1.1 Release Notes 7.1.X
1.1.1 Release Notes 7.0.X
1.1.2 Release Notes 6.8.X
1.1.3 Barracuda Firewall Release Notes 6.7.X
1.1.4 Barracuda Firewall Release Notes 6.6.X
1.1.5 Barracuda Firewall Release Notes 6.5.x
1.1.6 Barracuda Firewall Release Notes 6.1.x
1.1.7 Barracuda Firewall Release Notes 6.0.x
1.2 Getting Started
1.2.1 Deploy as Firewall
1.2.2 Deploy as Remote Access Gateway
1.3 Networking
1.3.1 How to Configure WAN Interfaces
1.3.1.1 Example - Configuring a Static WAN Connection
1.3.1.2 How to Configure a PPPoE Connection
1.3.1.3 How to Configure a 3G Dial-In Connection
1.3.1.4 How to Configure a DHCP Connection
1.3.2 How to Configure Static Network Interfaces
1.3.3 How to Configure Wi-Fi
1.3.4 How to Configure a VLAN
1.3.5 How to Configure a Static Route
1.3.6 How to Configure a Bridge
1.3.7 How to Configure a DMZ
1.3.8 How to Configure the DHCP Server
1.3.9 How to Configure a DHCP Relay
1.3.10 How to Configure a Forward Proxy
1.3.11 Authoritative and Caching DNS
1.3.11.1 How to Add Domains and DNS Records
1.3.12 How to Change the Management IP Address and Network Interface
1.3.13 How to Configure and Use High Availability
1.4 Firewall
1.4.1 Firewall Objects
1.4.1.1 Network Objects
1.4.1.2 Service Objects
1.4.1.3 Connection Objects
1.4.1.4 Application Based Connection Objects
1.4.1.5 NAT Objects
1.4.1.6 User Objects
1.4.1.7 Schedule Objects
1.4.2 Firewall Rules
1.4.2.1 Pre-Installed Access Rules
1.4.2.2 Firewall Rules Order
1.4.2.3 How to Create User-Aware Access Rules
1.4.2.4 Example - Allowing Access to the Internet
1.4.2.5 Example - Handling SMTP Traffic
1.4.2.6 Example - Allowing SIP-based VoIP Traffic
1.4.2.7 Example - Blocking ICMP Traffic
1.4.2.8 Example - Configuring a DNAT Access Rule
1.4.2.9 Example - Configuring an Access Rule for the Barracuda Email Security Gateway
1.4.2.10 Example - Creating Time-Based Access Rules
1.4.2.11 How to Configure a Transparent Redirection to a Barracuda Web Security Gateway
1.4.3 Application Control
1.4.3.1 How to Introduce Application Control to Your Network
1.4.3.2 Application Objects
1.4.3.3 How to Configure and Use the URL Filter
1.4.3.4 How to Configure an Application Policy
1.4.3.5 Example - Adjust Bandwidth for Application Traffic
1.4.4 Link Balancing and Failover
1.4.4.1 How to Configure Outbound Loadbalancing and Failover
1.4.5 Intrusion Prevention System or IPS
1.4.6 How to Configure SSL Inspection
1.4.7 URL Filtering in the Firewall
1.4.7.1 URL Policy Objects
1.4.7.2 How to Configure URL Filtering in the Firewall
1.4.7.3 How to Configure URL Filter Overrides
1.4.7.4 How to Grant URL Category Overrides - User Guide
1.4.8 Virus Protection in the Firewall
1.4.8.1 How to Configure Virus Protection in the Firewall for Web Traffic
1.4.8.2 How to Configure Virus Scanning in the Firewall for FTP Traffic
1.4.9 Advanced Threat Detection (ATD)
1.4.9.1 How to Configure ATD in the Firewall
1.4.9.2 How to Manually Upload Files to ATD
1.4.10 Mail Security in the Firewall
1.4.10.1 How to Configure Mail Security in the Firewall
1.4.11 How to Enforce Safe Search in the Firewall
1.4.12 How to Enforce YouTube for Schools in the Firewall
1.4.13 Custom Block Pages
1.4.14 How to Configure Bandwidth Policies or QoS
1.4.15 How to Create Interface Groups
1.4.16 How to Configure the Captive Portal
1.4.17 How to Configure Google Accounts Filtering in the Firewall
1.5 Managing Users and Groups
1.5.1 How to Configure Local Authentication
1.5.2 How to Configure an External Authentication Service
1.5.2.1 How to Configure Barracuda DC Agent Authentication
1.5.2.2 How to Configure MSAD Authentication
1.5.2.3 How to Configure NTLM Authentication
1.5.2.4 How to Configure LDAP Authentication
1.5.2.5 How to Configure RADIUS Authentication
1.5.2.6 How to Configure TS Agent Authentication
1.5.2.7 How to Join a Windows Domain
1.5.2.8 How to Configure Wi-Fi Access Point Authentication
1.5.2.8.1 Wi-Fi AP Authentication Aerohive Configuration
1.5.2.8.2 Wi-Fi AP Authentication Ruckus Wireless Configuration
1.5.2.8.3 Wi-Fi AP Authentication Aruba Configuration
1.5.3 How to Set Up a Guest Access Confirmation Page
1.5.4 How to Set Up Guest Access with Ticketing
1.5.5 How to Manage Guest Tickets - User's Guide
1.6 VPN
1.6.1 Client-to-Site VPN
1.6.1.1 How to Configure a Client-to-Site VPN with Certificate Authentication
1.6.1.2 How to Configure a Client-to-Site VPN with Shared Key Authentication
1.6.1.3 How to Configure the Apple iOS VPN Client for IPsec Shared Key VPN
1.6.1.4 How to Configure Apple iOS VPN Client for IPsec VPN with Certificate Authentication
1.6.1.5 How to Configure the Android VPN Client for IPsec Shared Key VPN
1.6.1.6 Troubleshooting Client-to-Site VPNs
1.6.1.7 How to Configure a Client-to-Site VPN with PPTP
1.6.2 Site-to-Site VPN
1.6.2.1 How to Configure a Site-to-Site VPN with IPsec
1.6.2.2 How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway
1.6.2.3 How to Configure a Site-to-Site IPsec VPN to the Microsoft Azure VPN Gateway
1.6.2.4 Example - Configuring a Site-to-Site IPsec VPN Tunnel
1.6.2.5 Troubleshooting Site-to-Site VPNs
1.6.2.6 How to Configure Authentication Through a Site-to-Site VPN Tunnel
1.6.3 How to Allow VPN Access via a Dynamic WAN IP Address
1.6.4 SSL VPN
1.6.4.1 How to Enable SSL VPN and CudaLaunch
1.6.4.2 How to Configure SSL VPN Access via DynDNS
1.6.4.3 SSL VPN User Interfaces
1.6.4.3.1 SSL VPN Supported Devices
1.6.4.3.2 SSL VPN Web Portal User Guide
1.6.4.4 SSL VPN Web Forwards
1.6.4.4.1 How to Configure an Outlook Web Access Web Forward
1.6.4.4.2 How to Configure a SharePoint Web Forward
1.6.4.4.3 How to Configure a Generic Web Forward
1.6.4.4.4 How to Configure a Tunneled Web Forward
1.6.4.4.5 How to Configure Single Sign-On for Web Forwards
1.6.4.5 SSL VPN Applications
1.6.4.5.1 How to Configure SSL VPN Applications for RDP
1.6.4.6 How to Configure SSL Tunnels
1.6.4.7 How to Configure Network Places
1.6.4.8 How to Use and Create Attributes
1.6.4.9 How to Configure NAC for SSL VPN
1.6.4.10 How to Configure VPN Templates in the SSL VPN
1.6.4.10.1 Self-Service VPN Provisioning for iOS Devices
1.6.4.10.2 Self-Service VPN Provisioning on macOS
1.6.4.10.3 Self-Service VPN Provisioning on Microsoft Windows
1.7 Cloud Features
1.7.1 How to Configure the Barracuda Web Security Service
1.7.2 How to Connect to Barracuda Cloud Control
1.8 Monitoring
1.8.1 Monitoring Active and Recent Connections
1.8.2 How to Configure SNMP Monitoring
1.8.3 Barracuda NextGen Firewall X SNMP MIB
1.8.4 Viewing Logs
1.8.5 Troubleshooting
1.8.6 How to Configure Log Streaming
1.8.7 How to Configure Email Notifications
1.9 Maintenance
1.9.1 How to Update the Firmware on Your Barracuda NextGen Firewall X
1.9.2 How to Backup and Restore the Barracuda NextGen Firewall X
1.9.3 How to Recover the Barracuda NextGen Firewall X
1.9.4 How to Use and Manage Certificates with the Certificate Manager
1.10 Management Tools and Apps
1.10.1 Barracuda Report Creator
1.10.1.1 How to Create Custom Reports
1.10.2 CudaLaunch
1.10.2.1 CudaLaunch for Windows and macOS
1.10.2.2 CudaLaunch for iOS and Android
1.10.3 Barracuda Network Access and VPN Client
1.11 Specifications of Hardware Models
1.11.1 Hardware Compliance
Overview
The Barracuda NextGen Firewall X-Series is an application-aware network firewall appliance that is designed for organizations without dedicated
IT personnel to manage firewalls. It leverages cloud resources to extend next-generation security and networking beyond the capabilities of
typical security gateways or legacy firewalls. The Barracuda NextGen Firewall X-Series delivers application control, user awareness, secure
VPNs, link optimization, dynamic traffic prioritization, and advanced malware protection. It combines application-control and network-security
features with cloud technologies to provide up-to-date and dynamically scalable malware protection and content filtering. With the Barracuda
Cloud Control centralized management portal, you can use a web browser or app to deploy, configure, and manage the Barracuda NextGen
Firewall X-Series from any location.
Where to start
For detailed instructions, start here:
Getting Started
You can also download the Barracuda NextGen Firewall X-Series Quick Start Guide:
Key features
Firewall – Provides powerful next generation capabilities. Application Control and user-identity awareness enable the enforcement of
granular access policies. You can define policies based on any combination of criteria, such as application, user, group ID, and time.
Barracuda Web Security Service – Leverages cloud resources by offloading processor-intensive content filtering and malware protection
to the cloud.
VPN – Enables secure remote access for users and provides business continuity by securing Site-to-Site connectivity.
Barracuda Cloud Control – Lets you manage and configure multiple Barracuda NextGen X-Series Firewalls from a single management
portal.
WAN Interfaces – Eliminate the need for costly high-capacity backup links by aggregating disparate links such as MPLS, T1, DSL, cable,
and 3G.
Bandwidth Policies (QoS) – Balance and shape traffic among links, according to policies based on applications, traffic loads, and link
status.
Documentation for Barracuda NextGen Firewall X-Series Version 6.1 is available as a PDF file.
Before updating, back up your configuration and read through the release notes for all versions more current than the version you are
currently running on your firewall.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Upgrading can take up to 10 minutes. If the process takes longer, please contact Barracuda Networks Technical
Support for further assistance.
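The rule above ("read the release notes for every version newer than the one you are running") is easy to get wrong by comparing version strings lexically, where 6.8 sorts after 6.10. The helper below is an added example, not part of the X-Series firmware or of this documentation. It assumes the dotted version form used on this page (7.1.0.017), treats a trailing X as a release family (7.1.X), and builds its list of families from the contents listing above; the function and constant names are its own.

```python
import re
from typing import Iterable, List, Tuple

# Constructed from the contents listing of this documentation set; release
# notes are published per x.y family, with a trailing X as the wildcard.
RELEASE_NOTE_FAMILIES = ["7.1.X", "7.0.X", "6.8.X", "6.7.X",
                         "6.6.X", "6.5.x", "6.1.x", "6.0.x"]

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.1.0.017' into (7, 1, 0, 17) so versions compare numerically.
    Comparing the strings instead gets this wrong: '6.8' sorts after '6.10'."""
    text = text.strip().lower()
    if text.endswith(".x"):          # family notation such as '7.1.X'
        text = text[:-2]
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_newer(candidate: str, running: str) -> bool:
    """True if the release notes for `candidate` can cover firmware newer than
    `running`. An exact version counts only if it is strictly newer. A family
    (7.1.X) counts if its fixed prefix is at or above the running version's
    prefix, because the family may contain later point releases."""
    cur = parse_version(running)
    cand = parse_version(candidate)
    if candidate.strip().lower().endswith(".x"):
        return cand >= cur[:len(cand)]
    return cand > cur


def release_notes_to_read(running: str, available: Iterable[str]) -> List[str]:
    """Release-note versions to read before upgrading, oldest first."""
    relevant = [v for v in available if is_newer(v, running)]
    return sorted(relevant, key=parse_version)


if __name__ == "__main__":
    # A firewall on 6.8.2.001 must read 6.8.X (later 6.8 releases), 7.0.X and 7.1.X.
    print(release_notes_to_read("6.8.2.001", RELEASE_NOTE_FAMILIES))
```

The family rule is deliberately inclusive: a firewall already on 7.1.0.008 still gets 7.1.X in its list, because that family holds 7.1.0.017 and 7.1.1.010.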
Because most modern browsers have removed support for Java applets, CudaLaunch is required to retain the SSL VPN functionality
previously handled by the SSL VPN Java applets. An additional Remote Access Premium subscription is required. By default, a one-user
demo license for CudaLaunch is included.
For more information, see How to Configure a Tunneled Web Forward and SSL VPN Applications.
Barracuda NextGen Firewall X-Series version 7.1.1.010 is a maintenance release and contains no new features.
Firmware improvements
You can now deploy your X-Series Firewall as a remote access gateway behind your border firewall. This lets you use the SSL VPN and
client-to-site VPN services on the X-Series Firewall to provide remote connectivity for all your users while the existing border firewall stays
in place. The remote access gateway wizard can be launched separately or during deployment.
For more information, see Getting Started and Deploy as Remote Access Gateway.
Firmware improvements
Barracuda NextGen Firewall X-Series version 7.1.0.017 is a maintenance release and contains no new features.
Firmware improvements
Barracuda NextGen Firewall X-Series version 7.1.0.008 is a maintenance release and contains no new features.
Firmware improvements
Barracuda NextGen Firewall X-Series version 7.1.0.007 is a maintenance release and contains no new features.
Firmware improvements
Advanced Threat Detection offers protection against advanced malware, zero-day exploits, and targeted attacks that are not detected by the virus
scanner or intrusion prevention system. ATD analyzes files in the Barracuda ATD cloud and assigns a risk score. Local ATD policies then
determine how files with a high, medium, or low risk score are handled. You can configure administrator email notifications and/or enable one of
the automatic blacklisting policies. To check local files, you also have the option to manually upload a file via the management web interface.
The web portal is redesigned to give desktop and mobile devices a single responsive interface. The web portal is designed to automatically
display a version customized for the device type you are using.
A tunneled web forward uses an SSL tunnel established by CudaLaunch to connect to a web server behind the firewall. The user's browser
connects to a localhost address (e.g., http://localhost:5678). A direct connection to the resource located behind the SSL VPN is then
Some tasks require the use of client-server applications. To connect with a service behind the SSL VPN service on the X-Series Firewall,
CudaLaunch establishes a secure tunnel and then automatically launches the locally installed application. The connection is terminated if the
session is closed or times out.
CudaLaunch 2.0
CudaLaunch 2.0 for iOS, Android, and now also for Windows and macOS is an update for the app that offers secure remote access to your
organization's applications and data from mobile devices. CudaLaunch 2.0 now also supports SSL Tunnels and SSL VPN Applications.
Firmware improvements
Time stamps on the BASIC > Alerts page now match the configured time zone settings. (BNF-6143)
Improved filtering on the LOGS > Firewall Log page. (BNF-6343, BNF-6344, BNF-6481)
Entering IP addresses in the failover and load balancing settings of a custom connection object is now possible. (BNF-6359)
Incoming NetBIOS traffic is no longer allowed on WAN interfaces. (BNF-6407)
The virus scanning block page now shows the correct URL for FTP over HTTP Proxy connections. (BNF-6465)
SSL Interception with certificate chains now works as expected. (BNF-6466)
The virus scanner result cache is now cleared after a virus pattern update. (BNF-6468)
Manually setting the bit rate for the Wi-Fi interface no longer results in poor bandwidth.
Improved URL categorization for SSL-intercepted hosts. (BNF-6474)
Editing the custom block page for the virus scanner now works as expected. (BNF-6480)
The BASIC > Status page no longer fails if the firewall has an uptime of more than a year. (BNF-6488)
Tool tips on the BASIC > Status pages now display the time correctly when set to auto refresh. (BNF-6130)
It is now possible to filter for Scan Exception on the BASIC > Recent Threat page. (BNF-6298)
You can now add a filter on the LOGS > Firewall Log page by clicking on the mouse-over magnifying glass icon next to the value you
want to filter for. (BNF-6378)
Migration instructions
Because most modern browsers have removed support for Java applets, CudaLaunch is required to retain the SSL VPN functionality
previously handled via Java applets. An additional Remote Access Premium subscription is required. By default, a one-user demo
license for CudaLaunch is included.
For more information, see How to Configure a Tunneled Web Forward and SSL VPN Applications.
Support for WebDAV SSL VPN resources is discontinued and is no longer available after updating.
Known issues
IPsec client-to-site connections using the Android 6.0 and 6.1 native IPsec client are not possible. As a work-around, you can use
CudaLaunch instead. CudaLaunch requires a Remote Access Premium subscription.
Only the first DNS and WINS servers are used for client-to-site tunnels.
Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the
process takes longer, please contact Barracuda Networks Technical Support for further assistance.
Barracuda NextGen Firewall X-Series version 7.0.1.005 is a maintenance release and contains no new features.
Firmware Improvements
Fixed a rare case where configuring access rules caused an error in the WebUI. (BNF-6494)
Improvements to active and recent connections pages. (BNF-6494)
Barracuda NextGen Firewall X-Series version 7.0.0.010 is a maintenance release and contains no new features.
Firmware Improvements
Barracuda NextGen Firewall X-Series version 7.0.0.008 is a maintenance release and contains no new features.
Firmware Improvements
Creating log filters with empty values no longer breaks the LOG page. (BNF-6492)
Barracuda NextGen Firewall X-Series version 7.0.0.006 is a maintenance release and contains no new features.
Firmware Improvements
Known Issues
Client-to-site VPN connections currently only use the first DNS and WINS server.
The Barracuda Report Creator is available only for Microsoft Windows 7, 8, and 10.
The secondary firewall in an HA cluster is not read-only when accessing the configuration through Barracuda Cloud Control.
Barracuda NextGen Firewall X-Series version 7.0.0.005 is a maintenance release and contains no new features.
Firmware Improvements
For more information, see Mail Security in the Firewall and Virus Protection in the Firewall.
The X-Series Firewall can transparently scan FTP traffic passing through the Forwarding Firewall service for malware. If malware is detected, the
file is discarded and the file transfer is terminated.
For more information, see Virus Protection in the Firewall and How to Configure Virus Scanning in the Firewall for FTP Traffic.
DHCP Relay
DHCP relaying allows you to share a single DHCP server across logical network segments that are separated by the firewall.
CudaLaunch
CudaLaunch offers secure remote access to your organization's applications and data from mobile devices. CudaLaunch is available for iOS and
SSL VPN Network Access Control (NAC) limits access to the web portals of the SSL VPN service according to a variety of factors that are tied to
the connecting system rather than to the user's identity. Users who fail the NAC check are not allowed to log in until they connect from a conforming system.
For more information, see How to Configure NAC for SSL VPN.
Create web forwards to allow SSL VPN users to access web-based internal applications. There are predefined web forward types for Outlook
Web Access and SharePoint servers as well as generic settings that allow you full control over how the web content is rewritten.
For more information, see How to Configure an Outlook Web Access Web Forward, How to Configure a SharePoint Web Forward, and How to
Configure a Generic Web Forward.
User attributes are placeholder variables used to personalize web forwards or to configure single sign-on authentication. They are created by the
admin and filled in by the end user in either the desktop or mobile portal.
Web forwards can be configured to automatically log the user in when accessing web forwards requiring authentication. Both HTTP and
form-based (POST, GET, and JavaScript) authentication is supported. User attributes allow you to use different user credentials than those used
to log into the SSL VPN to authenticate to a web application made available as a web forward.
For more information, see How to Configure Single Sign-On for Web Forwards.
The SSL VPN service allows end users to self-provision their VPN client on Windows, macOS, or iOS devices. To automatically download and
install the configuration, the user must log into one of the SSL VPN portals and click the VPN Template provisioning link. VPN templates are
created as a part of the client-to-site VPN configuration.
For more information, see How to Configure VPN Templates in the SSL VPN.
Firmware Improvements
Disabling IPS in an access rule is now displayed correctly in the access rule list. (BNF-6068)
Disabling a Wi-Fi access no longer requires you to enter a passphrase. (BNF-6041)
Generating certificates on smaller appliances no longer times out. (BNF-6039)
Removing VPN certificates now works as expected. (BNF-5994)
Restoring a backup to a unit with a different serial number now works as expected. (BNF-5987)
Deleting entries with capital letters in the Authoritative DNS configuration now works as expected. (BNF-5889)
The management web interface now uses the following cipher string: HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!aNULL
(BNF-5913)
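An OpenSSL cipher string is only as good as the list it expands to on the library that consumes it. The following script is an added example, not code from Barracuda's release notes or product: it lets the OpenSSL linked into the local Python expand that exact cipher string and then checks that no suite from an excluded family (RC4, MD5, 3DES, NULL, anonymous DH/ECDH, DSS, export) and no suite below 128 bits survives. The expansion reflects the OpenSSL on the machine running the script, which will be newer than the one on the appliance, so treat it as a check of the string's intent rather than of the device; the weak suites used to exercise the checker are constructed.

```python
import re
import ssl

# Cipher string adopted by the management web interface (BNF-5913).
CIPHER_STRING = "HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!aNULL"

# Each exclusion in the string, paired with the OpenSSL cipher-name pattern
# whose presence in the expanded list would mean the exclusion did not work.
EXCLUSIONS = [
    (re.compile(r"RC4"), "!RC4"),
    (re.compile(r"MD5"), "!MD5"),
    (re.compile(r"3DES|DES-CBC3"), "!3DES"),
    (re.compile(r"NULL"), "!eNULL/!NULL"),
    (re.compile(r"^(ADH|AECDH)-"), "!ADH/!aECDH/!aNULL"),
    (re.compile(r"DSS"), "!DSS"),
    (re.compile(r"^EXP"), "!EXP"),
]
MIN_STRENGTH_BITS = 128  # the floor that HIGH is supposed to guarantee


def expand_cipher_string(spec):
    """Let the local OpenSSL expand an OpenSSL cipher string into the concrete
    suites it enables, in preference order. Raises ssl.SSLError if nothing is
    enabled, which is itself a finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def find_violations(ciphers):
    """Given dicts shaped like SSLContext.get_ciphers() output (at least
    'name' and 'strength_bits'), return (name, violated_rule) for every suite
    that the cipher string was meant to exclude."""
    findings = []
    for suite in ciphers:
        name = suite["name"]
        for pattern, rule in EXCLUSIONS:
            if pattern.search(name):
                findings.append((name, rule))
        if suite["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append((name, "HIGH (<%d-bit)" % MIN_STRENGTH_BITS))
    return findings


def audit(spec=CIPHER_STRING):
    """Expand the string on this host's OpenSSL and report what survives."""
    ciphers = expand_cipher_string(spec)
    return {
        "enabled": [c["name"] for c in ciphers],
        "violations": find_violations(ciphers),
    }


if __name__ == "__main__":
    report = audit()
    print("%d suites enabled" % len(report["enabled"]))
    for name in report["enabled"]:
        print("  " + name)
    print("violations:", report["violations"] or "none")
```

Run it once after any change to the string; an empty violations list plus a non-empty enabled list is the expected result. A changed OpenSSL can move suites between the HIGH/MEDIUM groups, so the check belongs in a deployment test rather than being done by hand once.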
Migration
Existing SSL VPN web forwards are automatically migrated to generic web forwards during the update. Verify the functionality of the web
forwards and, if necessary, recreate the web forwards. For more information, see How to Configure an Outlook Web Access Web
Forward, How to Configure a SharePoint Web Forward, and How to Configure a Generic Web Forward.
Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the
process takes longer, please contact Barracuda Networks Technical Support for further assistance.
Barracuda NextGen Firewall X-Series version 6.8.3.007 is a maintenance release and contains no new features.
If you are using local antivirus scanning, Barracuda Networks recommends upgrading all Barracuda NextGen Firewall X-Series units
(versions 6.6.x, 6.7.x, and 6.8.x) to this firmware version for uninterrupted antivirus security coverage.
In order for the changes to take effect, please restart the Virus Protection service by performing the following actions:
Firmware Improvements
Updates the authorization key for the embedded Avira Anti-Virus engine. (BNF-6577)
Barracuda NextGen Firewall X-Series version 6.8.3.006 is a maintenance release and contains no new features.
To protect yourself against CVE-2016-0800 (DROWN), Barracuda Networks recommends disabling SSLv2 for all services. SSLv2 is
disabled in the factory default settings. Check your SSLv2 settings in the following service configurations:
Firmware Improvements
Disabling SSLv2 now disables the SSLv2 protocol itself, not just the SSLv2 ciphers, for the captive portal, URL Filter override, and guest access
web interfaces. (BNF-6267) This matters because DROWN is a cross-protocol attack: any server that still answers SSLv2 handshakes with
the same RSA key exposes every TLS service using that key, regardless of which ciphers the SSLv2 endpoint would finally negotiate.
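The only reliable way to confirm that SSLv2 is off is to offer it and see whether the server takes it. The probe below is an added example, not part of Barracuda's release notes or software: it sends a raw SSLv2 CLIENT-HELLO listing every SSLv2 cipher kind and classifies the reply, which is the same test a DROWN scanner performs. A server with SSLv2 disabled closes the connection or answers with a TLS alert; one that replies with an SSLv2 SERVER-HELLO naming cipher kinds is exposed. Message layouts and cipher-kind values follow the SSLv2 specification; the target host and the SERVER-HELLO used to exercise the parser offline are constructed. Remember that a clean result for one port says nothing about other services (mail, VPN portal) that may share the same RSA key.

```python
import socket
import struct

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4
SSLV2_VERSION = 0x0002


def _record(body):
    """Wrap a handshake body in the 2-byte SSLv2 record header: high bit set
    means no padding byte follows, the remaining 15 bits carry the length."""
    if len(body) >= 0x8000:
        raise ValueError("2-byte SSLv2 header carries at most 32767 bytes")
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_client_hello(challenge=b"\x00" * 16):
    """CLIENT-HELLO offering every SSLv2 cipher kind, with no session id.
    Layout: type(1) version(2) cipher-specs-len(2) session-id-len(2)
    challenge-len(2) cipher-specs session-id challenge."""
    ciphers = b"".join(SSLV2_CIPHER_KINDS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    return _record(body)


def build_server_hello(cipher_kinds, cert=b"\x30\x03\x02\x01\x00",
                       conn_id=b"\x11" * 16):
    """Constructed SERVER-HELLO, used only to exercise the parser offline.
    The certificate bytes are a dummy DER fragment, not a real certificate.
    Layout: type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2)
    cipher-specs-len(2) conn-id-len(2) cert cipher-specs conn-id."""
    specs = b"".join(cipher_kinds)
    body = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(specs), len(conn_id))
    return _record(body + cert + specs + conn_id)


def parse_server_hello(data):
    """Return the cipher kinds named in an SSLv2 SERVER-HELLO, or None when
    the reply is not one (TLS alert, SSLv2 ERROR, TCP close, garbage)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _, _hit, _ctype, _ver, cert_len, spec_len, _cid_len = struct.unpack(
        "!BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    if len(specs) != spec_len or spec_len % 3:
        return None
    return [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, spec_len, 3)]


def probe(host, port=443, timeout=5.0):
    """Connect, send the CLIENT-HELLO and classify the reply. A non-empty
    list means the server negotiates SSLv2; None means it refused."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_server_hello(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # assumed
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    try:
        kinds = probe(target, port)
    except OSError as exc:
        print(target + ": connection failed (" + str(exc) + ")")
    else:
        status = "ENABLED (" + ", ".join(kinds) + ")" if kinds else "not offered"
        print(target + ": SSLv2 " + status)
```

Point it at each listening TLS port of the appliance (management interface, captive portal, SSL VPN portal) after the update; every port should report "not offered".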
Barracuda NextGen Firewall X-Series version 6.8.3.004 is a maintenance release and contains no new features.
Firmware Improvements
Updated glibc library to mitigate potential remote code executions via specially crafted DNS response messages. (CVE-2015-7547)
Barracuda NextGen Firewall X-Series version 6.8.3.003 is a maintenance release and contains no new features.
Firmware Improvements
Entering the certificate name and SUBALT name in the TS Agent authentication advanced settings now works as expected. (BNF-6061)
Entering data in the time dialogues using Firefox browsers now works as expected. (BNF-6054)
Updated online help for the HTTPS Configuration on the FIREWALL > Captive Portal page to match the UI. (BNF-6006)
Removing certificates assigned to the VPN service now works as expected. (BNF-5994)
Accessing ADVANCED > Backup via Barracuda Cloud Control now works as expected. (BNF-5976)
Barracuda NextGen Firewall X-Series version 6.8.2.009 is a maintenance release and contains no new features.
Firmware Improvements
Updated glibc library to mitigate potential remote code executions via specially crafted DNS response messages. (CVE-2015-7547)
Updated BIND to fix the security vulnerabilities CVE-2015-8704 and CVE-2015-8705. (BNF-6139)
The SIP proxy now passes the correct connection information to internal phones. (BNF-5962)
Barracuda NextGen Firewall X-Series version 6.8.2.007 is a maintenance release and contains no new features.
Firmware Improvements
URL Filter Overrides grant temporary access to otherwise blocked URL categories. URL categories that are set to the override policy redirect the
user to the customizable Override Block page. The override admin must grant the request for a specified time. After the request is granted, the
user is automatically forwarded to the website. Overrides are always granted for the entire URL category.
For more information, see URL Filtering in the Firewall, How to Configure URL Filter Overrides and How to Grant URL Category Overrides - User
Guide.
Wi-Fi AP Authentication
The Barracuda NextGen Firewall X-Series can authenticate users by using the authentication information from Aerohive, Aruba, and Ruckus
wireless access points.
Firmware Improvements
It is no longer possible to create static interfaces using main as the interface name. (BNF-5918)
Creating access rules no longer shows a warning in Firefox. (BNF-5910)
Disabling SSLv3 in ADVANCED > Secure Administration now works as expected. (BNF-5908)
Added option to use a VLAN interface for PPPoE connections. (BNF-5890)
Initiating a manual backup no longer changes the language of the web interface to the default language of the browser. (BNF-5855)
The Protect my Network wizard now shows the correct error message when configuring overlapping subnets. (BNF-5829)
Editing list-based application objects now works as expected. (BNF-5816)
Accessing the recovery console via directly attached VGA monitor and keyboard now works as expected. (BNF-5775, BNF-5813)
Enabling Barracuda Web Security Service now works as expected. (BNF-5798)
It is now possible to enter up to four DNS servers in the DHCP subnet configuration. (BNF-5763)
It is now possible to change the local certificate used for client-to-site VPN connections. (BNF-5749)
Newly created access rules are now displayed correctly in the ruleset. (BNF-5728)
Spotify on iOS devices is now detected correctly. (BNF-5554)
Updated OpenSSL to version 0.9.8zf to fix multiple vulnerabilities. (BNF-4718, BNSEC-5294)
Barracuda NextGen Firewall X-Series version 6.8.1.008 is a maintenance release and contains no new features.
Firmware Improvements
Barracuda NextGen Firewall X-Series version 6.8.1.005 is a maintenance release and contains no new features.
Firmware Improvements
It is now possible to set 0.0.0.0/0 as remote gateway IP address for IPsec VPN connections.
Barracuda NextGen Firewall X-Series now supports SHA256 and SHA512 as a choice for VPN site-to-site hash algorithms.
Changed the Block Page editor font to be monospace instead of proportional. (BNF-5692)
Added a user authentication timeout to the Web Security Service settings so that customers can decide for how long the userid
submitted to the Web Security Service should be considered valid. (BNF-5669)
Changed the default in the Certificate Manager for creation of new certificates. The check box: Disallow Private Key Download is now
enabled per default for newly uploaded or created certs. (BNF-5731)
Log file rotation now works and starts as expected. (BNF-5759)
Fixed an issue where under heavy load the logs could fill up the log space before being automatically deleted. (BNF-5745)
Fix for CVE-2015-5477 (BIND TKEY query denial of service). (BNF-5753)
Fixed an issue where the VPN wizard created a certificate in the Certificate Manager that could not be deleted. (BNF-5744)
Fixed an issue where DHCP over a Wi-Fi interface that is also part of a bridge setup did not work correctly after box reboot. (BNF-5741)
Fixed an issue where the pop-up dialog for time and date in BASIC > Administration > TIME settings disappeared before the user could
enter data. (BNF-5740)
Fixed an issue where the VPN CERTIFICATE POOL check failed when default was selected as certificate. (BNF-5715)
Fixed an issue where the Certificate Manager on model X100 showed SSL-VPN as usage although the X100 does not support SSL
VPN. (BNF-5712)
Fixed an issue where it was not possible to add more than one SRV DNS record in the Authoritative DNS configuration. (BNF-5708)
Fixed an issue where the Summary screen of the Protect my network wizard contained incorrect information. (BNF-5700)
Safe Search
Protect users behind a Barracuda NextGen Firewall X-Series from undesired content in search results by enabling Safe Search for the access
rules handling web traffic. No configuration is required on the clients. The necessary parameters are automatically appended to the URL when
the request is forwarded by the X-Series Firewall. Safe Search is supported for Google, Bing, and Yahoo search engines.
For more information, see How to Enforce Safe Search in the Firewall.
The Barracuda NextGen Firewall X-Series can transparently add YouTube for Schools restrictions for all connections the X-Series
Firewall forwards to YouTube without the need to configure the clients. YouTube for Schools is configured directly in the access rules matching
HTTP and HTTPS traffic connecting to YouTube.
For more information, see How to Enforce YouTube for Schools in the Firewall.
You can customize the block pages for Virus Scanner, URL Filter, Application Control, and SSL Inspection. Each page has a predefined list of
placeholder objects that are replaced on-the-fly by the Barracuda NextGen Firewall X-Series when the block page is delivered to the client. HTTP
connections blocked by a Block or Reset access rule can be redirected to an HTTP block page.
Transparent Redirection
The Barracuda NextGen Firewall X-Series can transparently redirect all HTTP and HTTPS traffic to a Barracuda Web Filter or any other HTTP or
HTTPS processing device. The Web Filter can then process the HTTP/HTTPS request using the original source and destination IP addresses.
This allows the Web Filter to create meaningful statistics and connection information.
For more information, see How to Configure a Transparent Redirection to a Barracuda Web Security Gateway.
Schedule Objects
Schedule objects are used as an additional matching criterion to restrict access and/or application rules to specific times and intervals. Schedule
objects offer time granularity in minutes and completely replace time objects.
Firmware Improvements
The Connection Object pop-over no longer displays the section title twice. (BNF-5622)
Setting encryption settings for the Captive Portal now works as expected. (BNF-5620)
It is now possible to create certificate signing requests (*.csr) with the Certificate Manager. (BNF-5598)
Added support for SHA256 and SHA512 to Phase 2 of the IPsec site-to-site configuration. (BNF-5595)
It is now possible to restart the authentication service on the ADVANCED > Expert Settings page. Append &expert=1 to the URL to
enable expert mode. (BNF-5592)
Encapsulation for IPsec tunnels using NAT-T is now set correctly. (BNF-5571, BNF-5495)
Cloning Application Based Connection Objects now works as expected. (BNF-5559)
Migrating SSL Interception certificates containing multiple (intermediate) certificates now works as expected. (BNF-5541)
Alerts listed on the BASIC > Alerts page are now sorted from newest to oldest. (BNF-5536)
The Directory browser now also works in combination with DC Agent authentication. (BNF-5513, BNF-5401)
It is now possible to use an @ in the SSID name. (BNF-5511)
Client-to-Site VPN traffic is no longer blocked if there is a MAC-based access rule. (BNF-5479)
Health check for external zones now works as expected. (BNF-5339)
Client-to-Site IPsec PSK connections no longer fill up the hard drive with excessive logging. (BNF-5241)
YouTube for Schools now works as expected when applying configuration changes to the unit. (BNF-5670)
If the VPN Certificate Pool on the VPN > Settings page is set to default, make a dummy change to the VPN > Client-to-Site VPN
configuration.
After saving an access rule or application policy for which you used the inline Create New feature, you must reload the page twice for the
rule or policy to be displayed in the ruleset.
The Barracuda NextGen Firewall X-Series is designed to be used with a display resolution of 1280x1024 or higher. Use the browser
zoom function to use the management interface on screens with a lower resolution.
When editing an access rule on a screen with a resolution of less than 1280x1024, the browser zoom function must be used to view the
entire pop-over.
Safe Search cannot be enforced on Google Chrome browsers using the experimental QUIC protocol. Blocking UDP ports 80 and 443 for
clients using Google Chrome resolves this issue, because Chrome then falls back to HTTP over TCP, which the firewall can rewrite.
Smaller Barracuda NextGen Firewall X-Series models may take up to 10 minutes to verify the update package causing a browser
timeout. Log in again to apply the update.
The SIP proxy cannot be used for external Barracuda Phone appliances. Use access rules to open the necessary ports instead.
If appending a port to the first target IP address of a DNAT access rule, the port is applied to all target IP addresses.
Barracuda NextGen Report Creator is only available for Windows 7, 8, and 8.1.
Inline editing or creation of connection objects is not possible for application-based connection objects.
Application-based connection objects cannot be renamed.
Application-based connection objects must be saved before adding link policy objects.
Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the
process takes longer, please contact Barracuda Networks Technical Support for further assistance.
Application-based connection objects allow you to select the Internet connection based on the application. Application-based link policies can be
defined for individual applications or application categories. Traffic that does not match one of these policies is sent using the default connection
object.
Certificate Manager
The Barracuda Firewall uses the Certificate Manager as a central repository to manage all X.509 certificates on the device. You can create
self-signed certificates or upload your own certificates. All certificates are available for all Barracuda Firewall services, as long as they meet the
requirements for that service.
For more information, see How to Use and Manage Certificates with the Certificate Manager.
Email Notification
To redirect to more than one server in cycle (round robin) or fallback mode, you can enter multiple IP addresses or use a network object
containing multiple IP addresses for DNAT access rules. It is also possible to redirect to a different port by appending the port after the IP
address.
The DHCP server configuration has been reworked to improve usability. The DHCP server subnet list now also shows which port is used by the
DHCP subnet.
The DNS server now allows you to distinguish between internal, external, and combined zones on a per-domain basis and automatically creates
PTR records when creating A records.
Enabling split tunnel mode for a Client-to-Site VPN routes only the client's traffic for the networks published for the Client-to-Site VPN through
the tunnel. This feature is available only for Windows clients using the full-featured Barracuda Network Access Client.
The Barracuda Firewall SSL VPN mobile portal provides a user-friendly interface with a service bar where users can launch available web
resources that have been made accessible by the Barracuda Firewall. Users can navigate through the resources and add shortcuts to a favorites
list. The Barracuda Firewall SSL VPN mobile portal supports most commonly used devices, e.g., Apple iOS, Android, and BlackBerry.
For more information, see SSL VPN for the Barracuda NextGen Firewall X, Mobile Portal User Guide and Supported Mobile Devices.
The Barracuda Firewall now automatically creates up to 24 hourly backups directly on the local disk of the unit. These backups can be restored
directly via Web UI or from the recovery console.
For more information, see How to Backup and Restore the Barracuda NextGen Firewall X.
Firmware Improvements
Improved stability of the virus scanner engine during pattern updates. (BNF-5175)
Using the URL Filter when accessing heavy, interactive websites now works as expected. (BNF-5276)
You can now block just a subset of a URL. (BNF-5269)
The SIP Proxy now reacts gracefully when failing to open additional dynamic ports. (BNF-5220)
Custom application objects are now displayed correctly in the Application and Details columns on the BASIC > Active and Recent
Connections pages. (BNF-5193)
A warning popup is displayed when an SNMP source IP address is not a part of the Management ACL. (BNF-4881)
Added popup to advise user to enable TCP Stream reassembly when enabling virus scanning in the Firewall. (BNF-4859)
DC Agent authentication now works as expected. (BNF-4845)
It is now possible to use * wildcards when filtering on the BASIC > Active and Recent Connection pages. (BNF-4723)
MSAD authentication now supports multi-domain login management by enabling Check Domain Names in the MSAD configuration.
(BNF-4690)
Yahoo Japan (yahoo.jp), Yahoo Mail Japan, and AOL Japan (aol.jp) are now detected by Application Control. (BNF-4683)
The support tunnel now reliably starts when triggered via the WebUI. (BNF-4644)
Editing service objects now works as expected. (BNF-4598)
The Directory Browser now correctly displays error messages. (BNF-4565)
Reverse Lookup zones are automatically created when adding an A-type DNS record. (BNF-4252)
Filtering for information contained in the Info column on the Recent Connections page now works as expected. (BNF-4217)
Added a validation check to avoid the HA partner from being excluded by the Management ACL. (BNF-4148)
In an HA cluster the Wi-Fi ticketing information is now synced to the secondary box. (BNF-3733)
When using Barracuda Cloud Control, the secondary unit of an HA cluster now mirrors the behavior of standalone secondary units.
(BNF-2636)
PPTP clients now show the username in the Name column on the VPN > Active Clients page. (BNF-1386)
If you are using an intermediate certificate bundled with a root certificate, or a certificate chain, as the SSL Inspection root certificate, the
certificate is not migrated to the new Certificate Manager. You must re-upload the complete certificate bundle to the new Certificate
Manager.
In some cases, certificates with an expiration date after 01.01.2038 are unusable after updating from 6.6.2 to 6.7.0.
Smaller Barracuda Firewall models may take up to 10 minutes to verify the update package, causing a browser timeout. Log in again to
apply the update.
The SIP proxy cannot be used for external Barracuda Phone appliances. Use access rules to open the necessary ports instead.
If appending a port to the first target IP address of a DNAT access rule, the port is applied to all target IP addresses.
Barracuda Report Creator is only available for Windows 7, 8 and 8.1.
Creating / Editing Firewall Access Rule: In the "Connection" section, inline creation only allows you to create a regular connection object,
not an application-based connection object.
Inline editing of connection objects is not possible for application-based connection objects.
Application-based connection objects cannot be renamed.
Application-based connection objects must be saved before adding link policy objects.
The Certificate Manager and application-based connection objects currently cannot be configured via Barracuda Cloud Control.
In rare cases, using the Ping, Telnet, or Dig commands in ADVANCED > Troubleshooting results in an empty pop-up window. Clicking
Reload in the BASIC > Administration tab resolves this issue.
Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the
process takes longer, please contact Barracuda Networks Technical Support for further assistance.
Security Advisories
6.6.2.008 includes OpenSSL updates to fix vulnerabilities described in the following security advisories:
CVE-2015-0286
CVE-2015-0287
CVE-2015-0289
CVE-2015-0292
CVE-2015-0293
All Barracuda Firewalls automatically received BNSEC-2.1.15715 (2015-01-30) to fix vulnerabilities described in security advisory
CVE-2015-0235 (GHOST). If you disabled Automatic Updates, update to version 6.6.1.002.
6.6.0.019 includes updates to mitigate potential man in the middle attacks due to security vulnerability CVE-2014-3566 (POODLE). The
following software modules are vulnerable to attacks described in the security advisory:
User Interface – As of version 6.6.0.019, SSLv3 is disabled by default. If you must support older browsers without
TLS support, you can enable SSLv3 in the expert settings on the ADVANCED > Secure Administration page.
Append &expert=1 to the URL to display expert variables.
SSL VPN, Captive Portal, and Guest Access – Old browsers that include support only for SSLv3 can connect to
these services by using the SSLv3 protocol. Connections by browsers supporting the newer TLS protocols are not
allowed to fall back to SSLv3.
Barracuda Firewall version 6.6.2.008 is a maintenance release and contains no new features.
Firmware Improvements
Improved HTTP and HTTPS stability and connectivity when using SSL Inspection and Virus Protection in the Firewall. (BNF-4860)
It is now possible to use more than 64 URL Filter whitelist or blacklist entries. (BNF-4877)
Content of predefined Service objects is now displayed as expected. (BNF-4556)
DC Agent authentication now works as expected. (BNF-4865)
Using wildcard characters on the Live and Recent Connection pages now works as expected. (BNF-4632)
Joining the Barracuda Web Security Service now works as expected. (BNF-4876)
Improved connection handling for MSAD authentication. (BNF-4778)
Enable TCP Stream Reassembly in FIREWALL > Settings if you are using Virus Protection in the Firewall.
The Path of a custom application object must be entered without the leading / and with any wildcard characters (* and ?) that are part of
the path escaped with a backslash (\). For example, if the URL is https://example.com/user/search.do?resetForm=yes, the path can be entered
as user/search.do\?resetForm*, where * is used as a wildcard character and ? is escaped with a backslash because it is part of the
original URL. An unescaped ? is treated as a wildcard and therefore matches more paths than intended.
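To make the escaping rule concrete, the following Python snippet is an added example, not code from the Barracuda documentation or product. It converts a URL into the Path form described above and then matches request URLs against such a pattern, so that the difference between user/search.do\?resetForm* and the unescaped user/search.do?resetForm* can be seen on real input. That an unescaped ? stands for exactly one character is an assumption; the note only says it is a wildcard. The example URLs are constructed.

```python
import re
from urllib.parse import urlsplit

WILDCARDS = "*?"


def _request_path(url):
    """Path plus query of a URL, without the leading '/', which is the part a
    custom application object's Path is matched against."""
    parts = urlsplit(url)
    target = parts.path.lstrip("/")
    if parts.query:
        target += "?" + parts.query
    return target


def url_to_app_path(url):
    """Turn a full URL into a literal Path value: drop scheme, host and the
    leading '/', and escape every '*' or '?' so it is matched literally."""
    raw = _request_path(url)
    return "".join("\\" + ch if ch in WILDCARDS else ch for ch in raw)


def path_pattern_to_regex(pattern):
    """Compile a Path pattern: unescaped '*' matches any run of characters,
    unescaped '?' one character (assumed), and '\\*' / '\\?' the literal
    characters. Everything else is matched literally."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in WILDCARDS:
            out.append(re.escape(pattern[i + 1]))  # escaped wildcard: literal
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out))


def path_matches(pattern, url):
    """True if the request URL's path+query matches the Path pattern."""
    return path_pattern_to_regex(pattern).fullmatch(_request_path(url)) is not None
```

The last two assertions in the accompanying check show the failure mode: with the ? unescaped, a URL whose path has an X where the ? should be is still classified as the application, which is the kind of over-broad object that lets unrelated traffic inherit an application policy.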
Barracuda Firewall version 6.6.1.005 is a maintenance release and contains no new features.
Firmware Improvements
It is now possible to open the support tunnel via Barracuda Cloud Control. (BNF-4918)
Changing timezone and management IP address via wizard now works as expected. (BNF-4964)
The Test at my desk wizard no longer offers the option to set the default gateway. (BNF-4953)
DNS servers are optional in the Basic Setup Wizard. (BNF-4952)
Checking the Barracuda Web Security subscription expiration now works as expected. (BNF-4977)
The offline activation link is no longer shown in the dashboard. (BNF-4951)
Barracuda Firewall version 6.6.1.002 is a maintenance release following 6.6.1.001 EA to fix the security vulnerability described in CVE-2015-0235
(GHOST).
To make setting up a new Barracuda Firewall easier, the new Basic Setup Wizard will guide you through configuring all basic settings required to
get up and running. You can also launch the Wizard from the ADVANCED > Wizard page.
Firmware Notification
The Barracuda Firewall now notifies the admin if a new firmware version is available. If automatic updates for Security Definitions are disabled,
you will also be notified if new Security Definition updates are available.
Virus Protection
The Barracuda Firewall now scans these additional MIME types by default:
MS Office
Android APK
PDF
Firmware Improvements
Web Interface
Opening a support tunnel in the web interface now works as expected. (BNF-4663)
BASIC > Active Connections now display values in the Bytes/s column as expected. (BNF-4596)
Filters for the Info column on the BASIC > Recent Connections page now work as expected. (BNF-4577)
Testing the configuration for external authentication servers defined in Users > External Authentication no longer returns false positives. (BNF-4566)
The SSL Inspection section on the FIREWALL > Settings page now displays as expected when using Mozilla Firefox. (BNF-4543)
Input validation was fixed to avoid Active Directory users in the DOMAIN\user format. (BNF-4415)
Increased web interface timeout to fix "Internal Error Occurred" messages. (BNF-4333)
Save and Cancel buttons are now disabled after the form has been submitted. (BNF-4286)
Firewall
Adding additional entries to an existing NAT object now works as expected. (BNF-4503)
Redirect to Service access rules that redirect to the SSL VPN service now work as expected when the Barracuda Web Security Service is enabled. (BNF-4410)
Fixed rare Traffic Shaping issue causing the system to crash. (BNF-4393)
By default, SSLv3 is disabled for SSL Inspection to mitigate the OpenSSL POODLE vulnerability. If needed, you can enable SSLv3 for SSL Inspection in FIREWALL > Settings. (BNF-4641)
Barracuda OS
Network interruptions no longer occur on Barracuda Firewalls that do not have a Web Security Subscription. (BNF-4665)
Dynamic network interfaces with PPTP enabled no longer start automatically when the connection start method is set to manual. (BNF-4497)
MS-CHAP authentication configuration no longer requires a WINS server. (BNF-4463)
Health State for the Barracuda Firewall is now displayed as expected on the Status page of the Barracuda Control Center. (BNF-4510)
Charts on the Status page now display as expected in the Barracuda Control Center. (BNF-4510)
Help button now works as expected in Barracuda Cloud Control. (BNF-4511)
Report Creator
The login to the Barracuda Firewall from the Barracuda Report Creator works as expected. (BNF-4417)
Unauthenticated users are now able to connect via Web Security Service when Enforce Authentication is set to No and Include User Information is set to Yes. (BNF-4317)
Firmware Update – Your session may time out during verification of the update package on the smaller X100 and X200 Barracuda
Firewalls. Log in again to complete upgrading.
If you are experiencing problems with accessing streaming video or audio for connections using SSL Inspection, enable TCP Stream
Reassembly in FIREWALL > Settings.
Virus Protection
The Barracuda Firewall now supports virus protection both on the box and in the cloud using the Barracuda Web Security Service. On-box virus protection is enabled individually for each access rule. If a virus or malware is detected, the file is discarded and the user is redirected to a block page. Detected viruses and malware are displayed on the BASIC > Recent Threats page. An active Web Security subscription is required to use virus protection on the Barracuda Firewall.
SSL inspection can now be used in combination with virus protection and the Intrusion Prevention System (IPS). If you do not want to scan certain websites, you can now define URL Filter categories that are exempted from SSL inspection.
Authoritative DNS
The updated ADNS service can now serve ADNS requests on both static and dynamic interfaces. You can define a health check per IP entry in a
DNS record. IP entries for which the health check fails are excluded from DNS responses.
The Terminal Server Agent allows the Barracuda Firewall to enforce user policies for users logged in to a Microsoft Terminal Server 2008 R2 or newer. The Barracuda Terminal Server Agent on the Microsoft Terminal Server transmits all user information to the Barracuda Firewall over an optionally SSL-encrypted connection.
The Barracuda Firewall now provides more control and access to advanced settings for the SIP proxy.
You can now define health check targets for static routes. The Barracuda Firewall periodically pings all IP addresses defined as reachable IPs for the custom route. When one or more of these IP addresses are no longer reachable, the route is disabled until they are reachable again. You can define the health check targets by clicking Options next to the custom route and adding IP addresses to the reachable IPs list.
It is now possible to create client-to-site VPN connections by using the Remote Access For my Users wizard (ADVANCED > Wizards). The
wizard will guide you through the process of creating a client-to-site VPN for your mobile devices and remote users.
The Barracuda Firewall now provides additional DHCP options. Vendor Options and Client IDs can now be specified in the DHCP server
configuration.
To simplify the creation of user and group policies the Barracuda Firewall now provides an easy-to-use interface to search through your LDAP or
Active Directory servers. Users and groups can be added directly from the authentication browser to user objects.
Firmware Improvements
Web Interface
Firewall
Fixed activating/disabling redirect-to-service access rule for Barracuda Web Security Service. (BNF-3786)
Barracuda OS
The Protect My Network wizard now works as expected when creating a new interface of the same type on the same interface. (BNF-3926)
DHCP Server
QoS
Values entered for QoS Choke Limit are now validated correctly. (BNF-4073)
QoS Internet Degradation Threshold now works as expected. (BNF-4056)
Fixed the QoS profile for system updates. (BNF-3976)
Resetting the QoS values now works as expected. (BNF-3820)
Bandwidth Policies are now displayed and assigned correctly. (BNF-3685)
High Availability
Users > Guest Access Login page options are no longer editable on the secondary HA unit. (BNF-3919)
PPTP options are no longer editable on the secondary HA unit. (BNF-3918)
Forwarding Proxy settings are no longer editable on the secondary HA unit. (BNF-3917)
SNMP Manager settings are no longer editable on the secondary HA unit. (BNF-3916)
VPN
Static IP address assignment is no longer allowed when using PPTP with MS-CHAPv2 or NTLM authentication. (BNF-3876)
Uploading password protected PEM certificates is no longer allowed. (BNF-3757)
Fixed automatic network objects for site-to-site VPNs. (BNF-3711)
Displayed route status for PPTP client-to-site VPN interface fixed. (BNF-3642)
SSL VPN
The Tunnel Client Application parameter is no longer disabled after selecting IMAP4, POP3 and SMTP for an application resource. (BNF-3915)
Fixed missing WebDAV sharename parameter when editing Network Places. (BNF-3914)
Wi-Fi
A warning message displays if you try to edit a static Wi-Fi interface or a DHCP Server configuration using a disabled Wi-Fi interface. (BNF-4051)
Fixed Wi-Fi configuration validation. (BNF-4030)
Guest Networks
RADIUS authentication now works with the captive portal as expected. (BNF-3905)
The Wi-Fi networks are now selectable as a guest network. (BNF-3861)
Captive portal authentication errors are now logged to LOGS > Authentication Log. (BNF-3434)
Backup
Firmware Update – Your session may time out during verification of the update package on the smaller X100 and X200 Barracuda
Firewalls. Log in again to complete upgrading.
Backup – It is not possible to restore old 6.0.X, 6.1.X or 6.5.X backups on a Barracuda Firewall using firmware 6.6.0 or newer.
Barracuda Report Creator – Only available for Microsoft Windows 7 and 8.
Web Interface – On the BASIC > Active Connections page the Bytes/s column always shows 0.00.
Notifications – System alert email notifications are currently not correctly delivered to configured recipients.
Traffic Shaping (QoS) – Go to FIREWALL > QoS and do a dummy change to activate new QoS settings for firmware updates.
Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the
process takes longer, please contact Barracuda Networks Technical Support for further assistance.
6.5.3.002 includes updates to mitigate potential man-in-the-middle attacks due to a security vulnerability in the SSLv3 protocol. Some software modules of the Barracuda Firewall are vulnerable to the attacks described in the security advisory CVE-2014-3566 (POODLE).
Barracuda Networks highly recommends updating your Barracuda Firewall to version 6.5.3.002.
User Interface – Starting with version 6.5.3.002, SSLv3 is disabled by default. If you must support older browsers without TLS support, you can enable SSLv3 in the expert settings on the ADVANCED > Secure Administration page. Append &expert=1 to the URL to display expert variables.
SSL VPN, Captive Portal and Guest Access – Old browsers that only support SSLv3 can connect to these services using the SSLv3 protocol. Connections by browsers supporting the newer TLS protocols are not allowed to fall back to SSLv3.
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
When the Barracuda Firewall is not connected to the Internet or has no route to the Internet, network configuration now works as expected. (BNF-4426)
It is now possible to configure Static Network Interfaces on unactivated Barracuda Firewalls. (BNF-4482)
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
Web Interface
Firmware Improvements
Web Interface
The user interface now displays warning messages if disabled static Wi-Fi interfaces are configured. (BNF-4050)
The Wi-Fi configuration now works as expected. The number sign (#) is no longer supported in pre-shared keys, location information is now mandatory, the SSID must be unique across all Wi-Fi access points, and the Wi-Fi configuration automatically enables corresponding DHCP ranges if configured. (BNF-4029)
The Preferences configuration of IPS events now works as expected. (BNF-3086)
Redirect to Guest Ticketing now also works on a Barracuda Firewall X100. (BNF-4028)
Barracuda OS
Updating Barracuda Firewalls deployed behind a proxy server now works as expected. (BNF-3964)
Support tunnels can now also be initiated from a secondary unit of a HA cluster. (BNF-3870)
Configuration backups erroneously included secondary management IP addresses of the unit. (BNF-4017)
DHCP
The DHCP service now starts correctly if the configuration contains a disabled Wi-Fi interface. (BNF-3963)
Firmware Improvements
Web Interface
When saving a form the Save and Cancel buttons can no longer be clicked multiple times. (BNF-4285)
Firmware Improvements
Logout button in Basic > User Activity now works as expected. (BNF-3596)
It is no longer possible to change the management IP address when using the Barracuda Cloud Control. (BNF-3608)
Network interface configuration is now disabled when displayed in group context on the Barracuda Cloud Control. (BNF-3607)
Showing two identical static network interfaces in group context on Barracuda Cloud Control now works as expected. (BNF-3653)
Network, service, connection, NAT and user objects now work in group context on the Barracuda Cloud Control. (BNF-3640)
Web Interface
Barracuda OS
Upgrade of OpenSSL to fix CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470 and
CVE-2014-0076. (BNF-3714)
Authentication Logs now contain information on captive portal authentications. (BNF-2719)
Querying multiple domain controllers now works as expected even if the user credentials are not valid for one of the domain controllers. (BNF-3688)
Firmware Upgrades are no longer possible if a network activation is still outstanding. (BNF-3584)
Firewall
VPN
SSL VPN
Fixed an issue where the SSL VPN service did not handle requests until it was restarted. (BNF-3701)
Added SharePoint type for webforwards. (BNF-3799)
High Availability
Barracuda Cloud Control – In some cases the labeling of the time axis in the FIREWALL STATISTICS element on the Status page in the Barracuda Cloud Control is illegible.
Barracuda Cloud Control – It is not possible to directly show the list of Recent Connections for a detected application from the Application Monitor page in the Barracuda Cloud Control.
Guest Access – The ticketing web interface is not accessible on the management interface.
Backup – It is not possible to restore old 6.1.X or 6.0.X backups on a Barracuda Firewall using firmware 6.5.0 or newer.
VPN – When using the Barracuda VPN client it is currently not possible to connect to a client-to-site VPN using user/password and client certificate authentication.
Barracuda Report Creator – Only available for Microsoft Windows 7 and 8.
The 6.5 firmware includes a completely redesigned user interface. The updated user interface is now even easier to use, as it uses a new visual style, icons and popover screens instead of popup windows. The BASIC > Status and BASIC > Application Monitor overview pages are built out of small movable and configurable elements. Each element contains specific information such as connections, blocked applications, link status and many more. Elements can be dragged and dropped freely on the status page. You can also remove or add application monitor elements to the dashboard.
Application Control
Barracuda Firewall 6.5.0 integrates the updated Application Control engine into the core firewall. The Barracuda Firewall can now identify and enforce more than 1200 applications, even those that may hide their traffic inside otherwise "safe" protocols such as HTTP. You can define dynamic application policies to establish acceptable use policies for users and groups by application, application category, location or time of day.
Use the new application monitor to analyze application traffic and receive real-time and historical information on traffic passing through your Barracuda Firewall. Drill down through the application data by using filters based on a combination of user, time, application or risk factor. Up to 20 of these customized elements can be included on your dashboard to offer an instant system and network overview every time you log in to your Barracuda Firewall.
URL Filter
With the Barracuda Firewall 6.5.0 customers with an active Web Security subscription now have the option to use the URL Filter on the
Barracuda Firewall itself, instead of having to route all internet traffic through the Web Security Service cloud. The on-box URL Filter is tightly
integrated with application control in the firewall and allows creation and enforcement of effective Internet content and access policies based on
the Barracuda URL database. The URL database is hosted in the cloud and continuously updated by Barracuda Networks, ensuring that your
policies are always using the latest information. URL categorization performs an online lookup of the categorization for the domain in question
and the Barracuda Firewall subsequently caches this categorization information.
To make it easier for your Apple iOS or Android device to remotely connect to your network you can use the new client-to-site IPsec VPN with
pre-shared keys. You do not have to manage X.509 certificates which have to be installed on the mobile devices.
As of Barracuda Firewall Release 6.5.0 there is no longer any need to create specific firewall rules to allow network traffic between two networks connected via VPN. The Local Networks and Remote Networks defined in the site-to-site VPN configuration are added automatically to the newly created dynamic network objects. The VPN-SITE-2-SITE firewall rule is disabled by default and enabled automatically when a site-to-site VPN is configured.
Reporting
Reporting is one of the major tasks to be managed in an enterprise. It is crucial to make bandwidth usage and all other security-related information visible and reportable, and to present it in an easy-to-read format. With Barracuda Firewall 6.5.0, the new Barracuda Report Creator, directly downloadable from the BASIC > Administration page, makes creating IT security reports on a regular basis easy. Simply select the appliances and the required types of reports, define the layout and way of delivery, and the Report Creator does the rest. (Please note that the Barracuda Report Creator is only compatible with Microsoft Windows 7 and 8.)
You now have the option to store your backups in the Cloud using your Barracuda Cloud Control account. Configure automated backups to
always have a working off-site configuration backup for your Barracuda Firewall, enhancing your data security.
If you are using one of the following features, complete the listed instructions to complete the migration:
Barracuda DC Agent – After the migration, do a dummy change in USERS > External Authentication > DC Agent to activate the automatic logout in case the DC Agent or the Active Directory server the DC Agent is installed on is not available.
Application Control – Before you can make use of the improved Application Control you have to migrate your existing firewall rules. A migration wizard will appear every time the BASIC > Status page is accessed until you complete the migration. If you do not want to migrate these settings at the time of the upgrade, you can continue using Application Control in legacy mode. However, certain functionality (such as the new BASIC > Status page) will not be available until the migration has been completed. During the migration the application control logic is transferred to the new FIREWALL > Application Policy page. Due to the different and enhanced functionality it is not possible to provide an automated migration. Parts of your application control settings will need to be redone after upgrading to 6.5.
VPN – If firmware version 6.5.0 was not preinstalled on your Barracuda Firewall, you must manually add the network objects VPN-Local-Networks and VPN-Remote-Networks as well as the firewall rule VPN-SITE-2-SITE to take advantage of automatic updates of the VPN network objects and firewall rule when creating a site-to-site VPN.
Fixed the error message that users who are not logged in would receive if the Include User Information option was set. (BNF-1835)
Fixed misleading error message when login to Barracuda Cloud Control fails. (BNF-3303)
In some cases it was not possible to see connection objects in the BCC. (BNF-2967)
The VPN > Certificates page is now displayed correctly in the Barracuda Control Center. (BNF-1788)
The NETWORK > DHCP Server page is no longer accessible when using group context in the Barracuda Control Center. (BNF-3636)
Adding identical configurations in group context now works as expected. (BNF-3653)
VPN
In some cases port 443 for client-to-site VPN was blocked. (BNF-2610)
VPNs using the blowfish cipher now work as expected. (BNF-3109)
Client-to-site VPN IPsec Phase 2 configuration is only mandatory if IPsec clients are enabled. (BNF-2415)
Wi-Fi
Improved Wi-Fi stability by fixing rekeying issues resulting from missing entropy. (BNF-2722)
Fixed issues resulting in kernel panics. (BNF-2721)
Changes to the Wi-Fi settings are now executed as expected. (BNF-3549)
Firewall
Web Interface
Firewall objects can no longer be deleted if they are still in use. (BNF-3169, BNF-3258)
It is no longer possible to delete all NTP server entries in Basic > Administration. At least one NTP server has to be configured at all times. (BNF-3120)
When downloading csv log files a different name is now used for every log file. (BNF-3138)
PPPoE username and password configuration in the Protect My Desk wizard now works as expected. (BNF-3297)
The Barracuda logo has been updated. (BNF-3549)
Fixed security vulnerability when invoking logout action. (BNF-3598)
Session termination in Active Connections now works as expected. (BNF-3695)
SIP Proxy
The SIP proxy will now be enabled if you enable the LAN-2-INTERNET-SIP or INTERNET-2-LAN-SIP firewall access rules. (BNF-2679)
SIP clients can now receive calls on non-standard SIP ports. (BNF-2879)
SIP video (multi-port) calls now work as expected. (BNF-3115)
DHCP
The DHCP server now checks if an interface is disabled when creating a DHCP service pool. (BNF-2709)
High Availability
The Advanced > Backup and Network > Bridging pages are now read only on secondary unit. (BNF-2820, BNF-3231)
Forwarding sessions on dynamic interfaces are no longer synchronized to secondary unit. (BNF-3386)
Barracuda OS
Upgrade of OpenSSL to fix a potential man-in-the-middle attack for SSL/TLS clients and servers. (CVE-2014-0224, BNSEC-4402, BNF-3713)
Upgrade of OpenSSL to version 1.0.1g to fix the OpenSSL Heartbleed bug. (CVE-2014-0160)
The syslog daemon now restarts automatically if needed. (BNF-2919)
RADIUS authentication now works as expected. (BNF-3224)
After a reboot due to a power outage the system clock will not be reset to UTC time anymore. (BNF-3367)
DynDNS over HTTPS now works as expected. (BNF-3524)
Fixed security issues for the captive portal and guest ticketing authentication pages. (BNSEC-4395, BNSEC-4402)
Barracuda Control Center – In some cases the labeling of the time axis in the FIREWALL STATISTICS element on the Status page in the Barracuda Control Center is illegible.
Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the
process takes longer, please contact Barracuda Networks Technical Support for further assistance.
6.1.7.003 includes an update of OpenSSL to fix a potential man-in-the-middle attack for SSL/TLS clients and servers. (CVE-2014-0224, BNSEC-4402, BNF-3715)
Some software modules of the Barracuda Firewall incorporate versions of OpenSSL that are vulnerable to the attacks described in security advisory CVE-2014-0160 (OpenSSL Heartbleed bug).
Barracuda Networks highly recommends updating your Barracuda Firewall to firmware version 6.1.5.005.
User Interface – Communication with the Barracuda Firewall's user interface could be eavesdropped on.
VPN – The VPN functionality of the Barracuda Firewall was never compromised, since the service uses OpenSSL version 0.9.8g. However, if the VPN service and management interface share the same certificate (the delivered default certificate), Barracuda Networks recommends also changing the VPN certificates as described below.
Actions required
1. Update your Barracuda Firewall to version 6.1.5.005. This will upgrade OpenSSL to version 1.0.1g, which is not vulnerable to the Heartbleed bug.
2. ADVANCED > Secure Administration – Replace the Barracuda Firewall's default certificate with a newly created Private (Self-signed) or Trusted (Signed by a trusted CA) certificate.
3. ADVANCED > Secure Administration – If you are using a Private (Self-signed) or Trusted (Signed by a trusted CA) certificate, you must replace it with a newly created certificate.
4. VPN > Certificates – Delete existing SAVED CERTIFICATES and create or upload new VPN certificates.
5. VPN > Site-To-Site – Reconfigure all IPsec tunnels to use the newly created certificates as Local Certificate and for authentication (if applicable).
6. VPN > Client-To-Site – Replace the Local Certificate with the newly created certificate. This applies to all client-to-site VPN access policies.
7. VPN > SSL VPN – Select the newly created certificate in the Server Settings tab.
8. FIREWALL > Captive Portal – Replace the Signed Certificate with the newly created certificate.
9. Barracuda Networks recommends following best practices and changing all passwords.
After installing release version 6.1.3.003 on your Barracuda Firewall, it is necessary to perform a configuration update to correctly apply all improvements.
Open USERS > External Authentication > DC Agent, perform a temporary configuration change of one of the available settings, and click Save Changes.
Important
Barracuda Firewall version 6.1.2.002 fixes a log rotation issue to prevent filling up the SSD. (BNF-2217)
Barracuda Networks strongly recommends updating to version 6.1.2.002 or contacting Barracuda Networks Technical Support for assistance.
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
Barracuda OS
Updated OpenSSL to fix a potential man-in-the-middle attack for SSL/TLS clients and servers. (CVE-2014-0224, BNSEC-4402, BNF-3715)
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
Barracuda OS
The default certificates have been re-keyed and re-issued. Old certificates are being revoked. After updating your Barracuda Firewall, all services using the unit's default certificates will automatically use the re-issued certificates. (BNF-3480)
Network
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
Barracuda OS
Update of OpenSSL to version 1.0.1g to fix the OpenSSL Heartbleed bug. (CVE-2014-0160)
Firewall
VPN
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
VPN
The VPN service with Local Address set to dynamic will now listen on every IP address. (BNF-3402)
Web Interface
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
Firewall
VPN
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
Web Interface
Adding source or destination networks with netmasks higher than /24 to firewall rules now works as expected. (BNF-2869)
The smart pre-submission input validation now also works correctly with DNAT firewall rules.
It is now possible to access release notes for the latest general and early release through the ADVANCED > Firmware Updates page. (BNF-2790)
Configuration wizards now finish successfully, even if the Barracuda Firewall receives wrong time information from an NTP server. (BNF-2777)
Viewing product documentation within the user interface now also works correctly when switching to a different language. (BNF-2672)
Adding Group Filter Patterns in USERS > External Authentication now works as expected. (BNF-3178)
VPN
It is now possible to add IPsec VPN tunnel remote IP addresses containing .255 octets. (BNF-2913)
The SSL VPN Java security warning no longer occurs after an update to Java 7 version 54 or higher. (BNF-3049)
Firewall
The SIP proxy now works as expected with SIP providers outside of internal network segments. (BNF-2859, BNF-2879, BNF-2691)
Fixed a display issue in the Basic > Active Connections screen. (BNF-2887)
Networking
Dynamic interface control commands in Network > IP Configuration now work as expected with multiple configured dynamic network interfaces. (BNF-2886)
High Availability
Static network interfaces introduced by a wizard are now correctly synchronized to the secondary Barracuda Firewall. (BNF-2797, BNF-2796)
When enabling an HA cluster, the firmware now performs a validity check to ensure that the units' Management IP addresses reside within the same network and subnet.
The SNMP service now works as expected and occasional crashes no longer occur. (BNF-2775)
When utilizing all three possible Wi-Fi Access Points, the Barracuda Firewall models X101 and X201 may freeze and/or crash under certain circumstances.
Security
Web Interface
The Barracuda Firewall user interface is now fully localized in Japanese. Note that entering multi-byte characters is not yet supported.
Guest networks for Wi-Fi networks can now only be configured in USERS > Guest Access. (BNF-2650)
Barracuda Firewall OS
Improved stability due to kernel upgrade and various improvements: Updated underlying Linux kernel to 2.6.28.
Time zone upgrades for South Africa and Israel per new 2013 DST settings.
Firmware Improvements
Web Interface
The configuration progress spinner animation now loads correctly while saving configuration changes. (BNF-2350)
High Availability
VPN
A certificate upload issue in VPN > Certificates was fixed. (BNF-2699, BNSEC-2398)
The Barracuda Firewall now accepts all ASCII characters, except #, as a Site-to-Site IPsec pre-shared key. (BNF-2648)
SSL-VPN now also supports RDP for Microsoft Windows Server 2003 editions and higher. (BNF-2731)
Firewall
Manually overriding bandwidth policies in Basic > Active Connections is now correctly disabled if QoS is disabled in the respective firewall rule. (BNF-2443)
Enabling or disabling PAT in Connection Objects now works as expected. (BNF-2668)
The configured name of dynamic network interfaces is now correctly displayed in NETWORK > Routing. (BNF-2713)
Authentication Services
Login information received from the Barracuda DC Agent now expires after a certain period of time. (BNF-2434)
When utilizing all three possible Wi-Fi Access Points, the Barracuda Firewall models X101 and X201 may freeze and/or crash under certain circumstances.
Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, upgrading can take up to 10 minutes. If the
process takes longer, please contact Barracuda Networks Technical Support for further assistance.
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
Firewall
The internal interface assignment of the QoS bandwidth policy Internet now works as expected. (BNF-2072)
Networking
The DHCP TFTP Host Name field now also accepts IP address and host name combinations. (BNF-2121)
VPN
Phase 2 settings of IPsec Site-to-Site VPN tunnels are now loaded correctly. (BNF-2098)
Administration
The Barracuda Firewall can now be connected to Web Security Service accounts containing a hash (#) in the password. (BNF-2098)
This firmware version is a maintenance release only. No new functionality has been added.
Security
Firmware Improvements
Web Interface
Firewall
The Active Connections screen now allows performing a Barracuda Labs reputation search for globally routable IP addresses. (BNF-1800)
The Weight setting of Connection Objects is now saved correctly. (BNF-1870)
ICMP reply packets from already terminated sessions no longer lead to orphaned sessions. (BNF-1833)
Networking
The DHCP server now consumes a lower amount of available memory. (BNF-1896)
Security
Firmware Improvements
This firmware version is a maintenance release only. No new functionality has been added.
Firmware Improvements
Web Interface
The Include User Information checkbox was permanently visible, although not available when using proxy forwarding. (BNF-1609)
Firewall
Networking
The DHCP service is now automatically restarted if a network activation occurs. (BNF-1591)
Source-based routing for certain multi-ISP configurations now works as expected. (BNF-1630)
Secondary IP addresses are now also available through the default network bridge P1-P3. (BNF-1668)
The DHCP server is now able to assign DHCP options 66 (TFTP server name), 67 (Bootfile name) and 150 (TFTP server address) to
clients. (BNF-1761)
These instructions are an expanded version of the Barracuda NextGen Firewall X-Series Quick Start Guide that was shipped with your
appliance. If you have already completed the steps in the Quick Start Guide, go to Step 4.
To get started with your Barracuda NextGen Firewall X-Series, you must complete the activation procedure and integrate the firewall into your
existing network. You can also directly replace an existing firewall if your ISP assigns the WAN IP address via DHCP. For all other types of
Internet connections, you must first complete activation and basic setup in the existing network. After completing the basic setup wizard, you can
evaluate the X-Series Firewall as a firewall, using one of the firewall configuration wizards, or as a remote access gateway, using the Remote
Access Gateway wizard.
Unpack the NextGen X-Series Firewall and verify that you have all of the following accessories:
Barracuda NextGen X-Series Firewall (verify that you have received the correct model)
AC power cord
Power supply (X100/X101/X200/X201 only)
Wi-Fi antenna (X101/X201 only)
Mounting brackets (X300 and above)
Ethernet cable
If any items are missing or damaged, contact your Barracuda sales representative.
The number of ports depends on your model. By default, the ports are configured as follows:
The X-Series Firewall must be assigned an IP address by a DHCP server in your network or a DHCP server of your ISP.
Configure your client PC to use the following static IP address configuration for the network interface connected to the firewall:
IP Address – 192.168.200.100
Netmask – 255.255.255.0
Gateway – 192.168.200.200
DNS Servers – Enter DNS servers in your network, or use public DNS servers such as the Google DNS servers 8.8.8.8 and 8.8.4.4.
Windows 8 / 8.1
You must have administrative rights to set the IP address on Microsoft Windows 8 / 8.1.
1. Open the Control Panel and click View network status and tasks. The Network and Sharing Center window opens.
2. In the View your active networks list, click on the name of the network interface connected to the firewall. For example, if you click
on Ethernet, the Ethernet Status window opens.
3. Click Properties and double-click on Internet Protocol Version 4 (TCP/IPv4). The Internet Protocol Version 4 (TCP/IPv4) Properties window opens.
5. Click OK.
The basic setup wizard automatically starts when you first log into the firewall.
5. Click Next.
6. (optional) Change the Management IP Address to match your existing network.
7. (optional) Change the Management Netmask to match the management network.
8. Enter the Primary and Secondary DNS Server.
If you changed the time zone, the X-Series Firewall will now reboot.
After the reboot, select a wizard for a customized setup, or configure the appliance manually:
As a firewall, by completing the configuration wizard matching your use case. For more information, see Deploy as Firewall.
As a remote access gateway using the Remote Access Gateway wizard. This wizard takes you through the necessary steps to configure
a client-to-site VPN. For more information, see Deploy as Remote Access Gateway.
The initial setup wizard automatically starts when you first log into the firewall and guides you through the first configuration steps. Use the
wizards to deploy the firewall into production or to evaluate it.
You can also start the wizards at a later time: Go to ADVANCED > Wizards.
The initial setup wizard automatically starts when you first log into the firewall. (When using another wizard, go to ADVANCED > Wizards, and
click Start to launch the wizard.)
Evaluation mode – Sets up the firewall for evaluation at your desk or in a test lab. All network traffic is transparently forwarded from
network interface p1 to p3. Verify p1 is connected to your LAN, and p3 to your test PC or test network.
Protect my network – Configures a primary and a secondary Internet uplink as well as up to two internal networks, including DHCP server configuration. To complete this wizard, the following information is required:
Local area network preferences (LAN IP address, gateway IP address, required DHCP settings)
Internet service provider (ISP) uplink information
Failover Internet service provider information (optional)
Manual configuration – Click Close to exit the setup wizard.
If administrators always use the same IP range, you can restrict access to the web interface of the firewall by specifying a range of allowed IP
addresses or networks to increase security.
Misconfigurations of the administrator IP/range may cause the management web interface of the firewall to be unreachable. Contact
Barracuda Networks Technical Support to recover connectivity.
You may need to complete the following tasks to finish the basic setup for your firewall:
If needed, configure additional WAN connections. For more information, see How to Configure WAN Interfaces.
If you are using VLANs, configure the virtual interfaces. For more information, see How to Configure a VLAN.
Configure free ports for other networks. For more information, see How to Configure Static Network Interfaces.
After setting up the firewall, explore the following areas to learn where to get necessary information when working with your firewall and its
services:
Subscription Status
To verify the status of your licenses, go to the BASIC > Status page and view the Subscription Status section. The status for all purchased
licenses displays as Current. While the firewall is connected to the Internet, it automatically downloads licenses. If the firewall cannot be
activated, please contact Barracuda Technical Support.
Firmware Update
Network
Network interfaces – Go to the NETWORK > IP Configuration page and view the Network Interface Configuration section.
Bridges – Go to the NETWORK > Bridging page. Before you deploy the firewall for use in production, delete the P1-P3 bridge.
Firewall
To monitor currently active and recently established and completed connections, go to the following pages:
For more information on the firewall and firewall rules, see Firewall.
Next steps
After setting up and exploring the firewall, you can complete the following tasks:
Connect the firewall to your existing authentication service or create a built-in database for user information. For more information, see Managing Users and Groups.
If supported by your firewall model, configure Wi-Fi. For more information, see How to Configure Wi-Fi.
Configure site-to-site VPN. For more information, see Site-to-Site VPN.
Configure client-to-site VPN access. For more information, see Client-to-Site VPN.
Link the firewall with your Barracuda Cloud Control account for central management and configuration. For more information, see How to Connect to Barracuda Cloud Control.
Configure the Barracuda Web Security Service, a cloud-based web filtering and security service. For more information, see How to Configure the Barracuda Web Security Service.
Set up an authoritative DNS. For more information, see Authoritative and Caching DNS.
Configure a DMZ. For more information, see How to Configure a DMZ.
Deploy the Barracuda NextGen Firewall X-Series as a remote access gateway for VPN traffic. The Remote Access Gateway wizard takes you
through the necessary steps to configure a client-to-site VPN and enable SSL VPN with support for CudaLaunch. A remote access premium
subscription is required.
If you are using Active Directory as your method of authentication, you need to have the Active Directory configuration information.
The network that the client-to-site VPN clients will be assigned to (client network).
The networks that will be available to the client-to-site VPN clients (published networks).
This wizard allows you to configure the Barracuda X-Series Firewall as a remote access gateway that can work in conjunction with your existing
firewall.
1. To launch the wizard, go to Advanced > Wizards and click Start next to Remote Access Gateway.
2. Enter the VPN IP address(es) for the VPN service. Click + after each entry.
3. Click Next.
4. Select the authentication Type for the VPN service. When choosing Local Authentication, enter Username and Password.
5. When choosing Active Directory, specify the following settings:
Domain Controller Name – Enter the fully qualified name of the domain controller.
Domain Controller IP – Enter the IP address of the domain controller.
When using SSL, the name should be used instead of the IP address.
Searching User – Enter the username of the MSAD searching user.
Searching User Password – Enter the password for the MSAD searching user.
Base DN – Enter the Distinguished Name (DN) at which to start the search in the LDAP database, specified as a sequence of
Relative Distinguished Names, connected with commas, with or without blank spaces. Make the base DN as specific as possible
in order to speed the lookup and avoid timeouts. For example, if your domain is yourcompany.com, your search base DN might
be as follows: DC=yourcompany, DC=com, OU=sales
Cache MSAD Groups – Enable caching of MSAD groups.
Offline Sync – Enable offline synchronization.
Use SSL – Select to use SSL for connections to the authentication server.
8. Click Next.
9. Configure the settings for SSL VPN:
a. Enable CudaLaunch to give end users remote access to corporate resources.
b. (optional) Customize the Welcome Message for the SSL VPN portal.
c. (optional) Customize the Help Text to be displayed to the user. Only ASCII characters are allowed in the Welcome Message and Help Text fields.
If administrators always use the same IP range, you can restrict access to the web interface of the Barracuda Firewall by specifying a range of
allowed IP addresses or networks to increase security.
Misconfigurations of the administrator IP/range may cause the management web interface of the firewall to be unreachable. Contact
Barracuda Networks Technical Support to recover connectivity.
Next Steps
Configure the SSL VPN resources: For more information, see SSL VPN.
From the NETWORK tab, you can view and configure the following basic network, connectivity, and service settings:
On the NETWORK > IP Configuration page, you can view a list of each network interface (static, dynamic and virtual) that has been configured
for the Barracuda NextGen Firewall X-Series. You can also configure the following basic network configurations:
Management IP Address – The management IP address is used to administer and configure the firewall from a web browser. For more information, see Getting Started with the Barracuda Firewall.
DNS Servers – The primary and secondary DNS server. You can also cache the DNS responses to speed up DNS queries. For more information, see Getting Started with the Barracuda Firewall.
Static Interface – Static interfaces for static IP addresses and networks. For more information, see How to Configure Static Network Interfaces.
Dynamic Interface – Dynamic interfaces for DSL, DHCP, or 3G. For more information, see How to Configure WAN Interfaces.
Virtual Interface – Virtual interfaces for VLANs. You must use properly configured 802.1q capable switches. For more information, see How to Configure a VLAN.
Wi-Fi Link – If available for your model, you can create up to three different Wi-Fi networks. For more information, see How to Configure Wi-Fi.
3G Network Interface – With a Barracuda M10 3G/UMTS USB modem, you can configure 3G connectivity. For more information, see How to Configure a 3G Dial-In Connection.
Network routes
On the NETWORK > Routing page, you can add static routes. For more information, see How to Configure a Static Route.
On the Routing page, you can also view the following tables for a list of network routes and network interfaces for the NextGen Firewall X-Series:
Table Description
Network Routes – This table contains all the routing information sorted by routing table. Routing information is processed from top to bottom.
Network Interfaces – This table contains all interfaces, their current state visualized by a graphical icon, and the IP addresses assigned to the interface.
Interface groups
For more information on interface groups, see How to Create Interface Groups.
Bridges
To transparently connect two networks, you can configure a bridge. For more information, see How to Configure a Bridge.
DHCP server
Every X-Series Firewall can act as a DHCP server. You can configure DHCP servers on a per-network basis. For more information, see How to
Configure the DHCP Server.
Authoritative DNS
You can configure a split level and authoritative DNS server. For more information, see Authoritative and Caching DNS.
Proxy
To free the local firewall capabilities of the X-Series Firewall, you can use the cloud resources of the Barracuda Web Security Service to intercept
and scan all HTTP and HTTPS traffic for malware. To use this service, you must have an additional Barracuda Web Security subscription. You
must also be connected to the Barracuda Cloud Control.
If you already have an ICP-enabled proxy server running in your network, see How to Configure a Forward Proxy.
By default, ports p2 and p3 are preconfigured. If you want to configure a WAN interface for either of these ports, you might need to remove the
default configurations:
Port p2 – Initially, the network interface for port p2 is configured as a dynamic network interface named dhcp. If you want to configure
either a static or other dynamic connection besides DHCP (PPTP or PPPoE) on port p2, delete the default DHCP interface.
Port p3 – Initially, port p3 is bridged to port p1. Both interfaces are also configured as management ports in the LAN. To use port p3 for another connection, delete the P1-P3 bridge. However, you might lose connectivity to the network from your administrative PC.
After removing the default configurations for ports p2 and p3, you can reconfigure them as WAN interfaces. For any other ports, just begin
configuring the WAN interface. You can configure the WAN interface with either static or dynamic IP address assignment.
Be sure to add the gateway to create the default route over the WAN interface, either when you add or edit a static network interface, or on the NETWORK > Routing page.
If you want to use port p2 or p3, first remove their default configurations.
The static WAN interface and ISP gateway for this example are shown in the following figure:
The interface must be configured on port p4 with an IP address of 69.122.23.58 and a netmask of 255.255.255.0 (or /24). The default gateway of
the ISP is 69.122.23.254.
Setting Value
After you connect the Barracuda USB modem to the X-Series Firewall, configure the provider settings. Then verify that the default network route
and network interface of the 3G WAN link have been successfully introduced and are available.
1. Follow the steps in the Barracuda 3G Modem Quick Start Guide to insert the SIM card into the Barracuda USB modem.
2. Connect the Barracuda modem to an empty USB port of the X-Series Firewall.
3. Connect the antenna to the Barracuda modem and place it in a stable location.
4. Restart your firewall so that it recognizes the Barracuda modem.
a. Go to the BASIC > Administration page.
b. In the System Reload/Shutdown section, click Restart.
Verify that the X-Series Firewall can establish an Internet connection and that the default network route was introduced.
If your ISP provides a modem, connect the Ethernet port of the modem to a free network interface on the back of your Barracuda X-Series
Firewall. Use the Ethernet cable that is delivered with the modem. If a cable was not delivered with the modem, determine if the modem must be
connected to another device with a standard Ethernet cable or a crossover cable.
Specify the Connection Timeout for this link. The connection timeout specifies the time in seconds that the firewall waits for an
IP address to be assigned. If the defined limit is exceeded, the link is marked as unreachable.
To start the link automatically, set Connection Start Method to Automatic.
To manually start and stop the link, set Connection Start Method to Manual. To control the link, go to the Dynamic Network
Interfaces section of the NETWORK > Interfaces page.
To add IP addresses to monitor the Internet connection beyond the gateway, add a target IP address to the Health Check
Target list.
8. Click Add.
9. At the top of the page, click on the warning message to execute the new network configuration.
10. After committing your changes, log back into the X-Series Firewall.
Follow the instructions in this article to configure a static network interface. You can add a subnet to a free physical or virtual interface.
Barracuda NextGen Firewall X101 and X201 are equipped with a Wi-Fi network module supporting IEEE 802.11 b/g/n with a maximum
transmission rate of 54 Mbps and 108 Mbps in SuperG mode for compatible client devices. Using WPA and WPA2 with a RADIUS authentication
server, you can encrypt wireless networks. The Barracuda NextGen Firewall X-Series can serve up to three independent Wi-Fi networks with
different SSIDs. You can configure each Wi-Fi network with a landing page serving either a confirmation message or a ticketing system for guest
network access.
When the static Wi-Fi network interface is available, Wi-Fi can be activated. The SSID, wireless security, and authentication can also be adjusted.
1. Click Edit for the access point you want to enable (Wi-Fi, Wi-Fi2, Wi-Fi3).
2. In the SSID field, enter the Service Set IDentifier (SSID). This name is displayed to Wi-Fi clients that search for available Wi-Fi signals.
3. From the Security Level list, select one of the following options:
High – WPA2 (Recommended).
Medium – WPA.
None – No encryption.
4. From the Authentication list, select one of the following options:
WPA-PSK – Use this option when key management should be done locally on the firewall. Then define a preshared key.
WPA-RADIUS/EAP – Use this option when key management is done by a RADIUS server. Then enter the RADIUS server
information into the RADIUS Configuration section.
5. To forward clients to a landing page that displays a Confirmation Message or serves a Ticketing system, enable the feature. To give
clients direct access to the Wi-Fi network, select None.
6. Click Save.
To assign IP addresses to clients that are connected to the Wi-Fi network, enable the DHCP server of the firewall.
1. Go to the NETWORK > DHCP Server page. Clients with an active lease are listed in the Active Leases section.
2. In the DHCP Server section, set Enable DHCP Server to Yes.
3. If you change the network configuration of the default Wi-Fi and Wi-Fi2 interfaces, modify the available subnets or create a new one.
4. Click Save Changes.
Because rules are processed from top to bottom in the rule set, arrange your rules in the correct order. Also verify that your rules are placed
above the BLOCKALL rule; otherwise, the rules are blocked.
After adjusting the order of rules in the rule set, click Save Changes.
Requirement
You must have a properly configured 802.1q-capable switch to support VLANs and at least one unconfigured port on your X-Series
Firewall.
You can use VLANs to simulate several LANs on one physical network interface (but only one MAC address). The physical interface behaves as
if it were several interfaces, and the switch behaves as if it were multiple switches. VLANs let multiple virtual networks share switches, cables,
and routers. All VLANs created on a host interface share the bandwidth of the physical interface. However, you can configure bandwidth policies
(QoS) to specify how much bandwidth an interface can use. The Barracuda NextGen Firewall X-Series can use up to 256 VLANs on one physical
network interface and a maximum of 4096 VLANs globally. Only unconfigured ports can be used to create VLAN interfaces.
You can only select ports that are not in use, capable of supporting VLANs and connected to a correctly configured VLAN
switch.
The VLAN interface then appears in the Network Interface Configuration section. VLAN interface names are displayed in the format: p<port
number>.<vlan id>
Next steps
After adding the virtual interface, you can use it in your network configurations as if it were a physical interface. Continue with any of the following
network configuration articles:
Create a static route to specify a gateway for an unassociated network so that the return traffic can take the correct path. In general, you must
add a static route when you want to reach networks that are not directly attached to the Barracuda NextGen X-Series Firewall or the default
gateway.
If more than one route to the same target network exists, you must assign a unique metric value to each route. The lowest
metric (or preference number) specifies the preferred route. If the gateway becomes unreachable, the route with the next
lowest metric will be used.
7. Click Add.
8. At the top of the page, click on the warning message to execute the new network configuration.
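The route selection described above (unique metrics per target network, lowest metric preferred, next-lowest metric used when the preferred gateway is unreachable) as an added Python model; this is example code, not part of the firewall's own implementation. The ISP gateway 69.122.23.254 comes from the static WAN example on this page; the failover gateway, the internal router and the reachability sets are constructed for the example.

```python
"""Route selection model: the most specific target network wins; among routes
to the same network the lowest metric whose gateway is reachable is used, so a
higher-metric route takes over when the preferred gateway fails. Added example,
not Barracuda's code; the failover gateway, internal router and the
reachability sets are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Set, Tuple


class StaticRoute(NamedTuple):
    target: str       # target network, CIDR notation
    gateway: str      # next hop for the target network
    metric: int       # preference number; lower is preferred, unique per target
    interface: str    # port the gateway is reached through


def duplicate_metrics(routes: List[StaticRoute]) -> List[Tuple[str, int]]:
    """(target, metric) pairs used by more than one route, which the page forbids."""
    seen: Set[Tuple[str, int]] = set()
    dupes: List[Tuple[str, int]] = []
    for r in routes:
        key = (str(ip_network(r.target)), r.metric)
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


def select_route(routes: List[StaticRoute], dst: str,
                 reachable: Set[str]) -> Optional[StaticRoute]:
    """Route used for dst, given the set of gateways currently reachable."""
    candidates = [r for r in routes
                  if ip_address(dst) in ip_network(r.target) and r.gateway in reachable]
    if not candidates:
        return None
    # Longest prefix first, then lowest metric.
    return min(candidates, key=lambda r: (-ip_network(r.target).prefixlen, r.metric))


# Constructed routing table. 69.122.23.254 is the ISP gateway from the static
# WAN example on this page; the other addresses are placeholders.
ROUTES = [
    StaticRoute("0.0.0.0/0", "69.122.23.254", 10, "p4"),     # primary uplink
    StaticRoute("0.0.0.0/0", "198.51.100.1", 20, "p5"),      # failover uplink
    StaticRoute("10.20.0.0/16", "192.168.200.1", 10, "p1"),  # network behind an internal router
]
ALL_UP = {"69.122.23.254", "198.51.100.1", "192.168.200.1"}

if __name__ == "__main__":
    print(select_route(ROUTES, "8.8.8.8", ALL_UP))
    print(select_route(ROUTES, "8.8.8.8", ALL_UP - {"69.122.23.254"}))
    print(select_route(ROUTES, "10.20.5.5", ALL_UP))
```

Run `duplicate_metrics` before committing a routing table: two default routes with the same metric have no defined preference, which is exactly the ambiguity the text tells you to avoid.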
The Barracuda NextGen Firewall X-Series supports layer 2 bridging of one or more network interfaces to create an aggregated network or to
physically separate LAN segments in a flat network structure. Configure Layer 2 bridging to transparently connect two networks.
For example:
You can bridge a wireless network with one of your local networks.
If you have servers with external IP addresses, you can bridge that traffic with the ISP gateway.
You cannot create bridged groups containing dynamic interfaces like DHCP, PPPoE, PPTP or 3G.
After configuring your bridge, create an access rule to allow traffic between both networks. To help you configure the bridge, you can use the
pre-installed bridge between ports p1 and p3 and the predefined firewall rule for the bridge.
Before you begin, verify that at least one interface has a static route configured.
Create an access rule to allow traffic between the bridged networks. For example, if you are bridging servers with external IP addresses with the
ISP gateway, create a rule that only allows traffic on port 443 and port 80 to pass.
Verify the order of the access rules. Because rules are processed from top to bottom in the rule set, ensure that you arrange your rules in the
correct order. You must especially ensure that your rules are placed above the BLOCKALL rule; otherwise, the rules are blocked. After adjusting
the order of rules in the rule set (use 'drag and drop'), click Save Changes.
To aid you in evaluation and initial setup, the X-Series Firewall has a pre-installed bridge between ports p1 and p3. You can see the bridge on
the NETWORK > Bridging page. The firewall rule that allows all traffic to pass between ports P1 and P3 is called P1-P3-BRIDGE. That rule has
the following settings:
In some cases, you might want to redirect network traffic from the Internet to a network host residing in a network segment protected by the
Barracuda NextGen X-Series Firewall. For example, you have a web server hosting a website that is reachable through the Internet. For
additional security, you can put the web server in the DMZ segment to logically separate hosts in the DMZ from other hosts in different network
segments.
With a DMZ configuration, you have full control over network traffic from the Internet to the web server, as well as traffic from other network
segments to the web server. This configuration might be necessary if hosts from other network segments must access the same web server.
If your web server listens on TCP port 8080 instead of 80 and you do not want to change the listening socket of your web server, you can use the
Port Address Translation (PAT) feature of the DNAT rule to modify the destination port of IP packets passing the firewall. In the Redirect To field
of the rule settings, append the port to be translated to the IP address field (e.g., 172.16.10.1:8080).
Create an access rule that allows HTTP traffic from the Internet to the web server residing in the DMZ.
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom in the rule set, you must arrange your
rules in the correct order. Ensure that your rules are placed above the BLOCKALL rule; otherwise, the rules are blocked. For more information,
see Firewall Rules Order.
After adjusting the order of the rules in the rule set, click Save.
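The rule processing described in the bridge, DMZ and rule-order passages above (first match from the top wins, anything placed below BLOCKALL never matches, and a DNAT rule whose Redirect To value carries an appended port performs PAT) as an added Python model; this is example code, not the firewall's own rule engine. The WAN address 69.122.23.58 and the redirect target 172.16.10.1:8080 come from this page; the rule name DMZ-WEB, the networks and the sample packets are constructed.

```python
"""Rule-set evaluation model: first match from the top wins, rules below BLOCKALL
never match, and a DNAT rule may rewrite the destination port (PAT) when the
Redirect To value carries ':port'. Added example, not Barracuda's code; rule
names other than BLOCKALL, networks and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                          # "ALLOW", "BLOCK" or "DNAT"
    src: str                             # source network, CIDR notation
    dst: str                             # destination network, CIDR notation
    dport: Optional[int] = None          # None matches any destination port
    redirect_to: Optional[str] = None    # DNAT target: "ip" or "ip:port" (PAT)


def parse_redirect(target: str) -> Tuple[str, Optional[int]]:
    """Split a Redirect To value; an appended ':port' means PAT is in effect."""
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, None


def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> Optional[Rule]:
    """Rules are processed from top to bottom; the first matching rule is used."""
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and rule.dport in (None, dport)):
            return rule
    return None


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str, int]:
    """Return (action, destination address, destination port) for one packet."""
    rule = first_match(rules, src, dst, dport)
    if rule is None:
        return "BLOCK", dst, dport          # constructed default: nothing passes implicitly
    if rule.action == "DNAT":
        new_dst, new_port = parse_redirect(rule.redirect_to or dst)
        return "DNAT", new_dst, (dport if new_port is None else new_port)
    return rule.action, dst, dport


def shadowed_by_blockall(rules: List[Rule]) -> List[str]:
    """Names of rules placed below BLOCKALL; they can never match."""
    names = [r.name for r in rules]
    if "BLOCKALL" not in names:
        return []
    return names[names.index("BLOCKALL") + 1:]


# Constructed DMZ scenario from the page: HTTP from the Internet to the WAN
# address 69.122.23.58 is redirected to the web server 172.16.10.1 on port 8080.
DMZ_WEB = Rule("DMZ-WEB", "DNAT", "0.0.0.0/0", "69.122.23.58/32", 80, "172.16.10.1:8080")
BLOCKALL = Rule("BLOCKALL", "BLOCK", "0.0.0.0/0", "0.0.0.0/0")

WRONG_ORDER = [BLOCKALL, DMZ_WEB]    # new rules land at the bottom of the rule set
RIGHT_ORDER = [DMZ_WEB, BLOCKALL]    # after moving the DMZ rule above BLOCKALL

if __name__ == "__main__":
    print("shadowed:", shadowed_by_blockall(WRONG_ORDER))
    print(evaluate(WRONG_ORDER, "203.0.113.5", "69.122.23.58", 80))
    print(evaluate(RIGHT_ORDER, "203.0.113.5", "69.122.23.58", 80))
```

`shadowed_by_blockall` is the check to run after saving a rule set: any name it returns is a rule that was created at the bottom and never moved above BLOCKALL, and traffic for it is blocked rather than redirected or allowed.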
The DHCP server of the Barracuda NextGen Firewall X-Series automatically assigns IP addresses to clients that reside in a defined subnet. This
article provides an example of how to configure a DHCP server on the NextGen Firewall X-Series.
Configure a static interface by using the network the DHCP server subnet is in. For more information, see How to Configure Static Network
Interfaces
3. Click Save.
To use the DHCP server within the management network, go to the NETWORK > IP Configuration page and add a secondary IP
address in the Management IP Configuration section.
This example configures a DHCP server subnet named LAN that uses an IP range from 192.168.200.150 to 192.168.200.160, a subnet mask of
255.255.255.0, and an NTP server at ntp.barracudacentral.com.
6. Click Save.
For a client to always receive the same IP address, configure a static DHCP lease. The DHCP server uses the MAC address to identify the client.
1. In the ACTIVE LEASES section, click + in the Actions column. The Add DHCP static lease pop-over window opens.
3. Click Save.
In the Active Leases section of the DHCP Server window, the IP address lease is displayed as Static.
To free up an IP address that is in use for another DHCP lease, you can delete DHCP leases for inactive DHCP clients. Power off or disconnect
the client for the DHCP lease to change its state from active to inactive.
You must force the client to renew the DHCP lease after removing the DHCP lease on the X-Series Firewall; otherwise, it will continue
using the original lease until the maximum lease time expires. This may result in duplicate IP errors in your network!
1. In the DHCP Server Subnets section, click the trashcan icon in the Actions column. The Clear dynamic lease pop-over window opens.
2. Verify that the IP address matches the DHCP lease you want to delete, and click Clear.
In the Active Leases section of the NETWORK > DHCP Server page, you can monitor active DHCP leases. The information for each lease is
displayed in the following columns:
Column Description
State – The current state of the lease pool and the number of addresses that are in use.
Type – The type of the IP address. The IP address can be either Static or Dynamic.
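The lease behaviour described in the DHCP server section above (addresses handed out from the LAN range, static leases bound to a client MAC address, and the duplicate IP hazard when a cleared lease is reissued while the old client has not renewed) as an added Python model; this is example code, not the firewall's DHCP server. The range 192.168.200.150 to 192.168.200.160 comes from this page; the MAC addresses and the client-side view are constructed.

```python
"""DHCP lease table model for the LAN subnet on this page (192.168.200.150 to
192.168.200.160): static leases bound to a client MAC address, dynamic leases
handed out from the range, and the duplicate-address situation that arises when
a cleared dynamic lease is reissued while the old client still uses it. Added
example, not Barracuda's code; MAC addresses are constructed."""
from ipaddress import ip_address
from typing import Dict, List, Optional


class LeasePool:
    def __init__(self, first: str, last: str):
        start, end = int(ip_address(first)), int(ip_address(last))
        self.range = [str(ip_address(n)) for n in range(start, end + 1)]
        # ip -> {"mac": ..., "type": "Static" | "Dynamic", "state": "active" | "inactive"}
        self.leases: Dict[str, Dict[str, str]] = {}

    def add_static_lease(self, mac: str, ip: str) -> None:
        """Bind ip to mac so the client always receives the same address."""
        if ip in self.leases and self.leases[ip]["mac"] != mac:
            raise ValueError(f"{ip} is already leased to {self.leases[ip]['mac']}")
        self.leases[ip] = {"mac": mac, "type": "Static", "state": "inactive"}

    def request(self, mac: str) -> Optional[str]:
        """Answer a client request: its own lease if one exists, else a free address."""
        for ip, lease in self.leases.items():
            if lease["mac"] == mac:
                lease["state"] = "active"
                return ip
        for ip in self.range:
            if ip not in self.leases:
                self.leases[ip] = {"mac": mac, "type": "Dynamic", "state": "active"}
                return ip
        return None                      # range exhausted

    def set_inactive(self, mac: str) -> None:
        """The client was powered off or disconnected."""
        for lease in self.leases.values():
            if lease["mac"] == mac:
                lease["state"] = "inactive"

    def clear_dynamic_lease(self, ip: str) -> bool:
        """Clear an inactive dynamic lease; static and active leases are kept."""
        lease = self.leases.get(ip)
        if lease is None or lease["type"] != "Dynamic" or lease["state"] != "inactive":
            return False
        del self.leases[ip]
        return True

    def lease_type(self, ip: str) -> Optional[str]:
        lease = self.leases.get(ip)
        return lease["type"] if lease else None

    def in_use(self) -> int:
        return sum(1 for lease in self.leases.values() if lease["state"] == "active")


def duplicate_addresses(pool: LeasePool, client_view: Dict[str, str]) -> List[str]:
    """Addresses the server has reissued while a client (mac -> ip it still
    holds) has not renewed: the duplicate IP errors the page warns about."""
    dupes = []
    for mac, ip in client_view.items():
        lease = pool.leases.get(ip)
        if lease is not None and lease["mac"] != mac:
            dupes.append(ip)
    return dupes
```

The `duplicate_addresses` check models the warning in the text: the server side forgets the lease the moment it is cleared, but the client keeps its address until its lease time runs out, so the same address can be live on two hosts until the old client is forced to renew.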
DHCP relaying allows you to share a single DHCP server across logical network segments that are separated by the firewall. The DHCP relay
service only forwards DHCP traffic; it does not assign the IP addresses. When configuring DHCP relay, both the port the DHCP server is
connected to and all ports the clients are connected to must be added to the DHCP relay interfaces.
The Agent ID Mismatch Policy setting is important when multiple relay agents serve the DHCP server.
10. Enter the Max. Packet Hop Count to avoid infinite packet loops (default: 10).
11. Select Forward Unicast Packets if Bootstrap/BOOTP unicast messages should be forwarded by the DHCP relay.
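The relay decisions described above (forwarding only, hop-count limit against packet loops, optional forwarding of BOOTP unicast messages, and the agent mismatch policy when several relays serve one server) as an added Python model; this is example code, not the firewall's DHCP relay. The interfaces, addresses and the policy values "drop" and "forward" are constructed assumptions; `hops` and `giaddr` are the BOOTP header field names.

```python
"""DHCP relay decision model for the settings on this page: the relay forwards
but assigns no addresses; each relay increments the BOOTP hop count and packets
that have already reached Max. Packet Hop Count are dropped; BOOTP unicast
messages are forwarded only when Forward Unicast Packets is enabled; and server
replies whose relay agent address (giaddr) belongs to another relay are handled
by the Agent ID Mismatch Policy. Added example, not Barracuda's code; the
interfaces, addresses and the policy values "drop" and "forward" are
constructed assumptions; hops and giaddr are the BOOTP header field names."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class DhcpPacket:
    op: str                      # "REQUEST" (client to server) or "REPLY" (server to client)
    hops: int = 0                # incremented by every relay on the path
    giaddr: str = "0.0.0.0"      # address of the first relay, set when still unset
    broadcast: bool = True       # False for a BOOTP unicast message


class DhcpRelay:
    def __init__(self, server_ip: str, interfaces: Dict[str, str], max_hops: int = 10,
                 forward_unicast: bool = False, mismatch_policy: str = "drop"):
        self.server_ip = server_ip
        self.interfaces = interfaces          # port -> relay address on that port
        self.max_hops = max_hops
        self.forward_unicast = forward_unicast
        self.mismatch_policy = mismatch_policy

    def from_client(self, pkt: DhcpPacket, ingress: str) -> Tuple[str, str, DhcpPacket]:
        """Relay a client message; returns ("forward", server, pkt) or ("drop", reason, pkt)."""
        if ingress not in self.interfaces:
            return "drop", "port is not a DHCP relay interface", pkt
        if not pkt.broadcast and not self.forward_unicast:
            return "drop", "unicast forwarding disabled", pkt
        if pkt.hops >= self.max_hops:
            return "drop", "max packet hop count reached", pkt   # breaks relay loops
        pkt.hops += 1
        if pkt.giaddr == "0.0.0.0":
            pkt.giaddr = self.interfaces[ingress]                # server replies to this address
        return "forward", self.server_ip, pkt

    def from_server(self, pkt: DhcpPacket) -> Tuple[str, str, DhcpPacket]:
        """Deliver a server reply on the port whose address matches giaddr."""
        for port, addr in self.interfaces.items():
            if addr == pkt.giaddr:
                return "deliver", port, pkt
        if self.mismatch_policy == "forward":
            return "forward", pkt.giaddr, pkt     # hand on to the relay that owns giaddr
        return "drop", "agent id mismatch", pkt


# Constructed topology: clients on p1, the DHCP server behind p4. Both ports
# are relay interfaces, as the page requires.
RELAY = DhcpRelay("10.1.0.10", {"p1": "192.168.200.200", "p4": "10.1.0.1"})
```

Because the relay's own address ends up in `giaddr`, a server reply carrying an address that matches none of the relay interfaces came through a different relay; with the strict policy it is dropped rather than delivered on a guessed port.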
If your network has a proxy or you want to use an ISP proxy, you can configure a forward proxy. This article provides steps and example settings
to configure a forward proxy for the setup that is illustrated in the following figure:
4. Click Save.
The Barracuda NextGen Firewall X-Series can use a caching DNS to speed up frequently queried DNS requests in the network, or it can be configured to act as an authoritative DNS server for your domains. Enable Authoritative DNS to allow intelligent responses to DNS requests by evaluating link state and source IP address before answering the DNS request. You can use either static or dynamic WAN IP addresses. To use the ADNS server for internal clients, the LOCALDNSCACHE access rule must be active.
Caching DNS intercepts DNS requests from your network to external DNS servers and, if the answer to the request is present in the local cache, replies to the query itself, speeding up DNS queries in your network and saving bandwidth. DNS caching is always active when ADNS is enabled; all DNS requests are then redirected to the local ADNS server.
Caching DNS
Enable Caching DNS for all connections by setting Caching DNS on the NETWORK > IP Configuration page to Yes. This setting is overridden
when the authoritative DNS server is enabled.
Authoritative DNS
You must change the settings at your domain's registrar to allow the X-Series Firewall to act as the nameserver for your domain. After adding the domain, you can configure the following record types:
A — Use this DNS record to match an IPv4 IP address to a hostname. Each host in a domain should have an A record.
NS — NS records specify the authoritative name servers for the (sub)domain. If the domain name server is inside the domain, enter the
FQDN ending with a dot. E.g., ns.example.com.
MX — Use this type of DNS record to define the mail servers for the network. If multiple mail servers are used enter a preference
between 0 and 65535. The MX record with the lowest preference is used first by the sending agent. If not available the server with the
next higher preference is tried until a successful connection can be established.
TXT — This record associates a text string with the hostname. Use this for services which do not have a DNS record type of their own
such as SPF.
CNAME — This creates an alias for an already existing canonical name. The link target does not have to be a part of the domain. E.g., create a CNAME record which points www.cuda-inc.com to www.barracuda.com.
SRV — Define services available in the domain such as LDAP or SIP.
PTR — PTR records point to a canonical name. Unlike CNAME the host name is returned and not resolved. Use for reverse DNS
lookups.
OTHER — Use this to define a DNS record which is not listed above.
The X-Series Firewall can be configured to block zone transfers on some or all of the domains that it hosts. An AXFR/IXFR query that is sent from another DNS server to the firewall (to request a copy of the DNS records) is rejected if zone transfers are disabled for that domain. By default, zone transfers are enabled for all domains created. This feature is necessary if you want to force all DNS requests to be handled directly by the firewall and the results not to be cached by recursive DNS servers. DNS zones that are only reachable internally are not transferred to other DNS servers.
Split DNS
The X-Series Firewall can return different IP addresses depending on the source IP address of the DNS request. When configured, a client in the internal network receives the local IP address of the server, while a client from the Internet is answered with the external WAN IP address.
For more information, see How to Add Domains and DNS Records.
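The three behaviours of the authoritative DNS described above (split DNS answers chosen by the source address of the query, AXFR/IXFR zone transfers refused when disabled for a domain, and MX records tried in order of preference with the lowest first) as an added Python model; this is example code, not the firewall's DNS service. The WAN address 69.122.23.58, the 192.168.200.0/24 network and the host names ns.example.com and mail.my-isp.net come from elsewhere on this page; the rest of the zone data and the querying addresses are constructed.

```python
"""Authoritative DNS model covering three behaviours from this page: split DNS
answers chosen by the source address of the query, AXFR/IXFR zone transfer
requests refused when transfers are disabled for a domain, and MX records
returned in order of preference (lowest first). Added example, not Barracuda's
code; zone data and querying addresses are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Record(NamedTuple):
    name: str                  # owner name relative to the zone, "@" for the apex
    rtype: str                 # "A", "MX", "NS", ...
    value: str
    preference: Optional[int]  # MX only
    view: str                  # "any", "internal" or "external" (split DNS)


class Zone:
    def __init__(self, domain: str, internal_networks: List[str], zone_transfers: bool = True):
        self.domain = domain
        self.internal = [ip_network(n) for n in internal_networks]
        self.zone_transfers = zone_transfers
        self.records: List[Record] = []

    def add(self, name: str, rtype: str, value: str,
            preference: Optional[int] = None, view: str = "any") -> None:
        self.records.append(Record(name, rtype, value, preference, view))

    def view_for(self, source_ip: str) -> str:
        """Split DNS: internal clients get the internal view, everyone else the external one."""
        inside = any(ip_address(source_ip) in n for n in self.internal)
        return "internal" if inside else "external"

    def query(self, source_ip: str, name: str, rtype: str):
        """Answer values for name/rtype as seen from source_ip."""
        view = self.view_for(source_ip)
        hits = [r for r in self.records
                if r.name == name and r.rtype == rtype and r.view in ("any", view)]
        if rtype == "MX":
            hits.sort(key=lambda r: r.preference)        # lowest preference is tried first
            return [(r.preference, r.value) for r in hits]
        return [r.value for r in hits]

    def transfer(self, qtype: str) -> Tuple[str, List[Record]]:
        """Zone transfer request from another name server."""
        if qtype not in ("AXFR", "IXFR"):
            raise ValueError("not a zone transfer query type")
        if not self.zone_transfers:
            return "REFUSED", []
        return "OK", list(self.records)


def sample_zone(zone_transfers: bool = False) -> Zone:
    """Constructed zone: a web server with a LAN address and a WAN address, and
    a primary plus backup mail exchanger (the backup is outside the domain, so
    it is given as an FQDN ending with a dot)."""
    z = Zone("example.com", ["192.168.200.0/24"], zone_transfers)
    z.add("@", "NS", "ns.example.com.")
    z.add("www", "A", "192.168.200.10", view="internal")   # server's LAN address
    z.add("www", "A", "69.122.23.58", view="external")     # WAN address seen from the Internet
    z.add("@", "MX", "mail.example.com.", preference=10)
    z.add("@", "MX", "mail.my-isp.net.", preference=20)
    return z
```

The `view_for` decision is the whole of split DNS: the same owner name carries two A records, and the source network of the query selects which one is returned. Refusing AXFR/IXFR keeps the record set from being copied to other servers, which is what the text relies on when it wants every request answered by the firewall itself.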
Step 1. Make the X-Series Firewall the authoritative DNS server at your domain registrar
To become the authoritative DNS server for a domain contact the registrar for your domain to use the static or dynamic WAN IP addresses of
your X-Series Firewall.
Hosting a subdomain
If you want to delegate a subdomain to the X-Series Firewall, add ns1 and ns2 records to the zone file of the domain where it is stored at the
registrar. If the domain is yourdomain.com, and you want to host subdomain.yourdomain.com add the following DNS records:
subdomain IN NS ns1
subdomain IN NS ns2
ns1 IN A <WAN IP 1 OF YOUR BARRACUDA FIREWALL>
ns2 IN A <WAN IP 2 OF YOUR BARRACUDA FIREWALL>
In the DNS Servers table, you can view a list of the static IP addresses for which the DNS Server service is enabled ( NETWORK > IP
Configuration). Dynamic IP addresses are not listed. An access rule is created in step 3 to redirect incoming DNS requests on dynamic
interfaces to the DNS service on the firewall. The access rule LOCALDNSCACHE must be active after enabling authoritative DNS for local
clients to access the DNS server.
3. Click Save.
To redirect DNS traffic for dynamic WAN interfaces you must redirect the incoming traffic to the authoritative DNS service.
The domain or subdomain is now listed in the DNS RECORDS section. NS and SOA records are automatically created for the new domain. The
NS records are set to the static IP addresses with the DNS server listener enabled.
Record – Description
Start of Authority (SOA) – The SOA record defines the global settings for the hosted domain or zone. Only one SOA record is allowed per hosted domain or zone.
Name Server (NS) – NS records specify the authoritative name servers for this domain. One NS record for each name server in the DNS Servers table is generated.
Mail Exchanger (MX) – MX records point to the email servers that are responsible for handling email for a given domain. There should be an MX record for each email server, including any backup email servers. If an email server lies within the domain, it requires an A record for each name server. If the email server is outside the domain, specify the FQDN of the server, ending with a dot. Example: mail.my-isp.net
Text (TXT) – Text records allow text to be associated with a name. This can be used to specify Sender Policy Framework (SPF) or DomainKeys records for the domain.
Canonical Name (CNAME) – A CNAME record provides a mapping between this alias and the true, or canonical, hostname of the computer. It is commonly used to hide changes to the internal DNS structure. External users can use an unchanging alias while the internal names are updated. If the real server is outside the domain, specify the FQDN of the server, ending with a dot. Example: server1.my-isp.net
Service (SRV) – Service records are used to store the location of newer protocols, such as SIP, LDAP, IMAP, and HTTP.
Pointer (PTR) – PTR records point to a canonical name. The most common use is to provide a way to associate a domain name with an IP address.
Other (OTHER) – Use an OTHER record to add a type of DNS record that is not supported, such as NAPTR.
5. Configure IP Addresses for the record (do this for all interfaces you want to use):
LINKS – Select the interface for which this response is valid. ANY is valid for all interfaces, INTERNAL ONLY only for requests
coming from Trusted Networks.
WAN IP ADDRESS – Enter the IP address which will be returned for DNS requests from the Internet.
LOCAL NETWORK – Enter the IP address which will be returned for DNS requests from Trusted Networks.
If an Internal Only and a WAN interface IP address exist for the same record, both the WAN IP ADDRESS and the Internal
Only IP address are returned when queried from the internal network. Always define a Local Network for WAN
interfaces to avoid this behavior.
HEALTH CHECK – Select the health check type: Ping, DNS, Host:Port. The TARGET will be checked by this method
periodically to verify that the link is still up. When the health check fails, this IP address is removed from the DNS response.
TARGET – The IP address, DNS name, or Host:Port target which will be checked periodically. Use a health check target that
is behind the interface chosen as the LINK.
6. Click +
The DNS records are now listed in the DNS RECORDS section. Refresh the page until the health check checks for all records turn green.
Enter the domain names and verify that the WAN IP address for the interface or ANY IP Address is returned.
Enter the domain names and verify that the LOCAL NETWORKS IP for the interface or ANY IP Address is returned.
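The Split DNS behaviour described earlier and the per-link settings above (LINKS, WAN IP ADDRESS, LOCAL NETWORK, HEALTH CHECK) combine into one selection rule per query, including the quirk where a WAN entry without a LOCAL NETWORK address is handed to internal clients as well. The model below is an added example, not the firewall's code: the trusted network 192.168.200.0/24, the interface name p4 and all addresses are constructed, and the health-check result is passed in as a flag rather than probed, because the point is the selection logic.

```python
"""Model how per-link record settings turn into the answer for one DNS query.

Added example, not the firewall's code. Trusted network, links and addresses
are constructed; the health check is represented by a boolean.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.200.0/24")]  # constructed


@dataclass
class RecordIP:
    link: str                     # "ANY", "INTERNAL ONLY", or an interface name such as "p4"
    wan_ip: str | None = None     # WAN IP ADDRESS: answer for Internet clients
    local_ip: str | None = None   # LOCAL NETWORK: answer for Trusted Networks
    healthy: bool = True          # last HEALTH CHECK result for the TARGET


def is_trusted(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def resolve(entries: list[RecordIP], src_ip: str) -> list[str]:
    """Addresses returned for a query from src_ip, in entry order, without duplicates.

    Entries whose health check failed are dropped. A trusted client gets the
    LOCAL NETWORK address of each entry; where none is set the WAN address is
    used instead, which is the behaviour the note in step 5 warns about.
    """
    internal = is_trusted(src_ip)
    answers: list[str] = []
    for e in entries:
        if not e.healthy:
            continue
        if internal:
            answer = e.local_ip or e.wan_ip
        elif e.link != "INTERNAL ONLY":
            answer = e.wan_ip
        else:
            answer = None
        if answer and answer not in answers:
            answers.append(answer)
    return answers


def lint(entries: list[RecordIP]) -> list[str]:
    """Flag WAN entries without a LOCAL NETWORK address: they leak the WAN IP to internal clients."""
    return [
        f"link {e.link}: WAN address {e.wan_ip} has no LOCAL NETWORK address"
        for e in entries
        if e.link != "INTERNAL ONLY" and e.wan_ip and not e.local_ip
    ]


def example_entries() -> list[RecordIP]:
    """Constructed record: one internal-only entry and one WAN link, LOCAL NETWORK left empty."""
    return [
        RecordIP(link="INTERNAL ONLY", local_ip="10.0.0.5"),
        RecordIP(link="p4", wan_ip="203.0.113.10"),
    ]
```

With the example entries an internal client receives both 10.0.0.5 and 203.0.113.10; setting the LOCAL NETWORK address on the p4 entry collapses that to the single internal address, and a failed health check on p4 removes 203.0.113.10 from the external answer.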
When not using the X-Series Firewall DNS directly, it might take some time for your changes to be distributed throughout the Internet. A new
domain name might take up to a day until it is accessible via other DNS servers. If the DNS record is modified, any server on the Internet that has
the old DNS records will not request an update until the TTL of the original record has expired.
The management IP address is used to configure and administer the Barracuda NextGen Firewall X-Series via web interface. By default, the
X-Series Firewall uses 192.168.200.200 as the management IP. You can change the management IP address and network to match your
existing network.
Make sure you can connect to the X-Series Firewall after changing the management IP address, either by changing the IP address of
the client PC to be in the same network and plugging the client PC into the new management port, or via an allow access rule permitting
access from the network the client PC is in to the new management IP address.
Use the new management IP address when you log into the web interface: https://<new management IP address>
For redundancy and reliability, you can set up two Barracuda NextGen X-Series Firewalls in a high availability (HA) cluster. During normal
operations, the primary unit is active while the secondary unit waits in standby mode. The secondary unit has the same configurations as the
primary unit, and it only becomes available when the primary unit is down. The failover is reversed when the primary unit can resume operations.
Services should be configured on the secondary IP address, not the management IP address of the firewall, as only the secondary IP addresses
fail over to the secondary unit. For the same reason, use the secondary IP address as the default gateway for your clients.
To execute a failover when a unit or networking component becomes unavailable, you can configure the monitoring of additional IP addresses
and interfaces. You can also manually execute a failover.
When installing two firewalls in a high availability cluster, ensure that the cabling is done exactly the same on both units. The management IP
addresses must also be configured on the same ports. For example, if port 3 on the primary box is connected to ISP 1, the secondary box must
also connect port 3 with ISP 1. If you install cabling incorrectly, HA failover does not work properly. For an example of correct cabling, see the
following diagram:
If you want to join a Windows domain, you must do so on both primary and secondary units before creating the HA cluster. For more
information, see How to Join a Windows Domain.
If you want to use the Barracuda Web Security Service, you must connect both primary and secondary units, before creating the HA
cluster. For more information, see Cloud Features.
Each X-Series Firewall must have a management IP address in the same subnet. Verify that they are not using the same IP addresses
as the management IP address.
If you restrict administrative access to the firewall by defining administrator IP addresses or networks, you must add the management IP address
of the HA partner unit to the administrator IP/Ranges list. If you are not restricting the administrator IP address (a 0.0.0.0 entry is present) you can
skip this step.
Add the management IP of the secondary unit to the administrator IP addresses on the primary unit.
4. Add the management IP of the primary unit to the administrator IP addresses on the secondary unit.
Add a secondary IP address to the primary Firewall and configure the services of the firewall that are to be used from the local network to listen
on this IP address. Use this secondary IP address as the default gateway for the clients in your network. In case of a failover this IP address is
transferred to the secondary firewall.
Go to the BASIC > Administration page and verify that NTP is enabled on the primary unit.
Before you set up two X-Series Firewalls in an HA cluster, ensure that both units fulfill the following prerequisites:
Both firewalls must be the same model type and revision. They must also run the same firmware version.
The management IP addresses of both units must be in the same network and subnet.
System clocks and timezones must be accurately set on both units. If they are not, HA pairing can fail.
The Default Domain (BASIC > Administration) must be set on both units.
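The prerequisites listed above (same model and revision, same firmware, management addresses in one subnet but not identical, clocks in agreement, Default Domain set, NTP enabled) are exactly the kind of thing to verify mechanically before clicking Enable High Availability, because a mismatch shows up as a failed pairing rather than a clear error. The checker below is an added example, not Barracuda tooling: the Unit fields, the 30-second clock tolerance and all sample values (model name, firmware string, addresses, domain) are constructed assumptions.

```python
"""Check the HA pairing prerequisites against the settings of two units.

Added example, not Barracuda tooling. Unit fields, the clock tolerance and
the sample values are constructed assumptions.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Unit:
    name: str
    model: str
    revision: str
    firmware: str
    mgmt_ip: str            # management address in CIDR form, e.g. "192.168.200.200/24"
    clock: datetime         # time reported by the unit, timezone-aware
    default_domain: str     # BASIC > Administration > Default Domain
    ntp_enabled: bool       # BASIC > Administration > NTP


MAX_CLOCK_SKEW = timedelta(seconds=30)  # assumption, not a documented limit


def check_ha_prerequisites(primary: Unit, secondary: Unit) -> list[str]:
    """Return the prerequisites that are not met; an empty list means ready to pair."""
    problems: list[str] = []
    if (primary.model, primary.revision) != (secondary.model, secondary.revision):
        problems.append("model type or revision differs")
    if primary.firmware != secondary.firmware:
        problems.append(f"firmware differs: {primary.firmware} vs {secondary.firmware}")
    p_if = ipaddress.ip_interface(primary.mgmt_ip)
    s_if = ipaddress.ip_interface(secondary.mgmt_ip)
    if p_if.network != s_if.network:
        problems.append("management IP addresses are not in the same subnet")
    if p_if.ip == s_if.ip:
        problems.append("both units use the same management IP address")
    if abs(primary.clock - secondary.clock) > MAX_CLOCK_SKEW:
        problems.append("system clocks disagree by more than the tolerance")
    for u in (primary, secondary):
        if not u.default_domain:
            problems.append(f"{u.name}: Default Domain is not set")
        if not u.ntp_enabled:
            problems.append(f"{u.name}: NTP is not enabled")
    return problems


def sample_pair() -> tuple[Unit, Unit]:
    """Two constructed units that satisfy every prerequisite."""
    now = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    common = dict(model="X-SERIES-EXAMPLE", revision="1", firmware="7.1.0-example")
    primary = Unit("primary", mgmt_ip="192.168.200.200/24", clock=now,
                   default_domain="example.test", ntp_enabled=True, **common)
    secondary = Unit("secondary", mgmt_ip="192.168.200.201/24",
                     clock=now + timedelta(seconds=5),
                     default_domain="example.test", ntp_enabled=True, **common)
    return primary, secondary
```

The clock comparison is the one that deserves attention in practice: the page says pairing can fail when clocks or timezones are off, so compare timezone-aware timestamps, not the local wall-clock strings the web interface shows.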
After the HA pairing is successful, the Disable High Availability option appears in place of the Enable High Availability option. The IP
addresses and serial numbers of both HA units are also displayed.
Additionally, this warning message is displayed on every configuration page of the secondary unit:
While the secondary unit is part of the HA cluster, you can only configure the following settings:
You can configure the monitoring of additional IP addresses and interfaces. If these IP addresses and interfaces become unreachable, a failover
is executed.
On the ADVANCED > High Availability page, in the Monitoring section, add the Reachable IPs and Reachable Interfaces.
To verify the HA status of the firewall, go to the ADVANCED > High Availability page and see the Status section. This section indicates if the
appliance is active, standby, primary, or secondary. If the appliance is not part of an HA cluster, this section indicates that it is Stand-Alone.
This figure shows an example of the status for a firewall in a high availability cluster.
On the BASIC > Status page, you can also view the current HA status in the Services section. To see the status details, hover over High
Availability.
Note that the secondary X-Series Firewall is not visible in Barracuda Cloud Control.
On the ADVANCED > High Availability page, you can manually execute an HA failover by clicking Manual Failover in the Status section of the
unit which is currently active.
If the X-Series Firewall is not part of an HA cluster, the Manual Failover option is disabled.
The following settings are unique to each unit in the high availability cluster and are not synced:
Domain
Hostname
Timezone
HTTPS Port
Management Interface Configuration.
Content of DNS Cache
Dynamic Interfaces
The first matching access rule is executed. If none of the rules match, the default Block-all rule blocks the traffic.
Application Control (with or without SSL Inspection), a tightly integrated Intrusion Prevention System (IPS) and URL filtering for content security
offer granular control over your network traffic.
Application Control – Application Control enables you to manage traffic caused by applications on your network. Knowing which
applications use the most traffic lets you create rules to optimize bandwidth for business critical applications while limiting unwanted
application traffic.
SSL Inspection – Most of the application traffic is SSL encrypted. SSL Inspection transparently decrypts the SSL connections and after
passing through Application Control reencrypts the connection and forwards it to its destination. SSL Inspection enables Application
Control to detect sub-applications making it possible to block single features such as Facebook games, while still allowing access to the
rest of the site.
URL Filter – If you want to keep out inappropriate web based content from your network, the Barracuda Web Security Gateway enables
you to filter a large number of websites based on categories. The URL filter can be used to create a whitelist (blocking everything except
for selected sites) or a blacklist (blocking known unwanted content). If the site is not in the URL database you can define a custom URL
policy. The URL Filter can only filter based on the URL of the website. It does not offer the more granular control over sub-applications
that Application Control does. For more information, see Application Control.
Virus Protection – HTTP(S), FTP and SMTP(S) traffic can be transparently scanned for malicious content while the traffic passes
through the firewall. For more information, see Virus Protection in the Firewall.
Advanced Threat Detection (ATD) – Advanced Threat Detection secures your network against zero day exploits and other malware not
recognized by the IPS or virus scanner. You can choose between two policies, which either scan the files after the user has downloaded
them and, if perceived to be a threat, quarantine the user, or scan the file first and then let the user download the file after it is known to
be safe. For more information, see Advanced Threat Detection (ATD).
Mail Security – Check the source IP address of incoming SMTP(S) connections against a DNSBL and modify the header and subject of
the e-mail if the sender is listed in the DNSBL. For more information, see Mail Security in the Firewall.
Intrusion Prevention System (IPS) – The tightly integrated Intrusion Prevention System will monitor the network for malicious activities
and block detected network attacks. For more information, see Intrusion Prevention System or IPS.
To create, edit, or change the order of access rules, go to the FIREWALL > Firewall Rules page. For more about matching criteria and possible
access rule actions, see Firewall Rules. If you are new to the Barracuda NextGen Firewall X-Series, see Pre-Installed Access Rules to review the
rules that are already set up in the appliance. You can use these preinstalled rules as a starting point for your own rules.
Firewall objects are named collections that represent specific networks, services, applications, user groups or connections when creating access
rules. You can use the firewall objects that are preconfigured on the Barracuda NextGen Firewall X-Series, but you can also create custom
firewall objects depending on your requirements. Firewall objects are re-usable which means that you can use one firewall object in as many
rules as required. The following section explains the firewall objects that are available for use and configuration on the NextGen Firewall X-Series
and contains articles on how to create the different firewall objects for your access rules.
Each firewall object has a unique name that is more easily referenced than e.g. an IP address or a network range.
Maintenance of the access rule set is simplified. When you update a firewall object, the changes are automatically updated in every rule
that refers to this object.
The following types of firewall objects are available for use and configuration:
Network Objects — Reference networks, IP addresses, or interfaces when configuring firewall access rules.
URL Policy Objects — (requires a Barracuda Web Security Subscription) Reference access restrictions for web sites. The NextGen
Firewall X-Series provides a predefined list of URL categories that are available for blacklisting and whitelisting.
Service Objects — Create service objects to reference TCP/UDP ports for a service.
Connection Objects — Reference the egress interface and source (NAT) IP address for traffic matching a firewall access rule.
NAT Objects — Map IP addresses from one IP address range to another, e.g., to let two subnets communicate with each other.
User Objects — Reference lists of users and/or user groups for use within access rules.
Schedule Objects — Configure time restriction or scheduling tables that can be applied to access rules on an hourly, weekly or calendar
date basis.
Application Objects — Reference lists of web applications and/or sub-applications when creating application aware firewall access
rules. For more information, see Application Control.
By using network objects instead of explicit IP addresses, access rule management is simplified. For example, if an IP address changes, you do
not have to edit it in every rule that references it; you must only change the IP address in the network object. The IP address is then automatically
updated for every rule that references the network object.
Before you begin, list the network addresses and ports that you want to add to the network object.
5. For any IP addresses and interfaces that must be excluded from the network object, add them to the Exclude Entries section.
6. Click Save. The custom network object then appears in the Custom Network Objects section.
Before you begin, list the TCP ports and UDP ports that you want to add to the custom service object.
5. Click Save. The custom service object appears in the Custom Service Objects section.
You can use the predefined connection objects or you can create new connection objects.
This setting lets you specify which source IP address and interface are to be used in case of fallback. This is especially
important if you are using multiple ISPs. Connecting via the backup provider using the wrong source IP address causes the
return traffic routing to fail.
Dynamic Source NAT – The firewall uses the routing table to find a suitable interface for routing the packet and uses the IP
address of the relevant interface as the new source IP address.
No Source NAT – The original source IP address of the packet is not changed.
From Interface – Source NAT is using the first IP address on a specific interface.
Select the interface from the Interface list.
Explicit – Uses the IP address that is specified in the Explicit IP Address field.
a. Enter the IP address in the Explicit IP Address field.
If the IP address does not exist locally, select the Proxy ARP check box to create an appropriate Proxy ARP entry. Proxy
ARP makes it possible for ARP requests to be answered for IP addresses that are not implemented in the Barracuda
NextGen Firewall X-Series.
5. When using From Interface or Explicit as NAT Type, configure the following settings if required:
Select the PAT check box to use Port Address Translation (PAT, also known as NAT overloading). PAT extends NAT so that
port numbers are also translated. Use PAT to pool several private IP addresses to one public IP address.
6. Click Save.
You can specify multiple source IP addresses and interfaces in the same connection object. This allows failover or session-based balancing
between up to four links. Balancing can be achieved using either a round robin or weighted random algorithm.
After you have successfully created this connection object, you can go to the FIREWALL > Firewall Rules page and apply it to a rule that directs
You can edit new connection objects and copies of the predefined connection objects.
1. Click the copy symbol next to the object in the Predefined Connection Objects table. A copy of the connection object appears in the
Connection Objects section.
2. Edit the settings for the object.
3. Click Save.
To allow HTTP and HTTPS connections from the local 192.168.200.0/24 network to the Internet, the firewall must perform source-based NAT.
Instead of using the source IP address from the client residing in the LAN, the connection is established between the WAN IP address of the
firewall and the destination IP address. Reply packets belonging to this session are replaced with the client's IP address within the LAN.
For this example, use the predefined Default (SNAT) connection object. It automatically uses the WAN IP address of the ISP uplink with the
lowest metric according to the firewall's routing table.
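The NAT Type choices from step 4 (Dynamic Source NAT, No Source NAT, From Interface, Explicit with Proxy ARP), the multi-link failover and balancing described after step 6, and the Default (SNAT) behaviour of taking the uplink with the lowest metric all come down to the same two decisions: which interface a new session leaves on, and which source address it carries. The following walk-through is an added example, not the firewall's implementation; the interfaces p1, p4 and p5, their addresses and the routing table are constructed, and route selection is modelled as longest prefix first, then lowest metric.

```python
"""Work through how a connection object chooses the egress link and source IP.

Added example, not the firewall's implementation. Interfaces, addresses and
routes are constructed. Route selection is longest prefix, then lowest
metric, which is how the Default (SNAT) object picks the ISP uplink above.
"""
from __future__ import annotations
import ipaddress
import itertools
import random
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    ips: list[str]          # the first address is what "From Interface" uses
    up: bool = True


@dataclass
class Route:
    network: str
    interface: str
    metric: int


def lookup_route(routes: list[Route], dst: str) -> Route:
    """Most specific prefix wins; among equal prefixes, the lowest metric."""
    addr = ipaddress.ip_address(dst)
    matching = [r for r in routes if addr in ipaddress.ip_network(r.network)]
    if not matching:
        raise LookupError(f"no route to {dst}")
    return max(matching, key=lambda r: (ipaddress.ip_network(r.network).prefixlen, -r.metric))


def source_nat(nat_type: str, ifaces: dict[str, Interface], routes: list[Route], dst: str,
               interface: str | None = None, explicit_ip: str | None = None,
               proxy_arp: bool = False) -> tuple[str, str | None]:
    """Return (egress interface, new source IP); the IP is None for No Source NAT."""
    route = lookup_route(routes, dst)
    if nat_type == "No Source NAT":
        return route.interface, None
    if nat_type == "Dynamic Source NAT":
        return route.interface, ifaces[route.interface].ips[0]
    if nat_type == "From Interface":
        return interface, ifaces[interface].ips[0]
    if nat_type == "Explicit":
        # An address that is not configured locally only works with Proxy ARP;
        # otherwise nobody answers ARP for it and the return traffic is lost.
        if not any(explicit_ip in i.ips for i in ifaces.values()) and not proxy_arp:
            raise ValueError(f"{explicit_ip} is not a local address; select Proxy ARP")
        return route.interface, explicit_ip
    raise ValueError(f"unknown NAT type {nat_type}")


@dataclass
class LinkBalancer:
    """Up to four (interface, source IP, weight) links with failover between them."""
    links: list[tuple[str, str, int]]
    mode: str = "round robin"          # or "weighted random"
    seed: int | None = None            # a fixed seed makes weighted random reproducible
    _cycle: itertools.cycle = field(init=False, repr=False)
    _rng: random.Random = field(init=False, repr=False)

    def __post_init__(self) -> None:
        if not 1 <= len(self.links) <= 4:
            raise ValueError("a connection object balances between one and four links")
        self._cycle = itertools.cycle(self.links)
        self._rng = random.Random(self.seed)

    def pick(self, ifaces: dict[str, Interface]) -> tuple[str, str]:
        """Choose the link for a new session, skipping interfaces that are down."""
        alive = [l for l in self.links if ifaces[l[0]].up]
        if not alive:
            raise RuntimeError("all links of the connection object are down")
        if self.mode == "weighted random":
            link = self._rng.choices(alive, weights=[l[2] for l in alive])[0]
        else:
            link = next(self._cycle)
            while link not in alive:
                link = next(self._cycle)
        return link[0], link[1]


def lab() -> tuple[dict[str, Interface], list[Route]]:
    """Constructed two-ISP setup: p4 is the preferred uplink because of its lower metric."""
    ifaces = {
        "p1": Interface("p1", ["192.168.200.200"]),
        "p4": Interface("p4", ["203.0.113.10"]),
        "p5": Interface("p5", ["198.51.100.10"]),
    }
    routes = [Route("192.168.200.0/24", "p1", 0),
              Route("0.0.0.0/0", "p4", 100),
              Route("0.0.0.0/0", "p5", 200)]
    return ifaces, routes
```

The failure the note in step 4 describes is visible in the model: a session that leaves via the backup link while still carrying the primary link's address is exactly what From Interface or a multi-link object with per-link source addresses prevents.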
3. Enter a Name.
4. Select the Default Connection.
5. Click Save.
Edit the application-based connection object you just created and add the application-based link policies. Applications can be added individually,
through the application browser, or by application category. All selected applications will use the connection object selected for this policy.
The application-based link policy is now listed in the application-based connection object.
Step 3. Edit the Access Rule to use the Application Based Connection Object
4. Click Save.
To check which outgoing interface is used for a connection, go to BASIC > Active Connections or BASIC > Recent Connections and check
the SNAT column.
6. Click Save.
The NAT object appears in the NAT Objects section.
1. Click the trash can icon for the NAT object that you want to delete.
2. Click OK to confirm.
Create a Schedule
A time schedule entry can cover up to one week, starting on Mon-00:00 and ending on Mon-00:00 of the next week. To
enable the schedule for an interval crossing the Mon-00:00 threshold, split the entry, e.g., Fri-15:00 to Mon-00:00 and
Mon-00:00 to Tue-10:30.
7. Click Save.
The schedule is now displayed in the SCHEDULES list and can be used when creating access rules and application policies.
To edit a schedule, click the edit symbol next to the entry. In the Edit Schedule window, edit the settings for the object, and click Save. To delete
a schedule, click the trash can icon next to the entry and click OK.
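The one-week window and the "split at Mon-00:00" rule from the note above are easy to get wrong when the interval is typed by hand, so it helps to see the arithmetic spelled out. The following helper is an added example, not Barracuda code: it represents a schedule entry as minutes since Mon-00:00 (the week ends at minute 10080), splits an interval that wraps past Monday into the two entries the note calls for, and answers whether a given timestamp falls inside the schedule. The Day-HH:MM spelling follows the note; treating the end time as exclusive is an assumption.

```python
"""Represent weekly schedule entries and split intervals that cross Mon-00:00.

Added example, not Barracuda code. Times are minutes since Mon-00:00; the week
ends at Mon-00:00 of the following week, i.e. minute 10080.
"""
from __future__ import annotations
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WEEK = 7 * 24 * 60  # 10080 minutes


def to_minutes(stamp: str) -> int:
    """'Fri-15:00' -> minutes since Mon-00:00."""
    day, clock = stamp.split("-")
    hours, minutes = clock.split(":")
    return DAYS.index(day) * 1440 + int(hours) * 60 + int(minutes)


def from_minutes(m: int) -> str:
    """Inverse of to_minutes; 10080 wraps back to Mon-00:00."""
    m %= WEEK
    return f"{DAYS[m // 1440]}-{m % 1440 // 60:02d}:{m % 60:02d}"


def split_entry(start: str, end: str) -> list[tuple[str, str]]:
    """Return the entries needed to cover start..end.

    If the window wraps past Mon-00:00 it becomes two entries, start..Mon-00:00
    and Mon-00:00..end, which is the split the note above asks for.
    """
    s, e = to_minutes(start), to_minutes(end)
    if e == 0:               # an end of Mon-00:00 means the end of the week
        e = WEEK
    if s < e:
        return [(start, end)]
    return [(start, "Mon-00:00"), ("Mon-00:00", end)]


def is_active(entries: list[tuple[str, str]], when: datetime) -> bool:
    """True if the local time 'when' lies inside any entry (start inclusive, end exclusive)."""
    m = when.weekday() * 1440 + when.hour * 60 + when.minute
    for start, end in entries:
        s, e = to_minutes(start), to_minutes(end) or WEEK
        if s <= m < e:
            return True
    return False


if __name__ == "__main__":
    entries = split_entry("Fri-15:00", "Tue-10:30")
    print(entries)
    print("Sat noon active:", is_active(entries, datetime(2024, 1, 6, 12, 0)))
```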
Access rules are used to manage traffic going through the Barracuda NextGen Firewall X-Series. The firewall service is tightly integrated with
Application Control, IPS, and the URL Filter service.
Use firewall objects to reference specific networks, services, user groups or connections when creating firewall access rules. You can use the
firewall objects that are preconfigured on the NextGen Firewall X-Series or create custom firewall objects. The main purpose of firewall objects is
to simplify creation and maintenance of access rules. Firewall objects are re-usable which means that you can use one firewall object in as many
rules as required. Each firewall object has a unique name that is more easily referenced than an IP address or a network range (see Firewall
Objects).
For each access rule you can configure the following settings:
Name – The name of the access rule. This name is displayed on the BASIC > Active Connections, Recent Connections, and IPS
Events pages.
Description – An additional description field for the access rule.
Action – Specifies how the firewall handles network traffic that matches the criteria of the rule. The following actions are available:
Allow – The firewall passes all network traffic that matches the access rule.
Block – The firewall ignores all network traffic that matches the access rule and does not answer to any packet from this
particular network session.
Reset – The firewall dismisses all network traffic that matches the access rule. Matching network sessions are terminated by
replying TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests, and ICMP Denied by Filter for other IP
protocols.
DNAT – The firewall rewrites the destination IP address, network or port to a predefined network address. Enter multiple
destination IP addresses for load balancing or fallback configurations. To additionally forward to a different port, append
the port number to the IP address. E.g., 172.16.0.10:80
Redirect to Service – The firewall redirects the traffic locally to one of the following services that are running on the firewall:
Caching DNS, SIP Proxy, HTTP Proxy, VPN, SSL VPN or NTP.
Connection – Defines the outgoing interface and source (NAT) IP address for traffic matching the access rule. The following table lists
the five default connection objects:
SNAT with DSL IP – Source NAT with the IP address of the DSL uplink.
SNAT with DHCP IP – Source NAT with the IP address of the DHCP uplink.
You can also create custom connection objects. For example, multiple source IP addresses and interfaces can be specified in the same
connection object. This allows failover or session-based balancing between up to four links. Balancing can be achieved using either a
round robin or weighted random algorithm.
Service – Describes the protocol and protocol/port range of the matching traffic. You can define one or more services for the access
rule. You can select a predefined service object or create your own service objects (see: Service Objects).
Source – The source IP address/netmask of the connection that is affected by the rule. You can select a network object
or explicitly enter a specific IP address/netmask. You can also create your own network objects (see: Network Objects).
Destination – The destination IP address/netmask of the connection that is affected by the rule. You can select a network object or
explicitly enter a specific IP address/netmask.
Bandwidth Policies
Bandwidth policies protect the available overall bandwidth of the Internet connection. Network traffic is classified and throttled or
prioritized within each access rule. To adjust the overall bandwidth of each network interface, go to the NETWORK > IP Configuration
page. There are eight predefined bandwidth policies. For additional information, see How to Configure Bandwidth Policies or QoS.
Bandwidth policies for application traffic are configured in the application policy rules. For more information, see How to Configure an
Users/Time
For more granular control, you can configure access rules that are only applied to specific users or during specific times.
Users can be used as a criterion for the rule. Use the Barracuda DC Agent to enable the firewall to be aware of which connection belongs
to a specific user. You can also create user objects (see: User Objects).
You can create access rules that are only active for specific times or dates. For example, you can create a time object that only includes
Mondays and the hours of 8:00 am to 9:00 am. An access rule including this time object will only allow traffic during the time span
defined in the time object (see: Schedule Objects).
Advanced
Interface Group – When creating an access rule, you can assign interfaces that the source address is allowed to use. Arriving packets
that match the rule are then processed on the specified network interfaces according to the interface group settings. For more
information, see How to Create Interface Groups.
SYN Flood Protection – SYN flood protection protects from a popular kind of DoS attack against computer systems. The firewall can
eliminate SYN flooding attacks for inbound or outbound traffic. The firewall completes the handshake with the client and only then performs a
handshake with the actual target, so an unfinished handshake never reaches the target. Disabling SYN flood protection can cause an
overhead in packet transmission but can speed up interactive protocols like SSH.
In this Section
On the FIREWALL > FIREWALL RULES page, you can view the following pre-installed firewall access rules:
P1-P3-BRIDGE – This rule creates a bridge between port p1 and port p3. All traffic passes between the two ports. The rule is useful when you first get the X-Series Firewall and want to evaluate the appliance at your desk. Follow the instructions in the Barracuda NextGen Firewall X-Series Quick Start Guide to connect port p1 to the LAN and port p3 to your PC. This configuration gives the firewall access to the Internet, lets you look at traffic, and lets you continue to use your PC for other purposes during the evaluation period. When you are finished with your evaluation and move the firewall into production, you can delete this rule.
LAN-2-BARRACUDA-SERVERS – This rule allows the traffic from the trusted LAN to reach the Barracuda Networks update servers. The rule is required for initial activation as well as ongoing firmware and security updates.
LOCALDNSCACHE-WIFI – This rule automatically redirects all DNS requests from a separate Wi-Fi network on interface ath0 to the local caching DNS service of the firewall. The rule is useful for reducing the amount of DNS traffic over the WAN connection and improving DNS resolution speed as well as security.
LOCALDNSCACHE – This rule automatically redirects all DNS requests from the trusted LAN to the local caching DNS service of the firewall. The rule is useful for reducing the amount of DNS traffic over the WAN connection and improving DNS resolution speed as well as security.
TRANSPARENT-PROXY-WIFI – If enabled, this rule automatically redirects all HTTP requests on TCP port 80 from a separate Wi-Fi network on interface ath0 to the local proxy of the firewall. Depending on the proxy configuration (NETWORK > Proxy), web traffic is either scanned by Barracuda Web Security Flex or forwarded to a different proxy service.
TRANSPARENT-PROXY – If enabled, this rule automatically redirects all HTTP requests on TCP port 80 to the local proxy of the firewall. Depending on the proxy configuration (NETWORK > Proxy), web traffic is either scanned by Barracuda Web Security Flex or forwarded to a different proxy service.
LAN-2-INTERNET-SIP – If enabled, this rule automatically redirects all SIP requests from the trusted LAN to the local SIP proxy. It allows SIP communication through the firewall.
INTERNET-2-LAN-SIP – If enabled, this rule automatically redirects all SIP requests from any IP address to the local SIP proxy. It allows SIP communication from the Internet through the firewall.
WIFI-2-INTERNET – This rule allows traffic from the Wi-Fi network coming in through interface ath0 unrestricted access to the Internet.
LAN-2-LAN – This rule allows network traffic for all types of data from one trusted LAN to another. It allows unrestricted network traffic between hosts residing in different LAN segments that are classified as trusted.
VPNCLIENTS-2-LAN – This rule allows unrestricted access for VPN clients coming in through interface pvpn0 to the trusted LAN. This includes PPTP-based access.
WIFI-2-LAN – This rule allows unrestricted access from the Wi-Fi network coming in through interface ath0 to the trusted LAN.
BLOCKALL – This rule blocks all incoming and outgoing network traffic that is not handled by the access rules that are placed above it in the rule set.
Because users are included by their login names or authentication groups, verify that you have set up authentication. For more information, see:
Because rules are processed from top to bottom, ensure that you arrange your rules in the correct order. You must especially ensure that your
rules are placed above the BLOCKALL rule; otherwise, the traffic they are meant to allow is blocked. For more information, see Firewall Rules Order.
This article provides an example of how to configure an access rule that only allows HTTP and HTTPS connections from the local
192.168.200.0/24 network to the Internet.
Video
Watch the video below to see an example of an ALLOW access rule configured on the Barracuda NextGen Firewall X-Series.
To allow connections from the local network to the Internet, the X-Series Firewall must perform source-based NAT. The source IP
address of outgoing packets is changed from that of the client residing in the LAN to the WAN IP address of the X-Series Firewall, so the
connection is established between the WAN IP address and destination IP address. The destination address of reply packets belonging
to this session is rewritten with the client's IP address.
5. Click Save.
New rules are created at the bottom of the firewall rule set. Rules are processed from top to bottom in the rule set. Drag your access rule to a slot
in the rule list, so that no access rule before it matches this traffic. Verify that your rules are placed above the BLOCKALL rule. Otherwise, the
rule never matches.
After adjusting the order of rules in the rule set, click Save.
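First-match evaluation (the first rule that matches is executed, and the default Block-all rule catches everything else), the Action list from the Firewall Rules settings (Allow, Block, Reset with its protocol-dependent reply, DNAT with an optional :port suffix), and the ordering rule just stated all fit in a small evaluator that also reports rules stranded below BLOCKALL. The following is an added example, not the firewall's engine: the service objects, rule names, networks and addresses are constructed, and the Reset replies follow the descriptions given under Action.

```python
"""First-match evaluation of an access rule set plus the BLOCKALL order check.

Added example, not the firewall's engine. Service objects, rule names,
networks and addresses are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Service objects: name -> (protocol, first port, last port) entries. "ANY" matches everything.
SERVICES = {
    "HTTP": [("tcp", 80, 80)], "HTTPS": [("tcp", 443, 443)], "SMTP": [("tcp", 25, 25)],
    "SSH": [("tcp", 22, 22)], "DNS": [("udp", 53, 53), ("tcp", 53, 53)],
}


@dataclass
class Rule:
    name: str
    action: str                      # Allow, Block, Reset or DNAT
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    services: list[str] = field(default_factory=lambda: ["ANY"])
    dnat_targets: list[str] = field(default_factory=list)  # "172.16.0.10:80" style entries


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def service_matches(names: list[str], pkt: Packet) -> bool:
    if "ANY" in names:
        return True
    return any(pkt.proto == proto and lo <= pkt.dport <= hi
               for n in names for proto, lo, hi in SERVICES[n])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.destination)
            and service_matches(rule.services, pkt))


def parse_dnat_target(target: str) -> tuple[str, int | None]:
    """'172.16.0.10:80' -> ('172.16.0.10', 80); without ':port' the original port is kept."""
    ip, sep, port = target.partition(":")
    return ip, int(port) if sep else None


def reset_reply(proto: str) -> str:
    """What a Reset rule sends back, per the Action description."""
    return {"tcp": "TCP-RST", "udp": "ICMP Port Unreachable"}.get(proto, "ICMP Denied by Filter")


def evaluate(rules: list[Rule], pkt: Packet) -> dict:
    """Walk the rule set top to bottom; the first match decides, else the default block applies."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        result = {"rule": rule.name, "action": rule.action}
        if rule.action == "Reset":
            result["reply"] = reset_reply(pkt.proto)
        if rule.action == "DNAT":
            ip, port = parse_dnat_target(rule.dnat_targets[0])  # first target; others are fallbacks
            result["new_dst"] = (ip, port or pkt.dport)
        return result
    return {"rule": "default", "action": "Block"}


def is_blockall(rule: Rule) -> bool:
    return (rule.action == "Block" and rule.source == "0.0.0.0/0"
            and rule.destination == "0.0.0.0/0" and rule.services == ["ANY"])


def lint_order(rules: list[Rule]) -> list[str]:
    """Rules placed below a match-everything Block rule can never fire."""
    findings: list[str] = []
    for i, rule in enumerate(rules):
        if is_blockall(rule):
            findings.extend(f"{later.name} is below {rule.name} and can never match"
                            for later in rules[i + 1:])
            break
    return findings


def sample_rules() -> list[Rule]:
    """Constructed rule set with one rule deliberately left below BLOCKALL."""
    return [
        Rule("LAN-2-INTERNET-WEB", "Allow", source="192.168.200.0/24", services=["HTTP", "HTTPS"]),
        Rule("SMTP-2-MAILSERVER", "DNAT", destination="203.0.113.10/32", services=["SMTP"],
             dnat_targets=["10.0.0.25"]),
        Rule("BLOCKALL", "Block"),
        Rule("LAN-2-INTERNET-SSH", "Allow", source="192.168.200.0/24", services=["SSH"]),
    ]
```

Running lint_order over a rule set after every reorder is the cheap check for the mistake the text warns about: a rule that was saved at the bottom and never dragged above BLOCKALL.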
Incoming Traffic
If your mail server or Barracuda Email Security Gateway is on the public network, you might want to allow your Barracuda NextGen X-Series
Firewall to provide protection and move your mail system onto the internal network. The mail traffic passes through the firewall in both directions.
If the advertised method of receiving email is a dynamically-assigned IP address, use a service such as DynDNS to make a permanent identifier
for your mail server or Email Security Gateway. For more information on the DynDNS service, see http://dyn.com/dns/.
As you can see on the FIREWALL > Service Objects page, the Any-EMAIL service object contains the following email protocols: POP2,
POP3S, POP3, IMAP, IMAPS, and SMTP. You can use this object or just the protocols that you want to support. The rules below specify the
protocols explicitly. Configure the access rules for the cases that match your scenario, and then verify your access rule order.
Configure a rule to redirect incoming mail traffic for the Barracuda Email Security Gateway. If you have an Email Security Gateway and your mail
server does not support POP or IMAP, this is the only rule that you will need for incoming email traffic.
Go to the FIREWALL > Firewall Rules page and configure the following rule to redirect the incoming mail traffic:
SMTP-2-SPAMFW Values:
Action – DNAT
Source – Either the Internet network object or a specific public IP address. For example, the IP address of the hosting provider.
Destination – The destination depends on the advertised method of receiving email. If it is one or more external static IP addresses, enter those addresses (a CIDR summarization of addresses can also be used). If it is a domain name which maps to a dynamically-assigned IP address, select the network object named Any.
Service – SMTP
Connection – No SNAT (the original source IP address is used)
Redirect to – The internal static IP address of the Barracuda Email Security Gateway.
If you have a Barracuda Email Security Gateway and you also want to support POP/IMAP traffic from your mail server, then you must add this
rule in addition to the above rule for the Email Security Gateway.
Go to the FIREWALL > Firewall Rules page and configure the following rule to redirect the incoming POP/IMAP traffic only to the mail server:
POP-2-INTERNAL Values:
If you do not have a Barracuda Email Security Gateway, you can redirect the incoming traffic to the mail server that is on your internal network.
Go to the FIREWALL > Firewall Rules page and configure the following rule to redirect the incoming mail traffic:
EMAIL-2-MAIL-SERVER Values:
Action – DNAT
Source – Either the Internet network object or a specific public IP address. For example, the IP address of the hosting provider.
Destination – The destination depends on the advertised method of receiving email. If it is one or more external static IP addresses, enter those addresses (a CIDR summarization of addresses can also be used). If it is a domain name which maps to a dynamically assigned IP address, select the network object named Any.
Service – SMTP, POP2, POP3, POP3S, IMAP, IMAPS
Connection – No SNAT (the original source IP address is used)
Redirect To – The internal static IP address of the mail server.
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom in the rule set, arrange your rules in
the correct order. In particular, ensure that your rules are placed above the BLOCKALL rule; otherwise, BLOCKALL matches the mail traffic first
and it is dropped. After adjusting the order of rules in the rule set, click Save Changes.
Outgoing SMTP traffic (for outgoing email) must also be allowed to pass. Depending on the location of your mail server, this traffic might already
be allowed by the pre-installed LAN-2-INTERNET rule. If it is not, or if you want to make an explicit rule anyway, you must add a rule.
Configure the access rules for the case that matches your scenario. If you have multiple public IP addresses, follow the instructions in Case 2 -
Multiple Public IP Addresses to ensure that the traffic leaves on the same IP address that the public MX record points to. If you do not have
multiple IP addresses, follow the instructions in Case 1 - Mail Server Not on Trusted LAN. After configuring the required access rule, verify your
access rule order.
Go to the FIREWALL > Firewall Rules page and configure the following rule to allow outgoing SMTP traffic:
SMTP-2-INTERNET Values:
If you have multiple external IP addresses and want to force outbound SMTP traffic to use a specific IP address:
1. Go to the FIREWALL > Connection Objects page and create a connection object that specifies the IP address that is in the MX record.
2. Go to the FIREWALL > Firewall Rules page and add the following rule to direct the outgoing mail traffic:
SMTP-2-INTERNET Values:
Move the firewall rule above the pre-installed LAN-2-INTERNET rule. If this rule is under the LAN-2-INTERNET rule, traffic goes out on the
primary IP address, which might not be the correct path. After adjusting the order of rules in the rule set, click Save Changes.
Allowing SIP-based VoIP Traffic for VoIP Phones – Steps for configuring access rules for VoIP phones that use the same network subnet
as the internal SIP server. The VoIP phones and SIP server are located in the 192.168.200.0/24 network.
Allowing SIP-based VoIP Traffic for Barracuda Phone System – Steps for creating the access rules and network object required to allow
SIP-based VoIP traffic when using Barracuda Phone System with the NextGen Firewall X-Series.
Create a forwarding access rule that redirects traffic to the internal SIP proxy of the X-Series Firewall. The SIP proxy dynamically opens all
necessary RTP ports for successful SIP communication through the firewall. You must also create a separate access rule to allow traffic from the
Internet to the SIP proxy.
On the X-Series Firewall version 6.5.0 and above, the required LAN-2-INTERNET-SIP and INTERNET-2-LAN-SIP firewall access rules
are preconfigured. However, when upgrading from older firmware releases, you might have to create new rules or edit and configure
existing ones.
Step 1. Configure an Access Rule for the Connection from the SIP Server to Internet
To let SIP-based VoIP communication pass the firewall, create a forwarding firewall access rule that redirects traffic to the SIP proxy. You can
create a new access rule or edit an existing rule. This example edits the LAN-2-INTERNET-SIP rule.
In this rule, the Source includes the SIP server and the phones. The Destination specifies the destination of the SIP network traffic that
is allowed. Usually, the destination is the public IP address of your SIP provider. Here, Destination is the predefined Internet network
object, but you can also enter the network address of your SIP provider.
Step 2. Configure an Access Rule for the Connection from the Internet to the SIP Server
Configure a separate forwarding access rule to allow connections from the Internet to the SIP server. You can create a new access rule or edit an
existing rule. This example edits the INTERNET-2-LAN-SIP rule.
The Source specifies the origin of the network traffic that should be allowed. The Destination specifies the public IP address that is
allowed to receive SIP traffic.
Because rules are processed from top to bottom in the rule set, arrange your rules in the correct order. In particular, ensure that your rules
are placed above the BLOCKALL rule; otherwise, BLOCKALL matches the SIP traffic first and it is dropped.
After adjusting the order of rules in the rule set, click Save.
When using Barracuda Phone System with the X-Series Firewall, you must create two firewall access rules to allow SIP-based VoIP traffic from
the Internet to the Phone System and vice versa. For the access rule that allows SIP-based VoIP traffic from the Phone System to the Internet,
you must create a connection object that does not use port address translation (PAT).
Step 1. Create an Access Rule for the Connection from the Internet to the Barracuda Phone System
4. Click Save.
From Interface Select your WAN interface. Clear the check box.
Step 3. Create an Access Rule for the Connection from the Barracuda Phone System to the Internet
4. Click Save.
This article provides an example of how to configure an access rule that blocks all ICMP traffic from the local LAN to the Internet.
New rules are created at the bottom of the firewall rule set. Rules are processed from top to bottom in the rule set. Drag your access rule to a slot
in the rule list so that no access rule above it matches this traffic. Verify that your rule is placed above the BLOCKALL rule. Otherwise, the
rule never matches.
After adjusting the order of rules in the rule set, click Save.
Create a new network object containing the IP addresses of all web servers you want to redirect traffic to. If you want to redirect to a
different port, you cannot use network objects.
Create a network object containing your public IP address. For this example, our public IP address is 62.99.0.51.
Verify that there is no local firewall service listening on that IP address. To forward IPsec traffic, go to VPN > Settings and set Use
Dynamic IPs to No.
This example creates a DNAT access rule that allows HTTP traffic from the Internet to the web server residing in the DMZ.
To redirect to more than one web server in cycle (round robin) or fallback mode, you can either add additional IP addresses to the network
object, or enter additional IP addresses in the Redirect list. In fallback mode, all traffic is sent to the first IP address in the list (or network object).
If that IP address is no longer reachable, traffic is sent to the second, and so forth. In cycle mode, the traffic is distributed across all IP addresses in
the Redirect list based on the source IP address of the traffic. In this example, we used a network object containing two IP addresses (172.16.0.11
and 172.16.0.12) and left the original IP address 172.16.0.10 on port 8080 from step 2. HTTP and HTTPS traffic is now cycled between:
172.16.0.10:8080
172.16.0.11, port 80 or 443 (the chosen HTTP+S service object allows both ports)
172.16.0.12, port 80 or 443 (the chosen HTTP+S service object allows both ports)
New rules are created at the bottom of the firewall ruleset. Rules are processed from top to bottom in the ruleset. Drag your access rule to a slot
in the rule list so that no access rule above it matches this traffic. Verify that your rule is placed above the BLOCKALL rule. Otherwise, the
rule never matches.
After adjusting the order of the rules in the ruleset, click Save.
This article provides instructions on how to configure an access rule for the following setup:
Install and configure the Barracuda Email Security Gateway in your LAN as described in: Deployment Behind the Corporate Firewall.
To also forward SMTPS traffic to your Email Security Gateway, create a service object to redirect the traffic to port 465. For more information, see
Service Objects.
Protocol – TCP
Port Range – 465
Create a DNAT access rule that forwards all incoming SMTP traffic to the IP address of the Email Security Gateway.
1. Go to the FIREWALL > Firewall Rules page.
2. Click Add Access Rule to create a new firewall rule.
3. In the Add Access Rule window, enter a name and description for the rule.
4. Specify the following settings:
Action – DNAT
Connection – No SNAT
Source – Internet
Service – SMTP, SMTP SSL (optional)
Destination – Enter the public IP address of the X-Series Firewall. E.g.: 62.99.0.50
Redirect To – Enter the IP address or select the network object for your Barracuda Email Security Gateway. E.g.: 10.10.10.3
Because rules are processed from top to bottom in the rule set, arrange your access rules in the correct order.
Make sure that this rule is the first access rule that matches SMTP traffic on the WAN port of the X-Series
Firewall.
After adjusting the order of the rules in the rule set, click Save.
This article provides an example of how to configure an access rule that blocks Internet (HTTP and HTTPS) access for two trainees from Monday
to Friday, except during the hours of 11:00 AM to 1:00 PM. The two trainees reside in the 192.168.200.0/24 network segment and use
computers with the 192.168.200.100 and 192.168.200.101 IP addresses.
This example configures a time object named TraineeOfficeHours that includes all office hours except lunch time from 11:00 AM to 1:00 PM.
This example configures an access rule named Block-HTTPs-for-Trainees that blocks HTTP and HTTPS network traffic from the
192.168.200.100 and 192.168.200.101 IP addresses.
Because all other clients in the 192.168.200.0/24 network should not be affected by this rule, the source network is limited to the
192.168.200.100 and 192.168.200.101 IP addresses.
Access rules are processed from top to bottom. Place your access rule before any other access rule that matches the same traffic. For this
example, place your time-based block rule before any rule that allows Internet access. Click Save to save the changes to the order of the access
rules.
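The following Python model is added here as an example; it is not Barracuda code and not part of the original documentation. It demonstrates the two points the access rule procedures above keep returning to: rules are evaluated top to bottom with the first match winning, so a rule created at the bottom of the rule set (below BLOCKALL) never matches until it is moved up, and a time object only activates a rule inside its window, so the trainee block rule falls through to LAN-2-INTERNET during lunch and on weekends. Rule and object names follow the page; the field names, the service-to-port mapping, the example addresses and the 08:00 to 17:00 office hours are assumptions.

```python
"""First-match access rule evaluation with BLOCKALL and a time object.

Added example, not Barracuda code. It models only the ordering semantics the
text describes: rules are processed top to bottom, the first match wins, and a
rule created at the bottom of the rule set (below BLOCKALL) never matches until
it is moved up. Rule and object names follow the page; the field names, the
service-to-port mapping and the 08:00 to 17:00 office hours are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service objects reduced to destination ports; None stands for any port.
SERVICE_PORTS = {"HTTP": {80}, "HTTPS": {443}, "HTTP+S": {80, 443}, "SMTP": {25}, "ANY": None}
ANY = ["0.0.0.0/0"]  # stands for the predefined Any network object


@dataclass
class TimeObject:
    """Active on the given weekdays (0 = Monday) during [start, end), minus an optional window."""
    weekdays: frozenset
    start: time
    end: time
    exclude: Optional[Tuple[time, time]] = None

    def active(self, when: datetime) -> bool:
        if when.weekday() not in self.weekdays:
            return False
        now = when.time()
        if not (self.start <= now < self.end):
            return False
        if self.exclude and self.exclude[0] <= now < self.exclude[1]:
            return False
        return True


def in_any(addr: str, nets: List[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in nets)


@dataclass
class Rule:
    name: str
    action: str                                # ALLOW, BLOCK or DNAT
    sources: List[str]                         # CIDR list
    destinations: List[str]                    # CIDR list
    service: str                               # key of SERVICE_PORTS
    time_object: Optional[TimeObject] = None   # None: always active

    def matches(self, src: str, dst: str, dport: int, when: datetime) -> bool:
        if self.time_object is not None and not self.time_object.active(when):
            return False
        ports = SERVICE_PORTS[self.service]
        return (in_any(src, self.sources) and in_any(dst, self.destinations)
                and (ports is None or dport in ports))


def first_match(ruleset: List[Rule], src: str, dst: str, dport: int, when: datetime) -> str:
    """Evaluate top to bottom and return the name of the first matching rule."""
    for rule in ruleset:
        if rule.matches(src, dst, dport, when):
            return rule.name
    return "<no match>"


def move_above(ruleset: List[Rule], name: str, above: str) -> List[Rule]:
    """Return a copy of the rule set with rule `name` placed directly above rule `above`
    (the drag-and-drop step in the procedures above)."""
    moved = next(r for r in ruleset if r.name == name)
    rest = [r for r in ruleset if r.name != name]
    idx = next(i for i, r in enumerate(rest) if r.name == above)
    return rest[:idx] + [moved] + rest[idx:]


# Mon-Fri office hours (assumed 08:00-17:00) with the 11:00-13:00 lunch window excluded.
TRAINEE_OFFICE_HOURS = TimeObject(frozenset(range(5)), time(8), time(17), (time(11), time(13)))

RULESET = [
    Rule("Block-HTTPs-for-Trainees", "BLOCK",
         ["192.168.200.100/32", "192.168.200.101/32"], ANY, "HTTP+S", TRAINEE_OFFICE_HOURS),
    Rule("LAN-2-INTERNET", "ALLOW", ["192.168.200.0/24"], ANY, "ANY"),
    Rule("BLOCKALL", "BLOCK", ANY, ANY, "ANY"),
    # A newly created rule lands here, below BLOCKALL, and can never match.
    Rule("WEB-2-DMZ", "DNAT", ANY, ["62.99.0.51/32"], "HTTP+S"),
]

if __name__ == "__main__":
    tuesday_0930 = datetime(2024, 6, 11, 9, 30)
    tuesday_1215 = datetime(2024, 6, 11, 12, 15)
    print(first_match(RULESET, "192.168.200.100", "93.184.216.34", 443, tuesday_0930))  # Block-HTTPs-for-Trainees
    print(first_match(RULESET, "192.168.200.100", "93.184.216.34", 443, tuesday_1215))  # LAN-2-INTERNET
    print(first_match(RULESET, "203.0.113.5", "62.99.0.51", 80, tuesday_0930))          # BLOCKALL
    fixed = move_above(RULESET, "WEB-2-DMZ", "BLOCKALL")
    print(first_match(fixed, "203.0.113.5", "62.99.0.51", 80, tuesday_0930))            # WEB-2-DMZ
```

The misplaced WEB-2-DMZ rule is the situation the procedures warn about: it is syntactically correct but unreachable because BLOCKALL matches every packet before evaluation gets that far. Moving it directly above BLOCKALL (but not above LAN-2-INTERNET, which it does not overlap) is enough to make it effective.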
The Barracuda Web Security Gateway may be any device processing HTTP or HTTPS.
The X-Series Firewall and the Barracuda Web Security Gateway must be connected to the same subnet (within the same ARP domain).
Create the DNAT access rule to forward all HTTP traffic to the Barracuda Web Security Gateway.
Do not use network objects containing host names (DNS objects). The firewall does not redirect traffic to a hostname
or FQDN.
6. Click Save.
7. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located
above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
8. Click Save.
Step 2. Create an Allow Access Rule for the HTTP Proxy to Access the Internet
6. Click Save.
7. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located
above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
8. Click Save.
Step 3. Create an Allow Access Rule for the Barracuda Web Security Gateway to Access the Client
To allow the Barracuda Web Security Gateway to access the client, create an access rule with the following settings:
In order to successfully send the connection from the Barracuda Web Security Gateway to the Internet you must configure the device to:
As a powerful next-generation Firewall feature, Application Control allows the Barracuda NextGen Firewall X-Series to control application traffic,
including sub-applications (e.g., chat function and picture uploading). It includes the following features:
Application Policy – A list of policy rules to detect and control application traffic. You can create rules to drop or adjust the bandwidth of
detected applications. Traffic patterns are compared to predefined application objects containing detection patterns to detect the latest
applications. The application pattern database is updated with every NextGen Firewall X-Series firmware update. You can also
customize application definitions based on previously analyzed network traffic. To classify applications and threats, all application objects
are categorized based on risk, bandwidth, or vulnerabilities.
URL Filtering – Based on the Barracuda Web Security Gateway URL category database. The URL filter uses a large online database to
filter according to the URL of the website. The websites are organized into URL categories based on the content of the website. You can
use the URL filter as a whitelist or blacklist. To use the URL Filter you must have a Barracuda Web Security Subscription.
SSL Inspection – Most applications encrypt outgoing connections with SSL or TLS. SSL Inspection intercepts and decrypts encrypted
traffic to let Application Control detect and handle embedded features or sub-applications of the main application. For example, you can
create a policy that permits the general usage of Facebook but forbids Facebook chat. If you choose not to enable SSL Inspection, the
main applications can still be detected. For example, Facebook can still be detected without SSL Inspection, but you will not be able to
determine if the Facebook chat or a Facebook app is being used.
Because applications either are web-based or connect via SSL- or TLS-encrypted connections to servers in the Internet, they can be detected
and then controlled as they pass the X-Series Firewall. If Application Control and SSL Inspection are enabled in the firewall rule that handles the
application traffic, then the traffic is evaluated by the application policies and processed as follows:
After your analysis, create application policies to ensure that business-critical applications receive the bandwidth that they need. Then configure
application and URL policies to block or choke any unwanted applications and websites. You can adjust and tune these policies by defining
exceptions for certain resources or users.
Enable Application Control and activate it in a firewall rule to start gathering application data. Configure one or more firewall rules that forward
traffic from the clients to the internet. If you want to use pre-installed rules, configure the LAN-2-INTERNET and WIFI-2-INTERNET rules. If you
are not using the pre-installed firewall access rules, use the corresponding firewall rules.
1. Go to the FIREWALL > Settings page, enable Application Control, and click Save.
2. Go to the FIREWALL > Firewall Rules page.
3. Edit the LAN-2-INTERNET and WIFI-2-INTERNET rules to enable Application Control and SSL Inspection.
4. Install SSL certificates on the client computers to avoid SSL warnings when using SSL Inspection. For more information, see How to
Configure an Application Policy.
The Barracuda NextGen Firewall X-Series can now start collecting information on the application-based traffic that is handled by these firewall
rules. If you configured a captive portal or the Barracuda DC Agent, user information is also collected.
Go to the BASIC > Application Monitor page to view information about the application traffic that passes through the X-Series Firewall and
determine which applications use the most bandwidth. You can either use filters or create custom reports to track this information and view it in
more detail.
Example - Define a Filter to see all Employees Using High Risk Applications.
If you want to see all data about high risk applications that were used in your network, configure a filter for the application monitor:
You can now see a list of all the data for high risk applications in the time period that you selected in the Last list. To remove the filter, click the x
icon next to the filter.
Example - Create a Custom Report on How much Bandwidth is used by Business Applications
You can create daily reports using the Barracuda Report Creator (BASIC > Administration). You can define custom report types to get a daily
update on how much traffic your business-critical applications are using.
Create an application policy to ensure that important applications receive enough bandwidth.
1. Create a list based application object to include all the business-critical applications that you want to prioritize.
2. Create an Allow application policy rule with Adjust Bandwidth set to Business.
You are not limited to a single application object for important applications. If you are using VOIP applications like Skype or Facetime, you can
define an application object with Adjust Bandwidth set to VOIP, to ensure that these time-sensitive applications are forwarded without delay.
Unwanted applications can either be blocked or limited. When applications are blocked, they display connection errors to inform users that the
resource is not available. Some applications try to evade being blocked by changing protocol or port. As an alternative, you can limit, or choke,
1. Create list- or category-based application objects to include the applications that you want to block or limit.
2. To block applications, create a BLOCK application policy and add all the applications that you want to block.
3. To limit applications, create an ALLOW application policy. In the policy settings, add all the applications that you want to limit and set
Adjust Bandwidth to Choke.
The URL filter can be configured as a blacklist, allowing all sites except specifically blocked URL categories, or as a whitelist blocking everything
except for specifically allowed categories.
If exceptions are required for special use cases or privileged users, you can configure exceptions for your policies:
To specify exceptions to the categories of websites that you allow or block, click the URLs tab in the URL policy settings. Then explicitly
enter the URL of websites that must always be allowed or blocked.
To create exceptions to your application policies, create new application policies. Then place the new application policies over the
policies that they are overriding.
Example - Block Everyone from using Facebook Except for Exempt Users
To define an exception from the standard policy, create an application policy specifically allowing access for the exempted users.
1. On the FIREWALL > User Objects page, create a user object that includes all users and groups who are allowed to access Facebook.
2. On the FIREWALL > Application Policy page, create an ALLOW application policy that includes the user object you just configured for
allowed users and groups.
3. Place the new exception application policy above the policy rule blocking Facebook for everyone.
View the application monitor to detect changes in application usage, and adapt and tune the application policies. Configure the Barracuda Report
Creator to send regular updates of what passes through your X-Series Firewall.
Use list based application objects if you want to create a list of applications which do not belong to the same category or do not share common
traits. For example, a list of business critical applications.
The applications or objects that match all filters are instantly displayed in the dynamically generated Select list.
5. From the Select list, add the desired applications or objects to Selected by clicking the + icon next to
their names. If an application consists of more than one component, you can expand the parent
application and all the child objects will be visible.
To exclude specific items from selected applications containing more than one component, expand the application in the Selected section
and click the - icon next to the application features that you want to exclude.
6. Click Save.
The new application object is now displayed in the List Based Application Objects section.
Create a filter based application object if you want to create a list of applications based on risk factor, property or category. For example, a list of
all applications with a high (4) risk factor or belonging to the Instant Messaging category.
7. Click Save.
The new application object is now listed in the Filter Based Application Objects section.
If the application list does not contain the application or website you want to add to an object, you can create custom application objects.
To block broader access to a category of websites, you can enable the URL filter in your firewall and application policy rules. When the user
connects to a website, the Barracuda NextGen Firewall X-Series compares the URL against a large online database. You can allow or block
access to websites based on predefined URL categories and define exceptions to exclude single websites from being blocked or allowed.
Create URL policy objects to specify the URL categories that you want to allow or block. You can define exceptions to these categories by
explicitly entering the URL of websites that you want to always allow or block.
If you want to use the URL filter in combination with application control, enable it in the firewall access rule.
Step 3. Configure an Application Policy Rule to Use the URL Filter Policy
You can create an application policy to just filter based on the selected URL policy or you can combine application control and the matching URL
policy in a single application policy rule.
5. Click Save.
6. (Optional) Reorder the application policies and click Save.
You can enable Application Control for each firewall rule individually. When the rule is executed, the application policy rules are processed from
top to bottom.
Application or sub-application
Time
User
Content
Source network
Protocol
To detect and manage application traffic, you must first enable application control.
4. Click Save.
To avoid SSL certificate errors in the browser when a user connects to an SSL-encrypted website, install the self-signed SSL certificate of the
Barracuda NextGen X-Series Firewall on your client computers.
With the certificates installed, your clients no longer receive SSL certificate warnings when SSL inspection is used.
Configure firewall rules to use Application Control. The pre-installed LAN-2-INTERNET firewall rule allows network traffic for all types of data from
the trusted LAN to the Internet. You can edit the LAN-2-INTERNET rule or create a new firewall rule if required.
Because Application Control can impact the performance of the X-Series Firewall, be as specific as possible with firewall rule settings.
Because rules are processed from top to bottom, verify that your rules are arranged in the correct order. Click Save.
Create an application policy for every application you want to modify or block.
Block an Application
To view blocked or throttled connections, go to the BASIC > Recent Connections page. In the Application column for each connection, the
controlled application is listed. To view specific connections, you can filter the list of recent connections.
4. Click Save.
4. Click Save.
Because rules are processed from top to bottom, you must place this rule before the LAN-2-INTERNET rule. After adjusting the order of the
rules, click Save.
To view blocked or throttled connections, go to the BASIC > Active Connections or BASIC > Recent Connections page. In the Application and
Bandwidth Policy columns for each connection, the detected application and the assigned bandwidth policy are listed. To view specific
connections, you can filter the list.
On the Barracuda NextGen Firewall X-Series, you can configure inbound link balancing, outbound link balancing, and outbound link failover. Link
balancing is also sometimes called 'link aggregation', although it is distinct from Ethernet link aggregation (LACP), which bonds several interfaces
into one logical layer 2 link; here, connections are distributed across separate WAN links, each with its own IP address.
To achieve outbound link load balancing, create a connection object that balances the traffic among multiple links. Then use this connection
object in the firewall rules that direct outgoing traffic. The connection object specifies what happens if multiple links are configured. Options
include:
If one interface becomes unavailable, the traffic fails over to the next available link in the sequence.
Use a set of interfaces in weighted round robin fashion. You can specify the weights for each interface in the connection object.
Randomly choose one of a list of interfaces.
For more information about configuring connection objects, see How to Configure Outbound Loadbalancing and Failover.
You can use DNS to balance inbound traffic among multiple links. Associate your domain name (or names) with multiple IP addresses, each of
which represents an external interface. When the DNS request for the domain name is resolved, all of these IP addresses are included in the
answer. The DNS server can vary the order of the IP addresses, and the client uses the first entry in the list to access your site. You can add
multiple DNS entries with the same IP address to send more queries to the preferred WAN interface. Configure the X-Series Firewall as the
authoritative DNS resolver for the domain name.
You can use load balancing and failover in a DNAT access rule to distribute incoming traffic to multiple internal servers. Add additional IP
addresses to the network object referred to in the rule, or enter them in the Redirect list of the rule. Depending on the configuration, all traffic is
initially sent to the first IP address and, if this address is no longer reachable, to the second, and so forth (fallback mode), or distributed to all IP
addresses depending on the mode set in the rule: round robin or cycle.
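The following Python model is added as an example; it is not Barracuda code and not part of the original documentation. It covers both this passage and the multi-server DNAT redirect example for the web servers above, and makes the behavioural difference between the distribution modes observable: fallback/failover always returns the first reachable target in list order, cycle keys the choice on the client's source IP so one client keeps hitting the same server, and weighted round robin spreads outbound connections across links in proportion to their weights. The smooth weighted round robin scheduling, the health flags, the weights and the addresses are assumptions; the appliance's actual scheduler is not documented on this page.

```python
"""Target selection for DNAT redirect lists and outbound connection objects.

Added example, not Barracuda code. It models the distribution behaviours the
text describes (fallback/failover to the first reachable target, cycle keyed on
the client's source IP, and weighted round robin across links). The smooth
weighted round robin scheduling, the health flags, weights and addresses are
constructed assumptions; the appliance's exact scheduler is not documented here.
"""
import hashlib
from ipaddress import ip_address
from typing import Dict, List, Optional, Sequence


class TargetSelector:
    """Holds an ordered target list with per-target health and weight."""

    def __init__(self, targets: Sequence[str], weights: Optional[Dict[str, int]] = None):
        self.targets = list(targets)                 # list order drives fallback
        self.weights = {t: (weights or {}).get(t, 1) for t in self.targets}
        self.healthy = {t: True for t in self.targets}
        self._credit = {t: 0 for t in self.targets}  # running balance for smooth WRR

    def mark(self, target: str, up: bool) -> None:
        """Record the result of a reachability check for one target."""
        self.healthy[target] = up

    def _available(self) -> List[str]:
        return [t for t in self.targets if self.healthy[t]]

    def fallback(self) -> Optional[str]:
        """Fallback/failover: everything goes to the first reachable target in the list."""
        avail = self._available()
        return avail[0] if avail else None

    def cycle(self, src_ip: str) -> Optional[str]:
        """Cycle: choose by source IP, so one client keeps hitting the same target
        as long as the set of reachable targets does not change."""
        avail = self._available()
        if not avail:
            return None
        digest = hashlib.sha256(ip_address(src_ip).packed).digest()
        return avail[int.from_bytes(digest[:4], "big") % len(avail)]

    def weighted_round_robin(self) -> Optional[str]:
        """Smooth weighted round robin: each call picks the target with the highest
        credit, then charges it the total weight, so a 3:1 weighting yields
        A, A, B, A rather than A, A, A, B."""
        avail = self._available()
        if not avail:
            return None
        total = sum(self.weights[t] for t in avail)
        for t in avail:
            self._credit[t] += self.weights[t]
        pick = max(avail, key=lambda t: self._credit[t])
        self._credit[pick] -= total
        return pick


def wrr_sequence(selector: TargetSelector, n: int) -> List[str]:
    """Draw n consecutive weighted round robin decisions."""
    return [selector.weighted_round_robin() for _ in range(n)]


if __name__ == "__main__":
    # Constructed DNAT redirect list from the web server example (172.16.0.10-12).
    web = TargetSelector(["172.16.0.10", "172.16.0.11", "172.16.0.12"])
    print("fallback:", web.fallback())                 # 172.16.0.10 while it is reachable
    web.mark("172.16.0.10", False)
    print("fallback after outage:", web.fallback())    # 172.16.0.11
    print("cycle for 203.0.113.7:", web.cycle("203.0.113.7"), web.cycle("203.0.113.7"))
    # Constructed outbound connection object: two WAN links weighted 3:1.
    wan = TargetSelector(["wan1", "wan2"], {"wan1": 3, "wan2": 1})
    print("wrr:", wrr_sequence(wan, 4))                 # ['wan1', 'wan1', 'wan2', 'wan1']
```

Note the operational consequence of cycle mode: because the choice is a function of the source IP and the current set of reachable targets, a target going down or coming back reshuffles which clients land where, so session state held on the individual web servers is lost at that moment unless it is shared between them.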
In case one ISP connection fails, the Barracuda NextGen Firewall X-Series will automatically use the remaining Internet connection. Configure
the routing metric for both connections:
If you want to use both your Internet Connections to send outgoing traffic create and use a custom connection object.
After you have successfully created this connection object, you can go to the FIREWALL > Firewall Rules page and apply it to a rule that directs
outgoing traffic.
To report and instantly block suspicious network traffic passing the Barracuda NextGen Firewall X-Series, the Intrusion Prevention System
(IPS) scans forwarded network traffic for malicious activity and known attack patterns. The IPS engine continuously compares the traffic stream
with its internal signature database. To prevent evasion, the IPS engine reassembles TCP streams and IP fragments before the data is matched
against signatures, so an attack split across several segments or fragments is still detected. The IPS engine can also inspect HTTP requests
passing the firewall.
IPS must be globally enabled on an X-Series Firewall. However, you can enable or disable IPS for each firewall rule. Enabling IPS on a per-rule
basis lets you select which network traffic is scanned for threats. For example, you can choose to enable IPS scanning only for network traffic that
travels from and to the DMZ. When IPS is enabled in a firewall rule, the default IPS policy of Report Mode or Enforce Mode is used. In Report
Mode, the X-Series Firewall reports detected attacks instead of immediately blocking network traffic. This mode is recommended after the initial
deployment of IPS to prevent traffic from being incorrectly blocked. However, you can prevent false positives when the IPS engine operates in
Enforce Mode by creating IPS exceptions.
4. For Default IPS Policy, select either Report Mode or Enforce Mode.
5. Click Save.
In the Event Policy section of the FIREWALL > Intrusion Prevention page, define the actions to be taken when the IPS engine detects
suspicious network traffic with the following threat levels: Critical, High, Medium, Low, and Information. When the X-Series Firewall operates in
Report Mode, you can only adjust the Log settings. When the firewall operates in Enforce Mode, you can also modify the Action for each
severity.
The available Log settings are Alert, Warn, and Notice.
You can view detected threats on the BASIC > Recent Threats page.
If you must allow network traffic that the X-Series Firewall has detected as a threat, you can create an IPS exception.
Before you create the IPS exception, get the description or CVE-ID of the threat:
1.
Most applications encrypt outgoing connections with SSL or TLS. SSL Inspection transparently decrypts and re-encrypts HTTPS traffic so that
Application Control features (such as the Virus Scanner, IPS, URL Filter, or Safe Search) can inspect the content of SSL-encrypted connections
that would otherwise not be visible to the Firewall service. Before configuring SSL Inspection, you must install the SSL Inspection security
certificate (root certificate). The root certificate is used to intercept, proxy, and inspect the HTTP/S session: for each inspected connection, the
Barracuda NextGen Firewall X-Series presents the client with a certificate for the requested site that it issues from this root CA. Because every
client that trusts this root accepts any certificate the firewall signs, protect the root CA's private key and distribute only the certificate to clients.
Do not use SSL Inspection in combination with Barracuda Web Security Service or forward proxy.
Create or upload the SSL Inspection root certificate in the Certificate Manager. You must use a CA certificate (Certificate Authority). For
more information, see How to Use and Manage Certificates with the Certificate Manager.
Enable SSL Inspection and prepare the root certificate for client download.
7. In the URL Category Exemptions section, add website categories that should not be SSL-inspected.
8. To automatically check for revoked CA certificates:
Click Show Advanced Options.
Select the Enable CRL checks checkbox.
In the CRL validation fail behavior section, select the action to be taken if the CRL check fails.
In the Additional Certificates section, add additional trusted CA certificates. These certificates are deemed valid even if the
CRL check fails.
9. Click Save.
Download and install the security certificate on all clients. To prevent browser warnings and allow transparent SSL Inspection, install the
certificate into the operating system's or web browser's certificate store.
1. Go to:
https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=cer
OR
https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=pem
2. Download the certificate to the client computer.
SSL Inspection can now be enabled on a per-access rule basis. To use SSL Inspection, you must also enable Application Control. For more
information, see Firewall Rules.
The Barracuda NextGen Firewall X-Series offers real-time URL filtering for web and application traffic. URL filtering is handled as part of the
application policy. In combination with Application Control, URL filtering can also be enabled on a per-access-rule basis. To use URL filtering, you
must have a Barracuda Web Security Subscription.
URL Filter policies define access restrictions for URL categories. To restrict or allow access to specific URL categories and/or websites, create
URL policy objects. When applied to an application policy, the URL policy object defines how the application policy handles user access to
websites based on the URL Filter policy. When configuring a URL policy object, assign a policy for every URL category with the option of
including custom URL block and allow lists. The following actions are available for each URL category:
To configure URL filtering, apply URL policy objects to application policies. A URL policy object defines the action to be performed by the
X-Series Firewall when your users connect to a website and the application policy applies. The X-Series Firewall sends the visited URL to a large
online database for URL categorization and then performs the action specified in the URL policy object. To use application policies with URL
policy objects for web and application traffic, you must also enable URL filtering separately in the matching access rule.
For more information, see How to Configure URL Filtering in the Firewall.
If the action for the detected URL category is set to override in the URL Filter Policy object, the user can request permission for a URL category
override. A URL Filter override admin must grant the request and set the duration of the override request. Override requests are granted per URL
category.
Create a URL policy object to specify access restrictions for URL categories. You can also define exceptions to these categories by explicitly
entering the URL of websites that you want to always allow or block.
5. Enter the timeout for Warn and continue override valid for 'n' minutes.
6. In the Categories section, select the action to be performed when users try to access a URL category. You can define the following
actions for each category:
Allow – Allow access to all URLs defined in the category.
Warn – Allow access to the URL category. Access is silently logged by the X-Series Firewall.
Alert – Allow access after accepting a warn and continue message. This action is logged by the X-Series Firewall.
Override – User request time limited access from a URL Filter override admin. If the request is accepted the user is allowed to
access the URL. This action is logged by the X-Series Firewall.
Block – Block access to all URLs defined in the category.
7. (optional) To define exceptions for specific URLs, click the URLs tab.
In the Always ALLOW field, enter whitelisted URLs and for each entry click plus (+).
In the Always BLOCK field, enter blacklisted URLs and for each entry click plus (+).
8. Click Save.
The URL policy is displayed in the URL POLICY OBJECTS list and can now be used in your application policies. For more information, see Apply
the URL policy object to an application policy.
To delete a URL policy, click the trash can icon next to the entry and click OK.
Create a URL policy object to specify the URL categories that you want to allow or block. You can define exceptions to these categories by
explicitly entering the URL of websites. For instructions, see URL Policy Objects.
To use application policies with URL policy objects for web and application traffic, enable Application Control and URL filtering in your access
rules.
Configure application policies to restrict access to URL categories specified in the URL policy object.
Create or edit existing URL Policy objects and select Override All as the action for the categories of your choice. For more information,
see URL Policy Objects.
Configure URL filtering in the firewall. For more information, see How to Configure URL Filtering in the Firewall.
5. Click Save.
Create a Redirect to Service access rule to redirect the URL Filter Override admin user to the Override Admin portal. This rule will also allow
access to the guest user ticketing system.
The URL Filter Override admin interface is now reachable via https://1.2.3.4/cgi-bin/override-admin (if you used 1.2.3.4 as the destination IP
address in the access rule).
JavaScript must be enabled in the client browser for the override request to be sent.
When attempting to access a website that is in an override URL category, the URL Filter Override block page is displayed.
To access such a blocked page, select from a drop-down list an override admin to send your access request to and then click Request Access.
After the override admin grants the request, click Request Access again to continue to the previously blocked website. If the admin denies the
override request, the URL category is blocked for the set duration.
For more information, see How to Grant URL Category Overrides - User Guide.
Get the following information from the Barracuda NextGen Firewall X-Series administrator:
Your browser must allow JavaScript on the Override Block and Admin pages.
To grant users access to URL categories that are normally blocked by the URL Filter, proceed as following:
4. Set the number of minutes the override will remain valid for, and click the green button to allow the request or the red X button to deny it.
If the request was allowed, the user is now permitted to access websites in this URL category for the timespan you set. If you denied the request,
this URL category is blocked for the set timespan.
The Barracuda NextGen Firewall X-Series can transparently scan HTTP, HTTPS, FTP, SMTP, and SMTPS traffic for malware. For in-depth
scanning of more advanced malware for which there are no virus scanner patterns available, the X-Series Firewall can also scan traffic using
Advanced Threat Detection. The following subscriptions are required to use Virus Scanning and ATD in the firewall:
To scan HTTP and HTTPS traffic for malware, configure an access rule to match your web traffic and enable Application Control, SSL Inspection
(optional), and Virus Protection. If malware is detected, the file is discarded and the user is redirected to a customizable block page.
SSL-encrypted HTTP and SMTP connections can be scanned only if SSL Inspection is enabled.
For more information, see How to Configure Virus Protection in the Firewall for Web Traffic.
To scan FTP traffic for malware, configure an access rule to match your web traffic and enable Application Control and Virus Protection. Since
the FTP protocol does not include MIME-type information, all files are scanned. If malware is detected, the file is discarded and the file transfer is
terminated. When malware in an FTP transfer is found, a local file is created by the FTP client before the transfer starts, so the user may see a file
with 0 bytes or a small, partially downloaded file.
For more information, see How to Configure Virus Scanning in the Firewall for FTP Traffic.
The X-Series can scan incoming and outgoing SMTP and SMTPS mail traffic. To scan mail traffic, you must configure mail security in the firewall.
ATD scans HTTP, HTTPS, FTP, SMTP and SMTPS traffic for advanced malware on a per-access-rule basis. Malicious files are treated
according to configurable policies. When malware is detected in HTTP and FTP traffic, the user/IP address who downloaded the malware is
placed in quarantine. To use ATD you must have an Energize Updates, Web Security and Advanced Threat Detection subscription.
Only the MIME types listed in the Virus Protection configuration are scanned. The X-Series Firewall comes with a preconfigured list of MIME
types:
application/zip
application/x-msdos-program
application/x-zoo
application/mac-binhex40
application/x-apple-diskimage
application/x-tar
application/x-bzip2
application/x-archive
application/x-rpm
application/x-gzip
application/x-rar
application/rar
application/x-7z-compressed
application/x-stuffit
application/x-iso9660-image
application/x-dosexec
application/x-msdownload
application/x-msdos-windows
application/x-download
application/bat
application/x-bat
application/com
application/x-com
application/exe
application/x-exe
application/x-winexe
application/x-winhlp
application/x-winhelp
application/x-javascript
application/hta
application/x-silverlight-app
application/x-ms-application
application/x-ms-shortcut
application/octet-stream
application/pdf
application/x-pdf
application/vnd.android.package-archive
application/vnd.ms-word.document.macroenabled.12
application/vnd.ms-word.template.macroenabled.12
application/vnd.ms-excel
application/vnd.ms-excel.addin.macroenabled.12
application/vnd.ms-excel.sheet.binary.macroenabled.12
application/vnd.ms-excel.template.macroenabled.12
application/vnd.ms-excel.sheet.macroenabled.12
application/vnd.ms-powerpoint
application/vnd.ms-powerpoint.addin.macroenabled.12
application/vnd.ms-powerpoint.slide.macroenabled.12
application/vnd.ms-powerpoint.presentation.macroenabled.12
application/vnd.ms-powerpoint.slideshow.macroenabled.12
application/x-mspublisher
application/x-msaccess
application/x-msschedule
application/msword
application/onenote
application/vnd.visio
application/vnd.ms-works
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/vnd.openxmlformats-officedocument.presentationml.slide
application/vnd.openxmlformats-officedocument.presentationml.slideshow
application/vnd.openxmlformats-officedocument.presentationml.template
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.openxmlformats-officedocument.spreadsheetml.template
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.openxmlformats-officedocument.wordprocessingml.template
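The MIME-type rule above has a consequence worth checking in your own logs: over HTTP and HTTPS only files whose declared type is on the list reach the scanner, while FTP transfers are always scanned. The following is an added example, not Barracuda's code, that applies those rules to constructed proxy-style log lines so an administrator can see which downloads the list would not cover and decide what to add. It assumes that matching is on the bare media type, case-insensitively and with Content-Type parameters stripped; FACTORY_MIME_TYPES is an abbreviated copy of the factory list, and SAMPLE_LOG is constructed.

```python
"""Which downloads does the virus-scanner MIME list cover? (added example)"""
from email.message import Message
from typing import Iterable, List, Optional, Set

# Abbreviated copy of the factory default list above.
FACTORY_MIME_TYPES: Set[str] = {
    "application/zip",
    "application/x-msdos-program",
    "application/x-dosexec",
    "application/x-msdownload",
    "application/octet-stream",
    "application/pdf",
    "application/msword",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}


def media_type(content_type_header: str) -> str:
    """Bare 'type/subtype' of a Content-Type value: lower-cased, parameters removed."""
    msg = Message()                       # stdlib header parser; no mail is involved
    msg["Content-Type"] = content_type_header
    return msg.get_content_type()


def will_be_scanned(protocol: str, content_type_header: Optional[str],
                    scan_list: Set[str] = FACTORY_MIME_TYPES) -> bool:
    """True if the file would be handed to the virus scanner under the rules above."""
    protocol = protocol.lower()
    if protocol == "ftp":
        return True                       # FTP carries no MIME information: everything is scanned
    if protocol not in ("http", "https"):
        raise ValueError(f"unsupported protocol: {protocol}")
    if not content_type_header:
        return False                      # assumption: no declared type means no list match
    return media_type(content_type_header) in scan_list


# Constructed log lines: "<protocol> <content-type or -> <url>"
SAMPLE_LOG = [
    "http application/zip http://downloads.example.test/archive.zip",
    "http text/plain http://downloads.example.test/tool.exe",
    "ftp - ftp://files.example.test/report.pdf",
    "https Application/PDF;name=q.pdf https://docs.example.test/q.pdf",
]


def unscanned_downloads(log_lines: Iterable[str]) -> List[str]:
    """URLs whose file bypasses the scanner because its declared type is not listed.
    Such entries are candidates for extending the MIME list (or for ATD)."""
    missed = []
    for line in log_lines:
        protocol, ctype, url = line.split(maxsplit=2)
        if not will_be_scanned(protocol, None if ctype == "-" else ctype):
            missed.append(url)
    return missed


if __name__ == "__main__":
    for url in unscanned_downloads(SAMPLE_LOG):
        print("not covered by the MIME list:", url)
```

In the sample, the executable served as text/plain is the one download the list would not cover; the PDF is matched despite the upper-case type and the name parameter, and the FTP transfer is scanned regardless of type.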
To scan HTTPS traffic, enable SSL Inspection. For more information, see How to Configure SSL Inspection.
Changing settings for the virus scanner also affects virus scanning for mail traffic.
5. Click Save.
You can test the virus scanner setup by downloading EICAR test files from http://www.eicar.com. The block page is customizable. For more
information, see Custom Block Pages.
To monitor detected viruses and malware, go to the BASIC > Recent Threats page.
Changing settings for the virus scanner also affects virus scanning for other services.
To scan files downloaded from external FTP servers, create a matching access rule and enable Application Control and Virus Protection.
4. Click Save.
Step 3. (optional) Create a DNAT access rule to protect an internal FTP server
To protect an internal FTP server from receiving infected files, create a matching DNAT access rule, and enable Application Control and Virus
Protection.
4.
You can test the virus scanner setup by downloading EICAR test files from an FTP server. Files that are malware are not downloaded. 0-byte
stub files are created by the FTP client.
To monitor detected viruses and malware, go to the BASIC > Recent Threats page.
Advanced Threat Detection (ATD) offers protection against advanced malware, zero-day exploits, and targeted attacks, which are not detected by
the virus scanner or Intrusion Prevention System. ATD analyzes files in the Barracuda ATD cloud and assigns a risk score. Local ATD policies
then determine how files with high, medium, or low risk scores are handled. You can configure email notifications to the administrator and/or
enable one of the automatic blacklisting policies. To check local files, you can also manually upload a file. ATD can be used for HTTP, HTTPS,
FTP, SMTP, and SMTPS traffic in combination with the firewall service on a per-access-rule basis.
The following file types are scanned by the Barracuda ATD Cloud:
Licensing
You must have Energize Updates, Web Security and Advanced Threat Detection subscriptions for each X-Series Firewall using ATD. Depending
on the model size, there are burst (number of files uploaded per minute) and monthly limits on the number of files you can upload to the
Barracuda ATD cloud.
Model    Burst limit (files/min)    Monthly limit (files)
X300     10                         216,000
X400     15                         324,000
X600     25                         540,000
If you exceed the burst limit (files/min), files will be queued and uploaded at the beginning of the next minute. If you exceed the monthly limit, files
will not be uploaded. Instead, they will be either passed through or blocked according to the fail policy of the virus scanner.
The virus scanner scans files up to the Large File Watermark size set in the security policy. If no malware is found by the virus scanner and the
file size is 8 MB or smaller, a hash of the file is created. Files larger than 8 MB are not processed by ATD. The hash of the file is then compared
to the local cache and online hash database in the Barracuda ATD Cloud. If the file was previously scanned, it is immediately blocked or
forwarded, depending on the result of the previous scan and your local ATD block threshold. If the hash of the file is unknown, the ATD scan
policy set for that file type is executed.
This ATD scan policy takes effect when Deliver before scan complete is enabled and is available for HTTP, HTTPS, FTP, SMTP, and SMTPS
connections. The user receives the downloaded file immediately after the virus scan and the hash DB lookup. Simultaneously, the file is
uploaded to the Barracuda ATD threat cloud and emulated in a virtual sandbox. Depending on the behavior of the file, it is assigned a threat level
and the result is transmitted to the firewall. If the threat level exceeds the ATD threat level threshold, an email notification is sent to the
administrator.
This ATD scan policy takes effect when Deliver before scan complete is disabled and is supported for HTTP and HTTPS only. The user must
wait for ATD to finish scanning the file. In the interim, a browser window informs the user of the scan in progress. When the scan is complete and
the file is not classified higher than the ATD block threat threshold, the download begins. This scan policy offers higher security at the expense of
the user having to wait for sandboxing of the file to finish. Detected malware never enters your network.
Automatic Blacklisting
Configuring a quarantine policy allows automatic blacklisting of connections by the infected source. Automatic blacklisting fills a dynamic network
object with the infected users and/or IP addresses. You must create an access rule using that network object to block these users and IP
addresses. Management access to the firewall is exempt from the blacklist policy. Automatic blacklisting is not available for SMTP or SMTPS
connections.
To inform blacklisted users, you can add an HTTP Block Page to the Block access rule. When the user tries to access HTTP content, the
connection is automatically redirected to the quarantine page. The quarantine page can be customized to fit your needs.
Risk Scores
High – Files classified as high risk exhibit behavior normally only found in malware.
Medium – Files classified as medium risk pose a potential risk.
Low – Files classified as low risk are considered to be harmless. Some residual risk remains.
None – No suspicious activity was detected.
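The file-handling flow described above (virus scan, 8 MB limit, hash lookup, then either the cached verdict or the per-file-type scan policy) and the risk scores it compares against the block threshold fit in one small model. The following is an added example, not Barracuda's implementation, written to make the order of those decisions explicit. Assumptions: SHA-256 is used as the file hash, the risk levels rank none < low < medium < high, the block threshold means "block when the risk is at or above it", the policy names 'deliver_first' and 'wait' stand for Deliver before scan complete enabled and disabled, and the in-memory dict stands in for the local cache plus the online hash database.

```python
"""Model of the ATD decision flow (added example, not Barracuda's code)."""
import hashlib
from typing import Dict, List, Optional

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}   # assumed ranking
ATD_MAX_FILE_SIZE = 8 * 1024 * 1024      # files larger than 8 MB are not processed by ATD


class AtdPipeline:
    def __init__(self, block_threshold: str = "medium",
                 scan_policies: Optional[Dict[str, str]] = None) -> None:
        if block_threshold not in RISK_ORDER:
            raise ValueError(f"unknown risk level: {block_threshold}")
        self.block_threshold = block_threshold
        self.scan_policies = scan_policies or {}   # file type -> 'deliver_first' | 'wait'
        self.hash_cache: Dict[str, str] = {}       # sha256 hex -> risk level (constructed cache)
        self.quarantine: List[str] = []            # users / IP addresses placed in quarantine

    @staticmethod
    def file_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()    # assumption: SHA-256

    def exceeds_threshold(self, risk: str) -> bool:
        return RISK_ORDER[risk] >= RISK_ORDER[self.block_threshold]

    def decide(self, data: bytes, file_type: str, virus_scanner_hit: bool) -> str:
        """First-pass decision when a file arrives. Returns one of:
        blocked_by_virus_scanner, forwarded_without_atd, blocked_cached,
        forwarded_cached, deliver_before_scan, wait_for_scan."""
        if virus_scanner_hit:
            return "blocked_by_virus_scanner"      # never reaches ATD
        if len(data) > ATD_MAX_FILE_SIZE:
            return "forwarded_without_atd"         # only the virus scanner saw it
        cached = self.hash_cache.get(self.file_hash(data))
        if cached is not None:                     # previously scanned: immediate verdict
            return "blocked_cached" if self.exceeds_threshold(cached) else "forwarded_cached"
        policy = self.scan_policies.get(file_type, "wait")
        return "deliver_before_scan" if policy == "deliver_first" else "wait_for_scan"

    def complete_scan(self, data: bytes, risk: str, source: str) -> List[str]:
        """Sandbox result arrives: cache it and return the follow-up actions.
        Above the threshold: notify the administrator and quarantine the source
        (HTTP/FTP quarantine, as described earlier on this page)."""
        if risk not in RISK_ORDER:
            raise ValueError(f"unknown risk level: {risk}")
        self.hash_cache[self.file_hash(data)] = risk
        actions = ["cache_result"]
        if self.exceeds_threshold(risk):
            actions.append("notify_admin")
            if source not in self.quarantine:
                self.quarantine.append(source)
            actions.append(f"quarantine:{source}")
        return actions


if __name__ == "__main__":
    pipeline = AtdPipeline("medium", {"pdf": "deliver_first"})
    print(pipeline.decide(b"constructed document bytes", "pdf", False))   # deliver_before_scan
    print(pipeline.complete_scan(b"constructed document bytes", "high", "10.0.0.5"))
    print(pipeline.decide(b"constructed document bytes", "pdf", False))   # blocked_cached
```

The second `decide` call shows the cache effect the text describes: once the sandbox has classified a file, the same bytes are blocked or forwarded immediately on the next download without waiting for a new scan.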
Reporting
You can view a short or detailed report on the scan results for every file uploaded to the Barracuda ATD Cloud.
Configure a System Notification Email address. For more information, see How to Configure Email Notifications.
Enable virus scanning in the firewall for web, mail, and/or FTP traffic. For more information, see How to Configure Virus Protection in the
Firewall for Web Traffic, How to Configure Mail Security in the Firewall, and How to Configure Virus Scanning in the Firewall for FTP
Traffic.
Verify that all file types you want to scan with ATD for HTTP and SMTP connections are also listed in the scanned MIME types of the
virus scanner. For more information, see How to Configure Virus Protection in the Firewall for Web Traffic.
Enable ATD and configure the ATD scan policies for HTTP, HTTPS, SMTP and SMTPS connections. Depending on the policy, the user will have
to wait for scanning to complete before the file is forwarded. FTP traffic is always scanned with the Deliver before scan complete policy.
If needed, set the individual scan policies for each file type:
After specifying the ATD settings, click Save to save your configuration changes.
To block users and/or IP addresses, you must create access rules using the ATD User Quarantine network object. Place the Block rules before
any other access rules handling traffic for these IP addresses and/or users. Enable HTTP Block Page to redirect HTTP traffic from quarantined
users or IP addresses to the custom quarantine block page. You must allow DNS queries from quarantined users to display the HTTP block
page. Non-HTTP traffic is simply blocked or denied.
Action – Allow
Connection – Select a connection object to allow you to connect to the DNS server.
Network Services – DNS
Source – Select ATD Quarantine network object.
Destination – Enter the IP addresses of your DNS servers.
5. Click Save.
6. Place the access rule so that no rule before it matches the same traffic.
7. Click Save.
8. Place the access rule directly below the rule allowing DNS queries from the quarantine so that no rule before it matches the same traffic.
Quarantined users or users connecting via HTTP from quarantined IP addresses are automatically redirected to the customizable quarantine
page. For more information, see Custom Block Pages.
Enable ATD by editing the access rules handling traffic you want to be scanned, e.g., LAN-2-INTERNET.
5. Click Save.
All traffic handled by access rules with ATD enabled is now scanned by the ATD service. Blocked files are listed on the BASIC > Recent
Threats page. To view scan results, go to BASIC > ATD.
The ATD page displays results and processes file scanning via Advanced Threat Detection. Use the global filter settings to adjust the amount of
displayed files. To access the information about the files scanned by ATD, click the tabs.
This tab displays all files that are currently scanned or waiting in the queue. The information displayed on this page is listed in columns. The State
column shows the ATD scan status.
Clicking this tab queries the ATD list and displays all files that were scanned by ATD.
Scanned files are displayed on the Scanned Files page. You can download a basic or detailed version of the scan report.
The Action column provides the same options as on the Scanned Files tab. If you want to remove a file from the list, click the trash can icon and
choose the action Delete Entry to delete the file entry. To remove all files, select Remove all entries on this page.
Quarantine tab
Displays all files that are quarantined due to the Quarantine Policy.
If you want to remove a file from the quarantine, click the trash can icon and choose the action Remove from Quarantine. To remove all files
from the list, select Remove all entries on this page.
Quarantined users and/or IP addresses are also shown on the BASIC > Status page.
If you want to manually check a local file using ATD, you can upload the file to the ATD cloud. After the file has been scanned, you are mailed a
report with the scan results.
Next step
(Optional) To protect SMTP and SMTPS traffic, enable ATD in the Mail Security settings. For more information, see Mail Security in the Firewall.
Enable ATD. For more information, see How to Configure ATD in the Firewall.
To receive a notification email, you must configure the system notification email address. For more information, see How to Configure
Email Notifications.
5. Click Upload.
The file is now uploaded to the Barracuda ATD Cloud and listed on the Files in Progress page.
After the file is scanned, it is displayed on the Scanned Files page. You can download the scan report from there.
The Barracuda NextGen X-Series Firewall enforces mail security in the firewall by transparently scanning incoming and outgoing SMTP
connections for malware and checking the reputation of the sender's IP address via a DNS blacklist (DNSBL). SMTP connections are supported
on the following ports:
SSL-encrypted SMTP connections are decrypted differently for inbound and outbound connections. Outbound SSL-encrypted SMTP connections
are SSL-inspected by using a dynamically generated SSL certificate derived from the root certificate uploaded in the SSL Inspection
configuration. Inbound SSL-encrypted connections are inspected by using the same SSL certificate chain as is installed on the internal mail
server. The SSL certificates are bound to the IP address on the X-Series Firewall that the mail server domain's MX record resolves to. This allows
remote MTAs to use the information included in the SSL certificate to verify the identity of the server they are connecting to. To avoid certificate errors,
you must install the SSL Inspection root certificate on all mail clients connecting to a mail server via an SSL-inspected SMTP connection.
Both inbound and outbound email attachments are scanned by the virus scanner. If malware is detected in an email attachment, the infected file
is removed and replaced by an attachment containing a customizable text. The virus scanner Block All / Allow All policy does not apply to SMTP
and SMTPS connections. If Application Control and Virus Protection is not enabled, emails with attachments are not scanned. Instead, they are
delivered as-is to the internal mail server.
ATD scans SMTP and SMTPS traffic for advanced malware that is not detected by the virus scanner or Intrusion Prevention System. ATD
analyzes files in the Barracuda ATD cloud and assigns a risk score. Local ATD policies determine how files with high, medium, or low risk
scores are treated. To use ATD you must have an Energize Updates and Advanced Threat Detection subscription.
DNS blacklisting
Inbound email can also be classified according to DNS blacklists (DNSBL), such as the Barracuda Reputation Block List. For sender IP
addresses blacklisted by the DNSBL, [SPAM] is prepended to the subject line of the email, and the MIME headers of the email are modified to
allow the email to be immediately identified as spam by the mail server. If the DNSBL server is not available, the email is not modified. The email
itself is delivered to the internal mail server.
For more information, see How to Configure Mail Security in the Firewall.
1. SSL Inspection decrypts SSL-encrypted SMTP connections. For incoming connections, your mail server's SSL certificates are used.
2. The DNS blacklist database is queried via a DNS lookup using the sender's IP address. If the DNS reputation database is not available,
the email is not modified. If the domain or IP address is blacklisted, the email's subject line is modified to start with [SPAM] and the
following non-configurable MIME type headers are set:
X-Spam-Prev-Subject: Your email subject without the [SPAM] tag.
X-Spam-Flag: YES
X-Spam-Status: Yes
X-Spam-Level: ***
3. Email attachments are scanned by the virus scanner. If malware is found, the attachment is stripped from the email and replaced by a
customizable text informing the user that the malicious attachment has been removed.
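Step 2 above is simple enough to reproduce end to end, which is useful when you want to confirm how a downstream mail server will see a tagged message. The following is an added example, not Barracuda's code: it looks the sender IP up in a DNSBL, tags a listed message with the [SPAM] subject prefix and the four headers listed above, and delivers the message unmodified when the DNSBL cannot be reached. Constructed values are the zone name 'dnsbl.example.test', SAMPLE_MESSAGE and the two offline resolvers. The query-name format (reversed IPv4 octets under the zone, with a 127.x.x.x answer meaning "listed") is the common DNSBL convention, not something the page states. Attachment scanning (step 3) is outside this example.

```python
"""DNSBL check and [SPAM] tagging for an inbound message (added example)."""
import socket
from email import message_from_string
from email.message import Message
from ipaddress import IPv4Address
from typing import Callable, Optional, Tuple

# A resolver answers True (listed), False (not listed) or None (DNSBL unavailable).
Resolver = Callable[[str], Optional[bool]]


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """Conventional DNSBL query name: reversed IPv4 octets under the list's zone."""
    octets = str(IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name: str) -> Optional[bool]:
    """Real DNS lookup: listed if the answer is in 127.0.0.0/8, not listed on
    NXDOMAIN, unavailable on any other resolver failure."""
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror as exc:
        return False if exc.errno == socket.EAI_NONAME else None
    return answer.startswith("127.")


def tag_as_spam(msg: Message) -> Message:
    """Prepend [SPAM] to the subject and set the non-configurable headers."""
    original_subject = msg.get("Subject", "")
    msg["X-Spam-Prev-Subject"] = original_subject   # subject without the tag
    del msg["Subject"]
    msg["Subject"] = "[SPAM] " + original_subject
    msg["X-Spam-Flag"] = "YES"
    msg["X-Spam-Status"] = "Yes"
    msg["X-Spam-Level"] = "***"
    return msg


def classify_inbound(msg: Message, sender_ip: str, zone: str,
                     resolver: Resolver = live_resolver) -> Tuple[Message, str]:
    """Return the (possibly tagged) message and a status string."""
    verdict = resolver(dnsbl_query_name(sender_ip, zone))
    if verdict is None:
        return msg, "dnsbl_unavailable"     # not modified, delivered as-is
    if verdict:
        return tag_as_spam(msg), "listed"
    return msg, "not_listed"


# Constructed sample message and offline resolvers (no network needed).
SAMPLE_MESSAGE = "From: sender@example.test\r\nSubject: Invoice\r\n\r\nPlease see attached.\r\n"


def sample_message() -> Message:
    return message_from_string(SAMPLE_MESSAGE)


def resolver_listed(name: str) -> Optional[bool]:
    return name == "4.3.2.1.dnsbl.example.test"     # only 1.2.3.4 is "listed"


def resolver_down(name: str) -> Optional[bool]:
    return None                                     # DNSBL unreachable


if __name__ == "__main__":
    msg, status = classify_inbound(sample_message(), "1.2.3.4", "dnsbl.example.test", resolver_listed)
    print(status, "|", msg["Subject"], "|", msg["X-Spam-Prev-Subject"])
```

Swap `resolver_listed` for `live_resolver` to query a real list; the unavailable case is the one to test deliberately, because a mail server that keys on X-Spam-Flag alone will see nothing unusual when the DNSBL is down.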
Enable and configure SSL Inspection. If needed, adjust the SSL Inspection settings to support MTAs requiring SSLv3. For more
information, see How to Configure SSL Inspection.
Import the SSL certificates of your internal mail server(s). For more information, see How to Use and Manage Certificates with the Certificate
Manager.
Changing settings for the virus scanner also affects virus scanning for other services.
9. Click Save.
Enable Application Control, SSL Interception, and Virus Protection in the access rule.
4. Click Save.
Create an access rule to scan outgoing SMTP traffic from your internal mail server or mail clients for malware.
4. Click Save.
You can test the virus scanner setup by sending EICAR test files from http://www.eicar.com via email to a mail server located behind the firewall.
To monitor detected viruses and malware, go to the BASIC > Recent Threats page.
Next steps
Customize the text used to replace removed email attachments. For more information, see Custom Block Pages.
You can protect users behind a Barracuda NextGen Firewall X-Series from undesired content in search results by enabling Safe Search for the
access rule handling web traffic. No configuration is required on the clients. The necessary parameters are automatically appended to the URL
when the request is forwarded by the X-Series Firewall. Safe Search is supported for Google, Bing, Yahoo, and YouTube search engines.
Limitations
Safe Search relies on the supported search engines to honor and filter the search results. The X-Series Firewall can enable this feature,
but the execution is left up to the search engine.
Safe Search is not enforced for mobile search apps.
Safe Search is always set to strict.
You can enforce the usage of Safe Search for all web traffic matching an access rule by enabling the Safe Search settings in Application Control.
5. Click Save.
Every search query handled by this access rule now automatically enforces the Safe Search feature of the search engine provider.
You can test if your search engine is using Safe Search by looking at the URL after a search query. Each search engine includes a specific URL
parameter that indicates Safe Search is on.
Safe Search for Google includes the string safe=active in the URL. In addition, Google also includes messages on the web page stating
that Safe Search is on or active.
Safe Search for Yahoo includes the string vm=r in the URL.
YouTube handles Safe Search through setting a parameter in a cookie. That means you will not see a specific Safe Search string in the URL.
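The mechanism described above (the firewall appending the engine's Safe Search parameter when it forwards the request) and the manual URL check can both be written down in a few lines. The following is an added example, not Barracuda's code. It uses only the parameters named on this page (Google safe=active, Yahoo vm=r), reports YouTube and unknown hosts as "not determinable from the URL", and replaces any client-supplied value of the parameter rather than merely adding a second copy. The host-label matching is an assumption for illustration.

```python
"""Safe Search enforcement and URL check (added example)."""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters named on this page; Bing and YouTube are handled differently.
SAFE_SEARCH_PARAMS = {
    "google": ("safe", "active"),
    "yahoo": ("vm", "r"),
}


def search_engine(host: str) -> Optional[str]:
    """Very rough engine detection by host label (assumption, for illustration)."""
    labels = host.lower().split(".")
    if "google" in labels:
        return "google"
    if "yahoo" in labels:
        return "yahoo"
    return None


def enforce_safe_search(url: str) -> str:
    """Return the URL the firewall would forward: the engine's Safe Search
    parameter is set, overriding any value the client sent."""
    parts = urlsplit(url)
    engine = search_engine(parts.hostname or "")
    if engine is None:
        return url
    key, value = SAFE_SEARCH_PARAMS[engine]
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key]
    query.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def safe_search_enabled(url: str) -> Optional[bool]:
    """The manual check described above: True/False from the URL, or None when
    the engine signals Safe Search elsewhere (YouTube uses a cookie) or is unknown."""
    parts = urlsplit(url)
    engine = search_engine(parts.hostname or "")
    if engine is None:
        return None
    key, value = SAFE_SEARCH_PARAMS[engine]
    return dict(parse_qsl(parts.query)).get(key) == value


if __name__ == "__main__":
    for u in ("https://www.google.com/search?q=cats&safe=off",
              "https://search.yahoo.com/search?p=cats",
              "https://www.youtube.com/results?search_query=cats"):
        print(enforce_safe_search(u), "->", safe_search_enabled(enforce_safe_search(u)))
```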
YouTube for Schools will be discontinued as of July 1, 2016. Google is offering current YouTube for Schools users and all G Suite
users a new way restrict YouTube content, per this Google article.
If you already have a YouTube for Schools token, you can continue using YouTube for Schools with the Barracuda NextGen
Firewall until July 1, 2016. Google has stopped issuing YouTube for Schools tokens.
The Barracuda NextGen Firewall X-Series can transparently add YouTube for Schools restrictions for all connections that the X-Series Firewall
forwards to YouTube without the need to configure the clients. Enable YouTube for Schools for access rules matching HTTP and HTTPS traffic
connecting to YouTube.
Limitations
YouTube for Schools relies on YouTube to honor and filter the search results. The X-Series Firewall can enable this feature, but the
execution is left up to YouTube.
YouTube for Schools is not enforced for mobile YouTube apps.
Create a YouTube for Schools account. For more information, see Signing Up and Getting Started with YouTube for Schools.
The YouTube for Schools token is a unique ID identifying your YouTube for Schools account.
Name – Enter a name for the access rule. For example, LAN-2-YOUTUBEFORSCHOOLS.
Source – Select a network object containing the subnets for which YouTube for Schools must be enforced and click +.
Network Services – Select HTTP+S and click +.
Destination – Select Internet and click +.
Connection – Select Default (SNAT).
4. Set Application Control to Yes.
5. Set SSL Inspection to Yes.
8. Click Save.
New rules are created at the bottom of the firewall ruleset. Rules are processed from top to bottom in the ruleset. Drag your access rule to a slot
in the rule list so that no access rule before it matches this traffic. Verify that your rules are placed above the BLOCKALL rule. Otherwise, the
rule never matches.
The Barracuda NextGen Firewall X-Series uses generic, unbranded block pages by default. You can change the HTML source of these pages to
adjust the content and style to fit your needs. Each page has a predefined list of placeholder objects that are replaced on-the-fly by the X-Series
Firewall when the block page is delivered to the client. Custom block pages can be used for services such as Application Control, Virus
Protection, and URL Filter.
Access Block Page – Matching Block or Reset access rule with the advanced setting HTTP Block Page enabled.
Application Control Block Page – Connection blocked due to the action set in the matching application policy.
Fail-Close Block Page – URL Filter, Virus Protection, or SSL Inspection is unavailable; configuration settings prevented the virus scanning
engine from scanning the file (e.g., Block encrypted archives); internal errors.
Mail Security Virus Scan Text – Placeholder text to replace email attachments removed due to the mail security DNSBL check.
URL Filter Block Page – Connection blocked due to a URL Filter category.
URL Filter Warning Page – Connection blocked due to a URL Filter category.
URL Filter Override Page – Connection blocked due to a URL Filter category. Users can request temporary access from an administrator.
You can use HTML, CSS, and JavaScript code. Images up to 30 kB are inserted as base64 encoded HTML code.
For security reasons, images are stored as base64 encoded string in the HTML source.
4. Click Open Preview to display a live preview of the message in the browser.
5. Edit the HTML source code of the block page. Changed text immediately appears in the live preview window.
Placeholder values
Each block page has a set of placeholder variables that are processed on-the-fly by the X-Series Firewall before delivering the block page to the
user.
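A custom block page is served to the very client whose request was blocked, so two of the rules above matter in practice: images are inlined as base64 (the page then loads no external resources), and anything echoed back, such as the requested URL, has to be HTML-escaped. The following is an added example, not Barracuda's code, that builds such a page with the 30 kB image limit enforced. SAMPLE_IMAGE is a constructed stub (the first bytes of a GIF header), not a real logo, and the page's placeholder variables are not modelled because this extract does not list them.

```python
"""Assemble a self-contained block page with an inlined image (added example)."""
import base64
import html
from typing import Optional

MAX_IMAGE_BYTES = 30 * 1024                     # images up to 30 kB are inlined
SAMPLE_IMAGE = b"GIF89a" + b"\x00" * 10         # constructed stub, not a valid image


def image_data_uri(image_bytes: bytes, mime_type: str) -> str:
    """Base64 data URI for an image, refusing anything over the 30 kB limit."""
    if len(image_bytes) > MAX_IMAGE_BYTES:
        raise ValueError(f"image is {len(image_bytes)} bytes; limit is {MAX_IMAGE_BYTES}")
    encoded = base64.b64encode(image_bytes).decode("ascii")
    return f"data:{mime_type};base64,{encoded}"


def render_block_page(title: str, message: str, blocked_url: str,
                      logo: Optional[bytes] = None, logo_mime: str = "image/gif") -> str:
    """Return the HTML of a block page. Every dynamic value is escaped: the page
    echoes data the client supplied (the requested URL), which must not be able
    to inject markup or script into a page the firewall serves."""
    logo_html = (f'<img src="{image_data_uri(logo, logo_mime)}" alt="logo">'
                 if logo is not None else "")
    return (
        '<!DOCTYPE html>\n<html><head><meta charset="utf-8">'
        f"<title>{html.escape(title)}</title></head>\n<body>\n{logo_html}\n"
        f"<h1>{html.escape(title)}</h1>\n<p>{html.escape(message)}</p>\n"
        f"<p>Requested URL: <code>{html.escape(blocked_url)}</code></p>\n"
        "</body></html>\n"
    )


if __name__ == "__main__":
    print(render_block_page("Access blocked", "This site is not permitted by policy.",
                            "http://blocked.example.test/path?x=<b>", SAMPLE_IMAGE))
```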
Limited network resources make bandwidth prioritization necessary. To ensure that important business critical applications are given enough
bandwidth, the Barracuda NextGen Firewall X-Series provides traffic shaping (also known as "packet shaping" and "Quality of Service") methods
to let you prioritize network resources according to factors such as the time of day, application type, and user identity. You can identify the traffic
and assign its priority using firewall rules.
Bandwidth Policies
There are eight different bandwidth policies. They are listed in the following table, in order of decreasing priority:
VoIP – Highest priority before all other bandwidth policies. Traffic is sent with no delay.
Low – Low priority. Low and Lowest Priority are limited to 5% of the available bandwidth.
Lowest Priority – Lowest priority. Low and Lowest Priority are limited to 5% of the available bandwidth.
Choke – Applications assigned this policy are unusable but will not seek another way to send traffic. For example, if you wish to block
Skype traffic, assign this policy to the Skype application.
The following diagram shows how the eight bandwidth policies are divided into queues:
The rate limits always apply, so even if there is no other traffic, the traffic in the Rate Limiting Queues never uses more than 5% of the bandwidth.
The classes within the Regular and Rate Limiting queues are weighted relative to the other classes in the same queue. Class weights are
enforced only when the link is saturated.
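The three statements above (VoIP goes first, the rate-limiting queue never exceeds 5% of the link even when the link is idle, and class weights only bite under saturation) are easiest to check with a small allocation model. The following is an added example, not Barracuda's scheduler. Queue membership follows the page; the class weights, and the two 'regular_*' placeholder classes standing in for the regular-queue policies this extract does not list, are assumptions.

```python
"""Bandwidth allocation model for the queues described above (added example)."""
from typing import Dict

RATE_LIMIT_SHARE = 0.05      # the rate-limiting queue never exceeds 5% of the link

# policy -> (queue, weight). Weights and the 'regular_*' names are assumptions.
POLICIES = {
    "VoIP": ("voip", None),
    "regular_1": ("regular", 3),          # placeholder for a regular-queue policy
    "regular_2": ("regular", 1),          # placeholder for a regular-queue policy
    "Low": ("rate_limiting", 2),
    "Lowest Priority": ("rate_limiting", 1),
    "Choke": ("choke", None),
}


def weighted_share(capacity: float, demands: Dict[str, float],
                   weights: Dict[str, int]) -> Dict[str, float]:
    """Share capacity among classes by weight. A class never gets more than it
    asks for, and what it leaves unused is handed on, so weights only decide
    the outcome when the queue is saturated."""
    alloc = {name: 0.0 for name in demands}
    active = {name for name, demand in demands.items() if demand > 0}
    while active and capacity > 1e-9:
        total_weight = sum(weights[name] for name in active)
        handed_out = 0.0
        for name in list(active):
            share = capacity * weights[name] / total_weight
            give = min(share, demands[name] - alloc[name])
            alloc[name] += give
            handed_out += give
            if demands[name] - alloc[name] <= 1e-9:
                active.discard(name)              # satisfied; leftover goes to the rest
        if handed_out <= 1e-9:
            break
        capacity -= handed_out
    return alloc


def allocate(link_kbps: float, demands: Dict[str, float]) -> Dict[str, float]:
    """Allocate a link among traffic classes given each class's demand (kbps)."""
    for name in demands:
        if name not in POLICIES:
            raise ValueError(f"unknown bandwidth policy: {name}")
    alloc = {name: 0.0 for name in demands}
    remaining = link_kbps
    # 1. VoIP is served before everything else.
    if "VoIP" in demands:
        alloc["VoIP"] = min(demands["VoIP"], remaining)
        remaining -= alloc["VoIP"]
    # 2. Rate-limiting queue: hard cap of 5% of the link, whatever else is going on.
    rate_limited = {n: d for n, d in demands.items() if POLICIES[n][0] == "rate_limiting"}
    rl_alloc = weighted_share(min(link_kbps * RATE_LIMIT_SHARE, remaining), rate_limited,
                              {n: POLICIES[n][1] for n in rate_limited})
    alloc.update(rl_alloc)
    remaining -= sum(rl_alloc.values())
    # 3. Regular queue shares what is left; weights matter only under saturation.
    regular = {n: d for n, d in demands.items() if POLICIES[n][0] == "regular"}
    alloc.update(weighted_share(remaining, regular, {n: POLICIES[n][1] for n in regular}))
    # 4. Choke classes stay at 0.0: the application is unusable.
    return alloc


if __name__ == "__main__":
    saturated = {"VoIP": 100, "regular_1": 2000, "regular_2": 2000,
                 "Low": 100, "Lowest Priority": 100, "Choke": 50}
    for name, kbps in allocate(1000, saturated).items():
        print(f"{name:16s} {kbps:8.1f} kbps")
```

On the saturated 1000 kbps link in the usage, VoIP gets its full 100, Low and Lowest Priority together get exactly 50 (the 5% cap, split 2:1 by the assumed weights), and the two regular classes share the remaining 850 by weight. Run `allocate(1000, {"Low": 200})` to see the cap hold with the link otherwise idle.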
Before you begin, verify that you specified a bandwidth for each interface on which you want to enable QoS:
To monitor which bandwidth policy is assigned to active network sessions, go to the BASIC > Active Connections page. The assigned policy of
a network session is displayed in the Bandwidth Policy column. You can also manually override the assigned bandwidth policy by using the
drop-down menu in the Bandwidth Policy column.
In a firewall rule, the interface group specifies the interface that the source address is allowed to use. When you create firewall rules, you can use
the predefined groups, or if you want to reference custom interfaces that are not in the default list, you can create custom interface groups.
Matching – Ensures that arriving packets are processed through the same interface that is used to forward the corresponding reply packets.
The source and destination addresses are the same. This method helps prevent a network attack in which an attacker might try using
internal addresses from outside the internal network (IP spoofing).
Any – Uses the first interface matching the request, according to the routing table. The packet source is not verified. Reply packets might be
forwarded through another interface, if another interface that is capable of doing so is available. In very special configurations, checking
the physical source of packets cannot be required. For security reasons, this option should only be used in very limited situations.
The custom interface group appears in the Interface Group Configuration section.
The captive portal intercepts unauthorized users' HTTP or HTTPS connections and redirects them to a login page. After successful authentication,
the user is forwarded to the original destination. This type of authentication is used to allow HTTP/HTTPS access to authenticated users. Access
rules using inline authentication do not block non-HTTP or HTTPS traffic, even from unauthorized users. To avoid browser certificate errors, use a
signed SSL certificate or install the root certificate of the self-signed certificate on all client computers using Inline Authentication.
Verify that the confirmation message and ticketing features are disabled. Go to the NETWORK > IP Configuration page and edit the
relevant Wi-Fi interface to specify that there is no Landing Page.
Before configuring the captive portal for use with Wi-Fi, see How to Configure Wi-Fi to verify that you have correctly configured Wi-Fi.
Also ensure that users are connected to the Wi-Fi network of the Barracuda NextGen X-Series Firewall.
Barracuda Networks recommends that you select Unclassified for the Classification of the network interface that serves the captive
portal.
To avoid browser warnings caused by using a self-signed certificate, you can upload a signed certificate or your own trusted server certificate to
the Barracuda NextGen Firewall Certificate Manager.
The Common Name of the certificate must contain an IP address or hostname resolving to the IP address the captive portal is
listening on.
On the BASIC > User Activity page, you can view currently authenticated users. You can also disconnect specific users.
The X-Series Firewall can filter traffic to Google services based on the domain attached to the G Suite account. This allows you to block access
to personal Google accounts and other non-whitelisted G Suite accounts, while still allowing your whitelisted G Suite domains. Google Accounts
are enforced on a per-access-rule basis. Since Google requires HTTPS for almost all services, SSL Inspection is required. Google Chrome uses
the QUIC protocol by default to communicate with Google servers. To force Chrome to use the HTTPS fallback, you must block QUIC traffic.
Enable SSL Inspection. For more information, see How to Configure SSL Inspection.
Google accounts using the domains in the whitelist will be exempted from filtering when a Google account-enabled access rule matches.
You can block Google accounts not on the whitelist for all web traffic that matches an access rule by enabling Google Accounts in the advanced
settings of the access rule.
To force Google Chrome browsers to use HTTPS instead of QUIC on UDP port 443, you must create a BLOCK access rule.
Web traffic matching this rule can now only access Google accounts for domains that are included in the whitelist. When users access a
non-whitelisted domain, they are automatically redirected to a Google block page.
Local Authentication
If no external authentication servers are available, you can administer users with the local authentication service. For instructions on how to set
up local authentication, see How to Configure Local Authentication.
For instructions on how to integrate the X-Series Firewall with these servers, see How to Configure an External Authentication Service.
Guest Access
To grant guest users access to the network, you can use the following methods:
Confirmation Page – Prompts guests to agree to Terms of Service before they can access the network. For more information, see How to Set Up a Guest Access Confirmation Page.
Guest Ticketing – Assigns guests with tickets that give them credentials to temporarily access the network. For more information, see How to Set Up Guest Access with Ticketing and How to Manage Guest Tickets - User's Guide.
If you do not have an external authentication service available, you can create and maintain a list of local users and groups on the Barracuda
NextGen Firewall X-Series. You can refer to these users and groups when creating firewall rules, VPNs, or when configuring the captive portal.
Ensure that you enter the correct group names. If you misspell a group name (e.g., tst instead of test), a new group
is created and permissions are not applied correctly to the group.
3. Click Add.
4. Click Save to confirm your settings.
The user entry is now listed in the Local Users and Groups table.
By integrating the Barracuda NextGen Firewall X-Series with your existing authentication server, you can configure access rules that apply to
specific users and groups without having to create local user accounts on the X-Series Firewall. The X-Series Firewall supports the following
external authentication services:
Barracuda DC Agent
Barracuda Terminal Server Agent (TS Agent)
Active Directory
NTLM
LDAP
RADIUS
Wi-Fi Access Point
OCSP
Barracuda DC Agent
The Barracuda DC Agent runs on the domain controller or a dedicated Windows PC in the office network. The DC Agent continuously checks the
domain controller for login events to create a list of users and their associated IP addresses. The list of authenticated users is provided to the
X-Series Firewall, allowing for true single sign-on capabilities. You can download the Barracuda DC Agent directly from the X-Series Firewall Web
UI.
For more information, see How to Configure Barracuda DC Agent Authentication and Barracuda DC Agent for User Authentication.
The Barracuda Terminal Server Agent (TS Agent) authenticates users logged into a Microsoft Terminal Server. Because users on a Terminal
Server all use the same source IP address, the Barracuda TS Agent maps each user to a specified source port range and sends this mapping to
the X-Series Firewall. The X-Series Firewall can thus determine the user for each connection from the terminal server by the source port.
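The lookup described above, as an added example that is neither the TS Agent's nor the firewall's own code: the agent's per-user source-port ranges are kept per terminal server, and each connection is attributed by its source port. The terminal server address, user names and port ranges are constructed sample data.

```python
# Added example, not the TS Agent's or the firewall's own code: resolving
# the user behind a terminal-server connection from its source port, using
# the kind of per-user port-range mapping the TS Agent sends to the firewall.
import bisect
from typing import Dict, List, Optional, Tuple


class PortRangeMap:
    """Non-overlapping (low, high, user) source-port ranges per terminal server IP."""

    def __init__(self) -> None:
        self._ranges: Dict[str, List[Tuple[int, int, str]]] = {}

    def assign(self, ts_ip: str, low: int, high: int, user: str) -> None:
        """Record the range allocated to a user. Overlaps are rejected because
        a port shared by two ranges could be attributed to the wrong user."""
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range {low}-{high}")
        ranges = self._ranges.setdefault(ts_ip, [])
        for lo, hi, other in ranges:
            if low <= hi and lo <= high:
                raise ValueError(f"{low}-{high} overlaps {lo}-{hi} held by {other}")
        bisect.insort(ranges, (low, high, user))

    def release(self, ts_ip: str, user: str) -> None:
        """Drop a user's ranges once the agent reports that the session ended."""
        self._ranges[ts_ip] = [r for r in self._ranges.get(ts_ip, []) if r[2] != user]

    def lookup(self, ts_ip: str, src_port: int) -> Optional[str]:
        """Return the user owning src_port on ts_ip, or None when the port lies
        outside every mapped range (such connections carry no user identity)."""
        ranges = self._ranges.get(ts_ip, [])
        lows = [r[0] for r in ranges]
        i = bisect.bisect_right(lows, src_port) - 1   # last range starting at or below the port
        if i >= 0 and ranges[i][1] >= src_port:
            return ranges[i][2]
        return None


# Constructed sample mapping for one terminal server (addresses are not from the page).
TS_IP = "10.0.0.5"
MAPPING = PortRangeMap()
MAPPING.assign(TS_IP, 10000, 10099, "alice")
MAPPING.assign(TS_IP, 10100, 10199, "bob")
```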
Active Directory
Microsoft Active Directory (MSAD) is a directory service that allows authentication and authorization of users in a network. It has been included
with all Windows Server operating systems since Windows 2000 Server. MSAD is used for single sign-on for many services. Permissions are
managed by group. Users inherit the permissions of all the groups that they are members of. Backward-compatibility for older services is provided
by NTLM/MS-CHAP options that you can activate and configure on the MSAD server. All information is kept in a single directory information tree.
NTLM
If your network uses an NT LAN Manager (NTLM) authentication server, your NTLM domain users are transparently authenticated using their
Microsoft Windows credentials. This single sign-on method of access control is provided by transparent proxy authentication against your NTLM
server. To enable transparent proxy authentication against your NTLM server, you must join the X-Series Firewall to the NTLM domain as an
authorized host.
LDAP
Lightweight Directory Access Protocol (LDAP) is used for storing and managing distributed information services in a network. LDAP is mainly
used to provide a single sign-on solution. It follows the same X.500 directory structure as MSAD.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol providing authentication, authorization, and accounting. The X-Series
Firewall uses RADIUS authentication for the IPsec, Client-to-Site, and SSL VPN.
The X-Series Firewall can parse authentication information contained in the syslog stream of supported wireless access points. Wi-Fi access
points typically use authentication services such as RADIUS servers to authenticate users before allowing them to connect. The X-Series Firewall
monitors the syslog files sent by the Wi-Fi access points for usernames and the associated IP address of logged-in users. Depending on the
For more information, see How to Configure Wi-Fi Access Point Authentication.
OCSP
Online Certificate Status Protocol (OCSP) is a protocol used to check if X.509 certificates have been revoked by their respective certificate
authorities (CAs). The X-Series Firewall uses the information provided by OCSP to verify the authenticity of a certificate. For integration with
OCSP-based online digital certification verification:
Download and install the Barracuda DC Agent on your domain controller or dedicated Windows PC. The DC Agent can be downloaded directly
from your X-Series Firewall:
Do not install the Barracuda DC Agent on Windows Server domain controllers that are configured to use NTLM.
When configuring the Barracuda DC Agent, add the IP address(es) of your X-Series Firewall and configure local audit policies to generate an
account login event whenever a user authenticates via the domain controller.
Configure the X-Series Firewall to communicate with the Barracuda DC Agent and specify the domain controllers where the Barracuda DC Agent
is installed.
Connect the X-Series Firewall with your Microsoft Active Directory (MSAD) server and configure MSAD as the external authentication scheme.
8. Set Cache MSAD Groups to Yes to reduce network traffic and server load on the domain controller.
9. Select Use SSL if your Active Directory server is configured to use SSL.
10. (Optional) Select Follow Referrals to use Active Directory's global catalog and follow the referrals. When a requested object exists in the
directory but is not present on the contacted domain controller, the referral gives the client a location that holds the object or is more
likely to hold the object. It is also possible for the referred-to domain controller to refer to a next hop location. The number of next hops is
defined in Maximum Hops for Referrals.
11. Click Save.
12. (Optional) Add Group Filter Patterns to filter unwanted group information. Wildcards are allowed.
Example: When using the pattern *SSL* with the following group membership strings:
User01 group membership string: CN=xyz,OU=sales,DC=mycompany,DC=com
User02 group membership string: CN=SSL,DC=mycompany,DC=com
Only User02 matches.
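The filter pattern example above, worked through as an added example (not Barracuda's code): wildcard patterns are applied to each group membership string, and patterns that match nothing are reported, since a misspelled pattern silently discards the groups it was meant to keep. The membership strings are the page's own; case-sensitive matching is an assumption.

```python
# Added example, not part of the Barracuda documentation: applying Group Filter
# Patterns (with * and ? wildcards) to group membership strings.
from fnmatch import fnmatchcase
from typing import Dict, List

# Membership strings taken from the page's example.
MEMBERSHIP: Dict[str, List[str]] = {
    "User01": ["CN=xyz,OU=sales,DC=mycompany,DC=com"],
    "User02": ["CN=SSL,DC=mycompany,DC=com"],
}


def filter_groups(groups: List[str], patterns: List[str]) -> List[str]:
    """Keep only the membership strings that match at least one pattern.

    Matching is case-sensitive here (an assumption; the page only shows
    *SSL* against CN=SSL), so *ssl* would not match CN=SSL.
    """
    return [g for g in groups if any(fnmatchcase(g, p) for p in patterns)]


def matching_users(membership: Dict[str, List[str]], patterns: List[str]) -> List[str]:
    """Users that keep at least one group after filtering."""
    return sorted(u for u, gs in membership.items() if filter_groups(gs, patterns))


def unused_patterns(membership: Dict[str, List[str]], patterns: List[str]) -> List[str]:
    """Patterns that match no known group. A typo here (compare the note on
    misspelled group names) means the intended groups are dropped unnoticed."""
    all_groups = [g for gs in membership.values() for g in gs]
    return [p for p in patterns if not any(fnmatchcase(g, p) for g in all_groups)]
```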
13. Click Save.
The configuration is now added to the EXISTING AUTHENTICATION SERVICES table and you can use the MSAD authentication service on the
X-Series Firewall.
To test whether the connection is working, try to log in as a user from another network host. When a user to whom the authentication scheme
applies logs into the network, a log entry is created showing the login details such as source address, success or failure, time, etc. To access
authentication logs, go to the LOGS > Authentication Logs page.
Make sure that you have entered the MSAD searching user in the Searching User field in the correct format: user@domain. Do not use
the domain\user format.
Verify that the entry for the Base DN where the lookup should be started does not contain spaces.
Check the LOGS > Authentication Logs page for error messages when connecting to your Active Directory server.
7. (Optional) Enter the hostname of the domain's Windows Internet Name Service server in the WINS Servers field.
8. Select the authentication scheme to retrieve group information from.
9. Click Save.
Your NTLM domain users can now authenticate on the X-Series Firewall using their Microsoft Windows credentials.
When selecting Logon to Authenticate, the authenticator will log on to the LDAP server to verify user authentication data.
Use this option when the LDAP server does not expose user passwords, not even to the administrator.
9. Click Save.
RADIUS authentication is now configured and can be used for IPsec, Client-to-Site, and SSL VPN.
TSAgentDrv – Windows Filtering Platform driver. TSAgentDrv intercepts the network traffic and assigns the specific source port number.
TSAgentSvc – Service that communicates with the TSAgentDrv driver and the X-Series Firewall. It automatically starts on system start
and recovers when terminated unexpectedly.
TSAgentConfig – Configuration utility. TSAgentConfig also shows the current debug log and helps identify problems.
Download and install the Barracuda TS Agent on the Microsoft Terminal Servers. The TS Agent can be downloaded directly from the
X-Series Firewall:
1. Go to the USERS > External Authentication page.
2. Click the TS Agent tab.
3. Click Download TS Agent.
For more information, see Barracuda Terminal Server Agent.
(Optional) Use SSL certificates for authentication.
On the X-Series Firewall, enter the IP address of the Terminal Server running the Barracuda TS Agent. The TS Agent must be configured to allow
connections to the management IP address of the X-Series Firewall.
The X-Series Firewall will now receive authentication information from the TS Agent on the Microsoft Terminal Server.
If you enable SSL, the connection between the X-Series Firewall and the TS Agent is SSL encrypted. By uploading your own SSL certificates to
the TS Agent and X-Series Firewall, the connection will only be established if the SSL certificate is valid.
If the TS Agent is configured to use SSL, an SSL-encrypted connection will be established, even if the Use SSL option is disabled on
the X-Series Firewall.
The X-Series Firewall will now use SSL and verify the SSL certificate when connecting to the TS Agent.
Because many of the requests for a domain join and subsequent authentication must query the domain controller directly, you must specify your
domain controllers in the DNS configuration.
Do not use domain\user formatting as this may cause problems with some Active Directory servers.
For more details about the settings, click Help on the page.
4. Click Save Changes.
It is not necessary to have WINS running on your domain, but you must configure the WINS Servers setting.
1. Go to the USERS > External Authentication page and open the NTLM tab.
2. In the Windows Domain Username and Windows Domain Password fields, enter the credentials for a user account with permissions
to join the domain (such as an administrator). These user credentials are not saved and are only used once during the join attempt.
3. Click Join Domain.
4. To verify that the join was successful, click Registration Status.
To authenticate connecting users, you must enable syslog streaming on the access point. For more information, see:
information, see How to Use and Manage Certificates with the Certificate Manager.
10. Select the manufacturer of your Wi-Fi access point from the AP Model dropdown.
11. Click Save.
12. Depending on the protocols used by the Wi-Fi AP endpoints, enter the UDP, TCP, or SSL Listen Ports.
Wi-Fi Access Point authentication is now configured and can be used for wireless connections.
Reference Devices/Versions:
Add the syslog configuration to the Network Policy you are using for your access points.
You can now configure Wi-Fi Access Point authentication on the X-Series Firewall. For more information, see How to Configure Wi-Fi Access
Point Authentication.
Reference Devices/Versions:
4. Click Apply.
You can now configure Wi-Fi Access Point authentication on the X-Series Firewall. For more information, see How to Configure Wi-Fi Access
Point Authentication.
Reference Devices/Versions:
9. Click Apply.
You can now configure Wi-Fi Access Point authentication on the X-Series Firewall. For more information, see How to Configure Wi-Fi Access
Point Authentication.
When setting up a guest network, you can configure the Barracuda NextGen Firewall X-Series to use a confirmation page that prompts guests to
agree to the Terms of Service before they can access the network. A confirmation page is typically used to grant network access to anonymous
users.
Ensure that the X-Series Firewall has one unused network interface (Wi-Fi, Ethernet, or virtual, e.g., ath3, p3, or p3.100).
Identify the guest network that you want to use (e.g., 192.168.225.0/24).
Configure a static network interface or a Wi-Fi interface. In the Static Interface Configuration, ensure that you specify the following settings:
To automatically assign IP addresses for guests, enable a DHCP server for the guest network.
For more information on setting up a DHCP server, see How to Configure the DHCP Server.
Specify the network using the confirmation page for guest access.
On the USERS > Guest Access page, you can configure the page that is displayed to guests when they log into the network.
In the Login Page Options section, edit the Welcome Message and upload a Welcome Image. The image can be up to 1 MB and must be in
JPG, GIF, or PNG format. The suggested image size is 170 x 40 pixels.
Create an access rule to always allow DNS traffic from the guest network to the Internet.
To allow connections from the guest network to the Internet, the X-Series Firewall must perform source-based NAT. The source IP
address of outgoing packets is changed from that of the client residing in the network to the WAN IP address of the X-Series Firewall, so
the connection is established between the WAN IP address and the destination IP address. The destination address of reply packets
belonging to this session is rewritten with the client's IP address.
5. At the bottom of the rule editor window, click Save.
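The source-based NAT described above, modelled as an added example that is not part of the Barracuda documentation: an outgoing guest packet is rewritten to the WAN IP address with a translated port, and a reply is mapped back to the client only when a session exists. The WAN address, port allocation and flows are constructed; translating only guest-network sources is an assumption.

```python
# Added example, not from the Barracuda documentation: a minimal model of the
# source-based NAT the firewall performs for the guest network.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

GUEST_NET = ip_network("192.168.225.0/24")   # guest network from the page
WAN_IP = "203.0.113.10"                       # constructed WAN IP (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Translate guest clients to the WAN IP and map replies back to them."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self._next_port = first_port
        # (client, client port, dst, dport) -> translated port on the WAN IP
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (translated port, dst, dport) -> (client, client port)
        self._back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a guest packet's source so the session runs WAN IP <-> destination."""
        if ip_address(pkt.src) not in GUEST_NET:
            return pkt   # assumption: only guest-network traffic is translated here
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self._out.get(key)
        if nat_port is None:   # new session: allocate a port and remember the mapping
            nat_port = self._next_port
            self._next_port += 1
            self._out[key] = nat_port
            self._back[(nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a reply's destination back to the client. Returns None when no
        session exists, so an unsolicited inbound packet never reaches the guest network."""
        session = self._back.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != self.wan_ip or session is None:
            return None
        client, client_port = session
        return Packet(pkt.src, pkt.sport, client, client_port)
```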
Create an access rule to allow HTTP/S traffic from guest network users to the Internet.
Because rules are processed from top to bottom in the rule list, ensure that the rule to allow DNS traffic is placed above the rule to allow users,
and that both rules are placed above the BLOCKALL rule; otherwise, the traffic is blocked. For more information, see Firewall Rules Order.
When you configure a guest network, you can set up a login or ticketing system to temporarily grant access to guests. Before guests can access
the network, they must enter a username and password from tickets that are assigned to them. The tickets expire after a set period of time.
Before tickets can be created, you must configure the ticketing system and set up ticket administrators. If the ticket administrator is located in a
different network segment, you must also create a firewall rule to allow access to the ticketing web interface.
Follow the instructions in this article to set up a guest network with ticketing.
Ensure that the Barracuda NextGen Firewall X-Series has one unused network interface (Wi-Fi, Ethernet, or virtual, e.g., ath3, p3, or
p3.100).
Identify the guest network that you want to use (e.g., 192.168.223.0/24).
You can use Wi-Fi or a wired network for guest access. Configure a static network interface or a Wi-Fi interface. In the Static Interface
Configuration, ensure that you specify the following settings:
To automatically assign IP addresses for guests, enable a DHCP server for the guest network.
For more information on setting up a DHCP server, see How to Configure the DHCP Server.
If you configured the guest network on a wired interface, specify that the network uses ticketing for guest access.
The ticket administrator can log into the ticketing system to create guest tickets but cannot log into the management interface of the X-Series
Firewall.
Create a Network Object for the gateway IP address of the guest access network, and then add a Redirect to Service firewall rule.
5. Click Save.
On the USERS > Guest Access page, you can configure the page that is displayed to guests when they log into the network.
In the Login Page Options section, edit the Welcome Message and upload a Welcome Image. The image cannot be larger than 1 MB and
must be in JPG, GIF, or PNG format. The suggested image size is 170 x 40 pixels.
Create an access rule to always allow DNS traffic from the guest network to the Internet.
Create an access rule to allow HTTP/S traffic from guest network users to the Internet.
Because rules are processed from top to bottom in the rule list, ensure that the rule to allow DNS traffic is placed above the rule to allow users,
and that both rules are placed above the BLOCKALL rule; otherwise, the traffic is blocked. For more information, see Firewall Rules Order.
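The ordering requirement stated here and in the confirmation page procedure above, as an added example that is not Barracuda's code: a first-match evaluator over the guest rule list shows the DNS and HTTP/S rules being shadowed when BLOCKALL sits above them. Rule names, the implicit default and the sample flows are constructed; the guest network is the page's.

```python
# Added example, not from the Barracuda documentation: first-match evaluation
# of the guest-network rule list, showing why the DNS and HTTP/S rules must sit
# above BLOCKALL. Rule names and sample flows are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "ALLOW" or "BLOCK"
    src: str                              # source network, "0.0.0.0/0" = any
    proto: Optional[str] = None           # None = any protocol
    dports: FrozenSet[int] = frozenset()  # empty = any destination port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.proto is None or self.proto == proto)
                and (not self.dports or dport in self.dports))


def first_match(rules: List[Rule], src_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Rules are processed top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.name, rule.action
    return "IMPLICIT", "BLOCK"   # assumption: traffic matching no rule is blocked


def never_matched(rules: List[Rule], flows: List[Tuple[str, str, int]]) -> List[str]:
    """Names of rules that no sample flow reaches, a sign they are shadowed."""
    hit = {first_match(rules, *flow)[0] for flow in flows}
    return [r.name for r in rules if r.name not in hit]


GUEST = "192.168.225.0/24"   # guest network from the page
ALLOW_DNS = Rule("GUEST-DNS", "ALLOW", GUEST, "udp", frozenset({53}))
ALLOW_WEB = Rule("GUEST-WEB", "ALLOW", GUEST, "tcp", frozenset({80, 443}))
BLOCKALL = Rule("BLOCKALL", "BLOCK", "0.0.0.0/0")

CORRECT_ORDER = [ALLOW_DNS, ALLOW_WEB, BLOCKALL]
WRONG_ORDER = [BLOCKALL, ALLOW_DNS, ALLOW_WEB]   # BLOCKALL on top shadows both allow rules

# Constructed sample flows: (source IP, protocol, destination port)
FLOWS = [("192.168.225.20", "udp", 53), ("192.168.225.20", "tcp", 443),
         ("192.168.225.21", "tcp", 22), ("10.0.0.9", "tcp", 443)]
```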
Next Step
For instructions on how to create tickets for guests, see How to Manage Guest Tickets - User's Guide.
If you are a ticketing administrator, you can create tickets in the Barracuda NextGen Firewall X-Series ticketing web interface to let guests
temporarily access your network.
Tickets assign guests with a username and password that expire after a preset amount of time. After tickets expire, they are automatically
deleted.
Create a Ticket
To give guests their username and password for accessing the network, you can print their ticket information. The printed information also
specifies when the ticket expires.
To print the information for a guest ticket, click the printer symbol next to it.
If your guests are accessing a Wi-Fi network, you must also give them the SSID and passphrase for the network.
Site-to-Site VPN – Securely and transparently connects remote locations with your network.
Client-to-Site VPN – Lets remote users access the corporate network with VPN clients and mobile devices.
SSL VPN – Lets remote users access corporate resources over a secure and configurable web interface without the need to install or
configure a VPN client.
In this Section
Client-to-Site VPN
Site-to-Site VPN
How to Allow VPN Access via a Dynamic WAN IP Address
SSL VPN
Shared Key – No external CA is required. A passphrase (shared key) is entered on the server and the client. This passphrase is used to
authenticate the connection.
Client Certificate – X.509 certificates are generated by an external CA. These certificates are used to authenticate the client. This
method is more secure.
Shared Key or Client Certificate – Client and server require either a shared key or valid client certificate to authenticate the remote
device.
Additionally, every user must authenticate using a username and password. Usernames and passwords can be stored in external authentication
services like Microsoft Active Directory, LDAP, or RADIUS. For more information, see How to Configure an External Authentication Service.
For instructions on how to set up an IPsec VPN, see the following articles:
The SSL VPN lets any user with a browser connect to published corporate resources—such as Exchange OWA, RDP connections to internal
servers/computers, or internal Wikis. You can also use the My Network feature to initiate a full routed network VPN from the SSL VPN portal.
PPTP
Warning
As of 2012, PPTP is no longer considered secure. It is highly recommended that you switch away from PPTP because of the security
risks involved.
Point-to-Point Tunneling Protocol (PPTP) is offered with up to 128-bit MPPE encryption. It provides the following:
Limitations
Almost every modern operating system includes a PPTP client. The following clients are officially supported by Barracuda Networks:
For instructions on how to set up a PPTP VPN, see How to Configure a Client-to-Site VPN with PPTP.
Mobile devices
The X-Series Firewall supports IPsec VPN connections for Apple iOS and Android devices. You must enable the IPsec client option in the
access policy to be able to connect with a mobile client.
The Barracuda VPN client authenticates with the certificate and username/password. You must enable the Barracuda VPN Client option in the
access policy to be able to connect with the Barracuda VPN client.
The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN. You
must enable IPsec client in the access policy to use the IPsec VPN client.
Enable the VPN service on a static IP address. If you do not have a static WAN IP address, you must enable the VPN service for a static internal
interface and then redirect incoming connections to the VPN service with a firewall rule.
3. In the Edit Static Network Interface window, select the VPN Server check box.
4. Click Save.
4. Click Add.
5. Create an access rule to redirect incoming VPN connections on the dynamic interface to the VPN server listening on the local IP
address.
a. Go to the FIREWALL > Firewall Rules page.
b. Click Add Access Rule.
c. In the Add Access Rule window, configure a Redirect to Service firewall rule.
For the Destination, select the network object corresponding to your Internet connection type (DHCP, 3G, or DSL).
For the Redirected To setting, select the VPN network object.
d. Click Save.
6. Move the access rule above the BLOCKALL rule so it is the first access rule to match incoming VPN traffic. For more information, see Firewall Rules Order.
7. Click Save.
Use a third-party PKI to create the VPN and client certificates. For more information on how to create certificates, see How to Create Certificates
with XCA and How to Create Certificates for a Client-to-Site VPN.
The Subject Alternative Name (SubjectAltName) of the VPN server certificate must be DNS: examplevpn.domain.com or DNS: *. If you are using an FQDN, it
must resolve to the IP address of the X-Series Firewall VPN service.
Do not change the default IPsec Phase 1 and Phase 2 settings if you want to use iOS or Android devices as VPN clients.
4. Click Save.
Access policies are matched based on the Allowed Group of the access policy from top to bottom. Make sure access policies are
entered so the more specific allowed groups are on the top of the list and the generic * conditions are on the bottom of the list.
Client Network – The network that the client will be assigned to (e.g., 192.168.100.0/24).
(Optional) Domain – The domain assigned to the client.
Primary DNS Server – The IP address of the DNS server.
Published Networks – The local networks available for the VPN client.
IPsec Phase 2 – The IPsec Phase 2 settings that you configured in Step 3.2 (e.g., Client2SiteVPNClients from the example
in Step 3.2).
No Split Tunnel Mode – Enable to lock down the client to only connect to the Published Networks of the VPN tunnel. Applies to
Windows hosts using the Barracuda VPN client only. Enabling this option blocks VPN access for all non-Windows clients!
Allowed Peers – Enable IPsec Clients to allow mobile devices and third-party IPsec clients to connect, and Barracuda VPN Client to
allow connections with the Barracuda VPN Client.
Allowed Groups – The groups that are allowed to connect. To allow all groups, enter an asterisk (*).
Use for CudaLaunch – Enable self-provisioning on Windows, macOS, or iOS devices for remote clients using the CudaLaunch
portal. For more information, see CudaLaunch.
Configure the following settings:
CudaLaunch Server – Enter the IP address of the server providing CudaLaunch.
Allowed Groups – Enter the user groups that the policy applies to. Click + after each entry. You can use question
marks (?) and asterisks (*) as wildcard characters.
4. Click Save.
Configure VPN clients to connect to the IPsec VPN with certificate authentication.
Configure the Barracuda VPN client to connect to the IPsec VPN with certificate authentication you just created.
After configuring the Barracuda VPN client, you can connect to the IPsec VPN:
You are now connected to the client-to-site IPsec VPN with the Barracuda VPN Client.
Mobile clients
Apple iOS 5.2 and above – How to Configure the Apple iOS VPN Client for IPsec Shared Key VPN
Android 4.0 and above – How to Configure the Android VPN Client for IPsec Shared Key VPN
The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN.
The certificates for the VPN service must include the FQDN resolving to the external IP address the VPN service is listening on as the
Subject Alternative Name, e.g., DNS:vpn.mydomain.com. Alternatively, you can also use a wildcard: DNS:*
Mobile devices
The X-Series Firewall supports IPsec VPN connections for Apple iOS and Android devices. You must enable the IPsec client option in the
access policy to be able to connect with a mobile client.
The Barracuda VPN Client authenticates with username and password. The shared key configured for the IPsec client is not used for the
Barracuda VPN Client. You must enable the Barracuda VPN Client option in the access policy to be able to connect with the Barracuda VPN
Client.
Enable the VPN service on a static IP address. If you do not have a static WAN IP address, you must enable the VPN service for a static internal
interface and then redirect incoming connections to the VPN service with a firewall rule.
3. In the Edit Static Network Interface window, select the VPN Server check box.
4. Click Save.
To use the VPN service with a dynamic WAN IP address, run the VPN service on an internal IP address. Do not use the management IP
address; instead, use a secondary IP address. Then, configure a firewall rule to redirect all incoming VPN traffic from the dynamic interface to the
VPN service.
4. Create an access rule to redirect incoming VPN connections on the dynamic interface to the VPN server listening on the local IP
address.
a. Go to FIREWALL > Firewall Rules.
b. Click Add Access Rule.
c. In the Add Access Rule window, configure a Redirect to Service firewall rule.
For the Destination, select the network object corresponding to your Internet connection type (DHCP, 3G, or DSL).
For the Redirected To setting, select the VPN network object.
d. Click Save.
5. Move the firewall rule above the BLOCKALL rule. For more information, see Firewall Rules Order.
6. Click Save.
Step 2. Configure client-to-site VPN settings for shared key IPsec VPN
If you want to use iOS or Android devices as VPN clients, do not change the default IPsec Phase 1 and Phase 2 settings.
Define the VPN clients and the network information to be passed to client.
Access policies are matched based on the Allowed Group of the access policy from top to bottom. Make sure access policies are
entered so the more specific allowed groups are at the top of the list and the generic * conditions are at the bottom of the list.
Client Network – The network that the client will be assigned to (e.g., 192.168.100.0/24).
(Optional) Domain – The domain assigned to the client.
Primary DNS Server – The IP address of the DNS server.
Published Networks – The local networks available for the VPN client.
No Split Tunnel Mode – Enable to lock down the client to connect only to the Published Networks of the VPN tunnel. Add 0.0.0.0/0 to the Published Networks to allow the client to access the Internet through the VPN tunnel.
IPsec Phase 2 – The IPsec Phase 2 settings that you configured in Step 2.2 (e.g., Client2SiteVPNClients from the example in
Step 2.2).
Allowed Peers – Enable IPsec Clients to allow mobile devices and third-party IPsec clients to connect, and Barracuda VPN Client to
allow connections with the Barracuda VPN Client.
Allowed Groups – The groups that are allowed to connect. To allow all groups, enter an asterisk (*).
Use for CudaLaunch – Enable self-provisioning on Windows, macOS, or iOS devices for remote clients using the CudaLaunch
portal. For more information, see CudaLaunch.
Configure the following settings:
Configure VPN clients to connect to the IPsec VPN with shared key authentication.
Configure the Barracuda VPN Client to connect to the IPsec VPN with the certificate authentication you just created.
After configuring the Barracuda VPN client, you can connect to the IPsec VPN:
You are now connected to the client-to-site IPsec VPN with the Barracuda VPN Client.
The connection status is displayed on the VPN > Active Connections page.
Apple iOS 5.2 and above – How to Configure the Apple iOS VPN Client for IPsec Shared Key VPN
Android 4.0 and above – How to Configure the Android VPN Client for IPsec Shared Key VPN
The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN.
Troubleshooting
If you are having trouble connecting to the client-to-site VPN, see Troubleshooting Client-to-Site VPNs.
Verify that the Apple device is running iOS version 5.1 or above.
Barracuda Networks reference device for IPsec PSK: Apple iPhone/iPad with iOS version 7.0.4.
Verify that a client-to-site IPsec VPN with shared key authentication has been properly configured. For more information, see How to
Configure a Client-to-Site VPN with Shared Key Authentication.
To configure an Apple iOS device for IPsec VPN connections with the Barracuda NextGen Firewall X-Series:
1. On the Apple iOS device, tap Settings > General > VPN > Add VPN Configuration.
2. On the Add VPN configuration screen, tap the IPsec tab.
3. Configure the following settings:
Server – The IP address or FQDN that the VPN service is listening on (e.g., 62.99.0.51).
Account and Password – Your username and password.
Group Name – The access policy name for the client-to-site VPN on the X-Series Firewall you want to connect to (e.g., IPsecVPN).
Secret – The shared key.
4. Tap Save in the top right corner. The VPN configuration then appears on the VPN screen.
After configuring the Apple device, you can connect to the IPsec VPN.
On your Apple iOS device, tap Settings and then turn on VPN. After a few seconds, the VPN icon appears in the status bar to indicate that the
connection is successful.
Note that many cell phone providers use NAT to connect mobile devices to the Internet, which can interfere with IPsec connections. If you cannot connect over the mobile network, contact your cell phone provider support for help.
Because certificates with keys longer than 512 bits do not work with the VPN client of iOS version 6.0, it is recommended that you update to the latest version of iOS.
For client-to-site IPsec VPN connections, you can use Apple iOS devices. Follow the steps in this article to configure Apple iOS devices for IPsec
VPN connections with the Barracuda NextGen Firewall X-Series.
To use Apple iOS devices to connect to a client-to-site IPsec VPN, you must have the following:
X.509 Certificate Type: Client Certificate
Installation Device: Apple iOS Device
File Type: PKCS12
Chain of Trust: End Instance
X.509 Extensions and Values: Key Usage, including the "Digital Signature" flag.
Do not use identical Subject Alternative Names settings. Subject Alternative Names must also not contain the management IP
address of the X-Series Firewall.
Only use the X.509 extensions that are listed in the table above.
Certificate chain diagram (not reproduced in the PDF export): Root certificate, Hash 7b6d2374. Server Certificate, Hash cc0460b5, Hash 7b6d2374. Client Certificate, Hash c2b06d20, Hash 7b6d2374.
You must import the root and the client certificate on the Apple iOS device. You can import the certificate via email or by downloading it from a
web server. If you are using a Mobile Device Management (MDM) server, you can also push the certificates to your devices.
To configure an Apple iOS device for IPsec VPN connections with the X-Series Firewall:
1. On the iOS device, tap Settings > General > VPN > Add VPN Configuration.
2. On the Add VPN configuration screen, tap the IPsec tab.
3. Configure the following settings:
Server – The Subject Alternative Name used in your certificates.
After configuring the Apple device, you can connect to the IPsec VPN.
On your Apple iOS device, tap Settings and then turn on VPN. After a few seconds, the VPN icon appears in the status bar to indicate that the
connection is successful.
Note that many cell phone providers use NAT to connect mobile devices to the Internet, which can interfere with IPsec connections. If you cannot connect over the mobile network, contact your cell phone provider support for help.
Barracuda Networks reference device for IPsec PSK uses Android version 4.3.
After configuring the Android device, you can connect to the IPsec VPN.
The client might not be able to reach the public listen IP address of the Barracuda NextGen Firewall X-Series. Try to ping the public listen
IP address of the appliance from the client.
Go to the VPN > Client-to-Site VPN page and verify that the tunnel is configured correctly.
Go to the VPN > Client-to-Site VPN page and verify that the correct user authentication method is selected.
Go to the Users > External Services page and verify that the external authentication method is correctly configured.
Ensure that the correct username and password are being used to log in.
Verify that special characters are not being used in the password. If there are any special characters, change the password and then try
to connect.
You are Able to Connect but Cannot Reach the Published Networks
On the client, see if traffic is being sent into the tunnel. You can either check the routing table of the client machine or use the tracert (Windows) or traceroute (Linux/macOS) command-line utilities.
Go to the VPN > Client-to-Site VPN page and verify that the VPN Access Policies are configured correctly.
Ensure that the firewall rule for the VPN is allowing the traffic into the networks.
By default, the VPNCLIENTS-2-LAN access rule allows traffic from the client-to-site VPN to all networks in the Trusted LAN network object. Verify that the rule matches by pinging a computer in the Trusted LAN from a connected VPN client. If the ping goes through, you are able to reach the internal network through the client-to-site VPN. If the ping does not work, go to BASIC > Active Connections:
1. Find the connection of your ping by matching protocol (ICMP), source and destination.
2. If the access rule listed in the firewall rule column for the connection is not VPNCLIENTS-2-LAN, move the VPNCLIENTS-2-LAN rule above the rule that is currently handling the VPN traffic. For more information, see Firewall Rules Order.
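The routing-table check described above can be automated on the client. The following is an added example (not Barracuda code): it parses a constructed routing table in the format printed by ip route show on a Linux client, performs a longest-prefix match with a metric tie-break, and reports whether a destination in a Published Network would actually be sent into the tunnel interface. The interface name vpn0 and all addresses are assumptions; the second table shows the No Split Tunnel case, where 0.0.0.0/0 is published and a low-metric default route via the tunnel takes over.

```python
"""Check, from a client's routing table, whether a destination is routed into
the VPN tunnel. Added example, not Barracuda code; the route tables below are
constructed to look like `ip route show` output on a Linux client."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]
    metric: int


# Constructed sample: LAN route, default route via the home router, and two
# routes the VPN client installed for the Published Networks (split tunnel).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
10.0.10.0/24 dev vpn0 metric 10
10.0.20.0/24 dev vpn0 metric 10
"""

# Constructed sample for No Split Tunnel Mode with 0.0.0.0/0 published: a
# second default route, via the tunnel, with a lower metric than the LAN one.
NO_SPLIT_ROUTES = SAMPLE_ROUTES + "0.0.0.0/0 dev vpn0 metric 10\n"


def parse_routes(text: str) -> list[Route]:
    """Parse `ip route show` style lines into Route tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = dev = None
        metric = 0
        # Walk the "key value" pairs that follow the destination.
        for key, value in zip(fields[1:], fields[2:]):
            if key == "via":
                via = value
            elif key == "dev":
                dev = value
            elif key == "metric":
                metric = int(value)
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via, metric))
    return routes


def lookup(routes: list[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def goes_through_tunnel(routes: list[Route], destination: str, tunnel_dev: str = "vpn0") -> bool:
    """True if the packet to `destination` would leave via the tunnel interface."""
    route = lookup(routes, destination)
    return route is not None and route.dev == tunnel_dev
```

If goes_through_tunnel() returns False for a host in a Published Network, the client never hands the packet to the tunnel and no firewall rule on the X-Series Firewall can help; fix the published networks or the client first.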
Warning
As of 2012, PPTP is no longer considered secure (the MS-CHAPv2 authentication it relies on can be broken). It is highly recommended that you switch away from PPTP because of the security risks involved.
Using VPNs, mobile workers can securely access corporate information and resources. The Barracuda NextGen Firewall X-Series allows all
operating systems with PPTP clients to connect via a client-to-site VPN.
Follow the steps in this article to configure a client-to-site VPN using PPTP.
The VPN server that runs on the X-Series Firewall must listen on the appropriate IP address for the clients. Depending on whether the X-Series
Firewall is connected to the Internet through an ISP that statically or dynamically assigns the WAN IP address, complete the steps in the Static
WAN IP Address or Dynamic WAN IP Address section.
If the X-Series Firewall is connected to the Internet through an ISP that statically assigns the WAN IP address:
To allow VPN connections using a dynamically assigned WAN IP address on the X-Series Firewall, follow the steps in How to Allow VPN Access
via a Dynamic WAN IP Address.
Configure PPTP to let remote devices access the X-Series Firewall VPN.
For more information on the PPTP and authentication settings, click Help on the VPN > PPTP page.
Local Authentication
MS-CHAPv2/NTLM
Note that successful authentication is only possible for users that are matching the conditions in Allowed Users AND Allowed
Groups.
Step 4. Add the Firewall Rule to Allow Traffic Between VPN Clients and LAN
Create a new firewall rule that lets VPN traffic from the PPTP clients access the Trusted LAN:
1. Go to the FIREWALL > Firewall Rules page and add this rule:
Action: Allow
Source: The network range assigned to the PPTP clients (configured in VPN > PPTP > Client IP Pool Begin/Client IP Pool Size)
Destination: Trusted LAN
Service: Any (or the allowed/required services)
Connection: No SNAT (the original source IP address is used)
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom in the rule set, arrange your rules in
the correct order. You must especially ensure that your rules are placed above the BLOCKALL rule; otherwise, they never match and the traffic is blocked.
After adjusting the order of rules in the rule set, click Save.
Site-to-site VPNs let offices in multiple locations establish secure connections with each other over a public network such as the Internet. A
site-to-site VPN extends the company´s network, making resources available to remote employees. The Barracuda NextGen Firewall X-Series
establishes strongly encrypted IPsec VPN tunnels, using DES, 3DES, AES-128, AES-256, etc. It supports active and passive tunnel initiation and
provides maximum flexibility.
Video
Watch an example of a Site-to-Site VPN IPsec tunnel being configured on the X-Series Firewall:
Videos are not visible in the PDF export.
Step 1. Create the IPsec Tunnel on the X-Series Firewall and on the Remote Appliance
The VPN server that runs on the X-Series Firewall must listen on the appropriate IP address for its peer. Depending on whether the X-Series
Firewall is connected to the Internet through an ISP that statically or dynamically assigns the WAN IP address, complete the steps in the
following Static WAN IP Address or Dynamic WAN IP Address section.
If the X-Series Firewall is connected to the Internet through an ISP that statically assigns the WAN IP address:
If your X-Series Firewall is connected to the Internet through an ISP that dynamically assigns the WAN IP address, see How to Allow VPN
Access via a Dynamic WAN IP Address.
Create a firewall rule to allow network traffic between the two networks. If the tunnel is to be established between two X-Series Firewalls, create
the same rule on both appliances.
Action: Allow
Connection: No SNAT (the original source IP address is used)
Bi-directional: Select the check box.
Service: Any
Source: The LAN 1 address.
Destination: The LAN 2 address.
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom in the rule set, ensure that you
arrange your rules in the correct order. Take special care to place your rule above the BLOCKALL rule. Otherwise, the rule will never match and
all traffic is blocked. If you are configuring a tunnel between two X-Series Firewalls, verify the order of the firewall rules in the rule sets for both
appliances.
After adjusting the order of rules in the rule set, click Save.
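The rule-order point made for the client-to-site rule, the PPTP rule and the site-to-site rule above is the same one: the rule set is evaluated top to bottom and the first match wins, so a rule created below BLOCKALL never fires. The following added example (not Barracuda code) simulates that first-match evaluation on constructed network ranges, reproduces the "wrong rule handled my ping" situation from the troubleshooting steps, and applies the fix of moving the rule above the one that shadowed it. It also models the Bi-directional flag of the site-to-site rule. The rule names are the ones used in the text; the addresses are assumptions.

```python
"""Simulate first-match evaluation of an ordered access rule set, to show why a
rule placed below BLOCKALL (or below a broader rule that catches the traffic
first) never matches. Added example, not Barracuda code; network ranges are
constructed and the rule names mirror the ones used in the text."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "block"
    source: str                  # CIDR
    destination: str             # CIDR
    service: str                 # "any" or a specific service such as "tcp/445"
    bidirectional: bool = False  # site-to-site rules: also match the reverse direction


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def _one_way(pkt: Packet, src_net: str, dst_net: str) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net))


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.service not in ("any", pkt.service):
        return False
    if _one_way(pkt, rule.source, rule.destination):
        return True
    return rule.bidirectional and _one_way(pkt, rule.destination, rule.source)


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Walk the rule set top to bottom and return (action, name) of the first
    match, i.e. what the firewall rule column on BASIC > Active Connections shows."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "<no rule matched>"


def move_rule_above(rules: list[Rule], name: str, above: str) -> list[Rule]:
    """Return a copy of the rule set with rule `name` placed directly above `above`."""
    moving = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    idx = next(i for i, r in enumerate(rest) if r.name == above)
    return rest[:idx] + [moving] + rest[idx:]


VPN_CLIENTS = "10.0.10.0/24"  # constructed: client-to-site client IP pool
TRUSTED_LAN = "10.0.20.0/24"  # constructed: Trusted LAN network object
REMOTE_LAN = "10.0.30.0/24"   # constructed: LAN behind the site-to-site peer

VPNCLIENTS_2_LAN = Rule("VPNCLIENTS-2-LAN", "allow", VPN_CLIENTS, TRUSTED_LAN, "any")
VPN_SITE_2_SITE = Rule("VPN-SITE-2-SITE", "allow", TRUSTED_LAN, REMOTE_LAN, "any", bidirectional=True)
BLOCKALL = Rule("BLOCKALL", "block", "0.0.0.0/0", "0.0.0.0/0", "any")

PING_FROM_VPN_CLIENT = Packet("10.0.10.5", "10.0.20.7", "icmp")


def misordered_result() -> tuple[str, str]:
    # A new rule lands at the bottom, i.e. below BLOCKALL: the ping is blocked.
    return evaluate([BLOCKALL, VPNCLIENTS_2_LAN], PING_FROM_VPN_CLIENT)


def fixed_result() -> tuple[str, str]:
    # The fix from the troubleshooting steps: move the rule above the one that
    # currently handles the traffic.
    fixed = move_rule_above([BLOCKALL, VPNCLIENTS_2_LAN], "VPNCLIENTS-2-LAN", "BLOCKALL")
    return evaluate(fixed, PING_FROM_VPN_CLIENT)
```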
To verify that the VPN tunnel was initiated successfully and traffic is flowing, go to the VPN > Site-to-Site Tunnels page. Verify that green check
Use ping to verify that network traffic is passing the VPN tunnel. Open the console of your operating system and ping a host within the remote
network. If no host is available, you can ping the management IP address of the remote X-Series Firewall. Go to the NETWORK > IP
Configuration page and ensure that Services to Allow: Ping is enabled for the management IP address of the remote firewall.
If network traffic is not passing the VPN tunnel, go to the BASIC > Recent Connections page and ensure that network traffic is not blocked by
any other firewall rule.
Create and configure a Microsoft Azure static VPN Gateway for your virtual network.
You will need the following information:
VPN Gateway
External IP address for the X-Series Firewall
Remote and local networks.
Create a virtual Network in the Microsoft Azure cloud. Choose subnets which are not present in your local networks to avoid IP address conflicts.
7. Click NEXT.
16. In the Virtual Network Address Spaces section click add subnet:
Subnet – Enter a name for the subnet.
Starting IP – Enter the first IP of the IP Range for the subnet. E.g., 10.10.201.0
CIDR(ADDRESS COUNT) – Select the subnet mask from the list. E.g., /24 for 256 IP addresses
17. Click add gateway subnet:
Starting IP – Enter the first IP for the gateway subnet. E.g., 10.10.201.0
CIDR (ADDRESS COUNT) – Select the subnet mask from the list. E.g., /29 for 8 IP addresses
18. Click OK.
The Azure Virtual Network you have just created is now listed in the NETWORK menu in the Azure management interface.
6. Select Static Routing from the list. Creating the gateway will take a couple of minutes.
When the color of the gateway turns blue, the gateway has been successfully created. The Gateway IP is now displayed below the VPN Gateway
image.
6. Click Save.
If you do not have the VPN-SITE-2-SITE access rule, you must create an access rule that allows traffic from your local network to the Azure subnet.
Your X-Series Firewall will now automatically connect to the Azure VPN Gateway.
On the VPN > Settings page of both X-Series Firewalls, verify that you selected a valid VPN certificate. For more information, see Certificate
Manager.
Step 1. Enable VPN Listener on the Dynamic IP Address of the Active Peer
On the X-Series Firewall at Location 1, enable Use Dynamic IPs in the GLOBAL SERVER SETTINGS of the VPN > Settings page for the VPN
service to listen on all IP addresses.
Configure the X-Series Firewall at Location 1 with the dynamic WAN IP as the active peer.
Configure the X-Series Firewall at Location 2, with the static WAN IP, as the passive peer. Use 0.0.0.0/0 as the IP address for the remote gateway to allow the Location 1 unit to connect from any dynamic WAN IP address. Because the passive peer then accepts the tunnel from any address, it relies on the VPN certificate alone to identify the active peer; make sure a valid certificate is selected on both units.
Remote and local subnets are automatically added to the VPN-Local-Networks and VPN-Remote-Networks network objects when saving the
Site-to-Site VPN configuration. If not present, go to FIREWALL > Network Objects and create these network objects. For more information, see
Network Objects.
Create PASS access rules on both Location 1 and Location 2 X-Series Firewalls to allow traffic in and out of the VPN tunnel.
Use ping to verify that network traffic is passing the VPN tunnel. Open the console of your operating system and ping a host within the remote
network. If no host is available, you can ping the management IP address of the remote X-Series Firewall. Go to the NETWORK > IP
Configuration page and ensure that Services to Allow: Ping is enabled for the management IP address of the remote firewall.
If network traffic is not passing the VPN tunnel, go to the BASIC > Recent Connections page and ensure that network traffic is not blocked by
any other access rule.
Verify that at least one static interface configuration or the management IP address is part of the local published network you want to use
for the site-to-site VPN tunnel.
Go to NETWORK > Routing and verify that the VPN routes for the remote published networks will not break your existing routing
configuration.
Configure a site-to-site VPN tunnel. At least one local published network must be directly attached to the firewall and configured as a static network interface or as the management network.
For more information, see How to Configure a Site-to-Site VPN with IPsec or Example - Configuring a Site-to-Site IPsec VPN Tunnel.
Step 2. Change VPN settings to add VPN routes to main routing table
In expert mode, switch from the default source-based routing to adding the VPN routes to the main routing table.
Replacing VPN source-based routing without a proper migration plan may break your current setup and cause loss of connectivity.
VPN routes are always added with the metric set to 10.
Go to NETWORK > Routing and verify that the VPN routes are now in the main routing table:
Configure the external authentication server. Click Test Connection to verify that the firewall can connect to the remote authentication server
through the site-to-site VPN.
You can configure VPN connections to use a dynamically assigned WAN IP address on the Barracuda NextGen Firewall X-Series. In the VPN
settings, enable use of dynamic IP addresses. Then configure an access rule that redirects VPN traffic to the VPN server.
1. On the VPN > VPN Settings page, in the Global Server Settings section, verify that Use Dynamic IPs is set to Yes.
2. If you want to make your VPN available through a DNS hostname, you can register the hostname with http://dyn.com/dns . For more
information, see How to Configure a DHCP Connection.
Step 2. Create an Access Rule to Redirect VPN Traffic to the VPN Server
Create a new access rule that redirects the VPN traffic to the VPN server to establish the tunnel:
The Barracuda NextGen X-Series SSL VPN is ideal for giving remote users secure access to their organization's network and files from virtually
any device. With its web portal, the SSL VPN provides seamless service without the need to install and configure a full VPN client. The number of
simultaneous users using the SSL VPN is limited only by the hardware limitations of the firewall.
Licensing
Most modern browsers have removed support for browser Java plugins. For SSL tunnels and applications, this functionality previously
handled by browser-based applets is now covered by CudaLaunch. A Remote Access Premium subscription is required.
The following subscriptions are required to use SSL VPN in the X-Series Firewall:
You can access the Barracuda SSL VPN web portal with any modern browser. Depending on the resource type you want to use, the client must
meet the following requirements:
For more information on authentication and basic setup, see How to Enable SSL VPN and CudaLaunch.
Web Forwards
Web forwards make internal web applications accessible through the SSL VPN web portal. This means that web servers do not have to be
outside of your corporate firewall. Since all communication is secured with SSL, additional encryption or authentication routines are not required
for the site. For web applications requiring the user to authenticate, you can configure the necessary single sign-on authentication information.
Configuration templates for frequently used services such as Outlook Web Access or SharePoint are kept up-to-date through the Energize
Updates subscription.
Attributes
Attributes are placeholder variables used in web forwards. Session attributes are automatically filled in by the Barracuda NextGen Firewall
X-Series. User attributes are created by the admin and filled in by the end users themselves in the web portal. Attributes are used to personalize
web forwards or to configure single sign-on authentication. Session attributes are used if the user credentials are the same for the web forward
and the SSL VPN. If the user credentials do not match, user attributes are used.
SSL Tunnels
SSL tunnels are used to tunnel TCP connections for client/server applications protected by your X-Series Firewall. The tunnel is created by
Network Places
Network places provide remote users with a secure web interface to access corporate SMB network file shares. With appropriate permissions,
users can browse network shares, rename, delete, retrieve, and upload files just as if they were connected in the office. Clients can connect to
SMB1 and SMB2 shares, but must be able to negotiate a CIFS session. To use a network place resource, a Java browser plugin is required on
the client.
Applications
For resources requiring local applications on the client, you can configure application resources on the NextGen X-Series SSL VPN. Client
application tunneling provides predefined and custom client/server protocols with an SSL-encrypted tunnel to the internal resource. Similar to web
forwards, tunneling is employed when you need protocols on your desktop or mobile device to access your organization's network.
For more information, see How to Configure SSL VPN Applications for RDP.
CudaLaunch provides mobile users secure remote access to your organization's applications and data. CudaLaunch is available for iOS and
Android devices via the Apple App Store or Google Play Store. Desktop portal access is not supported for the Barracuda NextGen X-Series SSL
VPN. To use CudaLaunch, you must have a remote access subscription. For testing purposes, one concurrent SSL VPN and CudaLaunch
connection is included in the base license.
Barracuda NextGen X-Series SSL VPN provides full device VPN for CudaLaunch clients. Create a client-to-site configuration and a VPN template
resource in the SSL VPN in order to push the configuration to the mobile devices. By default, the first VPN template is used to connect to the
VPN service. Due to differences in the mobile operating systems, the Android version of CudaLaunch uses the Barracuda VPN client, whereas
CudaLaunch on iOS manages the built-in iOS IPsec client.
For more information, see How to Configure VPN Templates in the SSL VPN.
If you are running a VPN server on the same public IP address, go to VPN > Settings and verify that Use TCP Port 443 is set to No.
Verify that you are not using DNAT access rules to redirect HTTPS traffic on the same public IP that the SSL VPN is using.
When you enable the SSL VPN portal, determine if you are using a static, dynamic, or secondary IP address for the portal. Typically, the SSL
VPN portal is deployed on a static public IP address with a respective DNS A resource record. The portal can also use a secondary IP address
for internal access.
Static IP address
4. Click Save.
Secondary IP address
Typically, a secondary IP address is used to provide the SSL VPN portal on internal network segments.
To use a dynamic interface to access the SSL VPN portals, redirect incoming HTTPS traffic to the SSL VPN service.
End users must authenticate themselves before they can access internal resources and applications via SSL VPN. You can manage user
authentication either locally on the firewall or externally with Active Directory, LDAP, or RADIUS. For instructions on how to configure local or
external user authentication, see Managing Users and Groups.
1. Go to the VPN > SSL VPN page and click the Server Settings tab.
2. In the Authentication section, select the method from the User Authentication list.
3. (optional) To restrict SSL VPN access by user group:
a. Set Group Access Restrictions to Yes.
b. Enter the user groups that can access the SSL VPN in the Allowed Groups list, and click + after each entry. Use question
marks (?) and asterisks (*) as wildcard characters.
c. Enter the user groups that are denied access to the SSL VPN in the Blocked Groups list, and click + after each entry.
4. Click Save.
Configure the SSL VPN web portal, enable CudaLaunch, and configure general and appearance settings.
1. Go to the VPN > SSL VPN page and click the Server Settings tab.
2. To provide users access via CudaLaunch, set Enable CudaLaunch to Yes.
3. Set Enforce Strong Ciphers to Yes unless you require backward compatibility with SSLv3-only clients.
4. Set Allow SSLv3 to No. SSLv3 is considered unsafe.
5. In the Appearance section, customize the SSL VPN portal by uploading your company's logo, and welcome and help texts.
Only ASCII characters are allowed in the Welcome Message and Help Text fields.
6. Click Save.
It is recommended to install a CA-trusted SSL certificate for the SSL VPN on the X-Series Firewall, so that web browsers do not issue an SSL
warning to end users when they access the portal. By default, the Web UI certificate is used.
Next steps
After you enable and configure the SSL VPN, end users can access the portal in their web browsers. Configure your DNS server or service to
resolve sslvpn.<yourdomain> to the public IP address of your firewall. End users can then access the portal page by opening https://sslvpn.<yourdomain>/.
To add resources for your end users to the SSL VPN portal, see:
Configure the SSL VPN service. For more information, see How to Enable SSL VPN and CudaLaunch.
On the VPN > Settings page, in the Global Server Settings section, verify that Use TCP Port 443 is set to No.
Create a Redirect to Service access rule that redirects incoming VPN connections on the dynamic interface to the SSL VPN service:
3. Click Save.
4. Drag and drop the access rule so that it is the first rule that matches the traffic you want to forward.
5. Click Save.
End users can now access the SSL VPN portal page via the DynDNS hostname by opening https://sslvpn.<yourdomain>/.
The SSL VPN service includes web portals for both mobile and desktop devices. The responsive web interface automatically adapts its layout to
the screen resolution and screen orientation. SSL VPN features requiring an SSL tunnel are not available via the web interface.
For more information, see SSL VPN Web Portal User Guide and SSL VPN Supported Devices.
CudaLaunch
The following mobile operating systems are supported by CudaLaunch and the SSL VPN web portal. For more information on mobile browsers,
see the compatible browser list.
Windows 10 Mobile
Both JavaScript and cookies must be enabled on your device to use the SSL VPN web portal.
The web portal arranges all available web resources into the following tabs, accessible via the interface service bar:
1. In your web browser, go to https://<Listening IP address or hostname used for the SSL VPN service>.
2. Enter your username and password.
3. Click Log in.
You can change the display language for your SSL VPN web portal on the Settings page. To do so, click on the options icon on the top left and
select Settings.
Launching resources
The Apps tab contains all web resources. To launch a resource from the Apps screen, click the icon associated with it.
The web resource launches, and you are redirected to the application page.
Click the Apps, Folders, or Favorites tab to access the web resources. To search for a specific item, type the name of the item in the search
field with the magnifying glass icon.
On the Favorites page, you can store web resource shortcuts for easier access. Click the Favorites tab. To add a web resource to the favorites,
click the + icon.
Select the item you want to add from the list, and click the checkmark icon. The resource you have added is now visible under the Favorites tab.
To remove a resource from the favorites list, click the Favorites tab and then click the trash can symbol.
User attributes are user-specific placeholder values used for web forwards. User attributes can be filled/changed in the options menu. When a
Logging off
To log out of the SSL VPN web portal, expand the options menu on the top left, and then select Log Out.
Frequently used proxied web forwards, such as Outlook Web Access or SharePoint, are available as templates. Templates contain all the
necessary configurations for the application and query the user for the required settings. By default, templates are configured to use the session
username and password to log in.
For more information, see How to Configure an Outlook Web Access Web Forward and How to Configure a SharePoint Web Forward.
Generic proxied web forwards are used either when a manual rewrite configuration is required, or when a template does not exist for the service.
A simple setup creates a reverse proxy for the service. The data stream is not modified. For advanced configurations, you can configure
additional paths, custom replacements, and headers. For services requiring authentication, a single sign-on configuration is possible.
A tunneled web forward uses an SSL tunnel established by CudaLaunch to connect to a web server behind the firewall. The user's browser
connects to a localhost address (e.g., http://localhost:5678). A direct connection to the resource located behind the SSL VPN is then
established through the SSL tunnel. This type of web forward only works as long as all links stay on the same destination host; it does not modify
the data stream. If the destination site uses multiple domains, or sub-domains, use a proxied generic Web forward instead.
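The loopback mechanism of a tunneled web forward, as an added example that is not CudaLaunch or Barracuda code: a listener is bound to 127.0.0.1 on the client loopback TCP port (0 meaning "pick any free port"), and every browser connection to it is relayed byte for byte to the web server host. In the product the far leg runs inside the SSL tunnel to the firewall; here it is a plain socket to a constructed echo server so the example runs offline, and the security point it demonstrates is that the forwarder must bind to the loopback address only, never to 0.0.0.0, so other hosts cannot ride the user's tunnel.

```python
"""Minimal client-side loopback forwarder in the spirit of a tunneled web
forward. Added example, not CudaLaunch code: the far leg is a plain TCP socket
instead of the SSL tunnel, and the upstream is a constructed echo server."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_loopback_forward(target_host: str, target_port: int, loopback_port: int = 0):
    """Listen on 127.0.0.1 only (never 0.0.0.0) and relay each accepted
    connection to target_host:target_port. Returns (listener, chosen port);
    loopback_port=0 lets the OS choose, like the portal's default of 0."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", loopback_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:          # listener closed: stop forwarding
                return
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the internal web server: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(payload: bytes) -> bytes:
    """Send payload through the loopback forwarder and return what comes back."""
    srv, srv_port = start_echo_server()
    listener, lb_port = start_loopback_forward("127.0.0.1", srv_port)
    try:
        with socket.create_connection(("127.0.0.1", lb_port)) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            chunks = []
            while (chunk := s.recv(4096)):
                chunks.append(chunk)
            return b"".join(chunks)
    finally:
        listener.close()
        srv.close()
```

Because the forwarder only relays bytes, absolute links in the returned pages still point at the real host, which is exactly why the text recommends a proxied web forward when the destination site spans several hosts.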
Web services published through SSL VPN web forwards often require the user to sign in. You can use session or user attributes as placeholders
to configure single sign-on. Session attributes contain the username and password used to log in to the SSL VPN service. If the credentials for
the web forward differ, configure user attributes. When users access the web forward for the first time, they are prompted to fill in the username
and password. Subsequent changes can be made in the SSL VPN web portal or via CudaLaunch.
For more information, see How to Configure Single Sign-On for Web Forwards.
Enable and configure SSL VPN on the firewall. For more information, see How to Enable SSL VPN and CudaLaunch.
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. In the Web Forwards section, click Add Web Forward.
3. In the Add Web Forward window, set Enable to Yes.
4. (optional) Click Browse to upload a PNG file for the web portal, less than 30 kB and not larger than 80x80 pixels.
5. Select the OWA template matching your Exchange server from the Web Forward Template drop-down list. A pop-up window appears,
asking for the server name.
6. Enter the FQDN, hostname, or IP address for your Microsoft Exchange server, and click OK.
7. (OWA 2003 only) Enter the Single Sign-On (SSO) domain for your Exchange server, and click OK.
8. In the Name field, enter the visible name for the web forward. This is the name displayed for the user in the web portals and
CudaLaunch.
9. (optional) In the Allowed Hosts list, add all servers that must be proxied by the SSL VPN when accessing this web forward. Enter Name, Root URL, and Launch Path in the Allowed Hosts section, and click +.
10. (optional) To restrict access to the web forward by user group, remove the * entry in the Allowed User Groups list. Enter the user
groups that can access the web forward, and click + after each entry. If no groups are added, the web forward cannot be accessed. Use
question marks (?) and asterisks (*) as wildcard characters.
11. (optional) In the Single Sign On section, change the session attribute for user attributes to enable SSO if your OWA username and
password differ from the session username and password. For more information on how to create user attributes, see How to Use and
Create Attributes.
12. Click Save.
Enable and configure SSL VPN on the firewall. For more information, see How to Enable SSL VPN and CudaLaunch.
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. In the Web Forwards section, click Add Web Forward.
3. In the Add Web Forward window, set Enable to Yes.
4. (optional) Click Browse to upload a PNG file for the web portal, less than 30 kB and not bigger than 80x80 pixels.
5. Select the Sharepoint template matching your SharePoint server from the Web Forward Template drop-down list. A pop-up window
appears, asking for the server name.
6. Enter the hostname or FQDN of your SharePoint server and click OK.
7. Enter the Single Sign-On (SSO) domain for your SharePoint server and click OK.
8. In the Name field, enter the visible name for the web forward. This is the name used in the SSL VPN portal for this web forward.
9. (optional) In the Allowed Hosts list, add all servers that must be proxied by the SSL VPN when accessing this web forward. Enter Name, Root URL, and Launch Path in the Allowed Hosts section, and click +.
10. (optional) To restrict access to the web forward by user group, remove the * entry in the Allowed User Groups list. Enter the user
groups that can access the web forward, and click + after each entry. If no groups are added, the web forward cannot be accessed. Use
question marks (?) and asterisks (*) as wildcard characters.
11. (optional) In the Single Sign On section, change the session attribute for user attributes to enable SSO if your SharePoint username and
password differ from the session username and password. For more information on how to create user attributes, see How to Use and
Create Attributes
12. Click Save.
Enable and configure SSL VPN on the firewall. For more information, see How to Enable SSL VPN and CudaLaunch.
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. In the Web Forwards section, click Add Web Forward.
3. In the Add Web Forward window, set Enable to Yes.
4. (optional) Click Browse to upload a PNG file for the web portal, less than 30 kB and not larger than 80x80 pixels.
5. Select Generic from the Web Resource Template drop-down list.
For Outlook Web Access and SharePoint web forwards, see How to Configure an Outlook Web Access Web Forward and How to Configure a SharePoint Web Forward.
6. In the Name field, enter the visible name for the web forward. This is the name used in the SSL VPN portal for this web forward.
7. Enter the Root URL of the web server in the following format: Protocol type (http:// or https://) followed by the FQDN or IP
address of the web server. For example, http://your.domain.com/ or https://10.10.10.10/
8. Enter the Launch Path in the following format: "/" followed by the path and file name you want to request when starting the Web
Forward. You can also include user or session attributes in the launch URL. For more information on Attributes, see How to Use and
Create Attributes.
Example: /wiki/${session:username} or /lunchmenu/${user:location}/index.php
9. (optional) In the Allowed Hosts list, add all servers that must be proxied by the SSL VPN when accessing this web forward. Enter Name, Root URL, and Launch Path in the Allowed Hosts section, and click +.
10. In the Custom Headers section, define rules to replace or remove header values for either requests, responses, or both.
11. (optional) To restrict access to the web forward by user group, remove the * entry in the Allowed User Groups list. Enter the user
groups that can access the web forward, and click + after each entry. If no groups are added, the web forward cannot be accessed. Use
question marks (?) and asterisks (*) as wildcard characters.
12. (optional) In the Single Sign On section, change the session attribute for user attributes to enable SSO if username and password differ
from the session credentials. For more information on how to create user attributes, see How to Use and Create Attributes.
13. Click Save.
Enable the SSL VPN service and CudaLaunch. For more information, see How to Enable SSL VPN and CudaLaunch.
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. In the Web Forwards section, click Add Tunneled Web Forward.
3. In the Add Web Forward window, set Enable to Yes.
4. (optional) Click Browse to upload a PNG file for the web portal, less than 30 kB and not larger than 80x80 pixels.
5. In the Name field, enter the visible name for the web forward. This is the name used in the SSL VPN portal for this web forward.
6. Enter the IP address or hostname of the Web Server Host.
7. Enter the port the Web Server Host listens on.
8. In the Client Loopback TCP Port field, enter the client loopback TCP port number for the tunnel to enable tunneling of application data
to the user's localhost IP address 127.0.0.1:7000. To use a random port, enter 0 (default).
9. Select the type of the tunnel from the Protocol drop-down list.
10. (optional) To restrict access to the web forward by user group, remove the * entry in the Allowed User Groups list. Enter the user
groups that can access the web forward, and click + after each entry. If no groups are added, the web forward cannot be accessed. Use
question marks (?) and asterisks (*) as wildcard characters.
11. Click Save.
HTTP Authentication
Form-Based Authentication
HTTP authentication
HTTP authentication is a basic method for authenticating users. An HTTP authentication header is sent with the page, and the browser then prompts the user for a username and password. HTTP authentication is supported in three variants: basic, digest, and NTLM authentication. The authentication type is automatically detected by the Barracuda NextGen Firewall X-Series. To automatically log into web forwards using HTTP authentication, you can use static user credentials or user attributes. User attributes can either be the session username or password, or custom values that are configurable by the end user.
Form-based authentication
Form-based authentication is used when the login credentials are entered on an HTML page. Open the source of the page and look at the HTML code between the <form> and </form> tags. The X-Series Firewall can automatically log users into web forwards. The form-based authentication type is determined by the HTML source of the login page.
POST
POST is the most common form submission type. Set the type to POST if the method attribute is set to POST. If the form contains unique or random hidden <input> elements, use JavaScript instead of POST as the form type. To find out which elements must be filled in, inspect the form submission process with a tool such as HTTPWatch or Fiddler. Create a Form Parameter for every parameter submitted by the form. When using POST, set the Launch Path to the destination of the action attribute of the <form> element, e.g., /somedir/index2.html in the example below.
Example (HTTPWatch capture of the form submission):
To use the custom attributes username and password, create the following two Form Parameter entries in the web resource
configuration:
name=${user:AnUserAttribute}
password=${user:AnUserAttribute}
secret="666"
JavaScript
Forms using random or unique hidden input elements must use the JavaScript authentication type. After waiting for a configurable amount of time
to make sure the page has finished loading, the X-Series Firewall injects a small JavaScript script into the HTML page. This script fills in the
Example (HTTPWatch capture of the form submission):
To use the session username and password, create the following two form parameter entries in the web resource configuration:
name=${session:username}
password=${session:password}
submit="doLogin"
GET
Set the form type to GET if the method attribute of the form element in the HTML source is set to GET. Determine which form parameters you
must fill in to complete a successful login by looking at the parameters appended to the URL after you have logged in. These form parameters are
then replaced by either session/custom user attributes or static user credentials.
Example (URL after login):
/test/index.php?name=John&destination=Rome&secret=666&submit=Submit
To use the session username and password, create the following two form parameter entries in the web resource configuration:
name=${session.username}
password=${session.password}
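The procedure described above (determine the form type from the login page's HTML, pick the Launch Path and Form Name, list the inputs that become Form Parameters, and fill ${session:...}/${user:...} placeholders at launch time), as an added Python example that is not Barracuda's code. The login page, the rule that a hidden input with a value counts as a unique token, and the accepted input types are this example's own assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample login page; not taken from the documentation. The form
# POSTs to /somedir/index.php and carries a hidden per-request token, which
# is the case the text says must use the JavaScript form type.
SAMPLE_LOGIN_HTML = """
<html><body>
<form action="/somedir/index.php" name="testform" method="POST">
  <input type="text" name="name">
  <input type="password" name="password">
  <input type="checkbox" name="rememberme" value="on">
  <input type="hidden" name="csrf_token" value="3f9a0c77">
  <input type="submit" name="submit" value="doLogin">
</form>
</body></html>
"""

# Input types the end user types into. With the JavaScript form type only
# these become Form Parameters; with POST/GET every <input> does.
USER_INPUT_TYPES = {"text", "password", "email", "tel", "number"}


class _FormParser(HTMLParser):
    """Collect the attributes of the first <form> and the <input>s inside it."""

    def __init__(self):
        super().__init__()
        self.form = None
        self.inputs = []
        self._inside = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form" and self.form is None:
            self.form, self._inside = attrs, True
        elif tag == "input" and self._inside:
            self.inputs.append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._inside = False


def classify_login_form(html):
    """Derive the web forward settings from the HTML source of a login page.

    Returns the Form Type (GET, POST or JavaScript), the Launch Path (the
    form's action, which POST needs), the Form Name (which JavaScript needs)
    and the <input> names to add as Form Parameters.
    """
    parser = _FormParser()
    parser.feed(html)
    if parser.form is None:
        raise ValueError("login page contains no <form> element")
    method = parser.form.get("method", "get").upper()
    # Assumption: a hidden input that carries a value is treated as a
    # unique/random token, so a POST form with one goes to JavaScript.
    has_token = any(i.get("type", "").lower() == "hidden" and i.get("value")
                    for i in parser.inputs)
    if method == "POST":
        form_type = "JavaScript" if has_token else "POST"
    else:
        form_type = "GET"
    if form_type == "JavaScript":
        names = [i["name"] for i in parser.inputs if i.get("name")
                 and i.get("type", "text").lower() in USER_INPUT_TYPES]
    else:
        names = [i["name"] for i in parser.inputs if i.get("name")]
    return {"form_type": form_type,
            "launch_path": parser.form.get("action", "/"),
            "form_name": parser.form.get("name", ""),
            "parameters": names}


# ${session:username}, ${user:location}; the '.' spelling that also appears
# in the documentation is accepted as well.
_ATTR = re.compile(r"\$\{(session|user)[:.]([A-Za-z0-9_]+)\}")


def expand_attributes(template, session, user_attrs):
    """Fill the attribute placeholders of a Launch Path or Form Parameter.

    An attribute the user has not set raises KeyError, so the raw placeholder
    is never forwarded to the backend as if it were a credential.
    """
    def repl(match):
        scope, name = match.groups()
        source = session if scope == "session" else user_attrs
        if name not in source:
            raise KeyError(f"{scope} attribute {name!r} is not set")
        return source[name]
    return _ATTR.sub(repl, template)
```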
Analyze the HTML source to determine the form type (POST, GET or JavaScript).
Create user attributes if you need to use different login credentials from the SSL VPN portal username and password, or additional user
configurable parameters to complete the login. User attributes are filled in by the end user in the web portal of the SSL VPN service.
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. Under the Applications section, click Show Advanced Options. The User Attributes section appears.
3. Click Add User Attribute.
4. Configure the following settings for each user attribute:
Format – Select the type of user attribute. Possible values are: Text, Number, and Password.
Name – Enter the name of the user attribute.
Label – Enter the name visible to the end user.
Description – Enter a description of the attribute.
Default – If the attribute should be set to default value, enter the value here.
Category – Enter a category name. User attributes will be grouped by category in the web portal.
Weight – Enter a value. Attributes are sorted within a category according to their weight.
Validator – Enter a regular expression to validate the input.
Regular expression examples:
4-digit PIN number – [0-9]{4}
URL – (https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?
IPv4 address – (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
5. Click Save.
Add authentication information to a web forward to automatically log the user in to the web application using the session user credentials or
custom user attributes.
FORM authentication
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. Edit a generic web forward.
3. (POST authentication only) Change the Launch Path to the path set in the action attribute of the form element. E.g., /somedir/index.php if the form element is <form action="/somedir/index.php" name="testform" method="POST">
4. Set the Authentication Type to HTTP or FORM.
5. Set the Form Type to GET, POST or JavaScript.
6. (JavaScript only) Enter the Form Name. E.g., testform if the form element is <form action="/somedir/index.php" name="testform" method="POST">
7. (JavaScript only) Enter the Timeout(s) in seconds. This is the amount of the time the firewall waits before injecting the JavaScript code
into the page. Default: 5 sec.
8. Enter the Form Parameters and click + to add an entry.
POST and GET Form Type – Add an entry for every <input> element in the login form.
JavaScript Form Type – Add entries for the <input> elements the user enters data into.
name=${session.username}
password=${session.password}
rememberme="on"
secret="666"
name=${session.username}
password=${session.password}
9. Click Save.
HTTP authentication
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. Edit a generic web forward.
3. (POST authentication only) Change the Launch Path to the path set in the action attribute of the form element. E.g., /somedir/index.php if the form element is <form action="/somedir/index.php" name="testform" method="GET">
4. Set the Authentication Type to HTTP Authorization Headers.
5. Enter the Username. You can enter static content, e.g., johndoe, or use an attribute, e.g., ${userAttribute.SpecialUser} or ${session.username}.
6. Enter the Password. You can enter static content, e.g., johndoe, or use an attribute, e.g., ${userAttribute.SpecialUser} or ${session.username}.
7. Click Save.
RDP Applications
When accessing an RDP application via CudaLaunch, an SSL tunnel is created that connects your client with the SSL VPN service. Then, the
RDP client automatically launches and connects.
For more information, see How to Configure SSL VPN Applications for RDP.
Enable the SSL VPN service and CudaLaunch. For more information, see How to Enable SSL VPN and CudaLaunch.
Create an application resource to give your end users direct access to an internal application. Application tunneling allows tunneling of application
data to the user’s localhost IP address.
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. In the Applications section, click Add Application.
3. In the Add Application window, set Enable to Yes.
4. (optional) Click Browse to upload a PNG file for the web portal, less than 30 kB and not larger than 80x80 pixels.
5. Enter the visible Name. This is the name used in the web portal for this application.
6. In the Target Server field, enter the IP address of the server hosting the application.
7. From the Application drop-down list, select the protocol that the target server is providing.
8. (optional) To override the application’s standard port, enable Port Override and specify the Port to be used instead of the application’s
standard port.
9. To enable tunneling of application data to the user’s localhost IP address 127.0.0.1:7000, enter the Client Loopback TCP Port number
for the application tunnel. To use a random port, enter 0 (default).
10. (optional) To restrict access to the application by user group, remove the * entry in the Allowed User Groups list. Enter the user groups
that can access the application, and click + after each entry. If no groups are added, the application will not be accessible by any users.
You can use question marks (?) and asterisks (*) as wildcard characters.
11. Click Save.
1. Start CudaLaunch.
2. In the Apps tab, click on the configured app.
The native RDP client starts automatically and connects to the remote Windows server.
Enable the SSL VPN service and CudaLaunch. For more information, see How to Enable SSL VPN and CudaLaunch.
SSL tunnels
Configure a resource containing one or more SSL tunnels that forward the TCP traffic of the remote service. Access to tunnel resources can be
limited via the user groups.
Tunnels in CudaLaunch
Tunnels are available only in CudaLaunch. To enable or disable the tunnel, go to the Tunnels tab and click the tunnel icon. The gray or green
status icon shows the state of the tunnel.
State (icon):
Tunnel inactive
Tunnel active
Network places are available for the web portal only. To use a network place resource, a Java browser plugin is required on the client.
SMB – Connects to SMB1 and SMB2 shares; the share must be able to negotiate a CIFS session.
Enable the SSL VPN service. For more information, see How to Enable SSL VPN and CudaLaunch.
Create a network place resource to let your users access internal SMB network shares.
8. (optional) To restrict access to the web forward by user group, remove the * entry in the Allowed User Groups list. Enter the user
groups that can access the web forward, and click + after each entry. If no groups are added, the web forward cannot be accessed. Use
question marks (?) and asterisks (*) as wildcard characters.
9. Click Save.
Session attributes
${session:username} – This session attribute contains the username used to log into the SSL VPN.
${session:password} – This session attribute contains the password used to log into the SSL VPN.
User attributes
You can create user attributes that are filled in by the end user in the web portal or CudaLaunch. User attributes are used when different
usernames or personalized variables are needed. To enter a user attribute in the web forward configuration, use the following format:
${user:user_attribute_name}
1. Go to the VPN > SSL VPN page and click the Resources tab.
2. Under the Applications section, click Show Advanced Options. The User Attributes section appears.
3. Click Add User Attribute.
4. Configure the following settings for each user attribute:
Format – Select the type of user attribute. Possible values are: Text, Number, and Password.
Name – Enter the name of the user attribute.
Label – Enter the name visible to the end user.
Description – Enter a description of the attribute.
Default – If the attribute should be set to default value, enter the value here.
Category – Enter a category name. User attributes will be grouped by category in the web portal.
Weight – Enter a value. Attributes are sorted within a category according to their weight.
Validator – Enter a regular expression to validate the input.
Regular expression examples:
4-digit PIN number – [0-9]{4}
URL – (https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?
IPv4 address – (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
5. Click Save.
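The three Validator expressions given above (and in the identical user-attribute procedure of the web forward authentication article) run against constructed sample values, as an added Python example that is not Barracuda's code. It checks each value once anchored to the whole input and once unanchored, which shows why a validator such as [0-9]{4} should be anchored, and that the URL example accepts http://your.domain.com/ but rejects the https://10.10.10.10/ form of Root URL used elsewhere in this guide. Whether the firewall anchors the expression itself is not stated here and is treated as an assumption.

```python
import re

# The three validator examples from the documentation, verbatim.
VALIDATORS = {
    "pin": r"[0-9]{4}",
    "url": r"(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?",
    "ipv4": (r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
             r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"),
}


def anchored(pattern):
    """Wrap a validator so it can only match the whole value.

    Assumption: the documentation does not say whether the firewall applies
    the expression to the complete input; ^(?:...)$ makes that explicit.
    """
    return rf"^(?:{pattern})$"


def validate(name, value, whole_value=True):
    """Check a user attribute value against one of the example validators.

    whole_value=True requires the complete value to match; False reports a
    match anywhere inside the value, which is what an unanchored validator
    would accept.
    """
    pattern = anchored(VALIDATORS[name]) if whole_value else VALIDATORS[name]
    return re.search(pattern, value) is not None


# Constructed sample inputs per validator (not from the documentation,
# except the two Root URL forms, which the web forward procedure uses).
SAMPLES = {
    "pin": ["1234", "12345", "pin1234"],
    "ipv4": ["192.168.1.10", "999.1.2.3", "10.0.0"],
    "url": ["http://your.domain.com/", "https://10.10.10.10/"],
}


def review(name):
    """Return {value: (whole_value_result, anywhere_result)} for a validator.

    A (False, True) pair marks a value that slips through only when the
    expression is not anchored.
    """
    return {v: (validate(name, v, True), validate(name, v, False))
            for v in SAMPLES[name]}
```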
When a web resource is launched that uses user attributes that have not been filled in yet, the user is prompted to enter the values. Alternatively,
user attributes can also be entered in the Settings menu of the web portals or CudaLaunch.
Enable and configure SSL VPN on the firewall. For more information, see How to Enable SSL VPN and CudaLaunch.
1. Go to the VPN > SSL VPN page and click the NAC tab.
2. Set Enable NAC to Yes.
3. For each parameter, select the versions that should be blocked. Select None to not block according to this criterion.
4. (optional) Configure NAC exceptions to block or deny an entire category.
5. (optional) In the Exceptions section, click Add NAC Exceptions. The Add NAC Exceptions window opens.
a. Enter a Name for the exception.
b. Select the Access policy.
c. Select the exception Type. The subtype for the selected Type is displayed. For example, the mobile browser type if you
selected Mobile Browser as the Exception Type.
d. Select the Subtype and Version for the exception type you previously selected.
e. Click Save.
6. Click Save.
All users accessing the SSL VPN web portals must now conform to the requirements set in the NAC block list. When a user logs in with a device
that fails one or more of the server-side NAC checks, the following block pages are displayed:
Check the sslvpn log file to find out which NAC block rule caused the user to be rejected. For more information, see Viewing Logs.
7. Click Save.
The VPN template can now be used to self-provision your user's Windows, macOS, and iOS devices via the web portal as well as full device VPN
in the CudaLaunch mobile app.
Use CudaLaunch to automatically push and manage VPN profiles on iOS devices. For more information, see CudaLaunch.
The Barracuda NextGen Firewall X-Series SSL VPN portal allows users to automatically install VPN configurations on their iOS device by clicking
the provisioning link.
Configure the VPN access policy in the client-to-site VPN settings. For more information, see How to Configure VPN Templates in the
SSL VPN.
Self-service IPsec VPN provisioning
Use the provisioning link of the mobile portal to install the VPN configuration:
1. Log into the SSL VPN web portal with your iOS device.
2. Go to My Options and tap Settings.
5. Click Install.
9. Click Done.
You can now connect to the IPsec VPN on your iOS device.
After you have installed the IPsec VPN configuration, your iOS device can connect to the Barracuda NextGen Firewall X-Series via IPsec VPN.
1. From the home screen of your iOS device, go to Settings and tap General.
2. Tap VPN.
3. Set the VPN slider to ON. The iOS device initiates the VPN connection.
When the VPN connection is established successfully, the VPN icon is displayed in the status bar.
Use CudaLaunch to automatically push and manage VPN profiles on macOS devices. For more information, see CudaLaunch.
The Barracuda NextGen Firewall X-Series SSL VPN portal allows users to automatically install VPN configurations on their macOS device by
downloading the VPN group policy.
Configure the VPN access policy in the client-to-site VPN settings. For more information, see How to Configure VPN Templates in the
SSL VPN.
(optional) Install the Barracuda VPN client for macOS. For more information, see Installing the Barracuda VPN Client for macOS.
3. Click Downloads.
4. In the VPN Configurations section, click the download icon for the VPN group policy.
5. Double-click the VPN file. The Barracuda VPN client starts and automatically imports the configuration.
6. Click Save.
4. In the VPN Configurations section, click the download icon for the VPN group policy.
5. Click Install.
Use CudaLaunch to automatically push and manage VPN profiles on Windows devices. For more information, see CudaLaunch.
The Barracuda NextGen Firewall X-Series SSL VPN portal allows users to automatically install VPN configurations on their Windows device by downloading the VPN group policy.
Configure the VPN access policy in the client-to-site VPN settings. For more information, see How to Configure VPN Templates in the
SSL VPN.
3. Click Downloads.
4. In the VPN Configurations section, click the download icon for the VPN group policy.
5. Verify that you are opening the VPN template with the Barracuda NAC Remote Management Tool and click Open.
Barracuda Cloud Control is a comprehensive cloud-based service that lets you monitor and configure multiple Barracuda products from a single
console. When your X-Series Firewall is linked to Barracuda Cloud Control, it continuously synchronizes its configuration settings with the
service.
For more information on Barracuda Cloud Control, see Barracuda Cloud Control and How to Connect to Barracuda Cloud Control.
Barracuda Web Security Service is a cloud-based web filtering and security service. It helps conserve bandwidth by enforcing web policies in the
cloud before forwarding traffic to the X-Series Firewall.
For more information on the Barracuda Web Security Service, see Barracuda Web Security Service and How to Configure the Barracuda Web
Security Service.
You can configure the Barracuda NextGen Firewall X-Series to act as a transparent proxy. If you enable the proxy feature, outgoing HTTP traffic
is intercepted and redirected to either the Barracuda Web Security Service or to an upstream proxy (the latter option is rarely used).
The Barracuda Web Security Service requires a paid subscription. To verify that your subscription is active:
1. On the NETWORK > Proxy page, select Use Barracuda Web Security Service if connected (recommended) .
2. To include the user and domain name if available, select the Include User Information check box.
For local users, this information is retrieved from the Barracuda DC agent. For information on how to get, install, and configure
the Barracuda DC Agent, see About the Barracuda DC Agent.
For VPN users, the information comes from whatever authentication method is used.
To change this selection later, you must disable and then re-enable the Barracuda Web Security Service so that it registers your
change.
3. To redirect HTTP traffic to the Barracuda Web Security Service, create the required firewall rules.
a. Go to the FIREWALL > Firewall Rules page.
b. Edit and enable the pre-installed TRANSPARENT-PROXY and TRANSPARENT-PROXY-Wi-Fi (if using Wi-Fi) firewall rules to allow traffic to pass to the Barracuda Web Security Service.
4. Complete the connection from the X-Series Firewall to the Barracuda Web Security Service.
a. Go to the BASIC > Cloud Control page.
b. Verify that your customer account information is entered.
c. Enable Connect to Barracuda Cloud Control and save your changes. After a successful connection, a "Connected" status is
displayed.
5. Log into your Barracuda Cloud Control account again.
6. Click the Web Security tab and refresh the display. Some network activity appears.
The Barracuda Cloud Control service centrally manages up to five Barracuda NextGen X-Series Firewalls. When an X-Series Firewall is linked to Barracuda Cloud Control, it continuously synchronizes its configuration settings with the service. You can continue to use the on-device web interface to manage the device while it is connected to Barracuda Cloud Control.
1. Go to the BASIC > Cloud Control page and enter your cloud control account credentials.
2. Enable Connect to Barracuda Cloud Control and click Save. After a successful connection, a Connected status is displayed.
3. Log in to https://bcc.barracudanetworks.com with your Barracuda Cloud Control account to manage your X-Series Firewall using
Barracuda Cloud Control.
These articles describe the tools and monitoring tasks that you can use to track connections and system performance.
In this Section
To monitor network sessions or connections, view the following pages from the BASIC tab:
Active Connections – Lists all of the open and established sessions on the appliance.
Recent Connections – Lists all of the connections that were established on the Barracuda NextGen X-Series Firewall or that were trying
to access the firewall.
You can find the information that you are interested in by filtering the lists. For a description of the displayed fields and information on how to add
filters, click Help on the product page.
Active Connections
The BASIC > Active Connections page lists all of the open and established sessions on the appliance. You can terminate any session by clicking the red x icon. If QoS is enabled for a connection, you can manually override the bandwidth policy for the connection by clicking the arrow next to it and selecting a different policy from the drop-down menu.
In the State column, the following arrows tell you if the connection is established or closing:
Arrow (status):
One-way traffic.
Closing connection.
To view the status of a connection, hover over the arrow for a status code. For more information about these status codes, see the Status Code
Overview.
Recent Connections
The BASIC > Recent Connections page lists all of the connections that were established on the X-Series Firewall or that were trying to access
the firewall. Use the information on this page for troubleshooting.
In the Action column, the following graphics tell you what action was performed for each connection:
Graphic (action):
Allowed
Terminated
Failed
Blocked
Dropped
To see if there is still incoming or outgoing traffic for a specific session, click Refresh and then look at its Last or Count value.
Sometimes, you might need to view ARP-Update traffic to troubleshoot in more detail. To display ARP-Update info, select the Include ARPs check box.
The following table provides more details on the status codes that you might see on the BASIC > Active Connections page.
Status Code (Type, Direction) – Description
FWD-NEW (TCP Packet Forwarding, Outbound) – Session is validated by the firewall rule set; no traffic was forwarded so far.
FWD-RSYN-RSV (TCP Packet Forwarding, Outbound) – The session destination answered the SYN with a SYN/ACK packet.
FWD-EST (TCP Packet Forwarding, Outbound) – The SYN/ACK packet was acknowledged by the session source. The TCP session is established.
FWD-FFIN-RCV (TCP Packet Forwarding, Outbound) – The session source sent a FIN datagram indicating to terminate the session.
FWD-RLACK (TCP Packet Forwarding, Outbound) – The session destination answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
FWD-RFIN-RCV (TCP Packet Forwarding, Outbound) – The session destination sent a FIN datagram indicating to terminate the session.
FWD-FLACK (TCP Packet Forwarding, Outbound) – The session source answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
FWD-WAIT (TCP Packet Forwarding, Outbound) – The session was reset by one of the two participants by sending a RST packet. A wait period of 5 seconds silently discards all packets belonging to that session.
FWD-TERM (TCP Packet Forwarding, Outbound) – The session is terminated and will shortly be removed from the session list.
IFWD-NEW (TCP Packet Forwarding, Inbound) – Session is validated by the firewall rule set; no traffic was forwarded so far.
IFWD-SYN-SND (TCP Packet Forwarding, Inbound) – A SYN packet was sent to the destination initiating the session (note that the session with the source is already established).
IFWD-EST (TCP Packet Forwarding, Inbound) – The destination replied to the SYN with a SYN/ACK. The session is established.
IFWD-FFIN-RCV (TCP Packet Forwarding, Inbound) – The session source sent a FIN datagram indicating to terminate the session.
IFWD-RLACK (TCP Packet Forwarding, Inbound) – The session destination answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
IFWD-RFIN-RCV (TCP Packet Forwarding, Inbound) – The session destination sent a FIN datagram indicating to terminate the session.
IFWD-FLACK (TCP Packet Forwarding, Inbound) – The session source answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
IFWD-WAIT (TCP Packet Forwarding, Inbound) – The session was reset by one of the two participants by sending a RST packet. A wait period of 5 seconds silently discards all packets belonging to that session.
IFWD-TERM (TCP Packet Forwarding, Inbound) – The session is terminated and will shortly be removed from the session list.
PXY-EST (TCP Stream Forwarding, Outbound) – Two established TCP socket connections, to the source and to the destination, exist.
PXY-SRC-CLO (TCP Stream Forwarding, Outbound) – The socket to the source is closed or is in the closing process.
PXY-DST-CLO (TCP Stream Forwarding, Outbound) – The socket to the destination is closed or is in the closing process.
PXY-SD-CLO (TCP Stream Forwarding, Outbound) – The source and the destination socket are closed or in the closing process.
PXY-TERM (TCP Stream Forwarding, Outbound) – The session is terminated and will shortly be removed from the session list.
IPXY-NEW (TCP Stream Forwarding, Inbound) – Session is validated by the firewall rule set; no traffic was forwarded so far.
IPXY-EST (TCP Stream Forwarding, Inbound) – Two established TCP socket connections, to the source and to the destination, exist.
IPXY-SRC-CLO (TCP Stream Forwarding, Inbound) – The socket to the source is closed or is in the closing process.
IPXY-DST-CLO (TCP Stream Forwarding, Inbound) – The socket to the destination is closed or is in the closing process.
IPXY-SD-CLO (TCP Stream Forwarding, Inbound) – The source and the destination socket are closed or in the closing process.
IPXY-TERM (TCP Stream Forwarding, Inbound) – The session is terminated and will shortly be removed from the session list.
UDP-RECV (UDP Forwarding) – Traffic has been received from the source and was forwarded to the destination.
ECHO-RECV (ECHO Forwarding) – Traffic has been received from the source and was forwarded to the destination.
ECHO-SENT (ECHO Forwarding) – The source sent more traffic after receiving a reply from the destination.
OTHER-NEW (OTHER Protocols Forwarding) – Session is validated by the firewall rule set. No traffic was forwarded so far.
OTHER-RECV (OTHER Protocols Forwarding) – Traffic has been received from the source and was forwarded to the destination.
OTHER-REPL (OTHER Protocols Forwarding) – The destination replied to the traffic sent by the source.
OTHER-SENT (OTHER Protocols Forwarding) – The source sent more traffic after receiving a reply from the destination.
LOC-NEW (Local TCP Traffic) – A local TCP session was granted by the local rule set.
LOC-EST (Local TCP Traffic) – The local TCP session is fully established.
LOC-FIN-WAIT1 (Local TCP Traffic) – An established local TCP session started the close process by sending a FIN packet.
LOC-FIN-WAIT2 (Local TCP Traffic) – A local TCP session in the FIN-WAIT1 state received an ACK for the FIN packet.
LOC-FINISH (Local TCP Traffic) – A local TCP socket was removed from the internal socket list.
The Barracuda NextGen Firewall X-Series can supply information to Network Management Systems via SNMP. Both SNMP v2c and v3 are supported. Barracuda Networks recommends using SNMP v3 because it is more secure. Load the Barracuda Firewall MIB file into your SNMP monitoring software, appliance, or script to reference the objects it defines.
SNMP v2
IP address (range) from which the Network Management System will contact the X-Series Firewall SNMP service.
SNMP community string.
SNMP v3
Configure SNMP v2
3. In the Administrator IP/Range section, add the Allowed SNMP IP/Range to the IP/Network Address list.
Verify that the computer used to administer the X-Series Firewall is in one of the networks included in the Administrator
IP/Range. You will be locked out of the firewall otherwise. The default value of 0.0.0.0/0.0.0.0 allows all networks and IP
addresses to administer the X-Series Firewall.
4. Click Save.
Configure SNMP v3
3. In the Administrator IP/Range section, add the Allowed SNMP IP/Range to the IP/Network Address list.
Verify that the computer used to administer the X-Series Firewall is in one of the networks included in the Administrator
IP/Range. You will be locked out of the firewall otherwise. The default value of 0.0.0.0/0.0.0.0 allows all networks and IP
addresses to administer the X-Series Firewall.
4. Click Save.
From the LOGS tab, there are a number of log files that you can view to monitor and troubleshoot the Barracuda NextGen Firewall X-Series:
Firewall Log
HTTP Log
Network Log
VPN Log
Service Log
Authentication Log
HTTP Log Codes Overview
TCP Codes
ERR Codes
For all of these logs, click Help for a description of the information on the page.
Firewall Log
The Firewall Log displays firewall activity such as rules that have been executed and traffic that has been dropped. It lists all connections on the
X-Series Firewall. You can filter the log by criteria such as a source IP address or network, or the time that the connections occurred.
HTTP Log
The HTTP Log displays the activities of the X-Series Firewall's connection with the Barracuda Web Security Service. There are several codes in the log. For details on these codes, see the HTTP Log Codes Overview section.
Network Log
Use the Network Log to investigate why network configuration changes are not working properly or cannot be activated.
The messages in the Network Log might explain the problem. If not, check the network configuration again for any problems or conflicts.
VPN Log
The VPN Log displays information for all client-to-site and site-to-site VPN tunnels. Use this log to investigate why VPN tunnels and PPTP
connections are disconnecting or not being established.
To see the messages for specific VPN connections, you can also filter the log by IP addresses.
Service Log
The Service Log lists specific errors and warnings for services that are not configured properly or are encountering problems. To restart these
services and debug any problems, you might need to contact Barracuda Networks Technical Support for assistance.
Authentication Log
The Authentication Log displays messages from the authentication service. This includes logins for the web interface and messages from the
various authentication methods.
For example, if a client is not able to access a service, the unsuccessful authentications are written into the log. Successful authentications are
also recorded.
The following tables provide details on the codes that you might see on the LOGS > HTTP Log page.
TCP Codes
Code – Description
TCP_REFRESH_FAIL_HIT – An expired copy of the requested object was in the cache. Squid attempted to make an If-Modified-Since request, but it failed. The old (stale) object was delivered to the client.
TCP_REFRESH_MISS – An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and received a new object.
TCP_CLIENT_REFRESH – The client issued a request with the "no-cache" pragma ("reload", handled as MISS).
TCP_IMS_MISS – An If-Modified-Since GET request was received from the client. The requested object was not in the cache (stale).
TCP_SWAPFAIL – The object was believed to be in the cache, but could not be accessed.
ERR Codes
ERR_NO_CLIENTS_BIG_OBJ – All clients went away before transmission completed and the object is too big to cache.
ERR_ZERO_SIZE_OBJECT – The remote server closed the connection before sending any data.
The following diagnostic tools should help you troubleshoot most problems. Please read this article before contacting Barracuda Networks
Technical Support.
The ADVANCED > Troubleshooting page provides a suite of tools to help you troubleshoot network connectivity issues that might be impacting
the performance of your Barracuda NextGen X-Series Firewall.
For example, you can test your X-Series Firewall's connection to the Barracuda Networks update servers to verify that it can successfully download the latest Energize Update definitions. You can also ping or telnet to other devices from the X-Series Firewall, perform a dig/NS-lookup or a TCP dump, and trace the route from the X-Series Firewall to any other system.
To let technical support engineers troubleshoot your system, you can initiate a connection between your X-Series Firewall and the Barracuda
Networks Technical Support Center. On the ADVANCED > Troubleshooting page, in the Support Connection section, click Establish
Connection to Barracuda Support Center. The connection to Barracuda's Support Center is established as a VPN over an SSH 2.0 tunnel with a 2048-bit RSA key, AES128-CBC encryption and HMAC-MD5 message authentication.
If your X-Series Firewall experiences a serious issue that impacts its core functionality, you can use diagnostic and recovery tools that are
available from the reboot menu to return your system to an operational state. Before you use the diagnostic and recovery tools:
Use the built-in troubleshooting tools on the ADVANCED > Troubleshooting page to help diagnose the problem.
Perform a system restore from the last known good backup file.
Contact Barracuda Networks Technical Support for additional troubleshooting tips.
As a last resort, you can reboot your X-Series Firewall and run a memory test or perform a complete system recovery, as described below.
Reboot Options
The table below describes the options available at the reboot menu.
Barracuda – Starts the X-Series Firewall in the normal (default) mode. This option is automatically selected if no other option is specified within the first three seconds of the splash screen appearing.
If you purchased the Instant Replacement service and the X-Series Firewall fails, you can call Barracuda Networks Technical Support and
arrange for a new unit to be shipped out within 24 hours.
After receiving the new system, ship the old X-Series Firewall back to Barracuda Networks at the address below, with an RMA number marked
clearly on the package. Barracuda Networks Technical Support can provide details on the best way to return the unit.
Barracuda Networks
Campbell, CA 95008
To set up the new X-Series Firewall so that it has the same configuration as your old failed system, first manually configure the new
system’s IP information on the BASIC > IP Configuration page, and then restore the backup file from the old system onto the new
system. For information on restoring data, see How to Backup and Restore the Barracuda NextGen Firewall X.
With the Barracuda NextGen Firewall X-Series, you can choose to stream the following logs to a syslog server:
Firewall Log
HTTP Log
Network Log
VPN Log
Service Log
Authentication Log
Verify that the syslog server supports the protocol that you want to use. All syslog servers support UDP, but not all support TCP.
To verify that the connection to the syslog server can be established, go to the BASIC > Recent Connections page. Filter the list of
connections for the Protocol, Service, and Destination IP of the syslog server.
The Barracuda NextGen Firewall X-Series can alert the administrator of important system events by sending notification emails. You can
configure a notification email policy for each event, and to limit the number of emails for frequently occurring events, you can define up to three
thresholds. Thus, the administrator will receive an email only when the number of events exceeds the threshold set in the timespan. The following
events can trigger email notifications:
Security Events
ATD Cloud Status – State of the connection between the firewall and the Barracuda ATD cloud.
ATD malicious activity detected – A malicious file has been detected by ATD.
User added to quarantine – A user has been added to the ATD quarantine.
Duplicate IP Detected – An IP address configured on the system has also been detected elsewhere in the network.
IPS Drop Alert – Traffic matching an IPS Event with the Action set to Drop and the Log set to Alert.
IPS Drop Warning – Traffic matching an IPS Event with the Action set to Drop and the Log set to Warning.
IPS Drop Notice – Traffic matching an IPS Event with the Action set to Drop and the Log set to Notice.
IPS Log Alert – Traffic matching an IPS Event with the Action set to Log and the Log set to Alert.
IPS Log Warning – Traffic matching an IPS Event with the Action set to Log and the Log set to Warning.
IPS Log Notice – Traffic matching an IPS Event with the Action set to Log and the Log set to Notice.
Operational Events
Critical Disk Space – More than 90% of available disk space is in use on at least one partition.
This event is always triggered during firmware updates. Do not set the Notification policy to Immediate.
Critical System Load – System load is extremely high. The X-Series Firewall will reboot if this condition persists.
Route Changed, uplink not available – An uplink has become unreachable due to changes in the routing configuration.
HA Partner Unreachable – The other HA unit in the HA cluster is no longer reachable.
HA Failover to this System – This X-Series Firewall has taken over as the active HA partner.
HA Failover to Partner – The other X-Series Firewall in the HA cluster has taken over as the active HA partner.
License expired or invalid – The system license has expired or is running on invalid hardware.
System Reboot – The X-Series Firewall has rebooted.
System Shutdown – The X-Series Firewall has been shut down.
5. Enter the Sender Address. Emails sent by the X-Series Firewall use this email in the FROM section.
6. Click Save.
3.
4. Select the Notification for each Security and Operational Event:
None – No notification emails are sent for this event.
Immediate – An email notification is immediately sent for every event.
Threshold 1 – An email notification is sent when the number of events in the timespan defined for the first threshold has been reached.
Threshold 2 – An email notification is sent when the number of events in the timespan defined for the second threshold has been reached.
Threshold 3 – An email notification is sent when the number of events in the timespan defined for the third threshold has been reached.
5. Click Save.
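As an added illustration (not Barracuda's code) of the threshold policy described above, the following models the None / Immediate / Threshold 1-3 settings over an event stream. It assumes a threshold is a pair (number of events, timespan in seconds), that the timespan is a sliding window, and that one email is sent each time a threshold is reached; the configuration and event stream are constructed samples.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

Threshold = Tuple[int, int]   # (number of events, timespan in seconds) - assumed shape

# Event the note above singles out: it is always triggered during firmware updates.
ALWAYS_FIRES_ON_UPDATE = {"Critical Disk Space"}


class EventNotifier:
    """Decides, per event occurrence, whether a notification email is due."""

    def __init__(self, thresholds: List[Threshold], policy: Dict[str, str]):
        if len(thresholds) > 3:
            raise ValueError("at most three thresholds can be defined")
        self.thresholds = thresholds
        self.policy = policy          # event name -> "None" | "Immediate" | "Threshold N"
        self._windows: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _index(setting: str) -> int:
        return int(setting.split()[1]) - 1       # "Threshold 2" -> index 1

    def misconfigurations(self) -> List[str]:
        """Settings the text warns against, or that refer to an undefined threshold."""
        issues = []
        for event, setting in self.policy.items():
            if setting == "Immediate" and event in ALWAYS_FIRES_ON_UPDATE:
                issues.append(f"{event}: Immediate will mail on every firmware update")
            if setting.startswith("Threshold") and self._index(setting) >= len(self.thresholds):
                issues.append(f"{event}: {setting} is not defined")
        return issues

    def record(self, event: str, ts: float) -> Optional[str]:
        """Register one occurrence at time ts; return the email text, or None."""
        setting = self.policy.get(event, "None")
        if setting == "None":
            return None
        if setting == "Immediate":
            return f"{event} (1 event)"
        count, span = self.thresholds[self._index(setting)]
        window = self._windows[event]
        window.append(ts)
        while window and ts - window[0] > span:  # sliding window over the timespan (assumed)
            window.popleft()
        if len(window) >= count:
            window.clear()                       # one email per threshold reached (assumed)
            return f"{event} ({count} events within {span} s)"
        return None


def deliver(notifier: EventNotifier, events: List[Tuple[str, float]]) -> List[str]:
    """Feed a time-ordered (event, timestamp) stream and collect the emails to send."""
    mails = [notifier.record(event, ts) for event, ts in events]
    return [mail for mail in mails if mail is not None]


# Constructed sample configuration and event stream; not real firewall output.
def sample_notifier() -> EventNotifier:
    return EventNotifier(
        thresholds=[(3, 60), (10, 3600), (50, 86400)],
        policy={"IPS Drop Alert": "Threshold 1", "System Reboot": "Immediate",
                "Critical Disk Space": "Immediate", "HA Partner Unreachable": "None",
                "License expired or invalid": "Threshold 3"})


SAMPLE_EVENTS = [("System Reboot", 0.0), ("HA Partner Unreachable", 1.0),
                 ("IPS Drop Alert", 10.0), ("IPS Drop Alert", 20.0), ("IPS Drop Alert", 30.0),
                 ("IPS Drop Alert", 35.0), ("IPS Drop Alert", 36.0), ("IPS Drop Alert", 100.0),
                 ("IPS Drop Alert", 120.0), ("IPS Drop Alert", 140.0)]

if __name__ == "__main__":
    notifier = sample_notifier()
    for issue in notifier.misconfigurations():
        print("config warning:", issue)
    for mail in deliver(notifier, SAMPLE_EVENTS):
        print("send:", mail)
```

In the sample stream the two IPS events at 35 s and 36 s fall out of the 60-second window before the event at 100 s, so the second email is only sent once three events again fall within one window.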
In this Section
This article explains how to update your Barracuda NextGen X-Series Firewall to the latest generally available firmware version or, if available, to an early release version.
Latest General Release – The latest generally available version of the firmware available for use on the X-Series Firewall.
Latest Early Release – The newest firmware versions available for early access to your X-Series Firewall.
Applying a new firmware version may result in a temporary loss of service and the unit may reboot. For this reason, you should apply
new firmware versions during non-business hours.
Stand-Alone System
4. After the firmware has been successfully downloaded, click Apply Now.
Barracuda Networks recommends that you regularly back up the latest working configuration, in case you need to restore this information on a
replacement Barracuda NextGen X-Series Firewall or the current system data becomes corrupt. It is also very important to back up your
configuration before updating your X-Series Firewall to the latest available firmware.
Backups from appliances with older firmware versions (< 6.5.0) cannot be restored on an X-Series Firewall firmware version 6.5.0 or
newer.
You can back up your current X-Series Firewall configuration into a single file. After a misconfiguration or hardware failure, you can import this
backup file (*.bak) to the X-Series Firewall to restore the saved configuration. You have multiple options for saving configuration backups:
Note that you can restore backups only to X-Series Firewalls with the same serial number.
For manual backups, on the local file system of a computer that manages the X-Series Firewall.
For automated backups, remotely on an FTP(S) server.
Automatic hourly backups. The X-Series Firewall automatically creates a backup file every hour for the last 24 hours.
System password
System management IP address
DNS information
To automatically back up your configurations and store them on either an FTP server or a Windows network share:
You need to use the full path on the server when configuring the FTP server. E.g., /home/user/ftpbackups/ for ftp://ftpserver/ftpbackups/.
You can restore your X-Series Firewall from either locally saved backups, backups stored in the cloud (Barracuda Cloud Control), backups stored
on an FTP(S) server or from the hourly backups on the X-Series Firewall.
If the restore process is being performed to upload settings onto a new (unconfigured) X-Series Firewall, be sure to manually set the IP
address and DNS information from the BASIC > IP Configuration page prior to starting.
Restoring a backup will overwrite the current configuration of your X-Series Firewall. Do not restore backup files from old 6.0.x or 6.1.x
firmware versions on an X-Series Firewall running 6.5.X.
Cloud – All backup files stored in the cloud for this particular X-Series Firewall (as determined by serial number). To access and
restore from a backup file stored in the cloud that was created from a different system, please contact Barracuda Networks
Technical Support for assistance.
FTP or FTPS – All backup files stored in the FTP server location configured above. By default, only the backup files for this
particular X-Series Firewall (as determined by serial number), will be displayed. To list all available X-Series Firewall backup files
regardless of serial number, set the Show All Backups option to Yes.
Local – Uses your native desktop browser to navigate to a location of your choosing.
Disk – Choose a backup file stored locally on your X-Series Firewall.
4. Select the backup file and click Restore Backup.
5. Confirm the information displayed on the main backup page to start the process.
6. After the backup has successfully finished, reboot the X-Series Firewall.
To recover the Barracuda NextGen X-Series Firewall, you can use the Recovery Console with one of the following recovery options:
Barracuda Repair – Retains your settings and data during system recovery.
Full Barracuda Repair – Resets the X-Series Firewall to factory default settings. With this option, all your settings and data will be lost. If you are unsure of which recovery option to use, first run the Barracuda Repair. If problems persist, run a Full Barracuda Repair.
Do not manually reboot your system at any time during recovery or repair, unless otherwise instructed by Barracuda Networks
Technical Support. Depending on your current firmware version and other system factors, this process can take up to 15 minutes. If it
takes longer, please contact Barracuda Networks Technical Support for further assistance.
Before you recover the X-Series Firewall, ensure that you have physical access to the system. You must also have the following equipment:
1. Ensure that the X-Series Firewall is turned off and the ports in the back of the appliance are accessible.
2. Connect the monitor to the VGA port.
3. Connect the keyboard to one of the USB ports.
4. Turn on the X-Series Firewall by plugging the power cord in.
5. When the bootloader menu displays, use your keyboard to select Recovery. After two to three minutes, the system boots into the
Recovery Console menu:
Recovery Console
BARRACUDA NETWORKS RECOVERY CONSOLE
Please make a selection
(1) Barracuda Repair (no data loss)
(2) Full Barracuda Recovery (all data lost)
(3) Enable remote administration (reverse tunnel)
(5) EXIT
6. Select a recovery option:
If you want to retain all of your data and settings during the repair, enter 1 to select the Barracuda Repair (no data loss) option.
If you want to restore the X-Series Firewall with the default factory settings, enter 2 to select the Full Barracuda Recovery (all
data lost) option. With this option, you will lose all of your current data and settings. When you are prompted by the on-screen
instructions, confirm that you want to continue with the recovery.
7. After you receive the message stating that the recovery process is complete, enter 5 to exit the Recovery Console. The X-Series Firewall
then reboots.
If problems persist after the reboot, please contact Barracuda Networks Technical Support for further assistance.
The Barracuda NextGen Firewall X-Series uses the Certificate Manager as a central repository to manage all X.509 certificates on the device.
You can create self-signed certificates or upload your own certificates. All certificates are available for all X-Series Firewall services, as long as
they meet the requirements for that service.
Private keys are not included in the backup. Download the private key and keep it in a safe location.
For a Client–to–Site VPN connection to a mobile device, set the DNS to the FQDN of the X-Series Firewall. The
FQDN must resolve to the IP address of the VPN service on the X-Series Firewall.
Add to VPN Certificates – Automatically add this certificate to the list of VPN certificates. You can also manually add the
certificate to the VPN certificates later on the VPN > Settings page.
4. Click Save.
Upload a Certificate
You can upload certificates in PEM or PKCS12 files. A PEM file can contain either a single certificate or multiple certificates. A PEM file with multiple certificates must contain one or more certificates and the private key in order to form a complete chain of trust.
Private keys are not included in the backup. Download the private key and keep it in a safe location.
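An added pre-upload check, not Barracuda's code, for the PEM rule above: it confirms that a multi-certificate PEM file carries a private key and that the certificates chain (each certificate's issuer matches the next certificate's subject) by walking the DER only as far as the issuer and subject fields. The sample certificates are constructed, carry no real keys or signatures, and nothing cryptographic is verified.

```python
import base64
import re
from typing import List, Tuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for each PEM block, in file order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a DER SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        out.append((tag, value))
    return out


def issuer_subject(der: bytes) -> Tuple[bytes, bytes]:
    """Return the raw DER issuer and subject Name of an X.509 certificate."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs = _children(cert)[0][1]          # tbsCertificate is the first element
    fields = _children(tbs)
    if fields[0][0] == 0xA0:             # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def check_bundle(text: str) -> List[str]:
    """Report structural problems; an empty list means the bundle is well formed."""
    blocks = pem_blocks(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block found")
    if len(certs) > 1 and not keys:
        problems.append("multi-certificate PEM file has no private key")
    if len(keys) > 1:
        problems.append("more than one private key in the bundle")
    names = [issuer_subject(c) for c in certs]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:      # issuer(i) must equal subject(i+1)
            problems.append(f"certificate {i} was not issued by certificate {i + 1}")
    return problems


# --- constructed sample input (structure only; no real keys or signatures) ---

def _der(tag: int, *parts: bytes) -> bytes:
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        width = (n.bit_length() + 7) // 8
        length = bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + length + body


def _name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here commonName (2.5.4.3) only
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"),
                                       _der(0x0C, cn.encode()))))


def _fake_cert(subject: str, issuer: str) -> str:
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _der(0x30, b""), _name(issuer), _der(0x30, b""), _name(subject))
    cert = _der(0x30, tbs, _der(0x30, b""), _der(0x03, b"\x00"))
    body = base64.encodebytes(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"


def sample_bundle(correct_order: bool = True, with_key: bool = True) -> str:
    leaf = _fake_cert("vpn.example.com", "Example Root CA")
    ca = _fake_cert("Example Root CA", "Example Root CA")
    certs = leaf + ca if correct_order else ca + leaf
    return certs + (FAKE_KEY if with_key else "")


if __name__ == "__main__":
    print(check_bundle(sample_bundle()) or "bundle is well formed")
    print(check_bundle(sample_bundle(correct_order=False)))
```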
Delete a Certificate
You cannot delete certificates that are in use. Change the certificate for all services listed in the Usage column and then click in the Action column to delete the certificate.
Certificates that are to be used for the VPN service must be added to the VPN certificates. If you did not select Add to VPN Certificates when creating or uploading the certificates, you can also add them to the VPN Certificates in the VPN Settings. Root CA certificates must be CA certificates.
You can only use certificates with the CA option for SSL Inspection.
The Barracuda Report Creator creates PDF reports using the statistics and logs collected by your Barracuda NextGen Firewall X-Series. Reports
can be created instantly or per schedule and are delivered either by email or stored on the Windows client that is running the Report Creator.
CudaLaunch
CudaLaunch provides mobile users secure remote access to your organization's applications and data. CudaLaunch is available for iOS and
Android devices via the Apple App Store or Google Play Store. Desktop portal access is not supported for the Barracuda NextGen X-Series SSL
VPN.
Barracuda offers a Windows, macOS, and Linux client to configure and establish client-to-site VPNs. The Network Access Client consists of the
Barracuda Personal Firewall, the Barracuda Access Monitor, and the Barracuda VPN Client.
For more information, see Barracuda Network Access and VPN Client.
With the Barracuda NextGen Report Creator, you can customize reports on Barracuda NextGen X-Series Firewalls with the statistics and logs
that are collected on the appliances. If you want to generate a collective report for multiple X-Series Firewalls, you can organize the appliances
into consolidation groups. The report content is fully configurable and can provide the following information:
You generate a report by combining templates that specify what appliances or consolidation groups are included in the report, the type of
information to include in the report, how the report is formatted, and how the report should be delivered. You can either use predefined templates
or customize your own templates.
To configure reporting for X-Series Firewalls, you must install the Barracuda NextGen Report Creator:
In the Appliances section of the Barracuda NextGen Report Creator, create an entry for every X-Series Firewall that you want to generate a
report for. In each entry, specify the settings for connecting to the appliance.
2. In the Appliances section in the left pane, click the plus sign ( ).
3. Select Barracuda Firewall from the Type list.
4. Enter the Management IP or Hostname of the X-Series Firewall.
5. Enter the Login and Password.
6. Click Test Connection to verify that the Barracuda NextGen Report Creator can connect to the appliance.
7. Click Save.
If you are creating reports for a large number of firewalls, sort them into Consolidation Groups:
The Barracuda NextGen Report Creator is now configured to create reports containing the selected data from your X-Series Firewalls.
The Report Data templates specify the type of information included in the report. The following predefined report types are available:
Top Applications – Create reports summarizing the usage of applications. By default, the top 25 applications are displayed, covering
the last 7 days. Settings can be changed in the template.
Top Allowed Applications – Create reports summarizing the usage of allowed applications. By default, the top 25 applications are
displayed, covering the last 7 days.
Top Blocked Applications – Create reports summarizing the access of blocked applications. By default, the top 25 applications are
displayed, covering the last 7 days.
Top URL Categories & Websites – Create reports summarizing accessed URL categories and websites. By default, the top 25
accessed URLs are displayed, covering the last 7 days.
Top Allowed URL Categories & Websites – Create reports summarizing the top 25 allowed URL categories and websites.
Top Blocked URL Categories & Websites – Create reports summarizing the top 25 access attempts to URL categories and websites
that have been blocked by the X-Series Firewall.
Application Usage and Risks – Create reports summarizing used applications and risks covering the last 7 days.
5. Click Save.
The template is available for selection when configuring the report. If you need information in your report that is not provided by the predefined
reports, you can create your own custom report. For more information, see How to Create Custom Reports.
4. Right-click the template name, select rename, and enter a name.
5. Configure the following settings for the layout:
Report Title – The heading text that is displayed on the first page of the report.
Front Page Logo – The larger image that is displayed on the first page of the report. This image must be in PNG format. Your
custom logo image is not automatically resized. Use images with a maximum width of 500 pixels.
Header Logo – The small logo that is displayed in the headline. This image must be in PNG format and have a maximum height
of 44 pixels. The custom header image is automatically resized to 155 x 44 pixels. Upload it in multiples of these values to get
the best results.
Page Size – The print page size.
Font Name – The font used in the report.
Font Size – The size of the font for the continuous text. Headlines have a fixed size that cannot be changed.
Create a Deliveries template to specify how the reports are delivered. You can either store reports in a local directory or email the reports.
6. To email reports, select EMAIL from the Type list and then configure the following settings:
Sender – The sender email address.
Recipient(s) – The email addresses that should receive the report. Separate multiple addresses with a semicolon (;).
Mail Text – (Optional) Text for the email body.
Server Address – The IP address of the email server.
Port – The SMTP port on the email server to connect to. Common default values are:
25 – Anonymous sending.
587 – TLS authenticated sending.
Force TLS encryption – Enables authenticating at the email server, with the username and password configured below. This
option requires a valid Sender Address.
Use anonymous authentication – Allows use of the email server without a username and password. This option does not
require a valid Sender Address.
User Name and Password – If required, the credentials to authenticate on the email server.
7. Click Save.
After setting up the Barracuda NextGen Report Creator, you can generate a report.
2. In the Reports section in the left menu, click the plus sign ( ).
3. Left-click the template name, select rename, and enter a name for the report.
4. In the Content section of the main pane, repeat the following steps for each appliance or consolidation group you want to add to the
report:
a. In the Appliances section, click the plus sign ( ) and then select the consolidation group or
appliance.
b. In the Data for "your appliance name" section, click the plus sign ( ) and then select the
types of reports that you want to generate.
5. Select the Layout from the list.
6. In the Delivery section, click the plus sign ( ) and then select the delivery method you previously
configured:
EMAIL – Sends the report to the email address specified in the Deliveries template.
FILE – Saves the report in the location path specified in the Deliveries template.
7. Click Save.
Click Run Now to generate the report. The report is sent to your desktop or delivered via email, depending on the configuration of the selected Deliveries template.
To automate the reporting, schedule a task and specify how often the report is generated.
5. To open the Windows Task Scheduler, click Create Custom Task. Barracuda NextGen Report Creator tasks are stored in the BarracudaNGReportCreator subfolder.
6. Click OK. Your scheduling task is created in the Windows Task Scheduler.
7. Save your configurations.
You can use various keyboard shortcuts within the Barracuda NextGen Report Creator:
Tab, Shift+Tab – Move forward or backward through the currently visible controls.
Alt+D – Schedule a task for the currently selected report. You can use this shortcut only in the Report tab.
Alt+R – Create a report. You can use this shortcut only in the Report tab.
Custom Report – Use this type to create reports for allowed or blocked traffic by common criteria such as protocol, user, source, and
risk.
User Activity Report – Create a summary of all activities for one or more users.
URL Category Reports – Create reports for the top blocked or allowed URL categories.
Application Category Reports – Create reports for the top blocked or allowed application categories.
Application Reports – Create reports summarizing the usage of specific applications.
Configure the Barracuda NextGen Report Creator. For more information, see Barracuda Report Creator.
To configure a custom report, choose a template type and add your custom template.
3. Select the custom report type you want to create and click . A custom report is inserted below the report type.
4. Right-click the placeholder report name, select rename, and enter a name for the new custom report.
5. Click on the custom report. In the main window configure:
Time Span – Select how far back data should be analyzed. Min: 1 hour. Max: 4 weeks.
Filters – Set Merge Filtered Data to yes to consolidate all data for this filter into one report. Set to no to receive consecutive
reports for each filter entry. Depending on the report data type, configure:
User Address Activity Reports – Enter one or more usernames or IP addresses (IPv4) separated by a semicolon. Spaces are interpreted as part of the username.
IP Address Activity Reports – Enter one or more single IP addresses (IPv4) separated by a semicolon. Do not use spaces between the IP addresses.
URL Category Reports – Click on the three dots at the end of the line (...), select one or more URL Categories from
the list, and click OK.
Application Category Reports – Click on the three dots at the end of the line (...), select one or more Application
Categories from the list, and click OK.
Application Reports – Click on the three dots at the end of the line (...), select one or more Application Categories from the list, and click OK.
Content – Set these settings to define how many details are included in the report.
Advanced – Set Source IP address anonymization to Yes to obscure the last number of the source IP address. E.g., 10.0.10.x
6. Click Save.
3. In the Data section click and add the custom report(s) created in step 1.
4. Click Save.
You can now run or schedule reports containing the custom report data. For more information, see Barracuda Report Creator.
CudaLaunch is a Windows, macOS, iOS, and Android application that provides secure access to your organization's applications and data from
remote locations and a variety of devices. CudaLaunch also integrates with the Barracuda VPN Client to connect via client-to-site VPN. The
CudaLaunch portal's responsive interface is compatible for both desktop and mobile devices.
CudaLaunch offers secure access to resources made available on the X-Series Firewall. Remote users can access firewall services and features
and establish VPN connections. CudaLaunch is available for Windows and macOS via the Microsoft Windows 10 App Store, the macOS App Store, and the Barracuda Download portal.
CudaLaunch provides secure remote access to your organization's resources from mobile devices. CudaLaunch for mobile is available for iOS
and Android devices via the Apple App Store or Google Play Store. Both versions offer similar functionality.
Download CudaLaunch from the Barracuda Download Portal, the Microsoft Windows 10 App Store, or the macOS App Store.
(optional) To use the VPN group policies in the VPN Connection tab, install the VPN Client & Network Access Client.
Configure the services and features you want to use in CudaLaunch. For more information, see How to Enable SSL VPN and
CudaLaunch.
Interface
CudaLaunch arranges all available web resources into the following sections, accessible via the interface service bar:
Logging in
Hostname or IP address – The IP address or FQDN resolving to the public IP address the SSL VPN service is listening on.
Username
Password
You can change the display language for CudaLaunch on the Settings page. To do so, click on the options icon on the top left and select Settings > General.
The Apps tab contains all the web resources. To launch a resource from the Apps screen, click the icon associated with it.
The web resource launches in a new tab in your web browser, and you are redirected to the application page.
Native Apps
When launching native apps such as RDP, CudaLaunch automatically establishes a tunnel in the background and launches the app in a new
browser tab.
VPN Connections
The VPN Connections tab contains the VPN group policies configured by the admin for CudaLaunch. The Barracuda Network Access or VPN
Client must be installed on the client to be able to start the VPN connection in CudaLaunch. To connect to the client-to-site VPN, click on the VPN
Group policy.
SSL tunnels are used to tunnel TCP connections for client/server applications.
Click the Tunnels tab. Click on one of the SSL tunnel profiles that are made available by the admin.
The client connects to a port on the 127.0.0.1 interface. Use the local IP address and port number in the locally installed app.
Network places
Network places provide remote access to corporate file shares made available by the admin. The Folders tab allows you to browse network
shares and to rename, delete, retrieve, and upload files.
Click the Folders tab. Click the 'forward' arrow icons to navigate through the folders and files.
To launch a resource from the Folders screen, click the icon associated with it. When prompted for attributes, enter your username and password, and click Continue.
Adding favorites
On the Favorites page, you can store web resource shortcuts for easier access. Click the Favorites tab. To add a web resource to the favorites,
click the + icon.
Select the item you want to add from the list, and click the checkmark icon. The resource you have added is now visible under the Favorites tab.
To remove a resource from the favorites list, click the Favorites tab and then click the trash can symbol.
You can view general information about CudaLaunch on the Info page. To do so, click on the Options icon on the top left and select Info.
To view logs, version number, and connection details, select About. On the Log window, you can copy the logfiles to clipboard and view the
license agreement.
From the Options menu, you can also refresh the CudaLaunch configuration. To do so, select Refresh.
Logging off
To log out of CudaLaunch, expand the Options menu on the top left, and then select Log Out.
Configure the services and features you want to use in CudaLaunch on your Barracuda NextGen Firewall X-Series. For more
information, see How to Enable SSL VPN and CudaLaunch.
Verify that you are using a mobile device with a supported operating system. For more information, see SSL VPN Supported Devices.
Hostname or IP address – The IP address or FQDN resolving to the public IP address the X-Series Firewall's SSL VPN service is
listening on.
Username
Password
Web forwards
Swipe to the Apps tab. To launch a web forward, tap on the icon. Frequently used web forwards can be added to the Favorites tab for easy
access.
Swipe to the VPN Connections tab. Tap on one of the VPN connection profiles that are either stored on your device or made available by the
admin through SSL-VPN VPN templates. The key symbol in the taskbar is displayed as long as you are connected to the VPN. Settings for the
VPN connection can be changed in the Option menu under VPN Profiles. Changes to the VPN templates by the administrator are automatically
synced to the mobile device. Full-device VPN connections can be used by all native apps on your device, not just CudaLaunch.
User attributes are user-specific placeholder values used for web forwards. User attributes can be filled/changed in the Options menu of
CudaLaunch. When a web forward is launched the first time, the user is requested to fill in the user attributes. To fill in or change a user attribute,
tap Settings in the Options menu of CudaLaunch. Tap on Personal Settings to see a list of the user attributes for your user.
To log out of CudaLaunch, expand the options menu on the top left, and then select Log Out.
The Barracuda Network Access Client is a suite of applications available for Windows that lets you control network and VPN client access based
on rules and policies. The Barracuda Network Access Client consists of the Barracuda Personal Firewall, the Barracuda Access Monitor, and
the Barracuda VPN Client. The Barracuda VPN Client is also available for macOS and Linux. For more information, see the Barracuda NAC and
VPN Client's overview page.
Supported features
The Barracuda Network Access / VPN client provides the following features:
For information on how to set up and use the Barracuda Network Access and VPN clients, see the following articles:
For information on how to configure the consumer-level Barracuda Firewall product line for client-to-site VPN, see How to Configure a
Client-to-Site VPN with Certificate Authentication.
The hardware configuration list in this table was valid at the time this content was created. Due to technological advances, the
components are subject to change at any time. Thus, the list may not reflect the current hardware configuration of the Barracuda
NextGen Firewall X-Series.
Hardware
X50 / X51 – Form factor: Desktop. Dimensions (inch): 10.8 x 6.4 x 1.8.
X100 / X101 – Form factor: Desktop. Dimensions (inch): 10.8 x 6.4 x 1.8.
X200 / X201 – Form factor: Desktop. Dimensions (inch): 10.8 x 6.4 x 1.8.
X300 (End of Sale) – Form factor: 1U rack mount. Dimensions (inch): 14.9 x 6.4 x 1.8.
X300 Revision B – Form factor: Desktop with Rack Mount Brackets. Dimensions (inch): 14.9 x 6.4 x 1.7.
X400 – Form factor: 1U rack mount. Dimensions (inch): 16.8 x 15.9 x 1.7.
X600 – Form factor: 1U rack mount. Dimensions (inch): 16.8 x 15.9 x 1.7.
Some shipped with a wall mount kit. Print the Barracuda NextGen Firewall X-Series Wall Mount Jig to use as a template when drilling the
required holes. Do not scale the PDF when printing.
Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This device complies with part 15 of the FCC Rules.
This apparatus complies with the Class B limits for radio interference as specified in the Canadian Department of Communication Radio
Interference Regulations.
This product is in conformity with the Council Directive 89/336/EEC, 92/31/EEC (EMC).
Power Requirements