Top URL Categories & Websites – Create reports summarizing accessed URL categories and websites. By default, the top 25
accessed URLs are displayed, covering the last 7 days.
Top Allowed URL Categories & Websites – Create reports summarizing the top 25 allowed URL categories and websites.
Top Blocked URL Categories & Websites – Create reports summarizing the top 25 access attempts to URL categories and websites
that have been blocked by the X-Series Firewall.
Application Usage and Risks – Create reports summarizing used applications and risks covering the last 7 days.

2. In the left menu, click Report Data.
3. To modify the settings, select the predefined report in the Report Data section.
4. Change the settings as necessary. For example, change the time span, or enable Source IP Address Anonymization if you do not
want to include the source address in the report.
5. Click Save.
The template is available for selection when configuring the report. If you need information in your report that is not provided by the predefined
reports, you can create your own custom report. For more information, see How to Create Custom Reports.
Step 4. Configure the Report Layout
Create a Report Layouts template to configure how the report is displayed.

2. In the left menu, click Layouts.
3. Either select the Standard Layout default template, or create a new template by clicking the plus sign (
).
4. Right-click the template name, select rename, and enter a name.
5. Configure the following settings for the layout:
Report Title – The heading text that is displayed on the first page of the report.
Front Page Logo – The larger image that is displayed on the first page of the report. This image must be in PNG format. Your
custom logo image is not automatically resized. Use images with a maximum width of 500 pixels.
Header Logo – The small logo that is displayed in the headline. This image must be in PNG format and have a maximum height
of 44 pixels. The custom header image is automatically resized to 155 X 44 pixels. Upload it in multiples of these values to get
the best results.
Page Size – The print page size.
Font Name – The font used in the report.
Font Size – The size of the font for the continuous text. Headlines have a fixed size that cannot be changed.

6. Click Save.
Step 5. Configure Report Delivery
Create a Deliveries template to specify how the reports are delivered. You can either store reports in a local directory or email the reports.

2. In the left menu, click Delivery.
3. Click the plus sign ( ).

4. Right-click the template name, select rename, and enter an appropriate description.
5. To store the reports in a local directory, select FILE from the Type list and then configure the following settings:
Filename – The report's file name. When the report is generated, a time stamp is appended to the report name. For example, r
eport_2013_08_06_09_53_50.pdf.
Folder – The folder where the reports are saved.
6. To email reports, select EMAIL from the Type list and then configure the following settings:
Sender – The sender email address.
Recipient(s) – The email addresses that should receive the report. Separate multiple addresses with a semicolon (;).
Mail Text – (Optional) Text for the email body.
Server Address – The IP address of the email server.
Port – The SMTP port on the email server to connect to. Common default values are:
25 – Anonymous sending.
587 – TLS authenticated sending.
Force TLS encryption – Enables authenticating at the email server, with the username and password configured below. This
option requires a valid Sender Address.
Use anonymous authentication – Allows use of the email server without a username and password. This option does not
require a valid Sender Address.
User Name and Password – If required, the credentials to authenticate on the email server.
7. Click Save.
Step 6. Generate a report
After setting up the Barracuda NextGen Report Creator, you can generate a report.
1. Click the Reports tab on the upper left of the window.
2. In the Reports section in the left menu, click the plus sign ( ).
3. Left-click the template name, select rename, and enter a name for the report.
4. In the Content section of the main pane, repeat the following steps for each appliance or consolidation group you want to add to the
report:
a. In the Appliances section, click the plus sign ( ) and then select the consolidation group or
appliance.
b. In the Data for "your appliance name" section, click the plus sign ( ) and then select the
types of reports that you want to generate.
5. Select the Layout from the list.
6. In the Delivery section, click the plus sign ( ) and then select the delivery method you previously
configured:
EMAIL – Sends the report to the email address specified in the Deliveries template.

