Barracuda CloudGen Firewall Foundation Student Guide Rev2.0

November 25, 2022 | Author: Anonymous | Category: N/A

© Barracuda Networks Inc., February, 2019. The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


Table of Contents

1     Introducing the Barracuda CloudGen Firewall .......................... 5
1.1   Available Products ................................................... 5
1.2   Supported Platforms for the CloudGen Firewall ........................ 6
1.3   CloudGen Firewall Services ........................................... 6
1.4   System Architecture .................................................. 8
1.5   Management Interfaces ................................................ 8
1.6   Licensing ............................................................ 11
2     Deployment ........................................................... 15
2.1   Hardware Appliance Deployment ........................................ 15
2.2   Client Configuration ................................................. 15
2.3   Virtual Appliance Deployment ......................................... 16
2.4   License Activation ................................................... 18
3     Basic Configuration Tasks ............................................ 20
3.1   Firewall Admin ....................................................... 20
3.2   Configuration Tab and Example Configuration Change ................... 23
3.3   Administrative Settings .............................................. 25
3.4   Network Configuration ................................................ 27
3.5   Routing .............................................................. 31
3.6   Dynamic Network Connections .......................................... 32
3.7   Activating Network Configuration Changes ............................. 35
3.8   Virtual Servers and Services ......................................... 36
4     Firewall Policies .................................................... 38
4.1   Firewall Service Overview ............................................ 38
4.2   Firewall Rulesets .................................................... 39
4.3   Access Rules ......................................................... 40
4.4   Firewall Objects ..................................................... 42
4.5   Access Rules Examples ................................................ 45
4.6   Network Address Translation (NAT) .................................... 47
4.7   Firewall Live and Firewall History ................................... 52
4.8   Cascade Access Rules ................................................. 54
5     Introduction to Extended Firewall Features ........................... 56
5.1   Intrusion Prevention System (IPS) .................................... 57
5.2   User Awareness ....................................................... 59
5.3   Traffic Shaping QoS .................................................. 62
6     Barracuda Firewall Control Center .................................... 64
6.1   Central Management ................................................... 68
6.2   Adding Firewalls to the Control Center ............................... 71
6.3   Remote Management Tunnels ............................................ 73
6.4   Control Center Licensing ............................................. 76
6.5   Global Firewall Objects .............................................. 79
6.6   Repository ........................................................... 80
6.7   Control Center Deployment ............................................ 82
7     Virtual Private Networks ............................................. 83
7.1   VPN Service .......................................................... 83
7.2   VPN Protocols ........................................................ 83
7.3   Site-to-Site VPN ..................................................... 87
7.4   VPN Tunnel Settings .................................................. 88
7.5   Site-to-Site VPN Authentication ...................................... 90
7.6   Configuring a TINA Site-to-Site Tunnel ............................... 91
7.7   Configure IPsec Site-to-Site VPN ..................................... 92
7.8   Firewall Admin: Tunnel Monitoring .................................... 93
7.9   GTI Editor - Graphical Tunnel Interface .............................. 95
8     Introduction to Traffic Intelligence ................................. 98
8.1   Dynamic Transport Selection for Traffic Intelligence ................. 100
9     Introduction to Remote Access ........................................ 103
9.1   Remote Access ........................................................ 103
9.2   Remote Access Clients ................................................ 104
10    Logging, Reporting, Statistics ....................................... 108
10.1  Logging .............................................................. 108
10.2  Events ............................................................... 111
10.3  Statistics ........................................................... 114
10.4  Report Creator ....................................................... 115
11    System Maintenance ................................................... 117
11.1  Back Up and Restore Your Configuration ............................... 117
11.2  Updating Firewalls and Control Centers ............................... 119
11.3  Recovery via Firewall Install ........................................ 120
12    High Availability .................................................... 121
12.1  Stand-Alone High Availability Cluster ................................ 124
12.2  Managed High Availability Cluster .................................... 125
12.3  High Availability Cluster Status and Manual Failover ................. 125
13    IPv6 ................................................................. 127
13.1  Overview of IPv6 ..................................................... 127
13.2  IPv6 Network Configuration ........................................... 127
13.3  IPv6-Enabled Services ................................................ 129
13.4  CloudGen Firewall as IPv6 Router ..................................... 131


1  Introducing the Barracuda CloudGen Firewall

Barracuda CloudGen Firewalls are purpose-built hardware, virtual and cloud appliances designed to protect and connect your network infrastructure. On top of industry-leading centralized management, the highly resilient VPN technology combined with intelligent traffic management capabilities allows customers to increase efficiency and overall network availability.

1.1  Available Products

Firewall

The CloudGen Firewall is an enterprise-grade, next-generation firewall that was purpose-built for efficient deployment and operation within dispersed, highly dynamic, and security-critical network environments. In addition to next-generation firewall protection, it provides industry-leading operations efficiency and added business value by safeguarding network traffic against line outages and link quality degradation. User identity and application awareness are used to select the best network path, traffic priority, and available bandwidth for business-critical traffic. The CloudGen Firewall can transparently move traffic to alternative lines to keep traffic flowing.

Control Center

All policies and client and device settings for all CloudGen Firewalls and Secure Connectors are centrally managed and tracked by the Firewall Control Center. This allows the CloudGen Firewall to meet enterprise requirements of massive scalability, efficient configuration, and life cycle and license management across dispersed networks, while at the same time offering performance guarantees for business-critical applications.

Secure Connector

The Barracuda Secure Connector offers large-scale remote access capabilities. It enables the ever-growing number of IoT devices and micro-networks to securely connect to the central or distributed corporate datacenter. In such a scenario, a large number of small Secure Connector (SC) appliances connect via VPN to their regional Secure Access Controller (SAC). The SAC forwards the management traffic to the Firewall Control Center. Corporate policies such as Application Control, URL Filtering, and Virus Scanning are handled either directly on the SAC or forwarded to the border firewall. The configuration and lifecycle management for all SCs and their SACs are handled by one central Firewall Control Center. The Control Center can manage multiple Secure Access Controllers, allowing you to scale up the network at will.


 

1.2  Supported Platforms for the CloudGen Firewall

The Barracuda CloudGen family offers hardware and virtual models to meet a wide range of networking requirements, from small branch offices up to large headquarters and datacenters. With the Firewall Vx, you can run a wide range of hypervisors that integrate effortlessly with your existing network and server infrastructure. And, with a Firewall Control Center Vx, you can centrally manage dozens or even hundreds of your virtual CloudGen Firewall models. Finally, the CloudGen Firewall has been specially designed for cloud deployments with either Microsoft Azure, Amazon AWS or Google Cloud.

Hardware

The CloudGen Firewall is available in multiple hardware models that meet different networking requirements, ranging from the F12 for small or home offices to the F1000 for large datacenters. Throughput increases with the size of the firewall; some models come equipped with added features such as integrated Wi-Fi, an 8-port switch, or a WWAN modem. Hardware models are periodically updated. When a new model is released, it is referred to as a new revision. Thus, the second version of the F800 is released as F800 Revision B. The sticker you find on the back of your model includes information on your model's revision, e.g., Rev.C BAR-NG-1234567. Also note that when a new revision is launched, the preceding revision is phased out.

Virtual

The virtual version of the CloudGen Firewall can be deployed on VMware, Xen, KVM, and Hyper-V hypervisors using the virtual images provided by Barracuda Networks. Smaller virtual systems are classified by a "capacity" number in the model name that defines the number of protected firewall IPs, SSL VPN users, VPN users, and HTTP Proxy users. Larger virtual firewall models are limited only by the number of CPU cores and the performance of the underlying hypervisor.

Public Cloud

The Barracuda CloudGen Firewall is available in the Microsoft Azure, Amazon AWS and Google Cloud public clouds. There are two types of images available in the Azure and AWS Marketplace: Bring-Your-Own-License (BYOL) and an hourly rate (PAYG). Performance is limited only by the number of licensed CPU cores and the performance of the underlying cloud instances. Firewall VMs in Google Cloud are available as BYOL images.

1.3  CloudGen Firewall Services

Services are software modules running on the service layer of the firewall. Each service provides a piece of network functionality. Depending on which service you start, it might require additional services or be limited to one service per virtual server or device. The following services are available on stand-alone and managed CloudGen Firewalls:

• Access Control Service – The access control service defines security policies for network users (e.g., VPN clients) and provides a range of features, such as registry checks and repairs on a client. Create access control objects with policy rulesets specifying the required system and service settings to let the CloudGen Firewall perform identity and health checks on connecting clients and groups.
• DHCP – The DHCP service automatically assigns IP addresses to clients in the same network. For clients requiring special DHCP options, combine the DHCP server with the DHCP relay service to share a DHCP server across multiple network segments.
• DNS – The CloudGen Firewall can act as an authoritative DNS server. The DNS service returns definitive answers to DNS queries for domain names and IP addresses. Use split DNS to return different answers depending on the source of the DNS query. This allows you to redirect internal clients to an internal IP address of a server.
• Dynamic Routing Protocols (OSPF/RIP/BGP) – Dynamic routing enables the CloudGen Firewall to learn and select the optimal route to a destination IP address, detect changes to the network topology, and advertise these changes to neighboring routers. Three dynamic routing protocols are supported: OSPF, RIP, and BGP.
• Forwarding Firewall – The forwarding firewall handles all traffic for which the destination does not match a listening socket on the firewall; in other words, all traffic passing through the CloudGen Firewall. The firewall service includes all Application Control features such as virus scanning, mail security, or file content filtering.
• FTP Gateway – The FTP gateway service of the CloudGen Firewall acts as a proxy for an internal FTP server. Policies including authentication settings, permissions, and restrictions for server access and file handling are defined per gateway. You can also create user-specific and group-specific profiles.
• HTTP Proxy – The HTTP proxy service provides content filtering and caching, antivirus and malware protection, and access control. You can configure the HTTP proxy in forward, reverse and transparent mode.
• Mail Gateway – The mail gateway service handles mail traffic according to delivery policies and scans incoming and outgoing mail for viruses and malware. The mail gateway service also supports extended domains, POP3 scanning, and group patterns for recipient verification. The mail gateway interface displays the mail queue, from where you can perform operations such as showing processes, logfiles, etc.
• SSH Proxy – The SSH proxy service allows you to regulate SSH connections. Based on OpenSSH, the SSH proxy service provides DoS protection, public key support, and configurable SSH protocol support for accessing target systems.
• SIP Proxy – The SIP proxy server allows the CloudGen Firewall to act as a (transparent) proxy for SIP and RTP connections.
• Spam Filtering – The CloudGen Firewall spam filter service identifies spam by using mechanisms such as text analysis, DNS blacklists, and collaborative filtering databases. The spam filter examines the mail header and body against a configured ruleset and a Bayesian filter. To improve the filter mechanisms, the mail filter also regularly collects and processes mail from configured training environments.
• URL Filter – The CloudGen Firewall offers the Barracuda Web Filter engine (URL Filter). URLs are categorized according to content.
• Virus Scanner – The virus scanner service provides virus protection, archive scanning, malware detection, and HTTP multimedia streaming. The virus scanner service can be configured using the integrated Avira or ClamAV virus scanning engine. Using the virus scanner service requires a subscription that can be renewed annually.
• VPN – The VPN service supports site-to-site, client-to-site, and SSL-VPN connections. CloudGen Firewalls support multiple encryption methods, Traffic Intelligence, and WAN optimization when using the TINA protocol.
• Wi-Fi – For administration of Wi-Fi networks, the Wi-Fi service provides configuration settings for the local access point. The service also supports user authentication in large networks via RADIUS and EAP.
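The split DNS behaviour described for the DNS service above, shown as an added example that is not Barracuda's code and not part of the original guide: a minimal split-horizon resolver that picks an answer "view" from the querying client's source address and answers only from the zone it is authoritative for. The view names, client networks, host names and addresses are constructed sample data, not values from the guide.

```python
import ipaddress
from typing import Optional

# Constructed sample data (hypothetical names and addresses, not taken from the guide).
# Each view lists the client networks it serves and the records it returns.
# Views are evaluated in order; the first view whose match_clients contains the
# source address wins, so the catch-all "external" view must come last.
VIEWS = [
    {
        "name": "internal",
        "match_clients": [ipaddress.ip_network("10.0.0.0/8"),
                          ipaddress.ip_network("192.168.0.0/16"),
                          ipaddress.ip_network("fd00::/8")],
        "records": {
            "www.example.test.": "10.0.10.5",     # internal address of the web server
            "mail.example.test.": "10.0.10.6",
        },
    },
    {
        "name": "external",
        # Both address families must be listed: an IPv6 client is never "in" 0.0.0.0/0,
        # so an IPv4-only catch-all would leave IPv6 clients without any view.
        "match_clients": [ipaddress.ip_network("0.0.0.0/0"),
                          ipaddress.ip_network("::/0")],
        "records": {
            "www.example.test.": "203.0.113.10",  # public address the outside world sees
            "mail.example.test.": "203.0.113.11",
        },
    },
]


def select_view(client_ip: str) -> str:
    """Return the name of the first view whose match_clients contains client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if any(addr in net for net in view["match_clients"]):
            return view["name"]
    raise LookupError(f"no view matches {client_ip}")


def normalize(qname: str) -> str:
    """Lower-case the query name and make it fully qualified (trailing dot)."""
    name = qname.strip().lower()
    return name if name.endswith(".") else name + "."


def resolve(qname: str, client_ip: str) -> Optional[str]:
    """Answer a lookup from the view selected by the client's source address.

    Returns None (the equivalent of NXDOMAIN) for names the authoritative zone
    does not hold; an authoritative server never recurses to other resolvers.
    """
    view_name = select_view(client_ip)
    view = next(v for v in VIEWS if v["name"] == view_name)
    return view["records"].get(normalize(qname))


if __name__ == "__main__":
    # Same name, different answers depending on where the query comes from.
    for client in ("10.1.2.3", "198.51.100.7", "2001:db8::1"):
        print(client, select_view(client), resolve("www.example.test", client))
```

The ordering of the views is the security-relevant detail: if the catch-all view were listed first, every client, including internal ones, would receive the public address, and a view table that forgets the IPv6 catch-all silently drops IPv6 clients instead of serving them the external answer.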

1.4  System Architecture

The CloudGen Firewall architecture is split into three layers:

• Box Layer – The box layer runs infrastructure services responsible for logging, events, configuration, and control. The network subsystem is also part of the box layer, which creates some peculiarities with network configuration. Only the management IP address and the additional box layer IP addresses of the CloudGen Firewall are allocated in the box layer. The box layer is always active.
• Virtual Server Layer – The virtual server layer builds on the box layer. It is a purely logical layer whose most important function is to make IP addresses available for the services (service layer) started on it. The virtual server layer introduces and activates all IP addresses that are needed for proper operation.
• Service Layer – The service layer introduces services such as the firewall, VPN, or DHCP. If the virtual server layer shuts down, all of its assigned services are also shut down and made unavailable.

1.5  Management Interfaces

All CloudGen Firewalls and Control Centers can be configured and monitored via a stand-alone Windows application called Firewall Admin. Some hardware models also offer a web interface as an alternative configuration management tool. The web interface lets you configure the firewall through a web browser.

Web Interface

The web interface is available for Vx, Public Cloud and the following hardware appliances: CloudGen Firewall F18, F80, F180, F183, F280, F380, and F400. The web interface provides administrators quick and easy access to the firewall from any standards-compliant browser. When using the web interface as the primary management interface, it is possible to manage and monitor your session using Firewall Admin in read-only mode. When managing your CloudGen Firewall configuration through the web interface, be aware of the following:

• Only a subset of the firewall features and services available in Firewall Admin are configurable in the web interface.
• Firewall Admin can be used in monitoring mode only. The firewall configuration is read-only in Firewall Admin. Monitor mode is indicated by the yellow triangle icon at the top of the Firewall Admin tab.
• If the firewall becomes managed by a Control Center, the configuration falls under full control of the Control Center. In this case, the web interface is automatically disabled and shut down.
• When switching from web interface administration to Firewall Admin, the current firewall configuration is automatically saved on the firewall for later reactivation in case you want to switch back from Firewall Admin to the web interface. When managing the firewall configuration from Firewall Admin, the web interface is no longer available.

 

Barracuda Firewall Admin

Barracuda Firewall Admin is a Windows application used to administer your CloudGen Firewalls and Firewall Control Centers. Since Firewall Admin is backward compatible, Barracuda recommends always using the latest version.

Switching Between Management Interfaces

Switching between management interfaces is possible, but you must be aware that configuration changes done via Firewall Admin are not transferable to the web interface should you decide to go back to the web interface at a later time.

Switching from the Web Interface to Firewall Admin

Managing the configuration via Firewall Admin automatically disables the web interface. You can switch management of the firewall configuration to Firewall Admin each time you log into a web-interface-managed firewall or during a Firewall Admin monitor session. Before disabling the web interface, the firewall configuration is backed up internally. If you decide to switch back to the web interface at a later time, the configuration is restored from this internal backup. Configuration changes done via Firewall Admin cannot be transferred to the web interface later. The firewall configuration is now managed by Firewall Admin, and the web interface is disabled. An internal backup of the firewall configuration is created automatically.

Switching from Firewall Admin to the Web Interface

Switching firewall configuration management from Firewall Admin to the web interface re-enables the web interface and restores the internal backup created at the time the web interface was disabled. All configuration changes made in Firewall Admin are discarded, and the configuration is reset to the internal firewall configuration backup. Configuration changes done via Firewall Admin cannot be transferred to the web interface.

 

Firewall Admin Monitor Mode

When managing your firewall configuration via the web interface, Firewall Admin can be used in monitor mode. Monitor mode only allows read-only access to the firewall configuration. All other actions, such as creating PAR files or restarting services or the virtual server, can be completed using Firewall Admin. Monitor mode sessions are marked by a small yellow triangle icon in the session tab.

1.6  Licensing

Licensing differs depending on the platform your CloudGen Firewall or Control Center is running on. There are three basic license types:

• Single licenses – The license is bound to the MAC address of the first network interface.
• Pool licenses – Pool licenses are bundles of single licenses. The license is bound to the Control Center. Pool licenses are part of the Enterprise Licensing model.
• Hourly licenses – This license type is available only for firewalls deployed in AWS or Azure. The license is bound to the VM or instance.

Barracuda CloudGen Firewall Base Licenses

The CloudGen Firewall base license gives you a next-generation firewall with the following features:

• Application Control reporting
• SSL Inspection (available on all models, except F10, VF10 and F101)
• WAN Optimization (compression, Traffic Intelligence, QoS, data caching)
• Unlimited number of VPN clients (client-to-site Barracuda TINA and IPsec VPN)

You can purchase the CloudGen Firewall in three different versions:

Base License Type                               | Installed On                                                            | License Bound To
Hardware License                                | CloudGen Firewall hardware appliance                                    | MAC licenses; Pool licenses
Virtual License                                 | VMware hypervisors; Citrix XenServer; KVM Server; Microsoft Hyper-V     | MAC licenses; Pool licenses
Cloud License                                   | Microsoft Azure; Amazon AWS; Google Cloud (BYOL only)                   | MAC licenses (BYOL); PAYG hourly rate
Software License (legacy phion customers only)  | Standard hardware                                                       | MAC licenses; Pool licenses

 

Hardware Appliances

A CloudGen Firewall or Control Center hardware appliance is bound to a license on activation. If the appliance must be replaced (RMA), the existing license will be transferred to the replacement unit. There are no capacity restrictions for hardware appliances. The only restriction is the system performance of the hardware itself. An unlimited number of protected IP addresses, SSL VPN users, and HTTP proxy users (AV+Webfilter) are included.

Virtual Systems

Virtual systems are classified by a "capacity" number in the model name, which defines the number of protected Firewall IPs, SSL-VPN users, VPN users, and HTTP proxy users (virus scanning and NG Web Filter). This number is enforced for all smaller models of the virtual appliance (CloudGen Firewall VF10 - VF500). CloudGen Firewall VF1000 to VF8000 do not set a software limit to the number of protected IP addresses; the capacity number still applies as a sizing recommendation. Depending on the model number, they are also limited by the number of CPU cores that can be used. You must assign the correct number of CPU cores to your CloudGen Firewall or Control Center Vx.

Public Cloud Systems

CloudGen Firewalls deployed in the Amazon AWS, Microsoft Azure, or Google Compute Cloud public clouds are not restricted to a capacity. Performance is limited only by the performance and number of CPU cores of the virtual instance used. To use any service (Firewall, VPN, etc.), you must have an active Energize Updates subscription. In addition to the services and features included with the Energize Updates subscription on other firewall models, the public cloud SSL VPN and NAC are also included for public cloud firewall BYOL licenses. Alternatively, you can choose to pay an hourly rate for your firewall in AWS or Azure by using the pay-as-you-go (PAYG) image. The PAYG license is generated and bound to the VM or instance on the first boot.

Cold Spare Licensing

For redundancy, you can purchase a CloudGen Firewall without a license and use it as a cold spare replacement. If the production unit fails, call Barracuda Networks Technical Support to transfer the license to the stand-by unit and continue normal operations.

Subscription Licenses

In addition to the base license, you can add the following subscriptions to enhance your firewall:

Barracuda Energize Updates

This license is mandatory for every firewall for the first year. The following features are included with Barracuda Energize Updates:
• 24x5 technical support
• Application Control
• Firmware updates
• Application Control definition updates
• IPS/IDS engine and signature updates
• Barracuda Web Filter
• SSL-VPN Web Forward template updates
• File Content definition updates

Malware Protection

Enables the virus scanner service. This license is available for all CloudGen Firewalls except the F12 and VF10.

Advanced Threat Protection

Enables ATP. A malware subscription license is required, except for the F12, which requires an Advanced Threat Protection license. The number of files you can upload per hour and per month is limited, depending on your firewall model. The number of files scanned is counted in the Barracuda ATP Cloud. If the local counter on your firewall is reset, e.g., by reinstalling the OS, the local counter will be out of sync for the rest of the month. Limits still apply.

Advanced Remote Access

Enables the SSL VPN, NAC, and CudaLaunch support. The Advanced Remote Access subscription is available for the CloudGen Firewall F18 or larger as well as for all CloudGen Firewall Vx and public cloud models. This subscription is automatically included for PAYG firewalls in the public cloud.

Included SSL VPN Features
• Browser-based access via desktop and mobile portals
• SSL VPN-based server-side NAC
• VPN templates for SSL VPN

Included Network Access Client Features
• Windows Personal Firewall
• Windows Health Check via Access Control Service

CudaLaunch
• iOS, Android, Windows, and macOS support
• Central Management of accessible resources and VPN provisioning

User Session Limits
• Unlimited concurrent SSL VPN user sessions
• Unlimited concurrent CudaLaunch sessions
• Multiple concurrent client-to-site VPN sessions by the same user

Instant Replacement Service

Includes the following features:
• Replacement unit shipped next business day.
• 24x7 technical support.
• Hardware refresh every four years.

Barracuda Web Security Service

To use the Barracuda Web Security Service, an additional subscription is required.

Firewall Control Center Licensing

Barracuda Firewall Control Center licenses scale by the number of CloudGen Firewalls that can be managed by the Control Center. The High Availability license is included with the VC820 Global Edition model and can be purchased as an add-on for all other models. For a more detailed description of licensing options, see Barracuda Campus Online Documentation.

2 Deployment

The Barracuda CloudGen Firewall family offers hardware and virtual solutions to meet a wide range of networking requirements, from small branch offices up to large headquarters and data centers. With the CloudGen Firewall Vx, you can run the firewall on hypervisors that integrate effortlessly with your existing network and server infrastructure. And, with the Firewall Control Center Vx, you can centrally manage dozens or even hundreds of your virtual CloudGen Firewall models. Finally, the CloudGen Firewall has been specially designed for cloud deployments with either Microsoft Azure, Amazon AWS, or Google Cloud Platform.

2.1 Hardware Appliance Deployment

The CloudGen Firewall hardware appliances ship with a quick start guide. Follow this guide to connect to your firewall. To protect your network, follow the instructions for the standard deployment:

2.2 Client Configuration

Configure your client PC to use the following static IP address configuration for the network interface connected to the firewall:
• IP Address – 192.168.200.100
• Netmask – 255.255.255.0
• Gateway – 192.168.200.200
• DNS Servers – Enter DNS servers in your network or use public DNS servers.

Management Ports

The management port for the CloudGen Firewall differs depending on the model. Connect the management port to the network the management PC is in.

Hardware System    Management Port    WAN Port
F12 - F400         Port 1             Port 4
F600               Port 1             Port p4
F800               MGMT port          Port p4
F900               MGMT port          Port A4
F1000              MGMT port          Port D4

Default Management Interface

Stand-alone firewalls from the F18 to the F400 use the web interface as the default management interface, with the option to switch to Firewall Admin. For all managed firewalls and for the firewalls F600 and larger, Firewall Admin is the only available management interface.

2.3 Virtual Appliance Deployment

The Barracuda CloudGen Firewall Vx can be deployed on VMware, Xen, KVM, and Hyper-V hypervisors using the virtual images provided by Barracuda. Each image comes with one virtual network adapter by default; additional network interfaces must be added by the admin. Virtual systems are classified by a "capacity" number in the model name that defines the number of protected Firewall IPs, SSL VPN users, VPN users, and proxy users (AV and URL Filter). For specialized installations, use Barracuda Firewall Install and a generic Barracuda CloudGen Firewall ISO image to deploy a custom configuration.

Sizing Your Virtual Machine

Your Vx license limits the number of CPU cores you can assign to your firewall VM. Storage and RAM are not limited by the license and can be sized to fit your needs.

CloudGen Firewall Vx                        Number of Licensed Cores   Minimum Storage [GB]   Minimum Memory [GB]
VF10                                        1                          80                     4
VF25, VF50, VF100, VF250, VF500, VF1000     2                          80                     4
VF2000                                      4                          80                     4
VF4000                                      8                          80                     4
VF8000                                      16                         80                     4
VC400                                       No core limitation         125                    4
VC610, VC820                                No core limitation         250                    4

VMware ESXi
• Supported Versions – VMware ESX(i) version 3.5 or higher
• Image Format – *.ova
• Max Number of virtual network adapters – 10

To deploy the standard configuration, use the OVA image. If you want a custom configuration, download the generic Barracuda CloudGen Firewall Vx ISO image and Barracuda Firewall Install to carry out the deployment.

Citrix
• Supported Versions – Citrix XenServer 6.2 and higher
• Image Format – *.hvm.xva (PVHVM) or *.pv.xva (PV) disk images
• Max Number of virtual network adapters – 7

Xen images come in a PVHVM (mix of fully virtualized and paravirtualized drivers) or PV (only paravirtualized drivers) version. If your Citrix XenServer supports PVHVM, it is recommended to use the PVHVM image for near-native performance.

Opensource Linux Xen
• Supported Versions – XenServer 4.X and higher
• Image Format – Linux shell script (.sh) containing PVHVM or PV disk images
• Max Number of virtual network adapters – 7

Xen images come in a PVHVM (mix of fully virtualized and paravirtualized drivers) or PV (only paravirtualized drivers) version. It is recommended to use the PVHVM image for near-native performance.

KVM
• Supported Versions – KVM 5.4.2 and higher
• Image Format – *.kvm.zip
• Max Number of Virtual Network Adapters – Up to 28 (depending on the configuration and number of devices in the VM configuration)

KVM uses a different approach for attaching devices to the virtual machine. It uses an emulated PCI controller with 32 slots. 5 slots are permanently occupied by necessary system components and the disk controller. The remaining 27 slots can be freely assigned to other devices, including network adapters. The KVM image for the CloudGen Firewall Vx uses the Virtio paravirtualized network adapters for best performance.

Hyper-V
• Virtual Disk Format – *.vhd
• Max Number of Virtual Network Adapters – Up to 8 network adapters + up to 4 additional "legacy network adapters"

Barracuda Networks offers a virtual disk you can use to install the Hyper-V version of the Barracuda CloudGen Firewall.

2.4 License Activation

To automatically download and install the license on your CloudGen Firewall, connect to the firewall with Firewall Admin. Depending on the platform, there are slight differences when activating your CloudGen Firewall license. Licensing must be completed during the initial three-day grace period.

Hardware

Firewall Admin transmits the serial number of your unit to the Barracuda Licensing service and initiates the activation process. After completing the customer information form and accepting the EULA, your license is activated and automatically downloaded and installed on your unit.

Virtual and Public Cloud

You must enter the license token received from Barracuda Customer Services after you purchased your virtual firewall license. Firewall Admin transmits the token to the Barracuda Licensing service and initiates the activation process. After completing the customer information form and accepting the EULA, your license is activated and automatically downloaded and installed on your unit.

Barracuda Licensing Servers

To activate, the firewall and the client running Firewall Admin must have access to api.bcc.barracudanetworks.com and bcc.barracudanetworks.com on TCP port 443. When activating and installing licenses on a Firewall Control Center, only the client running Firewall Admin must have access to the licensing servers.

Using an HTTP Proxy

Firewall Admin automatically uses the proxy address in the Windows registry. If a proxy is entered but disabled, Firewall Admin still uses it. You can enter a proxy in Firewall Admin by navigating to OPTIONS > Settings > Barracuda Activation > Proxy Settings.

Check the License Status

Go to the DASHBOARD > General page and verify that all your purchased licenses are listed in the SUBSCRIPTION STATUS element.

3 Basic Configuration Tasks

3.1 Firewall Admin

Barracuda Firewall Admin is a stand-alone Microsoft Windows application used to administer CloudGen Firewalls, Secure Connectors, and Control Centers. Unlike web-based administration portals, Firewall Admin lets you manage multiple firewalls from a single interface that remains independent from web browser incompatibilities. Firewall Admin is backward-compatible, allowing you to always use the latest Firewall Admin version even if you are managing older, still supported, firmware releases.

Download Firewall Admin

Firewall Admin can be downloaded directly from the Barracuda download portal at: https://dlportal.barracudanetworks.com

System Requirements
• Windows Vista, Windows 7, Windows 8/8.1, or Windows 10
• Microsoft .NET Framework 4.0 or higher
• 50 MB free disk space
• 1 GB RAM
• 1 GHz CPU

Barracuda Firewall Admin User Interface

A tab above the ribbon bar is created for each firewall or Control Center you are logged into. You can log into a single system multiple times. You can also reorganize the tabs by dragging them.

Dashboard

After logging in to your firewall, the DASHBOARD page appears, which offers small, configurable, and movable elements arranged into three tabs: General, Firewall, and VPN. Each element contains specific, continuously updated information, such as system resources, current firewall or VPN throughput, or the number of client-to-site VPN tunnels. Elements can be arranged in the tab by drag-and-drop according to your preferences. Elements can be removed and added to the dashboard as needed.

Service Bar

The service bar is the main navigation and operation utility of the user interface and provides a tab for each main section of the Barracuda CloudGen Firewall or Control Center. Additional services introduced on the Barracuda CloudGen Firewall, e.g., Mail Gateway or VPN, add further tabs to this bar from where you can access settings and sub-sections depending on the configured service.

On the Barracuda CloudGen Firewall, the Barracuda Firewall Admin interface service bar contains the following tabs:
• DASHBOARD – Provides a general system overview of your Barracuda CloudGen Firewall or Firewall Control Center (box level).
• CONFIGURATION – Contains the operative configuration tree for the Barracuda CloudGen Firewall or Control Center.
• CONTROL – On the Barracuda CloudGen Firewall, this tab shows information about virtual server and services, current network status, running processes, system and license status, etc.
• FIREWALL – Provides real-time and historical information on network traffic and application traffic passing the Barracuda CloudGen Firewall.
• ATP – Information about files scanned by the Advanced Threat Protection service.
• VPN – Provides access to VPN real-time information for site-to-site and client-to-site VPN connections, if configured.
• LOGS – Contains information related to system and service logs.
• EVENTS – Contains information related to events that are created on the Barracuda CloudGen Firewall.
• STATISTICS – Contains information related to statistics generated on the Barracuda CloudGen Firewall.
• SSH – Login to the command line interface of the Barracuda CloudGen Firewall (see also: Barracuda Campus Online Documentation).

On the Barracuda Firewall Control Center, the Barracuda Firewall Admin interface service bar contains the following tabs:
• CONTROL – Provides an overview of all connected units on the Barracuda Firewall Control Center.
• CONFIGURATION – Contains the configuration sections for the Barracuda Firewall Control Center.
• DATABASE – Provides details and quick access to available ranges, clusters, boxes, servers, and services of the Barracuda Firewall Control Center.
• ADMINS – Provides access to the section for the administrator's list.
• STATISTICS, EVENTS – These tabs contain pages related to logs, statistics, and events.
• FWAUDIT – Provides access to the section for the Firewall Audit service.

Ribbon Bar

Located directly under the service bar, the ribbon bar provides icons for each section relevant to the selected service bar tab. To access a section, open a tab in the service bar and select an icon from the ribbon bar to open the corresponding settings page. In some cases, you might have to expand the icons section in the ribbon bar to gain access to all sections.

Recent Sessions

To simplify access and for informational purposes, Barracuda Firewall Admin automatically stores box names and IP addresses of recently established Firewall Admin sessions in the Recent Sessions list. All connections are listed in the menu bar on the top left of the page.

To arrange Firewall Admin sessions in groups, right-click a session in the list and select New Group. To add a session to the group, drag it into the group list. You can expand and collapse the group view by clicking the arrow icon in the left corner of the header field. To remove a session from the group, click the X icon, or right-click the entry and select Recent Sessions. To remove a group from the list, click the X icon next to the group header field. After a group was deleted, all sessions are moved back to the Recent Sessions list.

Firewall Admin OPTIONS

The settings for Firewall Admin are accessible through the OPTIONS menu on the top left. Changes to the default settings are stored in the registry of the client. For further information, see the CloudGen Firewall documentation at https://campus.barracuda.com/.

3.2 Configuration Change

Configuration Tab and Example Configuration

Configuration changes are done in the CONFIGURATION tab of Firewall Admin. The Configuration Tree lists all of the configuration pages for your system in a hierarchical order. Double-click on a configuration node to open the page. Each configuration page can be displayed in Basic or Advanced View. The Basic View contains the most commonly used configuration settings, whereas the Advanced View displays all available configuration settings.

Configuration Lock

A configuration page must be locked before you can edit it. Other administrators must wait until you unlock the page. It is possible to break a lock if another admin forgets to unlock a configuration node.

Configuration Changes

Firewall Admin stores your configuration changes locally. They do not take effect until they are sent to the system and activated.

Discarding or Undoing Configuration Changes

To revert to the configuration, you can use two methods:
• Before Send Changes – Clicking Discard in the upper-right corner.
• After a Send Changes – Configuration changes that are already sent to the firewall but not activated yet can be reverted by clicking Undo in the upper-right corner.

Activated configuration changes can only be rolled back if the Revision Control System (RCS) is enabled.

Import/Export Configurations

You can export and import individual configuration elements or entire configuration pages to/from the clipboard or a text file. Click Im/Export in the upper-right corner, or the clipboard icon next to configuration elements.

3.3 Settings

Administrative Settings

Changing the Root Password and Management ACLs

The root password is used for the superuser root. The user root can log into the basic subsystems and OS. Unless set during deployment, the default root password is ngf1r3wall. The root password should be changed immediately after the admin's first login. Do not use the root user for daily configuration tasks; instead, use a firewall account.

Password Requirements

Passwords can consist of lowercase and uppercase letters, numbers, and non-alphanumeric symbols, except whitespace. Barracuda Firewall Admin rates the password strength according to the entered characters. A password strength of strong or best is recommended for the root password.

Management ACLs

The management ACL specifies which IP addresses can access the system. Use the management access control list to whitelist networks that are allowed to connect via Firewall Admin to the firewall or Control Center. Only these whitelisted networks are allowed access to the management IP on TCP ports 22 (secure shell) and 800-820. Access from all other addresses to these ports/addresses is denied. By default, access is allowed from an arbitrary address. Changing the ACL does not terminate active admin sessions. To enforce ACL changes, manually terminate active sessions on the FIREWALL > Sessions page.

Attention! If you enter a wrong network, Firewall Admin will not be able to communicate with the firewall. The only way to revert this change is to log into the physical console of the system and follow the instructions from Barracuda Networks Technical Support to manually recover connectivity to the firewall.
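The lock-out described in the warning above is easy to avoid with a pre-flight check. The following Python model is an added example, not Barracuda code: it evaluates a source address against a whitelist for the management ports the guide names (TCP 22 and 800-820) and refuses an ACL that would exclude the Firewall Admin client's own address. It assumes an empty ACL represents the default "any address" state; the sample networks and client address are constructed.

```python
"""Management ACL model with a lock-out pre-flight check (added example)."""
import ipaddress

# Ports the management ACL governs, as stated in the guide.
MANAGEMENT_PORTS = {22, *range(800, 821)}


def parse_acl(entries):
    """Turn ACL entries ('10.0.0.0/8', '192.168.200.100') into network objects.

    A bare host address becomes a /32 (or /128) network.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_management_access_allowed(acl, src_ip, dst_port):
    """Return True if src_ip may reach the management IP on dst_port.

    Assumption (not stated in the guide): an empty ACL is the default
    state in which access is allowed from an arbitrary address.
    """
    if dst_port not in MANAGEMENT_PORTS:
        return False  # not a management port; the ACL does not open it
    if not acl:
        return True  # default: any address
    addr = ipaddress.ip_address(src_ip)
    return any(addr in network for network in acl)


def preflight_acl_change(new_entries, admin_client_ip):
    """Check that the Firewall Admin client stays inside the new ACL.

    Returns (ok, message). ok is False when sending new_entries would cut
    off the client at admin_client_ip, which the guide says can only be
    recovered from the physical console.
    """
    acl = parse_acl(new_entries)
    # Port 800 stands in for the Firewall Admin port range checked above.
    if is_management_access_allowed(acl, admin_client_ip, 800):
        return True, f"{admin_client_ip} remains whitelisted by {new_entries}"
    return False, (f"{admin_client_ip} is not covered by {new_entries}; "
                   "applying this ACL would lock Firewall Admin out")


if __name__ == "__main__":
    # Constructed scenario: the admin PC from the client configuration
    # section (192.168.200.100) and a proposed ACL that forgets its subnet.
    print(preflight_acl_change(["10.0.0.0/8"], "192.168.200.100"))
    print(preflight_acl_change(["10.0.0.0/8", "192.168.200.0/24"],
                               "192.168.200.100"))
```

Run the check against the exact entries you are about to send; the first call in the demo reports the lock-out, the second passes.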

DNS

You can define the DNS domain or suffix for the firewall and the DNS server to be used for DNS requests. The Box DNS Domain field specifies the DNS suffix for the system. When a hostname is resolved, the suffix is automatically added to the DNS request sent to the DNS server. It is recommended to enter multiple DNS servers.

NTP

Precise timekeeping is very important for the firewall and Control Center. HA synchronization, data accounting, Control Center configuration updates, logging, event notification, and other time-based services rely on a correct system time. The NTP daemon can be configured to listen on the management IP, additional local IP addresses, and, if remote-managed, the VIP address of the managed firewall on port UDP/123. Connections to the NTP daemon are handled by the host firewall. Two synchronization methods are supported:
• NTP Servers – The firewall acts as a client and retrieves and sets the time according to the time retrieved from the NTP server. You can use multiple NTP servers. The time deviation between the NTP server and the firewall must be less than 1000 seconds for the synchronization to succeed. To continuously synchronize the time with an NTP server, you must enable the NTP daemon. If multiple time servers are used, the time server with the lower stratum value is preferred.
• NTP Peers – To keep the time in your network synchronized when the NTP servers are unavailable, use the two-way NTP peer synchronization. NTP peers will converge toward a median time in multiple steps. No synchronization step can exceed two minutes. This means that two systems might take some time to synchronize. You can use MD5, SHA, SHA1, RipeMD160, and autokey authentication.

When using a Barracuda Firewall Control Center for multiple systems in different time zones, consider using UTC for all your systems.

Attention! When you run the NTP, your system becomes vulnerable to NTP exploits and UDP-based DoS attacks. Never use untrusted reference time servers or run a time server in a hostile environment.

Email Notification Some services, such as ATP or the Virus Scanner service, can be configured to send email notifications. The configured email address is used for both the sender (to) and the source (from) in the notification emails.

Telemetry Data

To allow us to continuously update and improve the features frequently used by our customers based on real-world data, the CloudGen Firewall sends performance and usage data to the Barracuda telemetry servers at updates.cudasvc.com. Sending statistics is opt-out for new or freshly installed firewalls and opt-in for updated firewalls. For firewalls in the public cloud (AWS, Google, or Azure), telemetry cannot be completely disabled; the minimal set of parameters is always transmitted. The firewall collects data and then starts one attempt to update the telemetry data via an HTTPS connection. If the connection to the update servers fails, no further attempts are made until the next day. A copy of all parameters sent to the telemetry servers is logged every time an update is initiated. The Firewall Control Center only sends data collected on box level. No data from the Control Center layer is collected. To see what data your firewall is sending to the telemetry servers, go to the \Box\Control\Telemetry log file.

3.4 Network Configuration

All box level network configurations are configured on the CONFIGURATION > Configuration Tree > Box > Network page.

Management IP Configuration

You can change the management IP address and interface to match your requirements. If the client is not in the same subnet, make sure the new management IP address is reachable from the client running Firewall Admin. If needed, add a gateway route. You must activate the network changes for the management IP change to take effect.

Interfaces

The network interfaces attached to the firewall are listed here. On hardware systems, the interfaces and port names are detected automatically. For systems with modular port bays, the port setup must be selected from the Appliance Sub Model Type list. In the Physical Interfaces table, you can disable auto-negotiation, specify a manual speed, set a customized MTU, and select the used driver.

Adding an Additional Interface on the Virtual System

On virtual systems, you can increase the number of network interface cards up to the maximum number supported by your hypervisor. All interfaces on virtual systems are named according to UNIX standards. The first port is named eth0; the second port is named eth1, and so forth. If the number of interfaces configured exceeds the number attached to the virtual machine, the network activation fails.

IEEE 802.1Q VLAN Tagging

VLANs allow you to split one physical network interface into several virtual LANs. The physical interface behaves like several interfaces, and the switch behaves like multiple switches. VLANs allow for layer 2 separation whenever layer 1 separation is not possible. The Barracuda CloudGen Firewall can use up to 256 VLANs on one physical network interface and a maximum of 4094 VLANs globally. The VLAN interfaces are named <interface>.<VLAN ID> (e.g., eth2.200). The firewall also provides native VLAN support to allow untagged traffic over tagged interfaces. You must use a properly configured 802.1Q VLAN-capable switch and NICs that use drivers capable of tagging VLAN traffic.

Ethernet Bundles

Ethernet bundles combine multiple physical ports into a single virtual link to increase the physical bandwidth available for the connection. You also increase the fault tolerance of the Ethernet link because the connection will continue to work even if one link fails. The Ethernet bundles feature is also known as "Etherchannels," "Link Aggregation," "Trunking," or "Bonding," depending on the vendor. You can create a maximum of 16 Ethernet bundles on a Barracuda CloudGen Firewall. Ethernet bundles can be operated in one of the following modes:
• Balance-RR – In this mode (round-robin policy), as many configured slave interfaces as possible are activated. The kernel will distribute network traffic sent to the master interface sequentially to all slave interfaces involved. In a similar fashion, inbound traffic to any of the slave interfaces is directed to the master interface.
• Active Backup – In this mode (active backup policy), at least two interfaces are required, with only a single slave interface being active at any one time. A prolonged failure of the link check on the active interface will trigger the activation of a backup slave interface. Only the link status is monitored, not whether actual traffic can be transmitted over the connection.
• Balance-XOR – The link is chosen by calculating a hash out of the source/destination MAC addresses (Layer 2) combined with the IP addresses (Layer 3). Depending on the hash, an interface is selected. This ensures that sessions from the same interface always use the same link from the Ethernet bundle.
• Broadcast – Everything is transmitted on all slave interfaces.
• 802.3ad Link Aggregation – Uses the LACPDU protocol to negotiate automatic bundling of links. The directly connected devices must also support LACPDU.
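To make the difference between the bundle modes concrete, here is an added Python model of how each mode picks the outgoing physical link for a frame. It is not Barracuda or Linux kernel code: round-robin cycles through the slaves that are up, active-backup uses the first slave whose link is up (matching the guide's note that only link status is monitored), balance-xor hashes the source/destination MAC and IP addresses so one session always leaves via the same link, and broadcast returns every slave. The XOR of address bytes is a simplified stand-in for the kernel's hash, and the MAC/IP values in the test are constructed. 802.3ad is left out because it depends on the peer's LACP state.

```python
"""Slave selection per Ethernet bundle mode (added example, simplified)."""
import ipaddress
import itertools


def _mac_bytes(mac):
    """'00:11:22:33:44:55' -> b'\\x00\\x11\\x22\\x33\\x44\\x55'."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def balance_xor_hash(src_mac, dst_mac, src_ip, dst_ip):
    """Fold layer 2 and layer 3 addresses into one small integer.

    Simplified illustration of a layer2+3 hash, not the kernel's formula:
    the same five-tuple inputs always give the same value, which is what
    keeps a session on one link.
    """
    h = 0
    for b in _mac_bytes(src_mac) + _mac_bytes(dst_mac):
        h ^= b
    for ip in (src_ip, dst_ip):
        for b in ipaddress.ip_address(ip).packed:
            h ^= b
    return h


class EthernetBundle:
    MODES = ("balance-rr", "active-backup", "balance-xor", "broadcast")

    def __init__(self, mode, slaves):
        if mode not in self.MODES:
            raise ValueError(f"unsupported mode {mode!r}")
        self.mode = mode
        self.slaves = list(slaves)
        self.link_up = {s: True for s in self.slaves}  # link state per slave
        self._rr = itertools.cycle(self.slaves)         # round-robin pointer

    def set_link(self, slave, up):
        """Simulate the link check reporting a slave as up or down."""
        self.link_up[slave] = up

    def select(self, src_mac, dst_mac, src_ip, dst_ip):
        """Return the list of slaves the frame is transmitted on."""
        up = [s for s in self.slaves if self.link_up[s]]
        if not up:
            return []  # no usable link in the bundle
        if self.mode == "balance-rr":
            # next slave in turn, skipping links that are currently down
            for _ in range(len(self.slaves)):
                candidate = next(self._rr)
                if self.link_up[candidate]:
                    return [candidate]
            return [up[0]]
        if self.mode == "active-backup":
            return [up[0]]  # first slave with link; others stay idle
        if self.mode == "balance-xor":
            index = balance_xor_hash(src_mac, dst_mac, src_ip, dst_ip) % len(up)
            return [up[index]]
        return list(up)  # broadcast: every active slave
```

Note that in the balance-xor case a link failure changes the modulus, so sessions are redistributed across the remaining slaves; in active-backup a failed link simply moves all traffic to the next slave that is up.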

Hardware Appliances with Integrated Switches

Some hardware appliances such as the F180 and F280 Rev B feature an integrated 8-port switch. The switch is treated just like any other routed port in the firewall configuration. You can plug eight clients into the switch ports and then configure the ports as the default gateway. Each switch port is visible in the port element on the Firewall Admin dashboard.

VRF

Virtual routing and forwarding (VRF) is a technology based on the operating principle of a physical router. Unlike a single router, virtual routers (VR) can be run simultaneously as multiple instances. Each of these instances uses its own routing and forwarding table. Because each virtual router instance (VRI) runs autonomously, traffic on the assigned interfaces is separated from the traffic managed by other virtual routers. This special separation of networks increases network security without having to use VPNs like on a common network. Because it is possible to use the same IP addresses or IP ranges on multiple virtual routers, which can even overlap without conflicting with each other, virtual routers can also be used for managing network traffic for multiple networks with identical network configurations simultaneously on the firewall.

Bridging A Layer 2 bridge checks the destination MAC address of each incoming frame. If the MAC address is assigned to the bridge computer, the frame is processed by it as the destination. If the MAC address is not assigned to the bridge computer, the network bridge notes the source address of the frame and the port on which the frame was received and either creates or refreshes an entry in a Layer 2 bridge table. The port is a number that identifies the network adapter and its corresponding LAN segment. Each entry in the Layer 2 bridge table consists of a MAC address, the port number corresponding to the LAN segment on which a frame from the MAC address was received, and a timeout value. Entries in the Layer 2 bridge table persist for 5 minutes before being removed.
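The learning and ageing behaviour described above can be followed step by step in the following Python model. It is an added example, not Barracuda code: every received frame creates or refreshes the source MAC's entry (port plus expiry), entries disappear after the 5 minutes the guide states, and the forwarding decision goes one step beyond the text by distinguishing "forward to the learned port", "filter because the destination is on the receiving segment" and "flood to all other ports". The bridge MAC, port numbers, and frames are constructed; time is passed in explicitly so the ageing is deterministic.

```python
"""Layer 2 learning bridge with a timed MAC table (added example)."""

ENTRY_TIMEOUT = 5 * 60  # seconds an entry persists, per the guide


class LearningBridge:
    def __init__(self, own_mac, ports):
        self.own_mac = own_mac.lower()   # MAC assigned to the bridge itself
        self.ports = set(ports)          # port numbers = LAN segments
        self.table = {}                  # MAC -> (port, expiry timestamp)

    def _expire(self, now):
        """Drop table entries whose timeout has elapsed."""
        for mac in [m for m, (_, exp) in self.table.items() if exp <= now]:
            del self.table[mac]

    def lookup(self, mac, now):
        """Return the learned port for mac, or None if unknown or expired."""
        self._expire(now)
        entry = self.table.get(mac.lower())
        return entry[0] if entry else None

    def receive(self, src_mac, dst_mac, in_port, now):
        """Process one frame and return the decision taken for it.

        'local'             the bridge itself is the destination
        ('forward', port)   destination learned on another port
        ('filter', port)    destination is on the receiving segment
        ('flood', ports)    destination unknown: send to all other ports
        """
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        self._expire(now)
        # Learn: note source address and receiving port, create or refresh
        self.table[src_mac] = (in_port, now + ENTRY_TIMEOUT)
        if dst_mac == self.own_mac:
            return "local"
        entry = self.table.get(dst_mac)
        if entry is None:
            return ("flood", sorted(self.ports - {in_port}))
        if entry[0] == in_port:
            return ("filter", in_port)
        return ("forward", entry[0])


if __name__ == "__main__":
    # Constructed walk-through: broadcast from port 1, reply from port 2,
    # then the same lookup after the 5-minute timeout has passed.
    bridge = LearningBridge("00:11:22:33:44:55", [1, 2, 3])
    print(bridge.receive("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", 1, 0))
    print(bridge.receive("bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01", 2, 20))
    print(bridge.lookup("aa:aa:aa:aa:aa:01", 300))
```

A MAC that stays silent for five minutes is forgotten, so the next frame to it is flooded until it sends again; that is the behaviour to expect on CONTROL > Network after a host on a bridged segment has been idle.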


RSTP

RSTP is a network protocol for redundant network path management. If local networks contain redundant paths, RSTP deactivates them and reactivates them if the other redundant path becomes broken. The user interface for configuring RSTP is fully integrated in the UI for Layer 2 bridging. The configuration requires you to define RSTP trees and then assign the trees to the interfaces.

3.5 Routing

Routing tables are used to store the best path to a remote network. Routing tables are processed from top to bottom; if the source of the outgoing packet matches, the routes in the routing table are evaluated and the packet is forwarded to the correct interface, next hop gateway, or VPN tunnel. Routes are evaluated first by the destination of the IP packet, then by route metric (preference), and then by scope (network size) to determine which route matches. Two routes of the same scope (e.g., /24) and metric cannot be created. The management network always uses a preference of 0.

• If two routes with different preferences exist, the route with the lower preference is chosen. E.g., 10.0.10.0/25 (preference 10) is preferred over 10.0.10.0/25 (preference 100).
• If two routes with the same preference exist to a destination, the route with the smaller (more specific) network is used. E.g., 10.0.10.0/24 is preferred over 10.0.0.0/16.
• VPN routes are placed in a source-based route table (premain) by default. If single routing table is enabled in the VPN Settings, VPN routes are inserted into the main routing table with a preference of 10.
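The route selection order stated in this section, carried out on a small constructed routing table as an added example (not Barracuda's routing code): destination match first, then the lower preference, then the more specific network, plus the check that refuses two routes of the same scope and metric. The networks, preferences and interface names are constructed for the illustration.

```python
import ipaddress

# Constructed routing table for this section's scenario (not a real firewall
# configuration): (target network, preference, what the route points at).
ROUTES = [
    ("10.0.9.0/24", 0, "management eth0"),     # management network, preference 0
    ("10.0.10.0/25", 10, "eth1"),
    ("10.0.10.0/25", 100, "eth2"),             # same scope, worse preference
    ("10.0.10.0/24", 10, "eth3"),
    ("10.0.0.0/16", 10, "eth4"),
    ("0.0.0.0/0", 10, "gateway 62.99.0.254"),  # default gateway route
]


def check_no_duplicates(routes):
    """Reject what the firewall refuses to create: two routes with the same
    target network (scope) and the same metric."""
    seen = set()
    for target, preference, _ in routes:
        key = (ipaddress.ip_network(target), preference)
        if key in seen:
            raise ValueError(f"duplicate route {target} with preference {preference}")
        seen.add(key)


def select_route(routes, destination):
    """Apply the selection order stated above: keep the routes whose target
    contains the destination, prefer the lowest preference value, and among
    equal preferences prefer the more specific (longer prefix) network.
    Returns (target, preference, next hop) or None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [
        (ipaddress.ip_network(target), preference, hop)
        for target, preference, hop in routes
        if dst in ipaddress.ip_network(target)
    ]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (r[1], -r[0].prefixlen))
    return str(best[0]), best[1], best[2]


if __name__ == "__main__":
    check_no_duplicates(ROUTES)
    for ip in ("10.0.9.7", "10.0.10.5", "10.0.10.200", "10.0.50.1", "198.51.100.8"):
        print(ip, "->", select_route(ROUTES, ip))
```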
Directly Attached Network Routes (Direct Routing)

Directly attached network routes define how to reach networks that are directly connected to an interface (virtual or physical) of the firewall. To define a directly attached network route, you must enter:

• Target network – The target network in CIDR format. E.g., 10.0.8.0/24
• Interface – The network interface on the Barracuda CloudGen Firewall the network is attached to. E.g., eth2 or port 2

After you have introduced the directly attached route and activated the network configuration, the route is in a pending state. Pending routes are marked with a grey X icon in CONTROL > Network and are not active. When a virtual server IP address from this network is introduced, the route becomes active and a green icon is displayed for the route. In the example above, you must create a direct route for the ISP-issued 62.99.0.0/24. To reach the Internet, a gateway route (see below) must be created. If you enter the optional gateway IP address when creating the directly attached route, the default gateway route is created automatically.

 

You do not need to create a directly attached route for the network the management IP address is in. This route is created automatically when the management IP address is configured.

Using Additional Local IPs to Directly Attach Networks

Additional local IP addresses are a combination of a box level IP address and a directly attached route. The route becomes active when the network configuration is activated; because of the additional IP address, the route is never pending. Add the additional IP addresses in CONFIGURATION > Configuration Tree > Box > Network. IP addresses assigned on box level should not be used on the server layer of a high availability cluster. When using the IP address on box level, the route will remain active even if the virtual server is running on the other firewall in the HA cluster.

Gateway Routes (Next Hop Routing)

To reach networks that cannot be directly accessed, you must define gateway routes. A common gateway route is the default route (0.0.0.0/0), which forwards all packets not belonging to one of the directly attached networks to the remote gateway provided by the ISP. Before adding a gateway route, a direct route must be configured. Otherwise, you cannot contact the next hop IP address. If you are using multiple gateway routes for the same target network, you must give them different route metrics. To define a gateway route, you must enter:

• Target network – Target network in CIDR format. E.g., 0.0.0.0/0 for the default route
• Next hop address – IP address of the gateway device the traffic is sent to. E.g., 62.99.0.254

After adding the gateway route, you must initiate a Failsafe network activation for the route to become active (in CONTROL > Network).



3.6 Dynamic Network Connections

The CloudGen Firewall supports different types of dynamic network connections. Unlike statically configured, directly attached networks or additional local IP addresses, dynamic connections are automatically assigned and may change every time the interface is brought up. All dynamic connections are configured on the box layer. When an IP address is assigned to the interface, the firewall can instantly communicate in the network. Gateway routes and DNS servers can be added.


DHCP Client Connections

When an interface is assigned to a DHCP client configuration, it is removed from the list of available interfaces. You can view your DHCP client connections on the CONTROL > Network page. A maximum number of twelve links can be connected.

xDSL Connections

An xDSL connection is a tunneled connection using Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP), depending on your ISP. The CloudGen Firewall supports up to four xDSL connections. The WAN IP address assigned by the ISP can be dynamic or static. The CloudGen Firewall F82 with an internal DSL modem allows you to directly connect your ISP connection to the firewall without the need for an external modem.

External DSL Modem

With an external xDSL modem, xDSL capabilities are restricted to the dial-in protocol. Barracuda Networks currently supports PPPoE, PPPoA, and PPTP for DSL. Typically, the modem supplied by your ISP is connected to the firewall using an Ethernet port. A maximum of four xDSL links can be configured using ports ppp1 to ppp4, which are exclusively reserved for xDSL connections. The port names can be edited with the names of the configured DSL links.


CloudGen Firewall with Internal DSL Modem

Some CloudGen Firewall models feature a built-in DSL modem. The DSL modem is a separate network device that is internally linked to the firewall. Configurations from the firewall are pushed to the DSL modem via an internal configuration network. The DSL modem can be used in two modes:

• Bridge Mode
• Advanced Mode

These operating modes determine whether the firewall or the DSL modem initiates the PPP connection. They also determine which and how many ports of the DSL modem can be used. In Bridge Mode, the DSL modem is in Pass-Through Mode, and the xDSL connection is established by the firewall. The public IP address assigned by the ISP is visible on the firewall. Only the WAN1 interface can be used, and the ISP must support retrieving the public IP address via DHCP.

In Advanced Mode, both the WAN1 and WAN2 interfaces can be used individually or in Active/Passive Mode with WAN2 as the standby xDSL connection. The firewall uses a transfer network to pass traffic through from the DSL modem. The xDSL connection is transparently handled by the DSL modem. The public IP address can be set statically or retrieved via DHCP. Advanced Mode must also be used if your ISP requires a physical connector that is compatible only with the WAN2 interface. In this case, the WAN1 interface is deactivated in order to use the WAN2 interface as the active interface.

The IP addresses used for the internal configuration network of the DSL modem must be unique in the network. In case of IP address conflicts, the configuration must be changed to use a different unused network. If the connection between the firewall and DSL modem is lost due to misconfiguration or to reinstalling the firewall, the DSL modem must be reset via the pinhole to use the default 192.168.1.1 IP address again.

WWAN Connections

WWAN connections are ideal for backup lines or for use in mobile offices or locations with no terrestrial Internet links. An external Barracuda Networks WWAN modem that is connected to the firewall via USB is required.


Controlling Dynamic Connections Via Firewall Admin

To start, restart, or stop a dynamic connection, go to the CONTROL > Box page. In the left menu, expand Dynamic Networks. Click on the action for the dynamic interface:

• Restart-ALL
• Stop-ALL
• OFF
• Restart-Link
• Stop-Link

Via Command Line

Dynamic connections can also be handled from the command-line interface via a server-side script:

• Start all DHCP connections – /etc/phion/bin/openxdhcp start &
• Stop all DHCP connections – /etc/phion/bin/openxdhcp stop &
• Start an explicit DHCP connection – /etc/phion/bin/openxdhcp start <linkname> &
• Stop an explicit DHCP connection – /etc/phion/bin/openxdhcp stop <linkname> &
• Start all xDSL connections – /etc/phion/bin/openxdsl start &
• Stop all xDSL connections – /etc/phion/bin/openxdsl stop &
• Start an explicit xDSL connection – /etc/phion/bin/openxdsl start <linkname> &
• Stop an explicit xDSL connection – /etc/phion/bin/openxdsl stop <linkname> &

<linkname> is the name of the configuration entry in the xDSL or DHCP links list.

3.7 Activating Network Configuration Changes

After changing the configuration of the network subsystem, you must activate the new network configuration. Depending on whether the management IP address is also changed, the following options are available:

Network Activation Without Changes to the Management IP Address

• Failsafe – A backup of the existing configuration is created, and the new network configuration is activated. If the connection to Barracuda Firewall Admin is established successfully after activation, the network activation is complete. If it fails, the network configuration is reverted to the previously working state. During activation in Failsafe mode, the whole network system is shut down, and the firewall is briefly unreachable. Active connections may time out.
• Force – In this activation mode, the new network configuration is activated without making a backup of the old configuration. If the new network configuration does not work, there is no fallback mechanism. During activation in Force mode, the whole network system is shut down and the firewall is briefly unreachable. Active connections may time out.
• Soft – A soft activation is used to immediately activate changes, for example IPv6 and VLAN network configuration. Unlike failsafe and force, a soft activation does not restart the network subsystem. Active connections continue uninterrupted. Changes to IPv4 network configurations activated with a soft network activation might be picked up by services such as the control service, which monitors the active network configuration. If changes are detected, these services might introduce the detected changes immediately. Network configuration changes that are not immediately introduced or detected after the soft activation require a reboot to complete.

Network Activation with Management IP Address Changes

• Activate now – Use this option when a management IP address has been changed. After the new network configuration has been activated, the firewall reconnects to the new IP address. During activation in this mode, the firewall is shut down and connections may be interrupted. Alternatively, you can soft activate the new network configuration and reboot the firewall or Control Center for the network configuration changes to take effect.

3.8 Virtual Servers and Services

Virtual servers represent the main operative instance on the CloudGen Firewall next to global settings and box configuration objects. The virtual server layer manages all IP addresses that are required for the services running on the virtual servers. It introduces all IP addresses that are needed for proper operation except remote management and HA-layer IP addresses. Even though virtual server contains the word "virtual", there is no virtualization between the box layer and the virtual server layer. The term "virtual" is used to describe the logically separated servers that are running on the system. You can create multiple virtual servers on each firewall.

Virtual Servers

The virtual server layer runs on the box layer of the CloudGen Firewall. It is a purely logical layer whose most important function is to make IP addresses available for the services (service layer). Introduce all IP addresses on the virtual server that will be used for the services running in the virtual server. These IP addresses must be in one of the networks for which a directly attached network route exists on box level. It is not recommended to use the management or additional box level IP addresses because this could cause problems in HA cluster configurations. When a virtual server is started, it assigns IP addresses to its services, causing the box layer to automatically activate pending directly attached network routes. Once created, virtual servers cannot be renamed.

Preconfigured Virtual Server S1

By default, the virtual server S1 is already created on every CloudGen Firewall except the larger hardware models. To avoid duplicated IP addresses within networks, this virtual server listens on the loopback IP address 127.0.0.9. On stand-alone CloudGen Firewall systems, you can keep the default virtual server S1. On firewalls you want to manage with a Control Center, create a new virtual server because virtual server names must be unique in the cluster.


Virtual Servers in the Control Center

On the Barracuda Firewall Control Center, virtual servers are created in the Control Center cluster. The setup procedure is very similar to the procedure on a stand-alone firewall, which means that you can create a server and assign the network IP addresses and services. Virtual servers act as separate configuration entities, so you can copy them from one cluster to another.

Virtual Server Names

Virtual server and service names can have a length of 30 characters each.

Services

The service layer runs on the virtual server layer of the firewall. It introduces the services such as firewall, HTTP proxy, VPN, and DHCP. The services use the configured IP addresses of the virtual server on which they are running. If the virtual server shuts down, all of the assigned services and IP addresses are also shut down and made unavailable.

Service Limitations

Some services can only be introduced once on a CloudGen Firewall:

• Forwarding Firewall – Because the Firewall module is based on the kernel, you can only have one firewall service per firewall.
• VPN – Because the VPN service is based on the kernel, it can only be introduced once on a firewall. The forwarding firewall and VPN service must be in the same virtual server.
• Access Control and Mail Gateway – These services provide a user interface that is always bound to the first introduced service of their type.
• HTTP Proxy – The HTTP proxy service can be introduced multiple times, but the HTTP proxy fail cache interface can only be used by one service.
• HTTP Proxy and Web Filter – You must also configure the HTTP proxy service and the web filter service on the same system and assign them to the same virtual server.

Guidelines for Service Names

The service name can be up to 30 characters. Before creating a service, define a naming standard that helps you identify the firewall, virtual server, service, and location. This is important for large deployments with multiple firewalls.


4 Firewall Policies

4.1 Firewall Service Overview

The primary purpose of a firewall is to apply access and security policies to traffic entering and leaving your networks. Two different firewall services are responsible, depending on the destination of the traffic:

• Host Firewall – The host firewall handles local inbound and outbound traffic. The host firewall runs on box level.
• Forwarding Firewall – The forwarding firewall service handles traffic passing through the firewall. The forwarding firewall runs as a service in a virtual server.



Host Firewall

The host firewall runs on the box layer of every CloudGen Firewall and Control Center and cannot be removed. The host firewall handles connections where the target IP address and port number match a listening socket of a service on the firewall. The boxfw is the system process for the host firewall. In addition to managing local traffic, the boxfw also manages other traffic handlers such as SIP, RPC, Timer, Audit, and Sync. Restarting the boxfw service reinitializes the service handlers and reloads the ruleset. The boxfw service is always running. You can have only one host firewall on a system. Examples of connections that are handled by the host firewall are:

• An incoming connection from a web browser to the HTTP Proxy service
• An outgoing connection from the HTTP Proxy service running on the firewall to a web server on the Internet
• Outgoing and incoming VPN traffic from the VPN service to the tunnel endpoint
• Outgoing NTP or DNS queries

Forwarding Firewall

The forwarding firewall runs as a service on a virtual server. It handles all traffic that does not match a listening socket on the firewall. You can create one (forwarding) Firewall service on each CloudGen Firewall. This service listens to all IP addresses configured for the virtual server and is responsible for all connections that are transferred over the firewall to a remote host. The access rules for the forwarding firewall are maintained in the forwarding ruleset. The forwarding firewall is tightly integrated with all Application Control features, such as the Virus Scanner, Advanced Threat Protection (ATP), Intrusion Prevention System (IPS), or the URL Filter. Examples of connections that use the forwarding firewall are:

• A web browser that connects to an external web server without using the HTTP Proxy service.
• A ping to an external Linux server.
• Traffic coming out of a VPN tunnel.

Limitations

• Only one forwarding firewall service is allowed per CloudGen Firewall.
• The firewall handles only IP protocols.

4.2 Firewall Rulesets

By default, without any access rules in the ruleset, all traffic is blocked by the firewall. To allow traffic, you must create rules in the firewall ruleset and place them in the correct order. Both the host firewall and the forwarding firewall service have their own dedicated rulesets. These rulesets determine the order in which incoming traffic is matched against the access rules. Rules are processed from the top to the bottom; the first access rule that matches is executed. If the traffic does not match the first rule, the next rule is then evaluated, continuing in this way from top to bottom until a matching rule is found. If none of the rules match, the connection is blocked. Place the more granular, specific rules toward the top of the ruleset, and the broader, general rules toward the bottom. An access rule will not match if a rule before it matches the same traffic.

Forwarding Firewall Rulesets

The forwarding firewall service uses two rulesets:

• Firewall Access Ruleset – The access ruleset operates on the OSI network layers 3 and 4. The access ruleset contains a list of access rules to filter. Incoming traffic is compared against the matching criteria set within each access rule. When a match is found, the action set in the access rule is executed.
• Application Ruleset – The application ruleset operates on the OSI network layer 7. If Application Control is enabled in an access rule that is executed, the application ruleset is evaluated. Application rules allow you to pass or block connections depending on the application type.


Host Firewall Rulesets

The host firewall ruleset is split into rule lists for inbound and outbound traffic. The inbound/outbound rule lists are processed before the inbound user/outbound user rule lists.

• Inbound / Inbound User
• Outbound / Outbound User



4.3 Access Rules

Access rules are used to filter traffic based on a set of required and optional criteria. When all criteria match, the packet is blocked or allowed. Allowed packets can further be changed depending on the action type and connection method.

Matching Criteria

When the firewall receives a request, it evaluates the ruleset to find a rule matching the traffic. Some of the matching criteria are required, some optional.

Required Matching Criteria

Access rules are policies that define the action taken for matching traffic. The basic matching criteria are:

• Source – The source IP address or network.
• Destination – The destination IP address or network.
• Service – Destination port and, in some cases, protocol.
• (In case VRF is activated) Because overlapping IP addresses are allowed with multiple virtual router instances, you must configure the following two options in order to avoid unexpected matching results:
  o Source VR Instance – specify the source virtual router instance
  o Destination VR Instance – specify the destination virtual router instance

Optional Matching Criteria

• User – Allow or block access to network resources based on user information.
• Time – Allow or block access to network resources based on time or date.

Access Rule Actions

When an access rule matches, the connection is either allowed or blocked depending on the action.

Traffic is Blocked

Actions that block traffic use red icons in the access rule editor.

• Block – Connections blocked using the BLOCK action are silently dropped. The sender eventually sees a connection timeout.
• Deny – Connections blocked using the DENY action are actively rejected with a TCP response with the reset flag set or, for UDP, an ICMP unreachable message.

Traffic is Allowed

Actions that allow traffic use green icons in the access rule editor.

• Pass – All traffic matching the access rule is forwarded.
• Dst NAT / MAP / App Redirect – The firewall allows the traffic. Additionally, these action types rewrite the destination IP address of the packet.
• Broadcast Multicast – Allows broadcasts on bridged interfaces.
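The top-down, first-match evaluation of section 4.2 together with the Block/Deny/Pass outcomes above, as an added example (not Barracuda's firewall code): a constructed two-rule forwarding ruleset is evaluated for sample connections, and reversing the rule order shows how a general Pass rule placed first shadows the specific Block rule beneath it. The rule names, networks and the "proto/port" service notation are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str        # "Pass", "Block" or "Deny"
    source: str        # source network in CIDR notation
    destination: str   # destination network or single IP address
    service: str       # "Any" or "<proto>/<port>", e.g. "tcp/80"


# Constructed forwarding ruleset, ordered top to bottom: the specific HTTP
# block for the DMZ host sits above the general LAN-to-DMZ pass rule.
RULESET = [
    Rule("LAN-2-DMZ-HTTP", "Block", "10.0.8.0/24", "172.16.0.10", "tcp/80"),
    Rule("LAN-2-DMZ", "Pass", "10.0.8.0/24", "172.16.0.0/24", "Any"),
]


def rule_matches(rule, src_ip, dst_ip, proto, port):
    """Required matching criteria: source, destination and service."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.destination):
        return False
    return rule.service == "Any" or rule.service == f"{proto}/{port}"


def verdict(action, proto):
    """What the sender observes for each action type."""
    if action == "Pass":
        return "forwarded"
    if action == "Block":
        return "dropped silently (sender sees a timeout)"
    if action == "Deny":
        return "rejected with TCP RST" if proto == "tcp" else "rejected with ICMP unreachable"
    raise ValueError(f"unknown action {action}")


def evaluate(ruleset, src_ip, dst_ip, proto, port):
    """Top-down, first match wins; no match means the connection is blocked.
    Returns (name of the matching rule or None, verdict)."""
    for rule in ruleset:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return rule.name, verdict(rule.action, proto)
    return None, "dropped silently (no matching rule)"


def shadowed_rules(ruleset, samples):
    """Names of rules that never fire for any of the sample connections
    because a rule above them already matches that traffic."""
    fired = {evaluate(ruleset, *sample)[0] for sample in samples}
    return [rule.name for rule in ruleset if rule.name not in fired]


if __name__ == "__main__":
    samples = [("10.0.8.5", "172.16.0.10", "tcp", 80),
               ("10.0.8.5", "172.16.0.10", "udp", 53)]
    print(evaluate(RULESET, *samples[0]))
    print("shadowed when the order is reversed:",
          shadowed_rules(list(reversed(RULESET)), samples))
```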

4.4 Firewall Objects

Firewall objects are named collections that represent specific networks, services, applications, user groups, or connections. The default configuration already contains a set of frequently used firewall objects, but you can also create custom firewall objects. Firewall objects are re-usable, which means that you can use one firewall object in as many rules as required. Using firewall objects offers the following advantages:

• Each firewall object has a unique name that is more easily referenced than, for example, an IP address or a network range.
• Maintenance of the firewall rulesets is simplified. When you update a firewall object, the changes are automatically updated in every rule that refers to this object.
Network Objects

Network objects reference networks, IPv4 and IPv6 addresses, hostnames, geolocation objects, MAC addresses, and interfaces. MAC address and interface are optional components that are only evaluated when the network object is used as the source in an access rule. For all other uses these optional parameters are ignored. A network object can also include other existing network objects. When creating a network object in the forwarding or host firewall ruleset, the scope of the object is limited to that one ruleset. Network objects cannot be deleted if they are referenced by other objects. You can delete network objects only when they are referenced in configuration files. The Referenced By column in the Network Objects listing displays where it is currently referenced.

The following is a list of network object types:

• Generic Network Objects – You can add network addresses of all types. All default network objects are generic network objects.
• Single IPv4 Address – A single IPv4 address.
• List of IPv4 Addresses – Multiple single IPv4 addresses and/or references to other single IP address objects. E.g., 10.0.10.1, 10.0.10.10
• Single IPv4 Network Address – A single network in CIDR format. E.g., 10.0.10.0/25
• List of IPv4 Network Addresses – Any combination of multiple networks, IP addresses, and/or references to other network address objects. E.g., 10.0.10.0/25, 172.16.0.10
• Hostname (DNS Resolved) – A single DNS resolvable host name. Up to 24 IPv4 and 17 IPv6 addresses can be stored. E.g., myhost.test.com
• Single IPv6 Address – A single IPv6 address.
• List of IPv6 Addresses – Multiple IPv6 addresses and/or references to other single IPv6 address objects.
• Single IPv6 Network – A single IPv6 network.
• List of IPv6 Networks – Any combination of multiple IPv6 networks, IPv6 IP addresses, and/or references to other IPv6 network address objects.

After selecting the network object type, the entries of the network object must be added. For hostname network objects, the FQDN is entered as the name of the network object.

• Include Entries
  o Explicit – Depending on the type of network object, enter IP addresses and/or networks. You can also include references to other network objects.
  o Geolocation – Select the countries or regions from the geolocation database. This database contains a dynamically updated list of IP addresses used by specific countries.
  o Named Network Object – Select the scope of a named network object.
• Exclude Entries – Excluding entries is available for Generic Network Objects only.
  o Explicit – Enter IP addresses and/or networks to be excluded. It is not possible to reference other network objects in this context.
  o Geolocation – Select countries to be excluded.
  o Named Network Object – Select the scope of a named network object to be excluded.

Using Network Objects

Generic and hostname network objects can only be used in the firewall ruleset; the other types can also be used in other configurations.

Wildcard Network Objects

Wildcard network objects are network objects that include a network mask containing information regarding which parts of the IP address are to be evaluated. Wildcard network objects can be used to describe IP addresses that cannot be covered by network objects using subnet masks. Wildcard network objects must use the Generic Network Object type and be entered in the format IP address/network mask. For example:

• 0.0.0.1/0.0.0.255 = *.*.*.1
• 0.200.0.0/0.255.0.0 = *.200.*.*
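How the address/network mask notation above selects addresses, as an added example (not Barracuda's matching code): a set mask bit means the corresponding address bit is evaluated, a cleared bit is a wildcard, so the two objects listed above match *.*.*.1 and *.200.*.* respectively. The sample addresses are constructed.

```python
import ipaddress


def parse_wildcard(obj):
    """Split 'address/mask' (the Generic Network Object format above) into
    two 32-bit integers. Mask bits set to 1 select the address bits that are
    evaluated; bits set to 0 are wildcards."""
    address, mask = obj.split("/")
    return int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(mask))


def wildcard_matches(obj, ip):
    """True when ip agrees with the object on every bit selected by the mask."""
    address, mask = parse_wildcard(obj)
    return (int(ipaddress.IPv4Address(ip)) & mask) == (address & mask)


def wildcard_pattern(obj):
    """Render the object in the *.*.*.1 notation used above; only masks made
    of whole octets (255 or 0) can be shown this way."""
    address, mask = obj.split("/")
    octets = []
    for a, m in zip(address.split("."), mask.split(".")):
        if m == "255":
            octets.append(a)
        elif m == "0":
            octets.append("*")
        else:
            raise ValueError(f"mask octet {m} does not cover a whole octet")
    return ".".join(octets)


def matching_addresses(obj, ips):
    """Filter a list of addresses through a wildcard network object."""
    return [ip for ip in ips if wildcard_matches(obj, ip)]


if __name__ == "__main__":
    hosts = ["10.0.8.1", "10.0.8.2", "172.16.0.1", "172.200.5.9"]  # constructed
    for obj in ("0.0.0.1/0.0.0.255", "0.200.0.0/0.255.0.0"):
        print(obj, "=", wildcard_pattern(obj), "->", matching_addresses(obj, hosts))
```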
Service Objects

A service object defines a list of IP protocols and, where applicable, corresponding port numbers or ranges. A service object can also contain a list of other service objects. Dynamic protocols such as FTP or RPC that require dynamic port allocations must be associated with a firewall plugin that can handle this service. By default, the Barracuda CloudGen Firewall contains a set of pre-configured service objects. Each service object contains the following information:

• IP Protocol – The protocol used for the service. E.g., TCP, UDP, ICMP-Echo
• Ports and Port Ranges – For TCP- and UDP-based protocols, you can enter a space-delimited list of ports (80,8080,8081), a range of ports (3333-6666), or a combination of both. Using * as a wildcard for all ports is allowed.
• Session timeout – To use different timeouts from the default TCP (24h) and UDP (1min) session timeouts, enter the maximum time in seconds after which the session is closed by the firewall.
• Balanced timeout – For UDP sessions, you can specify the maximum time in seconds that the session can be balanced before it is closed. In unbalanced sessions, data is sent only in one direction. In balanced sessions, both the source and the destination IP addresses send packets through the firewall.
• Plugin Modules – Plugins for shared service objects. Shared service objects refer to services using dynamic port allocation. The forwarding firewall service uses firewall plugin modules to dynamically open and close required ports.
• Port Protocol Protection – Enables the firewall to monitor the traffic for unwanted protocols. Forbidden protocols can be reported, reset, or blocked.

Connection Objects

A connection object defines the egress interface and source (NAT) IP address for traffic matching the access rule.

• Dynamic NAT – The firewall uses the routing table to find a suitable interface for routing the packet and uses the IP address of the relevant interface as the new source IP address.
• Original Source IP – The source IP address of the packet is not modified.
• Translated IP from WWAN Interface – The first IP address on the ppp5 device is used as the new source IP address.
• Translated IP from DHCP Interface – The first IP address on the dhcp device is used as the new source IP address.
• Translated IP from DSL Interface – The first IP address on the ppp1 device is used as the new source IP address.
• Custom Connection Objects (explicit-conn) – Create your own custom connection objects to define the explicit source address for this connection.
• NAT Tables – NAT Tables are an expanded type of source NAT for a network or IP address range.

Other Firewall Objects

• Named Networks – Transfer subnetting information and reserved IP addresses to the firewall configuration in a human-readable form. Named Networks can be used for both ruleset evaluation and visualization.
• Proxy ARPs – Allows the firewall to answer ARP requests for a device that is not on that network.
• User Objects – Lists of users and/or user groups for use within access rules.
• Schedule Objects – Time restrictions or scheduling tables that can be applied to access rules on an hourly, weekly, or calendar-date basis.
• Interface Groups – A specific interface or interface group containing one or more interfaces.
• Applications – Lists of applications and/or sub-applications when creating application-aware access rules.
• URL Filter – Access restrictions for websites. The CloudGen Firewall provides a predefined list of URL categories that are available for blacklisting and whitelisting.
• File Content Policies – Filter file downloads or email attachments based on their file type, name, or MIME type.
• User Agent Policies – Filter web traffic based on the information contained in the user agent string.


4.5 Access Rule Examples

Example 1 – Allowing Access

To allow all traffic from the 10.0.8.0/24 network to the 172.16.0.0/24 network, you need the following access rule:

• Action Type – Select Pass. Traffic is allowed and forwarded without modifying the destination IP address.
• Source – Enter 10.0.8.0/24 or select a network object containing that network.
• Destination – Enter 172.16.0.0/24 or select a network object containing that network.
• Service – Select Any.
• Connection Method – Select Original Source IP. The source IP address of the packet is not modified.

Move the rule to the appropriate spot in the ruleset.


Example 2 – Blocking Traffic

A Block or Deny action can be used to block HTTP access from the LAN to the DMZ host. Block rules for HTTP can be configured to redirect to a block page.

• Action Type – Select Block. Traffic is blocked. The sender receives a connection timeout.
• Source – Enter 10.0.8.0/24 or select a network object containing that network.
• Destination – Enter 172.16.0.10 or select a network object containing the DMZ host.
• Service – Select HTTP.

To redirect the user to a block page, go to the Miscellaneous section of the Advanced settings of the rule:

• Block Page for TCP 80 – Select Access Block Page.

46

 

Move the rule to the appropriate spot in the ruleset.

4.6 Network Address Translation (NAT)

NAT was originally used to reroute traffic in IP networks without renumbering every host. It has become a popular and essential tool in conserving global address space allocations in the face of IPv4 address exhaustion by sharing one Internet-routable IP address of a NAT gateway for an entire private network. Using NAT allows you to translate destination and source IP addresses in the IP packets. Depending on which IP addresses are rewritten, this allows you to make internal servers with an internal IP address publicly available, or hide internal networks behind a single public IP address. To be able to hide many internal IP addresses, simply rewriting the source IP address of the packet is not sufficient. The firewall must also perform port address translation (PAT) to ensure that the ports are only used once and the connection is associated with the correct internal IP address. Often, NAT types are referred to by the relationship between the internal and external IP addresses they establish: 1:1, N:1, or N:N.

Source NAT

The source IP address of a packet matching an access rule is determined by the connection method of the access rule. Frequently used source NAT types are:

• Static Source NAT (1:1)
• Port Address Translation (N:1)
• NAT Tables (N:N)

To determine which IP address is used as the new source IP address, you have the following options to define the Translated Source IP:

• Original Source IP – The source IP address of the packet is not changed.
• Dynamic NAT – The firewall uses the routing table to find a suitable interface for routing the packet and uses the first IP address assigned to this interface as the new source IP address.
• First Virtual Server IP – Source NAT using the First-IP of the virtual server as the new source IP address.
• Second Virtual Server IP – Source NAT using the Second-IP of the virtual server as the new source IP address.
• Network Interface – The IP address of the interface is used as the new source IP address. Only use for dynamic interfaces such as dhcp or ppp.
• Single IP Network Object – Use the single IP address in the network object as the new source IP address. The network object must use the type Single IP Address. For static interfaces, use Explicit IP instead.
• Explicit IP – Enter an explicit IP address as the new source IP address.
• Explicit Network Mapping – Map the original IP address of the source network to the new source network. The destination network must be the same size or larger, otherwise the firewall will wrap the larger source network into the smaller network.

Static Source NAT (1:1)

One specific internal IP address is bound to one external IP address. Ports are not changed. For a static source NAT, create the following connection object:

• Translated Source IP – Select Explicit IP.
• Explicit IP – Enter the IP address. This is the IP address that is used as the new source IP address.
• Same Port – Enable to leave the ports unchanged.

Port Address Translation (N:1)

PAT allows multiple IP addresses to be translated to one IP address with port address translation. Port address translation must be used so that two internal clients do not use the same port on the public IP address for their connections. By using a randomized port for each client, the firewall can keep track of which connection belongs to a client and thereby forward traffic correctly.

• Translated IP Address – Select Explicit IP.
• Explicit IP – Enter the IP address. This is the IP address that is used as the new source IP address.
• Same Port – Clear the check box to enable PAT.





Dynamic NAT; Unique to the CloudGen Firewall

Dynamic NAT is a special connection object feature of the CloudGen Firewall. The new source IP address is determined by a routing table lookup for the destination network of the packet. The source IP address listed in the SRC column of the route is used as the new source IP address.


Destination NAT

A destination NAT changes the destination IP address of the packet. The destination NAT is configured through the action of the access rule.

• Dst NAT – The destination IP address of the packet is rewritten.
• App Redirect – The destination IP address is rewritten, so that traffic is redirected to a local service.
• MAP – Rewrites incoming network ranges or IP addresses to destination networks or IP ranges.





Dst NAT

The firewall rewrites the destination IP address and/or port to the values set as the redirect target.

Configure the Dst NAT as the action of the access rule with the new destination IP address in the Redirection Target List:

 Application Redirect

If your Internet connection uses a dynamic IP address, you cannot create a listener for the services on that interface. The solution is to configure the services to listen on the loopback, or other IP addresses assigned to the firewall, and then redirect incoming traffic to the service using an Application Redirect access rule.


Combining Dst NAT and Source NAT

Map

A Map access rule rewrites incoming network ranges or IP addresses to destination networks or IP ranges, just like a Dst NAT rule does for a single IP address. You can use a NAT table as an object for the Destination and/or Connection settings. It is important that the destination network is the same size or smaller than the network used to redirect the request. Otherwise, the firewall wraps the larger source network into the smaller redirection network.

NAT Table (N:N)

NAT tables are an expanded type of source NAT for a network or IP address range. The NAT tables connection object rewrites the source IP address to a source NAT IP address range.
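The source NAT forms described above (Static Source NAT with Same Port, PAT with a fresh port per connection, and Explicit Network Mapping / MAP, including the wrap-around into a smaller network) worked through as an added Python example; this is not Barracuda code, and the Packet and SourceNat names, the documentation-range addresses, and the modulo reading of "wraps" are this example's assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def network_map(src_ip: str, src_net: str, new_net: str) -> str:
    """Explicit Network Mapping / MAP: keep the host offset of src_ip inside
    src_net and apply it inside new_net. If new_net is smaller than src_net,
    the offset wraps around (modulo the size of new_net). The modulo is this
    example's assumption for the guide's "wraps the larger network into the
    smaller network"; it shows why two internal hosts can then collide."""
    src = ipaddress.ip_network(src_net, strict=False)
    new = ipaddress.ip_network(new_net, strict=False)
    ip = ipaddress.ip_address(src_ip)
    if ip not in src:
        raise ValueError(f"{src_ip} is not part of {src_net}")
    offset = int(ip) - int(src.network_address)
    return str(new.network_address + (offset % new.num_addresses))


# Session key as seen from outside: (proto, nat_ip, nat_port, dst, dport)
SessionKey = Tuple[str, str, int, str, int]


class SourceNat:
    """Tracks the translations a source NAT connection object produces so that
    replies can be mapped back to the internal client (stateful NAT)."""

    def __init__(self, seed: Optional[int] = None) -> None:
        self.sessions: Dict[SessionKey, Tuple[str, int]] = {}
        self._rng = random.Random(seed)  # seed only for reproducible demos

    def _record(self, key: SessionKey, original: Tuple[str, int]) -> None:
        owner = self.sessions.get(key)
        if owner is not None and owner != original:
            # Two clients behind the same public IP with the same port: this is
            # exactly the situation PAT exists to avoid.
            raise ValueError(
                f"port {key[2]} on {key[1]} toward {key[3]}:{key[4]} is already "
                f"used by {owner[0]}:{owner[1]}; Same Port cannot serve two clients")
        self.sessions[key] = original

    def static_1to1(self, pkt: Packet, explicit_ip: str) -> Packet:
        """Static Source NAT (1:1): Translated Source IP = Explicit IP and
        Same Port enabled. Only the source address changes; the port is kept."""
        key = (pkt.proto, explicit_ip, pkt.sport, pkt.dst, pkt.dport)
        self._record(key, (pkt.src, pkt.sport))
        return replace(pkt, src=explicit_ip)

    def pat(self, pkt: Packet, explicit_ip: str) -> Packet:
        """Port Address Translation (N:1): Same Port cleared. The source becomes
        explicit_ip and a random free port is picked per connection, so two
        internal clients never share a public port toward one destination."""
        for _ in range(10_000):
            port = self._rng.randint(1024, 65535)
            key = (pkt.proto, explicit_ip, port, pkt.dst, pkt.dport)
            if key not in self.sessions:
                self.sessions[key] = (pkt.src, pkt.sport)
                return replace(pkt, src=explicit_ip, sport=port)
        raise RuntimeError("no free source port available for PAT")

    def reverse(self, reply: Packet) -> Packet:
        """Map a reply addressed to the NAT address/port back to the client.
        A reply without a matching session is an error (a stateful NAT drops it)."""
        key = (reply.proto, reply.dst, reply.dport, reply.src, reply.sport)
        if key not in self.sessions:
            raise KeyError(f"no NAT session for reply to {reply.dst}:{reply.dport}")
        src, sport = self.sessions[key]
        return replace(reply, dst=src, dport=sport)
```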

4.7 Firewall Live and Firewall History

Barracuda Firewall Admin offers both real-time and historical views for all connections handled by the forwarding and host firewall. Powerful and granular filters allow you to drill down to the information you need. The number of sessions kept in the connection cache depends on the model, but can be changed in the General Firewall Configuration settings.

Firewall Live

The Firewall Live view shows real-time session information. You have the following options for interacting with the displayed sessions:

• Pause / Resume continuous session updates.
• Double-click to display session details.
• Terminate or abort the session.
• Change the QoS Band of the session.
• Change Traffic Intelligence settings.

Go to FIREWALL > Live to access the Firewall Live view.

Firewall History

The Firewall History view displays all sessions after the session slot ended. TCP sessions usually end with the FIN-FINACK-ACK sequence. This is displayed as Normal operation in the Info column. Resets are terminated with Session idle timeout, Last ACK timeout. For the stateless UDP and ICMP protocols, pseudo-sessions are created and generally end with a timeout. You have the following options for interacting with the displayed sessions:

• Remove the selected session from the cache.
• Clear the cache.
• Double-click to display session details.

Go to FIREWALL > History to access the Firewall History view.

Filtering

Filtering is a powerful tool to show only the sessions required to troubleshoot a problem.

• Hover over the column of the entry until a filter icon is displayed. This allows you to directly create or modify a filter.
• Blocked connections are visible only in the History view.
• Sync the filter between the Live and History views to avoid having to configure the same filter on both pages.
• Save or restore the filter by clicking on the filter icon.
• Right-click on the header of the list and select Columns to customize the displayed columns.

Filter Options

You can filter the list of sessions by traffic type, status, and properties. The following filter settings are mandatory:

• Traffic Selection – From the Traffic Selection list, you can select the following options to filter for certain traffic types.
• Status Selection – From the Status Selection list, you can select the following options to filter for certain traffic states.

Click + to add additional filters according to your needs.

Note that some fields allow the use of wildcards (*?; !*?). Example: !Amazon* excludes all entries starting with Amazon; Y*|A* includes all entries starting with "Y" or "A".
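The wildcard syntax from the note above (`*` and `?`, a leading `!` to exclude, `|` for alternatives) applied to a constructed set of session entries, as an added Python example that is not Firewall Admin's own matcher; that `!` negates the whole expression and that matching is case-sensitive are this example's assumptions.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample of Live/History entries (not captured from a real appliance).
SAMPLE_SESSIONS: List[Dict[str, str]] = [
    {"source": "10.0.8.10", "application": "Amazon Prime Video"},
    {"source": "10.0.8.11", "application": "Amazon Web Services"},
    {"source": "10.0.8.12", "application": "YouTube"},
    {"source": "10.0.8.13", "application": "Apple Software Update"},
    {"source": "10.0.8.14", "application": "Dropbox"},
]


def parse_filter(expr: str) -> Tuple[bool, List[str]]:
    """Split a filter expression into (negate, patterns).

    Assumed grammar, based on the guide's examples:
      - '*' matches any run of characters, '?' exactly one character
      - a leading '!' negates the whole expression (assumption)
      - '|' separates alternatives, any of which may match
    """
    expr = expr.strip()
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:]
    patterns = [p.strip() for p in expr.split("|") if p.strip()]
    if not patterns:
        raise ValueError("empty filter expression")
    return negate, patterns


def _glob_match(value: str, pattern: str) -> bool:
    # fnmatch would also interpret '[...]' as a character class; escape it so
    # that only '*' and '?' act as wildcards. Case-sensitive by assumption.
    pattern = pattern.replace("[", "[[]")
    return fnmatch.fnmatchcase(value, pattern)


def matches(value: str, expr: str) -> bool:
    """True if the column value passes the filter expression."""
    negate, patterns = parse_filter(expr)
    hit = any(_glob_match(value, p) for p in patterns)
    return not hit if negate else hit


def filter_sessions(sessions: List[Dict[str, str]], column: str, expr: str) -> List[Dict[str, str]]:
    """Return the sessions whose `column` passes the filter, preserving order."""
    return [s for s in sessions if matches(s[column], expr)]


if __name__ == "__main__":
    for column, expr in (("application", "!Amazon*"),
                         ("application", "Y*|A*"),
                         ("source", "10.0.8.1?")):
        kept = [s[column] for s in filter_sessions(SAMPLE_SESSIONS, column, expr)]
        print(f"{expr:10} on {column}: {kept}")
```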

Sorting Options

• Sort values in a column – You can sort the entries in both the Live and History views by clicking on the header of the column you want to sort. Click again to change between sorting in descending and ascending order.
• Group entries – To group the entries based on their value in a column, right-click on the value and select Group-by.

Traffic Meter

A traffic meter is integrated on the lower right of the page. The firewall engine samples the amount of traffic over 10 seconds and the traffic meter shows it based on the traffic origin (Forward, Loopback, Local, Total). Traffic can be displayed as Bits/sec, Bytes/sec or Packets/sec.

4.8 Cascade Access Rules

By default, only one rule list is used in the forwarding ruleset. To keep the main rule list from containing too many rules, you can create additional rule lists. At the point in the main rule list where you want to evaluate one of the additional rule lists, create a Cascade access rule. The rule list you cascaded to is then evaluated. If none of the rules in the additional rule list match, traffic is blocked as a result of the default block policy. To avoid this and to continue evaluating the main ruleset, use Cascade Back rules. Since these Cascade Back rules use normal matching criteria, you can jump back to the main ruleset at any point in the additional ruleset. A Cascade can only redirect to a sub-ruleset, and the cascade back always jumps to the main ruleset. This behavior is used to avoid a loop.
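The evaluation order just described (top-down first match, Cascade into a sub-list, Cascade Back resuming the main list, default block when a sub-list runs out) together with the Pass and Block rules from the section 4.5 examples, as an added Python simulation; it is not the product's ruleset format or code, and the Rule and evaluate names and the constructed rule lists are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "pass", "block", "cascade" or "cascade_back"
    src: str = "0.0.0.0/0"  # matching criteria: source network
    dst: str = "0.0.0.0/0"  # destination network
    service: str = "Any"    # "Any" or "<proto>/<port>", e.g. "tcp/80"
    target: str = ""        # name of the rule list a "cascade" jumps into


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Ordinary matching criteria; the same check applies to every action,
    including Cascade and Cascade Back rules."""
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.service != "Any":
        proto, port = rule.service.split("/")
        if pkt["proto"] != proto or int(pkt["dport"]) != int(port):
            return False
    return True


def evaluate(rulesets: Dict[str, List[Rule]], pkt: dict) -> Tuple[str, List[str]]:
    """Walk the main rule list top-down; the first matching Pass/Block decides.

    Returns (verdict, trace). The trace lists every rule that matched, which is
    what you would compare against the rule name shown in FIREWALL > Live.
    """
    trace: List[str] = []
    for rule in rulesets["main"]:
        if not rule_matches(rule, pkt):
            continue
        trace.append(rule.name)
        if rule.action in ("pass", "block"):
            return rule.action, trace
        if rule.action != "cascade":
            raise ValueError(f"{rule.name}: Cascade Back is only valid inside a sub-list")
        # A Cascade only redirects into a sub-list, evaluated from its top.
        for sub in rulesets[rule.target]:
            if not rule_matches(sub, pkt):
                continue
            trace.append(f"{rule.target}:{sub.name}")
            if sub.action in ("pass", "block"):
                return sub.action, trace
            if sub.action == "cascade_back":
                break  # resume the main list right after the Cascade rule
            raise ValueError(f"{sub.name}: a sub-list may only Pass, Block or Cascade Back")
        else:
            # No sub-list rule matched and no Cascade Back fired:
            # the default block policy applies.
            return "block", trace
    # Nothing in the main list matched either.
    return "block", trace


# Constructed example rule lists (not a CloudGen Firewall export).
RULESETS: Dict[str, List[Rule]] = {
    "main": [
        Rule("LAN-2-DMZ", "cascade", src="10.0.8.0/24", dst="172.16.0.0/24", target="DMZ"),
        Rule("LAN-OUT", "pass", src="10.0.8.0/24"),
    ],
    "DMZ": [
        Rule("BLOCK-HTTP-TO-DMZ-HOST", "block", dst="172.16.0.10/32", service="tcp/80"),
        Rule("ALLOW-DNS", "pass", service="udp/53"),
        Rule("BACK-TO-MAIN", "cascade_back", service="tcp/443"),
    ],
}


def check(proto: str, src: str, dst: str, dport: int) -> Tuple[str, List[str]]:
    return evaluate(RULESETS, {"proto": proto, "src": src, "dst": dst, "dport": dport})


if __name__ == "__main__":
    for args in (("tcp", "10.0.8.5", "172.16.0.10", 80),
                 ("udp", "10.0.8.5", "172.16.0.20", 53),
                 ("tcp", "10.0.8.5", "172.16.0.20", 443),
                 ("tcp", "10.0.8.5", "172.16.0.20", 22),
                 ("tcp", "192.168.1.1", "172.16.0.20", 22)):
        verdict, trace = check(*args)
        print(f"{args}: {verdict} via {' -> '.join(trace) or 'no match'}")
```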


5 Introduction to Extended Firewall Features

HTTP and HTTPS traffic no longer consists of simple HTML websites. Web-based applications that are not business related can have unwanted side effects. These include:

• Opening back doors into your network
• Distracting people from work
• Consuming business-critical bandwidth

Application Control provides the application ruleset that lets you expand the scope of the firewall engine to include application type as a matching criteria. The addition of application context to the traditional stateful packet inspection capabilities of the CloudGen Firewall gives you full, context-aware control, even for SSL-encrypted traffic. Application Control comes with a set of predefined application objects that contain detection patterns to give you control over the latest web applications, web services, and social media. To give you more granular control, it also detects embedded features (or sub-applications) within applications. For example, you can create policies that permit the general usage of social networks (such as Facebook or Twitter), but forbid embedded applications (such as chat, image uploading, or posting). Application Control is fully integrated into the firewall service. Application traffic can be dropped, throttled, prioritized, or just reported. Application Control is currently limited to IPv4. The application patterns and definitions are stored in the application pattern database. The database is continuously updated through your Energize Updates subscription. You can also add your own custom applications.

Application Control Features

• SSL Inspection – Many applications transmit their data over connections encrypted with SSL or TLS. SSL Inspection intercepts and decrypts encrypted traffic to allow Application Control to detect and handle embedded features or sub-applications of the main application. For example, you can create a policy that permits the general usage of Facebook, but forbids Facebook Chat. If you choose not to enable SSL Inspection, the main applications can still be detected, but the firewall does not differentiate between individual features, such as Facebook Chat or Facebook games.
• URL Filtering – Websites accessed by the users are categorized based on the Barracuda Web Filter URL category database. Depending on the policy assigned to this URL category, the website can then be allowed, blocked, or allowed temporarily. You can create either a whitelist (blocking everything except for selected sites) or a blacklist (blocking known unwanted content). If a site is not in the URL database, you can define a custom URL policy for it. The URL Filter can filter based only on the domain of the website. It does not offer control over subdomains, or subdirectories of the website.
• Virus Scanning – HTTP(S), FTP(S), SMTP(S), and POP3(S) traffic can be transparently scanned for malicious content while the traffic passes through the firewall. If a user downloads a file containing malware, the firewall detects and discards the infected file and then redirects the user to a warning page. You can specify the MIME types of all files that are to be scanned.
• Advanced Threat Protection (ATP) – Barracuda Advanced Threat Protection secures your network against zero-day exploits and other malware not recognized by the IPS or Virus Scanner. You can choose between two policies, which either scan the files after the user has downloaded them and, if perceived to be a threat, quarantine the user, or scan the file first and then let the user download the file after it is known to be safe.
• File Content Scan – Files transmitted via HTTP(S), FTP(S), SMTP(S) and POP3(S) are filtered depending on their file type, name, or MIME type.
• User Agent Filtering – User Agent policies allow you to control access to a web-based resource based on the user agent string.
• Mail Security – Check the source IP address of incoming SMTP and SMTPS connections against a DNSBL and modify the header and subject of the email if the sender is listed in the DNSBL. Additionally, Link Protection can replace or remove malicious or suspicious links in the emails.
• Safe Search – Enforce Safe Search on Google, Bing, Yahoo, and YouTube.
• Google Accounts – Block all Google accounts (personal and Google Apps) except for accounts in the whitelisted Google Apps domains.

5.1 Intrusion Prevention System (IPS)

The Intrusion Prevention System (IPS) actively monitors local and forwarding traffic for malicious activities and can also block suspicious traffic. The CloudGen Firewall engine analyzes network traffic and continuously compares the bit stream with its internal signatures database for malicious code patterns. You can create, edit, and override default and custom IPS signature handling policies. After configuring your IPS policies, you can also apply them to your access rules.

IPS Features

TCP Stream Reassembly

The firewall engine provides support for TCP Stream Reassembly (SRA). In general, TCP streams are broken into TCP segments that are encapsulated into IP packets. By manipulating how a TCP stream is segmented, it is possible to evade detection, for example, by overwriting a portion of a previous segment within a stream with new data in a subsequent segment. This method allows the hacker to hide or obfuscate the network attack. The firewall engine receives the segments in a TCP conversation, buffers them, and reassembles the segments into a correct stream, for example, by checking for segment overlaps, interleaved duplicate segments, invalid TCP checksums, and so forth. Afterwards, the firewall engine passes the reassembled stream to the IPS engine for inspection.

URL Obfuscation

The IPS engine provides various countermeasures to avert possible network attacks. The IPS engine can avert FTP exploits in which the attacker tries to evade the IPS by inserting additional spaces and Telnet control sequences in FTP commands.

TCP Split Handshake

The IPS engine provides an evasion countermeasure technique that can block the usage of TCP split handshake attacks. Although the TCP split handshake is a legitimate way to start a TCP connection (RFC793), it can also be used by hackers to execute various network attacks. By gaining access to the internal network, hackers can establish a trusted IP connection and thereby evade firewall and IPS policies.

Licensing and Pattern Updates

To use IPS and get the latest signature updates for your CloudGen Firewall, you must have a valid Energize Updates subscription. Generally, new IPS signatures are available once or twice a week. By default, the firewall checks every 60 minutes for IPS pattern updates from the Barracuda Central servers. Managed firewalls download the IPS signatures updates directly from the Firewall Control Center.

5.2 User Awareness

Traditional security policies are no longer flexible enough to meet the needs of clients who work on multiple desktops or locations and who require special access rights based on user or group information. Allowing access to everyone or configuring access for individual IP addresses is neither secure nor practical. To fulfill today's security requirements, firewall policies must be user aware. With user integration, for example, connection information can be replaced with global objects. This allows you to create access rules that restrict or allow access to resources based upon the user and group information.

Local Authentication Schemes

If no external authentication service is available, NGF Local Authentication manages your users and groups directly on your CloudGen Firewall.

External Authentication Schemes

User information can be retrieved from your external authentication servers. The authentication server is queried when the user logs in via client-to-site VPN or through firewall authentication. The following external authentication schemes are supported:

• Microsoft Active Directory (MSAD)
• Barracuda DC Agent
• MS-CHAP
• Lightweight Directory Access Protocol (LDAP)
• Remote Access Dial In User Service (RADIUS)
• Terminal Access Controller Access Control System (TACACS+)
• RSA-ACE SecurID
• MSNT
• Secure Web Gateway Authentication
• Barracuda Terminal Server Agent
• One-Time Password Authentication
• Wi-Fi AP Authentication
• Online Certificate Status Protocol (OCSP)
• Kerberos

Barracuda DC Agent

The Barracuda DC Agent is the connector between various Barracuda Networks products and Microsoft domain controllers to transparently monitor user authentication. The DC Agent allows you to monitor domain controllers to automatically detect when users log into their Windows domain. The DC Agent is installed either directly on the domain controller or on a dedicated Windows PC on the office network. The agent periodically checks the domain controller for login events and to obtain a record of the authenticated users. The IP addresses of authenticated users are mapped to their username and group context and then provided to the firewall, allowing for true single sign-on capabilities.

Barracuda TS Agent

The Barracuda TS Agent is the connector between the firewall and Microsoft Terminal Servers to transparently monitor user authentication. Because the source IP address for all users on the terminal server is the same for all users, the Barracuda TS Agent assigns each user a specific port range and sends this mapping information to the firewall. The firewall can now check the source port of a TCP or UDP packet from the terminal server and, with the port-user information from the TS Agent, determine the username and group context. Connections with the Barracuda TS Agent are SSL encrypted. Mapping information for users is sent only after connections are established. The Barracuda TS Agent also writes a debug log that helps you monitor your Terminal Server and identify possible problems.

User Objects in Access Rules

To use user or group information as matching criteria in your access or application rules, you must create user objects. Add these user objects to Forwarding Firewall access rules and specify user conditions such as login names, groups, and policy role patterns. You also have the option to include VPN groups in the object configuration.

5.3 Traffic Shaping (QoS)

A company's network is made up of connections with various bandwidths that are utilized to different degrees. In cases where a link becomes saturated, excessive packets are dropped, and the latency increases. To avoid this situation, the firewall can delay packets to match the available bandwidth. If only bandwidth throttling is used, all packets are delayed without regard to the type of traffic. This can help to balance short traffic surges. Note, however, that depending on the application, the artificial delay might negatively impact the application. For example, increased latency is acceptable for file downloads, but not for VOIP traffic. To solve this problem, traffic is assigned to a QoS band in the matching access or application rule. The QoS band determines the priority class assigned to the packet. Applied to our example, VOIP traffic would be immediately sent, while the file download would be delayed and throttled.

When to Use Traffic Shaping

Traffic shaping only optimizes bandwidth utilization on your link. It does not increase the amount of bandwidth available. If your Internet line is saturated due to users watching YouTube and downloading large files from the Internet, traffic shaping ensures that, for example, your VOIP connections are prioritized so that connections are not dropped or degraded. Traffic shaping can also be used in fail-over scenarios where the backup LTE or UMTS line only offers a fraction of the bandwidth. In this case, traffic shaping can be configured to drop all non-critical traffic until the regular connection is available again. Note that traffic shaping cannot help you if your business-critical applications saturate the link without other traffic using the line. In this case, you must upgrade the connection to accommodate the increased demand.

Default QoS Profile

By default, the CloudGen Firewall is configured with the Default QoS profile. Assign the QoS profile to a physical interface to enable traffic shaping for a link. A QoS profile is made up of a root virtual interface with virtual sub-interfaces. This is often referred to as the shaping tree. Each virtual interface is split into three priority classes. The QoS Band defines which priority class a packet belongs to.

Default QoS Profile Virtual Interfaces

The default QoS profile uses the following virtual interfaces:

• Default - Leaves the class unchanged.
• NoDelay - Always takes precedence.
• Low Priority - Limited to 5% of the maximum link bandwidth.
• Choke - Essentially blocks traffic by limiting the bandwidth to a point where the application becomes unusable.







Default QoS Bands

By default, there are eight different QoS Bands:

• VOIP – Highest priority. Traffic in this QoS Band bypasses traffic shaping.
• Interactive – Highest priority before all other bandwidth policies. Traffic is sent with no delay and can use up to 90% of the available bandwidth.
• Business – Very high priority.
• Internet – Medium priority. If more than 10 MB of data is transferred in one session, the priority of the traffic in that session drops to the same as Background.
• Background – Next-lower priority.
• Low – Low priority. Low and Lowest Priority are limited to 5% of the available bandwidth.
• Lowest Priority – Lowest priority. Low and Lowest Priority are limited to 5% of the available bandwidth.
• Choke – Applications assigned Choke are unusable, but will not seek another way to send traffic. For example, if you wish to block Skype traffic, assign this policy to the Skype application.















Monitor Bandwidth Policy Assignment

To monitor which bandwidth policy is assigned to active network sessions, go to the FIREWALL > Traffic Shaping page. On the FIREWALL > Live page, you can also change the QoS Band on the fly for all active connections using traffic-shaping-enabled interfaces.

6 Barracuda Firewall Control Center

The Barracuda Firewall Control Center is a central administration appliance designed to manage remote CloudGen Firewalls, Secure Connectors, and Secure Access Controllers. The Control Center provides a comprehensive set of central management services and features such as template-driven objects, reusable global objects, user definable work views, and graphical representation of the global WAN network. The box layer of the Control Center is identical to the CloudGen Firewall. Depending on the platform and required number of ranges and clusters, different Control Center models are available:

VC Editions – Virtual appliances for use on hypervisor platforms
• VC400 Standard Edition – One range (tenant), one cluster (configuration group), and unlimited managed firewalls.
• VC610 Enterprise Edition – One range (tenant), unlimited clusters (configuration groups), and unlimited managed firewalls.
• VC820 Global Edition – Five ranges (tenants), unlimited clusters (configuration groups), and unlimited managed firewalls.

VCC Editions – Virtual appliances for use in public clouds
• VCC400 Standard Edition – One range (tenant), one cluster (configuration group), and unlimited managed firewalls.
• VCC610 Enterprise Edition – Two ranges (tenants), unlimited clusters (configuration groups) and managed firewalls.

Control Center Feature Overview

• Central Management – The Control Center handles all tasks required to administer your firewalls in one central location. Templates and a central repository allow you to reuse configurations over many firewalls. The Revision Control System monitors changes by all admins.
• Multi-Admin Support and Role-Based Administration – The Control Center provides freely configurable permission schemes and user management. Through the use of administrative roles, administrative scopes, and configuration levels, you can create very granular access permissions for each admin. The Control Center allows you to create or customize existing administrative roles.
• Graphical VPN Configuration Interface (GTI Editor) – The Graphical Tunnel Interface (GTI) provides you with a graphical interface to create and manage TINA and IKEv1 IPsec VPN tunnels. The GTI editor can be used on a global, range, or cluster level.
• Central Eventing and Log Collection – For system processes and services, events are generated and sent to the Control Center from the managed firewalls. On the Control Center, event forwarding is based on communication between the Box Event module running on the operative CloudGen Firewall (box) and the CC Event Service module running on the Control Center. The CC Syslog service collects log messages from CloudGen Firewalls managed by the Control Center and streams those log messages to an external log host.
• Shared Services – The firewall, SNMP, and DNS service can be configured to run on multiple virtual servers and use a combined configuration.
• Revision Control System (RCS) – The Revision Control System (RCS) stores versioning information on all configuration changes to your system. You can view older configuration versions and, if necessary, roll back previous changes.
• Central Statistics – The Control Center can collect and store statistics of its managed CloudGen Firewalls. The CC Statistics Collector and CC Statistic Viewer process the raw data and present the collected data in the STATISTICS tab on the Control Center.
• FW Audit – The CC FW Audit Log service receives structured firewall data from the managed units and stores the firewall audit information on the Control Center. The CC Firewall Audit Info viewer provides a consolidated view similar to the firewall access cache across multiple boxes. For large or high-performance environments, dedicated CloudGen Firewalls can be configured to collect and retrieve firewall audit log information. The collection and processing is handled by the CC FW Audit Log service and the Audit Info collector on the Control Center.
• Barracuda Earth – Barracuda Earth displays the status of your VPN site-to-site tunnels around the world. When connected to the Control Center, Barracuda Earth retrieves the data from your VPN connections and displays the tunnels according to the information on a customizable interface. Barracuda Earth is not available for the Control Center Standard Edition.
• Public Key Infrastructure (PKI) – The PKI service on the Control Center lets you create, manage, and revoke certificates. The PKI is not available for the Control Center Standard Edition.

System Hierarchy: Ranges, Clusters, and Boxes

To manage a large number of firewalls, the Control Center organizes the managed firewalls into a hierarchy of ranges and clusters, with the individual firewall configurations at the lowest level. The number of available ranges and clusters depends on the Control Center edition. You must create at least one range and cluster to be able to add firewalls. For each level, you can define global settings. These settings are inherited by the lower levels with the option to override them as needed. You must create at least one cluster in a range to be able to add firewalls. The following range or cluster-wide settings can be added:

• Firewall Objects
• GTI Editor
• Statistics
• Access Control Objects
• QoS Shaping Trees
• Activation Template

Control Center Editions

Depending on the number of managed firewalls, the Control Center is available in three editions:

• Standard edition – One range, one cluster, unlimited number of managed firewalls.
• Enterprise edition – One range, unlimited number of clusters, unlimited number of managed firewalls.
• Global edition – Five ranges with the option to add additional ranges, unlimited number of clusters, unlimited number of managed firewalls.

The Control Center is available on all three platforms (hardware, virtual, and cloud) for the standard and enterprise editions. The global edition is only available as a virtual machine.

Control Center Trust Model

Connections between the Control Center, CloudGen Firewalls, and Barracuda Firewall Admin are authenticated with X.509 private/public keys. The Control Center handles the certificate and authentication of remote firewalls and Firewall Admin. The Control Center also stores a list of valid SSH keys for all managed firewalls.
• Control Center connects to a managed CloudGen Firewall – During deployment, the public keys for the box certificate and the Control Center certificate are exchanged. These keys are used to authenticate all SSL connections between the Control Center and the managed units.
• Connecting to the Control Center with Firewall Admin – Firewall Admin can verify if the Control Center certificate is valid and if it is communicating with the intended Control Center by checking the certificate with the Control Center public key it has previously downloaded from the Control Center.
• Connecting to a managed firewall with Firewall Admin – Firewall Admin downloads the public key from the Control Center and then uses that key to verify the box certificate of the managed firewall.


6.1 Central Management

The Control Center handles all tasks required to administer your firewalls from one central location. The Control Center, managed firewalls, and Firewall Admin exchange information to create a robust environment to store, retrieve, and propagate updates. The Control Center acts as the central repository for all configuration files, pattern updates, and firmware updates. Through the management connection, the Control Center distributes all relevant updates to the individual managed firewalls. System state, logs, and events are also continuously received from each managed firewall. Firewall Admin can access all the centralized information directly on the Control Center. This allows for easy and quick configuration changes without having to connect to each remote firewall. The managed firewalls are accessed directly by Firewall Admin only if real-time information, such as the FIREWALL > Live page, is needed. In case the Control Center is not reachable, the firewalls can still be configured via an emergency override.

Configuring Managed Firewalls and Configuration Updates

To change the configuration of a managed firewall, the admin logs in to the Control Center via Firewall Admin. After locating the firewall in the range and cluster it is located in, changing the configuration is identical to a stand-alone firewall. When the configuration change is activated, the Control Center automatically pushes the update to the firewall. The Configuration Updates page displays the status for the configuration sync of all firewalls managed by the Control Center. The color of the summary icon allows you to quickly check the configuration update status:
• Green – The last configuration update was sent successfully.
• Red – An error occurred during the last update. The Reason column provides more detailed information.
• Blue – An update is in progress.
• Yellow – The firewall is no longer managed by the Control Center; a configuration update is not possible.

Right-click the firewall to manually send, block, or delete a configuration update:
• Update Now – All new configurations are sent to the firewall.
• Complete Update – The complete configuration is sent to the firewall.
• Block Update – All configuration updates are held back.
• Unblock Update – Re-enable configuration updates.
• Delete – Delete updates that can no longer be applied.
• Force Delete – Delete configuration updates for active firewalls.


System Health and Status Monitoring

The status map of the Control Center shows the health and system status for all managed firewalls. The state of the firewall is depicted by a series of colored icons for each section:
• Green – The system is in a normal state. Only informational and notice events have been generated.
• Yellow – Warnings have been generated. A check is recommended.
• Red – Security events and errors have been generated. A check is mandatory.
• Blue – A virtual server has been disabled due to probing policies.
• Grey – The system is unavailable and has been disabled in the configuration.

File/Pattern Updates

The Control Center downloads and distributes all pattern, definition, and database updates to all managed firewalls. If the Control Center is not reachable, the firewalls will download the updates directly from the download servers. You can configure the check interval for each update. If the Control Center has no direct Internet access, you can copy file updates from an up-to-date CloudGen Firewall to the Control Center. An Energize Updates subscription is required on the Control Center.

Firmware Updates on Managed Firewalls

Firmware updates for the managed firewalls are handled directly on the Control Center. Always update the Control Center itself first because it is not possible to manage firewalls running firmware versions newer than the firmware version running on the Control Center. If you are managing clusters with an old firmware version, you may have to update the firewalls if the new firmware version for the Control Center no longer supports the old cluster version. For example: 7.0.0 no longer supports cluster version 5.0. So when updating a Control Center from 6.2.1 to 7.0.0, all 5.0.0 clusters and firewalls must be updated before you can proceed with the update.

Downloading Update Packages

Every hour the Control Center checks for updates for all configured cluster versions. If you have recently added a cluster using a firmware version that is not used by other clusters, it may take up to one hour for the corresponding updates, hotfixes, and patches to be displayed. You can either trigger the Control Center to download the updates directly, or download the updates yourself from the Barracuda Download portal and then upload them manually to the Control Center. If the Control Center is behind a device doing SSL Inspection, you must add an exception for dlportal.barracudanetworks.com to be able to successfully download updates.

Update the Managed Firewalls

The Firewall Control Center can manage multiple clusters, each using different firmware versions. Since the cluster is bound to the major firmware version, all firewalls in a cluster must be updated at the same time. In addition, the cluster configuration must be migrated afterwards in order to be able to administer the updated units. To identify the required update package, check the release notes and migration instructions to determine the update path from the firmware version the firewall is currently running. To troubleshoot an update, connect to the firewall and review the Box\Release\update or Box\Release\update_hotfix logs.

6.2 Adding Firewalls to the Control Center

To manage a firewall with the Control Center, you can either import the PAR file of an existing firewall or create a new firewall configuration directly on the Control Center.

Configure New Firewall on the Control Center

Creating a new firewall configuration on the Control Center allows you to prepare the firewall without access to the device. The firewall can be created with default settings or by using a wizard. The wizard offers you the option to create and link a virtual server. If you create a new firewall configuration without the wizard, the virtual server must be created and assigned to the firewall separately.

Default Box

New firewalls clone their configuration from the Default box configuration of the cluster they are created in. To share configurations over multiple clusters or to create linked configurations, link the configuration nodes in the default box to repository entries. Firewalls using repository links are updated if the repository entry is changed. Without repository links, the configuration of the new firewall is not changed if the default box configuration is updated.

Import Existing Firewall

To import existing firewalls into the Control Center, import a PAR file from the firewall into the desired cluster on the Control Center. The major firmware version of the firewall and cluster must match, and the imported virtual server name must be unique in the cluster. After importing the PAR file, the Firewall Control Center automatically signs the box certificates. Deploy the PAR file to the firewall to finish adding the firewall to the Control Center. Since virtual server and service names must be unique per cluster, it is recommended to replace the default S1 virtual server with a new virtual server using a unique name. After moving and, if necessary, renaming the services to the new virtual server, delete the old S1 virtual server.

Copying, Cloning, Moving, and Removing Managed Firewalls

You can move, copy, and delete managed firewalls. Moving a firewall is also the only way to change the name of the firewall. Moving or copying the firewall does not copy or move the associated virtual servers. They must be copied or moved independently. You can also clone a CloudGen Firewall box by using the Clone Wizard. To clone a CloudGen Firewall box:
1. Expand the Boxes node (CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster).
2. Right-click the box you wish to clone and select Clone Box Wizard. The Wizard window opens. You can also right-click Boxes and select Clone Box Wizard. In this case, you must also select the Box to clone in the configuration.
3. Enter the name of the new box in the Naming Replace To field.
4. In the Management IP field, enter the IP address of the new box.
5. Adjust all settings according to your requirements.
6. Click Finish.
7. Click Activate.

6.3 Remote Management Tunnels

To secure the management traffic between a remote firewall and the Control Center, the remote firewall uses a remote management tunnel to connect to the master VPN service on the Control Center. The tunnel, using the TINA VPN protocol, is always initiated by a service on the box level of the firewall. This is done to ensure that firewalls using dynamic IP addresses and/or behind NATed connections can connect reliably. In addition, by using a box level service, the management tunnel is independent of the state of the virtual server. The downside of using a box level service is that Internet connectivity must be ensured no matter if the virtual server is up or not.

VIP Network

The VIP network is a dedicated network or network range on the Control Center used for communication between the remote firewalls and the Control Center. The admin must assign each remote firewall that connects via a remote management tunnel a virtual management IP address out of the VIP network. The VIP address is also used by Firewall Admin to access the remote firewall through the management tunnel. Proxy ARPs for the VIP network on the Control Center allow Firewall Admin to reach the remote firewalls from the local network using the virtual management IP address.

Box Layer Connectivity

Because the remote management tunnel is established from the box layer and needs an Internet connection, do not configure direct attached networks for the Internet connection. Direct attached networks use an IP address on the virtual server layer. This causes the Internet connection to go down when the virtual server is down, blocked, or misconfigured. For dynamic IP WAN connections, no action needs to be taken because the IP address is automatically bound to the box layer of the firewall. For static IP addresses, configure additional box level IPv4 and/or IPv6 addresses.

Remote Management Tunnel

The remote management tunnel can be established to both IPv4 and IPv6 addresses. For IPv4, the VPN point of entry is the public IP address of the border firewall forwarding TCP/UDP 692 to the Control Center. For IPv6 connections, the Control Center must be reachable via an IPv6 global unicast address. You must also add the IPv6 address to the virtual server IP addresses and to the listening addresses of the master VPN service on the box level of the Control Center. Even though the VPN envelope is IPv6 compatible, only IPv4 traffic can be sent through the tunnel. You can enter multiple IPv4 and IPv6 addresses as the VPN point of entry. The firewall will try each IP address sequentially until a successful connection is established. For the firewall to be able to reach the Control Center through the VPN tunnel, enter the following IPv4 addresses as the remote network:
• Control Center IP address
• Control Center box layer IP address
• (optional) Authentication, NTP, and DNS server IP addresses

Allowing External Service Connections to the Control Center Master VPN Service

The Control Center usually does not have a public IPv4 address that the remote firewall can use to reach the master VPN service. In this case, the public IPv4 address of the border firewall is used as the VPN point of entry. The border firewall then forwards the remote management tunnel traffic with a Dst NAT access rule for TCP/UDP 692 to the Control Center master VPN service. For IPv6 connections, the Control Center is assigned a global unicast IPv6 address. Configure the border firewall to allow TCP/UDP 692 traffic to this IPv6 address to be able to establish an IPv6 remote management tunnel.

Monitoring and Troubleshooting

To check if the remote management tunnel is up, log in to the box level of the Control Center and go to VPN > Client-to-Site.

Check the status of the managed firewalls on the Status Map of the Control Center. If you cannot log in to the firewall that is connected (green), the IP address of the client running Firewall Admin cannot reach the remote firewall. Create an access rule on the Control Center firewall using Dynamic NAT as the connection method, and verify that the connection to the VIP network is routed to the Control Center. To manually restart the remote management tunnel, log in to the remote firewall via SSH and enter the following commands to stop and start the VPN tunnel:
• vpnc3 stop
• vpnc3 start

6.4 Control Center Licensing

The Control Center handles licensing for all managed firewalls. Firewalls can use either single licenses or bulk licensing through pool licenses. To be able to activate a new firewall, the Control Center and the client running Firewall Admin must have access to api.bcc.barracudanetworks.com on TCP port 443.

Licensing a Barracuda Firewall Control Center

If you deployed your Control Center with the CC Wizard, all licenses are automatically downloaded and installed on the box layer and the management interface of the Control Center. If the CC Wizard is not supported for your deployment type or platform, you must manually install the Control Center license on the management interface to establish the CC identity after activating the license on the box layer.

Single Licenses for Managed Firewalls

Single licenses are bound to the MAC and cpuid of the individual firewall and cannot be transferred. To make deploying a large number of firewalls easier, the Control Center can automatically fill in or complete the Barracuda Activation form for activating a new firewall. If you have filled in the Activation Template (Config > CC Parameters) on the Control Center, the form is automatically filled in. The licenses are downloaded and transferred to the firewall automatically after a successful activation. By enabling unattended activation in the Barracuda Activation tab for your license, you will not be prompted when a unit is activated.

Pool Licenses for Managed Firewalls

Pool licenses are purchased in multiples of five and are bound to the base license of the Control Center. The licenses are then assigned to the managed firewalls of the same product type and the same or smaller model than the pool license. For example: an F600 pool license can be assigned to an F600 or an F380, but not to a VF500. For firewalls using pool licenses, Barracuda Activation must be disabled. The enterprise license types are:
• F – For hardware appliances. Hardware pool licenses must be purchased in combination with the hardware appliances.
• VF – For virtual appliances.
• SF – For software licenses.

Enterprise License Handling

The Pool Licenses section on the Barracuda Activation page offers several actions for license handling. To access the context menu options, right-click a license from the Pool Licenses list:
• Import Pool License – Import the pool license. You are prompted to enter the Token and select the Product Type. The pool license is then listed in the Pool Licenses section.
• Remove Pool BAR – Removes the selected pool license.
• Use Unattended Activation – If you activate this option, Barracuda Firewall Admin will not ask for personal contact information upon activating licenses on Barracuda servers. Activation templates can be edited in the configuration on Global, Range, and Cluster levels.
• Update Licenses on CC – Trigger an instant check if licenses are updated on the Barracuda license servers. (This check is performed hourly in the background.)
• Move Instances to another Pool – Replace the box licenses derived from one pool license with box licenses from another pool license. This can be used when a new pool license with a bigger pool was purchased. In the next step, you can select which new pool the licenses should be generated from. The new pool license must already be listed (i.e., previously imported) in the Pool Licenses window. The new license pool must have at least as many free instances as the old pool and must also contain all the modules from the old license pool and, optionally, additional ones.
• Reassign Licenses to Instances – If the pool license was renewed, but box licenses were not automatically updated by the Control Center, use this option to manually trigger the update.
• Refresh – Refresh the Pool Licenses list.
• Tools – Opens the standard Tools context menu from where you can export the list to file or clipboard.
Continuous Updating of the Pool License Float

Managed firewalls using pool licenses must renew the license by connecting to the firewall at regular intervals. The license status for each firewall is listed on the Control > Floating Licenses page.

What happens when a license expires?

When a subscription exceeds the expiration date, it enters GRACE mode. When the grace period ends, the license becomes INVALID. Single licenses have a grace period of 15 days, and Enterprise licenses (pool) have a grace period of 60 days (except the VFp – Virtual Appliance Pool). No later than 15 days prior to the expiration date, the Barracuda Firewall Admin application displays a warning message.


What happens when a license becomes invalid?

When a license becomes INVALID, the subscribed features/services keep working, but configuration changes and subscription updates are blocked after 24 hours. On the day the license becomes invalid, the Barracuda Firewall Admin application displays a warning message.


Special Considerations for Control Center Licenses in Grace Period

If the host-ID address of the Control Center has changed, the licenses will become invalid and enter a 15-day grace period. During the grace period, do not change settings on the CC Identity page. Contact Barracuda Technical Support to resolve the licensing issues.
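As an added illustration (not Barracuda code), the expiry, grace and 24-hour lockout rules from this licensing section as a small Python state function that an admin could run against the rows of the Control > Floating Licenses page. The state names, the exact midnight boundaries, and the sample firewall names are assumptions of this example; the VFp exception is left out because the guide gives no grace period for it.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from enum import Enum


class LicenseKind(Enum):
    SINGLE = "single"  # bound to MAC/cpuid of one firewall, 15-day grace period
    POOL = "pool"      # enterprise pool license (F, VF, SF), 60-day grace period


# Grace periods stated in the guide, in days. The VFp (Virtual Appliance Pool)
# is excepted from the 60-day rule and the guide gives no figure for it, so it
# is deliberately not modelled: pass SINGLE or POOL only.
GRACE_DAYS = {LicenseKind.SINGLE: 15, LicenseKind.POOL: 60}
WARNING_DAYS_BEFORE_EXPIRY = 15   # Firewall Admin warns no later than this
INVALID_LOCKOUT_HOURS = 24        # changes are blocked this long after INVALID


class LicenseState(Enum):
    VALID = "VALID"
    EXPIRING = "EXPIRING"              # still valid, Firewall Admin shows a warning
    GRACE = "GRACE"
    INVALID = "INVALID"                # features work, changes still possible
    INVALID_LOCKED = "INVALID_LOCKED"  # config changes and updates are blocked


@dataclass(frozen=True)
class LicenseStatus:
    state: LicenseState
    days_left_in_grace: int   # 0 unless state is GRACE
    config_changes_allowed: bool
    subscription_updates_allowed: bool


def license_status(kind, expires: str, now: str) -> LicenseStatus:
    """Derive the license state at time `now` for a single or pool license.

    `kind` is a LicenseKind or its value ("single"/"pool"); `expires` is an
    ISO date (YYYY-MM-DD) and `now` an ISO timestamp (YYYY-MM-DDTHH:MM).
    Boundary assumption of this example (the guide does not spell it out):
    `expires` is the last valid day, GRACE starts at the following midnight,
    INVALID starts once the grace period has elapsed, and the 24-hour lockout
    is counted from that instant.
    """
    kind = LicenseKind(kind)
    expiry = date.fromisoformat(expires)
    at = datetime.fromisoformat(now)

    grace_start = datetime.combine(expiry + timedelta(days=1), datetime.min.time())
    grace_end = grace_start + timedelta(days=GRACE_DAYS[kind])
    lockout_at = grace_end + timedelta(hours=INVALID_LOCKOUT_HOURS)

    if at < grace_start:
        days_to_expiry = (expiry - at.date()).days
        state = (LicenseState.EXPIRING if days_to_expiry <= WARNING_DAYS_BEFORE_EXPIRY
                 else LicenseState.VALID)
        return LicenseStatus(state, 0, True, True)
    if at < grace_end:
        # A partially elapsed current day still counts as one day left.
        days_left = (grace_end.date() - at.date()).days
        return LicenseStatus(LicenseState.GRACE, days_left, True, True)
    if at < lockout_at:
        return LicenseStatus(LicenseState.INVALID, 0, True, True)
    return LicenseStatus(LicenseState.INVALID_LOCKED, 0, False, False)


def licenses_needing_attention(licenses, now: str):
    """Return (name, state) for every license that is not simply VALID.

    `licenses` is an iterable of (name, kind, expiry date) tuples, i.e. what an
    admin would read off the Control > Floating Licenses page.
    """
    report = []
    for name, kind, expires in licenses:
        status = license_status(kind, expires, now)
        if status.state is not LicenseState.VALID:
            report.append((name, status.state.value))
    return report


if __name__ == "__main__":
    # Constructed sample data: three managed firewalls with different license
    # kinds and expiry dates, evaluated on one fictitious morning.
    sample = [
        ("branch-fw-01", "single", "2019-03-31"),
        ("branch-fw-02", "pool", "2019-03-31"),
        ("hq-fw-01", "single", "2019-06-30"),
    ]
    for row in licenses_needing_attention(sample, "2019-04-20T09:00"):
        print("%s: %s" % row)
```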

6.5 Global Firewall Objects

Global Firewall Objects allow you to enter the network addresses one time for all the networks, public IP addresses, and special servers, and then to reuse them when configuring the services. A Global Firewall Object on the global or range level can be overridden by a different IP address or network on the range, cluster, or firewall level. This allows for one-time configurations in cases where one cluster uses a different IP address or network from all other configurations. You can also employ this functionality to enforce the usage of the same firewall object names for all your configurations. This allows you to create repository entries to be reused for all clusters. Site-specific firewall objects are globally defined in name and type, and the IP addresses or networks are entered in the Server Properties of the virtual servers. Site-specific network objects can be used only in the Forwarding and Distributed Firewall services. The following global objects can be created:
• Network objects
• Named Network objects
• Service objects
• Application objects
• User and Groups objects
• URL Filter objects
• File Content Policy objects
• User Agent objects
• Schedule objects
• Generic IPS Pattern objects

Be aware that changes to a global firewall object, such as renaming it, require you to click Send Changes and Activate before the change becomes available in the firewall services. The object type cannot be changed after it has been set.

Global Firewall Objects vs. Range/Cluster Firewall Objects

For a more granular definition of firewall objects, global firewall objects can be overridden by range or cluster firewall objects of the same name. An object that overrides a globally defined object is indicated by a server icon with a red arrow in the network object list. In the firewall rule editor, overridden objects are not marked separately.

Site-Specific Network Objects

Define a site-specific network object to define network objects for IP addresses or networks that differ for each CloudGen Firewall. The values for these network objects must be entered for each virtual server on the Server Properties > Networks page and can then be used in the forwarding firewall ruleset.


Global GTI Objects

When tunnel endpoints are created in the VPN GTI Editor, corresponding dynamic network objects are created at the same time. These objects are named servername_clustername_range with a corresponding prefixed GTI Server. Global GTI objects are inherited as references by local and forwarding firewall rulesets of each firewall service related to the tunnel endpoint and can be used for rule specification. Every time a new tunnel endpoint is inserted into the Global VPN GTI Editor, the GTI Objects must be reloaded in the Global Firewall Objects window in order to become available in the configuration dialogs. Global GTI objects cannot be edited or renamed.

Firewall Objects Naming Conventions

Although not required, following a naming convention for the global firewall objects simplifies configuration. It also lets you know at first glance what data is stored in the global firewall object. Setting the Network Color also makes a network object easily identifiable in the GUI. For this example: ____

6.6 Repository

Repositories are a powerful tool for administrators to distribute configurations to multiple firewalls in a Control Center. Configuration data that is used on more than one machine should be stored in a repository. This saves time and reduces configuration errors because the information is entered only once. Configurations stored in repository objects can be copied or linked to firewall configuration nodes. Linked configuration nodes are automatically updated when the repository object is updated, but might cause problems during updates or when moving the firewall. The repository entries must be migrated to match the firmware version of the firewall. This means that all linked firewalls must be updated, or a second repository entry used for the firewalls that are on a different update schedule. Copying the repository objects over the firewall configuration nodes takes care of this problem, but the node is no longer linked and changes to the repository are not synced to the firewall.

Three types of repositories exist:
• General repository
• Range repository
• Cluster repository

Overriding Linked Repository Entries You can override the repository settings to change specific settings of a linked configuration page while keeping the other settings linked to the template. To disable the override, click the clipboard icon that is next to the setting and select Unoverride Entry. The setting is linked and overwritten with the setting that is configured in the template.

Moving a Firewall with Links to a Repository

Repository links may break when moving or copying a firewall configuration, depending on whether it is a global, range, or cluster repository. The settings on the previously linked configuration pages will be saved, but the pages are no longer linked to the repository.

Repository                          Global          Range           Cluster
move/copy to a different range      link remains    link is broken  link is broken
move/copy to a different cluster    link remains    link remains    link is broken


Multiple Object Action

Linking or copying a repository entry to many firewalls is made easier by multiple object action. This allows the admin to link or copy one repository entry to multiple firewall configuration nodes in one step.

6.7 Control Center Deployment

The Control Center wizard guides you through the setup of all Control Center settings. The wizard is available only on new or freshly installed virtual Control Centers with the exception of Control Centers in the public cloud. The CC Wizard is automatically started when logging in to a new Control Center the first time. It can also be launched manually from the OPTIONS menu.


7 Virtual Private Networks

7.1 VPN Service

VPN offers a secure, efficient, and economical way to connect physically separate networks and to let users access corporate network resources from a remote location. The Barracuda CloudGen Firewall provides three types of VPN services:
• Client-to-Site VPN – Lets remote users access the corporate network with VPN clients and mobile devices.
• Site-to-Site VPN – Securely and transparently connects remote locations with your network.
• SSL VPN – Lets remote users access corporate resources over a secure web interface without the need of configuring a VPN client.
Client-to-Site VPN

Client-to-Site VPN offers users access to the corporate network from a remote location over a secure tunnel connection. Clients authenticate by user/password and/or X.509 certificates. Depending on the VPN client device, the CloudGen Firewall supports TINA or IPsec VPN protocols.

Site-to-Site VPN

Site-to-Site VPNs establish secure connections between two locations over a public network such as the Internet. The proprietary TINA protocol offers intelligent traffic management capabilities using Traffic Intelligence, WAN optimization, and on-the-fly traffic shaping. For connectivity with third-party VPN gateways, it is also possible to create Site-to-Site VPN connections using IPsec.

SSL VPN

SSL VPN grants users secure SSL/TLS-encrypted access to internal corporate resources and applications through a customizable web interface without the need of installing or configuring a VPN client. SSL VPN supports centralized authentication, authorization, and content inspection. Server and application URLs are translated into a URL namespace, making resources accessible via a single hostname.

7.2 VPN Protocols

The CloudGen Firewall supports two different types of VPN protocols:
• IPsec – The IPsec VPN protocol is the industry standard VPN protocol. The CloudGen Firewall supports both IKEv1 and IKEv2 site-to-site and client-to-site VPNs. This allows it to connect to any standard-compliant third-party VPN gateway and offer client-to-site connectivity for IPsec VPN clients.
• TINA – To overcome limitations imposed by IPsec, we offer TINA, a proprietary extension of the IPsec protocol. TINA is designed to improve VPN connectivity and availability between two sites. TINA VPN tunnels can be created only between two CloudGen Firewalls.

Benefits of the TINA Protocol:
• Routes two encryption domains or VPN domains via different paths.
• Modified initial handshake improving denial-of-service protection for X.509 certificate based authentication.
• Multiple encapsulation transports: ESP, UDP, TCP, TCP/UDP hybrid mode, or routing (no encapsulation).
• Heartbeat monitoring and fast failover support.
• Continuous bandwidth and throughput evaluation.
• Immunity to NAT devices or proxies (HTTPS, SOCKS) between two tunnel endpoints.

Transport Modes

The transport of the VPN traffic is configured separately from the VPN tunnel. The following transport modes are supported on every CloudGen Firewall:
• UDP – UDP encapsulation benefits from the low overhead, reduced latency, and NAT-traversal capabilities of the UDP protocol. UDP has no error checking, which may be a problem for connections with high packet loss or if VPN traffic largely consists of UDP connections.
• TCP – TCP offers transport reliability and NAT traversal capabilities. It is the only available option if you are behind a proxy. If you must connect through an HTTP proxy, port 443 can also be used.
• Hybrid (TCP & UDP) – A Hybrid mode tunnel encapsulates TCP in UDP and UDP in TCP to balance the strengths of each protocol with optimal transport reliability. Latency-critical UDP traffic should not be sent in Hybrid mode because the TCP transport mode may increase the latency.
• ESP – ESP is the native IPsec protocol, and as a Layer 3 protocol, it offers the best performance. NAT traversal is not possible.
• Routing – No encapsulation is performed for this transport mode. It requires a routed setup between the two locations (usually MPLS). Therefore, it is not a true VPN tunnel transport, but it is useful for cases where no encryption or encapsulation is required.
Use the following table to help you decide which transport is correct:

Transport Mode       Proxy / SOCKS Compatibility   NAT Compatibility   Response Time   Transport Reliability
UDP                  no                            yes                 fast            normal
TCP                  yes                           yes                 normal          complete
Hybrid (TCP & UDP)   no                            yes                 fast            complete
ESP                  no                            no                  fast            normal


UDP Transport Mode

The UDP TINA tunnel transport uses UDP port 691 for the VPN tunnel connection. UDP is an unreliable, minimal message-orientated transport layer protocol that provides no guarantees to the upper layer protocol for message delivery. However, it provides quick deliveries and generates little processing overhead on the VPN service. UDP transport mode is the default mode and is best for response-optimized tunnels. Because most of the connections transferred through VPN tunnels are usually TCP client-to-server connections, UDP can be safely used as a transport mode. Retransmission of the reliable part of the communication is already done by the application itself. Its protocol overhead is lower than that of TCP.

TCP Transport Mode

The TCP tunnel transport uses TCP connections on port 691 or 443 (if HTTP proxies are used). This mode is necessary for connections through SOCKS4 or HTTP proxies. This transport mode is used if the reliability of the transferred data must be ensured. Keep in mind that compared to UDP or ESP, the overhead generated by the TCP protocol decreases the VPN throughput rates. A TCP transport is commonly used if the Internet path of a remote location is unreliable and has packet drops.

Hybrid (TCP & UDP) Transport Mode

The Hybrid transport mode is a mixture of both TCP and UDP connections. It uses two VPN tunnel transports in a single VPN tunnel: one tunnel with the UDP transport mode and one tunnel with the TCP transport mode. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP-based and ICMP-based applications. By sending UDP data into the TCP VPN tunnel transport and TCP data into the UDP VPN tunnel transport, this mode tries to compensate for the respective limitations of each protocol. Using the Hybrid mode with latency-critical UDP sessions is not recommended because UDP sessions are automatically transferred over the TCP tunnel transport, adding latency to your session.

ESP Transport Mode

Before using ESP, verify that the ISP does not filter ESP traffic on the connection. The ESP transport mode is best for performance-optimized tunnels. It does not encapsulate the ESP data flow in an additional protocol, so ESP generates the least overhead and is the most efficient transport mode for TINA tunnels. ESP is the same encapsulation that IPsec uses (IP protocol 50). Because ESP carries no port numbers, it cannot be used across NAT'd connections.

The status of a site-to-site TINA tunnel transport is permanently monitored by both VPN gateways. For UDP and TCP transports, monitoring is carried out inside the tunnel transport itself. The ESP transport, however, requires a separate UDP connection for monitoring. This separate monitoring connection may result in a state where the VPN appears to be up, but no data can be sent through the tunnel: monitoring over the healthy UDP connection succeeds, while the ESP packets are blocked before reaching their destination.
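The following Python script is an added example, not Barracuda code. It classifies the health of each transport from the two signals that the text distinguishes, the transport monitoring probe and an end-to-end data check through the tunnel, so that the ESP trap described above (healthy UDP monitoring session, blocked ESP data path) shows up as its own state instead of "up". The Observation and Health names, the NEXT_STEP texts and the sample observations are constructed for the example.

```python
"""Added example, not Barracuda code: classify the health of a TINA
transport from two independent signals (monitoring probe, data check).
Observation/Health/NEXT_STEP are assumptions made for this example."""
from dataclasses import dataclass
from enum import Enum


class Transport(Enum):
    UDP = "udp"
    TCP = "tcp"
    ESP = "esp"


class Health(Enum):
    UP = "up"
    DOWN = "down"
    # Probe answered but payload did not arrive. For ESP the probe travels
    # over a separate UDP session, so this points at ESP (IP protocol 50)
    # being filtered somewhere on the path.
    ESP_FILTERED = "esp-filtered"
    # Probe answered inside the data transport (UDP/TCP) but payload did not
    # arrive: the transport works, look at access rules, NAT and routes.
    TUNNEL_UP_NO_DATA = "tunnel-up-no-data"


@dataclass(frozen=True)
class Observation:
    name: str
    transport: Transport
    monitor_ok: bool  # transport probe succeeded
    data_ok: bool     # e.g. an ICMP echo to a host in the remote network succeeded


def classify(obs: Observation) -> Health:
    """Map a (monitor, data) pair to a health state for one transport."""
    if not obs.monitor_ok:
        return Health.DOWN
    if obs.data_ok:
        return Health.UP
    if obs.transport is Transport.ESP:
        return Health.ESP_FILTERED
    return Health.TUNNEL_UP_NO_DATA


NEXT_STEP = {
    Health.UP: "no action",
    Health.DOWN: "check service IPs, key exchange and the Drop Cache on VPN > Status",
    Health.ESP_FILTERED: "a device between the VPN servers filters ESP; switch the transport to UDP or TCP",
    Health.TUNNEL_UP_NO_DATA: "check forwarding Firewall service, pass rules and source NAT on both partners",
}


def tunnel_usable(observations) -> bool:
    """A TI tunnel carries traffic as long as at least one transport is UP."""
    return any(classify(o) is Health.UP for o in observations)


def report(observations):
    """Return (name, state, next step) triples for an operator."""
    out = []
    for o in observations:
        h = classify(o)
        out.append((o.name, h.value, NEXT_STEP[h]))
    return out


# Constructed sample: the ESP transport's monitoring succeeds while data is
# blocked, the UDP transport is fine, the TCP transport is down.
SAMPLE = [
    Observation("esp-mpls", Transport.ESP, monitor_ok=True, data_ok=False),
    Observation("udp-dsl", Transport.UDP, monitor_ok=True, data_ok=True),
    Observation("tcp-wwan", Transport.TCP, monitor_ok=False, data_ok=False),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row, sep=" | ")
```

The point of keeping the two signals separate is that a monitoring-only view (what the VPN status page shows) cannot distinguish ESP_FILTERED from UP; only a probe that actually crosses the data path can.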

Call Direction

• Active – An active VPN server accepts tunnel requests and also initiates the tunnel connection. Since connections are both accepted and initiated, active-active configurations are also possible. When the tunnel is down for a defined time, the server cleans its state to accept retries from its partner and also tries to initiate the connection itself.
• Passive – A passive VPN server does not build up the tunnel. It only accepts requests from its partner. If the tunnel is down for a defined time, it cleans its state to accept retries from its partner.
• OnDemand – Use this option with Traffic Intelligence. The VPN server initiates the tunnel when packets are sent through the transport. When the transport is no longer used, it is terminated after a specified timeout.


IP Version

The VPN service supports IPv6 for the VPN envelope. This means that site-to-site and client-to-site VPN tunnels can be created between two IPv6 endpoints, but only IPv4 traffic can be sent through the tunnel. IPv6 is not supported for:
• Dynamic Mesh
• L2TP
• PPTP
• SSL VPN







7.3 Site-to-Site VPN

A site-to-site VPN allows multiple locations to establish secure connections over the Internet or other public networks. VPN tunnels transparently join networks, making remote resources securely available to clients behind the VPN devices. The Barracuda CloudGen Firewall offers two site-to-site VPN protocols: TINA and IPsec.

TINA VPN

TINA is a Barracuda Networks proprietary VPN protocol designed to extend the feature set and remove the limitations of IPsec. TINA is designed to provide superior VPN connectivity and availability. Site-to-site TINA tunnels can only be established between CloudGen Firewalls. Advanced VPN features, such as Traffic Intelligence or WAN Optimization, are only available for TINA VPN tunnels.


IPsec VPN

IPsec has established itself as the standard for VPN tunnels and is supported by almost all VPN device manufacturers. The Barracuda CloudGen Firewall supports both IKEv1 and IKEv2 IPsec site-to-site VPN tunnels to third-party VPN devices.

Creating VPN Tunnels Using the Barracuda Firewall Control Center GTI Editor

The Barracuda Firewall Control Center includes the GTI Editor, a graphical interface to create and manage VPN tunnels. When configuring VPN tunnels manually, many configuration steps and settings are identical on both ends. The GTI Editor eliminates many of these redundant steps, helping you configure VPN tunnels more quickly and correctly.

7.4 VPN Tunnel Settings

VPN Service and VPN Service Listener

The VPN service must be created in the same virtual server as the Firewall service. Only one VPN service is allowed per firewall. Configure the service to listen on a public IPv4 or IPv6 address. For dynamic IPv4 Internet connections, use a listener on a private or loopback IP address and an App Redirect rule that redirects the tunnel traffic arriving on the dynamic interface to that listener.

Local and Remote Networks

Configure the local and remote networks for the CloudGen Firewall. Only IPv4 networks can be routed through the VPN tunnel. In the Remote Networks tab, add all networks that will be routed through the tunnel to the partner. In the Local Networks tab, specify all IP networks that should be connected to the partner via the VPN tunnel. Packets that belong to these networks are routed into the VPN tunnel if they are addressed to the partner network.

VPN Routes

VPN tunnel routes are placed before the main routing table, so they are processed before directly attached network routes. When a VPN tunnel is configured and enabled, the tunnel routes are introduced as static routing entries in the VPN routing table. As a result, traffic for the remote networks is directed to the VPN service and the outgoing device vpn0 even when the tunnel is not established, so it is never sent unencrypted via the default route. In rare cases, using a separate routing table for the VPN routes is not possible. By setting Add VPN Routes to Main Routing Table (Single Routing Table) to Yes in the VPN Settings, the VPN routes are inserted into the main routing table with a preference of 10. Be warned that replacing the default source-based routing table with a single routing table without a proper migration plan may break your setup and cause loss of connectivity.

IPsec Peer Information

In Main mode, a static IP address is required for both the source and the destination peer. In Aggressive mode, one site may have a dynamic IP address. Aggressive mode is not recommended: with pre-shared keys, the peer identity is sent in the clear and the exchanged hash allows an offline dictionary attack on the pre-shared key.

TINA Peer Information

TINA peers are more flexible than IPsec peers. When you define the first transport, you set the public peer IP addresses of each firewall. This configures the transport source IP for the connection and the transport destination peer IP to which the connection is established. The transport source IP can be one of the following:
• virtual server IP address
• interface – This is especially useful for dynamic Internet connections (e.g., dhcp0 for the first DHCP link).
• dynamic – The transport source IP address is determined automatically by the routing lookup. This is the easiest method for a single dynamic Internet uplink.

The transport destination IP can be a virtual server IP of the destination VPN service. If the remote site has a dynamic IPv4 Internet connection, the transport destination IP can be a DNS hostname. Use source-based routing if you have multiple Internet connections.

Encryption / Authentication

The Encryption setting specifies the encryption algorithm, such as AES, AES256, or 3DES. The Authentication setting specifies the hashing algorithm for the tunnel, such as SHA1 or MD5. Encryption algorithms with longer key lengths are more secure but require more CPU cycles to encrypt and decrypt the data. Avoid 3DES: it is slow and only offers acceptable performance with special hardware acceleration cards, and its 64-bit block size makes it unsuitable for high-volume tunnels. Likewise, prefer SHA256 or stronger over MD5 and SHA1 for authentication.

(TINA only) Transport Mode

Choose the transport mode for the VPN tunnel. Barracuda Networks recommends using a UDP transport.


(TINA only) Tunnel Probing and Timeout

The tunnel probing and timeout settings specify how often the VPN service probes the remote VPN service and how quickly the VPN tunnel is re-established after an interruption. You can configure both settings from the Advanced tab of the TINA tunnel settings. From the Tunnel Probing list, select how often the firewall checks the health of the VPN tunnel. If a probe is lost, the tunnel timeout timer starts and the VPN service sends a probe every second. If the probing continues to fail until the timeout expires, the tunnel is closed and re-established. By default, tunnel probing is set to every 30 seconds and the tunnel timeout to 20 seconds, so the TINA tunnel is down for at most 49 seconds before the VPN service tries to restart it. The most aggressive settings you can select are 1 second for probing and 3 seconds for the timeout period.

Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) derives each new session key from a fresh Diffie-Hellman exchange instead of from previous key material, so keys are changed automatically and regularly and the compromise of one key does not expose earlier or later sessions. To use PFS, it must be enabled on both devices. For IPsec tunnels, this is enabled in the IPsec tunnel settings; for TINA, you must enter the Advanced settings of the VPN Settings. PFS is enabled by default for TINA tunnels, with a transparent fallback in place in case the other firewall uses an old firmware version that does not support it; note that this fallback silently downgrades the key exchange with such peers.

(IPsec) Dead Peer Detection

You can configure Dead Peer Detection (DPD) by default in the VPN settings or for individual IPsec tunnels. Ensure that the same DPD settings are configured on both IPsec devices. If a device does not support DPD, set DPD to 0.

7.5 Site-to-Site VPN Authentication

There are several possible authentication methods for site-to-site VPN tunnels:
• Pre-shared RSA public key
• Pre-shared passphrase (IPsec only) – A pre-shared key. IPsec passphrases may not contain the # character.
• External root-signed X.509 certificate – This method allows many restrictive configurations (match on one root certificate, match on all root certificates, and an additional pattern check for subject/subject alternative name, policy match, and generic v3 OID match).
• Explicit X.509 certificate – This method is used if a CA/public key infrastructure (PKI) is not available.

TINA Tunnel Identification Exchange

Configuring a TINA tunnel is similar to configuring an IPsec tunnel. For identification, the TINA protocol allows only certificates or public/private key pairs; pre-shared keys are not allowed. Firewall Admin automatically generates a Server Protocol Key when the TINA tunnel configuration window is opened. The public key must be imported into the TINA tunnel configuration of the other site as the remote peer identification public key, and vice versa. To exchange the public key between both sites, export it to the clipboard and import it on the other site.


If you do not correctly exchange keys between the tunnel partners, the VPN tunnel will not be established. To verify that the keys were correctly exchanged, compare the hash values of the keys: the hash of the server protocol key of one CloudGen Firewall is displayed as the public key hash on its tunnel partner, and vice versa. Compare these hashes over a channel other than the tunnel itself (for example, by phone or a separately authenticated admin session); an attacker who could substitute a public key during the exchange could also substitute its hash. You can select one of the following hashing algorithms for the VPN tunnel:
• MD5 – Message Digest 5. Hash length is 128 bits. (Not recommended. High performance, but cryptographically weak.)
• SHA – Secure Hash Algorithm (SHA-1). Hash length is 160 bits. (Not recommended. High performance, but cryptographically weak.)
• NOHASH – No hashing of packets will be performed. Packets are not integrity-protected; do not use this in production.
• RIPEMD160 – RACE Integrity Primitives Evaluation Message Digest. Hash length is 160 bits. (Highly recommended.)
• SHA256 – Secure Hash Algorithm. Hash length is 256 bits. (Highly recommended.)
• SHA512 – Secure Hash Algorithm. Hash length is 512 bits.
• GCM – Galois/Counter Mode (GCM). Tag length is 128 bits. Provides authenticity of the confidential data for up to about 64 GB per invocation, using a universal hash function defined over a binary Galois field.













7.6 Configuring a TINA Site-to-Site Tunnel

TINA site-to-site VPNs can only be configured between two CloudGen Firewalls. For the VPN tunnel to be able to authenticate and transmit data, follow these steps:
• Configure identical encryption settings on both firewalls.
• Configure the VPN service to listen on the external IP address of the firewall. If a dynamic IPv4 address is used, create an App Redirect rule and configure the listener on a 127.0.0.X IP address.
• Configure the remote and local IPv4 networks on each firewall. Be sure to enter these networks from the perspective of the firewall you are configuring, e.g., the local network on the location 1 firewall is the remote network on the location 2 firewall.
• Exchange the public keys to authenticate.
• On each firewall, create pass access rules to allow traffic to and from the local and remote networks. Use Original Source IP or a NAT Table as the Connection Method.
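The following Python script is an added example, not Barracuda code. It checks a pair of TINA site-to-site configurations against each other before they are committed, covering both the public key hash comparison from the identification exchange above and the steps of this section: identical encryption settings, a loopback listener for dynamic uplinks, IPv4-only networks, and local/remote networks that mirror each other from each firewall's perspective. The TinaSite fields, the SHA-256 fingerprint, and the placeholder key blobs are assumptions made for the example; the firewall's own hash display is what you compare in practice.

```python
"""Added example, not Barracuda code: consistency check for a pair of TINA
site-to-site configurations. TinaSite, key_hash and the KEY_* blobs are
assumptions made for this example."""
import hashlib
import ipaddress
from dataclasses import dataclass


def key_hash(public_key: bytes) -> str:
    """Fingerprint of an exported public key blob. The firewall shows its own
    hash for the partner to compare; SHA-256 here is an assumption, any fixed
    hash of the same bytes works for the comparison."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class TinaSite:
    name: str
    listener_ip: str
    dynamic_uplink: bool
    local_networks: tuple
    remote_networks: tuple
    encryption: str
    authentication: str
    server_protocol_key: bytes  # this site's own public key
    remote_peer_key_hash: str   # hash shown for the key imported from the partner


def check_pair(a: TinaSite, b: TinaSite) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for site in (a, b):
        if site.dynamic_uplink and not ipaddress.ip_address(site.listener_ip).is_loopback:
            problems.append(f"{site.name}: dynamic uplink needs a 127.0.0.x listener plus an App Redirect rule")
        for net in site.local_networks + site.remote_networks:
            if ipaddress.ip_network(net).version != 4:
                problems.append(f"{site.name}: {net} is not IPv4; only IPv4 can be routed through the tunnel")
        for loc in site.local_networks:
            for rem in site.remote_networks:
                if ipaddress.ip_network(loc).overlaps(ipaddress.ip_network(rem)):
                    problems.append(f"{site.name}: local {loc} overlaps remote {rem}")
    if (a.encryption, a.authentication) != (b.encryption, b.authentication):
        problems.append("encryption/authentication settings differ between the sites")
    # Networks are entered from each firewall's own perspective, so A's local
    # set must equal B's remote set and vice versa.
    if set(a.local_networks) != set(b.remote_networks):
        problems.append(f"{a.name} local networks do not match {b.name} remote networks")
    if set(a.remote_networks) != set(b.local_networks):
        problems.append(f"{a.name} remote networks do not match {b.name} local networks")
    # Key exchange: each side must hold the hash of the partner's key, not its own.
    if a.remote_peer_key_hash != key_hash(b.server_protocol_key):
        problems.append(f"{a.name} holds a peer key hash that is not {b.name}'s key")
    if b.remote_peer_key_hash != key_hash(a.server_protocol_key):
        problems.append(f"{b.name} holds a peer key hash that is not {a.name}'s key")
    return problems


# Constructed placeholder key blobs; a real export is a PEM/DER public key.
KEY_HQ = b"-----BEGIN PUBLIC KEY-----\nHQ-PLACEHOLDER\n-----END PUBLIC KEY-----\n"
KEY_BRANCH = b"-----BEGIN PUBLIC KEY-----\nBRANCH-PLACEHOLDER\n-----END PUBLIC KEY-----\n"


def good_pair():
    hq = TinaSite("hq", "203.0.113.10", False, ("10.0.0.0/16",), ("10.1.0.0/24",),
                  "AES256", "SHA256", KEY_HQ, key_hash(KEY_BRANCH))
    branch = TinaSite("branch", "127.0.0.9", True, ("10.1.0.0/24",), ("10.0.0.0/16",),
                      "AES256", "SHA256", KEY_BRANCH, key_hash(KEY_HQ))
    return hq, branch


def swapped_key_pair():
    """Common mistake: the branch admin imported the branch's own key."""
    hq, branch = good_pair()
    branch.remote_peer_key_hash = key_hash(KEY_BRANCH)
    return hq, branch


if __name__ == "__main__":
    print(check_pair(*good_pair()))
    print(check_pair(*swapped_key_pair()))
```

Run against the real exports, the key check is the part that catches the silent failure mode: a tunnel whose key hashes do not cross-match never comes up and only shows in the Drop Cache.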










7.7 Configure IPsec Site-to-Site VPN

The configuration of IPsec VPN tunnels is straightforward and similar to the TINA site-to-site configuration:
• Configure identical encryption settings on both firewalls.
• Configure the VPN service to listen on the external IPv4 or IPv6 address of the firewall. If a dynamic IP address is used, enable Use IPsec dynamic IPs in the VPN Settings.
• Configure the remote and local IPv4 networks on each firewall. Be sure to enter these networks from the perspective of the firewall you are configuring, e.g., the local network on the location 1 firewall is the remote network on the location 2 firewall.
• Use a pre-shared key or X.509 certificate authentication.
• On each firewall, create pass access rules to allow traffic to and from the local and remote networks. Use Original Source IP as the Connection Method.









IKEv1 or IKEv2

The CloudGen Firewall supports both IKEv1 and IKEv2 IPsec VPN tunnels. Choose one depending on your requirements and on what the remote VPN gateway supports; prefer IKEv2 where the remote gateway supports it.

Main Mode or Aggressive Mode

Use Main mode when you have static public IP addresses at both locations. Use Aggressive mode only if you are connecting to a location that does not have a static IP address. Ensure that you configure the same mode on both systems.

Dead Peer Detection

You can configure Dead Peer Detection (DPD) by default in the VPN settings or for individual IPsec tunnels. Ensure that the same DPD settings are configured on both IPsec devices. If a device does not support DPD, set DPD to 0.

Perfect Forward Secrecy

To automatically and regularly renew the session keys from a fresh Diffie-Hellman exchange, use Perfect Forward Secrecy (PFS). To use PFS, enable it on both IPsec devices. In the IPsec tunnel settings, select the Enable Perfect Forward Secrecy check box and configure the Phase2 DH-Group setting; the DH group must match on both sides.


Compatibility with Third-Party IKEv1 IPsec Gateways

When using the CloudGen Firewall with third-party IKEv1 IPsec gateways, keep the following limitations in mind:
• For both locations in the IPsec tunnel, verify that the lifetime settings are configured identically. The CloudGen Firewall only supports time-based lifetime limits; it does not support limits on the amount of transferred data. Generally, Phase I lifetimes should be longer than Phase II lifetimes.
• Supernetting is not supported.
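The following Python script is an added example, not Barracuda code. It compares the IPsec settings of a CloudGen Firewall and a third-party IKEv1 gateway for the mismatches this and the preceding paragraphs warn about: IKE version and mode, Main mode versus dynamic addresses, DPD present on both sides, PFS and the Phase2 DH group, identical time-based lifetimes with Phase I longer than Phase II, no data-volume lifetime, and no '#' in the passphrase. The IpsecPeer fields and the sample values are assumptions made for the example.

```python
"""Added example, not Barracuda code: parameter compatibility check between
two IPsec peers. IpsecPeer and the sample values are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpsecPeer:
    name: str
    ike_version: int             # 1 or 2
    mode: str                    # "main" or "aggressive" (IKEv1 only)
    static_ip: bool
    dpd_seconds: Optional[int]   # None: device cannot do DPD; 0: DPD off
    pfs: bool
    pfs_dh_group: Optional[int]
    phase1_lifetime_s: int
    phase2_lifetime_s: int
    phase2_lifetime_bytes: Optional[int]  # data-volume limit; unsupported on CloudGen
    psk: str


def check_peers(local: IpsecPeer, remote: IpsecPeer) -> list:
    """Return findings as strings; an empty list means the settings agree."""
    findings = []
    if local.ike_version != remote.ike_version:
        findings.append("IKE version differs")
    if local.ike_version == 1:
        if local.mode != remote.mode:
            findings.append("IKEv1 mode differs; both sides must use Main or both Aggressive")
        if local.mode == "main" and not (local.static_ip and remote.static_ip):
            findings.append("Main mode requires static IPs on both peers")
        if local.mode == "aggressive":
            findings.append("warning: Aggressive mode leaks the identity and exposes the PSK to offline guessing")
    # DPD must be identical; if one device cannot do DPD, the other must use 0.
    dpd = {p.dpd_seconds for p in (local, remote)}
    if None in dpd:
        if any(p.dpd_seconds for p in (local, remote)):
            findings.append("one peer lacks DPD support; set DPD to 0 on the other")
    elif len(dpd) != 1:
        findings.append("DPD settings differ")
    if local.pfs != remote.pfs:
        findings.append("PFS enabled on one side only")
    elif local.pfs and local.pfs_dh_group != remote.pfs_dh_group:
        findings.append("Phase2 DH group differs")
    for p in (local, remote):
        if p.phase1_lifetime_s <= p.phase2_lifetime_s:
            findings.append(f"{p.name}: Phase I lifetime should exceed Phase II lifetime")
        if p.phase2_lifetime_bytes:
            findings.append(f"{p.name}: data-volume lifetime set; CloudGen only supports time limits")
        if "#" in p.psk:
            findings.append(f"{p.name}: passphrase contains '#'")
    if (local.phase1_lifetime_s, local.phase2_lifetime_s) != (remote.phase1_lifetime_s, remote.phase2_lifetime_s):
        findings.append("lifetimes differ between peers")
    if local.psk != remote.psk:
        findings.append("pre-shared keys differ")
    return findings


def sample_pair():
    """Constructed sample: CloudGen and a third-party gateway in agreement."""
    cgf = IpsecPeer("cgf", 1, "main", True, 30, True, 14, 28800, 3600, None, "correct horse battery")
    third = IpsecPeer("vendor-x", 1, "main", True, 30, True, 14, 28800, 3600, None, "correct horse battery")
    return cgf, third


if __name__ == "__main__":
    cgf, third = sample_pair()
    third.dpd_seconds = None
    third.phase2_lifetime_bytes = 4_000_000_000
    for f in check_peers(cgf, third):
        print(f)
```

The check is deliberately symmetric: every finding that depends on one side's value is reported with that side's name, so the output maps directly onto which device needs the change.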

7.8 Firewall Admin: Tunnel Monitoring

The Firewall Admin VPN tab provides information on all VPN connections that are configured on the firewall.

Site-to-Site

To view VPN tunnels, go to the VPN > Site-to-Site page. The page displays all introduced VPN tunnels. If a VPN tunnel cannot be established, a red icon is displayed next to the active partner, and a gray X is displayed next to the passive partner. If a tunnel is active, no icons are displayed in front of its name. To reduce the number of tunnels displayed on the page, you can filter the list. When you right-click a VPN tunnel, you can select options to control it: you can terminate or initiate the VPN tunnel. In addition, you can force a hard kill of an IPsec tunnel, which deletes all tunnel SAs.


VPN Status

On the VPN > Status page, you can view the status of your VPN tunnels. Active tunnels are displayed with a blue icon; deactivated tunnels are displayed with a green icon. When you right-click a tunnel, you can select Disable Tunnel to deactivate it. To activate a tunnel, right-click it and select Enable Tunnel. The Access Cache section displays all incoming VPN connections to the VPN service and shows when an attempt was last made to establish a particular tunnel and whether it succeeded. The Drop Cache section lists all IP packets that arrived at the VPN server but were rejected; it is the first place to look for a peer whose key or settings do not match.

VPN Client Downloads

You can copy Barracuda Network Access Client update files to the firewall. The next time a Barracuda Network Access Client connects to the VPN server, it will be offered this installation file for download.

VPN Troubleshooting Tips

If a VPN tunnel cannot be established, check the following:
• Do both VPN servers have the correct IP addresses defined as service IPs?
• For a TINA tunnel: Have the public keys been correctly exchanged? Check the hash values shown for each key. If the keys have not been correctly exchanged, this is displayed in the Drop Cache section on the VPN > Status page.
• For IPsec VPN tunnel partners: Have the correct settings (including the passphrase) been entered?

If a tunnel has been established, but no data can be sent through it, check the following:
• Has the ESP option been selected as the transport protocol for a TINA tunnel? If yes, a network device between the two VPN servers might be filtering out ESP data.
• Has a Firewall service been added to both tunnel partners? Without a forwarding firewall service, data cannot be redirected by the CloudGen Firewall.
• Was a source NAT carried out in an access rule that allows traffic into the remote network? If so, did you correctly configure the VPN tunnel for use with source NAT?


7.9 GTI Editor - Graphical Tunnel Interface

The Barracuda CloudGen Firewall VPN Graphical Tunnel Interface (GTI) provides a graphical interface to create and manage TINA and IPsec VPN tunnels. When configuring VPN tunnels manually, many configuration steps and settings are identical on both ends. The GTI Editor eliminates many of these redundant steps, helping you configure your VPN tunnels more quickly and with fewer errors. Environments with many VPN tunnels benefit most from the GTI Editor. The GTI Editor is available on the Barracuda Firewall Control Center and can be used on the global, range, or cluster level.

VPN GTI Settings per VPN Service

For each VPN service you want to use in the GTI Editor, you must configure a few basic parameters:
• Transport Source IP – A list of one or more IP addresses the VPN service uses for its transports. They can be entered explicitly or selected by the system using a route table lookup (Dynamic via routing). You can also use all IP addresses configured in the VPN service properties by selecting All Service IPs.
• Transport Listening IP – An external IP address that remote firewalls use as the destination IP address to establish a VPN tunnel. If only active VPN connections are going to be configured on this unit, no listening IP is needed (set it to 127.0.0.1 or ::1).
• Networks – In the Server Properties of the virtual server your VPN service is running on, set the on-premises IPv4 network(s) that are made available via the VPN tunnel.

All other settings for the VPN tunnels are taken from the GTI Editor Defaults that are defined for each VPN group.

VPN Groups VPN groups contain VPN services running in the same scope as the GTI Editor. You can create as many groups as needed and then assign the available VPN service to the individual groups. When using the GTI on the cluster or range level, only include VPN services running on virtual servers of that range or cluster.


VPN Tunnels VPN tunnels are created by dragging a connection from one firewall to the other. The tunnel configuration parameters stored for each VPN service are then used to create the VPN tunnel. It might be necessary to configure some settings or remove a listening IP address, depending on how you configured the VPN GTI settings.

Add an External VPN Server to the GTI Editor

The GTI Editor can only configure VPN tunnels for managed CloudGen Firewalls. To get a complete overview, you can add external, non-managed, or third-party VPN servers to the GTI Editor. You must manually configure the VPN and network settings for VPN tunnels to external VPN servers, and the external VPN server must be configured to match the settings entered here. To differentiate between managed and unmanaged VPN servers, external VPN services are represented by a grey icon.


Traffic Intelligence

When Traffic Intelligence is used, the GTI Editor allows you to add additional transports to a tunnel with a simple drag-and-drop operation. The tunnel configuration for the new transport can then be configured just like the primary transport.

GTI Editor Limitations

There are some limitations you need to consider when using the GTI Editor:
• You cannot import manually configured VPN tunnels into the GTI Editor – Recreate the manually configured VPN tunnels in the GTI Editor. After creating the VPN tunnels in the GTI Editor, remove the manually configured tunnels. Otherwise, the VPN tunnel is configured twice and will not work correctly.
• Remember to create access rules that allow traffic in your VPN tunnels – The GTI Editor only creates VPN tunnels. Firewall rules must still be created manually to allow traffic to and from your VPN tunnels.
• The GTI Editor is only available in the Control Center – When you go to the VPN page while logged into a CloudGen Firewall, only the VPN tunnels are listed. You will not see the VPN groups or the VPN tunnel diagram.

GTI Tunnel Monitoring You can view the collective state of all GTI VPN tunnels of a firewall on the CONTROL > Status Map of the Control Center.


8 Introduction to Traffic Intelligence

Traffic Intelligence (TI) provides multiple VPN transports, each capable of using a different WAN connection, thereby expanding the concept of a traditional VPN tunnel with a single transport into one logical VPN tunnel with several. TI also provides redundant, reliable, and failsafe network connections: the VPN tunnel is up and can transmit traffic as long as at least one transport is operational. Admins can retain full control over how each transport is used, or they can configure the advanced balancing and bandwidth management features to make optimal use of the available bandwidth. Note that since TI requires the TINA VPN protocol, both the local and the remote gateway must be Barracuda CloudGen Firewalls.

VPN Transports

When connecting two sites, a single transport can use only one WAN connection on each site. To use multiple WAN connections, multiple parallel VPN tunnels would have to be created, which makes routing traffic over these parallel tunnels difficult. With multiple transports, only one VPN tunnel, and the routes for one tunnel, are needed. For each WAN connection, a VPN transport is added to the VPN tunnel. The connection object of the access rule that matches the traffic determines which transport is used. Transports can use a mix of IPv4 and IPv6 WAN connections, MPLS lines, and fallback WWAN connections. The transport protocol can be set individually for each VPN transport, depending on the type of traffic and WAN connection: UDP, TCP, ESP, or Routing. Transports are split into three classes, each containing up to eight IDs, for a maximum of 24 transports per VPN tunnel.


VPN Transport Classes

The three VPN transport classes are classified according to their "cost":
• Bulk – For cheap and potentially unreliable connections. Bulk transports are recommended for xDSL or cable WAN connections.
• Quality – For a more reliable line, such as a business-quality Internet line or MPLS links.
• Fallback – For the most expensive lines. Fallback transports are recommended for dial-in lines or WWAN connections.





Traffic Intelligence (TI) Transport Selection Policies

• Transport quality is defined through the firewall. Appropriate access rules referring to these connection objects are created in order to activate the TI settings.
• Connection objects define the primary and secondary transport class, and they determine the general policy behavior if the preferred transports fail.
• Connection objects protect against "expensive" transports by explicitly excluding their usage.
• Connection objects may be handled in the context of a master-slave concept by the tunnel endpoints. The connection object may be configured to advertise its settings.

VPN Transport Class IDs VPN transport classes can be assigned one of eight different class IDs ( 0 - 7) that define the VPN transport cost in more detail. The class IDs provide you with more configuration options for creating VPN transports in a single VPN tunnel and with a single routing information (higher metrics indicate a more expensive transport). The VPN transport selection in the connection object determines the direction and either fallback or load balancing policy for the matched traffic across the VPN tunnel.

Transport Selection Policy

Each VPN transport class is made up of eight class IDs (0 - 7) that define the VPN transport cost in more detail. The class IDs provide you with more configuration options for creating VPN transports in a single VPN tunnel. A higher metric indicates a more expensive transport.
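The following Python script is an added example, not Barracuda code. It models the class-and-ID transport selection described above: each transport has a class (Bulk, Quality, Fallback) and a class ID 0-7, a connection object names a primary and a secondary class, chooses between falling back to a single transport or balancing across the class, and must explicitly permit the expensive Fallback class. The cost formula (class rank times 8 plus ID), the ConnectionObject fields and the sample tunnel are assumptions made for the example; the firewall's actual metric is not documented on this page.

```python
"""Added example, not Barracuda code: TI transport selection by class and
class ID. The cost formula, ConnectionObject and TUNNEL are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class TransportClass(IntEnum):
    BULK = 0
    QUALITY = 1
    FALLBACK = 2


@dataclass(frozen=True)
class Transport:
    name: str
    cls: TransportClass
    class_id: int   # 0..7
    up: bool

    def cost(self) -> int:
        """Assumed metric: any transport of a cheaper class beats any transport
        of a more expensive class; the ID orders transports within a class."""
        if not 0 <= self.class_id <= 7:
            raise ValueError("class ID must be 0-7")
        return int(self.cls) * 8 + self.class_id


@dataclass(frozen=True)
class ConnectionObject:
    primary: TransportClass
    secondary: TransportClass
    balance: bool = False               # False: one transport; True: spread over the class
    allow_fallback_class: bool = False  # the expensive class must be permitted explicitly


def select(transports, conn: ConnectionObject):
    """Return the transports the matched traffic may use, cheapest first.
    An empty list means nothing usable: the traffic cannot use the tunnel."""
    usable = [t for t in transports
              if t.up and (conn.allow_fallback_class or t.cls is not TransportClass.FALLBACK)]
    for cls in (conn.primary, conn.secondary):
        pool = sorted((t for t in usable if t.cls is cls), key=Transport.cost)
        if pool:
            return pool if conn.balance else pool[:1]
    return []


def names(ts):
    return [t.name for t in ts]


def with_down(transports, *down):
    """Copy of the transport list with the named transports marked down."""
    return [Transport(t.name, t.cls, t.class_id, up=t.up and t.name not in down) for t in transports]


# Constructed tunnel: two Quality transports (MPLS), one Bulk (DSL), one Fallback (LTE).
TUNNEL = [
    Transport("mpls-a", TransportClass.QUALITY, 0, up=True),
    Transport("mpls-b", TransportClass.QUALITY, 1, up=True),
    Transport("dsl", TransportClass.BULK, 0, up=True),
    Transport("lte", TransportClass.FALLBACK, 0, up=True),
]
# Voice: Quality first, Bulk if MPLS fails, never LTE.
VOICE = ConnectionObject(TransportClass.QUALITY, TransportClass.BULK)
# Backup: balance over Bulk, spill onto Quality only when DSL is down.
BACKUP = ConnectionObject(TransportClass.BULK, TransportClass.QUALITY, balance=True)

if __name__ == "__main__":
    print("voice:", names(select(TUNNEL, VOICE)))
    print("voice, MPLS down:", names(select(with_down(TUNNEL, "mpls-a", "mpls-b"), VOICE)))
    print("backup:", names(select(TUNNEL, BACKUP)))
```

The empty-list result is the security-relevant case: with the Fallback class excluded, losing every Quality and Bulk transport leaves voice traffic with nothing, which is the intended protection against silently running production traffic over the expensive line.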

TI Learning Policy

The TI learning policy defines one firewall as the master and the other as the slave. This is needed in case the TI settings in the access rules matching the VPN traffic differ between the local and the remote firewall. The master synchronizes its TI settings to the TI slave, replacing the TI configuration on the slave. The TI learning policy saves configuration effort: you only configure the TI settings on the TI master, and as long as the other firewall is configured as the TI slave for this connection, the TI settings are synced automatically.

8.1 Dynamic Transport Selection for Traffic Intelligence

SD-WAN features for Traffic Intelligence combine a multi-transport VPN tunnel with the following advanced VPN routing, balancing, and shaping features:
• Dynamic Bandwidth and Latency Detection
• Performance-Based Transport Selection
• Adaptive Bandwidth Protection
• Adaptive Session Balancing
• Traffic Duplication









Dynamic Bandwidth and Latency Detection

For UDP transports, the firewall can determine the actual bandwidth available for a VPN transport through monitoring, active probing, and passive probing. The goal of the link-quality probing is to find the settings that offer the best possible combination of latency and bandwidth with the fewest dropped packets.


Performance-Based Transport Selection

Performance-Based Transport Selection selects the optimal transport based on the policy selected in the TI settings of the custom connection object. Only UDP transports with Dynamic Bandwidth and Latency Detection enabled are included in the Performance-Based Transport Selection policy. The following policies are available:
• Optimize for Latency
• Optimize for Inbound Bandwidth
• Optimize for Outbound Bandwidth
• Optimize for Combined Bandwidth

Adaptive Bandwidth Protection

Adaptive Bandwidth Protection ensures that traffic in the NoDelay (VoIP) QoS band is always prioritized over standard traffic. The firewall uses the link-quality metrics gathered by Dynamic Bandwidth and Latency Detection to adjust traffic shaping so that the available bandwidth is always fully utilized. It is recommended to combine adaptive shaping on the VPN transport with consolidated shaping, shaping the VPN traffic in a two-step process:
• Adaptive Shaping on the VPN Transport – Shapes on the transport, with a focus on site-to-site traffic in one VPN tunnel. For example: backup and voice traffic on the same VPN transport.
• Consolidated Shaping – Shapes the VPN traffic as a whole. Consolidated shaping is best used to control simultaneous traffic from many sites. This protects NoDelay traffic on one VPN tunnel from being crowded out by standard traffic on another.



Adaptive Session Balancing

Adaptive Session Balancing uses the link-quality metrics collected by Dynamic Bandwidth and Latency Detection both for the initial balancing and to rebalance sessions with a lifetime over 5 seconds. When selecting the transport, the firewall also takes asymmetric links into account, selecting the transport that offers the best upstream or downstream performance based on the selected balancing policy. Sessions shorter than 5 seconds stay on the initial transport and are not rebalanced. Rebalancing happens continuously in order to always select the optimal transport.


When combined with Adaptive Bandwidth and Latency Detection, transport selection for standard traffic takes existing NoDelay traffic on the transport into account to ensure that standard traffic is not assigned a transport that is already filled up with NoDelay traffic.
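The following Python script is an added example, not Barracuda code. It implements the two behaviours of the previous paragraphs together: performance-based selection among UDP transports that have bandwidth and latency detection enabled, scored according to the Optimize-for policy, and adaptive session balancing that only moves sessions once they are older than 5 seconds. The free-bandwidth figures stand in for capacity already reduced by NoDelay traffic. The Metrics, Policy and Session names and all numbers are constructed for the example.

```python
"""Added example, not Barracuda code: performance-based transport selection
and adaptive session balancing. Metrics/Policy/Session and the SAMPLE
numbers are assumptions made for this example."""
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    LATENCY = "latency"
    INBOUND = "inbound"
    OUTBOUND = "outbound"
    COMBINED = "combined"


@dataclass
class Metrics:
    name: str
    protocol: str          # only "udp" transports take part
    detection: bool        # Dynamic Bandwidth and Latency Detection enabled
    latency_ms: float
    free_in_kbps: float    # downstream bandwidth still free (after NoDelay traffic)
    free_out_kbps: float   # upstream bandwidth still free
    up: bool = True


def eligible(ms):
    """Only UDP transports with detection enabled are candidates."""
    return [m for m in ms if m.up and m.protocol == "udp" and m.detection]


def score(m: Metrics, policy: Policy) -> float:
    """Higher is better; asymmetric links are handled by scoring one direction."""
    if policy is Policy.LATENCY:
        return -m.latency_ms
    if policy is Policy.INBOUND:
        return m.free_in_kbps
    if policy is Policy.OUTBOUND:
        return m.free_out_kbps
    return m.free_in_kbps + m.free_out_kbps


def best_transport(ms, policy: Policy):
    cands = eligible(ms)
    if not cands:
        return None
    return max(cands, key=lambda m: score(m, policy)).name


@dataclass
class Session:
    sid: str
    started_at: float
    transport: str


MIN_AGE_S = 5.0  # sessions younger than this stay on their initial transport


def rebalance(sessions, ms, policy: Policy, now: float):
    """Move sessions older than MIN_AGE_S to the currently best transport.
    Returns the ids of the sessions that were moved."""
    target = best_transport(ms, policy)
    moved = []
    for s in sessions:
        if target and now - s.started_at > MIN_AGE_S and s.transport != target:
            s.transport = target
            moved.append(s.sid)
    return moved


# Constructed metrics: MPLS has low latency but little free downstream
# bandwidth (voice already on it); DSL is slower but nearly empty; the TCP
# transport is never a candidate.
SAMPLE = [
    Metrics("mpls", "udp", True, latency_ms=12, free_in_kbps=2000, free_out_kbps=2000),
    Metrics("dsl", "udp", True, latency_ms=35, free_in_kbps=40000, free_out_kbps=5000),
    Metrics("tcp-proxy", "tcp", False, latency_ms=50, free_in_kbps=90000, free_out_kbps=90000),
]

if __name__ == "__main__":
    for p in Policy:
        print(p.value, "->", best_transport(SAMPLE, p))
    sessions = [Session("old-download", 0.0, "mpls"), Session("new-download", 8.0, "mpls")]
    print("moved:", rebalance(sessions, SAMPLE, Policy.INBOUND, now=10.0))
```

Note that the 5-second guard is what keeps short flows stable: only the long-running download is moved off the MPLS line, while the flow that started two seconds ago stays where it was placed.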

Traffic Duplication

Traffic Duplication copies packets and sends them simultaneously through the selected primary and secondary transports. Both traffic streams are combined again at the other end of the VPN tunnel. Use Traffic Duplication for applications that require instant failover without a single dropped packet if a VPN transport goes down. Since the traffic is duplicated, both transports must have the same bandwidth and latency.


9 Introduction to Remote Access

9.1 Remote Access

VPN offers a secure, efficient, and economical way to connect physically separate networks and to let users access corporate network resources from a remote location. The Barracuda CloudGen Firewall provides remote access via:
• Client-to-site VPN – Layer 3 access to the corporate network for remote users. A VPN client is required.
• SSL VPN – Lets remote users access corporate resources through CudaLaunch or a secure web interface without having to configure a VPN client.



Client-to-Site VPN

VPN client-to-site connections are used to connect an individual device, such as a laptop or mobile phone, to the company network. The VPN client running on the device connects to the VPN service on the firewall. The VPN service on the CloudGen Firewall supports the following client-to-site VPN protocols:
• TINA
• IPsec IKEv1
• IPsec IKEv2
• L2TP/IPsec
• PPTP

PPTP is cryptographically broken (its MS-CHAPv2 authentication can be cracked offline) and should only be enabled for legacy clients that cannot use any of the other protocols.









SSL VPN

The Barracuda CloudGen Firewall SSL VPN is ideal for giving remote users secure access to their organization's network and files from virtually any device. With its web portal, the SSL VPN service provides seamless integration without having to install a client app. The CudaLaunch app for iOS, Android, Windows, and macOS works with the SSL VPN service to provide a richer level of remote access. The number of simultaneous SSL VPN users is limited only by the hardware limits of the firewall. The Advanced Remote Access subscription is available for the CloudGen Firewall F18 and larger, as well as for all Vx models.


9.2 Remote Access Clients

Depending on the type of VPN and the resources, you must use a remote access client that is compatible with the VPN and the platform you are connecting from. In addition, the remote access client must also offer access to the resources you want to use. For SSL VPN, this is either CudaLaunch or a browser, depending on the resource. For full client-to-site VPN connections, this is the Barracuda VPN or Network Access Client, a native VPN client integrated in the operating system, or CudaLaunch.

Browser-Based Access Web-based resources or apps that do not require SSL tunnels can be accessed via the browser through the SSL VPN service on the firewall. This entry-level access is good for infrequently used internal resources.

CudaLaunch CudaLaunch is a fully managed client for all SSL VPN features. VPN connections are fully integrated. On iOS, CudaLaunch manages the native IPsec client, including updating the configuration in case the VPN settings are changed on the firewall. On Android, CudaLaunch includes a full TINA VPN client; configuration changes are also pushed directly to the client, without interaction from the admin. For Windows devices, the VPN connection can be started and stopped directly in the app, but the VPN client must be installed. On macOS, the VPN connection for the Barracuda VPN Client can be downloaded directly from CudaLaunch, but configuration changes of the VPN configuration are not synced. Logging in via CudaLaunch

 To log in, you must have the following followi ng information:   Hostname or IP address – The IP address or FQDN resolving to the public IP address the SSL VPN service is listening on.   Username /  / Password  •



104

 

SSL VPN Apps and Tunnels in CudaLaunch

The Apps tab contains all the SSL VPN apps. Tap the icon to launch a resource. For native apps, CudaLaunch automatically establishes a tunnel in the background.

Dynamic Firewall Rules in CudaLaunch

Dynamic firewall rules can be enabled and disabled via CudaLaunch. Session matching rules that are enabled with a time limit are terminated when the set time limit expires.

Settings Attributes in CudaLaunch

The user is prompted to fill in user attributes on the first launch of an SSL VPN app. Attributes can also be changed in the settings menu.

VPN Client Integration

The VPN Connections tab contains the VPN group policies configured by the admin for CudaLaunch. The Barracuda Network Access or VPN Client must be installed on the client to be able to start the VPN connection in CudaLaunch. To connect to the client-to-site VPN, click on the VPN Group policy.

VPN Apps

VPN Apps establish a secure client-to-site VPN connection to access the remote service behind the firewall. This feature is available on Windows, iOS, and Android. Windows clients are also required to install the Barracuda Network Access or VPN Client. To launch the VPN connection from the Apps screen, click the icon associated with it. The connection is launched using the default browser of the operating system, and the user can access internal resources.

Barracuda VPN Clients

For client-to-site VPN connections, the VPN client is chosen to match the VPN protocol configured in the VPN service. For VPN connections using the TINA protocol, you must use the Barracuda VPN or Network Access Client.

Barracuda Network Access Client for Windows

The Network Access Client consists of client software components and server-side components that the client software periodically communicates with to have the health state of its underlying operating system verified and its network access rights assessed. CloudGen Firewalls can interpret that information and subsequently allow or deny network access attempts by the respective client. The Barracuda Network Access Client consists of the following applications:

• Barracuda Personal Firewall – A lighter version of the CloudGen Firewall designed for client usage that, depending on the client license used, can accept rulesets sent from the CloudGen Firewall.
• Barracuda Access Monitor – Software that interacts with the Access Control server, collects system information from client workstations for health evaluation, and takes security measures such as executing antivirus updates and starting scans.
• Barracuda VPN Client – Integrated VPN client that lets you create VPN profiles and establish connections. The VPN Client license is included with every appliance. On hardware appliances, it allows for unlimited users, whereas on virtual appliances it is limited to the virtual appliance's capacity.





Barracuda VPN Client for Windows, macOS, Linux, and FreeBSD

The VPN Client allows you to set up client-to-site VPNs using TINA, the Barracuda Networks proprietary VPN protocol. The Barracuda VPN client establishes a secure connection to the VPN service on the CloudGen Firewall. For Windows and macOS version 10.5 or higher, the client features a graphical user interface. The command-line client is supported for Linux, FreeBSD, and macOS version 10.4 or lower.

Native IPsec Clients

For IPsec VPN using IKEv1 or the IKEv2 protocol, every standard-compliant VPN client should work. Depending on the platform, you might need to adjust the client-to-site configuration to match the requirements of the client.

Native PPTP or L2TP/IPsec Clients

You can use any standard-compliant PPTP or L2TP/IPsec VPN client to connect.

10  Logging, Reporting, Statistics

10.1  Logging

Services on the box and virtual server layer of the firewall generate log events. All log files are stored in plain text in the system's /var/phion/logs directory and can be viewed and filtered in the LOGS tab in Firewall Admin. To limit the size of a single log file, the Barracuda CloudGen Firewall creates a new log file for each service every four hours. By default, verbose logging is enabled to aid troubleshooting during deployment. Logs can be stored locally and/or streamed to a log collector or Control Center.

Firewall Admin Log Viewer

Go to LOGS. The Log Viewer displays all log files as nodes in a tree, similar to how configuration options are displayed in the Configuration Tree. Click on the small document symbol in any category within the log file tree to inspect the collected information.

In the navigation section at the top of the Log Viewer, you can specify a time and date to view logs that were created within a set time interval.

To display only a specific entry type, click Set Filter at the top right of the window. Select the desired log file type from the Entry Type list, specify the filtering criteria, and click OK to apply the filter.

For a real-time update view of a log file, make sure that Live Mode is set to On.

Log File Types

Log files on the firewall are grouped into the following types:

• Box – Log files for the box layer services.
• Boxfw – Log files for the host firewall.
• Fatal – Log file that contains entries from all fatal log files.
• Misc – Log files that are not allocated to the box layer or virtual server layer.
• Server – Log files created by services running on a virtual server.
• User – User-defined log file names.

The log configuration is split into two parts:

• Log Cycling – On this page, you configure the log file cycling settings.
• Log Configuration – On this page, you specify whether or not the log is saved to disk or streamed to an external log host.

By default, the CloudGen Firewall generates log entries for each configured service. Log files are saved in the /phion0 file system partition and stored between seven and fourteen days, depending on the log file type. To limit log file sizes, a new log file is created every four hours. The old log file is handled according to the log file cycling policy.



Log Cycling

To configure the length of time that log files are saved, go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Log Cycling. In the File Specific Settings window, you can add or edit entries in the Actions table to configure the following log maintenance policies:

• Remove – Lets you specify how long a log file is stored before it is deleted, as long as at least the number of log files defined by the Always Keep parameter remains on the firewall.
• Purge – Lets you specify how long a log file is stored before it is deleted, without the option of keeping a number of log files beyond the specified time length.
• Move – Lets you specify how long a log file is stored before it must be moved to a specified directory.
• Move to external storage – Log files are moved to a previously prepared USB storage device directly connected to the firewall. External Log File Storage must be enabled.

Storage Dir

The CloudGen Firewall does not monitor the contents of the directory specified in the Storage Dir field, so you must monitor it manually to prevent it from running out of storage space.
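To make the difference between the Remove, Purge, and Move policies concrete, the following is an added Python simulation (not Barracuda code) that applies each policy to a constructed list of log files and their ages; the file names, ages, and the target directory are constructed placeholders.

```python
"""Added example (not Barracuda code): apply the Log Cycling policies
Remove, Purge and Move to a constructed list of log files."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogFile:
    name: str        # constructed file name
    age_days: float  # days since the file was created (a new file every 4 h)


def plan_cycling(files: List[LogFile], action: str, after_days: float,
                 always_keep: int = 0,
                 target_dir: Optional[str] = None) -> Dict[str, str]:
    """Return {file name: "keep" | "delete" | "move:<dir>"} for one log type.

    action "remove": delete files older than after_days, but the newest
                     `always_keep` files always stay on the firewall
    action "purge":  delete files older than after_days, nothing is kept back
    action "move":   move files older than after_days to target_dir
    """
    if action not in ("remove", "purge", "move"):
        raise ValueError(f"unknown cycling action {action!r}")
    if action == "move" and not target_dir:
        raise ValueError("move requires a target directory")

    # Newest first, so the Always Keep protection covers the most recent
    # files regardless of whether they have already expired.
    newest_first = sorted(files, key=lambda f: f.age_days)
    protected = set()
    if action == "remove":
        protected = {f.name for f in newest_first[:always_keep]}

    plan: Dict[str, str] = {}
    for f in newest_first:
        expired = f.age_days > after_days
        if not expired or f.name in protected:
            plan[f.name] = "keep"
        elif action == "move":
            plan[f.name] = f"move:{target_dir}"
        else:
            plan[f.name] = "delete"
    return plan


def sample_files(total_days: int) -> List[LogFile]:
    """Constructed sample: one log file every four hours for total_days days."""
    files = []
    for i in range(total_days * 6):
        age = i / 6.0  # six files per day; the newest file has age 0
        files.append(LogFile(f"srv_fw_{i:04d}.log", age))
    return files


if __name__ == "__main__":
    files = sample_files(14)
    for action, kwargs in (("remove", {"always_keep": 60}),
                           ("purge", {}),
                           ("move", {"target_dir": "/mnt/cyclelogs"})):  # placeholder
        plan = plan_cycling(files, action, after_days=7, **kwargs)
        summary: Dict[str, int] = {}
        for verdict in plan.values():
            summary[verdict] = summary.get(verdict, 0) + 1
        print(f"{action:6s} after 7 days: {summary}")
```

With 14 days of four-hourly files, Remove with Always Keep 60 deletes only the 24 oldest files, while Purge deletes all 41 files older than seven days.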

Stream to Syslog Server or Control Center

To save disk space, and to centrally collect all logs, you can configure syslog streaming. This forwards all log messages to an external syslog file collector. The Control Center can also act as a syslog server for the managed firewalls.

Log Streaming to AWS CloudWatch and Azure OMS

Logs can also be streamed directly to AWS CloudWatch or Azure OMS. For Azure OMS, the firewall must be deployed in Azure; for AWS CloudWatch, Cloud Integration must be configured. To stream the selected log files, configure syslog streaming to use either AWS CloudWatch or Azure OMS as the target. Once they are stored in the cloud, the logs can be retained, analyzed, or processed.

Web Log Streaming

Web log streaming allows you to send a syslog stream to an external device, such as the Barracuda Web Security Gateway, for visualization and reporting purposes. Web logs can only be streamed, not stored locally, because every HTTP and HTTPS request is logged and may result in a high volume of logs. Although TCP and TCP/TLS are supported as streaming protocols, UDP is recommended for performance reasons. Depending on the target device, it is possible to customize the log format to match the target device using templates. The default settings for Web Log streaming are configured to work with the Barracuda Web Security Gateway. Streaming web logs over a VPN tunnel using WAN optimization is not supported.

Splunk Integration

Splunk is a third-party platform for operational intelligence that allows you to monitor websites, application servers, and networks. The Barracuda CloudGen Firewall app shows information on matched access rules, detected applications, and applied URL filter policies on various fixed and real-time timelines. Data is imported into Splunk via syslog streaming of the Firewall activity log.

External USB Log File Storage

To increase the disk space for log files on your hardware firewalls, you can attach external USB storage devices. All USB 2.0-compatible storage devices can be used. The USB storage device must be prepared by running the prepare_cudastorage script. During initialization, the USB device is wiped, and the device label is changed. Only prepared USB storage devices can be used. If multiple prepared USB storage devices are connected, the first device in the list is mounted and used. If you are using a very large external disk, you may run into the Console Max Idle timeout while the disk is formatted. Go to Infrastructure Services > Control and, in the Administrative Sessions section, set the timeout value to 0 while running the script.

10.2  Events

The Barracuda Firewall Admin EVENTS page lets you monitor and manage events generated by the Barracuda Firewall Control Center and CloudGen Firewalls. To access the EVENTS page, click the EVENTS tab in the ribbon bar. For information on how to configure eventing, see Events.

The events table displays event information in the following columns:

• Severity – The event type.
• Category – The event category.
• Flags – The event status.
• Event – The name of the event.
• Event Time – The date and time the event was generated.
• Desc – The event description.
• Count – The number of times the event occurred.
• From Box – (CC only) The name of the system that created the event.
• Layer – The layer that the event occurs on.
• Class – The class that the event belongs to.

On the Events page, the importance and type of each event is indicated by its icon. The event types are:

• Information
• Notice
• Warning
• Error
• Security

The Flags column shows the event status, indicated by one of the following icons:

• New and unread event.
• Confirmed event.
• Event that must be confirmed.
• Event with alarm.

For more information, see How to Configure Basic, Severity, and Notification Settings for Events.

Managing Events

To manage the list of events that are displayed, you can refresh the list automatically or manually, delete events, and specify which content is shown on the list. To delete an event, right-click it and select Delete Event. To verify that an event has been properly deleted, refresh the event list. Select an event and use the quick access bar at the top of the page to perform the following actions:

• Confirm – Confirm the selected event.
• Reset Alarm – Reset the alarm for the selected event.
• Delete – Delete the selected event.
• Refresh – Refresh the list of events manually.

Notification messages are only enabled in Live Mode view. This mode displays the current event system status and enables pop-up windows and sound. To manually refresh the list of events, click Refresh. To automatically refresh the list of events in Live mode, click No Auto Refresh and then click Live.

Acknowledging Events and Alarms

Some events, such as error events, require confirmation. You can also determine if an event needs acknowledgment by double-clicking it to view its properties. If an event has an alarm, you can also either reset or disable the alarm. If an event must be confirmed and is in alarm condition, deleting the alarm will also delete the request for confirmation. If an alarm is stopped, any configured repeating server actions are also stopped.

• To acknowledge an event that requires confirmation, right-click the event and select Confirm as Read. Acknowledging the event also terminates any alarms (such as a sound playing or an email notification) that have been set for it.
• To acknowledge an event and remove a warning icon from it, select Reset Alarm and Confirm as Read.
• To temporarily disable the event alarm, select Temporary Disable and enter the time span for disabling the alarm. The event is then displayed with a 'Mute' icon.

Filter Options

To filter the list of events that are displayed, click the fields on top of the columns. Select a filter and/or enter values for a filter setting. The entries will be displayed according to the selected criteria.

To reset the view, click Clear Filter on the top right of the page.

Viewing Event Properties

To view detailed information for an event, you can either double-click it or right-click it and select View Event. In the Event Properties window, you can view the system, layer, class, and type for the event, as well as its event ID:

• Box – The IP address of the system that created the event.
• Layer – There are three layers: 1 – Boot layer, 2 – Box layer, 3 – Server/Service layer.
• Class – There are three classes: 1 – Operative, 2 – Resources, 3 – Security.
• Type – The event ID.

In the lower section of the Event Properties window, you can view the dates and times of when the event was confirmed, acknowledged, or had its alarm disabled. You can also view information about the administrator who confirmed the event:

• By Admin – The administrator who confirmed the event. If the event is unconfirmed, this field is empty.
• By Peer – The IP address of the workstation of the administrator who confirmed the event. If the event is unconfirmed, this field is empty.
• Date – The date and time of when the event was read or confirmed. If the event is unconfirmed, this field is empty.
• Insert – The date and time of when the event was generated.
• Box – Internal system information related to the insert time (please ignore this value).
• Update – The date and time of any status changes for the event, such as when it was acknowledged or marked as read.
• Alarm – The date and time of when the alarm was sent.
• Temp. disabled – The date and time of when the alarm was disabled temporarily.

10.3  Statistics

By default, the CloudGen Firewall generates statistics entries for most of the configured services. Statistics files are stored in the /phion0 file system partition. Statistics are not associated with log files. Statistics are stored within databases on the CloudGen Firewall. The CloudGen Firewall generates two different types of statistics:

• Top Statistics – Connection data.
• Time Statistics – Time data.

Click the Statistics tab to view the statistics for a service or module. From the Statistics module list, select a specific statistics file. Statistics files are displayed as nodes in a tree, similar to how configuration options are displayed in the Configuration Tree. After selecting a statistics file, click Show in the upper left of the page. The statistics for the selected module display in a chart below the list.

To view specific statistics summaries, you can apply the following filters:

• Min
• Max
• Average
• Specific Time Intervals

General Statistics Settings

To configure how statistics are recorded and maintained, go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Statistics. On this page, you can edit the following settings:

Corrupted Data Action

The action that should be performed by the CloudGen Firewall if the statistics database is corrupted. You can select one of the following actions:

• Delete – Deletes the corrupted statistics databases.
• Archive – Moves the corrupted statistics databases to the lost and found directory. Be aware that these databases will not be automatically deleted by the CloudGen Firewall.

Disc Write

Specifies the data to be recorded. You can select one of the following settings:

• On – Records all data from the box layer and virtual server layer.
• Off – Does not record any data.
• Box_only – Records only data from the box layer.
• Server_only – Records only data from the virtual server layer.

Skip Null Stats

Select yes from this list if null data should not be recorded. To record null data, select no.

Query Process Priority

Specifies the priority given to statistics queries when the CPU might be overloaded. Enter a value from 0 (highest priority) to 19 (lowest priority).

Configuring Statistics Cooking

In the left menu of the Statistics page, expand Configuration and click Statistics Cooking. On this page, you can configure the granularity of the statistics data. By default, statistics data is deleted after 30 or 60 days. To configure the settings for specific statistics data, double-click a service or module entry in the Cook Settings table to open the Cook Settings window. In this window, you can configure the following time or top statistics settings:

Time Statistics

In the Type: Time section, specify the maximum number of days to apply the following settings for time statistics:

• Resolution 1h after (Days) – Time statistics start being recorded in a granularity of 10 seconds. In this field, specify after how many days the granularity will be reduced from 10 seconds to 1 hour.
• Resolution 1d after (Days) – Specifies after how many days the granularity will be decreased to 1 day, after it has been reduced to 1 hour.
• Delete Data after (Days) – Specifies after how many days statistics data will be deleted.

Top Statistics

In the Type: Top section, you can configure the following settings:

• Condense after (Days) – Top statistics start being recorded in a granularity of 1 day. In this field, specify after how many days the granularity will be reduced.
• Delete Data after (Days) – Specifies after how many days the data should be deleted.
• Resolution – From this list, select whether the granularity is reduced to a week or a month.
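The time statistics cooking schedule above (10-second samples, 1-hour buckets after N days, 1-day buckets after M days, deletion after K days) can be reproduced in a few lines. The following added Python example is not Barracuda code and does not model how the firewall stores its databases; it downsamples constructed samples by age. Averaging within a bucket is an assumption, since the page does not say how the firewall condenses values.

```python
"""Added example (not Barracuda code): condense time statistics by age the
way the Cook Settings describe.  Bucket values are averaged, which is an
assumption; the page does not say how the firewall condenses them."""
from collections import defaultdict
from typing import Dict, List, Tuple

DAY = 86_400
Sample = Tuple[int, float]  # (unix timestamp, value)


def bucket_width(age_days: float, res_1h_after: int, res_1d_after: int,
                 delete_after: int) -> int:
    """Seconds per bucket for a sample of this age; 0 means delete it."""
    if not (res_1h_after <= res_1d_after <= delete_after):
        raise ValueError("thresholds must be ordered 1h <= 1d <= delete")
    if age_days >= delete_after:
        return 0
    if age_days >= res_1d_after:
        return DAY
    if age_days >= res_1h_after:
        return 3600
    return 10  # native 10-second resolution


def cook(samples: List[Sample], now: int, res_1h_after: int,
         res_1d_after: int, delete_after: int) -> List[Sample]:
    """Return condensed (bucket start, average value) pairs, oldest first."""
    # Key on (width, start) so a 10 s bucket and a 1 h bucket that happen to
    # share a start timestamp are never merged.
    buckets: Dict[Tuple[int, int], List[float]] = defaultdict(list)
    for ts, value in samples:
        width = bucket_width((now - ts) / DAY, res_1h_after, res_1d_after,
                             delete_after)
        if width == 0:
            continue  # older than "Delete Data after"
        buckets[(width, ts - ts % width)].append(value)
    ordered = sorted(buckets.items(), key=lambda kv: kv[0][1])
    return [(start, sum(v) / len(v)) for (_, start), v in ordered]


def sample_series(now: int, age_days: float, count: int, step: int,
                  values: List[float]) -> List[Sample]:
    """Constructed samples starting age_days ago, one every `step` seconds."""
    start = now - int(age_days * DAY)
    return [(start + i * step, values[i % len(values)]) for i in range(count)]


if __name__ == "__main__":
    NOW = 100 * DAY  # constructed "current time"
    series = (sample_series(NOW, 0.001, 6, 10, [7.0])            # fresh: stays at 10 s
              + sample_series(NOW, 10, 6, 10, [1, 2, 3, 4, 5, 6])  # 10 days: one 1 h bucket
              + sample_series(NOW, 25, 2, 3600, [10.0, 20.0])     # 25 days: one 1 d bucket
              + sample_series(NOW, 40, 1, 10, [99.0]))            # 40 days: deleted
    for start, avg in cook(series, NOW, res_1h_after=7, res_1d_after=21,
                           delete_after=30):
        print(start, round(avg, 2))
```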





10.4  Report Creator

The Barracuda Report Creator creates customized reports using statistics and logs collected on Barracuda CloudGen Firewalls. Each report can be configured to use multiple appliances, custom or predefined report data templates, and a customizable layout and delivery method. Custom reports can be configured to include the following information:

• User Reports – Includes information on traffic caused by individual users, IP addresses, or Active Directory user groups.
• Address Activity Reports – Includes information on accessed URL categories per source IP address.
• URL Category Reports – Includes information on which URLs were accessed in this specific URL category per source IP address.
• Application Category Reports – Includes information on detected application categories.
• Applications Reports – Includes information on detected applications in a specific application category per source IP address.
• VPN Usage Reports – Includes information on TINA site-to-site and client-to-site VPN connections.
• Security Reports – Includes IPS, Virus Scanner, ATP, and Botnet and Spyware Threat reports.

Limitations

• Microsoft .NET Framework 4.0 Client Profile is not contained in the installation archive for the Report Creator.
• Application Control data displayed in the Report Creator might not include the entire data set for the specified time period because old data may be deleted on the CloudGen Firewall if the disc space gets too low. Due to this limitation, the Report Creator is not suitable for comprehensive auditing purposes.

Installation and Requirements

| Operating System | Additional Requirement |
| --- | --- |
| Microsoft Windows Vista, or higher | Microsoft .NET Framework 4.0 Client Profile |

Download

Download the Barracuda Report Creator from the Barracuda Download Portal: https://dlportal.barracuda.com

BRS

The Barracuda Reporting Server (BRS) is a hardware appliance purpose-built for rapidly generating aggregated / dedicated reports for Cloud Generation firewalls while maintaining or improving the accuracy of reporting data. Unlike a firewall, which retains data for a maximum of 7 days, the Reporting Server caches data for up to 12 months. Creating reports is done using schedules. The BRS enables Cloud Generation firewalls to use less disk space on their internal SSDs and therefore contributes to longer SSD lifetimes. It also provides an aggregate view of data for customers with multiple connected devices.

11  System Maintenance

11.1  Back Up and Restore Your Configuration

To back up and restore configurations of the CloudGen Firewall or Control Center, a Portable Archive (PAR) file containing all configuration settings is created via Firewall Admin or the phionar command line tool. The following items are backed up in PAR files:

• Configuration data
• Licenses (Control Center only)
• CC global admin accounts (Control Center only)
• X.509 certificates from the CC PKI (Control Center only)
• Revision Control System data

The following items are NOT backed up and must be backed up separately:

• Log files
• Statistics data
• Eventing database
• Spamfilter learning database

PAR File Types

| Filetype | PAR file | Restore configuration via | Comment |
| --- | --- | --- | --- |
| PAR | uncompressed, unencrypted archive file | Firewall Admin, /opt/phion/update/, USB stick when using Barracuda Firewall Install | This is the default option. |
| PGZ | compressed, unencrypted archive file | Firewall Admin, /opt/phion/update | Can only be created via Firewall Admin. |
| PCA | encrypted archive file | Firewall Admin. If the password is set to the serial number of the appliance, you can also restore via /opt/phion/update/ or USB stick when using Firewall Install | CloudGen Firewall and Firewall Control Center version 6.0.1 or higher. |

Back Up and Restore Your CloudGen Firewall

Create a PAR or PCA file to back up and restore the configuration of a stand-alone CloudGen Firewall. PCA archives with manual passwords cannot be used to reinstall your CloudGen Firewall or Firewall Control Center via Firewall Install or to update the configuration via /opt/phion/update. Decrypt the archive manually with phionar for these operations.

Back Up and Restore Your Control Center

Two PAR files are needed to back up your Firewall Control Center: the box layer box.par and the archive.par containing the Control Center configuration including all managed firewalls. You cannot restore a managed firewall from the archive.par directly, so if you are restoring the configuration of a Control Center that has been reinstalled after a system crash, you must also restore the configurations of the managed firewalls.

Managed CloudGen Firewalls

To back up and restore the configuration of a CloudGen Firewall that is managed by the Control Center, you must create a PAR file in the Control Center and then recover the managed firewall directly.

Command Line: phionar

To create scripts that automatically back up your firewall or Control Center, use phionar. This tool can create normal, compressed, or encrypted PAR files. Encrypted archive files can be created for Firewall and Control Center version 6.0.1 or higher.

Command Line: cctool

Use cctool to back up and restore 'Control Center (CC) configurations' including FSC setups. cctool extracts CC configuration tree information from the CC database (ccdb) and writes the information into an archive PAR file. In terms of functionality, cctool does the same as when creating or restoring CC configuration using CloudGen Admin. cctool is part of every firmware release 7.2.2 and higher and can be used on both CloudGen firewalls and Control Centers. cctool is network-aware, which means you can use it not only locally but also remotely. For example, when you call cctool on a firewall with the appropriate parameters, cctool can also be executed on a remote Control Center. Additionally, this works on firewalls not managed by a Control Center. The output extracted from the database into the archive PAR file is always stored on the box where the cctool command is initiated.

11.2  Updating Firewalls and Control Centers

Updates, patches, and hotfixes are published in update archives. Depending on the deployment type, the update process differs.

Updating a Stand-Alone CloudGen Firewall or Control Center

There are three options to update or install hotfixes on your firewall or Control Center:

• Firewall Admin dashboard element
• Firewall Admin manual upload
• Command line

Update via Firewall Admin Dashboard Element

The Updates dashboard element automatically shows all available and compatible updates for the firmware version running on your firewall. Previously installed hotfixes are displayed in the Installed tab. Dependencies for updates or hotfixes are automatically resolved and the required installation path is displayed in the element. On managed firewalls, the update element is not available because this functionality is handled by the Control Center. By default, the update element is refreshed every 60 minutes.

Manual Update via Firewall Admin

If you are updating a firewall or Control Center that does not have access to the Barracuda download portal, you must download the update package from the Barracuda Download portal to the client running Firewall Admin. You can then upload and install the update packages manually.

Update via Command Line

In some cases, especially with models having slower hardware or flash-based storage such as the F12 and F101, it is recommended to reduce the load during the update by initiating the update via the command line.

Update a High Availability Cluster

For firewalls in a high availability cluster, you can either fail over the virtual server manually or set HA Firmware Update to Automatic Failover in the Advanced view of the Box Properties to move the virtual server to the other firewall in the cluster before starting the update. By only updating one firewall at a time, the admin can prevent downtime for users during a firmware update. Each firewall can be updated only to the next firmware version according to the migration path. If two updates are required, the process must be repeated for each update package.

Updating Managed Firewalls

The Control Center distributes and triggers the installation of all updates for its managed firewalls. If the Control Center has access to dlportal.barracudanetworks.com, all hotfixes, updates, and patches are downloaded directly to the Control Center. If SSL Inspection is used on the firewall in front of the Control Center, an exception must be added for the download portal. If the Control Center has no Internet connection, the update archives must be uploaded manually from the client running Firewall Admin. To simplify updating a large number of firewalls, the managed firewalls are placed in update groups. The admin selects the update group and has the option of selecting additional individual firewalls, the update package, and when the updates should be pushed out to the firewalls. After the update has been distributed, the admin schedules the update.

11.3  Recovery via Firewall Install

If your hardware firewall is replaced with a newer hardware revision, or needs to be re-imaged, you can reinstall the Barracuda OS and restore the configuration. The Firewall Install tool creates a bootable USB stick containing the ISO and, as an option, hotfixes and the PAR/PCA file of your firewall. If you are including a PCA file, verify that the password for the PCA file is set to the serial number of your hardware appliance. Hotfixes are installed in alphabetical order after the firmware in the post-install section. Rename the hotfix archives as necessary to satisfy dependencies. A reboot is required after hotfix installation. If you are using the USB Barracuda WWAN modem, the modem must be unplugged before the installation.

Requirements

• Empty USB flash drive of at least 2 GB.
• Barracuda Firewall Install application.
• CloudGen Firewall ISO image.
• You must install the Visual C++ Redistributable for Visual Studio 2012 on your computer to use Barracuda Firewall Install.
• (optional) PAR or PCA file.
• (optional) Hotfixes.

Download the Barracuda Firewall Install and ISO image from the Barracuda download portal: https://dlportal.barracudanetworks.com.

Manually Adding Hotfixes or Updates

To manually add hotfixes or patches to an existing recovery USB stick, create the /appliance/hotfixes directory and add the hotfix files. Hotfixes are installed alphabetically based on their file name. Rename them to ensure dependencies are met during installation.

12  High Availability High Availability ensures that the services running on the Barracuda CloudGen Firewall are always available even if one unit is unavailable due to maintenance or hardware issues. An HA cluster contains two firewalls in an active-passive configuration: •

   



Primary Unit – The primary firewall running all servers and services. Backup or DHA Unit – The secondary firewall is in standby unless the primary unit is down, in

which case it takes over the virtual server with all services.  To monitor and inform each other on their status, both unit unitss continuously exchange ex change live packets. Both units also exchange echo requests (pings) and Address Resolution Protocol (ARP) requests.  These requests are repeated every ten seconds secon ds for the box layer and virtual sserver erver layer IP addresses of both units. The backup unit becomes active and all virtual servers are transferred to the backup unit when the management IP address or the first virtual server IP of the primary unit does not respond. While the status of the inactive unit is unknown, the frequency of exchanges and requests is increased. If the primary unit responds, the frequency is decreased back to every ten seconds. If there is no response within ten seconds, the Backup unit makes an emergency server start. When the inactive unit restarts, it recognizes that the virtual servers and services are active on its partner unit, shuts down its own virtual servers, and goes into standby mode to ensure that only one unit is active. HA monitoring and status sync is done on the box layer of the CloudGen Firewall. By default, sync traffic is exchanged between the management IP addresses of both units.

Requirements and Limitations for High Availability

• Both units must use the same platform: You cannot mix virtual and physical appliances.
• Both units must be the same model. Using different revisions of the same hardware appliance is possible. If you are running an HA setup with different appliance revisions, ensure that both physical ports of the private uplink are using identical port labels. Otherwise, HA synchronization may fail.
• Latency on the HA sync connection may not exceed 80 ms.


Switch Requirements

Reliable HA depends on the correct configuration of the surrounding switches and routers. Especially important is the ARP cache time or ARP timeout, which must be set to a value between 30 and 60 seconds. When the virtual server fails over to the secondary CloudGen Firewall, the MAC addresses associated with the Virtual Server IPs also change. The MAC address is immediately sent out via gratuitous or unsolicited ARP requests, updating the MAC address table or ARP cache of the connected switches and routers. If the lifetime of the ARP timeout of the switch is set to be longer, for example 300 seconds, the secondary unit would not be reachable for up to 5 minutes because the ARP cache would not be updated for that time. Longer timeouts also increase the number of ARP requests sent out by the firewall, increasing the load on the switch.
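
When troubleshooting a failover that left the secondary unit unreachable, the first thing to verify in a packet capture taken on the switch port is that the gratuitous ARP announcements actually arrived and that the virtual server IP moved to the new MAC. The following Python snippet is an added example, not part of the Barracuda guide or its software: it parses raw Ethernet/ARP frames, flags gratuitous announcements (sender IP equals target IP) and replays a capture the way a switch's ARP cache would to report IP-to-MAC moves. The frames and addresses are constructed for the example (192.0.2.0/24 is a documentation range).

```python
"""Classify ARP frames and track IP-to-MAC moves, as seen on a switch during an
HA failover. Added example, not Barracuda code; frames below are constructed."""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(src_mac, op, sha, spa, tha, tpa, dst_mac=b"\xff" * 6):
    """Test-frame builder for the constructed capture (Ethernet II + ARP, no FCS)."""
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp(frame):
    """Return a dict describing the ARP packet, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # A gratuitous ARP announces the sender's own address: sender IP == target IP.
    gratuitous = spa == tpa and op in (ARP_REQUEST, ARP_REPLY)
    return {"op": "request" if op == ARP_REQUEST else "reply",
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_ip": ip_str(tpa), "gratuitous": gratuitous}


def ip_mac_moves(frames):
    """Replay frames like an ARP cache and report (ip, old_mac, new_mac) whenever
    an IP shows up from a different MAC; that is what a virtual server IP does
    when it fails over to the partner unit."""
    cache, moves = {}, []
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        prev = cache.get(p["sender_ip"])
        if prev is not None and prev != p["sender_mac"]:
            moves.append((p["sender_ip"], prev, p["sender_mac"]))
        cache[p["sender_ip"]] = p["sender_mac"]
    return moves


# Constructed sample capture: the primary announces the virtual server IP, a
# client asks for it, then after failover the backup announces the same IP.
MAC_PRIMARY = bytes.fromhex("020000000001")
MAC_BACKUP = bytes.fromhex("020000000002")
MAC_CLIENT = bytes.fromhex("020000000050")
VIP = bytes([192, 0, 2, 10])
CLIENT_IP = bytes([192, 0, 2, 50])
SAMPLE_FRAMES = [
    build_arp(MAC_PRIMARY, ARP_REQUEST, MAC_PRIMARY, VIP, b"\x00" * 6, VIP),
    build_arp(MAC_CLIENT, ARP_REQUEST, MAC_CLIENT, CLIENT_IP, b"\x00" * 6, VIP),
    build_arp(MAC_BACKUP, ARP_REQUEST, MAC_BACKUP, VIP, b"\x00" * 6, VIP),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_arp(f))
    print("moves:", ip_mac_moves(SAMPLE_FRAMES))
```

If the capture shows the gratuitous announcement from the backup unit but clients still cannot reach it, the switch or router is holding the old entry for its full ARP timeout, which is exactly the 30-60 second requirement above.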

HA Sync Using a Private Uplink

When configuring a high availability cluster without a private uplink, the switch both firewalls are connected to represents a single point of failure. If traffic is not forwarded by the switch, the HA sync breaks because the primary and secondary unit cannot establish a connection. To always have a reliable connection, you can configure a private uplink. For this, one network interface must be dedicated to HA purposes. It is recommended to directly connect the two firewalls and use a /30 subnet for the uplink. You can configure the control daemon to use just one or both connections for the HA sync by defining translated HA IPs that establish the relationship between the existing management IP (MIP) and the private uplink IP. Only one additional HA sync link can be used in addition to the sync link using the default management IP.


In Depth: Transparent Failover Procedure and Limitations

Use transparent failover to synchronize the forward packet sessions (inbound and outbound TCP, UDP, ICMP-Echo, and OTHER-IP-Protocols) of the Firewall server between the two HA partners. Transparent failover is enabled by default and is set per access rule.

Unsynchronized Components

The following information is not HA-synced:

Module or Component – Unsynchronized Sub-Components

Firewall:
• Generic TCP proxy sessions
• WANOPT sessions
• SSL decryption sessions
• Sessions using a box IP address
• Sessions excluded from HA synchronization via Advanced Rule Settings in the matching access rule
• RAW TCP
• Firewall History
• Firewall Monitor data
• Application/Protocol/Content information
• IPS for synced sessions
• ATP scan queue is not synced

VPN Service:
• IPSec tunnels

Access Control Service: All
Eventing: All
Logging: All
Statistics: All
Home Directories (Admins): All
SMS Messages: All

Synchronizing Procedure

Synchronization can be carried out via a dedicated private HA uplink and/or the LAN connection. Synchronization traffic is transmitted by AES-encrypted UDP packets, so-called sync packets, on port 689. The AES keys are created by using the BOX RSA keys and renewed every 60 seconds. Only a small amount of synchronization traffic is necessary for synchronizing via LAN connection. Sync traffic is kept at a minimum by synchronizing only sessions and not each packet. Due to the characteristics of the TCP protocol (SYN, SYN-ACK, …), only existing established TCP connections are synchronized. When the synchronization takes place during the TCP handshake, the handshake must be repeated.


The synchronizing procedure takes place immediately (if possible). If synchronization packets are lost, up to 70 sessions per second are synchronized. Depending on the system availability, the behavior differs:

• If the partner unit is inactive/rebooted – Sometimes it may happen that the backup unit is not available and, therefore, does not respond to the sync packets (for example, for maintenance reasons). In this case, the active unit stops synchronizing. As soon as the partner unit reappears, the active unit checks whether the other one was rebooted or has an obsolete session state and re-synchronizes all necessary sessions.
• If the active unit reboots without a takeover – The Firmware Restart button was clicked. The sessions and sockets are gone, but the unit is not rebooted physically. In this case, the partner unit recognizes that its session state is obsolete and removes all synchronized sessions.

Takeover Procedure

When the primary, active HA unit does not respond to the heartbeat (Control UDP 801), a takeover is initiated after a 10-15 second delay. This delay is necessary to account for potentially low network performance. Services are unavailable during the takeover procedure. When the primary unit stays inactive, the synchronized sessions on the second unit are activated and all connections are available again. The backup unit does not have the current TCP sequence numbers. In case of a takeover, the sequence number is not checked for correctness. As soon as the connection has traffic, the sequence number is known to the former backup unit, and the sequence number check can be performed again. The missing sequence number on the backup unit also results from the fact that TCP connections that were taken over but have since had no traffic cannot be reset in a clean way. Terminating the session via the Terminate Session button removes the connection but does not send a TCP Reset (TCP-RST) signal.
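
The heartbeat behavior spread over this chapter (ten-second exchanges, faster probing while the partner's status is unknown, emergency server start after a 10-15 second silence, and a restarting unit yielding to an active partner) is easiest to reason about as a small state machine. The following Python snippet is an added example, not Barracuda code, that models those rules on a shared clock so you can see when a takeover would fire for a given outage. The 10 s heartbeat and the 15 s takeover threshold come from the text; the 2 s probe interval used while the partner is silent is an assumption of the model, as is the one-second simulation step.

```python
"""Model of the HA heartbeat and takeover rules described in this chapter.

Added example, not Barracuda code. Timings taken from the text: 10 s heartbeat,
takeover after 10-15 s without a response (the model uses 15 s). The 2 s probe
interval while the partner is silent is an assumption of this model.
"""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 10.0   # normal cadence of heartbeat / echo / ARP exchange
FAST_PROBE_INTERVAL = 2.0   # assumed cadence while the partner's status is unknown
TAKEOVER_DELAY = 15.0       # text: 10-15 s; upper bound used here


@dataclass
class HaUnit:
    name: str
    role: str                        # "active", "standby" or "down"
    last_partner_seen: float = 0.0
    probe_interval: float = HEARTBEAT_INTERVAL
    log: list = field(default_factory=list)

    def partner_heartbeat(self, now):
        """The partner answered: fall back to the ten-second cadence."""
        self.last_partner_seen = now
        if self.probe_interval != HEARTBEAT_INTERVAL:
            self.probe_interval = HEARTBEAT_INTERVAL
            self.log.append((now, self.name, "partner responds again, probe interval back to 10 s"))

    def tick(self, now):
        """Periodic self-check of a running unit."""
        if self.role == "down":
            return
        silence = now - self.last_partner_seen
        if silence > HEARTBEAT_INTERVAL and self.probe_interval == HEARTBEAT_INTERVAL:
            self.probe_interval = FAST_PROBE_INTERVAL
            self.log.append((now, self.name, "partner silent, probing every 2 s"))
        if self.role == "standby" and silence >= TAKEOVER_DELAY:
            self.role = "active"     # emergency server start
            self.log.append((now, self.name, "no response: emergency server start (takeover)"))

    def go_down(self, now):
        self.role = "down"
        self.log.append((now, self.name, "unavailable"))

    def boot(self, now, partner_role):
        """A restarting unit that finds its partner active shuts down its own
        virtual servers and stays in standby, so only one unit is ever active."""
        self.last_partner_seen = now
        self.probe_interval = HEARTBEAT_INTERVAL
        self.role = "standby" if partner_role == "active" else "active"
        self.log.append((now, self.name, f"booted -> {self.role}"))


def simulate(primary_down_at=100.0, primary_back_at=200.0, end=260.0):
    """Both units on one clock; the primary is silent in [primary_down_at, primary_back_at).
    Returns (primary, backup, merged event log)."""
    primary = HaUnit("primary", "active")
    backup = HaUnit("backup", "standby")
    t = 0.0
    while t <= end:
        if t == primary_down_at:
            primary.go_down(t)
        if t == primary_back_at:
            primary.boot(t, backup.role)
        if primary.role != "down":
            backup.partner_heartbeat(t)   # both sides see each other's exchange
            primary.partner_heartbeat(t)
        primary.tick(t)
        backup.tick(t)
        t += 1.0                          # one-second simulation step (assumption)
    return primary, backup, sorted(primary.log + backup.log)


if __name__ == "__main__":
    p, b, events = simulate()
    for when, who, what in events:
        print(f"t={when:6.1f}s {who:8s} {what}")
    print(f"final roles: primary={p.role}, backup={b.role}")
```

With the defaults the backup starts probing faster at t=110 s (first missed ten-second exchange), takes over at t=114 s (15 s after the last answer), and the primary returns at t=200 s into standby because it finds the partner active; the model never ends with two active units, which is the invariant the chapter is describing.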

Access Rule Design for High Availability

When creating access rules, it is important to understand how Dynamic NAT connection objects work. If your HA cluster uses box layer and server layer IP addresses, Dynamic NAT will always use the box layer IP address of the interface as the source address. This is a problem because the box layer IP address does not fail over together with the virtual server to the other firewall, and the sessions using the box layer IP address time out. Use custom connection objects to ensure that the service layer IP address is used. It is possible to disable syncing sessions matching an access rule by changing the Transparent Failover active/inactive setting in the Advanced Settings of the rule.
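
The table of unsynchronized components, the note that only established TCP connections are synchronized, and the Dynamic NAT advice above together define which sessions survive a takeover. The following Python snippet is an added example, not Barracuda code, that applies those rules to a simplified, constructed model of the session table and lints a constructed ruleset for connection objects that would source traffic from a box layer IP. The record structure (Rule, Session, the connection-object strings) is an assumption made for the example; it is not how the firewall stores its state.

```python
"""Which sessions does transparent failover sync, and which access rules would
produce sessions that cannot fail over? Added example, not Barracuda code; the
data model below is a simplified, constructed stand-in for the firewall's state."""
from dataclasses import dataclass
from typing import Optional

BOX_IPS = {"10.0.0.1", "10.0.0.2"}   # constructed: box layer (management) IPs of both units
SERVICE_IPS = {"10.0.0.10"}          # constructed: virtual server IP that fails over

SYNCED_PROTOS = {"TCP", "UDP", "ICMP-Echo", "OTHER-IP"}       # forward session types
UNSYNCED_KINDS = {"tcp-proxy", "wanopt", "ssl-decrypt"}       # from the table above


@dataclass(frozen=True)
class Rule:
    name: str
    connection: str                    # "Dynamic NAT", "No NAT" or "Custom:<source ip>"
    transparent_failover: bool = True  # Advanced Settings toggle of the rule


@dataclass(frozen=True)
class Session:
    proto: str              # "TCP", "UDP", "ICMP-Echo", "OTHER-IP"
    src: str                # source address as seen after the connection object
    rule: Rule
    kind: str = "forward"   # or one of UNSYNCED_KINDS
    tcp_state: str = ""     # "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", ...


def sync_reason(s: Session) -> Optional[str]:
    """None if the session is synced to the partner, else why it is not."""
    if s.proto not in SYNCED_PROTOS:
        return "protocol is not part of the forward session table"
    if s.kind in UNSYNCED_KINDS:
        return f"{s.kind} sessions are not synced"
    if not s.rule.transparent_failover:
        return "excluded via Advanced Rule Settings of the matching rule"
    if s.src in BOX_IPS:
        return "uses a box IP address, which does not fail over"
    if s.proto == "TCP" and s.tcp_state != "ESTABLISHED":
        return "TCP handshake not complete; the handshake is repeated after takeover"
    return None


def synced_sessions(sessions):
    return [s for s in sessions if sync_reason(s) is None]


def lint_rules(rules, ha_cluster=True):
    """Findings for rules whose sessions will time out on failover."""
    findings = []
    for r in rules:
        if ha_cluster and r.connection == "Dynamic NAT":
            findings.append((r.name, "Dynamic NAT sources from the box IP; use a custom connection object with the service IP"))
        elif r.connection.startswith("Custom:") and r.connection.split(":", 1)[1] in BOX_IPS:
            findings.append((r.name, "custom connection object bound to a box IP"))
    return findings


# Constructed sample ruleset and session table.
RULE_WEB = Rule("LAN-2-INTERNET", "Custom:10.0.0.10")
RULE_NAT = Rule("GUEST-2-INTERNET", "Dynamic NAT")
RULE_NOSYNC = Rule("BACKUP-JOBS", "Custom:10.0.0.10", transparent_failover=False)
SAMPLE_SESSIONS = [
    Session("TCP", "10.0.0.10", RULE_WEB, tcp_state="ESTABLISHED"),
    Session("TCP", "10.0.0.10", RULE_WEB, tcp_state="SYN_SENT"),
    Session("UDP", "10.0.0.10", RULE_WEB),
    Session("TCP", "10.0.0.1", RULE_NAT, tcp_state="ESTABLISHED"),       # Dynamic NAT -> box IP
    Session("TCP", "10.0.0.10", RULE_NOSYNC, tcp_state="ESTABLISHED"),
    Session("TCP", "10.0.0.10", RULE_WEB, kind="ssl-decrypt", tcp_state="ESTABLISHED"),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.proto, s.src, s.rule.name, "->", sync_reason(s) or "synced")
    print(lint_rules([RULE_WEB, RULE_NAT, RULE_NOSYNC]))
```

Of the six constructed sessions only two survive a takeover; the lint flags the Dynamic NAT rule as the one to convert to a custom connection object before the cluster goes into production.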

12.1  Stand-Alone High Availability Cluster

The functionality of stand-alone and managed high availability clusters is the same. However, the configuration differs. For a stand-alone HA cluster, the primary firewall downloads the licenses for both firewalls, and when the secondary firewall is joined to the HA cluster, the license for the secondary firewall is transferred over. The licenses are bound to the MAC addresses of the primary and secondary firewall. The primary firewall is also the configuration master for all configurations, except the Network and Box Properties page. All configurations and session information are synced from the primary firewall to the secondary firewall.


12.2  Managed High Availability Cluster

To be able to configure a high availability cluster between two managed firewalls, both must be in the same cluster on the Control Center. Managed high availability clusters only share the same virtual server configuration; the box level of both firewalls is configured individually. Use cluster level repositories to share the box level configurations between both units. The two firewalls receive their configurations directly from the Control Center; the HA session sync is carried out directly between the two firewalls.

12.3  High Availability Cluster Status and Manual Failover

High Availability Cluster Status

To check the status of the high availability cluster and whether the primary or secondary firewall is currently active, go to CONTROL > Server. In the default state, the Status of the primary firewall is primary and the status of the secondary firewall is standby.

Primary Firewall

Secondary Firewall


Manual Failover

If virtual servers and services must be shut down (for example, for system maintenance), you can do a manual failover to transfer all virtual servers to the secondary (backup) unit. Block the virtual server on the primary unit to shut down the control service. The control service will send a signal to the secondary unit that tells it to start its virtual server. Then, stop the virtual server on the primary unit to enable the control service to restart it automatically if the secondary unit goes down. This mechanism works identically for an HA pair that is managed by a Barracuda Firewall Control Center and a stand-alone HA pair.

Primary Firewall is Back Up: Failover to the Primary Firewall

When the primary firewall is available again, click Stop Server to unblock the server. The primary firewall is now ready to take over in case the secondary firewall fails, but the virtual server continues to run on the secondary firewall until a manual failover from the secondary to the primary firewall is performed.


13  IPv6

13.1  Overview of IPv6

IPv6 is the successor to IPv4 and is designed to address the looming problem of IPv4 address exhaustion. IPv6 is designed to be implemented in a dual stack model alongside IPv4 to allow for a transition phase until IPv6-only networks become reality. In addition to the larger address space, IPv6 also has multiple other benefits, such as more efficient routing and packet processing and simplified network configuration through IPv6 autoconfiguration. By default, only traffic from IPv4 networks is accepted by the firewall. When IPv6 is enabled, IPv6 addresses can be used only via Firewall Admin, not via command-line tools.

Enable IPv6

By default, IPv6 is disabled on the CloudGen Firewall and Control Center. After enabling IPv6, all interfaces automatically create link-local IP addresses. A reboot is required after enabling IPv6 to ensure the kernel modules are loaded properly.

13.2  IPv6 Network Configuration

As with IPv4, all box-level IPv6 network configurations are configured on the CONFIGURATION > Configuration Tree > Box > Network page.

IPv6 Routes

As with IPv4, both gateway and direct attached routes can be configured for IPv6 networks. Changes to IPv6 routes require a Soft network activation. This means you can add and remove IPv6 routes without service interruption.


IPv6 WAN Connections

Static IPv6 WAN Connections

Static IPv6 addresses are configured either on box layer as an Additional IPv6 Address, or on the service layer. In this case, a direct attached route and a gateway default route must be configured for the network interface your ISP is connected to. Add an IPv6 virtual server IP address to enable the pending route.

Dynamic IPv6 WAN Connections

For IPv6 WAN connections, the CloudGen Firewall supports both prefix delegation, and stateless and stateful autoconfiguration. Unlike dynamic interfaces for IPv4 configurations, the network interface is not renamed. The name assigned to the interface during the IPv4 configuration is used. The following operation modes are supported:

• Stateful – The firewall is assigned the IPv6 address via DHCPv6.
• Stateful and Prefix delegation – The firewall is assigned the IPv6 address and a network address prefix via DHCPv6.
• Prefix delegation – The firewall is assigned a network address prefix by the ISP.
• Stateless – The interface is assigned a 64-bit prefix. The last 64 bits of the address are determined with the EUI-64 process.

When configuring a dynamic IPv6 connection, be aware of the following limitations:

• Using the provided DNS servers may overwrite DNS servers received from the provider via DHCPv4.
• All routes for dynamic IPv6 interfaces are added to the main routing table.
• Fully transparent failovers for high availability clusters are not possible.
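
In the Stateless mode the interface address is the 64-bit prefix joined with an interface identifier derived from the MAC address by the EUI-64 process; the same process yields the fe80::/64 link-local addresses created when IPv6 is enabled. The following Python snippet is an added example, not Barracuda code, that carries the EUI-64 derivation through (insert ff:fe, flip the universal/local bit), joins the result with a /64 prefix, and recovers the MAC from such an address. MAC and prefix values are constructed (2001:db8::/32 is the documentation range).

```python
"""EUI-64 interface identifiers for stateless IPv6 autoconfiguration.
Added example, not Barracuda code; MAC and prefix values are constructed."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe in the middle and
    invert the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix (e.g. one delegated by the ISP) with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address every interface forms once IPv6 is enabled."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str):
    """Inverse: recover the MAC from an EUI-64 derived address, or None when the
    interface identifier lacks the ff:fe marker (DHCPv6 or privacy address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"                      # constructed MAC
    print(link_local_address(mac))                 # fe80::21b:21ff:fe3c:4d5e
    print(slaac_address("2001:db8:abcd:1::/64", mac))
    print(mac_from_eui64_address("2001:db8:abcd:1:21b:21ff:fe3c:4d5e"))
```

Because the identifier embeds the MAC, an EUI-64 address reveals the hardware address and stays constant across networks, which is why a firewall or log review can use `mac_from_eui64_address()` to correlate a WAN address with an interface, and why clients often prefer randomized identifiers instead.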

IPv6 Management IP Address

By default, the CloudGen Firewall and Control Center are managed via an IPv4 management IP address. To manage the firewall via IPv6, configure an additional IPv6 box level IP address. Although it is not possible to completely remove the IPv4 management IP, you can set it to a loopback IP address.


High Availability Clusters

IPv6 session information is synced between two firewalls in a high availability cluster. The connection for synchronizing sessions between two firewalls is IPv4-only. This means that it is not possible to configure a high availability cluster using IPv6 management IP addresses.

DHCPv6 Server with Prefix Delegation

DHCPv6 IP address pools are usually configured statically. If you receive your IPv6 networks via prefix delegation, the DHCPv6 server configuration must be changed to use the prefix from the IPv6 WAN interface.

13.3  IPv6-Enabled Services

Although it is possible to assign IPv6 addresses to all services, not all services support IPv6. Generally speaking, infrastructure services such as DNS and DHCP fully support IPv6, but others, such as the firewall service, only offer partial support.

Virtual Server and Service IPv6 Addresses

For services to be able to use IPv6 addresses, configure IPv6 virtual server IP addresses. The IPv6 address must also be explicitly added to the Service Properties. Although it is possible to add IPv6 addresses for every service, IPv6 is not necessarily supported by the service itself. IPv6 addresses can only be configured as explicit virtual server IP addresses. It is required to configure an IPv4 address as the first virtual server IP address. Use a loopback IP address as the IPv4 Server IP to expose only IPv6 addresses.

Services IPv6 Support

The following services offer support for IPv6. Not all features available for IPv4 may be available for IPv6.

• Firewall Service
• VPN Service (envelope only)
• Virus Scanner (not in combination with Application Control)
• DNS Service
• DHCP Service
• DHCP Relay
• Dynamic Routing: OSPF/RIP/BGP
• SNMP Service
• Mail Gateway
• CloudGen Firewall Management
• Sync of IPv6 session information in High Availability Clusters

VPN Service

The VPN service supports IPv6 for the VPN envelope. This means that the site-to-site, client-to-site, and remote management VPN tunnels can be created between two IPv6 endpoints, but only IPv4 traffic can be sent through the tunnel. IPv6 is not supported for:

• Dynamic Mesh
• L2TP
• PPTP
• SSL VPN
• WAN Optimization

Firewall Service

IPv6 Network Objects

There are several network object types that can store or resolve to IPv6 addresses or networks.

• Generic Network Objects – You can add network addresses of all types. Generic network objects can hold both IPv4 and IPv6 network objects.
• Hostname (DNS resolved) – Resolves up to 17 IPv6 addresses.
• Single IPv6 Address – One IPv6 address. E.g., 2001:db8::1
• List of IPv6 Addresses – Multiple IPv6 addresses.
• Single IPv6 Network – One IPv6 network. E.g., 2001:db8::/56
• List of IPv6 Networks – Multiple IPv6 networks.
• Custom external network objects – Load a space-separated list of IPv4 and IPv6 IP addresses and/or networks from a text file.
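
A custom external network object is only as good as the file behind it, so it is worth validating such a list before the firewall loads it: mixed IPv4/IPv6 entries, typos, and networks written with host bits set (which silently widen the object to a larger network if the loader masks them) are the usual problems. The following Python snippet is an added example, not Barracuda code: the guide only says the file is space-separated, so the grammar assumed here (whitespace-separated tokens, `#` comments) is an assumption, and the file content is constructed. It uses Python's ipaddress module to split the list into IPv4 and IPv6 networks, report bad tokens, and answer membership queries.

```python
"""Validate a space-separated IPv4/IPv6 address and network list of the kind a
custom external network object loads from a text file.

Added example, not Barracuda code. Grammar assumed: whitespace-separated tokens,
'#' starts a comment. Sample content is constructed."""
import ipaddress

SAMPLE_FILE = """\
# constructed sample: mixed IPv4/IPv6 entries
192.0.2.10 192.0.2.0/24 2001:db8::1 2001:db8:1::/56
10.0.0.1/8 2001:db8::/129 not-an-address 198.51.100.7
"""


def parse_network_object_file(text):
    """Return (ipv4_networks, ipv6_networks, errors).

    Single addresses become /32 or /128 networks so membership checks deal with
    one type. A network with host bits set (10.0.0.1/8) is reported as an error
    instead of being masked, because silently widening an object to the
    enclosing network is exactly the mistake a ruleset review should catch."""
    v4, v6, errors = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]              # strip comments
        for token in line.split():
            try:
                net = ipaddress.ip_network(token, strict=True)
            except ValueError as exc:
                errors.append((lineno, token, str(exc)))
                continue
            (v4 if net.version == 4 else v6).append(net)
    return v4, v6, errors


def contains(v4, v6, address):
    """True if the address falls into any network of its own address family."""
    addr = ipaddress.ip_address(address)
    return any(addr in n for n in (v4 if addr.version == 4 else v6))


if __name__ == "__main__":
    v4, v6, errors = parse_network_object_file(SAMPLE_FILE)
    print("IPv4:", [str(n) for n in v4])
    print("IPv6:", [str(n) for n in v6])
    for lineno, token, msg in errors:
        print(f"line {lineno}: rejected {token!r}: {msg}")
    print(contains(v4, v6, "2001:db8:1:ab::5"))
```

In the constructed file three tokens are rejected and five are accepted; the rejected `10.0.0.1/8` is the case to watch for, since a lenient loader would turn a single host into the entire 10.0.0.0/8 range.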


IPv6 Access Rules

IPv6 traffic is matched against IPv6 rules in the forwarding firewall ruleset. IPv6 access rules are created in the same ruleset as IPv4 access rules. The following actions are available for IPv6 rules:

• Pass
• Deny
• Block
• Cascade

Application Control and Intrusion Prevention System

If the IPS policy is set in the matching IPv6 access rule, IPv6 traffic is scanned and, depending on the mode, blocked or reported if the traffic pattern matches an IPS signature. Application Control is detect-only for IPv6 traffic. All other Application Control features, such as SSL Inspection or URL Filtering, are not supported.

13.4  CloudGen Firewall as IPv6 Router

IPv6 separates devices into clients and routers. The CloudGen Firewall can act as an IPv6 router for the client networks. When a client joins an IPv6 network, it sends a router solicitation message. The router responds with a router advertisement (RA) containing information on how the client should obtain its global unicast IPv6 address and the default gateway. Global unicast IPv6 addresses can be assigned via stateless or stateful autoconfiguration. Stateless autoconfiguration instructs the client to configure itself with a globally unique Internet address and includes the IPv6 address of the next hop or default gateway. Stateless autoconfiguration can also include other information, such as DNS servers or search domain information. Stateful autoconfiguration allows the client to retrieve all information not included in the RA from a DHCPv6 server. The router continues to send RAs at regular intervals to all clients on the network to propagate changes to the network to its clients.

Stateless IPv6 Autoconfiguration

Stateless autoconfiguration does not require a DHCPv6 server. It is mainly used either by networks that require a fast connection time without intermediary services slowing down the process, or by small networks where it saves time and resources by not deploying DHCP or proxy servers for devices to be able to connect to other networks.


Stateful IPv6 Autoconfiguration with DHCPv6

The CloudGen Firewall can act as the router in the IPv6 stateful autoconfiguration process. The firewall answers the router solicitation request with a router advertisement instructing the client to use a DHCPv6 server. The network configuration parameters are then retrieved by the client from the DHCPv6 server. Using a DHCPv6 server allows you to keep track of the client's state and provides a means for securing access control to your networks, because the firewall can then be configured to allow traffic only from the IPv6 networks assigned to the clients by the DHCPv6 server.
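
Whether clients end up in the stateless or the stateful process is decided by a few bits in the router advertisement: the M (managed) and O (other configuration) flags in the RA header point clients at DHCPv6, while the A (autonomous) flag of a Prefix Information option tells them to form their own address from that prefix, and an RDNSS option can carry DNS servers for the stateless case. The following Python snippet is an added example, not Barracuda code, that builds two constructed RAs (one for each mode) and parses them back, so the same parser can be run over RAs captured on a client segment to confirm that the only advertisements present carry the prefix and flags the firewall is configured to send. Field layout follows RFC 4861 (RA header, Prefix Information) and RFC 8106 (RDNSS); the checksum is left zero in the constructed messages.

```python
"""Parse ICMPv6 Router Advertisements and report stateless vs. stateful mode.
Added example, not Barracuda code; RA bytes below are constructed."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25
FLAG_MANAGED, FLAG_OTHER = 0x80, 0x40          # RA flags: M (DHCPv6 addresses), O (DHCPv6 other info)
PREFIX_ONLINK, PREFIX_AUTONOMOUS = 0x80, 0x40  # Prefix option flags: L, A
RA_HDR = "!BBHBBHII"   # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans


def build_ra(flags, prefix, prefix_flags, dns=()):
    """Builder for the constructed sample RAs (ICMPv6 payload only, checksum 0)."""
    hdr = struct.pack(RA_HDR, ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, prefix_flags,
                      2592000, 604800, 0) + net.network_address.packed
    out = hdr + pio
    if dns:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
        out += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600) + addrs
    return out


def parse_ra(msg):
    """Return M/O flags, router lifetime, prefixes (with A/L flags) and RDNSS servers."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    _, _, _, _hop_limit, flags, lifetime, _, _ = struct.unpack_from(RA_HDR, msg, 0)
    ra = {"managed": bool(flags & FLAG_MANAGED), "other": bool(flags & FLAG_OTHER),
          "router_lifetime": lifetime, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(msg):
        typ, length = msg[off], msg[off + 1]
        if length == 0:                              # RFC 4861: zero length is invalid
            raise ValueError("malformed option")
        opt = msg[off:off + 8 * length]
        if len(opt) < 8 * length:
            raise ValueError("truncated option")
        if typ == OPT_PREFIX_INFO and length == 4:
            plen, pflags = opt[2], opt[3]
            prefix = ipaddress.IPv6Network((ipaddress.IPv6Address(opt[16:32]), plen), strict=False)
            ra["prefixes"].append({"prefix": str(prefix),
                                   "autonomous": bool(pflags & PREFIX_AUTONOMOUS),
                                   "on_link": bool(pflags & PREFIX_ONLINK)})
        elif typ == OPT_RDNSS and length >= 3:
            for i in range(8, 8 * length, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(opt[i:i + 16])))
        off += 8 * length
    return ra


def client_mode(ra):
    """How a client would configure itself from this RA."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful (DHCPv6 for addresses)" + (" + SLAAC" if slaac else "")
    if slaac:
        return "stateless (SLAAC)" + (" + DHCPv6 for other info" if ra["other"] else "")
    return "no autoconfiguration offered"


# Constructed sample RAs: one for each process described in the text.
STATELESS_RA = build_ra(0, "2001:db8:1::/64", PREFIX_ONLINK | PREFIX_AUTONOMOUS, dns=["2001:db8:1::53"])
STATEFUL_RA = build_ra(FLAG_MANAGED | FLAG_OTHER, "2001:db8:2::/64", PREFIX_ONLINK)

if __name__ == "__main__":
    for name, ra in (("stateless", STATELESS_RA), ("stateful", STATEFUL_RA)):
        parsed = parse_ra(ra)
        print(name, client_mode(parsed), parsed)
```

The stateful RA deliberately leaves the A flag clear: if it were set alongside M, clients would form a SLAAC address as well as the DHCPv6 one, and the access control described above (allowing only the networks the DHCPv6 server hands out) would be bypassed by the self-assigned address.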
