Barracuda Networks Firewall X100 User's Guide

1. Barracuda Firewall - Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Configuration WizardsAll Barracuda Firewalls now offer the following configuration wizards to guide you through initial setup and configuration:The

1. 2. 3. 4. 1. 2. 3. Server CertificateTab Setting ValueStatus Signature Algorithmsha1WithRSAEncryptionSubject RFC 2253emailAddress=support@bar

1. 2. 3. 4. 5. 6. 7. Next StepIf you are configuring a client-to-site VPN with IPsec, see .How to Configure a Client-to-Site VPN with IPsecHow

7. 1. 2. 3. 4. 5. 6. 1. Step 2. Configure Phase 2To configure Phase 2:In the left menu, right-click the entry (that you might have renamed t

1. You can now initiate a connection by navigating to . For more information, see TheGreenBow's help system.Tools > Connection Panel Trouble

1. 2. 3. 4. 5. Configuring Site-to-Site VPNsFor instructions on setting up site-to-site VPNs, see the following articles:How to Configure a Site-

1. 2. 1. 2. 3. The VPN server that runs on the Barracuda Firewall must listen on the appropriate IP address for its peer. Depending on whether th

1. 2. 3. 4. 5. 6. IP Addresses Location 1 Location 2Local Networks10.10.10.0/24 10.10.20.0/24Local Address212.86.0.253 213.47.0.253Tunnel Settin

6. 7. 8. 1. 2. 3. 4. 5. 6. 7. Remote AddressEnter .213.47.0.253The WAN IP address of location 2.Remote Networks Enter ./2410.10.20.0The .

7. 8. 1. 2. 3. 4. 5. Authentication Select . Shared PassphrasePassphraseEnter the shared secret.Click .AddStep 3. Configure the Firewall Rule

From a client in the local network, ping a host in the remote network. If no host is available, try to ping the management IP address of theremote Bar

Smart Pre-Submission Input ValidationAll Barracuda Firewalls now offer smart pre-submission input validation. This validation prevents configuration p

1. 2. 3. 1. 2. 3. 1. 2. In this article:Step 1. Enable the SSL VPNStatic IP AddressSecondary IP AddressDynamic Network InterfaceStep 2. Confi

2. 3. a. b. 4. 1. 2. 3. Action: Select Redirect to Service. Source: Click on and select from the list.Network Object InternetDestination:

3. 1. 2. 3. Step 4. Upload a CertificateIt is recommended that you install a CA-trusted root certificate on the Barracuda Firewall, so that web br

1. 2. 3. 1. 2. 3. 1. 2. 3. 1. 2. 3. the SSL VPN portal.In this article:Configure Outlook Web Access / Outlook Web AppAdd an ApplicationAdd

1. 2. 3. a. b. Related ArticlesHow to Configure a Client-to-SiteVPN with PPTPHow to Configure a Site-to-SiteVPN with IPsecHow to Configure a Clie

1. 2. 3. Barracuda offers two cloud services to centrally manage multiple Barracuda Firewalls and offload processor-intensive tasks:Barracuda Cloud

3. 1. 2. 3. a. b. 4. a. b. c. 5. 6. 1. 2. To configure the Barracuda Web Security Service on the Barracuda Firewall:On the page, selec

In this SectionMonitoring Active and Recent ConnectionsViewing LogsTroubleshootingHow to Configure Log StreamingMonitoring Active and Recent Connectio

To see if there is still incoming or outgoing traffic for a specific session, click Refresh and then look at its Last or Count value.Sometimes, you mi

IFWD-RET TCP Packet Forwarding Inbound Either source or destination are retransmitting packets. The connection mightbe dysfunctional.IFWD-FFIN-RCV T

URL Filtering of HTTPS Websites and Web Security Service ExemptionsAll Barracuda Firewalls can now apply URL filtering provided by the Barracuda Web

IPXY-DST-CLO TCP Stream Forwarding Inbound The socket to the destination is closed or isin the closing process.IPXY-SD-CLO TCP Stream Forwarding Inb

LOC-SYN-SND Local TCP Traffic A Local-Out TCP session is initiated bysending a SYN packet.LOC-SYN-RCV Local TCP Traffic A Local-In TCP session is in