6.
FILE – Saves the report in the location path specified in the Deliveries template
7. Click Save.
Step 7. Run the report
Click Run Now to generate the report. The report is sent to your desktop or delivered via email, depending on the configuration of the selected D
eliveries template.
Step 7. Automate report creation
To automate the reporting, schedule a task and specify how often the report is generated.
1. Click the Reports tab.

2. In the left pane, select a report.
3. Click Schedule.
4. In the Schedule Task for Report Delivery window, specify the delivery times for the report and enter the password for your Windows
user.
5. To open the Windows Task Scheduler, click Create Custom Task. Barracuda NextGen Report Creator tasks are stored in the Barracu
daNGReportCreator subfolder.
6. Click OK. Your scheduling task is created in the Windows Task Scheduler.
7. Save your configurations.
Using keyboard shortcuts
You can use various keyboard shortcuts within the Barracuda NextGen Report Creator:
Click here to show the keyboard shortcuts...
Keyboard Shortcut Action
Tab, Shift+Tab Move forward or backward through the currently visible controls.
Ctrl+Tab Move between the Templates and Reports pages.
F2 Rename the selected item.
Del Delete the selected item.
Alt+S Save the current configuration.
Alt+E Exit the configuration UI without saving your changes.
Alt+D Schedule a task for the currently selected report. You can use this
shortcut only in the Report tab.
Alt+R Create a report. You can use this shortcut only in the Report tab.

How to Create Custom Reports
With the Barracuda NextGen Report Creator, you can generate custom reports by creating custom report data configurations. The following
custom report data configurations are available:
Custom Report – Use this type to create reports for allowed or blocked traffic by common criteria such as protocol, user, source, and
risk.
User Activity Report – Create a summary of all activities for one or more users.
URL Category Reports – Create reports for the top blocked or allowed URL categories.
Application Category Reports – Create reports for the top blocked or allowed application categories.
Application Reports – Create reports summarizing the usage of specific applications.
Before you begin

Step 1. Configure custom report data settings
Step 2. Add the custom reports to the report
Before you begin
Configure the Barracuda NextGen Report Creator. For more information, see Barracuda Report Creator.
Step 1. Configure custom report data settings
To configure a custom report, choose a template type and add your custom template.

2. In the left menu, click Report Data.
3. Select the custom report type you want to create and click . A custom report is inserted below the report type.
4. Right-click the placeholder report name, select rename, and enter a name for the new custom report.
5. Click on the custom report. In the main window configure:
Time Span – Select how far back data should analyzed. Min: 1 hour. Max: 4 weeks.
Filters – Set Merge Filtered Data to yes to consolidate all data for this filter into one report. Set to no to receive consecutive
reports for each filter entry. Depending on the report data type, configure:
User Address Activity Reports – Enter one or more Username or IP address (IPv4) separated by a semicolon.
Spaces are interpreted to be a part of the username.
IP Address Activity Reports – Enter one or more single IP address (IPv4) () separated by a semicolon. Do not use
spaces between the IP addresses.
URL Category Reports – Click on the three dots at the end of the line (...), select one or more URL Categories from
the list, and click OK.
Application Category Reports – Click on the three dots at the end of the line (...), select one or more Application
Categories from the list, and click OK.
Application Reports – Click on the three dots at the end of the line (...), select one or more Application Categories fr
om the list, and click OK.
Content – Set these settings to define how many details are included in the report.
Advanced – Set Source IP address anonymization to Yes to obscure the last number of the source IP address. E.g., 10.0.10.
x
6. Click Save.
Step 2. Add the custom reports to the report

1. Click on the Reports tab.
2. In the Appliances section, select an appliance or consolidation group from the list.
3. In the Data section click and add the custom report(s) created in step 1.
4. Click Save.
You can now run or schedule reports containing the custom report data. For more information, see Barracuda Report Creator.

