Barracuda Basic Firewall Access-list Policy Lab

This post is a continuous post from previous one Barracuda CloudGen Firewall F12 Initial Configuration Lab.

In this post, I am gonna show you how to configure WAN / LAN interfaces, how to create your own forwarding access rule, plus Destination NAT rule. 

Related post:

• Barracuda CloudGen Firewall F12 Initial Configuration Lab

Topology

 

Online PNG Format Topology Diagram:

Configure Interfaces

In our previous post Barracuda CloudGen Firewall F12 Initial Configuration Lab, we already have configured our mgmt port , Port 1. Now, based on our topology, we are going to configure other two ports:

• LAN - Port 2
• WAN - Port 4

Go to Configuration - IP Configuration - Shared Networks and IPs:

Add LAN and WAN interfaces in with corresponding configuration:

For easy troubleshooting purpose, don't forget enable the option: Responds to ping, when you are configuring LAN/WAN port. That will make your firewall LAN/WAN port ping-able. 

Firewall Rule Settings

Traffic Criteria

 These settings define the traffic that will be handled by the rule:

Setting	Description
Bi-Directional	If the rule must be applied to traffic going to and from the specified source and destination, select this check box.
Source	The source IP addresses of the traffic.
Service	The IP protocol used or, with TCP/UDP, the relevant IP protocol and port for the traffic.
Destination	The destination IP addresses/netmask of the traffic.
Authenticated User	The authenticated users and groups who are affected by this rule. For more information, see Firewall Authentication. If the rule requires user authentication at the firewall, the rule is depicted with an icon in the Name column in the rule overview window.

 

Rule Activation

 These settings specify if the rule is active and how long it should be active: 

Setting	Description
Dynamic Rule	If the rule must be dynamically activated and deactivated for set periods of time, select this check box. For more information on configuring dynamic rules, see How to Activate a Dynamic Firewall Rule.
Deactivate Rule	To deactivate the rule, select this check box. To reactivate the rule, clear this check box.   To hide inactive rules in the rule set, click the Show/Hide Inactive Rules icon in the navigation bar. It is the first icon on the top right of the rule set.

Action and Connection

 The Action setting specifies how the Barracuda NG Firewall handles traffic that matches the rule criteria. These are the options that you can select:

There are quite a few different actions for your rules, 

• Block
• Deny
• Pass
• DST NAT
• MAP
• App Redirect
• Broad-Multicast
• Cascade

Action	Description
Block	Ignores the traffic and does not answer any matching packets.
Deny	Dismisses traffic and sends the following: •  TCP-RST (for TCP requests) • ICMP Port Unreachable (for UDP requests) •  ICMP Denied by Filter (for other IP protocols) to the source.
Pass	Passes the network traffic to the specified destination.
Dst NAT	Rewrites the destination IP address and port. You can specify the connection type; this lets you use source NAT and destination NAT together.
Map	Maps one destination IP address or subnet to another IP object. The map is also available the reversed way. For this action, you can select either client (destination NAT) or any predefined translation map for the connection type.
App Redirect	Redirects the traffic to a local application (transparent proxying).   Advanced parameters and timeouts of this type behave like in the local firewall.
Broad Multicast	Propagates the traffic to multiple interfaces. This action is only needed with bridging.
Cascade	Specifies that the traffic must be processed by a subset of the main rule set.
Cascade Back	If the traffic does not match any rules in a rule subset specified by a Cascade rule, use this action to direct traffic handling to the main rule set.

Execute

The traffic is piped into the STanDard IN (STDIN) of a program running on the server.

Depending on the Action of the rule, you can select a Connection Method that specifies how the source, destination, or service of the traffic is manipulated as it passes the Barracuda NG Firewall. This setting typically specifies the outgoing source IP address for address translation. The following Connection Method options are available:

 

Connection Method	Description
<explicit-conn>	Lets you define the IP address used to perform source network address translation (NAT).
Dynamic Scr NAT	Performs source NAT for the defined connection. The source IP address of network packets will be manipulated dynamically, according to the routing table of the Barracuda NG Firewall.
Loopback	Performs source NAT with the loopback IP address of 127.0.0.1.
No Src NAT	No source NAT is performed.
Source NAT with DHCP | ISDN | UMTS | xDSL	Performs source NAT with the IP address of the specified network interface type (DHCP, ISDN, UMTS, or xDSL). The firewall does not perform a routing table lookup.
Source NAT with VIP	Performs source NAT with the VIP address of the remote management tunnel. The firewall does not perform a routing table lookup.
Src NAT 1st Server IP	Performs source NAT with the 1st Server IP address. The firewall does not perform a routing table lookup.
Src NAT 2nd Server IP	Performs source NAT with the 2nd Server IP address. The firewall does not perform a routing table.

 

Traffic Modification and Inspection

These settings specify if the traffic is modified or inspected: 

Setting	Description
Redirect Target	This setting is for rules with the Action set to Dst Nat, App Redirect, or Map. In this section, you can specify the outgoing destination IP address for address translation.

	You can select the following policies:
	•
	IPS Policy – The traffic is inspected by the IPS engine according to the selected
	IPS policy.
	•
	Application Policy – The traffic is inspected according to the selected application
	policy. For more information, see Layer 7 Application Control.
Policy	•
	Time Objects – If Dynamic Rule is enabled, select the required Time Object.
	•
	QoS Band (Fwd) – Traffic in the forward direction is handled according to the
	selected QoS Band. For more information, see Traffic Shaping.
	•
	QoS Band (Reply) – Traffic in the reverse direction is handled according to the
	selected QoS Band.

 

Configure Pass Forwarding Firewall Rule

In this lab, we are gonna create a pass action rule, which is Allow rule in other vendor's firewall. 

A Pass access rule permits traffic for a specific Service coming from the Source to access the selected Destination . For the Source and Destination , you can specify network objects, IP addresses, networks, or geolocation objects .

Note: https://campus.barracuda.com/product/cloudgenfirewall/doc/79462929/how-to-create-a-pass-access-rule/

Configure Destination NAT Firewall Rule

A Dst NAT access rule redirects traffic that is sent to an external IP address to a destination in the internal network. The following example shows a Dst NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ (172.16.0.10). The redirect target can be a single IP address or hostname, or a network object. Hostnames and IP addresses can be appended with a port number to redirect the traffic to a different port.

Note: https://campus.barracuda.com/product/cloudgenfirewall/doc/79462926/how-to-create-a-destination-nat-access-rule/

Video

References

• Barracuda CloudGen Firewall Get Started
• Quick Start Guide
• Barracuda Cloud Control
• Barracuda Campus
• Default Forwarding Firewall Rules