VPN LogThe VPN Log displays information for all client-to-site and site-to-site VPN tunnels. Use this log to investigate why VPN tunnels and PPTPconne

ERR_READ_TIMEOUT The remote site or network is unreachable; it may be down.ERR_LIFETIME_EXP The remote site or network may be too slow or down.ERR_NO_

1. 2. 3. .Connection to Barracuda Support CenterRebooting the System in Recovery ModeIf your Barracuda Firewall experiences a serious issue that im

1. 2. 3. 4. 5. Replacing a Failed SystemBefore you replace your Barracuda Firewall, use the tools provided on the page to try to resolve the pro

1. 2. 3. 1. 2. 3. 4. 5. 6. 1. 2. How to Save Configuration BackupsHow to Update the Firmware on Your Barracuda FirewallHow to Restore the B

1. 2. 3. 4. 5. Applying the update might take several minutes to complete. The Barracuda Firewall automatically reboots after the update is appli

5. 6. 7. (5) EXIT Select a recovery option:If you want to retain all of your data and settings during the repair, enter to select the

Technical Specifications of the Barracuda FirewallSecurity Features Central Management Security Options Support OptionsFirewallStateful packet forward

Log StreamingAll Barracuda Firewalls now support streaming log files to an external syslog server. You can activate syslog streaming per log file on t

Wi-Fi (802.11n) accesspointUp to three wirelessnetworksClick-through Wi-Fi Portalwebpage for guest accessUser/pass webpage forWi-Fi guest accessVPNUnl

Firewall Yes Yes Yes Yes YesIPsec VPN(client-to-site)Yes Yes Yes Yes YesIPsec VPN(site-to-site)Yes Yes Yes Yes YesSSL VPN No Yes Yes Yes YesApplicatio

1. 2. Notice for the USACompliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This device complies with part 15 of

Barracuda Networks may change the availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO EVENTSHALL BAR

i. ii. iii. BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS UTILIZED IN THE BARRACUDA SOFTWARE WHICHYOU EITHER OWN OR CONTROL.7. Li

CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LESSEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THEENERGIZE UPDATE SOFTWARE WHICH IS BEING UPGRADE

DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHT

with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification&qu

compliance.5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or dist

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it freesoftwar

Quick Links to Barracuda Labs Reputation Search in Logs, Active Connections, and Recent Connections pagesOn the pages, page, and page, you can v

documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED ORIMPLIED WARRANT

the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not aContributio

END OF TERMS AND CONDITIONSAPPENDIX: How to apply the Apache License to your work.To apply the Apache License to your work, attach the following boile

Active Routes User Interface ImprovementThe tab previously located in has been moved to the section on the page. YouActive Routes BASIC Networ

Download Barracuda VPN Clients through UIAll currently available Barracuda VPN clients can now be downloaded from the section of the page.Settings

Barracuda Firewalls can now be reloaded and rebooted if the unit is not activated yet. [BNF-2230]Known IssuesHigh Availability: Manually triggering an

POP3VNCIMAP4WebDAVWeb forwards (HTTP/HTTPs)All Barracuda Firewall models starting with X200 provide SSL VPN at no additional cost for an unlimited amo

Usability ImprovementsThe following sections describe the usability improvements that are available as of firmware release 6.1.0.Quick Links to Servic

1.5.6 How to Manage Guest Tickets - User's Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Firewall rule entries can quickly be edited after their firewall rule entries are double-clicked.NAT Objects TabNAT objects are more intuitively integ

Firmware Improvements Enhancement:The DHCP TFTP Host Name field now also accepts IP address and host name combinations. [BNF-2121]Fix: The internal in

Firmware ImprovementsEnhancement: It is now possible to disable the SIP Proxy. [BNF-1900]Enhancement: To simplify the firewall rule tester, time setti

DNAT firewall rules can now also be used to perform port address translation (PAT). In the Redirect To field, append the desired port tothe IP address

User interface rendering of the recent connection page was slow with huge amount of connection entries. [BTN-1492]The firewall log time filter user in