CudaLaunch
CudaLaunch is a Windows, macOS, iOS, and Android application that provides secure access to your organization's applications and data from
remote locations and a variety of devices. CudaLaunch also integrates with the Barracuda VPN Client to connect via client-to-site VPN. The
CudaLaunch portal's responsive interface is compatible for both desktop and mobile devices.
Video
Watch the following video to see a short demo of CudaLaunch in action:

CudaLaunch for Windows and macOS
CudaLaunch offers secure access to resources made available on the X-Series Firewall. Remote users can access firewall services and features
and establish VPN connections. CudaLaunch is available for Windows and macOS via the Microsoft 10 Apps Store, macOS App Store, and the
Barracuda Download portal.
For more information, see CudaLaunch for Windows and macOS.
CudaLaunch for iOS and Android
CudaLaunch provides secure remote access to your organization's resources from mobile devices. CudaLaunch for mobile is available for iOS
and Android devices via the Apple App Store or Google Play Store. Both versions offer similar functionality.
For more information, see CudaLaunch for iOS and Android.

CudaLaunch for Windows and macOS
CudaLaunch offers remote access to services and features for remote users through the SSL VPN service. CudaLaunch requires a Remote
Access Premium subscription. To evaluate CudaLaunch without having to set up the X-Series services, log in with the demo button.
Before you begin
Download CudaLaunch from the Barracuda Download Portal, the Microsoft Windows 10 App Store, or the macOS App Store.
(optional) To use the VPN group policies in the VPN Connection tab, install the VPN Client & Network Access Client.
Configure the services and features you want to use in CudaLaunch. For more information, see How to Enable SSL VPN and
CudaLaunch.
Interface
CudaLaunch arranges all available web resources into the following sections, accessible via the interface service bar:
Favorites – Contains the shortcuts to resources for quick access.

Apps – Contains all configured web and Outlook Web Access resources.
VPN Connections – Contains all client-to-site VPN group policies made available by the admin.
Tunnels – Contains the generic SSL tunnels that are either stored on the device or made available by the admin.
Folders – Contains all configured network file share resources that the user is allowed to access.
Logging in
To log in, you must have the following information:
Hostname or IP address – The IP address or FQDN resolving to the public IP address the SSL VPN service is listening on.
Username
Password
Changing language settings
You can change the display language for CudaLaunch on the Settings page. To do so, click on the options icon on the top left and select Setting
s > General.

Launching resources
The Apps tab contains all the web resources. To launch a resource from the Apps screen, click the icon associated with it.
The web resource launches in a new tab in your network browser, and you are redirected to the application page.
Native Apps
When launching native apps such as RDP, CudaLaunch automatically establishes a tunnel in the background and launches the app in a new
browser tab.
VPN Connections
The VPN Connections tab contains the VPN group policies configured by the admin for CudaLaunch. The Barracuda Network Access or VPN
Client must be installed on the client to be able to start the VPN connection in CudaLaunch. To connect to the client-to-site VPN, click on the VPN
Group policy.

Tunnels
SSL tunnels are used to tunnel TCP connections for client/server applications.
Click the Tunnels tab. Click on one of the SSL tunnel profiles that are made available by the admin.
The client connects to a port on the 127.0.0.1 interface. Use the local IP address and port number in the locally installed app.
Network places
Network places provide remote access to corporate file shares made available by the admin. The Folders tab allows you to browse network
shares and to rename, delete, retrieve, and upload files.
Click the Folders tab. Click the 'forward' arrow icons to navigate through the folders and files.
To launch a resource from the Folders screen, click the icon associated with it. When prompted for attributes, enter username and password,
and click Continue.

Network places are launched using the default browser of the operating system.
Adding favorites
On the Favorites page, you can store web resource shortcuts for easier access. Click the Favorites tab. To add a web resource to the favorites,
click the + icon.
Select the item you want to add from the list, and click the checkmark icon. The resource you have added is now visible under the Favorites tab.
To remove a resource from the favorites list, click the Favorites tab and then click the trash can symbol.
Select the shortcut, and then click the checkmark icon.

User attributes are user-specific placeholder values used for web forwards. User attributes can be filled/changed in the options menu. When a
web forward is launched for the first time, the user is requested to fill in the user attributes. To fill in or change a user attribute, click Settings in
the Options menu, and click on Personal Information to see a list of the user attributes for your user.
Information and logs
You can view general information about CudaLaunch on the Info page. To do so, click on the Options icon on the top left and select Info.
To view logs, version number, and connection details, select About. On the Log window, you can copy the logfiles to clipboard and view the
license agreement.
From the Options menu, you can also refresh the CudaLaunch configuration. To do so, select Refresh.
Logging off
To log out of CudaLaunch, expand the Options menu on the top left, and then select Log Out.

CudaLaunch for iOS and Android
CudaLaunch offers secure remote access to your organization's applications and data from mobile devices. It is available for iOS and Android
devices via the Apple App Store or Google Play Store. CudaLaunch on Android uses Barracuda's VPN client; CudaLaunch on iOS manages the
built-in IPsec VPN client. To evaluate CudaLaunch without having to set up the Barracuda NextGen Firewall X-Series services, log in with the de
mo user credentials.
Before you begin
Configure the services and features you want to use in CudaLaunch on your Barracuda NextGen Firewall X-Series. For more
information, see How to Enable SSL VPN and CudaLaunch.
Verify that you are using a mobile device with a supported operating system. For more information, see SSL VPN Supported Devices.
Logging into CudaLaunch
To log in, you must have the following information:
Hostname or IP address – The IP address or FQDN resolving to the public IP address the X-Series Firewall's SSL VPN service is
listening on.
Username
Password
Web forwards
Swipe to the Apps tab. To launch a web forward, tap on the icon. Frequently used web forwards can be added to the Favorites tab for easy
access.

Full-device VPN
Swipe to the VPN Connections tab. Tap on one of the VPN connection profiles that are either stored on your device or made available by the
admin through SSL-VPN VPN templates. The key symbol in the taskbar is displayed as long as you are connected to the VPN. Settings for the
VPN connection can be changed in the Option menu under VPN Profiles. Changes to the VPN templates by the administrator are automatically
synced to the mobile device. Full-device VPN connections can be used by all native apps on your device, not just CudaLaunch.
User attributes are user-specific placeholder values used for web forwards. User attributes can be filled/changed in the Options menu of
CudaLaunch. When a web forward is launched the first time, the user is requested to fill in the user attributes. To fill in or change a user attribute,
tap Settings in the Options menu of CudaLaunch. Tap on Personal Settings to see a list of the user attributes for your user.

Logging off
To log out of CudaLaunch, expand the options menu on the top left, and then select Log Out.

Barracuda Network Access and VPN Client
The Barracuda Network Access Client is a suite of applications available for Windows that lets you control network and VPN client access based
on rules and policies. The Barracuda Network Access Client consists of the Barracuda Personal Firewall, the Barracuda Access Monitor, and
the Barracuda VPN Client. The Barracuda VPN Client is also available for macOS and Linux. For more information, see the Barracuda NAC and
VPN Client's overview page.
Supported features
The Barracuda Network Access / VPN client provides the following features:
Management Authentication Support VPN Properties VPN Connection Security Features

Intelligence
Central Management MS Certificate Raw ESP Redundant Gateway Full Server-Side

of the VPN Management (Crypto UDP Encapsulation Support Control
Configuration API) TCP Encapsulation NAT Traversal Split DNS
VPN Diagnostic Log MSAD Hybrid HTTPS Proxy Split Tunnel Mode
VPN Systems LDAP Encapsulation Compatibility ENA - Exclusive
Diagnostics Report RADIUS DHCP-based SSL Handshake Network Access
VPN Status MSNT Parameter Simulation
Monitoring RSA ACE Assignment SOCKS 4/5 Proxy
Attack Access External X.509 Cryptography Compatibility
Cache Certificates AES128 / AES256 Pathfinder - Best
Packet Log RSA SecureID 3DES and DES Gateway Finder
(Capture) Tokens CAST and Blowfish WLAN Roaming
VPN Groups Smart Cards Authentication Only Support
Manageable MS Domain Logon (Null Encryption) Always Connect
Silent Client Setup Support SHA-1 and MD5 Technology
Using Templates Hashing Fast Reconnect
and Scripts Technology
Installing, configuring, and operating the client
For information on how to set up and use the Barracuda Network Access and VPN clients, see the following articles:
Installing the Barracuda Network Access/VPN Client for Windows