Log filter for service logs did not work correctly. [BNF-1366]Filtering log files occasionally caused a temporary unavailable message. [BNF-1374]IPsec

technology—including application control, user awareness, secure VPNs, link optimization, and advanced malware protection—but is designed forunsurpass

Within any organization, different individuals or groups require access to different resources and applications. For example, marketers may needto use

Unlike other firewall products that simply enhance or augment standard Linux firewall packages, the core of every Barracuda Firewall isa specially dev

1. 2. 3. 4. 5. 1. 2. 3. 4. 5. Set up the unit between the management PC and the network.Connect the LAN to port 1 and the management PC to p

Barracuda Firewall - OverviewThe Barracuda Firewall is an application-aware network firewall appliance that is designed for organizations without dedi

Area DescriptionSubscription Status To verify the status of your licenses, go to the pageBASIC > Statusand view the section. The status for all

Connect the Barracuda Firewall to your existing authenticationservice or create a built-in database for user information.Managing Users and GroupsIf s

Dynamic InterfaceDynamic interfaces for DSL, DHCP, or 3G. How to Configure WAN InterfacesVirtual InterfaceVirtual interfaces for VLANs. You must usep

1. a. b. 2. a. b. 1. 2. a. b. c. 3. a. b. c. 4. dynamic connection besides DHCP (PPTP or PPPoE) on port p2, delete thedefault interf

1. 2. 3. 4. 5. 6. 7. 8. 9. The interface must be configured on port p4 with an IP address of 69.122.23.58 and a netmask of 255.255.255.0 (or

1. 2. 3. 4. a. b. 1. 2. 3. 4. 5. 6. 7. 1. 2. 3. After you connect the Barracuda M10 USB modem to the Barracuda Firewall, configure the

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. How to Configure a DHCP ConnectionIf the IP address is dynamically assigned by your ISP, follow the instructi

10. 1. 2. 3. 4. 5. 1. 2. 3. 1. After committing your changes, log back into the Barracuda Firewall.How to Add a Static Network InterfaceFoll

1. 2. 3. 4. 1. 2. 3. 4. 1. 2. 3. 4. 5. 6. 1. 2. 3. 4. 1. 2. a. b. c. 3. a. b. c. Go to the page.NETWORK > IP Configur

3. c. 4. 1. 2. 3. 4. Click the tab and change to specify the Wi-Fi subnets.General SourceAt the top of the rule editor window, click .Save

Web InterfaceAdding source or destination networks, with netmasks higher than /24, to firewall rules now works as expected. (BNF-2869)The smart pre-su

1. 2. 3. 4. Next StepsAfter adding the virtual interface, you can use it in your network configurations as if it were a physical interface. Contin

1. 2. 3. 4. 1. 2. 3. To configure the bridge:Go to the page.NETWORK > Bridging Click .Add Bridged GroupEnter a name for the bridge and add

1. 2. 3. 4. 5. 6. 1. 2. 3. 4. Step 2. Configure the Firewall RuleStep 3. Verify the Order of the Firewall RulesStep 1. Configure the Interfa

4. 5. 1. 2. 3. 1. 2. 3. 4. – Add the service objects to redirect (e.g., ).Service HTTP – Click and add .Source Network Objects Internet

1. 2. 3. 1. 2. network).To assign a static IP address to a system:In the section, click under the tab.DHCP Server Subnets Edit ActionIn the

2. 3. Configure the following settings:Web Security: Select .Proxy ForwardingProxy : Enter the IP address of the forward proxy.ForwardingPort: Ent

1. 2. 3. 4. Every DNS record has a Time to Live (TTL) value, which is the length of time that the DNS record can be cached. For most DNS records,

Additional DNS RecordsAfter a zone has been created, you can edit its records or add NS records, A records, and any of the following records to the zo

1. 2. 3. 1. 2. a. b. i. ii. iii. 3. 4. Step 1. Enable Authoritative DNS on the Barracuda FirewallGo to the page and enable . In the ta

1. 2. 3. 4. 5. 6. 7. 8. the domain point to your static WAN IP addresses. If your domain name is already registered, contact your registrar to

What's New with Barracuda Firewall Version 6.1.3.003Web Interface The Barracuda Firewall User Interface is now fully Japanese localized. Note tha