Installing the Barracuda VPN Client for macOS
Installing the Barracuda VPN Client for Linux
Installing, configuring, and operating the server
For information on how to configure the consumer-level Barracuda Firewall product line for client-to-site VPN, see How to Configure a
Client-to-Site VPN with Certificate Authentication.

Specifications of Hardware Models
Warranty and Safety Instructions

Unless you are instructed to do so by Barracuda Networks Technical Support, you will void your warranty and hardware support if you
open your Barracuda Networks appliance or remove its warranty label.
Barracuda Networks Appliance Safety Instructions Hardware Compliance
Hardware specifications of the various Barracuda NextGen Firewall X-Series models
The hardware configuration list in this table was valid at the time this content was created. Due to technological advances, the
components are subject to change at any time. Thus, the list may not reflect the current hardware configuration of the Barracuda
Barracuda NextGen Firewall X-Series model
X50 / X51 X100 / X101 X200 / X201 X300 (End of X300 X400 X600
Sale) Revision B
Hardware
Form factor Desktop Desktop Desktop 1U rack mount Desktop with 1U rack mount 1U rack mount
Rack Mount
Brackets
Dimensions 10.8 x 6.4 x 10.8 x 6.4 x 10.8 x 6.4 x 14.9 x 6.4 x 14.9 x 6.4 x 16.8 x 15.9 x 16.8 x 15.9 x
(inch) 1.8 1.8 1.8 1.8 1.7 1.7 1.7
Weight (lb) 2.9 2.9 2.9 4.4 4.9 11.3 11.3
Ports 4x 1GbE 4x 1GbE 4x 1GbE 6x 1GbE 6x 1GbE 8x 1GbE 8x 1GbE

copper copper copper copper copper copper copper
Power supply Single Single Single Single Single Single Single

(external) (external) (external) (internal) (external) (internal) (internal)
Integrated Yes , model Yes , model Yes, model No No No No

Wi-Fi access X51 X101 X201
point
3G USB Optional Optional Optional Optional Optional Optional Optional

modem
Integrated Wi-Fi Access Point specifications (model X51/X101/X201)

Standards IEEE 802.11b/g/n, CSMA/CA with ACK
Frequency 2.4-2.4835 GHz
Signal rate 11n: Up to 150 Mbps, 11g: Up to 54 Mbps, 11b: Up to 11 Mbps
EIRP 20 dBm (MAX)
Radio receive sensitivity 130 Mbps: -68 dBm @10% PER

108 Mbps: -68 dBm @10% PER
54 Mbps: -68 dBm @10% PER
Wireless security 64/128 bits WEP

WPA/WPA2, WPA-PSK/WPA2-PSK (TKIP/AES)
Wall mount kit
Some shipped with a wall mount kit. Print the Barracuda NextGen Firewall X-Series Wall Mount Jig to use as a template when drilling the
required holes. Do not scale the PDF when printing.

Hardware Compliance
This section contains compliance information for the appliance.
Notice for the USA
Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This device complies with part 15 of the FCC Rules.
Operation is subject to the following conditions:
1. This device may not cause harmful interference, and

2. This device must accept any interference received including interference that may cause undesired operation. If this equipment does
cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user in
encouraged to try one or more of the following measures:
Reorient or relocate the receiving antenna.

Increase the separation between the equipment and the receiver.
Plug the equipment into an outlet on a circuit different from that of the receiver.
Consult the dealer on an experienced radio/ television technician for help.
Notice for Canada
This apparatus complies with the Class B limits for radio interference as specified in the Canadian Department of Communication Radio
Interference Regulations.
Notice for Europe (CE Mark)
This product is in conformity with the Council Directive 89/336/EEC, 92/31/EEC (EMC).
Power Requirements
AC input voltage 100-240 volts; frequency 50/60 Hz.

Barracuda Firewall (PDFDrive)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Barracuda Firewall (PDFDrive)

Uploaded by

Copyright:

Available Formats

1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Quick Start Guide: English, German, Spanish, Italian, Turkish

Copyright Barracuda Networks 2015

Before you begin

What's new in Barracuda NextGen Firewall X-Series version 7.1.1.010

Updated bind to version 9.9.9-P4 to fix security vulnerability CVE-2016-8864. (BNF-6696)

What's new in Barracuda NextGen Firewall X-Series version 7.1.1.008

Remote Access Gateway wizard

The Top 10 Application element now works as expected. (BNF-6583)

What's new in Barracuda NextGen Firewall X-Series version 7.1.0.017

OpenSSL update to resolve security vulnerability CVE-2016-6304. (BNF-6644)

What's new in Barracuda NextGen Firewall X-Series version 7.1.0.013

Copyright Barracuda Networks 2015

Multiple SSL VPN improvements. (BNF-6591)

What's new in Barracuda NextGen Firewall X-Series version 7.1.0.008

Site-to-site VPN tunnel stability improvements. (BNF-6570)

What's new in Barracuda NextGen Firewall X-Series version 7.1.0.007

IPsec client-to-site VPN tunnel rekeying now works as expected. (BNF-6565)

What's new in Barracuda NextGen Firewall X-Series version 7.1.0.006

Advanced Threat Detection (ATD)

For more information, see Advanced Threat Detection (ATD)

SSL VPN web portal redesign

For more information, see SSL VPN User Interfaces.

SSL VPN tunneled web forward

Copyright Barracuda Networks 2015

For more information, see How to Configure a Tunneled Web Forward.

SSL VPN applications

For more information, see SSL VPN Applications.

For more information, see CudaLaunch.

Copyright Barracuda Networks 2015

Copyright Barracuda Networks 2015

Please Read Before Upgrading

What's New in Barracuda NextGen Firewall X-Series Version 7.0.1.005

What's New in Barracuda NextGen Firewall X-Series Version 7.0.0.010

Updated OpenSSL to fix the following security vulnerabilities:

What's New in Barracuda NextGen Firewall X-Series Version 7.0.0.008

What's New in Barracuda NextGen Firewall X-Series Version 7.0.0.006

Restoring from a cloud backup now works as expected. (BNF-6340)

What's New in Barracuda NextGen Firewall X-Series Version 7.0.0.005

Increased firewall engine stability. (BNF-6348)

What's New in Barracuda NextGen Firewall X-Series Version 7.0.0.004

Mail Security in the Firewall

Copyright Barracuda Networks 2015

Virus Protection for FTP in the Firewall

For more information, see How to Configure a DHCP Relay.

Copyright Barracuda Networks 2015

For more information, see CudaLaunch.

NAC for SSL VPN

SSL VPN Web Forwards Improvements

SSL VPN User Attributes

For more information, see How to Use and Create Attributes.

Single Sign-On for Web Forwards

SSL VPN Self-Provisioning for VPN Templates

Barracuda Mobile Device Manager BETA

Copyright Barracuda Networks 2015

For more information, see Barracuda Mobile Device Manager.

Copyright Barracuda Networks 2015

Please Read Before Upgrading

What's New in Barracuda NextGen Firewall X-Series Version 6.8.3.007

1. Go to Firewall > Settings

What's New in Barracuda NextGen Firewall X-Series Version 6.8.3.006

Firewall > Captive Portal > HTTPS CONFIGURATION > Encryption

What's New in Barracuda NextGen Firewall X-Series Version 6.8.3.004