1. 2. 3. 4. 5. secondary box must also connect port 3 with ISP 1. If you install cabling incorrectly, HA failover does not work properly. For an

ADVANCED > High AvailabilityNETWORK > IP Configuration > Management IP ConfigurationNETWORK > IP Configuration > Dynamic Interface Conf

TimeInterfaceAdditionally, Intrusion Prevention, SYN flood protection, and a limit on the number of sessions per source IP address can be enforced.To

Description – An additional description field for the firewall rule.Action – Specifies how the Barracuda Firewall handles network traffic that matches

Application policies regulate how this session is treated by the Barracuda Firewall if certain network traffic is detected by the applicationfilter. T

1. 2. 3. To change the order of the firewall rules:Go to the page.FIREWALL > Firewall RulesDrag rules up or down in the table. If you want a r

Flex or forwarded to a different proxy service.TRANSPARENT-PROXYIf enabled, this rule automatically redirects all HTTP requests on TCP port 80 to the

Connection TimeoutThe time in seconds to allow before a failing connection skips to thenext fallback level. For a faster failover, enter lower values.

1. 2. 3. 4. 1. 2. Example – HTTP and HTTPS Traffic to the InternetTo allow HTTP and HTTPS connections from the local 192.168.200.0/24 network to

2. 3. 4. 1. 2. 3. In the section, click the edit symbol ( ) for the custom service object that you want to edit.Custom Service Objects In the

Access to the guest ticketing administration page is now possible from any network segment. A corresponding targeRedirect to Servicet was included.

1. 2. 3. 4. You can either register your domain name with an independent entity or configure the Barracuda Firewall as the authoritative DNS resol

1. 2. 3. 4. 5. 1. 2. 3. 1. 2. 3. 4. Available settings include:Action – Blocks network traffic where malicious activities were detected.

1. 2. 3. 1. 2. 3. To block, allow, report, or throttle network traffic for specific application types, enable Application Control. It uses Layer

3. 4. 1. 2. 3. 4. 5. 6. 7. 1. 2. 3. 4. Applications Policy – Select one of the following policies:Default (Default Application Detection

4. 5. At the top of the rule editor window, click or .Add SaveStep 3. Verify the Order of the Firewall RulesBecause rules are processed from top

1. 2. 3. 1. 2. 3. Queues and Rate LimitsThe following diagram shows how the eight bandwidth policies are divided into queues:The Priority Queues

1. 2. 3. 4. 5. 1. 2. 3. Configure the Captive PortalUpload a CertificateMonitoring and Managing Authentication UsersConfigure the Captive Port

1. 2. 3. 4. 5. Monitoring and Managing Authentication UsersOn the page, you can view currently authenticated users. You can also disconnect s

If your mail server or Barracuda Spam & Virus Firewall is on the public network, you might want to allow your Barracuda Firewall to provideprotect

DNAT Either the nInternetetwork object or aspecific public IPaddress. Forexample, the IPaddress of thehosting provider.The destinationdepends on the

[BNF-2348]Fixed an issue where under rare circumstances configuration updates failed and login was no longer possible. [BNF-2504]Barracuda Firewall Re

1. 2. Verify Firewall Rule OrderVerify the order of the firewall rule(s) that you created. New rules are created at the bottom of the firewall rule

1. 2. In this article:Step 1. Configure a Firewall Rule for the Connection from the SIP Server to InternetStep 2. Configure a Firewall Rule for the

2. 3. 1. 2. At the top of the window, click .Edit Access Rule SaveStep 2. Configure a Firewall Rule for the Connection from the Internet to the

2. 3. At the top of the window, click .Edit Access Rule AddStep 3. Verify the Order of the Rules in the Rule SetBecause rules are processed from

1. 2. 3. 4. 5. 1. 2. 3. 4. Go to the page.FIREWALL > Firewall RulesClick to create a new firewall rule.Add Access RuleIn the windo

4. 5. At the top of the window, click .Add Access Rule AddStep 2. Verify the Order of the Firewall RulesNew rules are created at the bottom of t

1. 2. 3. 4. 5. 6. 7. 1. 2. 3. 4. 5. 6. 7. This example configures a time object named that includes all office hours except to .Lun

1. 2. 3. 4. 1. 2. 3. In this article:Step 1. Enable Application ControlStep 2. Create a Firewall Rule to Choke Facebook TrafficStep 3. Verify t

3. 4. 5. Click the tab and then specify the following settings:Applications/BandwidthApplications Policy: Limit Bandwidth (Choke) Application Fil

1. 2. 3. 4. 5. Step 3. Verify the Order of the Firewall RulesBecause rules are processed from top to bottom, arrange your rules in the correct or

SSL VPN is available at no additional cost for an unlimited amount of users. Depending on the performance level of the appliance model,Barracuda Netwo

1. 2. 3. 4. 1. 2. 3. 4. ISP Type Service MetricPrimary ISP (80Mbit)Static IPassignmentHTTP 100Secondary ISP (40 Mbit)DynamicassignmentFTP 200I

1. 2. 1. 2. 3. 4. After adjusting the order of rules in the rule set, click .Save ChangesStep 4. Verify the Routing ConfigurationTo verify that

For user and group authentication, you can either a integrate the Barracuda Firewall with andminister users locally on the Barracuda Firewall or exter

1. 2. 3. a. b. c. 4. a. b. RADIUSOCSPGroup Filter PatternsBarracuda DC AgentThe Barracuda DC Agent runs on either the domain controller or a

1. 2. 3. 4. 1. 2. 3. 1. 2. 3. 4. 1. 2. 3. 1. 2. 3. To configure Active Directory:Go to the page.USERS > External AuthenticationC

1. 2. 3. 4. 1. 2. 3. 4. 1. 2. 3. 4. 1. 2. 3. 4. 5. User01 group membership string: CN=xyz, OU=sales, DC=mycompany, DC=comUser02 group

How to Set Up a Guest Access Confirmation PageWhen setting up a guest network, you can configure the Barracuda Firewall to use a confirmationpage that

1. 2. 3. 4. 1. 2. 3. 4. 5. Step 2. Enable the DHCP Server for the Guest NetworkTo automatically assign IP addresses for guests, enable a DHCP

Related ArticlesHow to Configure Wi-FiHow to Configure the DHCP ServerHow to Manage Guest Tickets -User's Guide In this article:Before You BeginS

1. 2. 3. 4. 1. a. b. c. 2. 1. 2. 3. 4. 5. To automatically assign IP addresses for guests, enable a DHCP server for the guest network.Go

High AvailabilityAll Barracuda Firewalls can now be deployed as part of a High Availability (HA) cluster. The primary unit handles all network traffic

Step 6. (Optional) Configure the Login PageOn the page, you can configure the page that is displayed to guests when they log into the network.USERS

1. 2. 3. 4. 5. 1. 2. In this article:Before You BeginCreate a TicketDelete a Guest TicketPrint Ticket Information for GuestsBefore You BeginGet

Print Ticket Information for GuestsTo give guests their username and password for accessing the network, you can print their ticket information. The p

In this SectionClient-to-Site VPNSite-to-Site VPNSSL VPN for the Barracuda FirewallHow to Allow VPN Access via a Dynamic WAN IP AddressClient-to-Site

Mac OS XIPsecPPTPSSL VPNBarracuda VPN ClientNative OS X PPTP clientThird-party IPsec clientsLinuxIPsecPPTPSSL VPN (browser only)Barracuda VPN ClientNa

1. 2. 3. 1. 2. In this article:Step 1. Identify the User Authentication MechanismStep 2. Configure the Barracuda Firewall VPN Server and Firewall

2. 3. 1. 2. 3. 1. 2. 3. 4. 5. In the section, click .Certificate Generation Create CertificateIn the window, fill in the certificate det

1. 2. 1. 2. 3. 1. 2. AuthenticationThe username is case-insensitive, but the password iscase-sensitive. If the client cannot connect because of

2. 3. 1. 2. 3. 1. 2. specify a static IP address for the user.Click .Save ChangesMS-CHAPv2/NTLMWith , you can allow access on a per-user or p

Certificate RequirementsStep 1. Create the Required CertificatesExample iOS Certificate SettingsRoot CertificateServer CertificateClient CertificateSt